Exploring Vulnerabilities and Security Schemes of Service-Oriented Internet 0f Things (IoT) Protocols

Kayas, Golam, 0000-0001-7186-3442

08 1900

The Internet of Things (IoT) is spearheading a significant revolution in the realm of computing systems for the next generation. IoT has swiftly permeated various domains, including healthcare, manufacturing, military, and transportation, becoming an essential component of numerous smart devices and applications. However, as the number of IoT devices proliferates, security concerns have surged, resulting in severe attacks in recent years. Consequently, it is imperative to conduct a comprehensive investigation into IoT networks to identify and address vulnerabilities in order to preempt potential adversarial activities. The aim of this research is to examine different IoT-based systems and comprehend their security weaknesses. Additionally, the objective is to develop effective strategies to mitigate vulnerabilities and explore the security loopholes inherent in IoT-based systems, along with a plan to rectify them. IoT-based systems present unique challenges due to the expanding adoption of IoT technology across diverse applications, accompanied by a wide array of IoT devices. Each IoT network has its own limitations, further compounding the challenge. For instance, IoT devices used in sensor networks often face constraints in terms of resources, possessing limited power and computational capabilities. Moreover, integration of IoT with existing systems introduces security issues. A prime example of this integration is found in connected cars, where traditional in-vehicle networks, designed to connect internal car components, must be highly robust to meet stringent requirements. However, modern cars are now connected to a wide range of IoT nodes through various interfaces, thus creating new security challenges for professionals to address. This work offers a comprehensive investigation plan for different types of IoT-based systems with varying constraints to identify security vulnerabilities. We also propose security measures to mitigate the vulnerabilities identified in our investigation, thereby preventing adversarial activities. To facilitate the exploration and investigation of vulnerabilities, our work is divided into two parts: resource-constrained IoT-based systems (sensor networks, smart homes) and robustness-constrained IoT-based systems (connected cars). In our investigation of resource-constrained IoT networks, we focus on two widely used service-oriented IoT protocols, namely Universal Plug and Play (UPnP) and Message Queue Telemetry Transport (MQTT). Through a structured phase-by-phase analysis of these protocols, we establish a comprehensive threat model that explains the existing security gaps in communications. The threat models present security vulnerabilities of service-oriented resource-constrained IoT networks and the corresponding security attacks that exploit these vulnerabilities. We propose security solutions to mitigate the identified vulnerabilities and defend against potential security breaches. Our security analysis demonstrates that the proposed measures successfully thwart adversarial activities, and our experimental data supports the feasibility of the proposed models. For robustness-constrained IoT-based systems, we investigate the in-vehicle networks of modern cars, specifically focusing on the Controller Area Network (CAN) bus system, which is widely adopted for connecting Electronic Control Units (ECUs) in vehicles. To uncover vulnerabilities in these in-vehicle networks, we leverage fuzz testing, a method that involves testing with random data. Fuzz testing over the CAN bus is a well-established technique for detecting security vulnerabilities in in-vehicle networks. Furthermore, the automatic execution of test cases and assessment of robustness make CAN bus fuzzing a popular choice in the automotive testing community. However, a major drawback of fuzz testing is the generation of a large volume of execution reports, often containing false positives. Consequently, all execution reports must be manually reviewed, which is time-consuming and prone to human errors. To address this issue, we propose an automatic investigation mechanism to identify security vulnerabilities from fuzzing logs, considering the class, relative severity, and robustness of failures. Our proposed schema utilizes artificial intelligence (AI) to identify genuine security-critical vulnerabilities from fuzz testing execution logs. Additionally, we provide mechanisms to gauge the relative severity and robustness of a failure, thereby determining the criticality of a vulnerability. Moreover, we propose an AI-assisted vulnerability scoring system that indicates the criticality of a vulnerability, offering invaluable assistance in prioritizing the mitigation of critical issues in in-vehicle networks. / Computer and Information Science

Computer science

Automotive security

Internet of Things (IoT)

IoT security

Security

Attacking Computer Vision Models Using Occlusion Analysis to Create Physically Robust Adversarial Images

Loh, Jacobsen

01 June 2020

Self-driving cars rely on their sense of sight to function effectively in chaotic and uncontrolled environments. Thanks to recent developments in computer vision, specifically convolutional neural networks, autonomous vehicles have developed the ability to see at or above human-level capabilities, which in turn has allowed for rapid advances in self-driving cars. Unfortunately, much like humans being confused by simple optical illusions, convolutional neural networks are susceptible to simple adversarial inputs. As there is no overlap between the optical illusions that fool humans and the adversarial examples that threaten convolutional neural networks, little is understood as to why these adversarial examples dupe such advanced models and what effective mitigation techniques might exist to resolve these issues. This thesis focuses on these adversarial images. By extending existing work, this thesis is able to offer a unique perspective on adversarial examples. Furthermore, these extensions are used to develop a novel attack that can generate physically robust adversarial examples. These physically robust instances provide a unique challenge as they transcend both individual models and the digital domain, thereby posing a significant threat to the efficacy of convolutional neural networks and their dependent applications.

Autonomous Vehicles

Computer Vision

Deep Learning

Convolutional Neural Networks

Adversarial Examples

Automotive Security

Artificial Intelligence and Robotics

Efficiency of CNN on Heterogeneous Processing Devices

Ringenson, Josefin

January 2019

In the development of advanced driver assistance systems, computer vision problemsneed to be optimized to run efficiently on embedded platforms. Convolutional neural network(CNN) accelerators have proven to be very efficient for embedded camera platforms,such as the ones used for automotive vision systems. Therefore, the focus of this thesisis to evaluate the efficiency of a CNN on a future embedded heterogeneous processingdevice. The memory size in an embedded system is often very limited, and it is necessary todivide the input into multiple tiles. In addition, there are power and speed constraintsthat needs to be met to be able to use a computer vision system in a car. To increaseefficiency and optimize the memory usage, different methods for CNN layer fusion areproposed and evaluated for a variety of tile sizes. Several different layer fusion methods and input tile sizes are chosen as optimal solutions,depending on the depth of the layers in the CNN. The solutions investigated inthe thesis are most efficient for deep CNN layers, where the number of channels is high.

CNN

Accelerator

Convolution

Heterogeneous Processing Device

AI Engine

FPGA

Hardware Architecture

Automotive Security

Computer Vision

Layer Fusion

Computer Systems

Datorsystem

Embedded Systems

Inbäddad systemteknik

Security Analysis of Ethernet in Cars

Talic, Ammar

January 2017

With the development of advanced driving assistance systems, the amount of data that needs to be transmitted within a car has increased tremendously. Traditional communication bus based systems are unable to meet today’s requirements; hence automotive Ethernet is being developed and standardized. Ethernet has for many years been the de facto standard in interconnecting computers. In that time several vulnerabilities of the networking protocol stack implementations and even the protocols themselves have been discovered. The knowledge from exploiting computer networks can be applied to the automotive domain. Additionally, vehicle manufacturers tend to implement their own stacks, due to copyleft reasons; hence the chances of implementation faults increases as opposed to using well-tested open source solutions. Since the line between security and safety in cars is almost nonexistent, security has to be properly addressed. This thesis investigates the security of automotive Ethernet and its accompanying protocols. It starts with an introduction to computer and automotive networking and protocols. After a solid foundation is laid, it investigates what makes up automotive Ethernet, its application in the field, and the automotive specific components relying on it. After looking at related work, a data network security audit and analysis as defined by the open-source security testing methodology is performed. The system is graded with risk assessment values. Weak points are identified and improvements suggested. The impact of the proposed improvements is shown by reevaluating the system and recalculating the risk assessment values. These efforts further the ultimate goal of achieving increased safety of all traffic participants. / Med utvecklingen av avancerade körningsassisterande system har mängden data som behöver sändas inom en bil ökat enormt. Traditionella kommunikationsbussbaserade system kan inte uppfylla dagens krav. Därmed utvecklas och standardiseras Ethernet för fordon. Ethernet har i många år varit de facto-standarden i sammankopplandet mellan datorer. Under den tiden har flera sårbarheter hos nätverksprotokolls implementeringar och protokoll själva upptäckts. Det finns anledning att tro att kunskapen från att utnyttja datanätverk kan tillämpas på fordonsdomänen. Att tillägga är att fordonstillverkare tenderar att genomföra sina egna staplar. På grund av copyleft skäl, ökar chanserna för implementeringsfel i motsats till att använda testade open source-lösningar. Eftersom människors säkerhet hos bilar är extremt viktigt, måste även dess system hanteras ordentligt. Denna avhandling undersöker säkerheten för Ethernet och kompletterande protokoll hos bilar. Den börjar med en introduktion till datorers och bilars nätverk och protokoll. Efter en stabil grund fastställts, undersöker den vad som utgör Ethernet hos bilar, dess tillämpning inom fältet, och de bilspecifika komponenterna den beror av. Efter att ha tittat på relaterat arbete utförs en säkerhetsgranskning och analys av datanätverk som definieras av säkerhetsmetoden för open-source. Systemet värderas med riskbedömningsvärden. Svaga punkter identifieras och förbättringar föreslås. Effekten av de föreslagna förbättringarna framgår utav omvärdering av systemet och omräkning av riskbedömningsvärdena. Dessa bedömningar leder till det yttersta målet för ökad säkerhet för alla trafikanter.

Automotive security

penetration testing

automotive Ethernet

TCP/IP

DoIP

BroadR-Reach

OSSTMM

flash bootloader

Ethernet för fordon

TCP/IP

Ethernet säkerhet

DoIP

BroadR-Reach

OSSTMM

flash bootloader

Communication Systems

Kommunikationssystem

Automating Security Risk and Requirements Management for Cyber-Physical Systems

Hansch, Gerhard

15 October 2020

No description available.

510

Management von Sicherheitsrisiken

Generieren von Sicherheitsanforderungen

IT-Sicherheitsmanagement

Kontinuierliches Risikomanagement

Cybersecurity engineering

Security risk management

Machine-readable security requirements

Risk-driven security

Security engineering

Security requirements

Security risk assessment

Security risk mitigation

Security risk monitoring

Cybersecurity compliance

Automotive security

CPS security

IIoT security

OT security

Informatik (PPN619939052)