CSW2017: Minrui Yan + Jianhao Liu, A visualization tool for evaluating CAN-bus cybersecurity
Post on 12-Apr-2017
A visualization tool for evaluating CAN-bus cybersecurity
Minrui Yan, SkyGo Team, Qihoo 360
Jianhao Liu, SkyGo Team, Qihoo 360
Who Are We
Jianhao Liu, Director, SkyGo Team, Qihoo 360
Minrui Yan, Researcher, Developer, SkyGo Team, Qihoo 360
Agenda
• Vehicle cybersecurity risks
• Key point of vehicle cybersecurity
• CAN-Pick
• Design a secure CAN-bus network
• Q&A
The car hacking history
• Car ===> CAN-bus hacking
• Connected car ===> Telematics hacking
• Autonomous car ===> Automatic system hacking
Risk
Telematics hacking - 2015
Automatic system hacking - 2016
Cybersecurity in vehicle
[Figure: Perception / Decision / Action diagram. Labels: Vision, Radar, Lidar, Ultrasonic, Cloud; Sensor Fusion; Decision Control; Vehicle Dynamics Management; Brake Control; Steering Control; Brake; Power steering; Cybersecurity]
In-vehicle network
Attack path
[Figure: attack path diagram; surviving label: LAN]
The principle of CAN-bus
• Carrier Sense Multiple Access / Collision Detection
– Carrier sense
– Multiple access
– Collision detection
[Figure: CAN extended frame layout: Bus Idle, SOF, ID, SRR, IDE, Extended ID, RTR, r1, r0, DLC, Data Field, CRC, DEL, ACK, DEL, EOF, ITM, Bus Idle]
The principle of CAN-bus
• Communication matrix
– ID
– Signal mapping
– Sending method
The principle of CAN-bus
– Diagnostic
– Development
Weakness of CAN-bus network
• Attacker model
– Credible gateway
– Send illegal message
• Vulnerability analysis
– Tapping
– Spoofing
– Replay
– Brute force
[Figure: in-vehicle CAN topology with a high-speed CAN and a low-speed CAN. Labels: Powertrain Control, Body Control, Dashboard, Door Control, Airbag, Air Condition, Seat Control, Power Locks, Light Control, Engine Control, Active Suspension, ABS/ASR, Transmission Control]
Signal type
• Periodic
• On event
• If active
• Periodic and on event
• Periodic and if active
A visualization tool for evaluating CAN-bus cybersecurity
• Features:
– Real-time line chart
– Replay
– Fuzzing
– UDS analysis
– Plugins
• Supports:
– Multi-platform (Linux, macOS, Windows)
– Multi hardware (USBtin, SocketCAN, etc.)
– Programming online
CAN-Pick architecture
[Figure: CAN-Pick architecture. Labels: Hardware, Device Engine, Cache, Schedule, Task Engine, Web Engine, CAN-Pick Engine, Plugin Manager (Load; Replay, Analyze, Fuzz, UDS, etc.), Server, Sync; data flows labelled Recv, Send, Task, Message, Setting]
Data visualization
• Sorted by ID
• Hex to Text
• Highlight with changing bits
• Compare multiple bits
• Line chart for displaying
Buffer management
• Diff checker
• Distinction
• Visualization for reviewing
[Figure: Diff of three buffers: Packet A (1102) Noise, Packet B (1007) An action, Packet C (63) Result]
Fuzz module
• Two fuzzing modes
– Pitchfork
– Cluster bomb
ID:   0x01 0x02 0x03 0x04 0x05 0x06
Data: 1001 1002 1003 1004 1005
Demo 1
Replay module
• Two replaying modes
– Single message
– Full Buffer
• Customize option
– Interval
– Times
– Line range (buffer)
UDS module
• UDS analyze
– From buffer history
• Services scan
UDS services
• Requests
– 0x10 DiagnosticSessionControl
– 0x2F I/O Control By Id
– 0x27 Security Access
– 0x3E Tester Present
• Responses
– {service_id + 0x40} Positive responses
– 0x7F Negative response
0x7E0  02 2F 03 00 00 00 00 00
0x7E8  02 50 03 00 00 00 00 00
0x7E8  02 7F 03 00 00 00 00 00
UDS services
• 0x2F - I/O Control By Identifier
– DID (Data ID), Control Record, Control Mask
– DID (Data ID)
  • Two byte ID for the output
– Control Record
  • what you want the output to do (On/Off, Up/Down, etc.)
– Control Mask
  • a bitwise mask of one or more parameters that will be modified
0x7E0  02 2F 03 04 07 01 00 00
UDS services
• 0x27 - Security Access
– Service id, Sub-function (Request seed)
– Seed
– Sub-function (Send key), Key
0x7E0  02 27 01 00 00 01 00 00
0x7E8  02 67 01 04 07 00 00 00
0x7E0  02 27 02 04 07 00 00 00
• Subfunction
– 0x01 Request
– 0x02 Send key
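The request/response rules from the UDS slides, as an added example that is not CAN-Pick code: it classifies captured frames and pairs each Security Access seed with the key sent after it. The frames are the ones shown on the slides; the function names, the byte layout (byte 0 length, byte 1 service ID, byte 2 sub-function) and the two-byte seed/key width are assumptions of this example.

```python
# Added example: decode UDS frames using the rules shown on the slides.
SERVICES = {                      # request service IDs listed on the slides
    0x10: "DiagnosticSessionControl",
    0x2F: "I/O Control By Id",
    0x27: "Security Access",
    0x3E: "Tester Present",
}
NEGATIVE = 0x7F                   # negative response
POSITIVE_OFFSET = 0x40            # positive response = service_id + 0x40

# The six frames shown on the slides, written as "<CAN ID> <8 data bytes>".
CAPTURE = """\
0x7E0 02 2F 03 00 00 00 00 00
0x7E8 02 50 03 00 00 00 00 00
0x7E8 02 7F 03 00 00 00 00 00
0x7E0 02 27 01 00 00 01 00 00
0x7E8 02 67 01 04 07 00 00 00
0x7E0 02 27 02 04 07 00 00 00
"""

def parse(line):
    can_id, *octets = line.split()
    return int(can_id, 16), bytes(int(o, 16) for o in octets)

def classify(data):
    """Return (kind, service, sub_function); layout is this example's assumption."""
    sid, sub = data[1], data[2]
    if sid == NEGATIVE:
        return ("negative", None, sub)
    if sid in SERVICES:
        return ("request", SERVICES[sid], sub)
    if sid - POSITIVE_OFFSET in SERVICES:
        return ("positive", SERVICES[sid - POSITIVE_OFFSET], sub)
    return ("unknown", None, sub)

def seed_key_pairs(frames):
    """Pair each Security Access seed response with the key sent after it."""
    pairs, seed = [], None
    for _can_id, data in frames:
        kind, service, sub = classify(data)
        if service != "Security Access":
            continue
        if kind == "positive" and sub == 0x01:      # ECU returns the seed
            seed = data[3:5]                        # assumed 2-byte seed
        elif kind == "request" and sub == 0x02 and seed is not None:
            pairs.append((seed, data[3:5]))         # tester sends the key
            seed = None
    return pairs

FRAMES = [parse(line) for line in CAPTURE.splitlines()]
```

Collecting seed/key pairs from a buffer is the input an evaluator needs to judge whether an ECU's Security Access seeds vary between sessions.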
Holo module
• Programming online
• Auto-Generate front code
• Download via server (TODO)
• Share your masterpiece (TODO)
Security design
• MAC (message authentication code)
– Light (only 1 or 2 bytes)
• Common Secret Key
– Anti-tamper
– Preassigned
[Figure labels: CAN message, data, MAC]
Security design
• Omission ratios
– Randomness
• Delay
– No waste in send and authorize
• Store space L*T
• Low hardware complexity
[Figure: omission ratio Pn versus number of consecutive frames n (0 to 100), with curves for Pa = 0.1, 0.3, 0.5, 0.7, 0.9]
[Figure: broadcast time Tc / ms versus broadcast period T (100 to 300)]
Security design
• Advantages
– In theory it can defend against all kinds of attacks and forged messages
– No need to change the hardware architecture or the protocol
• Disadvantages
– A small modification in the ECU
– Guarantee communication effectiveness
• Solution
– ECU firmware
Acknowledgements
• Tsinghua University
– Prof. Jian Wang
• SkyGo Team, Qihoo 360
– All team members
• CANToolz
Thanks!
Jianhao Liu liujianhao@360.cn
Minrui Yan minruiyan@gmail.com
https://github.com/360SkyGo/CAN-Pick (Release soon…)