CSW2017: Minrui Yan + Jianhao Liu, A visualization tool for evaluating CAN-bus cybersecurity

Post on 12-Apr-2017


A visualization tool for evaluating CAN-bus cybersecurity

Minrui Yan, SkyGo Team, Qihoo 360

Jianhao Liu, SkyGo Team, Qihoo 360

Who Are We

• Jianhao Liu: Director, SkyGo Team, Qihoo 360
• Minrui Yan: Researcher, Developer, SkyGo Team, Qihoo 360

Agenda

• Vehicle cybersecurity risks
• Key point of vehicle cybersecurity
• CAN-Pick
• Design a security CAN-bus network
• Q&A

The car hacking history

• Car ===> CAN-bus hacking
• Connected car ===> Telematics hacking
• Autonomous car ===> Automatic system hacking

Risk

Telematics hacking - 2015

Automatic system hacking - 2016

Cybersecurity in vehicle

[Diagram: Perception / Decision / Action stages. Labels: Vision, Radar, Lidar, Ultrasonic; Sensor Fusion; Decision Control; Vehicle Dynamics Management; Brake Control; Steering Control; Brake; Power steering; Cloud; Cybersecurity.]

In-vehicle network

Attack path

The principle of CAN-bus

• Carrier Sense Multiple Access / Collision Detection
  – Carrier sense
  – Multiple access
  – Collision detection

[Figure: CAN extended frame layout: Bus Idle, SOF, ID, SRR, IDE, Extended ID, RTR, r1, r0, DLC, Data Field, CRC, DEL, ACK, DEL, EOF, ITM, Bus Idle]

The principle of CAN-bus

• Communication matrix
  – ID
  – Signal mapping
  – Sending method

The principle of CAN-bus

- Diagnostic
- Development

Weakness of CAN-bus network

• Attacker model
  – Credible gateway
  – Send illegal message
• Vulnerability analysis
  – Tapping
  – Spoofing
  – Replay
  – Brute force

[Diagram: in-vehicle network with high-speed CAN and low-speed CAN. Labels: Powertrain Control, Body Control, Dashboard, Door Control, Airbag, Air Condition, Seat Control, Power Locks, Light Control, Engine Control, Active Suspension, ABS/ASR, Transmission Control.]

Signal type

• Periodic
• On event
• If active
• Periodic and on event
• Periodic and if active

A visualization tool for evaluating CAN-bus cybersecurity

• Features:
  – Real-time line chart
  – Replay
  – Fuzzing
  – UDS analysis
  – Plugins
• Supports:
  – Multi-platform (Linux, macOS, Windows)
  – Multi hardware (USBtin, SocketCAN, etc.)
  – Programming online

CAN-Pick architecture

[Architecture diagram. Labels: Hardware, Device Engine, Cache, Schedule, Task Engine, Web Engine, CAN-Pick Engine, Plugin Manager, Server; "Recv, Send"; "Task, Message, Setting"; Sync; Load; "Replay, Analyze, Fuzz, UDS, etc."]

Data visualization

• Sorted by ID
• Hex to Text
• Highlight with changing bits
• Compare multiple bits
• Line chart for displaying

Buffer management

• Diff checker
• Distinction
• Visualization for reviewing

Packet A (1102): Noise

Packet B (1007): An action

Packet C (63): Result

Diff

Fuzz module

• Two fuzzing modes
  – Pitchfork
  – Cluster bomb

ID: 0x01 0x02 0x03 0x04 0x05 0x06

Data: 1001 1002 1003 1004 1005

Demo 1

Replay module

• Two replaying modes
  – Single message
  – Full Buffer
• Customize option
  – Interval
  – Times
  – Line range (buffer)

UDS module

• UDS analyze
  – From buffer history
• Services scan

UDS services

• Requests
  – 0x10 DiagnosticSessionControl
  – 0x2F I/O Control By Id
  – 0x27 Security Access
  – 0x3E Tester Present
• Responses
  – {service_id + 0x40} Positive responses
  – 0x7F Negative response

0x7E0: 02 2F 03 00 00 00 00 00

0x7E8: 02 50 03 00 00 00 00 00

0x7E8: 02 7F 03 00 00 00 00 00

UDS services

• 0x2F - I/O Control By Identifier
  – DID (Data ID), Control Record, Control Mask
  – DID (Data ID)
    • Two-byte ID for the output
  – Control Record
    • What you want the output to do (On/Off, Up/Down, etc.)
  – Control Mask
    • A bitwise mask of one or more parameters that will be modified

0x7E0: 02 2F 03 04 07 01 00 00

UDS services

• 0x27 - Security Access
  – Service id, Sub-function (Request seed)
  – Seed
  – Sub-function (Send key), Key

0x7E0: 02 27 01 00 00 01 00 00

0x7E8: 02 67 01 04 07 00 00 00

0x7E0: 02 27 02 04 07 00 00 00

• Subfunction
  – 0x01 Request
  – 0x02 Send key
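
An added example (not code from the slides or from CAN-Pick): buffer-history UDS analysis in Python that applies the response rules above (positive = service ID + 0x40, negative = 0x7F) to flag Security Access and I/O control traffic in a capture. The capture is constructed and the function names are hypothetical; the single-frame length nibble and the negative-response layout (0x7F, rejected service ID, response code) are assumed from standard UDS rather than taken from the slides.

```python
# Added example: classify UDS single frames found in a captured CAN buffer.
SERVICES = {  # request service IDs listed on the slide
    0x10: "DiagnosticSessionControl",
    0x2F: "InputOutputControlByIdentifier",
    0x27: "SecurityAccess",
    0x3E: "TesterPresent",
}
SENSITIVE = {0x27, 0x2F}  # assumption: the services a reviewer wants flagged

def decode(data: bytes):
    """Return (kind, service_id, detail_bytes) for one single frame, else None."""
    if not data or data[0] >> 4 != 0:       # only ISO-TP single frames
        return None
    length = data[0] & 0x0F
    payload = data[1:1 + length]
    if length == 0 or len(payload) < length:
        return None
    sid = payload[0]
    if sid == 0x7F:                          # negative: 7F, rejected SID, code
        if len(payload) < 3:
            return None
        return ("negative", payload[1], payload[2:3])
    if sid - 0x40 in SERVICES:               # positive = request SID + 0x40
        return ("positive", sid - 0x40, payload[1:])
    if sid in SERVICES:
        return ("request", sid, payload[1:])
    return ("unknown", sid, payload[1:])

def flag_sensitive(buffer):
    """List Security Access / I/O control frames seen in (can_id, hex) pairs."""
    findings = []
    for can_id, hexdata in buffer:
        decoded = decode(bytes.fromhex(hexdata))
        if decoded and decoded[1] in SENSITIVE:
            kind, sid, detail = decoded
            findings.append((hex(can_id), kind, SERVICES[sid], detail.hex()))
    return findings

CAPTURE = [  # constructed sample buffer, not taken from a real vehicle
    (0x7E0, "02 10 03 00 00 00 00 00"),
    (0x7E8, "02 50 03 00 00 00 00 00"),
    (0x7E0, "02 27 01 00 00 00 00 00"),
    (0x7E8, "04 67 01 04 07 00 00 00"),
    (0x7E0, "04 27 02 04 07 00 00 00"),
    (0x7E8, "03 7F 27 35 00 00 00 00"),
    (0x123, "11 22 33 44 55 66 77 88"),  # non-diagnostic traffic, ignored
]

if __name__ == "__main__":
    for finding in flag_sensitive(CAPTURE):
        print(finding)
```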

Holo module

• Programming online
• Auto-Generate front code
• Download via server (TODO)
• Share your masterpiece (TODO)

Security design

• MAC (message authentication code)
  – Light (only 1 or 2 bytes)
• Common Secret Key
  – Anti-tamper
  – Preassigned

[Diagram: CAN message with data and MAC]

Security design

• Omission ratios
  – Randomness
• Delay
  – No waste in send and authorize
• Store space L*T
• Low hardware complexity

[Plot: omission ratio Pn (0 to 1) versus number of consecutive frames n (0 to 100), with curves for Pa = 0.1, 0.3, 0.5, 0.7, 0.9]

[Plot: broadcast time Tc / ms (3 to 11) versus broadcast period T (100 to 300)]

Security design

• Advantages
  – In theory it can defend against all kinds of attacks and forged messages
  – No need to change the hardware architecture or protocol
• Disadvantages
  – Small modification needed in the ECU
  – Guarantee communication effectiveness
• Solution
  – ECU firmware

Acknowledgements

• Tsinghua University
  – Prof. Jian Wang
• SkyGo Team, Qihoo 360
  – All team members
• CANToolz

Thanks!

Jianhao Liu: liujianhao@360.cn
Minrui Yan: minruiyan@gmail.com

https://github.com/360SkyGo/CAN-Pick (Release soon…)