Assistente AI
Trascrizione
00:09:510Alessandro Brighente: Okay, Hi, everyone. So
00:14:440Alessandro Brighente: last thing we discussed is the the attacking model that we have on the on the canvas. Right? So today, we are going to dive a bit into the the possible attacks that we have on the canvas.
00:27:80Alessandro Brighente: Okay? And so we already discussed the attacker model. So what the attacker might want to do is to inject messages right or to stop suspend somehow the transmission of ongoing sections
00:42:316Alessandro Brighente: and we have 2 kind of phone
00:46:640Alessandro Brighente: severity
00:48:170Alessandro Brighente: of the attacks. Right? So we say that we have a weekly compromise issue or strongly compromised issues right? And the difference between these 2 situations is how much control we can have. Over what the Dcu is actually doing. Right? So we have different kinds of attacks in here.
01:09:390Alessandro Brighente: The 1st one is a publication attack. And so, what does the attacker require in order to launch publication of that? Well, it needs a compromise issue as a strong attacker, because it needs to publicize and inject inject messages on the canvas right to do that. It needs to forge the Ids of the packets, the Dscs.
01:33:750Alessandro Brighente: And the content of the message itself. Right? The data part of the of the packet, just as a reminder. The Id is the identifier of the packet, but in terms of its priority the Dlc. Is instead the the the length of the data frames as a numerical value that tells you how many bytes of data you can expect in the data field of the cam frame.
02:00:240Alessandro Brighente: So what is the objective of the attacker in here when we're talking about publication attacks? Well, what the attacker does is overriding any periodic messages that it observes on the on the bus itself. Right override means that it's sending messages on behalf of another issue and possibly a safety critical issues, such that these publicated message actually calls
02:25:830Alessandro Brighente: some damage. Okay? So what does it mean? If there's another issue that relies on these kind of messages receiving altered messages or a high volume of messages might render the receiving issues. Not active anymore, not
02:44:200Alessandro Brighente: operating anymore. Okay? So here you have a depiction and how the attack would work. Right? So you have a legitimate issues. Bnc, right? And they come with their identifier. Right? So, for instance, if you 0 s. 2 0
03:03:701Alessandro Brighente: the attacker compromises, if you a right, and start sending messages on behalf of another issue right with the with the same identifier. So here you have. What happens? Without the attack this would be the legitimate traffic. And you see that the the messages that issue B sends
03:23:150Alessandro Brighente: are periodic. Not that many? Right? It's not so intense as traffic instead of with the attack we have. The Ecua sends messages and loop like those coming from Ecub.
03:37:640Alessandro Brighente: but with a higher frequency. Right? So you see that you have many of these B 0 in here in the red square, meaning that the attacker is sending that and increasing the volume of the the message that are spread or sent over the canvas, and therefore this is, you see, is receiving them. Might
04:00:140Alessandro Brighente: my need to deal with a lot of traffic right?
04:04:520Alessandro Brighente: a higher intensity of traffic, and therefore gets inactive or inoperable. Somehow.
04:13:770Alessandro Brighente: a second form of attack is called suspension attack, in which we need the a single weekly compromise. The issue right again. You see, this scenario in here again we have issue A, B and C, this time is issue. B is compromised by the attacker.
04:32:570Alessandro Brighente: What the typer wants to do in this case is to suspend the weekly compromise issues, message transmission
04:39:370Alessandro Brighente: and basically block these messages that come from these issues right? So the fact that it prevents transmitting these kind of messages is bad also for other issues that are connected to the canvas
04:56:260Alessandro Brighente: that rely on the reception of these kind of messages. Right? So if we have a issue a in this case, in the figure that relies on the messages coming from Issueb. The fact that the attacker is preventing these messages to be transmitted on the canvas means that issue a cannot act based on the content of these messages. Right
05:17:137Alessandro Brighente: so here in the in the figure, you have. Again, the distinction between the cases with and without the attack, so without the attack, you see that you have both 2 0 and 0 messages that are sent over the canvas.
05:31:500Alessandro Brighente: and the difference from the top line, and the bottom line is the fact that here at the suspension time, when the the attack kicks in, you see that you don't have any other B 0 messages right? Meaning that the attacker prevents these this kind of message to be transmitted over the canvas.
05:55:500Alessandro Brighente: The 3rd attacker. Is the mastery attack? Right? So in this case, what the attacker needs are 2 compromise issues one strongly compromised and one weakly compromised
06:09:622Alessandro Brighente: and the objective is to manipulate an issue while shielding, meaning, hiding the fact that someone could realize that this issue has been compromised
06:23:280Alessandro Brighente: right? So you see, that 1st thing that the attacker does is to monitor the traffic that is sent over the canvas. Thanks to the weekly compromise issue, right? It connects information and identifiers and periodicity of traffic, this kind of stuff.
06:38:850Alessandro Brighente: And once the attacker obtained these this kind of information what it does is to superimpose its own message to the legitimate one. Right? So you see the difference with the with the 1st attack that we that we saw right? So here, for instance, you have again on top the message sequence without the attack. So you have this determination between 2 0 and 0 with a certain periodic
07:04:570Alessandro Brighente: instead, when the attack kicks in, as you observe in here. You have that the legitimate 0 has been
07:13:950Alessandro Brighente: substituted somehow with the attackers control the 0. So in this sense the attacker is impersonating another issue and sending the content that actually wants to to send.
07:25:700Alessandro Brighente: Alright. This is very important, and something that we are going to explore for the 1st highly impactful attack that we have on the campus. Right? So the things that we've seen up to now are more definition on how you would generate messages as the attacker, or what you would want to do
07:47:262Alessandro Brighente: with these messages. But now we go into the details of what is called the bus of attack. Right? So if you remember, we said that we have, some error handling mechanisms in the controllers of the this use, right? So based on the number of errors that I observe I can be in the interactive error, passive or bus, of state. And the
08:11:270Alessandro Brighente: how much you can interact with the Combus depends on my saying so. What we have in here is the 1st attack that showed that this mechanism can be exploited by an attacker, and then, in particular the fact that
08:27:795Alessandro Brighente: since we have no security mechanism on the canvas, and that we can easily connect to the communication media. Just make messages we can force some of these use, or potentially all these use connected to the canvas
08:43:630Alessandro Brighente: to transition in the bus off state.
08:46:200Alessandro Brighente: Okay, so here you have the the reference. You can check the you can search for the paper. Here's the all the details. But yeah, basically, now we're going to see the details on how these this is possible.
09:02:160Alessandro Brighente: Okay,
09:04:540Alessandro Brighente: so it's somehow a denial of service of that right? So we are forcing one of these used to transition to the bus of State. And as you remember, when an issue is in the bus of state, it means that it can no longer send messages on the canvas. So it's basically detached from the canvas.
09:24:500Alessandro Brighente: One of the traditional ways of achieving the number of services through floating right? If I send a large number of messages to a certain destination right to my potential victim, maybe I'm able to prevent such victim to receive for the messages. Right? This is the example that you have on traditional network security stuff. Right? So you have a web server. You send a lot of messages
09:47:970Alessandro Brighente: that's web server.
09:50:490Alessandro Brighente: And at a certain point the server would not be able to process them anymore. And it's basically another service. You can no longer communicate with that server. What we have in here is very different, right? We are not sending a large number of messages. The objective of the attacker is not to float them
10:08:442Alessandro Brighente: the canvas with random messages or something that is potentially blocking but to to target a specific issue right? We want to minimize the number of messages that we send in order for a specific issue, not to be able to communicate with canvas anymore, and therefore to transition to the bus or state. Okay, so it's very different from
10:31:164Alessandro Brighente: I mean from Florida.
10:33:969Alessandro Brighente: So what is the adversary model? So what does the attacker need in order to
10:42:260Alessandro Brighente: to associate this attack.
10:44:770Alessandro Brighente: we need access to the canvas, of course, right? So we need the either to connect a new issue to the canvas attackers control issue, of course, or to compromise one of the issues that is already part of the vehicle. So this is something that you can do also. Remotely, there's some some work that show it. You can gain control over one of these issues remotely. But we don't go into the details of that. We just assume that we have such
11:12:380Alessandro Brighente: a compromise issues right? So we do not need them to reverse engineer messages. Right? So what does it mean?
11:21:840Alessandro Brighente: Usually, if you check how canvas messages are transmitted over the canvas by different manufacturers.
11:29:290Alessandro Brighente: Their format might somehow change right? Because maybe a vendor has their own format of campaigns. Another vendor as a different format. So on support. Right. So you might need to to reverse engineer part of them in order to understand exactly the content of these messages.
11:47:959Alessandro Brighente: But this is not something that that we need for for the bus software, right? So in the end you see that what we need is just to be able to monitor the traffic on the canvas to gather some basic information, and then being able to send the messages with the with the given Id. In order to
12:08:120Alessandro Brighente: to cause this this attack.
12:12:830Alessandro Brighente: Of course, the attacker needs again to inject them with messages right and inject messages that
12:18:450Alessandro Brighente: the factor is able to craft, and so to send messages through publication or through masqueradesh, right? The thing that we've seen before.
12:29:610Alessandro Brighente: But
12:31:140Alessandro Brighente: yeah, we we need to to carefully craft these packets. So how do we do that? Or what is exactly that we want to do
12:38:760Alessandro Brighente: so? Again, when the number of errors that an issue thinks it performed in increases over a certain threshold. Then we know that we transition to these different States up to the point where we get to the to the bus stop, right? So we want to be the specific and target issue to measure these number of errors and transition to this bus stop state.
13:13:265Alessandro Brighente: so of course, this is something that we do initially for certain.
13:18:420Alessandro Brighente: because again, we want to minimize the number of messages that we send right to to detach a specific issue. But potentially, this is something that the attacker can do one issue one by one, right to to all the issues and potentially detach the the whole network.
13:35:330Alessandro Brighente: So what are the conditions that the attacker needs to put in in order to be able to successfully deliver such a soft attack.
13:45:840Alessandro Brighente: So let's suppose that we have a victim issue that sends its its messages with a certain periodicity.
13:54:600Alessandro Brighente: right? So periodically, every t second whatever the victim sends the message. M.
14:03:150Alessandro Brighente: So what does the attacker need in order to to trigger this bus of attacks. So the 1st thing the 1st condition is being able to use the same id as the victim is here
14:14:30Alessandro Brighente: right if you remember. We have that each issue is a sign up, let's say a set of ids that it can use right and based on id it knows it's priority over the canvas, whether it's allowed or not to send that message over the canvas.
14:30:410Alessandro Brighente: And this is something that happens over the arbitration phase. Right? We need to compare the ideas of messages coming from different issues.
14:38:350Alessandro Brighente: and the message with the lower Id gets to win the invitation and send the the packet
14:44:450Alessandro Brighente: I think we discussed last time, if I remember correctly, is what happens if 2 issues send a message with the same Id.
14:53:180Alessandro Brighente: But there's no winner in there. Right?
14:55:570Alessandro Brighente: Okay, this is exactly what we are going to exploit in here. We want to send a message with the same Id of another issue, such that there is no winner. Both of these use are supposed to just meet their message over the canvas
15:09:810Alessandro Brighente: and
15:13:100Alessandro Brighente: and then we're going to trigger some errors, basically. But yeah, for the time being, we need to use the same Id. Then, in order to be able to use the same Id
15:22:30Alessandro Brighente: and the trigger an error. It means that somehow we are aligned in time with the victim in 0. Right? We get to win the arbitration or lose the arbitration only during the arbitration phase. And if we miss our chance of sending our own Id.
15:38:570Alessandro Brighente: then basically, there's nothing we can do. We need to wait for the successive round. So in order to to trigger errors on the transmissions of a given issue.
15:47:790Alessandro Brighente: we need to start our transmission of our our Spoof id exactly when the victim issue starts its own transmission.
15:58:460Alessandro Brighente: In this sense we are going to through the arbitration phase with the same steps with the same set of bits, and then we get to both, win these arbitration and send together our messages.
16:11:570Alessandro Brighente: Then
16:13:180Alessandro Brighente: good. At this point we have both the chance right, both the attacker and the victim, the chance to transmit the the message. And now the point is that we want to trigger errors at the victim side. So how do we do that?
16:26:710Alessandro Brighente: We know that there is an error. Whenever, for instance, the the bit that this you wants to send on the canvas, and the bit that this you is measuring on the canvas are different. So it means that at a certain point the attacker should be able to to insert a bit that wins these this kind of arbitration, right? Or that. Triggers this kind of error, this you wants to send something and measure something different on the on the canvas.
16:55:280Alessandro Brighente: So the 3rd condition is that the attacker in its timeframe, after the arbitration, needs to have at least a bit that is dominant compared to what the victim timeframe has. Right? So it means, after the arbitration. At a certain point the attacker needs to have a 0 bit while the original message, the one coming from the victim has bit one. If this is the case, the bit 0 would be written on the canvas.
17:24:540Alessandro Brighente: and at that point the victim will notice the difference between what we wanted to transmit and what it senses on on the canvas.
17:33:190Alessandro Brighente: If this is the case right? If all of these 3 conditions occur.
17:39:370Alessandro Brighente: all of them.
17:40:873Alessandro Brighente: Then the attacker can trigger these this error mechanism. Right? Increase the error counter at the victim side, right? And so through different iterations, we get to to increase and increase and increase the error counters at the victim up to the point where it gets to to boss.
17:58:880Alessandro Brighente: Right? So you see that we have some challenges in here, the 1st one using the same Id.
18:05:20Alessandro Brighente: That's a challenge. It's not that that difficult right? We said that we can easily access the canvas. There's no authentication encryption. Nothing that hides the values of the id that we observed from the canvas. So the 1st thing as an attacker is to connect to the canvas and to monitor the traffic right? Collect these Ids collect the periodicity of these Ids, meaning, how often does the victim send its packet?
18:30:370Alessandro Brighente: And then, we have these 2 things in here that seems trivial, but they are definitely not right, transmitting at the same time as M.
18:41:420Alessandro Brighente: Well, how do I know
18:43:130Alessandro Brighente: when to transmit my package right. Maybe I have the periodicity of the packet. But who ensures that this periodicity is going to be respected, that there's no variation in the delay in the processing day, or some noise happening over the channel that triggers some small variation on the transmit time of the victim.
19:03:888Alessandro Brighente: Remember that we need to be very precise. If we don't start our transmission exactly when the victim transmission starts, then we're going to fail. We're not going to be able to deliver the the attack.
19:16:550Alessandro Brighente: and then, having at least a bit that is dominant in the dark message
19:21:580Alessandro Brighente: which bits, do we want to to modify right, which is the the correct bit that we want to modify. How many of them do we want to modify? Right? So we we need to solve these kind of challenges.
19:39:530Alessandro Brighente: It's the track of the timing of sending the message
19:43:400Alessandro Brighente: is,
19:44:520Alessandro Brighente: is most so easily your.
19:47:310Alessandro Brighente: I guess. Great.
19:49:110Alessandro Brighente: How like is this effect?
19:52:200Alessandro Brighente: Now we are going to to see some strategies, thanks to which you, you have this attack. That is work going to work with the 99% confidence intervals.
20:02:160Alessandro Brighente: So there's certain use in order to trigger the big thing to send message when you want or to know, to predict, basically when the big thing is going to meet. And so this is going to be effective. But we get to this. In a few slides.
20:27:432Alessandro Brighente: Can we just
20:33:800Alessandro Brighente: ignore the result of clarification. And
20:42:20Alessandro Brighente: if you do that the the victim issue is not going to do anything right. It's not sensing some, some errors, because the the translating issue with sense an error when it knows that you want the aggregation
20:55:640Alessandro Brighente: right? And it does. If this does not occur.
20:59:20Alessandro Brighente: the this uses to just going to to receive whatever gets to be transmitted, but doesn't create. It's ever counted. So since our goal is to detach a big thing is you from the canvas, right? Because basically, we cannot compromise all of them.
21:14:130Alessandro Brighente: And then we need to take this into account. So I need to transmit something that the victim is, you thinks it transmitted, and therefore trigger every single process
21:35:160Alessandro Brighente: unlimited. So
21:38:900Alessandro Brighente: we don't send that.
21:47:800Alessandro Brighente: So you mean, I just send something over the document. I don't send anything right now.
21:55:160Alessandro Brighente: I know extended
21:57:118Alessandro Brighente: is one of the resolution processes.
22:05:910Alessandro Brighente: So let let's make an example. So the big thing. Is you always translating something right? Who is the application?
22:13:00Alessandro Brighente: And then you want the the attacker
22:17:490Alessandro Brighente: to overwrite some of the bits that gets to be transmitted over the data. Yes.
22:23:130Alessandro Brighente: right?
22:26:460Alessandro Brighente: Just trying to see. Why do we submitted to send?
22:34:710Alessandro Brighente: Thank you guys.
22:35:990Alessandro Brighente: And
22:37:210Alessandro Brighente: I'm not sure you can just meet the at every point in time.
22:52:160Alessandro Brighente: If that would be the case, it means that
22:56:550Alessandro Brighente: in normal conditions, where you don't have a task.
22:59:770Alessandro Brighente: every seals that attempts something, you may be able to block the the board communication.
23:06:740Alessandro Brighente: which should not be the case. It should not be allowed.
23:10:400Alessandro Brighente: And so I think it's something related to safety.
23:13:720Alessandro Brighente: I I should check how that works. But
23:16:620Alessandro Brighente: yeah, if that would be the case, even though you don't have any attack, it means that. Okay, there's a transmission going on related to whatever topic I don't know. And then I and it's you I want to transmit my my message, I start with a 0, and then it's going to write anything in the description of the campus.
23:36:10Alessandro Brighente: and that much we can ever only see you with additional meeting.
23:41:430Alessandro Brighente: So that's not something we need
23:44:470Alessandro Brighente: that can happen.
23:45:890Alessandro Brighente: at least not with the with the standard hardware that you haven't received.
23:51:500Alessandro Brighente: The alternative would be okay. I don't care about
23:55:400Alessandro Brighente: anything. I just have a device that is applying a voltage value on the combustion whenever it's needed, right or just continuously send 0.
24:06:130Alessandro Brighente: And then maybe that's going to work.
24:08:690Alessandro Brighente: But yeah, we need to be able to see from the architecture that you have on the on the side of this user.
24:20:370Alessandro Brighente: because again, otherwise it
24:22:680Alessandro Brighente: it wouldn't work for even in normal conditions, right?
24:44:80Alessandro Brighente: One having a contact center with this
24:53:230Alessandro Brighente: that would work good
25:18:125Alessandro Brighente: need to check these this mechanism, but
25:21:590Alessandro Brighente: you shouldn't be able to do that with some department. That's the
25:27:650Alessandro Brighente: doing great
25:32:150Alessandro Brighente: pretty good. 90 days.
25:48:530Alessandro Brighente: Yeah, at that point. I can just monitor the traffic and see when that specifically happening, I know how long the know
26:04:620Alessandro Brighente: can synchronize with that. Instead of just
26:09:160Alessandro Brighente: one thing on top of that.
26:13:230Alessandro Brighente: That's why I was saying. I don't think you can give a box if they come back
26:18:590Alessandro Brighente: again. Normal conditions without the bus
26:21:330Alessandro Brighente: when someone is available to implement
26:23:960Alessandro Brighente: prevented to do that.
26:37:300Alessandro Brighente: And then
26:39:430Alessandro Brighente: we reach out so that everyone is not audition. And they don't do anything.
26:57:910Alessandro Brighente: Okay, let let's say that for the time being we assume that we are only able to compromise issues that have the same architecture of standard. This use right? And therefore we need to comply with this.
27:08:290Alessandro Brighente: and then whether we can launch the attack without the Id or not, it depends on the hardware that we use. But we're going to get back on this, because now I'm curious. And I want to understand.
27:20:460Alessandro Brighente: how
27:21:500Alessandro Brighente: would you be able to do that?
27:26:130Alessandro Brighente: Okay, later. So.
27:30:930Alessandro Brighente: okay, given that we compromise one of these use, that is, part of the canvas itself. Right? So what we have in here is the sequence of bits that you have by the big team and the adversary. Right? So you see here, we have the 1st one, which is the Sara train. Then we have the application. Ids. Both of them need to be equal.
27:54:770Alessandro Brighente: And here you have the beats that you observe on the canvas.
27:59:500Alessandro Brighente: So up to here you see that the pizza that the big team is sending adversion is sending, and those on the canvas are the same.
28:08:430Alessandro Brighente: So there is no error
28:11:360Alessandro Brighente: at this point, he said. This point
28:14:740Alessandro Brighente: the attacker sets a bit 0 when they the bit should be one on the victim packet.
28:22:690Alessandro Brighente: Of course, the the bit that you're going to observe on the canvas it's 0, and therefore the victim observes an error in there
28:30:770Alessandro Brighente: since is since this one is a transmit error, the transmit error counter of the victim is going to to increase, and we said that every time the Tc increases is going to increase by by a
28:44:550Alessandro Brighente: okay? So we have the 1st error in here. So here we have in the in the 1st phase, right? The 1st phase means that the victim is in the interactive state.
28:56:370Alessandro Brighente: Okay? So both the adversary and the victim starts from the same state. Both of them are in a reductive. It means that whenever they they sense an error, they can send an active error frame, and whenever there's a a transmitter ever they're going to to increase their tc.
29:18:970Alessandro Brighente: so we saw that we have a Tc. For the victim transmitter encounter in the waiting room because the attacker imposes dominant bit.
29:29:320Alessandro Brighente: But what happens is that also the attackers? Tc, increases right? Because it's nevertheless going to observe a a stopping or the error which is triggered under the adversary. Note, right? So the fact that the victim is sensing some error means that it's going to to send some send out some error as well
29:53:679Alessandro Brighente: and have the the attacker. CC. To increase.
29:58:980Alessandro Brighente: So what happens when a transmission fails? Well, one of the automatic
30:05:380Alessandro Brighente: behaviors that we have in count controllers is that nodes automatically retransmit whatever fade message they observe. Right? So I'm trying to transmit something. I sense an error, and I retransmit that same message. And this is great for for the attackers perspective, right from the talkers perspective.
30:25:40Alessandro Brighente: because it means that by sending over and over the same message, it's going to increase over and over the Tc. Of the the of the victim.
30:39:50Alessandro Brighente: and it's DC as well
30:41:520Alessandro Brighente: alright. So you see that we have the the 1st transmission, 1st tc, then our flag Tc. Of the adversary that increases as well.
30:52:210Alessandro Brighente: Then we have 11 Recessive bits before the retransmission, and then we have the retransmission again. The same error, therefore, Tc. Plus 8 on the victim side, error flag, tc. Plus 8 on the adversary side, and so on, so forth. Right? We said that we transition to
31:14:180Alessandro Brighente: today,
31:18:590Alessandro Brighente: to the error, passive state after a certain value of the Tc, this Tc. Is a CC. Threshold is a hundred 27.
31:29:120Alessandro Brighente: So when the victim and the attacker transition, after 16 transmission to the Tc. Equals you a hundred 28. It means that the transition to the positive state.
31:42:720Alessandro Brighente: so what happens now is that the the victim transitions to the azure passive state, and it tries to deliver these positive error flag right? Which contains 6 6 Recessive bits.
31:59:220Alessandro Brighente: We said that when we have Recessive bits we are not able to override whatever is written on the canvas, and therefore, the transmission of the attacker can proceed up to the end of the packet right. So only after the end of the attackers transmission, then the possibility can flow. Go on the canvas.
32:21:390Alessandro Brighente: But this means that despite the fact that the error that the attacker might transition to the error positive thing. Now it has a successful transmission, because basically its transmission is not blocked by the error frame of the victim.
32:38:620Alessandro Brighente: So it means that the Tc. Of the attacker gets decreased by one, and at this point the attacker is back in the other active state. So the attacker has full control over the canvas.
32:52:820Alessandro Brighente: So this is exactly what happens in here? Right? So you have again the entry transmission. 16. Transmission. At this point we have again the same thing, another transmission. But the the error that the victim observed is now a passive flag, because the victim transmission to the to the error, passive state.
33:20:500Alessandro Brighente: So this thing here is not going to override the packet that the adversary is sending, or they can bust, and therefore the packet of the adversary gets to the end of frame. So this marks a successful transmission, and therefore a decrease in the transmitter counter of the attack, which is 127, meaning that the attacker again, is in the error. Active phase
33:44:165Alessandro Brighente: now we have, again the transmissions for the the victim in the error. Passive state
33:50:976Alessandro Brighente: which means that Dtc is going to increase and increase again, right?
33:57:810Alessandro Brighente: So when the victim is
34:01:710Alessandro Brighente: in the error passing, say.
34:04:831Alessandro Brighente: now we have the retransmission again. But the victim this time needs to wait for the for the end of the transmission of the attacker.
34:15:440Alessandro Brighente: and at this time the attacker can reinject the malicious message.
34:26:150Alessandro Brighente: So what we have in here now is something we need to take into account as a docker is that
34:33:190Alessandro Brighente: while what we had before is a periodically transmission, right? Because I'm sending a frame. I observe an error. I send my error frame and block the transmission, and whatever communication is happening on the Combus, and they know that after a certain number of beats there's going to be a retransmission.
34:52:820Alessandro Brighente: This is not going to happen when the victim is in the repulsive state, right? Because it cannot block the communication. So it needs to wait for the end of the the transmission from from the attacker, and therefore it needs to wait longer before attempting its own transmission. Nevertheless, this is something that the attacker can take into account in order to perform synchronization, and again overwrite these these packets.
35:23:423Alessandro Brighente: Then what happens then? We iterate again and again. These this attack have the victims transmitter accounted to increase up to the point where it gets over 200 and 55, and therefore it gets to
35:46:90Alessandro Brighente: So again the other passive mode is exactly what we've we've seen before.
35:52:160Alessandro Brighente: The Tc. Of the victim of the attacker at this point are different, while in the phase one, they were increasing together the same values. Now we have something different. Every time that the adversary is sending its own packet it would be successful, and therefore gets the Tc to be decreased by by one.
36:12:300Alessandro Brighente: So here's the the behavior that you observe. Right? So here you have the Tc of the victim, and the you see that on the 1st phase phase one, both of them increase
36:28:240Alessandro Brighente: at the same pace with the same values.
36:30:460Alessandro Brighente: And that's the point where we transition from phase one to phase 2. We have this difference between the victims, transmitter, encounter, and the adversary transmitter the adversary. One is going to decrease while the victims one is going to increase up to the point where we get to 255, and we have the the victim to go into.
36:52:210Alessandro Brighente: right? So here you have instead the difference what happens with the Tc in phase one and phase 2. So when the victim is in error, active or error passive
37:04:600Alessandro Brighente: states.
37:06:332Alessandro Brighente: So you observe here that you have these kind of behavior right? Whenever it increases by 8, then it also decreases by one. This is because, basically the the the victim is able to transmit its own passive error flag right? So this is marked as
37:26:470Alessandro Brighente: success, and therefore it gets decreased by one. But despite being decreased by one and the successive iteration, the successive transmission. The Tc is increased by 8, so every time it gets increased by by 7 right? So it's not able to
37:41:500Alessandro Brighente: to cope with the fact that these errors are nevertheless occurring in transmission.
37:51:420Alessandro Brighente: Okay, so
37:55:850Alessandro Brighente: which issues do we want to to target in here? Well, of course, we want to target those that are safety critical. And since the idea of the the conference gives us an indication on the priority of the packet. We can directly map this to the
38:14:110Alessandro Brighente: how much safety critical a certain packet is. Right. So the attacker may want to target low value. Ids, in order to disconnect issues such as those that are controlling acceleration and and breaking.
38:32:922Alessandro Brighente: Okay, let's have a 10 min break.
38:52:575Alessandro Brighente: Okay. So
39:00:840Alessandro Brighente: after the the discussion, why can't we just send whatever bit we want on the the canvas without caring about ids and stuff?
39:13:225Alessandro Brighente: So reasonable things. 1st one. When we talk about these attacking the regional board, they say
39:21:70Alessandro Brighente: that they assume they compromise an issue right? So it means that we compromise a specific device with specific behaviors, and that can send only come messages. Right? So we don't have full control over the type of messages we can send. What we mentioned before. What your colleague brought up makes perfectly sense.
39:44:561Alessandro Brighente: When we don't need to comply with the with the canvas protocol. Right? So we have a device that we can control fully control. And we can just send the arbitrary voltage value when we want on the canvas at that point.
40:01:134Alessandro Brighente: Yeah, the assumption for for this attack is the fact that we are compromising an issue. And that we can only deal with what the issue can actually transmit them.
40:13:470Alessandro Brighente: Okay? So indeed, we cannot have full control over what we can change in the in the constraints.
40:22:100Alessandro Brighente: And
40:24:960Alessandro Brighente: one of the problems that we have is, okay, how do we modify the message in order to to cause these these error to happen. Okay, so this should be the same right? So whatever comes we did and previously needing should be the same. But something after that should change
40:44:870Alessandro Brighente: and things we cannot change due to the fact that we are using this user. And we have a can controller. Are acknowledgement and the Crc. Fields right? These are set by the can controller and cannot be altered by the attacker self.
41:01:680Alessandro Brighente: So what we can modify is, either. The Dlc right? The value that I mentioned before that tells us how many bytes we have in the data field
41:17:87Alessandro Brighente: or change the the data field itself right, and change everything there and add the dominant bit whether one is present in the and the victims.
41:30:140Alessandro Brighente: Creighton.
41:32:120Alessandro Brighente: okay, so we need to modify something in those 2 fields
41:36:888Alessandro Brighente: of the of the attackers. Backend.
41:44:320Alessandro Brighente: Good. So
41:46:460Alessandro Brighente: Then
41:48:350Alessandro Brighente: we need the tool to set the the correct id right. We need to to understand. Which team issue we want to target and generate packets accordingly, send them with a certain periodicity.
42:00:964Alessandro Brighente: One of the problems that we might face is the fact that there's a filter applied on the issues. Right? You can imagine this filter as something like this specific issue needs only to process packets with the a given Id range, right? So we can distinguish between the received messages and the accepted messages.
42:23:960Alessandro Brighente: Of course. Since the canvas is a broadcast communication medium, all the issues we receive, all the packets, but only certain issues with only with specific filters will be able to accept the messages. And if we don't accept the message, then, we are not able to to see it's called. We are not able to access its id, and so forth. We are basically not able to read the message
42:50:230Alessandro Brighente: right? So the 1st thing that the the attacker needs to to deal with is the fact that the compromise issue might or might not have a filter applied.
43:01:240Alessandro Brighente: If there's no filter applied, then done, we can basically see all the traffic that flows through the canvas. Right? We can collect all the packets, read them, and perform our computation.
43:11:680Alessandro Brighente: If instead, there's a filter on the issue. Well, that's not so bad
43:17:505Alessandro Brighente: in the sense that this is something that can be controlled. Remotely, right?
43:24:590Alessandro Brighente: So the attacker gets control over one of these issues with the filter. And then what it does is through software commons access this filter and modify it
43:35:980Alessandro Brighente: as her attack as well.
43:38:995Alessandro Brighente: So this is something that can be done remotely. It's something that can be done through serial peripheral interfaces. It depends on the on the issue type, right? And the model and maker of the issue. But basically, there's no access control mechanism that prevents us from from changing these these filters on these use. So whenever we get the access to the issue and compromise it. Then we can change the filter value and get to capture all the packets.
44:07:180Alessandro Brighente: Great. Now we have, a view of all the traffic that's flowing on the canvas.
44:13:830Alessandro Brighente: Now, the point is synchronization, right? So we know about ids. We know about the packet structure, and we can counter how often right these packet with these specific id gets to be transmitted by the the victim issue.
44:33:440Alessandro Brighente: Alright, so this is fundamental. So again. As I mentioned before, we need to transmit our own attack frame when the victim frame gets to be transmitted. If we need so just a single bit. You see that we are not going to have the same arbitration id of the victim issue.
44:52:980Alessandro Brighente: So it means that potentially either the victim issue wins the arbitration, and then we're done, or we're causing some some errors. And the the the victim issue doesn't get to win. The arbitration doesn't get to transmit anything, and we have no increase in the transmitter counter. Right? So we need to be exactly aligned to have the same id to be evaluated at the same time.
45:20:335Alessandro Brighente: So
45:21:290Alessandro Brighente: if all the messages on the canvas, or at least the messages of our victims issue, gets to be transmitted periodically on the canvas, say, everything
45:33:350Alessandro Brighente: seconds. Then we are done. We can just count seconds. Right? We need to be synchronized with that. And we know that if the 1st transmission happened at second 0 and second transmission happen, a second, 5, and then 10, and then 15, we can expect the successive transmission to be at 20 right? And based on this. We know when to send this kind of messages.
45:57:690Alessandro Brighente: unfortunately, this is not exactly what happens in canvas.
46:01:910Alessandro Brighente: as you know, from basic networking stuff. Whenever you have transmissions
46:10:60Alessandro Brighente: the periodicity of the traffic is affected by jitter right? Which is basically these variation in the delay of packets, and it's usually a random, variable right? You cannot have a full control over the jitter. You know that this random variable is going to be there, and it's going to affect the periodicity of your traffic. So if in the case without jitter, the periodicity would be t
46:36:983Alessandro Brighente: now with jitter, the periodicity would be t plus a certain random, variable, a normally distributed random, variable, with a certain mean and bias.
46:46:790Alessandro Brighente: Good. So
46:49:590Alessandro Brighente: what can the attacker do? Right? So this is a problem in terms of synchronization. We cannot know exactly when this transmission is going to happen.
46:59:386Alessandro Brighente: So we have this very important thing that comes from the way the canvas behaves.
47:07:513Alessandro Brighente: Which is that nodes which have either lost arbitration or had new messages buffered while the bus was busy, attempt to transmit the messages. As soon as the bus becomes idle.
47:19:970Alessandro Brighente: Right? So what happens in here? We have an issue that is trying to transmit right. If it cannot transmitter it gets it. Message buffer
47:29:149Alessandro Brighente: to why this you will not be able to transmit. Very likely is the fact that it lost the the arbitration right, and it means that after that it may try to transmit its message, and it may be successful.
47:44:630Alessandro Brighente: If this happens, we can expect these to be something periodical, right? So if our assumption that we had before about the the canvas traffic being periodic was correct, which is.
47:57:330Alessandro Brighente: not only we can rely on the periodicity in terms of time, but we can rely on the periodicity in terms of sequence of ids that observe on the canvas. Right? So it means that
48:09:950Alessandro Brighente: if I take a look at the traffic, I don't even care about timing right. I don't care about the fact that the the the victim's frame comes at times 0 5 10 blah blah. I care about the fact that every time that I observe the id of my victim
48:28:150Alessandro Brighente: before that one I observe another specific id. So now I know that whenever you observe that id. My victims is going to just meet up to that right? So this is what we call the the preceded id.
48:41:720Alessandro Brighente: okay, which is basically the idea of the message that completed this transmission right before the start of end, which is, which is, my message of interest. Right? The one from from the victim.
48:53:470Alessandro Brighente: To give a very simple example, let's say that my victim issue has id 2 right before id 2. I always observe a id
49:06:990Alessandro Brighente: one whatever. Right? So now I am serving the traffic. So the traffic and I see that there's a packet with 81 great. Now I can expect that the packet with 82 is going to be exactly after that right which gives me indication on when I should send my my packet great. This is something that we can use in here.
49:26:560Alessandro Brighente: So we use the concept of procedure. Id in order to to launch our message right? So here you have again a depiction of what happens with these procedure. Ids. Right? So let's say that you always observe m. 1 and 2 and M. 3. It means that M. 3 is going to lose habitation with M. 2, which is going to lose habitation with m. 1. So I will always observe this sequence of messages. And if this is my message of interest.
49:54:280Alessandro Brighente: and I observe from the network traffic and one and then M. 2, I'm going to expect the M. 3, and this is where I can send my my message. Furthermore, I don't need to care about
50:05:400Alessandro Brighente: that much to care about timing, but the fact that this message has a certain size, then you have the interframe sequence, which is a certain number of bits. Then another message, if it's given size, which is indicated by the the message itself from the Dsc. And then we have interframe sequence, and then we know that we need to transmit in there. So we know exactly how many bits we need to count before before actually sending our Spoof message.
50:37:00Alessandro Brighente: This is something that actually happens on the canvas right? If you observe the traffic, you see that this is actually a periodicity that you can observe
50:45:680Alessandro Brighente: for most of these use not all of them. But for most of these use you, you get this, this thing about the preceded id
50:53:212Alessandro Brighente: this happens basically because message Ids never changes right? So if an issue is assigned a certain message, Id, it's going to use that one. It's not going to change. It's it's priority. And then the fact that we have these interframe sequence from one timeframe the other like these these 3 beats after the completion of the message and the transmission of the successive message.
51:21:700Alessandro Brighente: So we said that this is something that happens for most of the issues right some of these issues as a specific procedure. Id. Some of them has certain sequences of ids that you can observe, and then expect the different one to be there. But what if we are dealing with an issue that has no procedure? Id right? So there's no way we can predict. When
51:46:600Alessandro Brighente: the message from the victim issue is going to be transmitted based on this concept of the city. Id.
51:52:580Alessandro Brighente: Well, the good thing, though
51:54:310Alessandro Brighente: from the touchers perspective, is again the fact that the attacker can send arbitrary timeframes on the canvas. Right? So if there's no procedure, Id, why not create one? So why not creating a a packet that is going to be the procedure id of my victims issue.
52:14:240Alessandro Brighente: And this this is exactly what we do with this publication of recedivity.
52:22:370Alessandro Brighente: And we have some parameters that we can control in here. Right? We need to understand when to send this specific Id back.
52:29:660Alessandro Brighente: We need to understand how many packets do we want to send as specifically this
52:34:640Alessandro Brighente: and the content of the fabricated messages? Right? Of course, we can send arbitrary messages with arbitrary ids but they need somehow to to to make sense. And we want our procedure. Id to be successful. Right? We want to be sure that whenever we are sending our fabricated Id, then the victim the victims, you will will attempt this transmission after that
53:00:710Alessandro Brighente: good regarding timing. So as you just said, we want to be sure that whenever we send our message with the publicated preced Id. After that one, the victim is going to transmit its train. So it needs to be the one actually the preceded id right from from the definition of procedure. Id
53:23:30Alessandro Brighente: So at this time we remember what we said, the beginning right? So if we cannot rely on the procedure, id
53:30:809Alessandro Brighente: the other other variable that we can use is the fact that never plus
53:37:680Alessandro Brighente: canvas traffic is going to be periodic.
53:40:190Alessandro Brighente: So every 2 seconds, or something like that, I'm going to serve a certain timeframe
53:46:550Alessandro Brighente: which is affected by jitter. Right fine. But the jitter is the only random variable that we have in here.
53:52:470Alessandro Brighente: Okay, so now.
53:54:70Alessandro Brighente: when do I want to transmit my precipitary packet while I'm going to transmit it
54:00:707Alessandro Brighente: after T. Plus J on the variable for the jitter. Second, right? So how do we compute that?
54:10:250Alessandro Brighente: Why do we do this again? We cannot rely on preced id because we are creating the procedure. Id so the only the only factor that we can observe and somehow try to control is timing, which is still there. Right?
54:24:780Alessandro Brighente: Good. So how do we?
54:29:210Alessandro Brighente: How do we compute these these timings. Right? So what you have in these equations is on the 1st one. You have the time in which the the adversary sends the enter frame
54:41:820Alessandro Brighente: alright. And how how do we? How do you compute that? Well, basically, it's the time transmission from the victim
54:53:75Alessandro Brighente: plus a certain delay, right?
54:56:180Alessandro Brighente: And these expanded gets to be this one. So we have the time of origin of the packet, plus the random variable, which is the jitter plus the delay.
55:08:00Alessandro Brighente: If we go to the second message right? So the the time of which adversary sends the frame. N plus one. Well, again, we have something similar to what we had before depicting transmission, n plus one plus a delay.
55:21:360Alessandro Brighente: which, again, is something very similar to what we had before at the time of origin, plus the periodicity of the message that we say it's there, and we're going to use it, plus another realization of the random variable, which is the jitter plus delay
55:37:730Alessandro Brighente: great. So based on these things. Now we get to we need to understand which values to give to these timing that the person needs to use right? So t
55:48:325Alessandro Brighente: a dB, n plus one
55:53:720Alessandro Brighente: good. So we can compute the the next victim transmit time based on the equations that we had before. Right? So we have the time of the adversary plus the periodicity minus the delay, plus the the jitter at N plus one minus the jitter at end. So you can do all these computations based on these equations that you observe
56:15:260Alessandro Brighente: in here. Right? So it's just substitutions.
56:18:520Alessandro Brighente: And you do this very simple math. And you get this time this thing in here, right? So the time of the adversary is something that you know, the periodicity is something that you can get out of many observation of the package right? So this can be the expected periodicity, or something like that
56:36:662Alessandro Brighente: minus the delay again, something that you can easily compute. It's the processing delay of sending a message and receiving the message after passing it through the the controllers and stuff from this view, and then you're left with these J. Star in here that it's the only random variable that you have right the thing that depends on the variable. That depends on the on the jitter.
56:58:980Alessandro Brighente: So you see that here you have J. Star, which is not J, as we've seen before. But it's the difference between these 2 random variables, right? So 2 realizations of a random variable with the same distribution.
57:14:260Alessandro Brighente: I spare you the the math about this. But basically, this is going to be again negotiable and a variable assuming that the jitter is a gaution and a variable.
57:25:860Alessandro Brighente: And we need to do some reasoning about this, right? So there's a random variable. We know it exists. But maybe it's small. Maybe we can control what happens in here. Some. Somehow.
57:39:00Alessandro Brighente: So based on these, we can define some constraints that the attacker has in order to successfully transmit the appreciate id.
57:50:240Alessandro Brighente: And these constraints are these 3
57:54:630Alessandro Brighente: thing is that you see in here, right? The 1st integration tells you that the time of publication of tax needs to be less than the minimum
58:04:770Alessandro Brighente: of the victim transmission time for n plus one frame. Which means this thing in here right again, if you're talking about the minimum.
58:15:100Alessandro Brighente: These 3 components in here are deterministic. So there's no minimum in there. There's nothing we can do about that. But we have a random variable in here for which we are interested in the minimum value.
58:26:940Alessandro Brighente: Second, inequality. Same thing. Now, the time of publication attack plus
58:33:160Alessandro Brighente: h, we get to what h means should be greater than the maximum of the transmit time of the victim for the n plus one frame. Same reasoning that we had before. We have some deterministic values for which we have no control. But then we have a random variable in here, so our maximum value should be over the random variable.
58:54:870Alessandro Brighente: and then you have the 3rd condition in here.
58:57:810Alessandro Brighente: which is the duration of bus holding for the time. What does it mean?
59:02:313Alessandro Brighente: It means that the attacker should be able to control what happens on the canvas
59:06:660Alessandro Brighente: right before the the victim transmits its message. Right? It's creating a series of preceded Ids or something for which it has a strong control. And he knows that after losing the control of this, the victim is going to transmit its own frame. How can we translate this thing? It means that we need to send K. Times the the message with the with the procedure. Id
59:33:840Alessandro Brighente: right? So it means that if I'm going to create the message with preced id one for the victim with preceded
59:45:10Alessandro Brighente: from scratch.
59:46:440Alessandro Brighente: Let's suppose that I need to send my message. We proceed id one and I know that after that
59:52:720Alessandro Brighente: the big team's message is going to be there. If with the Id, too.
59:57:290Alessandro Brighente: I need to send a certain number of messages with procedure. Id. One.
00:02:320Alessandro Brighente: which depends on the control that I have over the digital variable as we see in a slide. Then, yeah, I know that I keep sending these messages with the id one such that I know that the victim issue is somehow going to synchronize with this and transmit its own frame after the end of my repetitive messages.
00:26:90Alessandro Brighente: Okay, so
00:28:130Alessandro Brighente: The number of messages that I send should be higher than this difference in here. The difference between the maximum value of the random, variable J. Star and the minimum value of the random variable J. Star. Okay, the jitter slot.
00:43:460Alessandro Brighente: Good. So how do we use this thing in here?
00:47:421Alessandro Brighente: So we know, as I mentioned before, the jitter itself is a Gaussian random, variable. Why is it a Gaussian boundary? Variable? Well, because we use the central limit theorem. And it means that we observe many times unknown, variable. Its distribution is going to
01:05:940Alessandro Brighente: to be normally distributed.
01:09:80Alessandro Brighente: I'm not going into that. But basically, we have. You see here, right? We have a Gaussian number variable. And it's bounded somehow, this J. Star that we get as the difference between a 2 realization of the jitter and the variable is bounded. So it means that the absolute value of its maximum and minimum value can be approximated by this this value that you're serving here.
01:34:810Alessandro Brighente: Alright. So these I in here is an attack parameter. As the attacker. We need to decide that we we want to give it an integer value. Right? 1, 2, 3 blah blah.
01:45:940Alessandro Brighente: And this thing in here is the standard deviation of the jitter. Right? And again, this is something that we can measure. How do we measure that? We we measure the periodicity of a message of a given id right? We observe the 1st value, second, value, 3rd value on how often this message happens, and we can perform some statistics over there, and we can compute the standard deviation of the periodicity of this message.
02:12:760Alessandro Brighente: Good. So we have these things in here.
02:17:481Alessandro Brighente: Again, from the due to the fact that Dj. Star is a Gaussian random, variable, and is bounded you can check how the confidence intervals of Gaussian random, variable works. But basically this tells you
02:31:950Alessandro Brighente: that if we set a certain value for the for I we get different confidence interval in in the values that we approximating here. Right? So you can check if you set the I equal to 3, you have 99.3% confidence interval, for I equal to 4. Instead, you have 99.9, 9. Confidence interval. And this.
02:55:360Alessandro Brighente: how can we translate this? It means that if we give this random, variable, a certain value.
03:03:140Alessandro Brighente: which is this thing here? Right. I times square root of 2 times its standard deviation. We're going to guess its value with this confidence interval in here. So we are kind of sure about the value of this this little thing
03:21:400Alessandro Brighente: great. So we can substitute this thing in the equation that we had before.
03:25:960Alessandro Brighente: And basically, it means that the adversary needs to start injecting
03:30:850Alessandro Brighente: the valid, the the package with the publicated Id. The procedure ids at these times in here. Right? So now we don't have a random, variable anymore. We substituted it with something for which we have control in terms of confidence interval.
03:49:480Alessandro Brighente: Now the problem is, how many messages do we want to use for? How much time do we want to keep the bus occupied before the big thing gets to transmit its timeframe?
04:00:670Alessandro Brighente: Well, we need to satisfy the 3rd constraint. I we said that the number of messages times its duration should be higher than this difference in here. But now we know how to approximate this difference in here.
04:16:750Alessandro Brighente: Right? So let's suppose that we have this thing here. Right? We we said that in the data frame we have 8 Byte the maximum that we can afford in order to keep the bus occupied for as much time as possible, which means that I need to send less packets. I can use the the bit stopping rules right? So send the a certain a certain sequence of bits
04:41:60Alessandro Brighente: right consecutive bits with similarity. I know that after 5 bits, with the same polarity I should add another bit with inverse polarity, and this makes my pocket longer, somehow, than the number of bits that I need to send longer, and therefore occupy the bus for a longer time.
05:02:270Alessandro Brighente: So this is the the thing that you're saying here, how much time does it take to transmit the the longest possible packet
05:11:405Alessandro Brighente: and you have in here?
05:14:340Alessandro Brighente: 8 it's the number of pizza per bite
05:19:950Alessandro Brighente: times l, which is the number of bytes that you have in the data field, plus all the bits that you have outside the the data field. And then the number of stopping bits that you're going to to add to your package right? Assuming that that you can do that. In the in the data field. And you do that every time you can.
05:41:811Alessandro Brighente: Divided by the rate of the of the bus. Right? So if you do the the mountain here, you get 124 divided by S. Bus. This is how much time you get to to occupy the bus with the package structure this way.
05:56:960Alessandro Brighente: So this means that
05:59:470Alessandro Brighente: if let's suppose that we have a standard deviation which is equal to 0 0 25 ms, and the rate on the bus that is a hundred kilobit per second
06:12:79Alessandro Brighente: this is the number of messages that you need to send right. You can substitute the equations and and find this thing in here, which means that in order to get the
06:22:230Alessandro Brighente: 99, 73% confidence interval. You only need to send one message right? If you send one message, you're sure 99.7 3% of the fact that you're going to create a procedure. Id, and the big thing is going to transmit exactly after that.
06:40:00Alessandro Brighente: If you want to be even sure you can set E equal to 4 I equal to 4. Right? This gives you 99 dot 99% confidence interval. But this means that you need to send the 2 messages structured this way. Right? So now, you are
06:56:130Alessandro Brighente: basically sure that if you send 2 messages with a certain procedure, Id. Then the victim is going to transmit exactly after that, and you know that that at that time you need to send your fabricated message for the boss of steak.
07:16:100Alessandro Brighente: What about the content of the preceding id message? Right? So
07:25:170Alessandro Brighente: we need to decide the id to put and to use as
07:31:650Alessandro Brighente: id right? So we can decide from a pool of Ids. So, for instance, we observe the traffic from the canvas. We see all the Ids that we have in there. We can create a list of them.
07:42:550Alessandro Brighente: and then, choose the Id with the lowest priority. That is not part of the place right? So in this way we know that we are going to send a message that doesn't belong to any you. None of this. You in your canvas is going to send a message with that Id. So you know that this is free, and no one is going to compete with you.
08:05:30Alessandro Brighente: And not only you can do that, but if you want to to avoid being recognized or be identified as the attacker, you can change this Id for each of the transmissions.
08:17:819Alessandro Brighente: What if you said the one preceding Id is not sufficient. But you need to. You need to send 2 messages right? So the 1st thing you can choose the one from the pool as before.
08:28:479Alessandro Brighente: but the second one needs to have a value which has higher priority than your victims issue right? So you need to decide the order in which you want to use these Ids from the pool, such that you can control the fact that the preceded Id from the victim issue gets to win the arbitration, and then you have, your victims. Issue frame.
08:56:319Alessandro Brighente: Why don't we need a higher prioritized Id, when we only send one message like, shouldn't we also choose the name? Id. It's going to be an Id. And then yes.
09:12:609Alessandro Brighente: yes, yes, you. You choose from the pool, the one that has higher priority than your target. One
09:21:720Alessandro Brighente: good. How do we prevent? the boss of attack? Right? So
09:26:810Alessandro Brighente: we cannot enforce access control. We cannot use cryptographic means. Why can't we use cryptographic means? Well, issues due to the way in which they are built? Right their components.
09:41:620Alessandro Brighente: They are not very good in handling cryptographic primitives, and that would be not very, very strong. You need hardware security models. You need some components that are definitely not there. There have been proposal about modifying the architecture of PC use.
09:57:600Alessandro Brighente: You can check there's the the Alpha star project that deals with with the architecture of this use.
10:03:800Alessandro Brighente: But what is the problem with that is that we have a lot of cars that are around right, which we cannot think about replacing all these use, and then manufacturers are not
10:17:470Alessandro Brighente: that happy about changing the way in which they they deploy the receive and changing these
10:24:122Alessandro Brighente: the the way in which they communicate just for the sake of security. So we need to find the other alternatives.
10:32:370Alessandro Brighente: So in terms of bus off, how do we recognize bus software and see that something wrong is happening?
10:37:560Alessandro Brighente: Well, we have specific behaviors that the bassoft itself is using and triggering
10:45:130Alessandro Brighente: alright. So the 1st one in phase one, we have that at least 2 consecutive errors occur during transmission of frames.
10:55:390Alessandro Brighente: And
10:57:30Alessandro Brighente: this is what we're looking for, right? So if you observe that the the error occurs over and over during the transmission of consecutive frames, then there's something wrong, right? Why should the an issue keep having errors on its transmission? One is fine, 2 is fine, but after that there's something wrong.
11:20:350Alessandro Brighente: wrong, not something wrong happening, right? So we have many activator flags caused by the same issue.
11:27:420Alessandro Brighente: And then the second feature of the box office is in phase 2
11:32:780Alessandro Brighente: we have that at the time when you ever pass it, big things. Tc. Increases a message with the same Id will be successfully transmitted by some Ecu on the bus. Right? So it means that
11:43:430Alessandro Brighente: I have an issue that is transmitting a message with a certain id it gets an error.
11:49:180Alessandro Brighente: but we observe that another
11:52:943Alessandro Brighente: packet with the same Id has been successfully transmitted on the canvas. Right? How can it be possible? Right? There's something wrong in here. It's like saying that something is happening and not happening at the same time.
12:06:852Alessandro Brighente: So this is the other thing that we we can observe right, which makes the canvas somehow the the bus stop attack somehow easily identifiable by looking at how the canvas behave and how the the error messages sent over the canvas behave.
12:24:500Alessandro Brighente: So it means that we can at least create a normal detectors. Right? I can write my algorithm to detect these kind of anomalies right? If something wrong happens in phase one.
12:36:70Alessandro Brighente: then I can raise a flag.
12:38:280Alessandro Brighente: If something wrong happens in phase 2 as well.
12:41:390Alessandro Brighente: my flag needs to somehow be bigger, and I know that if something wrong is happening, so what one of the things you can do now identifying anomalies is, of course, not a way of solving them.
12:54:998Alessandro Brighente: So what you could do, and then, at that point where you identify them is to just reset the the canvas. Right? Of course, this. This needs some some manual effort, but at this you can prevent, some safety critical situation. When you, when you detect the
13:11:740Alessandro Brighente: the occurrence of the bus of attack before issues actually going to to the bus of state.
13:20:760Alessandro Brighente: Of course there have been modifications to the boss of attack. Right? So alternatives that deal with the fact that the boss of attack is easily identifiable, right? Easily detectable, based on these 2 features that I just mentioned. And so we have these other attack strategy, which is weeping calm.
13:39:960Alessandro Brighente: which is a variation of the original bus of attack. Again, the idea is the same. We want to trigger this behavior in issues and let them transition to the bus of State. But we want to be steadier somehow. We don't want to be easily identifiable by the anomaly detection system.
13:57:210Alessandro Brighente: and on Friday we are going to see how this works.
14:03:900Alessandro Brighente: Any questions.
14:08:210Alessandro Brighente: Great. Thank you.
14:10:900Alessandro Brighente: Bye.
14:18:510Alessandro Brighente: Okay.