A Process to Facilitate Automated Automotive Cybersecurity Testing

Modern vehicles become increasingly digitalized with advanced information technology-based solutions like advanced driving assistance systems and vehicle-to-x communications. These systems are complex and interconnected. Rising complexity and increasing outside exposure has created a steadily rising demand for more cyber-secure systems. Thus, also standardization bodies and regulators issued standards and regulations to prescribe more secure development processes. This security, however, also has to be validated and verified. In order to keep pace with the need for more thorough, quicker and comparable testing, today’s generally manual testing processes have to be structured and optimized. Based on existing and emerging standards for cybersecurity engineering, this paper therefore outlines a structured testing process for verifying and validating automotive cybersecurity, for which there is no standardized method so far. Despite presenting a commonly structured framework, the process is flexible in order to allow implementers to utilize their own, accustomed toolsets.

[1]  Richard R. Linde,et al.  Operating system penetration , 1975, AFIPS '75.

[2]  Simeon C. Ntafos,et al.  A report on random testing , 1981, ICSE '81.

[3]  Frederic L. Kirgis UNITED NATIONS ECONOMIC AND SOCIAL COUNCIL , 1983 .

[4]  Claudia Eckert On security models , 1996, SEC.

[5]  B.J. Wood,et al.  Red Teaming of advanced information assurance concepts , 1999, Proceedings DARPA Information Survivability Conference and Exposition. DISCEX'00.

[6]  Raymond A. Paul,et al.  Scenario-based functional regression testing , 2001, 25th Annual International Computer Software and Applications Conference. COMPSAC 2001.

[7]  Ludovic Mé,et al.  ADeLe: An Attack Description Language for Knowledge-Based Intrusion Detection , 2001, SEC.

[8]  Sjouke Mauw,et al.  Foundations of Attack Trees , 2005, ICISC.

[9]  P.M. Kamde,et al.  Value of Test Cases in Software Testing , 2006, 2006 IEEE International Conference on Management of Innovation and Technology.

[10]  Kamil Sarac,et al.  A SIP Security Testing Framework , 2009, 2009 6th IEEE Consumer Communications and Networking Conference.

[11]  Yu Lei,et al.  Practical Combinatorial Testing , 2010 .

[12]  Teodor Sommestad,et al.  A quantitative evaluation of vulnerability scanning , 2011, Inf. Manag. Comput. Secur..

[13]  Matti Valovirta,et al.  Experimental Security Analysis of a Modern Automobile , 2011 .

[14]  Richard McNally,et al.  Fuzzing: The State of the Art , 2012 .

[15]  Lubos Brim,et al.  DiVinE 3.0 - An Explicit-State Model Checker for Multithreaded C & C++ Programs , 2013, CAV.

[16]  Alastair R. Ruddle,et al.  Threat Analysis and Risk Assessment in Automotive Cyber Security , 2013 .

[17]  Eric Armengaud,et al.  SAHARA: A security-aware hazard and risk analysis method , 2015, 2015 Design, Automation & Test in Europe Conference & Exhibition (DATE).

[18]  Jaein Kim,et al.  Fuzzing CAN Packets into Automobiles , 2015, 2015 IEEE 29th International Conference on Advanced Information Networking and Applications.

[19]  Robert D. McLeod,et al.  Bluetooth in Intelligent Transportation Systems: A Survey , 2015, Int. J. Intell. Transp. Syst. Res..

[20]  M. Nahas,et al.  Applying the Scheduler Test Case Technique to Verify Scheduler Implementations in Multi-Processor Time-Triggered Embedded Systems , 2016 .

[21]  Stephen Oakes,et al.  Security Testing of an Unmanned Aerial Vehicle (UAV) , 2016, 2016 Cybersecurity Symposium (CYBERSEC).

[22]  Nguyen Hoang Nga,et al.  Combining Third Party Components Securely in Automotive Systems , 2016, WISTP.

[23]  Ireneusz Tarnowski How to use cyber kill chain model to build cybersecurity? , 2017 .

[24]  Alastair R. Ruddle,et al.  Towards a systematic security evaluation of the automotive Bluetooth interface , 2017, Veh. Commun..

[25]  Jeremy Bryans,et al.  Towards a Testbed for Automotive Cybersecurity , 2017, 2017 IEEE International Conference on Software Testing, Verification and Validation (ICST).

[26]  Andrew C. Simpson,et al.  A Formal Model to Facilitate Security Testing in Modern Automotive Systems , 2018, IMPEX/FM&MDD.

[27]  Gang Zhao,et al.  A General Testing Framework Based on Veins for Securing VANET Applications , 2018, 2018 IEEE SmartWorld, Ubiquitous Intelligence & Computing, Advanced & Trusted Computing, Scalable Computing & Communications, Cloud & Big Data Computing, Internet of People and Smart City Innovation (SmartWorld/SCALCOM/UIC/ATC/CBDCom/IOP/SCI).

[28]  Peter J. Hawrylak,et al.  Automatic Generation of Attack Scripts from Attack Graphs , 2018, 2018 1st International Conference on Data Intelligence and Security (ICDIS).

[29]  Bernhard K. Aichernig,et al.  Automata Learning for Symbolic Execution , 2018, 2018 Formal Methods in Computer Aided Design (FMCAD).

[30]  Jianying Zhou,et al.  ATG: An Attack Traffic Generation Tool for Security Testing of In-vehicle CAN Bus , 2018, ARES.

[31]  Ryo Kurachi,et al.  Proposal of HILS-Based In-Vehicle Network Security Verification Environment , 2018 .

[32]  Pascal Urien,et al.  SARA: Security Automotive Risk Analysis Method , 2018, CPSS@AsiaCCS.

[33]  Jeremy Bryans,et al.  Fuzz Testing for Automotive Cyber-Security , 2018, 2018 48th Annual IEEE/IFIP International Conference on Dependable Systems and Networks Workshops (DSN-W).

[34]  Stefan Marksteiner,et al.  Approaching the Automation of Cyber Security Testing of Connected Vehicles , 2019, CECC.

[35]  Jeremy Bryans,et al.  A Method for Constructing Automotive Cybersecurity Tests, a CAN Fuzz Testing Example , 2019, 2019 IEEE 19th International Conference on Software Quality, Reliability and Security Companion (QRS-C).

[36]  Daniel Esteban Morales Bondy,et al.  ERIGrid Holistic Test Description for Validating Cyber-Physical Energy Systems , 2019, Energies.

[37]  Stefan Marksteiner,et al.  Cyber security requirements engineering for low-voltage distribution smart grid architectures using threat modeling , 2019, J. Inf. Secur. Appl..

[38]  Road vehicles. Cybersecurity engineering , .