VulCAN: Efficient Component Authentication and Software Isolation for Automotive Control Networks


Modern cars are operated via an internal network of more than 50 Electronic Control Units. Recent incidents have shown such ECUs to be vulnerable to various kinds of remote attacks, which threatens the safety of passengers and other road users alike. While recent standardization and research efforts address security, few security mechanisms are implemented in current cars. In this video we demonstrate VulCAN, a lightweight and efficient framework for implementing industry standard-compliant and secure vehicular communication, based on embedded trusted computing. We use the open-source Sancus hardware-level security architecture to establish trust in a simplified traction control system.

Our demo system consists of a number of ECUs; some represent sensors or actuators at the wheels, while others perform centralized processing tasks. All ECUs are interconnected via a Controller Area Network, the blue cable in our demo setup. CAN is the most prevalent network in vehicles, and enables ECUs to jointly operate the car's overall behavior and safety-critical functionality. To demonstrate real-world applicability, we connected two off-the-shelf instrument clusters.

An important feature of VulCAN is software extensibility by multiple, distrusting remote software providers. We therefore organized our demo application as a distributed set of trusted software components, which are compiled on a PC and subsequently deployed over an untrusted network to the ECUs. Untrusted support software on the participating ECUs loads and schedules the trusted components, while their authenticity can be established at runtime through a process known as remote attestation.

The black keypad abstracts genuine driver interaction via steering wheel and brake pedals. Inputs from this keypad are processed on a central ECU, which reacts by sending control messages over the CAN bus. CAN is a broadcast medium: anyone connected to the bus can see or even modify these messages. We show this by recording all traffic on the PC. ECUs at the wheels or within the instrument clusters react upon receiving control messages.

Many attacks against automotive control networks rely on an attacker with access to the CAN bus to inject arbitrary messages. In our demo we even go one step further and assume a powerful attacker that also executes software on the crucial central ECU. These attacker interactions are triggered by the red keypad. Under attack, the left and the right side of the setup behave differently. The right side shows how a car without our security solution would react: as the attacker sends messages to activate the direction indicators and to display a high engine speed, the right instrument cluster and ECUs accept and display the spoofed values. Our vulcanized components on the left side accept authenticated messages only, and indeed reject the attacker's messages.

We demonstrate how unmodified legacy devices without Sancus can be transparently shielded. For this, we connect a second instrument cluster to a VulCAN gateway, which forwards authenticated messages from the untrusted blue CAN bus over the yellow private CAN bus. The gateway ensures that attacker messages are rejected. The driver can even be notified of an ongoing attack by triggering a warning indicator in the dashboard.

Our demo illustrates that vulcanized software components never react to injected messages for which authenticity and freshness cannot be verified. Even a powerful attacker with code execution abilities on ECUs will not be able to extract the required cryptographic keys to construct such authenticated messages, due to the strong isolation guarantees provided by the underlying Sancus architecture. Yet, such an attacker may harm availability by monopolizing an ECU or by performing denial-of-service attacks against the network, which are domains of active ongoing research at DistriNet.

Since we value both research transparency and reproducibility, we open-sourced all of our hardware designs, plus the complete software stack, and a simulator. For more info, and related research efforts, visit the VulCAN and Sancus websites/GitHub pages linked below.
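The narration above states the two properties a vulcanized receiver checks before reacting to a CAN message, authenticity and freshness, and describes a gateway that forwards only verified messages to a legacy device on a private bus. The following is an added example, not VulCAN's or Sancus's own code, that models those checks in Python. Everything about the wire format is an assumption made for the illustration: a message is sent as a data frame followed by an authentication frame carrying a 4-byte monotonic counter and a 4-byte truncated MAC, and HMAC-SHA256 stands in for the hardware MAC the page attributes to Sancus. The key, CAN identifiers and payloads are constructed demo values.

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import Optional

# Assumed (not VulCAN's) frame layout for this illustration.
TAG_LEN = 4      # truncated MAC carried in the authentication frame
COUNTER_LEN = 4  # per-identifier monotonic counter, giving freshness


@dataclass(frozen=True)
class CanFrame:
    can_id: int
    data: bytes  # at most 8 bytes, as on classic CAN


def _compute_tag(key: bytes, can_id: int, counter: int, payload: bytes) -> bytes:
    """Keyed MAC over identifier, counter and payload. Binding the CAN id and
    the counter into the MAC means a tag cannot be moved to another id or
    re-used for an older message. HMAC-SHA256 stands in for a hardware MAC."""
    msg = can_id.to_bytes(4, "big") + counter.to_bytes(COUNTER_LEN, "big") + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


class AuthenticSender:
    """A trusted component that signs every control message it sends."""

    def __init__(self, key: bytes):
        self._key = key
        self._counter = 0

    def send(self, can_id: int, payload: bytes) -> tuple[CanFrame, CanFrame]:
        assert len(payload) <= 8, "classic CAN payload limit"
        self._counter += 1  # never re-used, so replays are detectable
        tag = _compute_tag(self._key, can_id, self._counter, payload)
        data_frame = CanFrame(can_id, payload)
        auth_frame = CanFrame(can_id + 1, self._counter.to_bytes(COUNTER_LEN, "big") + tag)
        return data_frame, auth_frame


class AuthenticReceiver:
    """A vulcanized receiver: reacts only to messages that are both authentic
    (correct MAC under the shared key) and fresh (counter strictly increasing)."""

    def __init__(self, key: bytes):
        self._key = key
        self._last_counter: dict[int, int] = {}

    def receive(self, data_frame: CanFrame, auth_frame: CanFrame) -> Optional[bytes]:
        if auth_frame.can_id != data_frame.can_id + 1 or len(auth_frame.data) != COUNTER_LEN + TAG_LEN:
            return None  # malformed pairing
        counter = int.from_bytes(auth_frame.data[:COUNTER_LEN], "big")
        tag = auth_frame.data[COUNTER_LEN:]
        if counter <= self._last_counter.get(data_frame.can_id, 0):
            return None  # replayed or stale message
        expected = _compute_tag(self._key, data_frame.can_id, counter, data_frame.data)
        if not hmac.compare_digest(expected, tag):
            return None  # forged (wrong key) or tampered payload
        self._last_counter[data_frame.can_id] = counter  # commit only after both checks pass
        return data_frame.data


class Gateway:
    """Shields a legacy device: verifies frames from the untrusted bus and
    relays only the accepted data frames onto a private bus."""

    def __init__(self, key: bytes):
        self._receiver = AuthenticReceiver(key)
        self.private_bus: list[CanFrame] = []

    def forward(self, data_frame: CanFrame, auth_frame: CanFrame) -> bool:
        if self._receiver.receive(data_frame, auth_frame) is None:
            return False
        self.private_bus.append(data_frame)
        return True


def run_demo() -> dict[str, bool]:
    """Replays the demo scenario: genuine, replayed, spoofed and tampered messages."""
    key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed demo key
    indicator_id = 0x100  # constructed id for a direction-indicator message
    sender, wheel_ecu, gateway = AuthenticSender(key), AuthenticReceiver(key), Gateway(key)
    results: dict[str, bool] = {}

    genuine = sender.send(indicator_id, b"\x01")
    results["genuine_accepted"] = wheel_ecu.receive(*genuine) == b"\x01"
    results["gateway_forwards_genuine"] = gateway.forward(*genuine)
    results["replay_rejected"] = wheel_ecu.receive(*genuine) is None

    # An attacker on the bus without the key, using a high counter to defeat the freshness check.
    forged_tag = _compute_tag(b"attacker-guess", indicator_id, 99, b"\x01")
    spoof = (CanFrame(indicator_id, b"\x01"),
             CanFrame(indicator_id + 1, (99).to_bytes(COUNTER_LEN, "big") + forged_tag))
    results["spoof_rejected"] = wheel_ecu.receive(*spoof) is None
    results["gateway_drops_spoof"] = not gateway.forward(*spoof)

    # A genuine authentication frame re-attached to a modified payload.
    next_data, next_auth = sender.send(indicator_id, b"\x01")
    results["tamper_rejected"] = wheel_ecu.receive(CanFrame(indicator_id, b"\x02"), next_auth) is None
    results["later_genuine_accepted"] = wheel_ecu.receive(next_data, next_auth) == b"\x01"
    results["private_bus_clean"] = gateway.private_bus == [genuine[0]]
    return results


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

The receiver updates its stored counter only after both the freshness and the MAC check pass, so a rejected frame cannot move the window and lock out a later genuine message. What this model cannot show is the property the narration attributes to Sancus: an attacker executing code on the same ECU still cannot read the key, because it lives inside an isolated component rather than in ordinary process memory.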