Abstract
We are rethinking the decades-old design of the CAN bus by incorporating reactive defense capabilities in it. While its reliability and cost-effectiveness turned CAN into the most widely used in-vehicle communication interface, its topology, physical layer and arbitration mechanism make it impossible to prevent certain types of adversarial activities on the bus. For example, DoS attacks cannot be stopped as the physical layer gives equal rights to all the connected ECUs, and an adversary may exploit this by flooding the network with high-priority frames or by causing transmission errors that may move honest ECUs into the bus-off state. In response to this, we propose a reactive mechanism based on relays placed along the bus that will change the network topology in case of an attack, i.e., a moving target defense mechanism, allowing a bus guardian to filter and redirect legitimate traffic. We take care of physical properties of the bus and keep the 120 Ω load constant at the end of the lines whenever relays are triggered to modify the topology of the bus. We build a proof-of-concept implementation and test it in a laboratory setup with automotive-grade controllers, demonstrating its functionality over collected real-world in-vehicle traffic. Our experiments show that despite short-term disturbances when the relays are triggered, the frame loss is effectively zero.
Original language | English |
---|---|
Title of host publication | Proceedings of the 30th USENIX Security Symposium |
Publisher | USENIX Association |
Pages | 4259-4276 |
Number of pages | 18 |
ISBN (Electronic) | 9781939133243 |
State | Published - 1 Jan 2021 |
Event | 30th USENIX Security Symposium, USENIX Security 2021 - Virtual, Online. Duration: 11 Aug 2021 → 13 Aug 2021 |
Conference
Conference | 30th USENIX Security Symposium, USENIX Security 2021 |
---|---|
City | Virtual, Online |
Period | 11/08/21 → 13/08/21 |
ASJC Scopus subject areas
- Computer Networks and Communications
- Information Systems
- Safety, Risk, Reliability and Quality