resilience in automotive intrusion ... - ciri.illinois.edu · resilience in automotive intrusion...
TRANSCRIPT
Resilience in Automotive Intrusion Detection Systems
Gedare Bloom, Ph.D. Electrical Engineering and Computer Science
Howard University
Critical Infrastructure Resilience Institute
University of Illinois at Champaign-Urbana
August 8, 2018
August 8, 2018 :: Slide 2Gedare Bloom :: Howard University
SpeedSecurity
Safety
Critical Embedded
Systems Challenges
August 8, 2018 :: Slide 3Gedare Bloom :: Howard University
Distributed
Networked
(IoT, Infra) SpeedSecurity
Safety
Critical Embedded
Systems Challenges
August 8, 2018 :: Slide 4Gedare Bloom :: Howard University
Constrained
Feature-Rich
(Mobile, UVs)
Distributed
Networked
(IoT, Infra) SpeedSecurity
Safety
Critical Embedded
Systems Challenges
August 8, 2018 :: Slide 5Gedare Bloom :: Howard University
Complex
Stochastic
(Multicore, CPS)
Constrained
Feature-Rich
(Mobile, UVs)
Distributed
Networked
(IoT, Infra) SpeedSecurity
Safety
Critical Embedded
Systems Challenges
August 8, 2018 :: Slide 6Gedare Bloom :: Howard University
SpeedSecurity
Safety
Research in the
Embedded Systems
Security Lab
Real-time CPS
Automotive
Security
Internet of
Things
August 8, 2018 :: Slide 7Gedare Bloom :: Howard University
SpeedSecurity
Safety
Research in the
Embedded Systems
Security Lab
Real-time CPS
Automotive
Security
Internet of
Things
August 8, 2018 :: Slide 8Gedare Bloom :: Howard University
Automotive Security in the Connected World
• Need for Automotive Security
• Defense Mechanisms
– Message Authentication
– Intrusion Detection
August 8, 2018 :: Slide 9Gedare Bloom :: Howard University
Reliability grows!
We expect systems to become more reliable as we learn more about how to manufacture them and train people to use them.
• Exponential growth
• Bathtub curve
17 November 2017
August 8, 2018 :: Slide 10Gedare Bloom :: Howard University
Reliability grows! Security decays
• Systems in use for a long time
• A lot of opportunities to find vulnerabilities
Source: https://goo.gl/JUBLmd
August 8, 2018 :: Slide 11Gedare Bloom :: Howard University
Reliability grows! Security decays
• Systems in use for a long time
• A lot of opportunities to find vulnerabilities
Source: https://goo.gl/JUBLmd
Heartbleed
2012 - 2014
August 8, 2018 :: Slide 12Gedare Bloom :: Howard University
Reliability grows! Security decays
• Systems in use for a long time
• A lot of opportunities to find vulnerabilities
Source: https://goo.gl/JUBLmd
KRAK
2006 - 2016
August 8, 2018 :: Slide 13Gedare Bloom :: Howard University
Reliability grows! Security decays
• Systems in use for a long time
• A lot of opportunities to find vulnerabilities
Source: https://goo.gl/JUBLmd
Shellshock
September 1989 – September 2014
August 8, 2018 :: Slide 14Gedare Bloom :: Howard University
The life of a vulnerability
June 4
Adobe alerted to Flash Vulnerability
Issues advisory APSA10-01
June 7
Adobe announces it will
push up its update
June 10
Metasploit publishes reliable public exploit
June 14
Symantec links this to attacks
as far back as 2008
August 8, 2018 :: Slide 15Gedare Bloom :: Howard University
The life of a vulnerability
June 4
Adobe alerted to Flash Vulnerability
Issues advisory APSA10-01
June 7
Adobe announces it will
push up its update
June 10
Metasploit publishes reliable public exploit
June 14
Symantec links this to attacks
as far back as 2008
Mid-2008
June 29
Adobe issues update
for Reader
August 8, 2018 :: Slide 16Gedare Bloom :: Howard University
Security is different
• Attacks are systematic, not random
• Security is invisible and hard to measure
• Security is highly contextual
• Security is a property of systems
• Composition is unsolved
• Security is often binary
• Security is an assumed property
August 8, 2018 :: Slide 17Gedare Bloom :: Howard University
DRAM
Bank 2
Bank 1
Bank 0
Row 0
Row 1
Row 2
Row 3
Row Buffer
...
Source: http://tinyurl.com/z2waz74
August 8, 2018 :: Slide 18Gedare Bloom :: Howard University
Rowhammer
Bank 0
Row 0
Row 1
Row 2
Row 3
Row Buffer
...
Row 4
Row 5
Row 6
Row 7
• Repeatedly write to a row…• Cause a bit error in an adjacent row.• Improvement! Alternate between two rows.
• There’s code online.
August 8, 2018 :: Slide 19Gedare Bloom :: Howard University
Rowhammer
Bank 0
Row 0
Row 1
Row 2
Row 3
Row Buffer
...
Row 4
Row 5
Row 6
Row 7
August 8, 2018 :: Slide 20Gedare Bloom :: Howard University
Adversarial AI: Vulnerabilities in Machine Learning
Sharif et al., Accessorize to a Crime: Real and Stealthy Attacks on State-of-the-Art Face Recognition, 2016.
August 8, 2018 :: Slide 21Gedare Bloom :: Howard University
It’s systems all the way down… and up
Can you exploit the software?
Can you exploit the hardware?
Can you exploit the
user?
Can you exploit the policies?
Perfect security is impossible
August 8, 2018 :: Slide 23Gedare Bloom :: Howard University
People are part of the system
Source: http://tinyurl.com/jxnwqnx
Digital devices tune out small errors while creating opportunities for large errors.
Every device creates its own
opportunity for human error.
Exotic devices create exotic
problems.
– Earl Wiener
August 8, 2018 :: Slide 24Gedare Bloom :: Howard University
Auto brake system demonstration
August 8, 2018 :: Slide 25Gedare Bloom :: Howard University
Autonomous Vehicles – Rising tide of new challenges
• March 18, 2018
• First known pedestrianfatality involving an AV
• Timeline:
– Vehicle traveling 43 MPH
– Unidentified object detected6 seconds before crash
– Emergency braking decision1.3 seconds before crash
– Human safety operatorapplies brakes 1 secondafter crash https://www.nytimes.com/interactive/2018/03/20/us/self-driving-uber-pedestrian-killed.html
August 8, 2018 :: Slide 26Gedare Bloom :: Howard University
Adversarial AI: Fooling Autonomy
Eykholt et al., Robust Physical-World Attacks on Deep Learning Visual Classification, 2018
August 8, 2018 :: Slide 27Gedare Bloom :: Howard University
Principles of the IoT
• Instrument all the things!Unrecorded events are an opportunity to add value
• Share all the things!Sharing data enables new applications
• Connect all the things!Air gaps are a network failure
August 8, 2018 :: Slide 28Gedare Bloom :: Howard University
source: http://goo.gl/6NsB7R
August 8, 2018 :: Slide 29Gedare Bloom :: Howard University
source: http://goo.gl/aGBc9W
August 8, 2018 :: Slide 31Gedare Bloom :: Howard University
Software Complexity – Decrease Hardware, Increase Features
Millions of Lines of Code (MLOC)
August 8, 2018 :: Slide 32Gedare Bloom :: Howard University
Software Complexity Attack Surface Opportunities
Much of the exploitable code is not safety-critical
Infotainment
Comfort
Exploits lead to hazards
August 8, 2018 :: Slide 33Gedare Bloom :: Howard University
Opportunities: the supply chain
August 8, 2018 :: Slide 34Gedare Bloom :: Howard University
Opportunities: connectivity
August 8, 2018 :: Slide 35Gedare Bloom :: Howard University
Opportunities: increasing complexity
source: https://www.nvidia.com/en-us/self-driving-cars/
August 8, 2018 :: Slide 36Gedare Bloom :: Howard University
In-Vehicle Networking
B
a
c
k
b
o
n
e
OBD-II
Aftermarket
Gateway Gateway
Infotainment
Convenience
Instrument Clusters
Monitoring Sensors
Safety-Critical
August 8, 2018 :: Slide 37Gedare Bloom :: Howard University
Exploits Lead to Hazards
B
a
c
k
b
o
n
e
OBD-II
Aftermarket
Gateway Gateway
Infotainment
Convenience
Instrument Clusters
Monitoring Sensors
Safety-Critical
Charlie
August 8, 2018 :: Slide 38Gedare Bloom :: Howard University
Current Approach to Automotive Security
Security Goals: C/I/A for access control.
Security Mechanisms:
Message authentication: Detect alterations and verify sources.
Intrusion detection: Monitor messages, metadata for anomalies.
Security Challenge: Reconcile security with safety!
August 8, 2018 :: Slide 39Gedare Bloom :: Howard University
Our Approach to Automotive Security
Security Goals: C/I/A for access control.
Security Mechanisms:
Message authentication: Detect alterations and verify sources.
Intrusion detection: Monitor messages, metadata for anomalies.
Security Challenge: Reconcile security with safety!
Fail-Operational IDS: triggers transitions to degraded, safe states.
August 8, 2018 :: Slide 40Gedare Bloom :: Howard University
Exploits Lead to Hazards
B
a
c
k
b
o
n
e
OBD-II
Aftermarket
Gateway Gateway
Infotainment
Convenience
Instrument Clusters
Monitoring Sensors
Safety-Critical
FO-IDS
Charlie
Degraded
August 8, 2018 :: Slide 41Gedare Bloom :: Howard University
Our Key Research Challenges
• Identifying features amenable to anomaly detection
– Key idea: leverage physics, combinations, and sequences
– Collect more data!
• Aim to understand the nature of in-vehicle network components with respect to capability to fail gracefully
– Defining fail-operational modes for devices or busses•Some are done. Some are obvious.
•Huge gray areas: Instrument clusters and safety/comfort overlaps
• Practicality of IDS for in-vehicle networks
• Evaluation
August 8, 2018 :: Slide 42Gedare Bloom :: Howard University
Improve Classification by Enhancing Feature Collectors
• Increase available data for feature vectors
– data provenance
– information flow tracking
• Improve the use of device identification and timestamps
Example: intrusions can be detected from CAN message timing anomalies.
Kyong-Tak Cho and Kang Shin
Fingerprinting Electronic Control Units for Vehicle Intrusion Detection
H. M. Song and H. R. Kim and H. K. Kim
Intrusion detection system based on the analysis of time intervals of
CAN messages for in-vehicle network
August 8, 2018 :: Slide 43Gedare Bloom :: Howard University
Trace-based Provenance Collection for IoT/CPS
• Tracer: monitors sensor readings to create a trace file
• Trace Mapper: converts trace file to a provenance graph
• ProvDB: a graph database of provenance records
• Provenance Application: uses provenance as input
E. Nwafor, D. Hill, A. Campbell, and G. Bloom, “Towards a provenance
aware framework for internet of things devices,” in UIC ’17.
E. Nwafor, A. Campbell, and G. Bloom, “Anomaly-based Intrusion Detection of IoT
Device Sensor Data using Provenance Graphs,” in IoTSec ‘18.
August 8, 2018 :: Slide 44Gedare Bloom :: Howard University
Measuring Trust in Critical Infrastructure
Data Science Algorithms
• trustworthy ML
• scalable architectures
• real-time streaming
Provenance Collection
• real-time sources
• sensor fusion
• compression
August 8, 2018 :: Slide 45Gedare Bloom :: Howard University
Practical Considerations of IDS: Hybrid Approach
• Signature vs. Anomaly
• What anomalies/rules?
M. Marchetti and D. Stabili and A. Guido and M. Colajanni
Evaluation of anomaly detection for in-vehicle networks through
information-theoretic algorithms
A. Taylor and N. Japkowicz and S. Leblanc
Frequency-based anomaly detection for the automotive CAN bus
August 8, 2018 :: Slide 46Gedare Bloom :: Howard University
Practical Considerations of IDS: Centralized vs. Distributed
August 8, 2018 :: Slide 47Gedare Bloom :: Howard University
Progress
Survey of IDS in automotive networksIDS prototypes• Message frequency and entropy• Signature rules• Changepoint detection• Timing model specification
Evaluation• Attack and threat models• Normal traffic log of a Toyota Prius vs. simulated attack logs
– Positive preliminary results
• Real CAN normal and attack logs of – Analysis in progress
August 8, 2018 :: Slide 48Gedare Bloom :: Howard University
Summary of Our Automotive Security Research
Aim to solve security problems with in-vehicle networks.Key Contribution: Bridge gap between fault tolerance and IDS security.
Other expected contributionsSimulation FidelityEvaluation and Data CollectionCharacterization of protocols suitable for in-vehicle networks (CAN)
Perfect security is impossible
Perfect security is impossible
Resiliency is critical
Embedded Systems Security Lab
Saurav Aryal Andre Campbell David Hill, Jr.
Lab Director
Undergraduate Researchers
Ebelechukwu Nwafor
Bassma SalehHabeeb Olufowobi
Ph.D. Students
Andriana Burgess
Gedare Bloom, Ph.D.
Cynthia Jules Samman ThapaKeenah Mays
M.S. Students
Uchenna Ezeobi Eric Muhati