Combinatorial Testing Methods for Reverse Engineering Undocumented CAN Bus Functionality
ARES '24: Proceedings of the 19th International Conference on Availability, Reliability and Security
Article No.: 37, Pages 1 - 7
Abstract
Modern vehicles such as cars, ships, and planes are increasingly managed using Electronic Control Units (ECUs) that communicate over a Controller Area Network (CAN) bus. While this approach offers enhanced functionality, efficiency, and robustness, it may also be used for unforeseen or malicious purposes ranging from aftermarket modifications to full-fledged attacks threatening passengers’ safety. The ability to conduct in-depth tests is thus vital to protect against these issues. However, much of the functionality of ECUs is proprietary or undocumented. To alleviate this obstacle, this work presents a reverse engineering approach using high-coverage test sets produced using Combinatorial Testing (CT) methods. Our results indicate that this technique is promising for exciting unknown functionality, although challenges regarding the presence of hidden state and high-accuracy oracles are yet to be overcome.
References
[1]
Marc Brinkmann. 2016. Rust SocketCAN. https://github.com/socketcan-rs/socketcan-rs Accessed on 2023-07-17.
[2]
Council of European Union. 2019. REGULATION (EU) 2019/2144 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 November 2019 on type-approval requirements for motor vehicles and their trailers, and systems, components and separate technical units intended for such vehicles, as regards their general safety and the protection of vehicle occupants and vulnerable road users, amending Regulation (EU) 2018/858 of the European Parliament and of the Council and repealing Regulations (EC) No 78/2009, (EC) No 79/2009 and (EC) No 661/2009 of the European Parliament and of the Council and Commission Regulations (EC) No 631/2009, (EU) No 406/2010, (EU) No 672/2010, (EU) No 1003/2010, (EU) No 1005/2010, (EU) No 1008/2010, (EU) No 1009/2010, (EU) No 19/2011, (EU) No 109/2011, (EU) No 458/2011, (EU) No 65/2012, (EU) No 130/2012, (EU) No 347/2012, (EU) No 351/2012, (EU) No 1230/2012 and (EU) 2015/166. https://eur-lex.europa.eu/eli/reg/2019/2144/oj.
[3]
Alex Drozhzhin. 2015. Black Hat USA 2015: The full story of how that Jeep was hacked. Kaspersky Daily (2015). https://www.kaspersky.com/blog/blackhat-jeep-cherokee-hack-explained/9493/ Accessed on 2023-07-17.
[4]
Jürgen Dürrwang, Johannes Braun, Marcel Rumez, Reiner Kriesten, and Alexander Pretschner. 2018. Enhancement of Automotive Penetration Testing with Threat Analyses Results. SAE International Journal of Transportation Cybersecurity and Privacy 1, 2 (nov 2018), 91–112. https://doi.org/10.4271/11-01-02-0005
[5]
Christof Ebert and John Favaro. 2017. Automotive Software. IEEE Software 34, 3 (2017), 33–39. https://doi.org/10.1109/MS.2017.82
[6]
Thomas Fischl. 2023. USBtin - USB to CAN interface. https://www.fischl.de/usbtin/ Accessed on 2023-07-17.
[7]
Daniel S. Fowler, Jeremy Bryans, Siraj Ahmed Shaikh, and Paul Wooderson. 2018. Fuzz Testing for Automotive Cyber-Security. In 2018 48th Annual IEEE/IFIP International Conference on Dependable Systems and Networks Workshops (DSN-W). 239–246. https://doi.org/10.1109/DSN-W.2018.00070
[8]
Bernhard Garn, Jovan Zivanovic, Manuel Leithner, and Dimitris E. Simos. 2022. Combinatorial methods for dynamic gray-box SQL injection testing. Software Testing, Verification and Reliability 32, 6 (2022), e1826. https://doi.org/10.1002/stvr.1826
[9]
Andy Greenberg. 2015. Hackers Remotely Kill a Jeep on the Highway - With Me in It. Wired (2015). https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/ Accessed on 2023-07-17.
[10]
Holger Heinemann. 2018. Fending Off Cyber Attacks – Hardening ECUs by Fuzz Testing. Technical Report. Vector Informatik GmbH. Accessed in the translated version.
[11]
Thomas Huybrechts, Yon Vanommeslaeghe, Dries Blontrock, Gregory Van Barel, and Peter Hellinckx. 2018. Automatic Reverse Engineering of CAN Bus Data Using Machine Learning Techniques. In Advances on P2P, Parallel, Grid, Cloud and Internet Computing, Fatos Xhafa, Santi Caballé, and Leonard Barolli (Eds.). Springer International Publishing, Cham, 751–761.
[12]
ISO Central Secretary. 2004. Road vehicles — Diagnostics on Controller Area Networks (CAN) — Part 3: Implementation of unified diagnostic services (UDS on CAN). Standard ISO 15765-3:2004. International Organization for Standardization, Geneva, CH. https://www.iso.org/standard/66574.html
[13]
ISO Central Secretary. 2015. Road vehicles – Controller area network (CAN) – Part 1: Data link layer and physical signalling. Standard ISO 11898-1:2015. International Organization for Standardization, Geneva, CH. https://www.iso.org/standard/63648.html
[14]
Ludwig Kampel, Bernhard Garn, and Dimitris E. Simos. 2017. Combinatorial Methods for Modelling Composed Software Systems. In 2017 IEEE International Conference on Software Testing, Verification and Validation Workshops (ICSTW). 229–238. https://doi.org/10.1109/ICSTW.2017.43
[15]
Ludwig Kampel, Paris Kitsos, and Dimitris E. Simos. 2022. Locating Hardware Trojans Using Combinatorial Testing for Cryptographic Circuits. IEEE Access 10 (2022), 18787–18806. https://doi.org/10.1109/ACCESS.2022.3151378
[16]
Florian Klueck, Yihao Li, Mihai Nica, Jianbo Tao, and Franz Wotawa. 2018. Using Ontologies for Test Suites Generation for Automated and Autonomous Driving Functions. In 2018 IEEE International Symposium on Software Reliability Engineering Workshops (ISSREW). 118–123. https://doi.org/10.1109/ISSREW.2018.00-20
[17]
Karl Koscher, Alexei Czeskis, Franziska Roesner, Shwetak Patel, Tadayoshi Kohno, Stephen Checkoway, Damon McCoy, Brian Kantor, Danny Anderson, Hovav Shacham, and Stefan Savage. 2010. Experimental Security Analysis of a Modern Automobile. In 2010 IEEE Symposium on Security and Privacy. 447–462. https://doi.org/10.1109/SP.2010.34
[18]
Manuel Leithner, Bernhard Garn, and Dimitris E Simos. 2021. HYDRA: Feedback-driven black-box exploitation of injection vulnerabilities. Information and Software Technology 140 (2021), 106703.
[19]
Charlie Miller and Chris Valasek. 2015. Remote Exploitation of an Unaltered Passenger Vehicle. Technical Report. IOActive.
[20]
Robert Bosch GmbH 1991. CAN Specification. Version 2.0. Robert Bosch GmbH, D-7000 Stuttgart 30.
[21]
Christoph Schmittner, Zhendong Ma, Carolina Reyes, Oliver Dillinger, and Peter Puschner. 2016. Using SAE J3061 for Automotive Security Requirement Engineering. In Computer Safety, Reliability, and Security, Amund Skavhaug, Jérémie Guiochet, Erwin Schoitsch, and Friedemann Bitsch (Eds.). Springer International Publishing, Cham, 157–170.
[22]
Jianbo Tao, Yihao Li, Franz Wotawa, Hermann Felbinger, and Mihai Nica. 2019. On the Industrial Application of Combinatorial Testing for Autonomous Driving Functions. In 2019 IEEE International Conference on Software Testing, Verification and Validation Workshops (ICSTW). 234–240. https://doi.org/10.1109/ICSTW.2019.00058
[23]
OpenCV team. [n. d.]. OpenCv. https://opencv.org/ Accessed on 2023-07-25.
[24]
Ken Tindell. [n. d.]. The canframe.py tool. https://kentindell.github.io/2020/01/03/canframe_py_tool/ Accessed on 2023-08-01.
[25]
twistedfall. 2023. opencv-rust. https://github.com/twistedfall/opencv-rust Accessed on 2023-07-25.
[26]
Michael Wagner, Kristoffer Kleine, Dimitris E Simos, Rick Kuhn, and Raghu Kacker. 2020. CAGEN: A fast combinatorial test generation tool with support for constraints and higher-index arrays. In 2020 IEEE International Conference on Software Testing, Verification and Validation Workshops (ICSTW). IEEE, 191–200.
[27]
N. Weiß, E. Pozzobon, J. Mottok, and V. Matousek. 201. Atomated Reverse Engineering Of Can Protocols. In Neural Network World Volume. Issue 3. https://doi.org/10.4311/NNW.2021.31.015
[28]
Timothy Werquin, Mathijs Hubrechtsen, Ashok Thangarajan, Frank Piessens, and Jan Tobias Mühlberg. 2021. Automated Fuzzing of Automotive Control Units. CoRR abs/2102.12345 (2021). arXiv:2102.12345https://arxiv.org/abs/2102.12345
[29]
Franz Wotawa, Josip Bozic, and Yihao Li. 2020. Ontology-based Testing: An Emerging Paradigm for Modeling and Testing Systems and Software. In 2020 IEEE International Conference on Software Testing, Verification and Validation Workshops (ICSTW). 14–17. https://doi.org/10.1109/ICSTW50294.2020.00020
[30]
Raphael Yuster. 2020. Perfect sequence covering arrays. Designs, Codes and Cryptography 88, 3 (2020), 585–593.
[31]
Andreas Zeller, Rahul Gopinath, Marcel Böhme, Gordon Fraser, and Christian Holler. 2023. The Fuzzing Book. CISPA Helmholtz Center for Information Security. https://www.fuzzingbook.org/ Retrieved 2023-01-07 14:37:57+01:00.
Index Terms
- Combinatorial Testing Methods for Reverse Engineering Undocumented CAN Bus Functionality
Index terms have been assigned to the content through auto-classification.
Recommendations
An in-vehicle embedded system for can-bus events monitoring
ITS applications usually involve inter-vehicle communication as a medium to exchange information between vehicles experiencing undesirable and/or dangerous situations (e.g., traffic jam, accident, or bad road conditions) and other surrounding vehicles. ...
Characterizing the "Driver DNA" Through CAN Bus Data Analysis
CarSys '17: Proceedings of the 2nd ACM International Workshop on Smart, Autonomous, and Connected Vehicular Systems and ServicesPeople's driving behavior is influenced by different human and environmental factors, and several attempts to characterize it have been proposed. Nowadays, the standardization of the CAN bus and the increase of the electronic components units in modern ...
High Positioned Brake Reminder System Based on CAN Bus
PACCS '09: Proceedings of the 2009 Pacific-Asia Conference on Circuits, Communications and SystemsIn order to reduce the vehicle rear collisions and the damage degrees on passengers, we adopt the dot matrix display technology and the vehicle high positioned brake reminder technology based on CAN bus. The designed high positioned brake reminder ...
Comments
Information & Contributors
Information
Published In
July 2024
2032 pages
ISBN:9798400717185
DOI:10.1145/3664476
Copyright © 2024 ACM.
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
Published: 30 July 2024
Check for updates
Qualifiers
- Short-paper
- Research
- Refereed limited
Funding Sources
- Österreichische Forschungsförderungsgesellschaft
Conference
ARES 2024
ARES 2024: The 19th International Conference on Availability, Reliability and Security
July 30 - August 2, 2024
Vienna, Austria
Acceptance Rates
Overall Acceptance Rate 228 of 451 submissions, 51%
Contributors
Other Metrics
Bibliometrics & Citations
Bibliometrics
Article Metrics
- 0Total Citations
- 47Total Downloads
- Downloads (Last 12 months)47
- Downloads (Last 6 weeks)22
Reflects downloads up to 07 Mar 2025
Other Metrics
Citations
View Options
Login options
Check if you have access through your login credentials or your institution to get full access on this article.
Sign inFull Access
View options
View or Download as a PDF file.
PDFeReader
View online with eReader.
eReaderHTML Format
View this article in HTML Format.
HTML Format