This document discusses misbehavior handling throughout the vehicle-to-vehicle (V2V) system lifecycle. It proposes decomposing misbehavior activity into four parts: local misbehavior detection, reporting, investigation, and revocation decision. It suggests considering these parts independently. The best available misbehavior detection algorithm will differ depending on available vehicle sensors. Administrative considerations like privacy and oversight are important. The document outlines two approaches to misbehavior detection - an open garden approach allowing various vehicle-side approaches, and a uniform approach. It recommends following the open garden approach when possible.
This presentation discusses the use of Garbled Circuits for improving security and simplifying implementation of Secure Credential Management Systems (SCMS) in the automotive industry.
This document discusses using quantum-safe cryptography to protect against future quantum computers. It proposes a "hybrid" approach where a FIPS-approved classical algorithm is used for conformance while a quantum-safe algorithm is also used to provide long-term security. Specifically, it examines using the "OtherInfo" field when deriving keys to include a quantum-safe symmetric key as part of the key derivation process. This would allow quantum-safe encryption of data even when using a FIPS-approved scheme for key establishment and compliance. However, it is unclear if including symmetric keys in "OtherInfo" is permitted by standards.
Connected vehicles will communicate vast amounts of sensitive data over networks, but securing these systems faces unique challenges. Hackers could potentially cause accidents, track drivers, or disable safety features. The automotive industry lacks the security expertise of IT, and adding security slows development. However, vehicle-to-vehicle communication shows promise for accident prevention if privacy and security are prioritized through new protocols, like changing identifiers frequently while authenticating messages through a certificate management system. Governments are now mandating security standards for connected cars to address these risks.
The document discusses the development of the IEEE 1609.2 standard for security in connected vehicles. It explores how the standard was created with only partial contributions from security experts. It aims to examine specific design decisions in the standard, how the divergence between the US and EU versions occurred, and lessons learned for developing security standards in the future. The goal is to understand how to create standards in a more transparent, robust way that avoids issues like regional incompatibility.
Scaling secure systems like vehicle-to-vehicle communication presents challenges around growing the number of devices, maintaining them securely over long periods of time, and managing privacy across international borders. The biggest constraint is ensuring the many human decisions needed are made correctly and at scale. Centralizing some decisions, like device certification requirements and revocation criteria, while decentralizing others, like authorization, can help reduce the number of human judgments needed. Proper data management is also crucial to balance security, privacy, and accountability. Attention to future threats from quantum computers and evolving standards will further support scalability over time.
Presentation given at WiSec 2017 by Dr. Virendra Kumar. His, along with Drs. Jonathan Petit and William Whyte's, paper was one of six to receive the reproducibility label.
The survey of 524 automotive software professionals found:
1) Security is not fully integrated into development processes and developers lack training on secure development practices.
2) Nearly half believe a major overhaul of automotive technology architecture is needed to improve security.
3) There is uncertainty around whether a hack-proof vehicle can be built, with pressures around costs, timelines, and prioritization of security.
This document discusses security challenges and successes for connected vehicles. It outlines how the Secure Credential Management System (SCMS) has been developed and implemented to securely provision vehicle credentials. It also describes how a threat analysis framework identifies device security requirements based on analyzing data confidentiality, integrity and availability levels. Key challenges discussed are how to securely provision device certificates without frequent connectivity and how to balance privacy and misbehavior detection for credential revocation.
This document provides an overview of certificate management protocols for 1609.2 certificates used in vehicle-to-everything (V2X) communication. It describes the terminology, topology, interfaces, and lifecycles involved in issuing and managing different types of certificates within the Security Credential Management System (SCMS). The document outlines the processes for enrolling to receive certificates, requesting operational certificates, downloading certificates, and handling revocation. It also discusses the ASN.1 module structure used to specify the protocols and packet data units for each interface.
This document summarizes the key findings of a survey conducted by the Ponemon Institute regarding automotive cybersecurity. Some of the main points from the survey include:
- There is a growing concern among automakers and suppliers that hackers are actively targeting modern connected vehicles. However, organizations are not prioritizing security.
- A lack of skilled security personnel and pressure to meet deadlines are hindering secure development practices. Cryptography use and legacy systems are also issues.
- While security responsibility is unclear, respondents believe the most challenging aspects of securing vehicles are the expenses involved, the time added to development, and lack of formal requirements and policies.
SDN involves separating the network control plane from the data plane, logically centralizing network intelligence and state. This allows network applications to directly interface with and control the underlying network infrastructure through open interfaces and APIs. SDN provides opportunities to apply business logic dynamically to network behavior and automate network service orchestration through open programmable interfaces. While SDN introduces some security risks if the controller is compromised, it also enables new security applications and the ability to scale security through a separate "service plane". SDN could help address some existing security issues and drawbacks in traditional network architectures.
This document summarizes a CISSP mentor program session on security assessment and testing. It includes a 10 question quiz on topics like regression testing, fuzzing, static vs dynamic testing, and types of penetration testing. It also discusses a scenario about hiring a security firm to conduct a security assessment and penetration test of a bank's new web application. Key points covered include using a "flag" file instead of real data in a penetration test, the benefits of partial knowledge vs zero knowledge tests, and the proper response if an active compromise is discovered during a test.
2014-12-16 defense news - shutdown the hackers | Shawn Wells
The document discusses technologies for continuous monitoring and data standardization. It begins with an overview of a presentation on vulnerability management, configuration management, and the DoD Centralized Super Computing Facility story. It then covers various topics related to cybersecurity including reliance on technology over time, the ever-increasing capability and complexity of systems, cybercrime statistics, and the Security Content Automation Protocol (SCAP).
Slide Deck Class Session 11 – FRSecure CISSP Mentor Program | FRSecure
FRSecure has a goal of changing a broken industry. There are many ways to accomplish this endeavor such as setting high assessment standards, using proprietary reporting methods that are easy to understand to hiring expert talent just to name a few. However, one unique approach FRSecure uses to bring about change is our CISSP Mentor Program. By design the program is provided at no cost to anyone with an interest in the information security industry.
SDN Security: Two Sides of the Same Coin | Zivaro Inc
When it comes to Software Defined Networking (SDN) Security there are two sides of the story. This webinar addresses both sides – what security vulnerabilities exist in modern SDN technologies and how SDN technologies can create new security protections. Also included are use cases that SDN solutions can provide and the new applications of SDN that can secure modern enterprise and data center environments.
Presented by GTRI CTO, Scott Hogg, in a webinar on June 9, 2016. For more information, visit http://www.gtri.com/.
This document contains a CISSP CBK review exam with 55 multiple choice questions covering various topics in cybersecurity. Some of the questions test knowledge of risk management, access controls, cryptography, security operations and incident response. The exam is assessing understanding of fundamental cybersecurity concepts as defined in the Common Body of Knowledge for the CISSP certification.
Radware DefenseFlow - The SDN Application That Programs Networks for DoS Security | Radware
http://www.radware.com/Products/DefenseFlow/
Learn about the industry's first SDN application that enables network operators to program the network to provide DDoS protection as a native network service.
Security is a major concern in computer networking which faces increasing threats as the commercial Internet and related economies continue to grow. Virtualization technologies enabling scalable Cloud services pose further challenges to the security of computer infrastructures, demanding novel mechanisms combining the best-of-breed to counter certain types of attacks. Our work aims to explore advances in Cyber Threat Intelligence (CTI) in the context of Software Defined Networking (SDN) architectures. While CTI represents a recent approach to combat threats based on reliable sources, by sharing information and knowledge about computer criminal activities, SDN is a recent trend in architecting computer networks based on modularization and programmability principles. In this dissertation, we propose IntelFlow, an intelligent detection system for SDN that follows a proactive approach using OpenFlow to deploy countermeasures to the threats learned through a distributed intelligent plane. We show through a proof of concept implementation that the proposed system is capable of delivering a number of benefits in terms of effectiveness, altogether contributing to the security of modern computer network designs.
RSAC 2021 Spelunking Through the Steps of a Control System Hack | Dan Gunter
An industrial control system was hacked through a multi-stage attack. An attacker first spearphished a user to gain access to the network. They then used remote desktop and remote access software to access the HMI and manipulate control points, disrupting industrial processes. The attack demonstrated tactics like phishing, credential dumping, lateral movement, and control manipulation. Improving security monitoring, hardening systems, limiting access, and increasing user awareness could help prevent similar attacks.
Slide Deck Class Session 10 – FRSecure CISSP Mentor Program | FRSecure
This document summarizes session #10 of a CISSP mentor program. It reviews topics in domains 4 and 5, including network scanning tools, wireless LANs, remote access, access control concepts, authentication methods, single sign-on, and identity lifecycle processes. Quizzes are given on domain 4 topics. Discussions also cover protocols like RADIUS, Diameter, Kerberos, and TACACS/TACACS+, as well as single sign-on implementations and access review procedures.
This document summarizes the seventh session of a CISSP mentor program. It reviews Domain 3 on security engineering, including perimeter defenses, site selection and configuration, and system defenses. It then provides a quiz on these topics. The session concludes with a review of Domain 4 on communication and network security, covering network architecture, secure network devices and protocols, and secure communications. Key terms are defined, such as the OSI and TCP/IP models, LANs/WANs, circuit switching vs. packet switching, and the layers of the OSI model.
Vulnerability Inheritance in ICS (English) | Digital Bond
This document discusses vulnerability inheritance in programmable logic controllers (PLCs) from third-party libraries and software. It provides a specific example of vulnerabilities found in the CoDeSys runtime and engineering software used by hundreds of industrial control system vendors. The document outlines how two major Japanese PLC vendors were found to be affected by these vulnerabilities due to their use of CoDeSys, and concludes that vendors need to implement secure development practices like security testing to prevent inheriting vulnerabilities from third-party components.
Purple Teaming - The Collaborative Future of Penetration Testing | FRSecure
Organizations get penetration tests year after year, yet companies still get breached because they’re STILL missing the basics. Traditional penetration tests are failing to prepare organizations for the threats they actually face. They’ve become a commodity of compliance and box-checking. Remediation steps rarely include management objectives. General lack of excitement for Blue Team functions. Red team is sexy, but just a tool. Do you even have a JBOSS server? (Then why are you seeing alerts for it?)
Securing future connected vehicles and infrastructure | Alan Tatourian
Slides from a keynote I gave at AZ Infragard. Since this was a keynote, I tried to dazzle the audience by talking more about technology and portraying security only as part of the underlying architecture of cognitive autonomous systems.
Routers play an important role in cyber forensics investigations. During an investigation, an analyst should gather evidence from routers to help determine the source of an attack. This includes examining router logs, configurations, and volatile memory to find artifacts left by attackers. Log files may contain source IP addresses and protocols used. Configurations should be collected but not reset to avoid destroying evidence. Commands like "show access list" and "show users" can provide clues about hacker activity on the router. Properly documenting the chain of custody of all router evidence is crucial for the investigation.
This document discusses the governance, management, and auditing challenges of drones and autonomous vehicles as their use increases. It notes that regulations have not kept up with the rapid development of new drone technologies and uses. It proposes a system to help manage this space by detecting, logging, and potentially defending areas from unauthorized drones, while allowing authorized drones to continue operating. The system would use software-defined radios, hardware radios, and audio detection to passively monitor drone control signals and telemetry in a flexible and scalable way for applications like facility security and event monitoring.
SANOG 33: Why is securing the Internet's routing system so hard | APNIC
This document discusses why securing the internet's routing system is so difficult. It begins by outlining some key factors that contribute to problems being "hard" to solve, such as technical challenges, economic barriers, and risk mitigation issues. It then analyzes what has made some internet successes possible, such as piecemeal deployment and early adopter advantages. In contrast, problems like securing routing require orchestrated universal adoption where individual benefits are not clear. The document examines why secure routing specifically is so challenging, including that there is no central authority, routing is based on unverified rumors, and it is difficult to determine what constitutes a "correct" routing system. Overall, securing internet routing remains an extremely difficult problem to solve.
What is Cloud Security, and Can I Have Some? | John Kinsella
This document discusses cloud security and deployment models. It defines cloud computing according to NIST and describes the three main types: Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS). The document also covers legal issues around discovery, governance, and compliance in cloud environments. Best practices for cloud security include encrypting data at rest and in transit, implementing strong identity management and access controls, ensuring portability between cloud providers, and understanding data locations.
Biting into the Jawbreaker: Pushing the Boundaries of Threat Hunting Automation | Alex Pinto
Threat Hunting has been commonly definable as a series of investigative actions that should be performed by human teams in order to cover detection gaps where automated tools fail. However, as those techniques become more and more popular and standardized, wouldn't it be the case that we are able to automate a large part of those common threat hunting activities, creating what is basically a definition oxymoron?
In this session, we will demonstrate how some IOC-based threat hunting techniques can be automated or constructed to augment human activity by encoding analyst intuition into repeatable data extraction and processing techniques. Those techniques can be used to simplify the triage stage and get actionable information from potential threats with minimal human interaction. The more math-oriented parts will cover descriptive statistics, graph theory, and non-linear scoring techniques on the relationships of known network-based IOCs to an organization's log data.
Our goal here is to demonstrate that by elevating the quality of data available to our automation processes we can effectively simulate "analyst intuition" on some of the more time consuming aspects of network threat hunting. IR teams can then theoretically more productive as soon as the initial triage stages, with data products that provide a “sixth sense” on what events are the ones worth of additional analyst time.
Data Integrity Techniques: Aviation Best Practices for CRC & Checksum Error D...Philip Koopman
Author: Prof. Philip Koopman, Carnegie Mellon University
Abstract:
This talk includes both a tutorial and explanation of research results on the proper use of Cyclic Redundancy codes (CRCs) and checksums in an aviation context. More than 50 years since the invention of the CRC, the proper use of these error detection codes is still hampered by a combination of misleading folklore, sub-optimality of standard approaches, general inaccessibility of research results, and the occasional typographical error in key reference materials. However, recent work has been able to exhaustively explore the CRC design space and identify optimal selection criteria based on key system characteristics. This talk will covers the following areas: checksum and CRC theory with an emphasis on intuitive understanding rather than heavy math; why using a standard or widely used CRC can be suboptimal (or worse); how to pick a good checksum/CRC; the key parameters that affect the error detection capability of a checksum/CRC; CRC pitfalls illustrated via examples from Controller Area Network and ARINC-825; an example CRC selection process for achieving a required level of functional criticality; and a “seven deadly sins” list for CRC/checksum use. Some key research findings that are discussed include: a well-chosen CRC is usually dramatically better than a checksum for relatively little additional computational cost; you can usually do a lot better than “standard” CRC (especially CRC-32); Hamming Distance at the target payload length is the predominant selection criterion of interest; and it is important to avoid bit encoding approaches that undermine CRC effectiveness.
Bio:
Dr. Philip Koopman is a professor at Carnegie Mellon University, with research interests in the areas of software robustness, embedded networking, dependable embedded computer systems, and autonomous vehicle safety. Previously, he was a US Navy submarine officer, an embedded CPU architect for Harris Semiconductor, and an embedded system researcher at United Technologies. In addition to a variety of academic publications and two dozen patents, he has authored the book Better Embedded System Software based on lessons learned from more than a hundred design reviews of industry software. He has affiliations with both the Carnegie Mellon Electrical & Computer Engineering Department (ECE) and the National Robotics Engineering Center (NREC). He is a senior member of IEEE, senior member of the ACM, and a member of IFIP WG 10.4 on Dependable Computing and Fault Tolerance.
types of modern technologies used in transportation, uses of modern technology in transportation ,Introduction
Why ITS?
Application of ITS
Implementation of ITS
Benefits of ITS
Demerits of ITS
This document discusses privacy considerations for connected vehicles that communicate using dedicated short range communications (DSRC). DSRC allows vehicles to broadcast basic safety messages to nearby vehicles to improve road safety by warning of hazards. However, these messages and the vehicle certificates could potentially be tracked and used to identify vehicles, violating privacy. Solutions proposed to address privacy include changing vehicle identifiers frequently and revoking certificates if the onboard system is compromised, but these require a trusted authority to manage certificates and many opportunities remain for privacy to be breached.
This document presents a method for passively fingerprinting network users based on their unique patterns of network behavior, as observed in NetFlow data. The method identifies destinations only contacted by a single internal IP, compiling these into fingerprints that can identify users. Initial results found fingerprints for 38-83% of users, depending on how strictly uniqueness was defined. Fingerprints showed some variability over time, leaving opportunities to improve stability and automate the process. The approach aims to make simple behavioral fingerprinting accessible to network administrators.
Cloud Security - Cloud Arena - Tim WilloughbyTim Willoughby
Tim explains technology to various groups in an understandable way. He lives in Naas, Ireland and works as a translator between technical and business teams, using web services and cloud computing. Security, standardization, and control are ongoing challenges for moving organizations to the cloud.
Towards Routing Security, Fairness, and Robustness in Mobile Ad Hoc Networks
From Birds to Network Nodes
Components in Each Node
Information Flow in Each Node
Information Flow Between Nodes
1. Models can describe aspects of distributed systems in an abstract way, simplifying their complexity. Architectural models define how responsibilities are distributed among components, while interaction models deal with time handling.
2. Three architectural models were discussed: client-server, peer-to-peer, and variations including proxy servers, mobile code, agents, thin clients, and mobile devices.
3. Two interaction models - synchronous and asynchronous distributed systems - differ in whether bounds can be placed on timing.
4. Fault models specify what faults may occur and their effects, including omission, arbitrary, and timing faults impacting processes and communication.
Modular Mining Systems provides proximity detection and mine safety solutions using multiple layers of sensors and technologies. These layers include GPS, RFID, beacons, radar, cameras, and human operators. When integrated together in Modular's DISPATCH mine management system, the layers can compensate for each other's limitations to improve detection reliability while reducing nuisance alarms. This multi-layered approach is part of Modular's overall systems solution for mine safety that addresses equipment, procedures, situational awareness, fitness, competency, and ability.
This document discusses how route leaks can degrade internet service quality in a distributed manner. It defines route leaks and provides examples of how they occur and their effects. While often thought to be intentional, most route leaks are actually caused by human error. Route leaks are widespread due to the many failure scenarios and operators involved. Their impact is difficult to identify and address as degradation does not terminate service. Collective efforts using route analysis tools and knowledge sharing within the internet community are needed to combat distributed service issues like route leaks.
PacNOG 29: Routing security is more than RPKIAPNIC
APNIC Chief Scientist presented on how much more there is to routing security than just RPKI at PacNOG 29, held online from 29 November to 9 December 2021.
Computer Vision for Traffic Sign Recognitionthevijayps
This document discusses a project to develop a system for traffic sign recognition using computer vision. The system aims to detect and recognize traffic signs independently of variations in appearance, perspective, lighting, and partial occlusions. The objectives are outlined as making the system invariant to these factors and able to provide information on visibility, condition, and placement of signs. An approach is presented involving video segmentation, color-based and shape-based detection methods. MATLAB is identified as a tool for image processing tasks like reading, displaying, and compressing images. Algorithms and pseudo-code are discussed for tasks like video segmentation and image compression. The conclusion states that the algorithm can generalize to other object recognition and considers difficulties of outdoor environments.
2. Overview
• This presentation does not present any particular results, but is intended to help think about how MBD will work within the system in the long run
• Present a decomposition of misbehavior-related activity into four parts that can be considered independently
• Local Misbehavior Detection / Reporting / Investigation / Revocation Decision
• Rather than “What’s the best misbehavior [XXX] algorithm?”, ask “What do we do with the fact that the best available misbehavior detection algorithm will differ?”
• Best known algorithm will vary from time to time
• Best locally implementable algorithm may depend on the sensors available on a vehicle
• Which of these algorithms need to be public? standardized? uniform?
• Administrative considerations: privacy implications, incentives, oversight
• What’s the right group to think about MBD going forward?
• How can the future introduction of V2I systems into misbehavior reporting processes improve MD performance overall?
• Apologies in advance: we haven’t seen the other presentations so some of this material may be redundant.
3. Who are we representing?
• Ourselves!
• Work not funded through IEEE / CAMP / NYC Pilot
• … therefore, nothing we say represents any other party’s opinion
• … also, we can say “OBEs should do this” without worrying about self-certification etc.
• … and we can talk about physical enforcement of revocation (i.e. police stopping revoked cars) without making it seem that OEMs (or anyone else) are encouraging it
4. Proposed conclusions (spoilers!)
• Two possible approaches
• Open garden approach: many different vehicle-side approaches to MBD
• Good detection, privacy risks for reporters
• The MA knows considerable information about the reporting unit
• Sensors, version of detection/reporting algorithm run, etc
• It’s okay for only a small percentage of vehicles to have the best misbehavior detection / reporting
• Privacy against MA must be managed
• Uniform approach
• A low number of distinct approaches to MBD
• Fewer privacy risks to reporters, incentives to report are less of a concern
• … but risks throwing away useful information
• Recommendation: follow open garden approach to the greatest possible extent
• In a world where vehicles may have a range of different capabilities, it’s not clear what metrics to use to evaluate success of MBD
• These should be developed
5. Proposed conclusions (2)
• On the assumption that:
1. There will be relatively low numbers of attackers
2. There will be relatively low numbers of honest-but-malfunctioning devices
… the system seems likely to be robust.
• But it is not clear that we know much about assumption (2)
• Closer study is warranted
6. What is misbehavior?
• Different types of anomaly:
• Message structure validation
• Message frequency
• Message content 'plausibility'
• Focus here is on message content plausibility
• Note that examples where a private key is known to have been extracted allow us to bypass misbehavior detection and go straight to revocation
• Galois has implemented a verifiably correct BSM parser; we recommend the use of verifiably correct software
• DoS attacks can be carried out with just a radio, with no need for a cert; the best way to address them is to allow devices to report “channel congestion in area X” so it can be investigated in the real world
7. Possible goals of MBD
• Reduce false alerts
• Remove malicious vehicles from the system
• Via revocation or physical activity
• Notify malfunctioning vehicles that they need maintenance
8. Cost points in the system
• Vehicle equipment
• Sensors
• Processing power
• For real-time data analysis
• For real-time crypto operations
• For background crypto operations
• Storage for certificates
• Storage for CRLs
• Storage for other data
• Maps, …
• Connectivity
• Off-vehicle
• Upload capacity for MBD reports
• Download capacity for CRLs
• Storage for MBD
• Processing for analysis and investigation (computer and human)
9. Background: two misbehavior scenarios
• “One lane off”
• Innocent misbehavior
• … but could cause forward collision warning in all overtaking vehicles
• Active malware
• Aware of MBD algorithms and tries to bypass
• Impact:
• If messages can be confirmed by other sensors, very hard for attacker to create e.g. FCW false alerts
• DSRC message is just one sensor input, can be overruled by others
• Key DSRC scenarios:
• Intersection Movement Assist (IMA)
• Extended Electronic Brake light (EEBL)
• Impact analysis will emphasise the key DSRC scenarios
10. Stages of the MBD process
• Local Misbehavior Detection
• Determining which messages to ignore
• Reporting
• Determining which messages to report
• If there is a time delay between observing and reporting, deciding which messages to store
• Investigation
• How the MA goes about determining whether two or more certificates belong to the same vehicle
• Revocation
• What are the criteria for revocation?
• Some are easy – e.g. same cert used in two different places at the same time – our focus is on revocation based on the message contents
[Diagram placeholder (“PICTURE HERE”): stages Detection, Reporting, Investigation, Revocation; entities Vehicle, MA, LA, PCA, RA, CRLG]
12. Local misbehavior detection v reporting
• Starting premise: system capacity costs money
• … for MBD reports
• … for MBD storage
• … for MBD analysis
• … for CRL distribution
• What can we say about using that capacity efficiently?
• Prioritize reports that report messages that were not caught by local misbehavior detection
• By our definition of local misbehavior, those messages were already filtered out
• … but this works best if misbehaving messages will be locally detected by all vehicles
• If LMBD is assisted by sensors or processing power there’s a tradeoff
• Cost on car v system cost
• Proper prioritization of reporting is helped by knowing what the baseline local detection capability is on other cars
• Proposal: there should be some minimum performance requirements for LMBD, just as there are minimum performance requirements for sending BSMs
• NOTE: RSEs can also do MBD
• May be better than OBEs – up to date, no privacy concerns
• In known locations so malicious attacker can avoid them
• Could deter misbehavior in the first place
• NOTE 2: DSRC-equipped cellphones could report MBD – this is something the system should support but not investigated further here
13. Local misbehavior detection
• On the boundary between “security” and “correct application operations”
• Similar to “plausibility checking” – is there any real difference?
• Filter out bad messages before they can cause alerts to be raised
• Entirely local
• Can be OEM-specific
• Can be private
• Can depend on other sensors / etc on the receiving car
• Bad messages that successfully bypass local misbehavior detection can cause false alerts, possibly worse
[Flowchart: inputs DSRC, Sensors, Map; decisions “Good data?”, “Raise alert?”, “Good alert?”, “Report?” with Yes/No branches; End]
14. Local misbehavior detection examples and cost
• Basic plausibility checks
• Speed too great, unrealistic turning angle, unrealistic acceleration
• Can be carried out on a message-by-message basis
• Consistency with sensors
• Are messages consistent with other sensor input?
• Note: not applicable to key DSRC scenarios
• Can be carried out on a message-by-message basis, only for nearby cars
• Consistency with RF
• Is message direction consistent with RF?
• Approach suggested by Battelle, needs dual antennas
• Consistency between own messages
• Brake status not consistent with deceleration observed between messages
• Speed not consistent with distance between messages
• Requires storage, processing linear in number of nearby vehicles
• Consistency with map
• Is trajectory consistent with lanes known to exist?
• Requires storage, processing linear in number of nearby vehicles
• Consistency with other messages
• Does the trajectory implied by one car’s messages match the trajectory implied by other cars’?
• Requires storage, processing (kind-of) more than linear in number of nearby vehicles
• Hand-wavingly, n² or n log n
• In practice bounded above by kn.
• BSM design is intended to enable vehicles to make collision avoidance determination on the basis of a single message – is this realistic?
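The “basic plausibility” and “consistency between own messages” checks listed on slide 14, as an added example that is not part of the original slides. The message fields, thresholds and sample BSMs are constructed assumptions; note that the one-lane-off sender passes both checks, in line with the “not caught” entries on the EEBL slide.

```python
"""Added example: two local misbehavior checks on simplified BSMs.

Field names and limits are assumptions for illustration; they are not
taken from the slides or from any BSM standard.
"""
from dataclasses import dataclass
from math import hypot

# Assumed plausibility limits (illustrative only).
MAX_SPEED = 70.0       # m/s
MAX_ACCEL = 12.0       # m/s^2, magnitude
MAX_YAW_RATE = 60.0    # deg/s
SPEED_DIST_TOL = 5.0   # m/s gap allowed between reported and implied speed
HARD_DECEL = 3.0       # m/s^2 of observed slowing that implies braking


@dataclass(frozen=True)
class Bsm:
    sender: str      # certificate identifier (constructed)
    t: float         # seconds
    x: float         # metres, local frame
    y: float
    speed: float     # m/s
    accel: float     # m/s^2, longitudinal
    yaw_rate: float  # deg/s
    brake: bool


def basic_plausibility(m):
    """Message-by-message checks: no stored state needed."""
    flags = []
    if not 0.0 <= m.speed <= MAX_SPEED:
        flags.append("speed_out_of_range")
    if abs(m.accel) > MAX_ACCEL:
        flags.append("unrealistic_acceleration")
    if abs(m.yaw_rate) > MAX_YAW_RATE:
        flags.append("unrealistic_turning")
    return flags


def own_message_consistency(prev, cur):
    """Compare a sender's current message with its previous one."""
    dt = cur.t - prev.t
    if dt <= 0:
        return ["non_increasing_timestamp"]
    flags = []
    # Speed not consistent with distance between messages.
    implied = hypot(cur.x - prev.x, cur.y - prev.y) / dt
    if abs(implied - (prev.speed + cur.speed) / 2) > SPEED_DIST_TOL:
        flags.append("speed_vs_distance")
    # Brake status not consistent with deceleration between messages.
    decel = (prev.speed - cur.speed) / dt
    if decel > HARD_DECEL and not (prev.brake or cur.brake):
        flags.append("brake_vs_deceleration")
    if decel < -HARD_DECEL and prev.brake and cur.brake:
        flags.append("brake_vs_deceleration")
    return flags


class LocalDetector:
    """Keeps one message per nearby sender: storage linear in senders."""

    def __init__(self):
        self._last = {}

    def check(self, m):
        flags = basic_plausibility(m)
        prev = self._last.get(m.sender)
        if prev is not None:
            flags += own_message_consistency(prev, m)
        self._last[m.sender] = m
        return flags


def run(messages):
    """Return {sender: sorted list of flags} for a batch of messages."""
    det, out = LocalDetector(), {}
    for m in sorted(messages, key=lambda m: m.t):
        out.setdefault(m.sender, set()).update(det.check(m))
    return {s: sorted(f) for s, f in out.items()}


# Constructed sample: two messages 0.1 s apart per sender.
SAMPLE = [
    Bsm("A", 0.0, 0.0, 0.0, 20.0, 0.0, 0.0, False),          # honest
    Bsm("A", 0.1, 2.0, 0.0, 20.0, 0.0, 0.0, False),
    Bsm("LANE", 0.0, 0.0, 3.7, 25.0, 0.0, 0.0, False),       # one lane off,
    Bsm("LANE", 0.1, 2.5, 3.7, 25.0, 0.0, 0.0, False),       # self-consistent
    Bsm("JUMP", 0.0, 0.0, 0.0, 20.0, 0.0, 0.0, False),       # 50 m in 0.1 s
    Bsm("JUMP", 0.1, 50.0, 0.0, 20.0, 0.0, 0.0, False),
    Bsm("NOBRAKE", 0.0, 0.0, 0.0, 30.0, -10.0, 0.0, False),  # hard slowing,
    Bsm("NOBRAKE", 0.1, 2.95, 0.0, 29.0, -10.0, 0.0, False), # brake off
    Bsm("FAST", 0.0, 0.0, 0.0, 120.0, 0.0, 0.0, False),      # 120 m/s
]

if __name__ == "__main__":
    for sender, flags in run(SAMPLE).items():
        print(sender, flags)
```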
15. Example techniques applied to example scenarios: EEBL
One lane to the left
• Basic plausibility checks – not caught
• Consistency with sensors – not caught
• Consistency with RF – caught
• Consistency between own messages – not caught
• Consistency with map – possibly caught
• Consistency with other messages – caught
Malicious attacker
• Basic plausibility checks – not caught
• Consistency with sensors – not caught
• Consistency with RF – caught
• Consistency between own messages – not caught
• Consistency with map – not caught
• Consistency with other messages – possibly caught
16. Example techniques applied to example scenarios: ICW
One lane to the left
• Doesn’t affect validity of IMA alert!
• So does this count as misbehavior at all?
• Basic plausibility checks – not caught
• Consistency with sensors – not caught
• Consistency with RF – probably not caught
• Consistency between own messages – not caught
• Consistency with map – possibly caught
• Consistency with other messages – probably not caught
Malicious attacker
• Basic plausibility checks – not caught
• Consistency with sensors – not caught
• Consistency with RF – possibly caught
• Consistency between own messages – not caught
• Consistency with map – not caught
• Consistency with other messages – probably not caught
17. Local misbehavior detection: conclusions
1. The specific use cases that DSRC is most helpful for are difficult to catch on a message-by-message basis
• Require more processing power than is necessary for a simple assessment of collision probability
• Maps help catch accidental misbehavior
• Directional RF helps catch some types of misbehavior
• It would be interesting to understand the delta in processing power necessary for reliable alert generation between a fully trustworthy system and a system with malicious actors
2. No matter what level of local misbehavior detection is in place, some false alerts will likely be raised
• Reporting will be necessary
3. Adaptive misbehavior rule updates (e.g., from centralized analytics at the MA) may have the ability to significantly reduce local processing power needs.
18. Local MBD: answers to framing questions
• Do local MBD algorithms need to be public?
• Yes: allows creation of sensible reporting algorithms
• No: allows OEMs to compete
• Do local MBD algorithms need to be standardized?
• Arguments from “public” apply, but also:
• No: May make it hard to change algorithms if attackers work out ways around the current
one
• Do local MBD algorithms need to be uniform?
• Arguments from “public” apply, but also:
• No: creates lowest-common-denominator approach
• Proposal:
• There should be a minimum standard local MBD algorithm
• OEMs should be free to develop other local MBD algorithms so long as they catch
everything that is caught by the standard
• No need for OEM-specific local MBD algorithms to be public
19. Self diagnosis (h/t Rob Abramson)
• Carry out local MBD on your own messages
• Can also significantly reduce both reporting and revocation traffic if devices have self-diagnostics
• Innocently malfunctioning device can detect that its messages are inconsistent with other vehicles’ messages (or that it is raising a lot of alerts without seeing reactions) and
• Shut itself off
• Turn on check engine light
• On next key-on can compare messages it “would have” sent with received messages
• (… assuming that innocently malfunctioning device correctly implements self-diagnostics
in the first place)
• Should there be a standard / minimum performance reqts for self-diagnosis, along with
assumption that this exists that informs decision to report?
• Yes: If there are and they’re correctly implemented, reduce need to report/revoke.
• No: Can’t assume they’re correctly implemented, need to report/revoke anyway.
• Proposal: There should be some self-diagnosis requirements but they shouldn’t affect
reporting criteria
21. Reporting
• How important is any single
observation of misbehavior?
• What is reported to the MA?
• Should differently equipped
vehicles be allowed to report
different things?
• What are the privacy
implications?
• What are the administrative
implications?
22. Basic approach
• Messages that cause false alerts
should be reported
• How to determine false alerts?
• Some metric for expected reaction severity
• If a driver gets the alert and drives straight
on, alert is clearly false
• If a driver gets the alert and hard-brakes,
alert may be true
• Car may report false alerts on self or
observe behavior consistent with false alerts
on other vehicles
• Reporting all alerts catches false alerts
• …But runs risk of privacy violation
• … + unintended use of system for
enforcement activities against drivers
• OEMs may have different alert algorithms,
should they also have a globally agreed
“alert” algorithm for reporting?
• If a message is caught by local MBD, i.e.
if it does not cause a false alert but would
have if not caught, should it be reported?
• If all vehicles can catch the message, no
need for revocation
• ... But reporting does allow misbehaving vehicles
to be notified and/or physically located
• See later discussion
• Also, since this detection depends more on sensors, its reporting is more privacy-violating
• Proposal:
• Baseline: everyone reports false alert + no
braking
• Devices with greater filtering ability can
report messages whose falseness is more
ambiguous
• Caught messages should be reported, but at
lower priority than false-alert MBR
23. Report contents
• Authenticated BSMs (cannot
forge BSM)
• Own sensor data
• A report that only contains
authenticated BSMs doesn’t
necessarily need to be signed
• Privacy protection for
reporters?
• A report that contains other
information does need to be
signed
• Allows deeper analysis but
greater privacy risk
24. Importance of one observation
• Not all OBEs will have good connectivity, not all OBEs will be able to
connect immediately
• If OBEs connect once every 3 years (~1000 days) then .1% of vehicles will
connect every day
• If 5% of vehicles have always-on cellular connectivity* then 5% of vehicles
could connect every day
• * -- and don’t mind using it for MBR
• Is this enough?
• Claim: yes – we’re trying to catch significant disruption and misbehavior
that affects less than 1000 cars isn’t “significant”
• Implication: 5% penetration of cars with good connectivity is enough to
catch significant disruption
• May be no need for MBR over 5.9 GHz at all
25. Different local reporting algorithms
• Local: if different between vehicles, how to handle cases where
a vehicle is accused of misbehaving because it was surrounded
by more punitive vehicles?
• Different algo per Vehicle type?
• Algorithm depends on reporting vehicle type?
• Algorithm depends on reportED vehicle type?
• Can reporting algorithm be proprietary?
• If so, can it be protected? Can it be figured out from input and output?
26. Public, standardized, uniform?
Public?
• Yes: MA needs to know
reporting criteria
• Yes: publicly reviewed algorithm
is more likely to be robust
• No: Malicious attacker can work
out ways around the algorithm
• Proposal: Reporting algorithm should be known to MA, despite privacy risk if different devices use different reporting algorithms
• Implication: Need a way to
identify or describe reporting
algorithm
Standardized?
• Yes: Good to have clarity
• Yes: Reduces privacy concerns
• Yes: Avoids mistakes
• No: Slow to change, attacker
may work out way around it
• Proposal: So long as known to
MA, no need to standardize
Uniform
• Yes: Best privacy
• No: Throws away ability to use sensor information from best-equipped devices
• Proposal: No need to be
uniform
27. Reporting and privacy
• Baseline MBR for false alert can contain BSMs from the two involved vehicles
• Any third party can observe that the messages would likely cause an alert and that alerted
vehicle did not react
• (or did not react as strongly as expected)
• Note that this is an argument for reporting messages that would have caused false alerts
if not for sensor input
• … because these messages cause alerts in less-well-equipped vehicles, so the fact that those
vehicles do report those alerts compromises their privacy if others don’t
• Can misbehavior reports be stripped of identifying information when stored on the
reporting device, or when sent to the MA?
• Need to send the original signed BSMs to avoid slander attacks
• To avoid slander attacks via false alert based MBR, the MA must be able to
investigate both BSM senders in the report (this has been known for a long time)
• Innocent reporters in area of high misbehavior might inadvertently have their privacy
compromised
28. Reporting from more highly-equipped vehicles
• Should highly-equipped vehicles be entitled to send more detailed misbehavior reports than
vehicles with more basic equipment (sensors, etc)?
• Proposal: Yes, but note argument above that false alerts can be detected from BSMs alone
• Should they be *required* to send more detailed misbehavior report?
• How do they indicate that they are entitled to send more detailed reports?
• SSP?
• Privacy concerns:
• Revealing specific capabilities of car might identify car, or make it unique in particular area
• This would be known only to MA but would create database that could be hacked
• In the current design, BSMs and MBRs are signed by the same certificate
• Therefore, including device-specific MBR SSP in BSM cert would compromise BSM privacy
• Possible resolution:
1. See how much can be done with false alert detection based on BSMs alone
2. Permit more detailed misbehavior reports but…
• Sign those with dedicated certs other than the BSM certs
• As many MBR certs per week as BSM certs
• Possibly have multiple sets corresponding to different capability levels and sign with the lowest capability levels
3. Separate MBR verification from analysis – one component verifies report signature, other uses contents
• Not clear how this would work
29. A free-rider problem
• For any given OEM the incentive is for their vehicles not to report
• Preserve privacy best
• Free-ride on the reporting of others
• How can this be avoided?
• Keep stats on MBR from different OEMs’ vehicles?
• Unlikely to be popular, even worse privacy properties
• Testing?
• Not clear what conditions to test for
• And bad-faith OEM, which we’re assuming, can detect test environment and give fake results
• Make reporting more privacy-preserving to reduce incentives to free-ride?
• Proposal: Include requirement for reporting in minimum performance
requirements, assume good-faith behavior on part of OEMs, assume that if
one bad actor is caught it’ll scare the others
• Incentive to OEMs may be to report misbehavior in exchange for new/updated MD rules?
30. Liability in misbehavior reporting
• Needs to be clarified
• If someone is incorrectly revoked due to reports from another vehicle can they sue
• … the MA?
• … the reporting vehicle?
• Legal status needs to be clear: ideal situation provides strong protection for reporters
• What if there’s a malicious reporting algorithm?
• Ford cars have an algorithm that selects target GM cars and “nudges” the BSM in the report to make
it seem that there’s been an alert with slightly increased probability
• … legal status needs to be clear: some body needs power to punish malicious reporting
• …or simply 'poorly-reporting' algorithm?
• SCMS may need to provide evidence to OEMs to prove that their MD algorithms need to be
modified for improved effectiveness.
• Proposal: VIIC or similar policy body should investigate how policy around reporting
should be made and maintained.
32. Overview
• MA gets a series of MBR
• There are some MBR that feature
the same cert enough times that a
revocation decision can be made
on the basis of those MBR alone
• (see caveat)
• For others, MA needs to ask LA
whether two messages belong to
the same vehicle
• Need to strike a balance between
allowing MA to investigate and
preventing it going on fishing
expedition looking for linked certs
[Diagram labels: Detection, Reporting, Investigation, Revocation; Vehicle, MA, LA, PCA, RA, CRLG]
33. CAR and WAR
• CAR
• Cluster / Analyze / Resolve
• MA clusters reports to determine which certs
might go together
• Asks LA “am I right?”
• LA responds yes/no
• WAR
• Analyze / Weight / Resolve
• Yes I know
• For each cert, MA assigns a weight
associated to the severity of the misbehavior
reports
• Asks LA “Does any vehicle cross a
threshold?”
• Learns only those vehicles that do, not the
ones that don’t
• In both cases, MA rationale for queries is
auditable
• (That caveat)
• Even if there are a lot of MBR featuring a
single cert, that might be an attacker
slandering that vehicle
• So some form of linkage query needs to be
carried out on the reporting certs
34. CAR / WAR strengths and weaknesses
CAR
• Strengths:
• Least burden on LA
• Weaknesses:
• Doesn’t catch instances where the keys are
extracted from a device and then used in
moderation in very different locations.
• Say I extract the keys from a device and
misbehave in New York and San Francisco with
different certs – how would clustering detect
that?
• If the question the MA can ask is “are *all* of
these certs from the same device”:
• Number of possible queries is exponential in
number of certs in the query
• Large queries: too many of them
• Small queries: fishing expedition
WAR
• Works best for a revocation
“badness function” where the
badness of the misbehaving
device is equal to the sum of the
badnesses of each of its
reports.
• Works less well in the case
where badness depends on
things like time or distance
between incidents.
35. Proposal
• Use CAR to set weights
• LA supports (SEQUENCE OF {cert identifier, weight, threshold})
API
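A sketch of how an LA could answer the proposed SEQUENCE OF {cert identifier, weight, threshold} query, added here as an example and not taken from the presentation or from any SCMS implementation. The class and function names, the linkage table, the weights and the rule that the strictest threshold among a vehicle's entries applies are all assumptions; the second query applies the same call to the reporting certs, as the slander caveat on slide 33 asks.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    cert_id: str    # cert identifier taken from the MBRs
    weight: int     # severity weight assigned by the MA
    threshold: int  # threshold the MA attaches to this entry


class LinkageAuthority:
    """Toy LA holding the cert -> vehicle linkage that the MA never sees."""

    def __init__(self, linkage):
        self._linkage = dict(linkage)
        self.audit_log = []  # (rationale, entries) kept for oversight

    def threshold_query(self, entries, rationale):
        entries = tuple(entries)
        self.audit_log.append((rationale, entries))
        total, limit, certs = defaultdict(int), {}, defaultdict(list)
        for e in entries:
            vehicle = self._linkage.get(e.cert_id)
            if vehicle is None:
                continue  # unknown cert adds no weight
            total[vehicle] += e.weight
            # Assumption: the strictest threshold among a vehicle's entries applies.
            limit[vehicle] = max(limit.get(vehicle, e.threshold), e.threshold)
            certs[vehicle].append(e.cert_id)
        # Only groups of linked cert ids come back, never the vehicle key,
        # and nothing at all for vehicles that stay below threshold.
        return sorted(sorted(certs[v]) for v in total if total[v] >= limit[v])


# Constructed linkage data: four vehicles with pseudonym certs a*, b*, c*, d*.
LA = LinkageAuthority({"a1": "veh-A", "a2": "veh-A", "a3": "veh-A",
                       "b1": "veh-B", "b2": "veh-B", "c1": "veh-C",
                       "d1": "veh-D", "d2": "veh-D", "d3": "veh-D"})


def reported_certs_over_threshold():
    # Weights as the MA might set them after clustering (CAR) its reports.
    query = [Entry("a1", 2, 8), Entry("b1", 3, 8), Entry("a2", 3, 8),
             Entry("c1", 7, 8), Entry("a3", 4, 8), Entry("b2", 2, 8)]
    return LA.threshold_query(query, "false-alert MBRs, constructed batch")


def reporters_behind_one_target():
    # Slander caveat: the same query over the *reporting* certs, one unit of
    # weight per report; three reports from one vehicle cross the threshold.
    query = [Entry(c, 1, 3) for c in ("d1", "b1", "d2", "d3")]
    return LA.threshold_query(query, "reporter linkage check, constructed")
```

The MA learns that a1, a2 and a3 belong together (summed weight 9 against threshold 8) and nothing about the b* and c* certs; the reporter query shows d1, d2 and d3 coming from a single vehicle.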
37. Oversight of revocation
• Revocation has the potential to be legally messy
• The system is withdrawing a privilege from a user…
• … which potentially exposes them to safety-of-life risks
• (You can’t argue that sending BSMs improves your safety without arguing that preventing you sending them reduces your safety)
• Conditions for revocation need to be clear
• Is there a right of review?
• Concern:
• We want to automate decisions, including revocation decisions, as much as possible
• Decisions made by people are expensive
• Decisions made by lawyers are extremely expensive
• How much do we need to anticipate and budget for review, appeals, and other
legal/administrative action?
• Proposal: Operating / business plan for SCMS manager should take this
into account and ensure processes are defensible
38. “Revocation” for malfunctioning OBEs
• If an OBE is malfunctioning, e.g. creating the “one lane left” situation, it
would be useful to notify it without permanently revoking its certs
• ”Standard” approach to revocation, i.e. publishing linkage seeds, doesn’t
allow this.
• Proposal for investigation: allow for “malfunction list”:
• Like CRL in that it is a signed cert management message
• Contains hash of cert rather than linkage seed
• Cert is cert that signed a misbehaving message
• MA can use investigation to only include one cert per vehicle
• OBEs retain the hashes of recently used certs to compare against malfunction list
• Malfunction list can be distributed only locally (10s of miles) to the observed
misbehavior as innocently malfunctioning vehicles will not in general travel far
• Other vehicles do not need to retain malfunction list information – vehicles check on
receipt whether they are included on the list, store the result of the check, and may
discard the list itself
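An added example of the OBE-side check described on this slide, not code from the presentation: the OBE keeps hashes of recently used certs, checks a received malfunction list against them, stores the result and drops the list. The `Obe` class, the SHA-256 choice, the retention size and the placeholder cert bytes are assumptions, and the list's signature is assumed to have been verified before the check is called.

```python
import hashlib
from collections import deque


def cert_hash(cert_bytes):
    # Assumption: SHA-256 of the encoded cert; the slide says only "hash of cert".
    return hashlib.sha256(cert_bytes).digest()


class Obe:
    """Hypothetical OBE-side state for malfunction-list handling."""

    def __init__(self, retain):
        # Hashes of the most recently used certs; the oldest falls out first.
        self._recent = deque(maxlen=retain)
        self.malfunction_notified = False  # stored result; the list is not kept

    def use_cert(self, cert_bytes):
        h = cert_hash(cert_bytes)
        if h not in self._recent:
            self._recent.append(h)

    def check_malfunction_list(self, listed_hashes):
        # The list's signature is assumed to have been verified before this call.
        hit = any(h in listed_hashes for h in self._recent)
        self.malfunction_notified = self.malfunction_notified or hit
        return hit


def demo():
    # Constructed certs: placeholder byte strings, not real encodings.
    certs = [b"constructed-cert-%d" % i for i in range(5)]
    obe = Obe(retain=3)
    for c in certs:
        obe.use_cert(c)  # certs 0 and 1 have rotated out of the window
    # The MA lists one cert per vehicle; here it picked cert 3 (still retained).
    recent_hit = obe.check_malfunction_list({cert_hash(certs[3])})
    # A second OBE with the same history, but the MA picked cert 0.
    late = Obe(retain=3)
    for c in certs:
        late.use_cert(c)
    missed = late.check_malfunction_list({cert_hash(certs[0])})
    return recent_hit, obe.malfunction_notified, missed, late.malfunction_notified
```

The second case shows why the retention window has to cover the time between the misbehaving message and the arrival of the list, since the MA lists only one cert per vehicle.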
39. Misbehavior for other applications
• SPaT: Traffic signals are out of phase with SPaT messages
• WSA: advertised services are not actually being offered
• DOS: not application specific but could be significant
• Ongoing question: who should be in charge of MBD design
• Security people?
• Application designers?
• Current situation in PC-land: anti-virus is written by specialist
developers
• … but that’s somewhat different situation
• Ongoing challenge: involve application researchers/specifiers in this
area even though they think of it as “security”
40. Misbehavior by SCMS Components
• A malicious MA can in principle break the privacy of any misbehavior
reporter/reported device
• Can the misbehavior investigation interface be limited without significantly
affecting MA’s detection capabilities?
• Can the misbehavior detection be distributed (instead of centralized at MA)
among LA, PCA, and MA?
• Can there be an effective oversight mechanism to keep a check on MA’s
malicious activities?
• Other SCMS components are also assumed to follow the protocols
honestly. What if they don’t? Examples:
• When a device is revoked, what if instead of blacklisting it, RA simply
replaces its linkage chain with a new one?
• What if an LA doesn’t follow the linkage value generation algorithm: creates
pre-linkage values that look normal but are not linked to one another?
• What if LA or PCA don’t answer misbehavior investigation queries honestly?
41. Large Scale Misbehavior/Malfunction
• Current revocation mechanisms are likely to succumb to large scale
revocation (> 1 million devices)
• Storage: Large CRLs are not only difficult to transmit but devices will most likely not
have the required storage space for them
• Computation: Every certificate verification requires checking the CRL, devices will
most likely not have the required computation power for that
Note: Revoking PCA/ICA won’t always solve the problem, especially if misbehaving devices are distributed over multiple PCAs/ICAs
• SiriusXM have a broadcast encryption based certificate provisioning
proposal that may be better equipped to handle large scale revocation
• Trades “2-way communication for cert provisioning” with “higher storage in devices”
• Requires an always-ON broadcast communication
• Can handle essentially unlimited number of revocations
• Revocation is not CRL-based, doesn’t put burden on the device w.r.t.
storage/computation