Nuova ricerca


Dipartimento di Ingegneria "Enzo Ferrari"

Home | Didattica |


2023 - Are VANETs pseudonyms effective? An experimental evaluation of pseudonym tracking in adversarial scenario [Relazione in Atti di Convegno]
Gambigliani Zoccoli, G.; Stabili, D.; Marchetti, M.

With the increasing adoption of Vehicular Ad Hoc Networks (VANETs) for the development of Cooperative Intelligent Transportation Systems (C-ITS) many concerns regarding privacy and anonymity in VANETs have been raised by security researchers and practitioners, highlighting the need for effective mechanisms to protect sensitive information exchanged by connected vehicles. One of the first concerns is related to the vehicle's identifier, a field contained in the messages sent from the vehicle and that can be used to track the vehicle across the infrastructure, with consequent severe implications on the privacy of the driver. Consequently, VANET communications leverage short-lived pseudonyms instead of persistent vehicle's identifiers, aiming to enhance the privacy of the vehicle. Pseudonym change schemes proposed in the literature are effective in masking the real sender of a given message, but they do not guarantee privacy against attackers that can monitor and correlate multiple messages among themselves. This paper evaluates 5 different pseudonym change mechanisms against a realistic threat model. Our results demonstrate that it is possible for a realistic attacker to reliably track multiple vehicles, with minor differences across different pseudonym change schemes.

2022 - Comparison of Machine Learning-based anomaly detectors for Controller Area Network [Relazione in Atti di Convegno]
Venturi, A.; Stabili, D.; Pollicino, F.; Bianchi, E.; Marchetti, M.

This paper presents a comparative analysis of different Machine Learning-based detection algorithms designed for Controller Area Network (CAN) communication on three different datasets. This work focuses on addressing the current limitations of related scientific literature, related to the quality of the publicly available datasets and to the lack of public implementations of the detection solutions presented in literature. Since these issues are preventing the reproducibility of published results and their comparison with novel detection solutions, we remark that it is necessary that all security researchers working in this field start to address them properly to advance the current state-of-the-art in CAN intrusion detection systems. This paper strives to solve these issues by presenting a comparison of existing works on publicly available datasets.

2022 - DAGA: Detecting Attacks to in-vehicle networks via n-Gram Analysis [Articolo su rivista]
Stabili, D.; Ferretti, L.; Andreolini, M.; Marchetti, M.

Recent research showcased several cyber-attacks against unmodified licensed vehicles, demonstrating the vulnerability of their internal networks. Many solutions have already been proposed by industry and academia, aiming to detect and prevent cyber-attacks targeting in-vehicle networks. The majority of these proposals borrow security algorithms and techniques from the classical ICT domain, and in many cases they do not consider the inherent limitations of legacy automotive protocols and resource-constrained microcontrollers. This paper proposes DAGA, an anomaly detection algorithm for in-vehicle networks exploiting n-gram analysis. DAGA only uses sequences of CAN message IDs for the definition of the n-grams used in the detection process, without requiring the content of the payload or other CAN message fields. The DAGA framework allows the creation of detection models characterized by different memory footprints, allowing their deployment on microcontrollers with different hardware constraints. Experimental results based on three prototype implementations of DAGA showcase the trade off between hardware requirements and detection performance. DAGA outperforms the state-of-the-art detectors on the most performing microcontrollers, and can execute with lower performance on simple microcontrollers that cannot support the vast majority of IDS approaches proposed in literature. As additional contributions, we publicly release the full dataset and our reference DAGA implementations.

2022 - SixPack v2: enhancing SixPack to avoid last generation misbehavior detectors in VANETs [Relazione in Atti di Convegno]
Zoccoli, G. G.; Pollicino, F.; Stabili, D.; Marchetti, M.

This paper proposes SixPack v2, an enhanced version of the SixPack attack that allows to evade even state-of-the-art misbehavior detection systems. As the original SixPack, SixPack v2 is a dynamic attack targeting other C-ITS entities by simulating the sudden activation of the braking system with consequent activation of the Anti-lock Braking System. SixPack v2 achieves better evasion by improving the main phases of the attack (FakeBrake, Recovery, and Rejoin) through a novel path-reconstruction algorithm that generates a more realistic representation of the real vehicle trajectory. We experimentally evaluate the evasion capabilities of SixPack v2 using the F2MD framework on the LuSTMini city scenario, and we compared the detection performance of the F2MD framework on both versions of SixPack. Results show that SixPack v2 evades detection with a significantly higher likelihood with respect to the initial version of the attack, even against the latest version of F2MD.

2021 - Accountable and privacy-aware flexible car sharing and rental services [Relazione in Atti di Convegno]
Pollicino, F.; Ferretti, L.; Stabili, D.; Marchetti, M.

The transportation sector is undergoing rapid changes to reduce pollution and increase life quality in urban areas. One of the most effective approaches is flexible car rental and sharing to reduce traffic congestion and parking space issues. In this paper, we envision a flexible car sharing framework where vehicle owners want to make their vehicles available for flexible rental to other users. The owners delegate the management of their vehicles to intermediate services under certain policies, such as municipalities or authorized services, which manage the due infrastructure and services that can be accessed by users. We investigate the design of an accountable solution that allow vehicles owners, who want to share their vehicles securely under certain usage policies, to control that delegated services and users comply with the policies. While monitoring users behavior, our approach also takes care of users privacy, preventing tracking or profiling procedures by other parties. Existing approaches put high trust assumptions on users and third parties, do not consider users' privacy requirements, or have limitations in terms of flexibility or applicability. We propose an accountable protocol that extends standard delegated authorizations and integrate it with Security Credential Management Systems (SCMS), while considering the requirements and constraints of vehicular networks. We show that the proposed approach represents a practical approach to guarantee accountability in realistic scenarios with acceptable overhead.

2021 - Hardware limitations to secure C-ITS: experimental evaluation and solutions [Articolo su rivista]
Pollicino, F.; Stabili, D.; Ferretti, L.; Marchetti, M.

Cooperative Intelligent Transportation Systems (C-ITS) improve driving experience and safety through secure Vehicular Ad-hoc NETworks (VANETs) that satisfy strict security and performance constraints. Relevant standards, such as the IEEE 1609.2, prescribe network-efficient cryptographic protocols to reduce communication latencies through a combination of the Elliptic Curve Qu-Vanstone (ECQV) implicit certificate scheme and the Elliptic Curve Digital Signature Algorithm (ECDSA). However, literature lacks open implementations and performance evaluations for vehicular systems. This paper assesses the applicability of IEEE 1609.2 and of ECQV and ECDSA schemes to C-ITSs. We release an open implementation of the standard ECQV scheme to benchmark its execution time on automotive-grade hardware. Moreover, we evaluate its performance in real road and traffic scenarios and show that compliance with strict latency requirements defined for C-ITS requires computational resources that are not met by many automotive-grade embedded hardware platforms. As a final contribution, we propose and evaluate novel heuristics to reduce the number of signatures to be verified in real C-ITS scenarios.

2021 - SixPack: Abusing ABS to avoid Misbehavior detection in VANETs [Relazione in Atti di Convegno]
Pollicino, F.; Stabili, D.; Bella, G.; Marchetti, M.

This paper presents SixPack, a cyber attack to VANET communications that is able to go undetected by the current state-of-the-art anomaly detectors. The SixPack attack is a dynamic attack conducted by an insider attacker who modifies the content of the Basic Safety Messages to pretend a sudden activation of the braking system with the consequent activation of the Anti-lock Braking System, and create a fake representation of the vehicle. The attacker then rejoins the fake representation of the vehicle with the real one, avoiding the current state-of-the-art anomaly detectors. We experimentally evaluated the evasion capabilities of the SixPack attack using the F2MD test framework on the LuST and LuSTMini city scenarios, demonstrating the ability of the attacker to generate a high percentage of false positives that prevent the attack from being detected consistently.

2020 - An experimental analysis of ECQV implicit certificates performance in VANETs [Relazione in Atti di Convegno]
Pollicino, F.; Stabili, D.; Ferretti, L.; Marchetti, M.

Emerging Cooperative Intelligent Transportation Systems (C-ITS) enable improved driving experience and safety guarantees, but require secure Vehicular Ad-hoc NETworks (VANETs) that must comply to strict performance constraints. Specialized standards have been defined to these aims, such as the IEEE 1609.2 that uses network-efficient cryptographic protocols to reduce communication latencies. The reduced latencies are achieved through a combination of the Elliptic Curve Qu-Vantstone (ECQV) implicit certificate scheme and the Elliptic Curve Digital Signature Algorithm (ECDSA), to guarantee data integrity and authenticity. However, literature lacks implementations and evaluations for vehicular systems. In this paper, we consider the IEEE 1609.2 standard for secure VANETs and investigate the feasibility of ECQV and ECDSA schemes when deployed in C-ITSs. We propose a prototype implementation of the standard ECQV scheme to evaluate its performance on automotive-grade hardware. To the best of our knowledge, this is the first open implementation of the scheme for constrained devices that are characterized by low computational power and low memory. We evaluate its performance against C-ITS communication latency constraints and show that, although even highly constrained devices can support the standard, complying with stricter requirements demands for higher computational resources.

2020 - Vehicle Safe-Mode, Concept to Practice Limp-Mode in the Service of Cybersecurity [Articolo su rivista]
Dagan, Tsvika; Montvelisky, Yuval; Marchetti, Mirco; Stabili, Dario; Colajanni, Michele; Wool, Avishai

This article describes both a concept and an implementation of vehicle safe-mode (VSM) - a mechanism that may help reduce the damage of an identified cyberattack to the vehicle, its driver, the passengers, and its surroundings. Unlike other defense mechanisms that try to block the attack or simply notify of its existence, the VSM mechanism responds to a detected intrusion by limiting the vehicle’s functionality to safe operations and optionally activating additional security countermeasures. This is done by adopting ideas from the existing mechanism of Limp-mode that was originally designed to limit the damage of a mechanical, or an electrical, malfunction and let the vehicle “limp back home” in safety. Like Limp-mode, the purpose of safe-mode is to limit the vehicle from performing certain functions when conditions arise that could render full operation dangerous: Detecting a malfunction in the Limp-mode case is analogous to detecting an active cybersecurity breach in the safe-mode case, and the reactions should be analogous as well. The authors demonstrate that the VSM can be implemented, possibly even as an aftermarket add-on: to do so the authors developed a proof-of-concept (PoC) system and actively tested it in real time on an operating vehicle. Once activated, the authors' VSM system restricts the vehicle to Limp-mode behavior by guiding it to remain in low gear, taking into account the vehicle’s speed and the driver’s actions. The authors' system does not require any changes to the electronic control units (ECUs), or to any other part of the vehicle, beyond connecting the safe-mode manager (SMManager) to the correct bus. The authors note that their system can rely upon any deployed anomaly-detection system to identify the potential attack. The authors point out that restricting the vehicle to Limp-mode-like behavior by an aftermarket system is just an example. If a car manufacturer would integrate such a system into a vehicle, they would have many more options, and the resulting system would probably be safer and with a better human-machine interface.

2019 - Detection of missing CAN messages through inter-arrival time analysis [Relazione in Atti di Convegno]
Stabili, D.; Marchetti, M.

Recent cyber-attacks to real vehicles demonstrated the risks related to connected vehicles, and spawned several research effort aimed at proposing algorithms and architectural solutions to improve the security of these vehicles. Most of the documented attacks to the connected vehicles require the injection of maliciously forged messages to subvert the normal behaviour of the electronic microcontrollers. More recently, researchers discovered that by abusing error isolation mechanisms of the Controller Area Network (CAN), one of the protocols deployed for in-vehicle networking, it is possible to isolate a microcontroller from the vehicle internal network (namely bus-off attack), with possible severe implication on both safety and security. This vulnerability has already been exploited for gaining remote control of a vehicle, by driving a targeted microcontroller in bus-off and impersonating it through the injection of malicious messages on the CAN bus. This paper strives to counter bus-off attacks by proposing an algorithm for the detection of missing messages from the in- vehicle CAN bus. Bus-off attacks to in-vehicle network are simulated by removing messages from valid CAN traces recorded from an unmodified licensed vehicle. Experimental evaluations of our proposal and comparisons with previous work demonstrate that the proposed algorithms outperforms other detection algorithms, achieving almost perfect detection (F-score equal or near to 1.0) across different tests.

2019 - READ: Reverse engineering of automotive data frames [Articolo su rivista]
Marchetti, M.; Stabili, D.

Security analytics and forensics applied to in-vehicle networks are growing research areas that gained relevance after recent reports of cyber-attacks against unmodified licensed vehicles. However, the application of security analytics algorithms and tools to the automotive domain is hindered by the lack of public specifications about proprietary data exchanged over in-vehicle networks. Since the controller area network (CAN) bus is the de-facto standard for the interconnection of automotive electronic control units, the lack of public specifications for CAN messages is a key issue. This paper strives to solve this problem by proposing READ: A novel algorithm for the automatic Reverse Engineering of Automotive Data frames. READ has been designed to analyze traffic traces containing unknown CAN bus messages in order to automatically identify and label different types of signals encoded in the payload of their data frames. Experimental results based on CAN traffic gathered from a licensed unmodified vehicle and validated against its complete formal specifications demonstrate that the proposed algorithm can extract and classify more than twice the signals with respect to the previous related work. Moreover, the execution time of signal extraction and classification is reduced by two orders of magnitude. Applications of READ to CAN messages generated by real vehicles demonstrate its usefulness in the analysis of CAN traffic.

2018 - Analyses of secure automotive communication protocols and their impact on vehicles life-cycle [Relazione in Atti di Convegno]
Stabili, D.; Ferretti, L.; Marchetti, M.

Modern vehicles are complex cyber physical systems where communication protocols designed for physically isolated networks are now employed to connect Internet-enabled devices. This unforeseen increase in connectivity creates novel attack surfaces, and exposes safety-critical functions of the vehicle to cyber attacks. As standard security solutions are not applicable to vehicles due to resource constraints and compatibility issues, research is proposing tailored approaches to cope with existing systems and to design next generations vehicles. In this paper we focus on solutions based on cryptographic protocols to protect in-vehicle communications and prevent unauthorized manipulation of the vehicle behaviors. Existing proposals consider vehicles as monolithic systems and evaluate performance and costs of the proposed solutions without considering the complex life-cycle of automotive components and the multifaceted automotive ecosystem that includes a large number of actors. The main contribution of this paper is a study of the impact of security solutions by considering vehicles life-cycle. We model existing proposals and highlight their impacts on vehicles production and maintenance operations by taking into consideration interactions among multiple players. Finally, we give insights on the requirements of architectures for secure intra-vehicular protocols.

2018 - Cybersecurity of Connected Autonomous Vehicles : A ranking based approach [Relazione in Atti di Convegno]
Burzio, G.; Cordella, G. F.; Colajanni, M.; Marchetti, M.; Stabili, D.

The concordant vision of the future automotive landscape foresees vehicles that are always connected to infrastructure and Cloud services, and that are equipped with autonomous driving or advanced driver assistance systems. It is clear that in a similar scenario cybersecurity of modern and future vehicles is paramount. With connected autonomous vehicles the protection from external attack will be an essential requirement, motivated by the outstanding safety implications of an autonomous vehicles remotely controlled by an attacker or a malware. However, the automotive industry still lacks reliable and repeatable methods to assess the cybersecurity level of modern cars. This paper has a twofold contribution. First, it describes the ongoing effort of regulatory bodies within the European Union toward the definition of cybersecurity certification schemes. Second, it outlines the main requirements of a cybersecurity ranking approach that is suitable for certifying the security level of connected vehicles. Since improved cybersecurity guarantees will come at the expense of increased complexity and costs, the proposed ranking approach allows to assess whether the cybersecurity level is appropriate by considering the potential safety risks of a successful attack to the ranked system or subsystem.

2017 - Anomaly detection of CAN bus messages through analysis of ID sequences [Relazione in Atti di Convegno]
Marchetti, Mirco; Stabili, Dario

This paper proposes a novel intrusion detection algorithm that aims to identify malicious CAN messages injected by attackers in the CAN bus of modern vehicles. The proposed algorithm identifies anomalies in the sequence of messages that flow in the CAN bus and is characterized by small memory and computational footprints, that make it applicable to current ECUs. Its detection performance are demonstrated through experiments carried out on real CAN traffic gathered from an unmodified licensed vehicle.

2017 - Detecting attacks to internal vehicle networks through Hamming distance [Relazione in Atti di Convegno]
Stabili, Dario; Marchetti, Mirco; Colajanni, Michele

Analysis of in-vehicle networks is an open research area that gained relevance after recent reports of cyber attacks against connected vehicles. After those attacks gained international media attention, many security researchers started to propose different algorithms that are capable to model the normal behaviour of the CAN bus to detect the injection of malicious messages. However, despite the automotive area has different constraint than classical IT security, many security research have been conducted by applying sophisticated algorithm used in IT anomaly detection, thus proposing solutions that are not applicable on current Electronic Control Units (ECUs). This paper proposes a novel intrusion detection algorithm that aims to identify malicious CAN messages injected by attackers in the CAN bus of modern vehicles. Moreover, the proposed algorithm has been designed and implemented with the very strict constraint of low-end ECUs, having low computational complexity and small memory footprints. The proposed algorithm identifies anomalies in the sequence of the payloads of different classes of IDs by computing the Hamming distance between consecutive payloads. Its detection performance are evaluated through experiments carried out using real CAN traffic gathered from an unmodified licensed vehicle.

2017 - Vehicle Safe-Mode, Limp-Mode in the Service of Cyber Security [Relazione in Atti di Convegno]
Dagan, Tsvika; Marchetti, Mirco; Stabili, Dario; Colajanni, Michele; Avishai, Wool

This paper describes a concept for vehicle safe-mode, that may help reduce the potential damage of an identified cyber-attack. Unlike other defense mechanisms, that try to block the attack or simply notify of its existence, our mechanism responds to the detected breach, by limiting the vehicle’s functionality to relatively safe operations, and optionally activating additional security counter-measures. This is done by adopting the already existing mechanism of Limp-mode, that was originally designed to limit the potential damage of either a mechanical or an electrical malfunction and let the vehicle “limp back home” in relative safety. We further introduce two modes of safe-modemoperation: In Transparent-mode, when a cyber-attack is detected the vehicle enters its pre-configured Limp-mode; In Extended-mode we suggest to use custom messages that offer additional flexibility to both the reaction and the recovery plans. While Extended-mode requires modifications to the participating ECUs, Transparent-mode may be applicable to existing vehicles since it does not require any changes in the vehicle’s systems—in other words, it may even be deployed as an external component connected through the OBD-II port. We suggest an architectural design for the given modes, and include guidelines for a safe-mode manager, its clients, possible reactions, and recovery plans. We note that our system can rely upon any deployed anomaly-detection system to identify the potential attack.

2016 - Evaluation of anomaly detection for in-vehicle networks through information-theoretic algorithms [Relazione in Atti di Convegno]
Marchetti, Mirco; Stabili, Dario; Guido, Alessandro; Colajanni, Michele

This paper evaluates the effectiveness of information-theoretic anomaly detection algorithms applied to networks included in modern vehicles. In particular, we focus on providing an experimental evaluation of anomaly detectors based on entropy. Attacks to in-vehicle networks were simulated by injecting different classes of forged CAN messages in traces captured from a modern licensed vehicle. Experimental results show that if entropy-based anomaly detection is applied to all CAN messages it is only possible to detect attacks that comprise a high volume of forged CAN messages. On the other hand, attacks characterized by the injection of few forged CAN messages attacks can be detected only by applying several independent instances of the entropy based anomaly detector, one for each class of CAN messages.