Testing the Security and Performance of Automotive Ethernet ECUs

Similar documents
Automotive Ethernet Security Testing. Alon Regev and Abhijit Lahiri

ACHILLES CERTIFICATION. SIS Module SLS 1508

Security Technology White Paper

Ethernet. Ethernet. Network Devices

How do I get to

CSE 127: Computer Security. Network Security. Kirill Levchenko

Network Security TCP/IP Refresher

Networking Test 4 Study Guide

CYBER ATTACKS EXPLAINED: PACKET CRAFTING

Course Overview: Learn the essential skills needed to set up, configure, support, and troubleshoot your TCP/IP-based network.

Internet Control Protocols Reading: Chapter 3

8.2 The Internet Protocol

Outline. CSc 466/566. Computer Security. 18 : Network Security Introduction. Network Topology. Network Topology. Christian Collberg

20-CS X Network Security Spring, An Introduction To. Network Security. Week 1. January 7

Guide to TCP/IP, Third Edition. Chapter 3: Data Link and Network Layer TCP/IP Protocols

Lecture Computer Networks

RARP: Reverse Address Resolution Protocol

CSCE 465 Computer & Network Security

Chapter 8 Security Pt 2

co Characterizing and Tracing Packet Floods Using Cisco R

Transport Layer Protocols

Guide to Network Defense and Countermeasures Third Edition. Chapter 2 TCP/IP

IP - The Internet Protocol

Lecture 15. IP address space managed by Internet Assigned Numbers Authority (IANA)

How To Protect A Dns Authority Server From A Flood Attack

Brocade NetIron Denial of Service Prevention

Packet Sniffing on Layer 2 Switched Local Area Networks

Solution of Exercise Sheet 5

Network Simulation Traffic, Paths and Impairment

Chapter 3. TCP/IP Networks. 3.1 Internet Protocol version 4 (IPv4)

CCNA R&S: Introduction to Networks. Chapter 5: Ethernet

Scapy. On-the-fly Packet Generation by Dienstag, 10. Januar 12

VXLAN: Scaling Data Center Capacity. White Paper

IP Network Layer. Datagram ID FLAG Fragment Offset. IP Datagrams. IP Addresses. IP Addresses. CSCE 515: Computer Network Programming TCP/IP

CS5008: Internet Computing

Network Security. Chapter 3. Cornelius Diekmann. Version: October 21, Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik

Internet Architecture and Philosophy

Technical Support Information Belkin internal use only

Networks: IP and TCP. Internet Protocol

Voice over IP. Demonstration 1: VoIP Protocols. Network Environment

Surviving DNS DDoS Attacks. Introducing self-protecting servers

Network Layer: Network Layer and IP Protocol

: Interconnecting Cisco Networking Devices Part 1 v2.0 (ICND1)

Chapter 9. IP Secure

CMA5000 SPECIFICATIONS Gigabit Ethernet Module

Overview. Securing TCP/IP. Introduction to TCP/IP (cont d) Introduction to TCP/IP

First Workshop on Open Source and Internet Technology for Scientific Environment: with case studies from Environmental Monitoring

Project 4: (E)DoS Attacks

Frequent Denial of Service Attacks

Attack Lab: Attacks on TCP/IP Protocols

Interconnection of Heterogeneous Networks. Internetworking. Service model. Addressing Address mapping Automatic host configuration

Safeguards Against Denial of Service Attacks for IP Phones

Linux Network Security

CS155 - Firewalls. Simon Cooper <sc@sgi.com> CS155 Firewalls 22 May 2003

Transport and Network Layer

1. Firewall Configuration

Computer Networks. Chapter 5 Transport Protocols

Session Hijacking Exploiting TCP, UDP and HTTP Sessions

Overview of TCP/IP. TCP/IP and Internet

CS 356 Lecture 16 Denial of Service. Spring 2013

VLAN und MPLS, Firewall und NAT,

LAN Switching Computer Networking. Switched Network Advantages. Hubs (more) Hubs. Bridges/Switches, , PPP. Interconnecting LANs

TCP Performance Management for Dummies

Asynchronous Transfer Mode: ATM. ATM architecture. ATM: network or link layer? ATM Adaptation Layer (AAL)

MEASURING WIRELESS NETWORK CONNECTION QUALITY

Defending Computer Networks Lecture 6: TCP and Scanning. Stuart Staniford Adjunct Professor of Computer Science

Single Pass Load Balancing with Session Persistence in IPv6 Network. C. J. (Charlie) Liu Network Operations Charter Communications

Indian Institute of Technology Kharagpur. TCP/IP Part I. Prof Indranil Sengupta Computer Science and Engineering Indian Institute of Technology

Final exam review, Fall 2005 FSU (CIS-5357) Network Security

Denial of Service Attacks

Understanding Layer 2, 3, and 4 Protocols

How To Test A Ddos Prevention Solution

What is a DoS attack?

ICOM : Computer Networks Chapter 6: The Transport Layer. By Dr Yi Qian Department of Electronic and Computer Engineering Fall 2006 UPRM

TOE2-IP FTP Server Demo Reference Design Manual Rev1.0 9-Jan-15

UPPER LAYER SWITCHING

Denial Of Service. Types of attacks

Networking Basics and Network Security

CSIS CSIS 3230 Spring Networking, its all about the apps! Apps on the Edge. Application Architectures. Pure P2P Architecture

A Very Incomplete Diagram of Network Attacks

Symantec Endpoint Protection 11.0 Network Threat Protection (Firewall) Overview and Best Practices White Paper

Secure Network Access System (SNAS) Indigenous Next Generation Network Security Solutions

OpenFlow with Intel Voravit Tanyingyong, Markus Hidell, Peter Sjödin

Intrusion Detection Systems: A Formal Algorithmic approach

V-ISA Reputation Mechanism, Enabling Precise Defense against New DDoS Attacks

WHITE PAPER. FortiGate DoS Protection Block Malicious Traffic Before It Affects Critical Applications and Systems

Protecting and controlling Virtual LANs by Linux router-firewall

Network Security. Tampere Seminar 23rd October Overview Switch Security Firewalls Conclusion

Internet Working 5 th lecture. Chair of Communication Systems Department of Applied Sciences University of Freiburg 2004

Firewall Introduction Several Types of Firewall. Cisco PIX Firewall

Objectives of Lecture. Network Architecture. Protocols. Contents

Lab VI Capturing and monitoring the network traffic

Network layer: Overview. Network layer functions IP Routing and forwarding

Application Protocols for TCP/IP Administration

10/100/1000 Ethernet MAC with Protocol Acceleration MAC-NET Core

Protocol Rollback and Network Security

1. Introduction. 2. DoS/DDoS. MilsVPN DoS/DDoS and ISP. 2.1 What is DoS/DDoS? 2.2 What is SYN Flooding?

Question: 3 When using Application Intelligence, Server Time may be defined as.

Computer Networks 1 (Mạng Máy Tính 1) Lectured by: Dr. Phạm Trần Vũ

Transcription:

Bogdan Tenea Product Specialist Testing the Security and Performance of Automotive Ethernet ECUs

Security Automotive Ethernet ECUs SECURITY CONCEPTS

The connected car Connected cars use multiple new interconnects The number of ECUs in the car is growing fast This makes security even more complicated 3

Hacking Possible Results Possible results of car hacking: Loss of privacy Damage to the vehicle Theft Bodily injury Security is important because it affects functional safety When revealed, vulnerabilities cause negative media exposure, even if not exploited Definition: a vulnerability is a flaw or weakness in a system s design or implementation that can be exploited in order to violate the system s integrity or security policy 4

Security Concerns Proven car hacking examples In the past, done by directly connecting to the CAN bus Most recently, via wireless networked interfaces High severity hackers might take control of steering and brakes Moving the in-car network to Automotive Ethernet and TCP/IP will affect the security landscape - for hackers this lowers the entry barriers: Automotive Ethernet device connectivity is relatively inexpensive Lots of protocol analyzers available Lots of experience from the IT world 5

Layered Security Using IT world technology implies that you can benefit from its experience on security! A chain is only as strong as its weakest link security of the ECUs should be seen as layered components ECU1 Application layer Network layer Physical layer Ethernet ECU2 Application layer Network layer Physical layer 6

Securing the Layers Question: Which is the weakest link? Answer: Every layer needs to be tested! Security on the physical layer is generally not seen as an issue, at least for wired networks in controlled environments, such as Ethernet in a car Security on the Application layer is very dependent on the actual implementation of the applications running on each ECU Security on the Network layer can benefit from IT world experience, because it is using standard protocols from the IT world 7

Application Security Well known vulnerabilities are the easiest way for a hacker to get access to a system IT security professionals generally first start with the Common Vulnerabilities and Exposures (CVE) database Lists publicly known vulnerabilities Some of the vulnerabilities are generic (i.e. HTTP servers) Use of the CVE is standardized by the ITU, NIST Products for testing over 50.000 identified vulnerabilities are available on the market at this moment 8

Network Layer Security 1. Proper architecture, design, and implementation of network architecture is the first line of defense 2. Conformance testing is the second line of defense Implementation conforms to design specification and standards 3. Robustness testing is the third line of defense Does the device survive a Denial of Service (DoS) attack? Will all future Automotive Ethernet ECUs go through this? 9

Robustness Testing Robustness testing, in the context of network communication stack testing, means subjecting the stack to abnormal protocol behavior: Corner case protocol state/functionality Invalid protocol field values Invalid protocol message order, timing, number Invalid protocol state triggers Abnormal communication load up to network saturation Known in the IT industry as Denial of Service flood attacks Expectation for automotive is that the stack will continue to function and protect itself 10

Robustness Importance Considering a gateway that may have a TCP/IP stack connected to: other ECUs through the Automotive Ethernet network the wireless LTE or Wi-Fi connections on board or and maybe even on the diagnostics port abnormal protocol behavior on one port should not crash the stack and disable the gateway functionality on the CAN network Wireless Gateway ECU CAN Application layer Network layer Physical layer Ethernet Application layer Network layer Physical layer 11

Robustness Testing Automotive Ethernet and TCP/IP ROBUSTNESS EXAMPLES

Network Layers Layer 5-7 Applications SD SOME/IP DHCP ICMP Layer 4 TCP UDP ARP Layer 3 IP Layer 2 IEEE Ethernet + 802.1Q VLANs Layer 1 Automotive Ethernet Physical Layer 100BASE-T1 Application Middleware Ethernet + TCP/IP 13

Ethernet Robustness Ethernet Header Destination Address Source Address Ethertype Data CRC 6 octets 6 octets 2 octets 46-1500 octets 4 octets 1. Does the device ignore unknown upper protocols? 2. What happens when you send unusual sized frames? IEEE 802.3 total length must be between 64 and 1536 send frames smaller than 64 bytes (runt frames) send frames bigger than 1536 bytes (jumbo frames) 3. Does the device drop frames with an invalid FCS? invalid data should not be delivered to upper layers 4. Does device maintain functionality with high frame rate and/or data rate? frame processing is usually tied up to CPU interrupts overwhelming the CPU could lead to crashing the device 14

Ethernet Example Test Synopsis Prerequisites Test setup Test Input Parameters Test Procedure Pass Criteria An Ethernet stack must be able to withstand receiving traffic at line rate, without crashing or disabling the whole device on which the stack is running on. To do this the stack may activate defensive behavior either by rate limiting incoming traffic, or by disabling the specific network interface entirely. If DUT has any other exposed interfaces, it must maintain service on those interfaces while under extreme load on the tested interface. After incoming line rate traffic is stopped, DUT must resume normal operation on the tested interface within a reasonable amount of time. ARP must be enabled on the tested interface Tester directly connected to the Device under Test DIFACE_O_MAC_ADDR, FloodTime, RecoveryTime 1. TESTER: <HOST-1> Sends Ethernet line rate to DUT through <DIface-0> for <FloodTime> seconds: - Destination MAC Address set to <DIFACE_O_MAC_ADDR> - Source MAC Address set to <RANDOM-MAC> - Ethertype set to 0x0B07 (reserved protocol value) 2. DUT: While receiving line rate traffic DUT must maintain functionality on other exposed network interfaces 3. TESTER: Wait for <RecoveryTime> seconds for DUT to recover from any defensive behavior 4. TESTER: Sends ARP Request to DUT through <DIface-0> 5. DUT: Sends ARP Response 2. DUT: While receiving line rate traffic DUT must maintain functionality on other exposed network interfaces 5. DUT: Sends ARP Response 15

ARP Robustness ARP Header Hardware Type Protocol Type Hardwa re Length Protocol Length Operation Sender HW Address Sender Protocol Address Target Hardware Address Target Protocol Address 2 bytes 2 bytes 1 bytes 1 bytes 2 bytes Var. len. Var. len. Var. len. Var. len. 1. For Ethernet, HW length must be 6 and for IP, Proto Length must be 4 does the device correctly discard frames with invalid lengths specified? 2. Operation can be either request (0x1) or reply (0x2) invalid ID specified for selecting the operation from a table could crash the stack 3. Source Protocol Address needs to match the hosts sub-network if not respected this enables protocol address spoofing 4. Does device maintain functionality on high ARP Request rate? ARP table cache is usually populated from incoming ARP Requests does the device maintain functionality while ARP table is full? 16

ARP Example Test Synopsis Prerequisites Test setup Test Input Parameters Test Procedure Pass Criteria Reference When an address resolution packet is received, the receiving Ethernet module gives the packet to the Address Resolution module which goes through an algorithm similar to the following: Negative conditionals indicate an end of processing and a discarding of the packet.?is the opcode ares_op$request? (Note: In this test TESTER sends an ARP Packet with opcode field set to an invalid value, and expects that DUT will not send any ARP Response) Device under Test needs to have an IP stack and ARP enabled Tester directly connected to the Device under Test HOST-1-IP, DIface-0-IP, INVALID_OPERATION, ParamListenTime 1. TESTER: <HOST-1> Sends ARP packet to DUT through <DIface-0> containing : - Source IP Address set to <HOST-1-IP> - Destination IP Address set to <DIface-0-IP> - Operation code set to INVALID_OPERATION 2. TESTER: <HOST-1> Sends ARP Request to DUT through <DIface-0> 3. TESTER: <HOST-1> Listens (up to <ParamListenTime>) on <DIface-0> 4. DUT: Sends only one ARP Response 4. DUT: Sends only one ARP Response Derived from RFC 826 "An Ethernet Address Resolution Protocol", section "Packet Reception" (MUST) 17

IPv4 Robustness IPv4 Header Vers. IHL Type of Service Total Length ID Fragment Info TTL Protocol Checksum Source & Dest Options (IHL>5) 4 bits 4 bits 1 byte 2 bytes 2 bytes 1 byte 1 byte 1 byte 2 bytes 8 bytes Variable 1. Invalid field values for version/protocol should be ignored 2. IHL gives the header length including IP Options what happens when the indicated IHL is less than the minimum 20 bytes? survive receiving invalid header options with valid IHL? 3. Total length must be set to the total length of the diagram what happens if the indicated length is bigger that the actual received one? 4. Invalid checksum data should not be delivered to upper layers 5. Fragmentation is one of the biggest sources of IP attacks send the device lots of incomplete fragments, exhaust cache buffers 18

IPv4 Example Test Synopsis Test setup Test Procedure Notes An TCP/IP stack must be able to withstand receiving incomplete IPv4 fragments at high rate without crashing or disabling the whole device on which the stack is running on. To do this the stack may activate defensive behavior either by rate limiting incoming traffic, or by disabling the specific network interface entirely. If DUT has any other exposed interfaces, it must maintain service on those interfaces while under extreme load on the tested interface. After line rate traffic is stopped, DUT must resume normal operation on the tested interface within a reasonable amount of time. Tester directly connected to the Device under Test 1. TESTER: <HOST-1> Sends valid IPv4 fragments at high rate to DUT through <DIface-0> for <FloodTime> seconds containing the following: - Source MAC Address set to <RANDOM-MAC> - Source IP Address set to <RANDOM-IP> - MF (More Fragments) in Flags field set to 1 - Length set to a value bigger than total packet data 2. DUT: While receiving line rate traffic DUT must maintain functionality on other network interfaces 3. TESTER: Wait for <RecoveryTime> seconds for DUT to recover from any defensive behavior 4. TESTER: Sends ARP Request to DUT through <DIface-0> - Sender Protocol Address is not in the list of previously sent <RANDOM-IP> 5. DUT: Sends ARP Response The <RANDOM-MAC>, <RANDOM-IP> pair shall be consistent such that the IP packets do not to trigger any spoofing protection on the DUT 19

TCP Robustness TCP 3-Way Handshake 1. Flood with new connection requests (SYN flood) Usually handled by not allocating resources on first SYN Delay allocation until the 3-rd phase by using an sequence number from a hash on source IP and port that can be used to validate the ACK message 2. Flood with open connections (SYN+ACK flood) Attacker Client Attacker can deduce the correct seq. number in phase 3 A DUT can defend by closing unused open connections Attacker can fake transmitting data on the connections DUT may defend by limiting connections from same source IP DUT Server Alloc. TCB Alloc. TCB 20

OPEN Alliance TC8 OPEN Alliance Technical Committee 8 (TC8) responsible for ECU and network testing has recently created TCP/IP conformance test cases A lot of attention was directed towards also adding robustness tests TCP DHCP Client Autoconfig 5 tests, 6% 3 tests, 5% 50 tests, 19% 85 tests, 94% IP 53 tests, 95% ARP ICMP 13 tests, 27% 215 tests, 81% 11 tests, 50% 11 tests, 50% 27 tests, 51% 26 tests, 49% 36 tests, 73% Conformance Robustness 21

Performance Testing Ethernet and TCP/IP PERFORMANCE TESTING

Performance Testing Performance testing - how does a system perform in terms of responsiveness and stability under a particular workload? Above definition is quite extensive 23

Switch Performance The typical IT test for switch performance is specified by RFC 2544. It determines throughput and latency under specific conditions: How many ports transmitting How many are receiving One to one, many to many or fully meshed? One direction/bi-directional Protocols Broadcast/Multicast Test duration Test different frames size Because automotive is an engineered network, it has the luxury of testing only for specific engineered traffic configurations. Tools exist to precisely emulate usual and malicious traffic patterns that could flow in the car network 24

AVB Bridge Performance Audio Video Bridging was introduced to allow switches to provide guarantees regarding throughput and latency for A/V traffic The specific configuration and traffic pattern in which the switch network will operate needs to be tested Tests need to be run for a long duration, as lab results have shown performance is not constant If reliable enough, AVB/TSN can be used for body control functions AVB Traffic 60 Mbps 1 4 AVB Talker 1 AVB Listener 1 AVB Bridge (100 Mbps) 2 3 Non- AVB Device AVB Listener 2 Non - AVB Traffic 50 Mbps 25

TCP/IP Performance Throughput scenarios: Sending or receiving data Varying window sizes Varying number of connections Latency/responsiveness of the stack Varying number of connections Different throughput scenarios Session establishment rate Number of concurrent connections 26

Thank you! More @ www.ixiacom.com/automotive-ethernet

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information