Attacking AUTOSAR using Software and Hardware Attacks
Pascal Nasahl, Graz University of Technology
Niek Timmers, Riscure

Introduction
Niek Timmers, Principal Security Analyst @ Riscure



AUTOSAR’s PDU Router
1. CAN driver receives 8-byte CAN frame
2. Frame passes the CAN interface
3. Payload is reassembled by ISO-TP
4. Payload is copied to COM or DCM
5. COM or DCM handles the payload

Where do we attack?!



Attacking AUTOSAR’s PDU router
• Step 1: Send an ISO-TP CAN message (< 4096 bytes)
[Diagram of the ISO-TP message payload: pointers pointing to the start of the payload, followed by the blocks “Copy ‘Our task’ to ‘free memory’”, “Modify pointer of IDLE task to ‘free memory’”, “Continue with current task” and “Our task”]
• Step 2: We inject the glitch when the pointers are being copied
• Step 3: Successful glitches load a pointer into the PC register
• Step 4: MCU will execute the ISO-TP message (blue blocks)
• Step 5: Wait for IDLE task to be scheduled and execute our task

Why does this work?


Attacking AUTOSAR’s PDU Router
[Figure: Disassembled memcpy()]
We take control of the Program Counter (PC) during the copy!

We have our own task. Now what?!


Post Exploitation
• Extract information (secrets)
• Analyze firmware dynamically
• Perform additional attacks (e.g. side channel attack)
