attacking autosar using software and hardware attacks
play

Attacking AUTOSAR using Software and Hardware Attacks Pascal al - PowerPoint PPT Presentation

Sep 10, 2023 •176 likes •1.34k views

Attacking AUTOSAR using Software and Hardware Attacks Pascal al Nasahl Graz University of Technology Niek Timmer mers Riscure 1 Introduction 2 Introduction Niek Timmers Principal Security Analyst @ Riscure 3 Introduction

  1. AUTOSAR’s PDU Router 1. CAN driver receives 8-byte CAN frame 2. Frame passes the CAN interface 3. Payload is reassembled by ISO-TP 4. Payload is copied to COM or DCM 77

  2. AUTOSAR’s PDU Router 1. CAN driver receives 8-byte CAN frame 2. Frame passes the CAN interface 3. Payload is reassembled by ISO-TP 4. Payload is copied to COM or DCM 5. COM or DCM handles the payload 78

  3. Where do we attack?! 79

  4. AUTOSAR’s PDU Router 1. CAN driver receives 8-byte CAN frame 2. Frame passes the CAN interface 3. Payload is reassembled by ISO-TP 4. Payload is copied to COM or DCM 5. COM or DCM handles the payload 80

  5. Attacking AUTOSAR’s PDU router 81

  6. Attacking AUTOSAR’s PDU router • Step 1: Send an ISO-TP CAN message (< 4096 bytes) 82

  7. Attacking AUTOSAR’s PDU router • Step 1: Send an ISO-TP CAN message (< 4096 bytes) Copy ‘Our task’ Our to ‘free memory’ task 83

  8. Attacking AUTOSAR’s PDU router • Step 1: Send an ISO-TP CAN message (< 4096 bytes) Copy ‘Our task’ Modify pointer of IDLE Our to ‘free memory’ task to ‘free memory’ task 84

  9. Attacking AUTOSAR’s PDU router • Step 1: Send an ISO-TP CAN message (< 4096 bytes) Copy ‘Our task’ Modify pointer of IDLE Continue with Our to ‘free memory’ task to ‘free memory’ current task task 85

  10. Attacking AUTOSAR’s PDU router • Step 1: Send an ISO-TP CAN message (< 4096 bytes) Copy ‘Our task’ Modify pointer of IDLE Continue with Our Pointers pointing to the start of the payload to ‘free memory’ task to ‘free memory’ current task task 86

  11. Attacking AUTOSAR’s PDU router • Step 1: Send an ISO-TP CAN message (< 4096 bytes) Copy ‘Our task’ Modify pointer of IDLE Continue with Our Pointers pointing to the start of the payload to ‘free memory’ task to ‘free memory’ current task task • Step 2: We inject the glitch when the pointers are being copied 87

  12. Attacking AUTOSAR’s PDU router • Step 1: Send an ISO-TP CAN message (< 4096 bytes) Copy ‘Our task’ Modify pointer of IDLE Continue with Our Pointers pointing to the start of the payload to ‘free memory’ task to ‘free memory’ current task task • Step 2: We inject the glitch when the pointers are being copied • Step 3: Successful glitches load a pointer into the PC register 88

  13. Attacking AUTOSAR’s PDU router • Step 1: Send an ISO-TP CAN message (< 4096 bytes) Copy ‘Our task’ Modify pointer of IDLE Continue with Our Pointers pointing to the start of the payload to ‘free memory’ task to ‘free memory’ current task task • Step 2: We inject the glitch when the pointers are being copied • Step 3: Successful glitches load a pointer into the PC register • Step 4: MCU will execute the ISO-TP message (blue blocks) 89

  14. Attacking AUTOSAR’s PDU router • Step 1: Send an ISO-TP CAN message (< 4096 bytes) Copy ‘Our task’ Modify pointer of IDLE Continue with Our Pointers pointing to the start of the payload to ‘free memory’ task to ‘free memory’ current task task • Step 2: We inject the glitch when the pointers are being copied • Step 3: Successful glitches load a pointer into the PC register • Step 4: MCU will execute the ISO-TP message (blue blocks) • Step 5: Wait for IDLE task to be scheduled and execute our task 90

  15. Why does this work? 91

  16. Attacking AUTOSAR’s PDU Router 92

  17. Attacking AUTOSAR’s PDU Router Disassembled memcpy() 93

  18. Attacking AUTOSAR’s PDU Router Disassembled memcpy() 94

  19. Attacking AUTOSAR’s PDU Router Disassembled memcpy() We take control of the Program Counter (PC) during the copy! 95

  20. We have our own task. Now what?! 96

  21. Post Exploitation 97

  22. Post Exploitation • Extract information (secrets) 98

  23. Post Exploitation • Extract information (secrets) • Analyze firmware dynamically 99

  24. Post Exploitation • Extract information (secrets) • Analyze firmware dynamically • Perform additional attacks (e.g. side channel attack) 100

Recommend

s c a l e When Hardware Attacks Hardwear.io 27 September 2019 1 Attack exploitation space:

s c a l e When Hardware Attacks Hardwear.io 27 September 2019 1 Attack exploitation space:

s c a l e When Hardware Attacks Hardwear.io 27 September 2019 1 Attack exploitation space: time vs distance Remote key brute software protocol force relay attack side Fast Slow mitm channel Hardware attacks require: Hardware

360 views • 24 slides
Software Security Explorative Lecture A brief history of security problems attacks on

Software Security Explorative Lecture A brief history of security problems attacks on

1/30/2020 Software Security Explorative Lecture A brief history of security problems attacks on multi-user UNIX systems for fun viruses &amp; worms attacking operating systems due to buffer overflow, format string attacks, integer

477 views • 37 slides
RHAPSODY &amp; AUTOSAR WALTER VAN DER HEIDEN WILLERT SOFTWARE TOOLS ABOUT WILLERT SOFTWARE TOOLS

RHAPSODY &amp; AUTOSAR WALTER VAN DER HEIDEN WILLERT SOFTWARE TOOLS ABOUT WILLERT SOFTWARE TOOLS

RHAPSODY &amp; AUTOSAR WALTER VAN DER HEIDEN WILLERT SOFTWARE TOOLS ABOUT WILLERT SOFTWARE TOOLS THE WILLERT SOFTWARE TOOLS COMPANY SPECIALIZES SINCE 1992 IN TOOLS FOR SOFTWARE ENGINEERING WITH RESPECT TO REALTIME EMBEDDED SYSTEMS. WILLERT HAS

832 views • 50 slides
TPM Genie Attacking the Hardware Root of Trust For Less Than $50 Introduction Jeremy Boone

TPM Genie Attacking the Hardware Root of Trust For Less Than $50 Introduction Jeremy Boone

TPM Genie Attacking the Hardware Root of Trust For Less Than $50 Introduction Jeremy Boone @uffeux Principal Consultant @ NCC Group Focus on hardware and embedded systems security Previously: 10 years product security @

1.41k views • 54 slides
Combined Software and Hardware Attacks on the Java Card Control Flow Guillaume Bouffard Julien

Combined Software and Hardware Attacks on the Java Card Control Flow Guillaume Bouffard Julien

Introduction EMAN 2 EMAN 4 Conclusion Combined Software and Hardware Attacks on the Java Card Control Flow Guillaume Bouffard Julien Iguchi-Cartigny Jean-Louis Lanet Smart Secure Devices (SSD) Team Xlim Universit e de Limoges

476 views • 45 slides
software and hardware for the Internet of Things. Choose hardware Design hardware Design

software and hardware for the Internet of Things. Choose hardware Design hardware Design

Zeidman Technologies has created a fundamentally new way to develop embedded software and hardware for the Internet of Things. Choose hardware Design hardware Design software Initial hardware choices determine Integrate functionality and

185 views • 15 slides
T argeted attacks: from being a victim to counter attacking Andrzej Dereszowski deresz

T argeted attacks: from being a victim to counter attacking Andrzej Dereszowski deresz

T argeted attacks: from being a victim to counter attacking Andrzej Dereszowski deresz &lt;at&gt; signal11.eu www.signal11.eu Motivation Are we able to counteratack ? Different possibilities: Traditional network scan and attack

1.02k views • 52 slides
Evading/Attacking NIDS Insertion, Evasion, DoS Attacks Proposed Solutions Traf fi c

Evading/Attacking NIDS Insertion, Evasion, DoS Attacks Proposed Solutions Traf fi c

Agenda Network ID Systems Architecture, Problems Evading/Attacking NIDS Insertion, Evasion, DoS Attacks Proposed Solutions Traf fi c Normalization Priyank Porwal Active Mapping COMP 290 Network Intrusion Detection

397 views • 11 slides
Whats new? Calibration Hardware IAEA Acquisition software Hardware and Software Upgrade for

Whats new? Calibration Hardware IAEA Acquisition software Hardware and Software Upgrade for

Hardware and Software Upgrade for the Solution Measurement and Monitor System at Rokkasho Reprocessing Plant R.Plenteda, A.Alessandrello, M.Frankl, W.Deringer, M.Lang, M.Cronholm, K.Baird, D.Breban, C.Creusot International Atomic Energy Agency

705 views • 17 slides
Who Whos Really Attacking Y s Really Attacking Your our #WHOAMI Threat

Who Whos Really Attacking Y s Really Attacking Your our #WHOAMI Threat

Who Whos Really Attacking Y s Really Attacking Your our #WHOAMI Threat Researcher at Trend Micro- research and blogger on criminal underground, persistent threats,

792 views • 44 slides
Attacking Passwords Richard Frovarp About Me Senior Software Engineer - Enterprise Computing

Attacking Passwords Richard Frovarp About Me Senior Software Engineer - Enterprise Computing

Attacking Passwords Richard Frovarp About Me Senior Software Engineer - Enterprise Computing &amp; Infrastructure - NDSU Systems Administrator - EduTech Dabbler in Enterprise Wireless Member Apache Software Foundation 2 Standard Disclaimer

436 views • 32 slides
Attacking Microcontrollers From a Software Perspective Don A. Bailey (donb@isecpartners.com) A

Attacking Microcontrollers From a Software Perspective Don A. Bailey (donb@isecpartners.com) A

Attacking Microcontrollers From a Software Perspective Don A. Bailey (donb@isecpartners.com) A copy of this presentation http://pa-ri.sc/uC/ Including all example software whois donb? Ok, donb . Whats this all about? How did I

1.19k views • 103 slides
Novel Hardware-based Attacks Jason Zheng Aditya Joshi Introduction Direct hardware hacking is

Novel Hardware-based Attacks Jason Zheng Aditya Joshi Introduction Direct hardware hacking is

Novel Hardware-based Attacks Jason Zheng Aditya Joshi Introduction Direct hardware hacking is as old as the trade of hacking Common Characteristics: Physical access (at least within transmission range of EM/Accoustic signals). Seemingly

252 views • 22 slides
Advanced Wi-Fi Attacks Using Commodity Hardware Mathy Vanhoef @vanhoefm BruCON, Belgium, 3

Advanced Wi-Fi Attacks Using Commodity Hardware Mathy Vanhoef @vanhoefm BruCON, Belgium, 3

Advanced Wi-Fi Attacks Using Commodity Hardware Mathy Vanhoef @vanhoefm BruCON, Belgium, 3 October 2018 Background Wi-Fi assumes each stations behaves fairly With special hardware we dont have to Continuous jamming: channel

885 views • 76 slides
s c a l e Marc Witteman Croatian Summer school 2017 Attack exploitation space: time vs distance

s c a l e Marc Witteman Croatian Summer school 2017 Attack exploitation space: time vs distance

When Hardware Attacks s c a l e Marc Witteman Croatian Summer school 2017 Attack exploitation space: time vs distance Remote key brute software protocol force relay attack side Fast Slow mitm channel Hardware attacks require:

688 views • 25 slides
Lecture 3 Hardware and Software 3. Hardware and Softw are 4. High Level Languages 5.

Lecture 3 Hardware and Software 3. Hardware and Softw are 4. High Level Languages 5.

1. Introduction 2. Binary Representation Lecture 3 Hardware and Software 3. Hardware and Softw are 4. High Level Languages 5. Standard input and output Hardware has been defined as 6. Operators, expression and statem ents the

238 views • 3 slides
Computer Hardware Computer - hardware and software Like piano and music In this

Computer Hardware Computer - hardware and software Like piano and music In this

Computer Hardware Computer - hardware and software Like piano and music In this section: hardware The computer is an amazingly useful general-purpose technology, to the point that now cameras, phones, thermostats .. these are all now

390 views • 17 slides
CPU Side-Channel Attacks the Meltdown Attack Heechul Yun 1 This Week: Hardware Security

CPU Side-Channel Attacks the Meltdown Attack Heechul Yun 1 This Week: Hardware Security

CPU Side-Channel Attacks the Meltdown Attack Heechul Yun 1 This Week: Hardware Security Introduction Meltdown Papers Spectre Attacks: Exploiting Speculative Execution, IEEE Security and Privacy (S&amp;P), 2019 (Dustin)

726 views • 44 slides
Computer Basics Class Rob Germeroth &amp; Matt Harmon Hardware vs Software Hardware Any

Computer Basics Class Rob Germeroth &amp; Matt Harmon Hardware vs Software Hardware Any

Computer Basics Class Rob Germeroth &amp; Matt Harmon Hardware vs Software Hardware Any physical component that makes up part of the computer. (mouse, keyboard, processor, hard drive, etc.) Software - Programs and other operating

450 views • 17 slides
Attacking the stack (continued) hic 1 1 Firefox bugs this morning hic 2 Last week

Attacking the stack (continued) hic 1 1 Firefox bugs this morning hic 2 Last week

Attacking the stack (continued) hic 1 1 Firefox bugs this morning hic 2 Last week Using buffer overruns or format string attacks to read out or corrupt the stack, esp. the control data on the stack: frame pointers and return

647 views • 42 slides
Hardware Enclave Attacks CS261 Threat Model of Hardware Enclaves Intel Attestation Process

Hardware Enclave Attacks CS261 Threat Model of Hardware Enclaves Intel Attestation Process

Hardware Enclave Attacks CS261 Threat Model of Hardware Enclaves Intel Attestation Process Service Untrusted (IAS) Enclave Enclave Code Trusted Process Process Enclave Other Data Enclave OS and/or Hypervisor Off-chip devices 2

531 views • 24 slides
SAP Security: Attacking SAP users Attacking SAP users with sapsploit eXtended 1.1 Xt d d 1 1

SAP Security: Attacking SAP users Attacking SAP users with sapsploit eXtended 1.1 Xt d d 1 1

SAP Security: Attacking SAP users Attacking SAP users with sapsploit eXtended 1.1 Xt d d 1 1 Alexander @sh2kerr Polyakov. PCI QSA,PA-QSA 11 We change look but we keep mind Company Digital Security Research Group International

924 views • 59 slides
Introduction to Computers and Programming Hardware Software Computer languages

Introduction to Computers and Programming Hardware Software Computer languages

Introduction to Computers and Programming Hardware Software Computer languages Compiling and running 1 Computer Basics A computer system consists of both hardware and software . Hardware - the physical components.

471 views • 17 slides
CPSC 875 CPSC 875 John D McGregor John D. McGregor Interface Design The next few slides are

CPSC 875 CPSC 875 John D McGregor John D. McGregor Interface Design The next few slides are

CPSC 875 CPSC 875 John D McGregor John D. McGregor Interface Design The next few slides are from the Autosar The next few slides are from the Autosar architecture documentation: Despite the Autosar cofidential tag on each slide these pages

961 views • 56 slides

More recommend