EE Seminar: Parrot, a software-only anti-spoofing system for the CAN bus
Speaker: Tsvika Dagan
Ph.D. student under the supervision of Prof. Avishai Wool
Sunday, November 6th, 2016 at 15:30
Room 011, Kitot Bldg., Faculty of Engineering
Parrot, a software-only anti-spoofing system for the CAN bus
Background
Modern cars have multiple dedicated computers under the hood called ``electronic control units'' (ECUs). These ECUs control all aspects of the car's operation: from the engine, breaking and steering controls to the car's entertainment systems. The ECUs are connected to each other in a network that typically uses the CAN bus protocol. CAN bus is a simple serial protocol, with absolutely no security components: it was designed under the assumption that all ECUs are legitimate, trustworthy, and operating according to their specifications. However, over the last few years researchers have shown that many ECUs are vulnerable to attack. Since CAN bus in itself is so naive, any attack on one ECU can immediately allow lateral movement, to attack other, more critical, ECUs; the subverted ECU can trivially spoof (masquerade as) any other ECU and cause significant damage. Replacing CAN bus with a more robust technology is probably a good idea. However, due to the huge investment made by manufacturers, and the decades it takes until old cars are scrapped, it is an important goal to improve the security stance of cars within the limitations of CAN bus. Thus finding methods to block the lateral movement, from the originally compromised ECU to others, is a major step in this direction.
Abstract
In this talk I will describes a novel anti-spoofing system for in-car CAN bus networks. If an attacker compromises one of the car's electronic control units (ECUs), and from there tries to attack another, more critical, ECU, the Parrot system blocks this lateral movement. Unlike previous firewall-based solutions or cryptography-based solutions, the attack messages are identified and destroyed by the legitimate message ID's owner. Our method does not merely drop messages that are non-conforming with policy: the Parrot defense typically disconnects the compromised ECU from the bus. And unlike previous solutions, that require a modified controller (since they violate the CAN bus protocol), our method is able to shut down the attacker while obeying the protocol rules. Hence, the Parrot defense can be added as a software-only patch to any standard ECU. We implemented the Parrot system and tested its behavior in detailed experiments. With CAN controllers that are able to transmit fast enough we were able to disable the attacking ECU in most experiments. For slower controllers, we showed a successful alternative.
