Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step...
Transcript of Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step...
![Page 1: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/1.jpg)
1
Attacking AUTOSAR using
Software and Hardware Attacks
Pascal Nasahl
Graz University of Technology
Niek Timmers
Riscure
![Page 2: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/2.jpg)
2
Introduction
![Page 3: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/3.jpg)
3
Introduction
• Niek Timmers
• Principal Security Analyst @ Riscure
![Page 4: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/4.jpg)
4
Introduction
• Niek Timmers
• Principal Security Analyst @ Riscure
• Analyzing and testing of embedded technologies
![Page 5: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/5.jpg)
5
Introduction
• Niek Timmers
• Principal Security Analyst @ Riscure
• Analyzing and testing of embedded technologies
• Research
• Automotive, secure boot, fault injection, etc.
• More at niektimmers.com and riscure.com
![Page 6: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/6.jpg)
6
Introduction
• Niek Timmers
• Principal Security Analyst @ Riscure
• Analyzing and testing of embedded technologies
• Research
• Automotive, secure boot, fault injection, etc.
• More at niektimmers.com and riscure.com
Please visit Riscure’s booth for more information!
![Page 7: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/7.jpg)
7
Today’s Agenda
![Page 8: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/8.jpg)
8
Today’s Agenda
•Brief introduction to AUTOSAR Classic
![Page 9: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/9.jpg)
9
Today’s Agenda
•Brief introduction to AUTOSAR Classic
•Attacks on AUTOSAR
![Page 10: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/10.jpg)
10
Today’s Agenda
•Brief introduction to AUTOSAR Classic
•Attacks on AUTOSAR
•Case study
![Page 11: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/11.jpg)
11
Today’s Agenda
•Brief introduction to AUTOSAR Classic
•Attacks on AUTOSAR
•Case study
•Wrap-up
![Page 12: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/12.jpg)
12
Today’s Agenda
•Brief introduction to AUTOSAR Classic
•Attacks on AUTOSAR
•Case study
•Wrap-up
•Q&A
![Page 13: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/13.jpg)
13
AUTOSAR Classic
![Page 14: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/14.jpg)
14
AUTOSAR Classic
• Layered software
architecture
![Page 15: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/15.jpg)
15
AUTOSAR Classic
• Layered software
architecture
• Most layers are independent
from the Microcontroller
![Page 16: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/16.jpg)
16
AUTOSAR Classic
• Layered software
architecture
• Most layers are independent
from the Microcontroller
• Improve software reusability
![Page 17: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/17.jpg)
17
AUTOSAR Classic
Complex
Drivers
Microcontroller
Runtime Environment
Microcontroller
Drivers
Memory
Drivers
I/O Drivers
I/O Hardware
Abstraction
Memory
Hardware
Abstraction
Memory
Services
System Services
Onboard
Device
Abstraction
Wireless
Communication
Drivers
Communication
Hardware
Abstraction
Off-board
Communication
Services
Application Layer
Crypto Drivers
Crypto
Hardware
Abstraction
Crypto
Services
Communication
Drivers
Communication
Services
Wireless
Communication
HW Abstraction
![Page 18: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/18.jpg)
18
AUTOSAR Classic
Complex
Drivers
Microcontroller
Runtime Environment
Microcontroller
Drivers
Memory
Drivers
I/O Drivers
I/O Hardware
Abstraction
Memory
Hardware
Abstraction
Memory
Services
System Services
Onboard
Device
Abstraction
Wireless
Communication
Drivers
Communication
Hardware
Abstraction
Off-board
Communication
Services
Application Layer
Crypto Drivers
Crypto
Hardware
Abstraction
Crypto
Services
Communication
Drivers
Communication
Services
Wireless
Communication
HW Abstraction
Vulnerabilities can be introduced in any layer!
![Page 19: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/19.jpg)
19
Summary of AUTOSAR
![Page 20: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/20.jpg)
20
Summary of AUTOSAR
•Complex software; will contain bugs/vulnerabilities
![Page 21: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/21.jpg)
21
Summary of AUTOSAR
•Complex software; will contain bugs/vulnerabilities
•Made by different vendors / developers• Do you trust your suppliers?
![Page 22: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/22.jpg)
22
Summary of AUTOSAR
•Complex software; will contain bugs/vulnerabilities
•Made by different vendors / developers• Do you trust your suppliers?
•Mature code due to safety requirements• i.e. MISRA-C
![Page 23: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/23.jpg)
23
Summary of AUTOSAR
•Complex software; will contain bugs/vulnerabilities
•Made by different vendors / developers• Do you trust your suppliers?
•Mature code due to safety requirements• i.e. MISRA-C
Mature! But not guaranteed secure...
![Page 24: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/24.jpg)
24
What can go wrong?
![Page 25: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/25.jpg)
25
Potential MCAL vulnerabilities
![Page 26: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/26.jpg)
26
Potential MCAL vulnerabilities
![Page 27: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/27.jpg)
27
Potential MCAL vulnerabilities
Who verifies your MCAL for vulnerabilities?
![Page 28: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/28.jpg)
28
What about MISRA-C?!
![Page 29: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/29.jpg)
29
What about MISRA-C?!
![Page 30: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/30.jpg)
30
What about MISRA-C?!
You cannot conform to directives automagically…
![Page 31: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/31.jpg)
31
What else?
![Page 32: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/32.jpg)
32
Vulnerabilities in complex software
![Page 33: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/33.jpg)
33
Vulnerabilities in complex software
![Page 34: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/34.jpg)
34
Vulnerabilities in complex software
Who verifies your communication stack?
![Page 35: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/35.jpg)
35
Mitigating software vulnerabilities
![Page 36: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/36.jpg)
36
Mitigating software vulnerabilities
•Minimize the low hanging fruit• Secure coding standard, code checkers, ...
![Page 37: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/37.jpg)
37
Mitigating software vulnerabilities
•Minimize the low hanging fruit• Secure coding standard, code checkers, ...
•Find vulnerabilities yourself before attackers do• Continuous security code reviews, ...
![Page 38: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/38.jpg)
38
Mitigating software vulnerabilities
•Minimize the low hanging fruit• Secure coding standard, code checkers, ...
•Find vulnerabilities yourself before attackers do• Continuous security code reviews, ...
•Make it harder to exploit software vulnerabilities• Software exploitation mitigations, ...
![Page 39: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/39.jpg)
39
Sufficiently complex software
has vulnerabilities.
![Page 40: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/40.jpg)
40
Finding them is not always trivial...
Sufficiently complex software
has vulnerabilities.
![Page 41: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/41.jpg)
41
What if an attacker cannot find any
or they are too difficult to exploit?
Finding them is not always trivial...
Sufficiently complex software
has vulnerabilities.
![Page 42: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/42.jpg)
42
Hardware attacks!?
![Page 43: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/43.jpg)
43
Hardware attacks!?
•Attacker needs physcial access the ECU
![Page 44: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/44.jpg)
44
Hardware attacks!?
•Attacker needs physcial access the ECU
•Attacker often needs to open the ECU
![Page 45: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/45.jpg)
45
Hardware attacks!?
•Attacker needs physcial access the ECU
•Attacker often needs to open the ECU
•Different types of HW attacks:
•E.g. PCB-level, Fault injection, Side Channels, etc.
![Page 46: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/46.jpg)
46
Hardware attacks!?
•Attacker needs physcial access the ECU
•Attacker often needs to open the ECU
•Different types of HW attacks:
•E.g. PCB-level, Fault injection, Side Channels, etc.
•Often a stepping stone for more scalable attacks
![Page 47: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/47.jpg)
47
Case study: FI on AUTOSAR
“Using FI to take control of an AUTOSAR-based ECU.”
![Page 48: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/48.jpg)
48
Case study: FI on AUTOSAR
• Demonstration ECU implemented using:• STM32F4 development board
• Arctic Core for AUTOSAR v3.1
“Using FI to take control of an AUTOSAR-based ECU.”
![Page 49: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/49.jpg)
49
Case study: FI on AUTOSAR
• Demonstration ECU implemented using:• STM32F4 development board
• Arctic Core for AUTOSAR v3.1
• Attacking using a previously described FI fault model
“Using FI to take control of an AUTOSAR-based ECU.”
![Page 50: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/50.jpg)
50
Case study: FI on AUTOSAR
• Demonstration ECU implemented using:• STM32F4 development board
• Arctic Core for AUTOSAR v3.1
• Attacking using a previously described FI fault model
“Using FI to take control of an AUTOSAR-based ECU.”
Fault Injection? Fault model?
![Page 51: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/51.jpg)
51
Voltage Fault Injection“Introducing faults into a chip in order to change its intented behavior.”
![Page 52: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/52.jpg)
52
Voltage Fault Injection“Introducing faults into a chip in order to change its intented behavior.”
![Page 53: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/53.jpg)
53
Voltage Fault Injection“Introducing faults into a chip in order to change its intented behavior.”
![Page 54: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/54.jpg)
54
Voltage Fault Injection“Introducing faults into a chip in order to change its intended behavior.”
![Page 55: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/55.jpg)
55
Voltage Fault Injection“Introducing faults into a chip in order to change its intented behavior.”
![Page 56: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/56.jpg)
56
Fault Injection Setup
![Page 57: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/57.jpg)
57
Fault Injection Setup
![Page 58: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/58.jpg)
58
Fault Injection Setup
![Page 59: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/59.jpg)
59
USB
Fault Injection Setup
![Page 60: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/60.jpg)
60
USB
Fault Injection Setup
CAN
![Page 61: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/61.jpg)
61
Voltage
USB
Fault Injection Setup
CAN
![Page 62: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/62.jpg)
62
Voltage
USB
Reset
Fault Injection Setup
CAN
![Page 63: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/63.jpg)
63
What can we do with fault injection?
![Page 64: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/64.jpg)
64
Fault Injection Fault Model
“Instruction corruption.”
![Page 65: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/65.jpg)
65
Fault Injection Fault Model
• Glitches can be used to modify instruction
“Instruction corruption.”
![Page 66: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/66.jpg)
66
Fault Injection Fault Model
• Glitches can be used to modify instruction
• In other words, we can modify software
“Instruction corruption.”
![Page 67: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/67.jpg)
67
Fault Injection Fault Model
• Glitches can be used to modify instruction
• In other words, we can modify software
• Fault injection breaks any software security model
“Instruction corruption.”
![Page 68: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/68.jpg)
68
How can we use this to attack
AUTOSAR-based ECUs?
![Page 69: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/69.jpg)
69
Attacking AUTOSAR
![Page 70: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/70.jpg)
70
Attacking AUTOSAR
•Our goal is to execute arbitrary code
![Page 71: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/71.jpg)
71
Attacking AUTOSAR
•Our goal is to execute arbitrary code
•Our only entry into the device is the CAN bus
![Page 72: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/72.jpg)
72
Attacking AUTOSAR
•Our goal is to execute arbitrary code
•Our only entry into the device is the CAN bus
•Of course, we have physical access…
![Page 73: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/73.jpg)
73
AUTOSAR’s PDU Router
![Page 74: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/74.jpg)
74
AUTOSAR’s PDU Router
1. CAN driver receives 8-byte CAN frame
![Page 75: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/75.jpg)
75
AUTOSAR’s PDU Router
1. CAN driver receives 8-byte CAN frame
2. Frame passes the CAN interface
![Page 76: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/76.jpg)
76
AUTOSAR’s PDU Router
1. CAN driver receives 8-byte CAN frame
2. Frame passes the CAN interface
3. Payload is reassembled by ISO-TP
![Page 77: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/77.jpg)
77
AUTOSAR’s PDU Router
1. CAN driver receives 8-byte CAN frame
2. Frame passes the CAN interface
3. Payload is reassembled by ISO-TP
4. Payload is copied to COM or DCM
![Page 78: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/78.jpg)
78
AUTOSAR’s PDU Router
1. CAN driver receives 8-byte CAN frame
2. Frame passes the CAN interface
3. Payload is reassembled by ISO-TP
4. Payload is copied to COM or DCM
5. COM or DCM handles the payload
![Page 79: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/79.jpg)
79
Where do we attack?!
![Page 80: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/80.jpg)
80
AUTOSAR’s PDU Router
1. CAN driver receives 8-byte CAN frame
2. Frame passes the CAN interface
3. Payload is reassembled by ISO-TP
4. Payload is copied to COM or DCM
5. COM or DCM handles the payload
![Page 81: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/81.jpg)
81
Attacking AUTOSAR’s PDU router
![Page 82: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/82.jpg)
82
Attacking AUTOSAR’s PDU router
• Step 1: Send an ISO-TP CAN message (< 4096 bytes)
![Page 83: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/83.jpg)
83
Attacking AUTOSAR’s PDU router
• Step 1: Send an ISO-TP CAN message (< 4096 bytes)
Copy ‘Our task’
to ‘free memory’
Our
task
![Page 84: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/84.jpg)
84
Attacking AUTOSAR’s PDU router
• Step 1: Send an ISO-TP CAN message (< 4096 bytes)
Modify pointer of IDLE
task to ‘free memory’
Copy ‘Our task’
to ‘free memory’
Our
task
![Page 85: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/85.jpg)
85
Attacking AUTOSAR’s PDU router
• Step 1: Send an ISO-TP CAN message (< 4096 bytes)
Modify pointer of IDLE
task to ‘free memory’
Copy ‘Our task’
to ‘free memory’
Our
task
Continue with
current task
![Page 86: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/86.jpg)
86
Attacking AUTOSAR’s PDU router
• Step 1: Send an ISO-TP CAN message (< 4096 bytes)
Modify pointer of IDLE
task to ‘free memory’
Copy ‘Our task’
to ‘free memory’
Our
taskPointers pointing to the start of the payload
Continue with
current task
![Page 87: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/87.jpg)
87
Attacking AUTOSAR’s PDU router
• Step 1: Send an ISO-TP CAN message (< 4096 bytes)
• Step 2: We inject the glitch when the pointers are being copied
Modify pointer of IDLE
task to ‘free memory’
Copy ‘Our task’
to ‘free memory’
Our
taskPointers pointing to the start of the payload
Continue with
current task
![Page 88: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/88.jpg)
88
Attacking AUTOSAR’s PDU router
• Step 1: Send an ISO-TP CAN message (< 4096 bytes)
• Step 2: We inject the glitch when the pointers are being copied
• Step 3: Successful glitches load a pointer into the PC register
Modify pointer of IDLE
task to ‘free memory’
Copy ‘Our task’
to ‘free memory’
Our
taskPointers pointing to the start of the payload
Continue with
current task
![Page 89: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/89.jpg)
89
Attacking AUTOSAR’s PDU router
• Step 1: Send an ISO-TP CAN message (< 4096 bytes)
• Step 2: We inject the glitch when the pointers are being copied
• Step 3: Successful glitches load a pointer into the PC register
• Step 4: MCU will execute the ISO-TP message (blue blocks)
Modify pointer of IDLE
task to ‘free memory’
Copy ‘Our task’
to ‘free memory’
Our
taskPointers pointing to the start of the payload
Continue with
current task
![Page 90: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/90.jpg)
90
Attacking AUTOSAR’s PDU router
• Step 1: Send an ISO-TP CAN message (< 4096 bytes)
• Step 2: We inject the glitch when the pointers are being copied
• Step 3: Successful glitches load a pointer into the PC register
• Step 4: MCU will execute the ISO-TP message (blue blocks)
• Step 5: Wait for IDLE task to be scheduled and execute our task
Modify pointer of IDLE
task to ‘free memory’
Copy ‘Our task’
to ‘free memory’
Our
taskPointers pointing to the start of the payload
Continue with
current task
![Page 91: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/91.jpg)
91
Why does this work?
![Page 92: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/92.jpg)
92
Attacking AUTOSAR’s PDU Router
![Page 93: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/93.jpg)
93
Attacking AUTOSAR’s PDU Router
Disassembled
memcpy()
![Page 94: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/94.jpg)
94
Attacking AUTOSAR’s PDU Router
Disassembled
memcpy()
![Page 95: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/95.jpg)
95
Attacking AUTOSAR’s PDU Router
Disassembled
memcpy()
We take control of the Program Counter (PC) during the copy!
![Page 96: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/96.jpg)
96
We have our own task. Now what?!
![Page 97: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/97.jpg)
97
Post Exploitation
![Page 98: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/98.jpg)
98
Post Exploitation
•Extract information (secrets)
![Page 99: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/99.jpg)
99
Post Exploitation
•Extract information (secrets)
•Analyze firmware dynamically
![Page 100: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/100.jpg)
100
Post Exploitation
•Extract information (secrets)
•Analyze firmware dynamically
•Perform additional attacks (e.g. side channel attack)
![Page 101: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/101.jpg)
101
Post Exploitation
•Extract information (secrets)
•Analyze firmware dynamically
•Perform additional attacks (e.g. side channel attack)
•Add (malicious) and/or change functionality
![Page 102: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/102.jpg)
102
Is all hope lost?
![Page 103: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/103.jpg)
103
Hardening AUTOSAR-based ECUs
![Page 104: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/104.jpg)
104
Hardening AUTOSAR-based ECUs
•Adhere to (automotive) security guidelines/standards
![Page 105: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/105.jpg)
105
Hardening AUTOSAR-based ECUs
•Adhere to (automotive) security guidelines/standards
•Make use of strong (hardware-based) security
![Page 106: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/106.jpg)
106
Hardening AUTOSAR-based ECUs
•Adhere to (automotive) security guidelines/standards
•Make use of strong (hardware-based) security
•Minimize attack surface and increase attack complexity
![Page 107: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/107.jpg)
107
Hardening AUTOSAR-based ECUs
•Adhere to (automotive) security guidelines/standards
•Make use of strong (hardware-based) security
•Minimize attack surface and increase attack complexity
•Consult internal/external embedded security experts
![Page 108: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/108.jpg)
108
To wrap up…
![Page 109: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/109.jpg)
109
Takeaways
![Page 110: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/110.jpg)
110
Takeaways
•Devices (incl. AUTOSAR-based ECUs) will be hacked
![Page 111: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/111.jpg)
111
Takeaways
•Devices (incl. AUTOSAR-based ECUs) will be hacked
•Not AUTOSAR’s fault!
![Page 112: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/112.jpg)
112
Takeaways
•Devices (incl. AUTOSAR-based ECUs) will be hacked
•Not AUTOSAR’s fault!
•No (known) software vulnerabilities ≠ secure
![Page 113: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/113.jpg)
113
Takeaways
•Devices (incl. AUTOSAR-based ECUs) will be hacked
•Not AUTOSAR’s fault!
•No (known) software vulnerabilities ≠ secure
•Hardware attacks are efficient and do scale
![Page 115: Attacking AUTOSAR using Software and Hardware Attacks · 88 Attacking AUTOSAR’sPDU router •Step 1: Send an ISO-TP CAN message (< 4096 bytes) •Step 2: We inject the glitch when](https://reader033.fdocuments.in/reader033/viewer/2022052519/5f1f96dabf8ab064bd6ec5a5/html5/thumbnails/115.jpg)
115
Challenge your security
Riscure B.V.
Frontier Building, Delftechpark 49
2628 XJ Delft
The Netherlands
Phone: +31 15 251 40 90
Riscure North America
550 Kearny St., Suite 330
San Francisco, CA 94108 USA
Phone: +1 650 646 99 79
Riscure China
Room 2030-31, No. 989, Changle Road, Shanghai 200031
China
Phone: +86 21 5117 5435