Skip to main content
SpringerLink
Log in

AVSDA: Autonomous Vehicle Security Decay Assessment

  • Conference paper
  • First Online:
Risks and Security of Internet and Systems (CRiSIS 2021)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 13204))

Included in the following conference series:

Abstract

Security practices become weaker over time as attackers’ capabilities evolve. Security decay within vehicle software systems can have devastating consequences as it can pose a direct threat to people’s lives. Thus, it is crucial to monitor the changing threat level on vehicles during their full lifespan. We present an Autonomous Vehicle Security Decay Assessment (AVSDA) framework that analyzes and predicts the system’s security risk over vehicles’ lifespan. The framework analyzes vulnerable software components periodically and estimates the security risk level to identify security decay. AVSDA employs several metrics specifically designed for autonomous vehicle systems to automatically identify potentially weak components and quantify security risk. We evaluate the framework on OpenPilot, an autonomous driving system. The case study demonstrates the effectiveness of the AVSDA framework in identifying security decay over time. The results show an accuracy rate of 94% and a recall rate of 78%, outperforming all other known metrics by at least 50%.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 44.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 59.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    We define specific level values to rate the risk. These values are identified to reflect the level of risk and enable quantitative measurement. Different risk values have comparable ranges to reflect various risk levels accurately. Consistently, the highest risk level between different parameters has a value of 8, and the lowest has 1. In between these two levels, values are assigned depending on the number of medium levels (e.g., one medium level assigned value 3, two medium levels assigned values 4 and 2). Security engineers can assign other values but have to follow the same approach assuring proportional ranges in the risk values of different levels.

  2. 2.

    Security experts can change these values if needed.

References

  1. AUTOSAR enabling continuous innovations. https://www.autosar.org/

  2. Black hat USA 2015: The full story of how that jeep was hacked. https://www.kaspersky.com/blog/blackhat-jeep-cherokee-hack-explained/9493/

  3. ISO/IEC 18045:2005 information technology - security techniques - methodology for it security evaluation. https://www.iso.org/standard/30830.html

  4. ISO/SAE 21434 road vehicles cybersecurity engineering. https://www.iso.org/standard/70918.html

  5. Openpilot. https://comma.ai/

  6. Openpilot source code. https://github.com/commaai/openpilot

  7. Society of automotive engineers. https://www.sae.org/

  8. UNECE WP.29-Introduction. https://unece.org/wp29-introduction

  9. What is MISRA? https://www.misra.org.uk/MISRAHome/WhatisMISRA/tabid/66/Default.aspx

  10. What is the ISO 26262 functional safety standard? https://www.ni.com/en-ca/innovations/white-papers/11/what-is-the-iso-26262-functional-safety-standard-.html

  11. Alberts, C.J., Dorofee, A.J.: Managing Information Security Risks: The OCTAVE Approach. Addison-Wesley Professional, Boston (2003)

    Google Scholar 

  12. Antinyan, V., Staron, M., Sandberg, A.: Evaluating code complexity triggers, use of complexity measures and the influence of code complexity on maintenance time. Empir. Softw. Eng. 22(6), 3057–3087 (2017). https://doi.org/10.1007/s10664-017-9508-2

    Article  Google Scholar 

  13. Ben Othmane, L., Ranchal, R., Fernando, R., Bhargava, B., Bodden, E.: Incorporating attacker capabilities in risk estimation and mitigation. Comput. Secur. 51, 41–61 (2015)

    Article  Google Scholar 

  14. Burton, S., Likkei, J., Vembar, P., Wolf, M.: Automotive functional safety = safety + security. In: Proceedings of the First International Conference on Security of Internet of Things, pp. 150–159 (2012)

    Google Scholar 

  15. Chowdhury, I., Zulkernine, M.: Using complexity, coupling, and cohesion metrics as early indicators of vulnerabilities. J. Syst. Architect. 57(3), 294–313 (2011)

    Article  Google Scholar 

  16. SAE Vehicle Electrical System Security Committee: SAE j3061-cybersecurity guidebook for cyber-physical automotive systems. SAE-Society of Automotive Engineers (2016)

    Google Scholar 

  17. Durisic, D., Nilsson, M., Staron, M., Hansson, J.: Measuring the impact of changes to the complexity and coupling properties of automotive software systems. J. Syst. Softw. 86(5), 1275–1293 (2013)

    Article  Google Scholar 

  18. Giger, E., Pinzger, M., Gall, H.C.: Comparing fine-grained source code changes and code churn for bug prediction. In: Proceedings of the 8th Working Conference on Mining Software Repositories, pp. 83–92 (2011)

    Google Scholar 

  19. Henniger, O., Apvrille, L., Fuchs, A., Roudier, Y., Ruddle, A., Weyl, B.: Security requirements for automotive on-board networks. In: 2009 9th International Conference on Intelligent Transport Systems Telecommunications, (ITST), pp. 641–646 (2009)

    Google Scholar 

  20. Islam, M.M., Lautenbach, A., Sandberg, C., Olovsson, T.: A risk assessment framework for automotive embedded systems. In: Proceedings of the 2nd ACM International Workshop on Cyber-Physical System Security, pp. 3–14 (2016)

    Google Scholar 

  21. Kotenko, I., Chechulin, A.: A cyber attack modeling and impact assessment framework. In: 2013 5th International Conference on Cyber Conflict (CYCON 2013), pp. 1–24. IEEE (2013)

    Google Scholar 

  22. Macher, G., Armengaud, E., Brenner, E., Kreiner, C.: A review of threat analysis and risk assessment methods in the automotive context. In: Skavhaug, A., Guiochet, J., Bitsch, F. (eds.) SAFECOMP 2016. LNCS, vol. 9922, pp. 130–141. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-45477-1_11

    Chapter  Google Scholar 

  23. Macher, G., Armengaud, E., Brenner, E., Kreiner, C.: Threat and risk assessment methodologies in the automotive domain. Procedia Comput. Sci. 83, 1288–1294 (2016)

    Article  Google Scholar 

  24. Manadhata, P.K., Wing, J.M.: An attack surface metric. IEEE Trans. Software Eng. 37(3), 371–386 (2010)

    Article  Google Scholar 

  25. Medeiros, N., Ivaki, N., Costa, P., Vieira, M.: Software metrics as indicators of security vulnerabilities. In: 2017 IEEE 28th International Symposium on Software Reliability Engineering (ISSRE), pp. 216–227. IEEE (2017)

    Google Scholar 

  26. Mössinger, J.: Software in automotive systems. IEEE Softw. 27(2), 92–94 (2010)

    Article  Google Scholar 

  27. Moukahal, L., Zulkernine, M.: Security vulnerability metrics for connected vehicles. In: 2019 IEEE 19th International Conference on Software Quality, Reliability and Security Companion (QRS-C), pp. 17–23 (2019)

    Google Scholar 

  28. Moukahal, L.J., Elsayed, M.A., Zulkernine, M.: Vehicle software engineering (VSE): research and practice. IEEE Internet Things J. 7(10), 10137–10149 (2020)

    Article  Google Scholar 

  29. Nighswander, T., Ledvina, B., Diamond, J., Brumley, R., Brumley, D.: GPS software attacks. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security, pp. 450–461 (2012)

    Google Scholar 

  30. Ruddle, A., et al.: Deliverable D2.3: security requirements for automotive on-board networks based on dark-side scenarios. EVITA Project (2009)

    Google Scholar 

  31. Salfer, M., Eckert, C.: Attack surface and vulnerability assessment of automotive electronic control units. In: 2015 12th International Joint Conference on E-Business and Telecommunications (ICETE), vol. 4, pp. 317–326. IEEE (2015)

    Google Scholar 

  32. Shin, Y., Meneely, A., Williams, L., Osborne, J.A.: Evaluating complexity, code churn, and developer activity metrics as indicators of software vulnerabilities. IEEE Trans. Software Eng. 37(6), 772–787 (2010)

    Article  Google Scholar 

  33. Sommer, F., Dürrwang, J., Kriesten, R.: Survey and classification of automotive security attacks. Information 10(4), 148 (2019)

    Article  Google Scholar 

  34. Tangade, S.S., Manvi, S.S.: A survey on attacks, security and trust management solutions in VANETs. In: 2013 Fourth International Conference on Computing, Communications and Networking Technologies (ICCCNT), pp. 1–6. IEEE (2013)

    Google Scholar 

  35. Thing, V.L., Wu, J.: Autonomous vehicle security: a taxonomy of attacks and defences. In: 2016 IEEE International Conference on Internet of Things (iThings) and IEEE Green Computing and Communications (GreenCom) and IEEE Cyber, Physical and Social Computing (CPSCom) and IEEE Smart Data (SmartData), pp. 164–170. IEEE (2016)

    Google Scholar 

Download references

Acknowledgment

This work is partially supported by Irdeto, the Natural Sciences and Engineering Research Council of Canada (NSERC), and the Canada Research Chairs (CRC) program.

Author information

Authors and Affiliations

  1. Queen’s University, Kingston, Canada

    Lama Moukahal & Mohammad Zulkernine

  2. Irdeto, Ottawa, Canada

    Martin Soukup

Authors
  1. Lama Moukahal
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Mohammad Zulkernine
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Martin Soukup
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Lama Moukahal .

Editor information

Editors and Affiliations

  1. University of Kansas, Lawrence, KS, USA

    Bo Luo

  2. University of Bordeaux, Bordeaux, France

    Mohamed Mosbah

  3. Polytechnique Montréal, Montréal, QC, Canada

    Frédéric Cuppens

  4. Iowa State University, Iowa Ciy, IA, USA

    Lotfi Ben Othmane

  5. Polytechnique Montréal, Montréal, QC, Canada

    Nora Cuppens

  6. University of Sfax, Sfax, Tunisia

    Slim Kallel

Rights and permissions

Reprints and permissions

Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Moukahal, L., Zulkernine, M., Soukup, M. (2022). AVSDA: Autonomous Vehicle Security Decay Assessment. In: Luo, B., Mosbah, M., Cuppens, F., Ben Othmane, L., Cuppens, N., Kallel, S. (eds) Risks and Security of Internet and Systems. CRiSIS 2021. Lecture Notes in Computer Science, vol 13204. Springer, Cham. https://doi.org/10.1007/978-3-031-02067-4_2

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-02067-4_2

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-02066-7

  • Online ISBN: 978-3-031-02067-4

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation