CSCS '23: Proceedings of the 7th ACM Computer Science in Cars Symposium

The automotive industry is drastically moving towards autonomous. This trend constitutes in a fundamental change of going from mechanical and electrical engineering towards software-driven approaches. Modern vehicles can embed more than hundred electronic control units (ECUs). As autonomous vehicles require more intelligence as well as more computing power, high-performance computers (HPCs) bring the data management capabilities for cloud and IoT services to support the transition to a service-oriented vehicle system architecture. With this growing reliance on software in vehicles, software reliability and trustworthiness are increasingly critical to vehicle security. Measuring security trustworthiness in automotive software is even more valuable as cybersecurity is shifting to the left, i.e. in the early phase of development and design process.

In this article, we propose a novel method for evaluating security trustworthiness of automotive software by leveraging a computational trust model. The method consists of selecting different domains contributing to software security, calculating their respective expectation value (trustworthiness score) and combining it using operators from the computational trust model. We evaluate the method using an automotive use case, i.e. over-the-air (OTA) update software. We describe a possible integration of the proposed method into a solution which would be valuable for cybersecurity stakeholders, e.g. cybersecurity managers, cybersecurity architects and software quality managers, aiming to monitor security health of automotive software throughout its development life cycle.

The advent of autonomous vehicles continuously fosters innovative concepts in the context of smart cities. One such concept is the City Bot infrastructure, where an autonomous and modular vehicle fleet can be configured depending on the tasks, required by the smart city. The dynamic task adaptation is enabled by splitting the vehicle into a tractor module, which performs the autonomous driving functionality, and a trailer module, which contains the task-specific equipment. A backend can assign tasks to the vehicles, which then autonomously fulfill their given tasks. The modular design and autonomous task handling, however, give rise to new security threats. This paper performs a security analysis of an autonomous and modular vehicle fleet, which autonomously handles tasks assigned by a backend. We then discuss how the identified risks can be addressed by (1) using state-of-the-art automotive security mechanisms, (2) designing tailored concepts or (3) highlighting potential for future research directions.

Vulnerable or malicious third-party components introduce vulnerabilities into the software supply chain. Software Composition Analysis (SCA) is a method to identify direct and transitive dependencies in software projects and assess their security risks and vulnerabilities.

In this paper, we investigate two open source SCA tools, Eclipse Steady (ES) and OWASP Dependency Check (ODC), with respect to vulnerability detection in Java projects. Both tools use different vulnerability detection methods. ES implements a code-centric and ODC a metadata-based approach. Our study reveals that both tools suffer from false positives. Furthermore, we discover that the success of the vulnerability detection depends on the underlying vulnerability database. Especially ES suffered from false negatives because of the insufficient vulnerability information in the database.

While code-centric and metadata-based approaches offer significant potential, they also come with their respective downsides. We propose a hybrid approach assuming that combining both detection methods will lead to less false negatives and false positives.

Cybersecurity is key for the new and future vehicles that heavily rely on IT systems and depend on data exchange. These vehicles will bring countless new features and are potentially capable of autonomous driving. This paper studies and details a framework that uses the CVSS for evaluating cybersecurity in the automotive world. We present a theoretical model to create a 5-grade rating system based on the CVSS for the sECU of the vehicle. It will enable evaluating the cybersecurity quality of vehicles, so to establish a trustworthy and reliable environment. The model is based on TARA, VARA, and SDL that is already used in the development of car components. Using such a system, will instigate the automotive industry to more heavily address cybersecurity.

The United Nations Economic Commission for Europe (UNECE) demands the management of cyber security risks in vehicle design and that the effectiveness of these measures is verified by testing. Generally, with rising complexity and openness of systems via software-defined vehicles, verification through testing becomes a very important for security assurance. This mandates the introduction of industrial-grade cybersecurity testing in automotive development processes. Currently, the automotive cybersecurity testing procedures are not specified or automated enough to be able to deliver tests in the amount and thoroughness needed to keep up with that regulation, let alone doing so in a cost-efficient manner. This paper presents a methodology to automatically generate technology-agnostic test scenarios from the results of threat analysis and risk assessment (TARA) process. Our approach is to transfer the resulting threat models into attack trees and label their edges using actions from a domain-specific language (DSL) for attack descriptions. This results in a labelled transitions system (LTS), in which every labelled path intrinsically forms a test scenario. In addition, we include the concept of Cybersecurity Assurance Levels (CALs) and Targeted Attack Feasibility (TAF) into testing by assigning them as costs to the attack path. This abstract test scenario can be compiled into a concrete test case by augmenting it with implementation details. Therefore, the efficacy of the measures taken because of the TARA can be verified and documented. As TARA is a de-facto mandatory step in the UNECE regulation and the relevant ISO standard, automatic test generation (also mandatory) out of it could mean a significant improvement in efficiency, as two steps could be done at once.

The VALERIE tool pipeline is a synthetic data generator [14] developed with the goal to contribute to the understanding of domain-specific factors that influence perception performance of DNNs (deep neural networks). This work was carried out under the German research project KI Absicherung in order to develop a methodology for the validation of DNNs in the context of pedestrian detection in urban environments for automated driving.

The VALERIE22 dataset was generated with the VALERIE procedural tools pipeline providing a photorealistic sensor simulation rendered from automatically synthesized scenes. The dataset provides a uniquely rich set of metadata, allowing extraction of specific scene and semantic features (like pixel-accurate occlusion rates, positions in the scene and distance + angle to the camera). This enables a multitude of possible tests on the data and we hope to stimulate research on understanding performance of DNNs.

Based on cross-domain semantic segmentation experiments, i.e. training on synthetic data and evaluation on target real world data, a comparison with several other publicly available datasets is provided, demonstrating that VALERIE22 is one of best performing synthetic datasets currently available in the open domain. 1

As of today, car manufacturers are currently addressing privacy goals primarily from a legal perspective. However, with the common acceptance of privacy by design, it is important to also address the technical perspective. As of today there is no systematic understanding or even approach how to address privacy requirements. Our contribution is twofold: (i) We propose a system model for the automotive domain to model and analyse a use case for suitable locations of adding privacy enhancing technologies. (ii) As a generic solution, we propose the privacy manager, a generic entity which supports applications in the implementation of privacy enhancing technologies or enforces a certain data flow avoiding that information is leaked in an avoidable way. To evaluate our approach, we apply our system model at two automotive scenarios, platooning and silent testing, and describe how the privacy manager can be used to integrate privacy considerations early on. In general our proposed system model was easily applicable to the two chosen use cases.

The rapid evolution of Intelligent Transport Systems (ITS) has heightened the cyber vulnerability of modern vehicles, transforming them from isolated mechanical entities to complex interconnected systems. This paper bridges the existing gaps in the formalization of cyber attacks on ITS, extending common frameworks, like MITRE ATT&CK, to encompass the unique challenges of the automotive and rail sectors. We introduce a multi-modal approach grounded in real-world events, exploring the implications of new technologies in ITS and the convergence of IT and OT security in transportation. Our VATT&EK framework, leveraging the Tactics, Techniques, and Procedures (TTP) approach, offers a structured categorization of adversarial tactics and techniques, aiding in systematic threat pinpointing and prioritization. This not only guides the formulation of vehicle specifications but also informs penetration testing procedures and real-time threat detection capabilities. By providing a common language and taxonomy for discussing vehicle-related cyber threats, our work fosters collaboration among researchers, manufacturers, and security professionals, ensuring strengthened security postures in tandem with vehicular technological advancements.

Enabling secure communication to and from endpoint-ECUs in automotive E/E architectures is crucial, as e.g. shown by recent attacks such as CAN injection. Cost-efficient and resource-saving in-vehicle solutions are currently missing. Emerging network technologies for upcoming zone-based architectures require bandwidths of 10 Mbit/s for nodes at the edge of the internal vehicle network.

The new security protocol CANsec, achieving Authenticated Encryption with Associated Data (AEAD) for CAN XL frames, aims to satisfy the new requirements. The industry encryption standard for AEAD is AES-GCM, the Advanced Encryption Standard used in the Galois Counter Mode. However, AES-GCM exhibits severe drawbacks when it comes to so-called nonce misuses. In this paper, we study an alternative cipher suite for automotive in-vehicle networks with a focus on two properties.

First, to allow applications in resource-constrained endpoint-ECUs in automotive networks to additionally execute CANsec, we propose an alternative solution to AES: the lightweight algorithm Ascon.

Second, the nonce misuse behaviour of Ascon in the particular application of CANsec should improve on the AES-GCM case. Here, we compare already known attacks and their implications for the different choices of cipher suites. In particular, we look at GCM decryption and forgery attacks, as well as at decryption and forgery attacks on generic sponge constructions. Besides these attacks, we also analyse the behaviour of AES-GCM-SIV and Ascon with respect to nonce misuses.

We conclude the study by suggesting Ascon as an additional, optional cipher suite for CANsec.