This presentation gives an overview of the different threat-modeling approaches, with examples from the automotive domain. It was given at the IEEE VTS event on 4 Sep, the "Safe and Secure Automotive" workshop.
Software Security Is Not Keeping Pace with Technology in the Auto Industry
Source: https://www.sae.org/binaries/content/assets/cm/content/topics/cybersecurity/securing_the_modern_vehicle.pdf
CYBER–SECURITY STANDARD – ISO/SAE 21434
ISO/SAE 21434 specifies requirements for cybersecurity risk management regarding the engineering of road-vehicle electrical and electronic (E/E) systems, including their components and interfaces, across concept, development, production, operation, maintenance and decommissioning.
The formal version was published in August 2021.
CYBER–SECURITY STANDARD

Cyber Security Requirement Elicitation
• Derive cyber security goals based on the threat modeling.
• Security architecture & design.
• Allocate CS requirements to design elements.
• Identify appropriate CS controls.

Cyber Security Implementation
• Define interfaces & analyze the architectural design.
• Detail the CS design.
• CS coding guidelines.

Risk Treatment Verification
• Cyber security verification strategy, including techniques such as static & dynamic code analysis, network tests and brute-force attack simulation. Verification methods include security code reviews, test case reviews etc.
• Cyber security test specification; methods include BVA (boundary value analysis), equivalence classes, error guessing etc.
• Test the implementation of the design and the component integration.

Risk Treatment Validation
• Cyber security validation strategy; methods include penetration testing, network tests and brute-force attack simulation.
• Cyber security test execution.

Establish bi-directional traceability & consistency between CS requirements and CS goals.

Note: Interpretation based on the "ASPICE for Cyber Security Yellow page".
CYBERSECURITY (CS) LIFECYCLE

Plan
• CS relevance determination
• Equipment & infrastructure
• Cyber Security Interface Agreement for Development (CIAD)

CS Requirement Analysis
• System modeling
• List of assets & definition of CS goals
• Threat modeling (TARA, STRIDE)
• Testability analysis
• Security requirements

CS Design
• HW & SW CS architecture & design
• Vulnerability analysis
• CS design guidelines & review
• Commercial off-the-shelf (COTS) components

CS Implementation
• Secure coding practices
• DevSecOps

CS Verification
• Testing [security testing, SW & HW integration, component security]
• Risk-based testing [code review, penetration testing, fuzz testing]

Release & Post-Release Support
• Release
• Product Security Incident Response Team (PSIRT)
• Releasing security-fix patches

Implementation of a continuous integration and delivery pipeline.
SYSTEM MODELING
Define the system from the cybersecurity point of view to identify the scope of the Threat Analysis & Risk Assessment (TARA).
TYPICAL ATTACK SURFACE
ID    Attack Surface Name
AS01  On-board systems and software
AS02  OTA update channel
AS03  Physical ports (including USB, diagnostic port)
AS04  Automotive Ethernet communication channel
AS05  AV sensors (such as LIDAR, RADAR, IMU, wheel odometer)
AS06  Telematics unit
AS07  CAN bus
AS08  Wireless/cellular communication channels
TYPICAL ATTACK TYPES
Sl No  Attack Type
1   Adversarial attack on algorithms
2   Data exfiltration
3   Denial of service
4   Disabling of sensors locally or remotely
5   Elevation of privilege to enable unauthorized control
6   Exfiltration of software modules and sensitive information
7   Gaining access to / control of other modules
8   Gaining access/control through poor configuration or misconfiguration
9   Gaining access/control through software vulnerabilities
10  Insider threat
11  Jamming (DoS) of communication channels
12  Jamming (DoS) of signals
13  Malware infiltration and execution
14  Side-channel attack
15  Spoofing of CAN messages
16  Spoofing of communication
17  Spoofing of GPS messages
18  Spoofing of packets
19  Spoofing of signals
20  Spoofing of software provider identity
21  Tampering of data in transit (MitM)
22  Tampering of data at rest
23  Tampering of hardware modules
24  Tampering of software functionalities
25  Transduction attack (exploiting sensor physics)
METHODS FOR THREAT ANALYSIS
• The EVITA method comes from the European research project EVITA (E-safety Vehicle Intrusion proTected Applications).
• Threat identification uses attack trees to identify generic threats; threat classification classifies the risk of each threat; and risk assessment recommends actions based on the resulting risk classification of the threats.
• OCTAVE stands for Operationally Critical Threat, Asset, and Vulnerability Evaluation; it is a process-driven threat/risk assessment methodology.
• Microsoft STRIDE; ETSI TVRA (Threat, Vulnerability and Risk Analysis).
• Common tools such as the Microsoft Threat Modeling Tool.
CASE STUDY INFOTAINMENT
Step 1: Item Definition
• Complete analysis of the system in scope for the security analysis.
• Identify the item boundary, the functions (use cases) and the preliminary architecture.
• Feature scoping.
• Identify the operational environment of the item, its constraints and compliance requirements.
CASE STUDY INFOTAINMENT
Step 2: Identify the Assets
An asset is something for which the compromise of its cybersecurity properties can lead to damage to an item's stakeholder. A few example scenarios from the IVI domain follow.

Asset ID:           A10
Asset:              Current location data
Asset type:         Data
Purpose:            The data related to the current location of the vehicle and head unit.
System components:  Navigation, Wi-Fi, Bluetooth
C / I / A:          H / M / L

C – Confidentiality (non-repudiation)
I – Integrity (authenticity)
A – Availability (authorization)
CASE STUDY INFOTAINMENT
Step 3: Threat Modeling
3.1 Attack Goals
AG10. Compromise integrity of location data of vehicle
Note: attack-tree nodes are denoted with the tag A*; attack steps are denoted with the tag S*.
CASE STUDY INFOTAINMENT
Step 4: Threat Analysis
AG10. Compromise integrity of location data of vehicle

No    Attack goal                                        Threat agent         Motivation
AG10  Compromise integrity of location data of vehicle   Individual attacker  Gain personal advantage

To better understand the attacks, each attack goal should be identified with possible actors and motivations, in an effort to match threat agents and their intentions with particular attacks.
CASE STUDY INFOTAINMENT
Step 4: Threat Analysis
Identify the severity vector and map S, P, O, F:
Safety – physically putting at risk or harming the driver and passengers of the vehicle
Privacy – identification and tracking of vehicles or individuals
Financial – financial losses that may be experienced by individuals or ITS operators
Operational – interference with vehicle systems and functions that do not impact functional safety

Attack Goal  Attack Objective                Safety  Privacy  Financial  Operational  Severity
AG10         Disclose location history data  0       3        3          0            3
             Track location of HU            0       3        3          0            3

4 is the highest level and 0 the lowest; the severity of a scenario is the maximum over the four categories.
CASE STUDY INFOTAINMENT
Step 4: Threat Analysis
Attack Probability calculation

Factor              Value                   Symbol  Points
Preparation time    Less than 1 day         <1D     0
                    Less than 1 week        <1W     1
                    Less than 1 month       <1M     4
                    Less than 3 months      <3M     13
                    Less than 6 months      <6M     26
                    Over 6 months           >6M     100
Level of expertise  Layman / script kiddie  LSK     0
                    Competent attacker      CA      2
                    Expert attacker         EA      5
Level of knowledge  Publicly available      PA      0
                    Restricted info         RI      1
                    Confidential info       CI      4
                    Secret info             SI      10
Opportunity window  Permanent access        PEA     0
                    Wide opportunity        Wide    1
                    Moderate opportunity    Mod     4
                    Small opportunity       Small   12
                    No opportunity          None    100
Equipment           Standard equipment      Std     0
                    Specialized equipment   Spc     3
                    Dedicated equipment     Ded     7
                    No availability         None    100

Attack potential (effort) X = Preparation_Time + Expertise + Knowledge_of_System + Opportunity_Window + Equipment

The attack probability is then read from X:
X <= 9         5
10 <= X <= 13  4
14 <= X <= 19  3
20 <= X <= 24  2
25 <= X        1

The 100-point entries mark factors that make the attack practically infeasible; any path containing one falls into the lowest probability level.
CASE STUDY INFOTAINMENT
Step 4: Threat Analysis
Attack Probability calculation

ID     Asset / Attack (threat)   Prep. time  Expertise  Info.  Opportunity  Equipment  Effort  Prob.
A10T1  Physical tampering        <1D         CA         RI     Small        Spc        18      3
S14T1  Gain access to USB port   <1W         CA         PA     Small        Spc        18      3
S3T1   Sniff Bluetooth packets   <1D         CA         PA     PEA          Std        2       5

(e.g. A10T1: 0 + 2 + 1 + 12 + 3 = 18, which falls in 14 <= X <= 19, so probability 3)

Attack Goal  Attack Method                      Combined Effort  Combined probability
AG10         Extract from device                18               3
             Get runtime control of service     4                5
             Extract Bluetooth device address   6                5
             WIFI SSID                          3                5
             Extract location data from GPS     5                5
CASE STUDY INFOTAINMENT
Step 5: Risk Assessment
Risk calculation: severity level Si (rows) against attack probability level 1..5 (columns; the slide labels this "Attack Potential", but it is the 1..5 probability level derived from X, not the summed effort X itself).

Severity  P = 1    P = 2    P = 3    P = 4    P = 5
Si = 0    No risk  No risk  No risk  No risk  No risk
Si = 1    R0       R0       R1       R2       R3
Si = 2    R0       R1       R2       R3       R4
Si = 3    R1       R2       R3       R4       R5
Si = 4    R2       R3       R4       R5       R6

ID    Attack Objective                Attack Method                     Severity  Probability  Risk
AG10  Disclose location history data                                    3         5            R5
                                      Extract from device               3         3            R3
                                      Get runtime control of service    3         5            R5
      Track location of HU                                              3         5            R5
                                      Extract Bluetooth device address  3         5            R5
                                      WIFI SSID                         3         5            R5
                                      Extract location data from GPS    3         5            R5

Each attack method inherits the severity (3) of its attack objective; the risk column is read from the matrix above (Si = 3 with probability 5 gives R5, with probability 3 gives R3).
CASE STUDY INFOTAINMENT
Step 6: Risk Treatment

Goal ID  Cybersecurity Goal                                                Security Control
SG8      Unauthorized access to the Bluetooth interface shall be prevented.  Bluetooth security measures, intrusion prevention system, kernel hardening, user-space hardening.
SG9      Unauthorized access to the Wi-Fi interface shall be prevented.      Wi-Fi security measures, intrusion prevention system, kernel hardening, user-space hardening, network firewall, audits and best practices.

Attack ID  Asset / Attack (leaf)                              Prep. time  Expertise  Info.  Opportunity  Equipment  Effort  Prob.  Security
A10T1      Compromise integrity of location data of vehicle   <1D         CA         RI     Small        Spc        18      3      Countermeasures

The probability will be reduced by the countermeasures applied to the security risk: a control that narrows the opportunity window or raises the required expertise, knowledge or equipment increases the effort X and so lowers the probability level.
CASE STUDY TELEMATICS
Define CS scope: system analysis, boundary analysis, feature scoping.
Attack objective and goal: gain access to phone number and extract valuable data.
CASE STUDY TELEMATICS
Attack Goal, Attack Objective & Severity

Attack Objective             Attack Goal               Involved Assets  Safety  Privacy  Financial  Operational  Severity
Gain access to phone number  Extracting valuable data  Private Data     0       3        2          0            3

Impacts in the S, F, O, P categories cannot be compared with one another and are evaluated separately; the impact rating of the damage scenario is the MAX of the (S, F, O, P) impact levels.
CASE STUDY TELEMATICS
Identify Method & Attack Step

Objective: Gain access to phone number (Severity 3; Assets: SIM Data)
Attack Goal: Extracting valuable data

Method 1: Code execution attack
  Attack Step 1: Read phone data from memory (buffer overruns - kernel)
  Attack Step 2: Read phone data by password cracking (unauthorized access)
Method 2: Install back door SW update (malicious) to gain access to Wi-Fi
  Attack Step 1: Exploit kernel vulnerability / password cracking to gain access
  Sub method: Launch man-in-the-middle OTA attack
    Attack Step 2: Read microphone data & get in-vehicle audio file
CASE STUDY TELEMATICS
Attack Potential
"Read phone data by password cracking (unauthorized access)"
Elapsed time: 0
Expertise: 3
Knowledge of system: 3
Window of opportunity: 1
Equipment: 4
The "Attack Potential" is 11 (the sum of the above).

Note that these factor values come from a different scoring table than the one used in the infotainment case (expertise 3 and knowledge 3 do not occur there); only the summation and the X-to-probability mapping are reused.
CASE STUDY TELEMATICS
Assign Attack Potential, Derive Attack Probability, Derive Security Risk Level

Objective: Gain access to phone number (Severity 3; Assets: SIM Data)
Attack Goal: Extracting valuable data

Method 1: Code execution attack (OR of its steps)
  Attack Potential 11, Probability A4, Risk R4
  Attack Step 1: Read phone data from memory (buffer overruns - kernel)
    Attack Potential 15, A3, R3
  Attack Step 2: Read phone data by password cracking (unauthorized access)
    Attack Potential 11, A4, R4
Method 2: Install back door SW update (malicious) to gain access to Wi-Fi (AND of its children)
  Attack Potential 15, A3, R3
  Attack Step 1: Exploit kernel vulnerability / password cracking to gain access
    Attack Potential 11, A4, R4
  Sub method: Launch man-in-the-middle OTA attack
    Attack Potential 15, A3, R3
    Attack Step 2: Read microphone data & get in-vehicle audio file
      Attack Potential 15, A3, R3

Rules used:
• The potential of a node whose children are AND'ed = MAX(children): every step must succeed, so the hardest step bounds the path (Method 2 = MAX(11, 15) = 15).
• The potential of a node whose children are OR'ed = MIN(children): the attacker takes the easiest alternative (Method 1 = MIN(15, 11) = 11).
• Attack probability from the potential, with the mapping of the infotainment case study: 10 <= X <= 13 gives A4, 14 <= X <= 19 gives A3.
• Security risk level from the severity/probability matrix at severity 3: probability 4 gives R4, probability 3 gives R3.
CASE STUDY TELEMATICS
Derive Counter Measure

Objective: Gain access to phone number
  Method: Code execution attack
    Attack step: Read phone data by password cracking (unauthorized access)      Security Risk Level R4
    Attack step: Read phone data from memory (buffer overruns - kernel)          Security Risk Level R3
  Method: Install back door SW update (malicious) to gain access to Wi-Fi
    Attack step: Exploit kernel vulnerability / password cracking to gain access  Security Risk Level R4
    Sub method: Launch man-in-the-middle OTA attack
      Attack step: Read microphone data & get in-vehicle audio file              Security Risk Level R3
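The arithmetic behind Steps 4 and 5 of the infotainment case (factor table, X-to-probability mapping, S/P/F/O severity rule, risk matrix) and behind the telematics attack tree (AND = MAX, OR = MIN) is small enough to reproduce in a few functions. The following Python is an added example and is not code from the presentation. The factor symbols, the matrix and the leaf values are taken from the slides; the function and class names (attack_potential, probability, severity, risk_level, Node, telematics_tree, infotainment_rows) are assumptions of this example, and the OR = MIN rule is the standard attack-tree reading that reproduces the slide's Method 1 value of 11.

```python
"""TARA arithmetic from the infotainment and telematics case studies (added
illustration, not code from the presentation): factor table, X -> probability
mapping, S/P/F/O severity rule, risk matrix and attack-tree combination."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Factor points as tabulated on the infotainment slide; 100 is the slide's
# stand-in for "not achievable" (no opportunity / no equipment available).
PREP_TIME = {"<1D": 0, "<1W": 1, "<1M": 4, "<3M": 13, "<6M": 26, ">6M": 100}
EXPERTISE = {"LSK": 0, "CA": 2, "EA": 5}
KNOWLEDGE = {"PA": 0, "RI": 1, "CI": 4, "SI": 10}
OPPORTUNITY = {"PEA": 0, "Wide": 1, "Mod": 4, "Small": 12, "None": 100}
EQUIPMENT = {"Std": 0, "Spc": 3, "Ded": 7, "None": 100}

# Severity (row, 0..4) x probability (column, 1..5) -> risk level, from Step 5.
RISK_MATRIX = {
    0: ["No risk"] * 5,
    1: ["R0", "R0", "R1", "R2", "R3"],
    2: ["R0", "R1", "R2", "R3", "R4"],
    3: ["R1", "R2", "R3", "R4", "R5"],
    4: ["R2", "R3", "R4", "R5", "R6"],
}

def attack_potential(prep: str, expertise: str, knowledge: str,
                     opportunity: str, equipment: str) -> int:
    """X = sum of the five factor scores (the slide's 'effort' column)."""
    return (PREP_TIME[prep] + EXPERTISE[expertise] + KNOWLEDGE[knowledge]
            + OPPORTUNITY[opportunity] + EQUIPMENT[equipment])

def probability(x: int) -> int:
    """Map the summed effort X to the slide's attack probability 5 (easy) .. 1."""
    for limit, level in ((9, 5), (13, 4), (19, 3), (24, 2)):
        if x <= limit:
            return level
    return 1

def severity(safety: int, privacy: int, financial: int, operational: int) -> int:
    """Severity of a damage scenario = MAX of the four impact levels (0..4)."""
    levels = (safety, privacy, financial, operational)
    if any(not 0 <= v <= 4 for v in levels):
        raise ValueError("impact levels must be between 0 and 4")
    return max(levels)

def risk_level(sev: int, prob: int) -> str:
    return RISK_MATRIX[sev][prob - 1]

@dataclass
class Node:
    """Attack-tree node; 'gate' says how the children combine."""
    name: str
    gate: str = "OR"                 # "AND": all children needed; "OR": any one
    potential: Optional[int] = None  # leaf value (attack steps only)
    children: List["Node"] = field(default_factory=list)

    def attack_potential(self) -> int:
        if not self.children:
            if self.potential is None:
                raise ValueError(f"leaf {self.name!r} has no attack potential")
            return self.potential
        vals = [c.attack_potential() for c in self.children]
        # AND: every child must succeed, so the hardest one bounds the path
        # (MAX).  OR: the attacker takes the easiest alternative (MIN); this
        # is what makes "Method 1" evaluate to 11 rather than 15.
        return max(vals) if self.gate == "AND" else min(vals)

    def risk(self, sev: int) -> Dict[str, str]:
        """Risk level of this node and every descendant for severity 'sev'."""
        out = {self.name: risk_level(sev, probability(self.attack_potential()))}
        for c in self.children:
            out.update(c.risk(sev))
        return out

def telematics_tree() -> Node:
    """'Gain access to phone number' tree.  Leaf values are the attack
    potentials labelled on the tree slides; the telematics slides score the
    factors directly (password cracking: 0 + 3 + 3 + 1 + 4 = 11)."""
    return Node("Gain access to phone number", "OR", children=[
        Node("Method 1: Code execution attack", "OR", children=[
            Node("Read phone data from memory (buffer overruns - kernel)", potential=15),
            Node("Read phone data by password cracking", potential=sum((0, 3, 3, 1, 4))),
        ]),
        Node("Method 2: Install back door SW update", "AND", children=[
            Node("Exploit kernel vulnerability / password cracking", potential=11),
            Node("Sub method: man-in-the-middle OTA attack", "AND", children=[
                Node("Read microphone data & get in-vehicle audio file", potential=15),
            ]),
        ]),
    ])

def infotainment_rows() -> Dict[str, Tuple[int, int, str]]:
    """(effort, probability, risk) for the Step 4 rows; severity 3 is AG10's
    impact vector S0 P3 F3 O0.  Row factors are copied from the slide table."""
    sev = severity(0, 3, 3, 0)
    rows = {
        "A10T1 Physical tampering": ("<1D", "CA", "RI", "Small", "Spc"),
        "S14T1 Gain access to USB port": ("<1W", "CA", "PA", "Small", "Spc"),
        "S3T1 Sniff Bluetooth packets": ("<1D", "CA", "PA", "PEA", "Std"),
    }
    result = {}
    for name, factors in rows.items():
        x = attack_potential(*factors)
        result[name] = (x, probability(x), risk_level(sev, probability(x)))
    return result
```

Calling infotainment_rows() reproduces effort 18 / probability 3 / risk R3 for A10T1 and S14T1 and effort 2 / probability 5 / risk R5 for S3T1; telematics_tree().risk(3) gives R4 for Method 1 and R3 for Method 2, matching the risk levels on the tree slides. The telematics leaves are entered as the values labelled on the slides rather than looked up in the infotainment table because the two case studies score the factors differently; a single scoring table should be fixed per TARA so that potentials from different branches remain comparable.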
TPMS - Tire pressure monitoring system
SDARS - Satellite Digital Audio Radio Service (satellite radio receiver)
GNSS - Global Navigation Satellite System
DoIP - Diagnostics over Internet Protocol
CAN FD - Controller Area Network Flexible Data-Rate
A2B - Automotive Audio Bus (Analog Devices)
RKE - Remote Keyless Entry
GPIO - General Purpose Input/Output
JTAG - Joint Test Action Group debug/test port, used for verifying designs and testing printed circuit boards after manufacture
UART - Universal asynchronous receiver-transmitter
Access memory through buffer overruns
Read microphone data & get in-vehicle audio file = 15 (Elapsed time: 1, Expertise: 3, Knowledge of system: 3, Window of opportunity: 4, Equipment: 4)
Exploit kernel vulnerability / password cracking to gain access = 11 (Elapsed time: 0, Expertise: 3, Knowledge of system: 3, Window of opportunity: 1, Equipment: 4)