AVGuardian: Detecting and Mitigating Publish-Subscribe Overprivilege for Autonomous Vehicle Systems

Autonomous vehicle (AV) software systems are emerging to enable rapidly developed self-driving functionalities. Since such systems are responsible for safety-critical decisions, it is necessary to secure them in the face of cyber attacks. Through an empirical study of the representative AV software systems Baidu Apollo and Autoware, we discover a common overprivilege problem with the publish-subscribe communication model widely adopted by AV systems: due to the coarse-grained message design for publish-subscribe communication, some message fields are over-granted with publish/subscribe permissions. To comply with the least-privilege principle and reduce the attack surface resulting from this problem, we argue that publish/subscribe permissions should be defined and enforced at the granularity of message fields instead of messages. To systematically address such publish-subscribe overprivilege problems, we present AVGuardian, a system that includes (1) a static analysis tool that detects overprivilege instances in AV software and generates the corresponding access control policies at the message field granularity, and (2) a low-overhead, module-transparent, runtime publish/subscribe permission policy enforcement mechanism to perform online policy violation detection and prevention. Using our detection tool, we are able to automatically detect 581 overprivilege instances in total in Baidu Apollo. To demonstrate the severity, we further constructed several concrete exploits that can lead to vehicle collision and identity theft for AV owners, which have been reported to Baidu Apollo and confirmed as valid. For defense, we prototype and evaluate the policy enforcement mechanism, and find that it has very low overhead, does not affect the original AV decision logic, and is also resilient to message replay attacks.
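The abstract's argument that permissions belong at message-field rather than message granularity can be illustrated with a small sketch, added here and not taken from the paper or from AVGuardian's code. The module, topic and field names, the `USED` table standing in for static-analysis output, and the reject-on-publish / filter-on-subscribe behaviour are all assumptions made for the example.

```python
# Added illustration: field-level publish/subscribe permissions.
# Every module, topic and field name below is constructed for this example.

# Fields carried by the (coarse-grained) message on each topic.
TOPIC_FIELDS = {"/demo/localization": {"timestamp", "position", "heading", "velocity"}}

# Constructed stand-in for static-analysis output: the fields each module
# actually writes ("pub") or reads ("sub") on a topic.
USED = {
    ("localization", "pub", "/demo/localization"):
        {"timestamp", "position", "heading", "velocity"},
    ("planning", "sub", "/demo/localization"): {"position", "heading", "velocity"},
    ("monitor", "sub", "/demo/localization"): {"timestamp"},
    ("relay", "pub", "/demo/localization"): {"timestamp"},
}

def overprivilege(used=USED, topic_fields=TOPIC_FIELDS):
    """A message-level grant exposes every field; report the unused ones."""
    report = {}
    for key, fields in used.items():
        unused = topic_fields[key[2]] - fields
        if unused:
            report[key] = unused
    return report

def field_policy(used=USED):
    """Least-privilege policy: grant exactly the fields each module uses."""
    return {key: frozenset(fields) for key, fields in used.items()}

class PolicyViolation(Exception):
    """Raised when a publish sets a field outside the publisher's grant."""

def check_publish(policy, module, topic, message):
    """Reject a publish that sets any field the module was not granted."""
    allowed = policy.get((module, "pub", topic), frozenset())
    extra = set(message) - allowed
    if extra:
        raise PolicyViolation(f"{module} may not publish {sorted(extra)} on {topic}")
    return message

def filter_subscribe(policy, module, topic, message):
    """Deliver only the fields the subscriber is permitted to read."""
    allowed = policy.get((module, "sub", topic), frozenset())
    return {name: value for name, value in message.items() if name in allowed}
```

Modules absent from the policy get an empty grant, so the default is deny for both directions.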
