automated cross platform reverse engineering of can bus
play

Automated Cross-Platform Reverse Engineering of CAN Bus Commands - PowerPoint PPT Presentation

Jan 11, 2024 •16 likes •646 views

Computer Security Laboratory Automated Cross-Platform Reverse Engineering of CAN Bus Commands From Mobile Apps Haohuang Wen 1 , Qingchuan Zhao 1 , Qi Alfred Chen 2 , and Zhiqiang Lin 1 1 Ohio State University 2 University of California, Irvine

  1. Computer Security Laboratory Automated Cross-Platform Reverse Engineering of CAN Bus Commands From Mobile Apps Haohuang Wen 1 , Qingchuan Zhao 1 , Qi Alfred Chen 2 , and Zhiqiang Lin 1 1 Ohio State University 2 University of California, Irvine NDSS 2020 T HE O HIO S TATE U NIVERSITY

  2. S R I D Data Field C A E O Identifier T D L R C O Byte Byte Byte Byte Byte Byte Byte Byte F R E C C K F 0 1 2 3 4 5 6 7 Introduction Our Observation CANHunter Evaluation Related Work Takeaway References In-vehicle Network and CAN Bus 2 / 20

  3. S R I D Data Field C A E O Identifier T D L R C O Byte Byte Byte Byte Byte Byte Byte Byte F R E C C K F 0 1 2 3 4 5 6 7 Introduction Our Observation CANHunter Evaluation Related Work Takeaway References In-vehicle Network and CAN Bus Control Area Network (CAN) bus. 2 / 20

  4. Introduction Our Observation CANHunter Evaluation Related Work Takeaway References In-vehicle Network and CAN Bus Control Area Network (CAN) bus. I Data Field C S R D A E O Identifier T D L R C O Byte Byte Byte Byte Byte Byte Byte Byte F R E C C K F 0 1 2 3 4 5 6 7 CAN bus command. 2 / 20

  5. Introduction Our Observation CANHunter Evaluation Related Work Takeaway References Applications of CAN Bus Commands Driver Behavior Monitoring An On Board Diagnostic (OBD-II) dongle, used by insurance company Progressive to monitor driver behavior 3 / 20

  6. Introduction Our Observation CANHunter Evaluation Related Work Takeaway References Applications of CAN Bus Commands Vehicle Control Driver Behavior Monitoring An On Board Diagnostic (OBD-II) dongle, used by insurance company Progressive to An In-Vehicle Infotainment (IVI) system. monitor driver behavior 3 / 20

  7. Introduction Our Observation CANHunter Evaluation Related Work Takeaway References Applications of CAN Bus Commands: recently on Autonomous Driving 4 / 20

  8. Introduction Our Observation CANHunter Evaluation Related Work Takeaway References Applications of CAN Bus Commands: Security Vehicle Hacking The Jeep Cherokee hacking [MV15]. 5 / 20

  9. Introduction Our Observation CANHunter Evaluation Related Work Takeaway References Applications of CAN Bus Commands: Security Vehicle Security Monitoring Vehicle Hacking The Jeep Cherokee hacking [MV15]. CAN Bus Firewall [HKD11] [MA11]. 5 / 20

  10. Introduction Our Observation CANHunter Evaluation Related Work Takeaway References Reverse Engineering of CAN Bus Commands State-of-the-art 1 Fuzzing with random CAN bus commands [KCR + 10] [LCC + 15]. 2 Manually triggering physical actions and observing the CAN bus [car] [wir]. 6 / 20

  11. Introduction Our Observation CANHunter Evaluation Related Work Takeaway References Reverse Engineering of CAN Bus Commands State-of-the-art 1 Fuzzing with random CAN bus commands [KCR + 10] [LCC + 15]. 2 Manually triggering physical actions and observing the CAN bus [car] [wir]. Shortcoming 1 Limited scalability . CAN bus commands are highly customized and diversified . 2 Excessive cost . Significant manual effort and real automobiles are required. 6 / 20

  12. Introduction Our Observation CANHunter Evaluation Related Work Takeaway References Our Observation

  13. Introduction Our Observation CANHunter Evaluation Related Work Takeaway References Our Observation IVI App

  14. Introduction Our Observation CANHunter Evaluation Related Work Takeaway References Our Observation IVI App OBD-II Dongle App 7 / 20

  15. Introduction Our Observation CANHunter Evaluation Related Work Takeaway References Our Observation 7 / 20

  16. Introduction Our Observation CANHunter Evaluation Related Work Takeaway References Our Observation 7 / 20

  17. Introduction Our Observation CANHunter Evaluation Related Work Takeaway References Our Observation 7 / 20

  18. Introduction Our Observation CANHunter Evaluation Related Work Takeaway References Our Observation 7 / 20

  19. Introduction Our Observation CANHunter Evaluation Related Work Takeaway References Our Observation Direct / Indirect CAN Bus Commands 7 / 20

  20. Introduction Our Observation CANHunter Evaluation Related Work Takeaway References Our Contributions 1 Novel Approach . We propose a cost-effective and automatic approach for reverse engineering CAN bus commands through analyzing mobile apps. 2 Effective Techniques . We design a suite of effective techniques to uncover CAN bus command syntactics (structure and format) and semantics (meaning and functionality). 3 Implementation and Evaluation . We implemented CANHunter on both Android and iOS platforms, and evaluated it with 236 car mobile apps. It discovered 182 , 619 unique CAN bus commands in which 86 . 1 % of them are recovered with semantics. 8 / 20

  21. Introduction Our Observation CANHunter Evaluation Related Work Takeaway References Challenges and Insights Challenges 1 Precisely identify CAN bus command execution path 2 Command syntactics recovery 3 Command semantics recovery 9 / 20

  22. Introduction Our Observation CANHunter Evaluation Related Work Takeaway References Challenges and Insights Challenges 1 Precisely identify CAN bus command execution path 2 Command syntactics recovery 3 Command semantics recovery Solutions 1 Identify execution path with backward program slicing 2 Syntactics recovery with dynamic forced execution 3 Semantics recovery with UI correlation and function argument association 9 / 20

  23. Introduction Our Observation CANHunter Evaluation Related Work Takeaway References Overview of CANHunter Apps 10 / 20

  24. Introduction Our Observation CANHunter Evaluation Related Work Takeaway References Overview of CANHunter Static Analysis Execution Backward Slicing Path Apps 10 / 20

  25. Introduction Our Observation CANHunter Evaluation Related Work Takeaway References Overview of CANHunter Dynamic Forced Execution Static Analysis Semantics Recovery Syntactics Syntactics Execution Backward Slicing Function Argument Recovery Semantics Path UI Correlation Association Apps 10 / 20

  26. Introduction Our Observation CANHunter Evaluation Related Work Takeaway References Backward Slicing Screen_Info_Diag.viewDidLoad() 13 v4 = UIButton() 14 v4.setText(“Engine Controls”) ... 27 v4.addTarget(v4,”initECUs”) // register button trigger function MD_AllECUsToyota.initECUs() 4 v12.initWithRequestId(“0x7E0”,”Engine Controls”) 5 v12.frageID = ”0x7E0” ... 13 v22 = BaseFahrzeug.initWithName(“Corolla VIII”) 14 v22.ECU = v12 ... 25 v25 = v24.createWorkableECUKategorie(v22) WorkableModell.createWorkableECUKategorie( a3 ) ... 12 v6 = a3 13 v7 = v6.ECU.frageID ... 18 v8 = v7.substring(2,5) 19 v9 = NSString.stringWithForamt(“%@ 30 00 02”,v8) ... 42 v5.writeValue(v9,v14,1) // Target API 11 / 20

  27. Introduction Our Observation CANHunter Evaluation Related Work Takeaway References Backward Slicing Screen_Info_Diag.viewDidLoad() 13 v4 = UIButton() 14 v4.setText(“Engine Controls”) ... 27 v4.addTarget(v4,”initECUs”) // register button trigger function MD_AllECUsToyota.initECUs() 4 v12.initWithRequestId(“0x7E0”,”Engine Controls”) 5 v12.frageID = ”0x7E0” ... 13 v22 = BaseFahrzeug.initWithName(“Corolla VIII”) 14 v22.ECU = v12 ... 25 v25 = v24.createWorkableECUKategorie(v22) WorkableModell.createWorkableECUKategorie( a3 ) ... 12 v6 = a3 13 v7 = v6.ECU.frageID ... 18 v8 = v7.substring(2,5) 19 v9 = NSString.stringWithForamt(“%@ 30 00 02”,v8) ... 42 v5.writeValue(v9,v14,1) // Target API 11 / 20

  28. Introduction Our Observation CANHunter Evaluation Related Work Takeaway References Backward Slicing Screen_Info_Diag.viewDidLoad() 13 v4 = UIButton() 14 v4.setText(“Engine Controls”) ... 27 v4.addTarget(v4,”initECUs”) // register button trigger function MD_AllECUsToyota.initECUs() 4 v12.initWithRequestId(“0x7E0”,”Engine Controls”) 5 v12.frageID = ”0x7E0” ... 13 v22 = BaseFahrzeug.initWithName(“Corolla VIII”) 14 v22.ECU = v12 ... 25 v25 = v24.createWorkableECUKategorie(v22) WorkableModell.createWorkableECUKategorie( a3 ) ... 12 v6 = a3 13 v7 = v6.ECU.frageID ... 18 v8 = v7.substring(2,5) 19 v9 = NSString.stringWithForamt(“%@ 30 00 02”,v8) ... 42 v5.writeValue(v9,v14,1) // Target API 11 / 20

  29. Introduction Our Observation CANHunter Evaluation Related Work Takeaway References Syntactics Recovery Screen_Info_Diag.viewDidLoad() 13 v4 = UIButton() 14 v4.setText(“Engine Controls”) ... 27 v4.addTarget(v4,”initECUs”) // register button trigger function MD_AllECUsToyota.initECUs() 4 v12.initWithRequestId(“0x7E0”,”Engine Controls”) 5 v12.frageID = ”0x7E0” // “0x7E0” ... 13 v22 = BaseFahrzeug.initWithName(“Corolla VIII”) 14 v22.ECU = v12 ... 25 v25 = v24.createWorkableECUKategorie(v22) WorkableModell.createWorkableECUKategorie( a3 ) ... 12 v6 = a3 13 v7 = v6.ECU.frageID // “0x7E0” ... 18 v8 = v7.substring(2,5) 19 v9 = NSString.stringWithForamt(“%@ 30 00 02”,v8) ... 42 v5.writeValue(v9,v14,1) // Target API 12 / 20

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Cross-platform reversing with at NoConName December 2015 by oleavr Who am I? My name is Ole

Cross-platform reversing with at NoConName December 2015 by oleavr Who am I? My name is Ole

Cross-platform reversing with at NoConName December 2015 by oleavr Who am I? My name is Ole Andr Vadla Ravns Author of Frida, CryptoShark, oSpy, libmimic... Developer, Hacker and Reverse Engineer Currently working at

1.26k views • 43 slides
Reverse Engineering CS 166 Armen Boursalian 30 Apr 2018 Reverse Engineering Take a

Reverse Engineering CS 166 Armen Boursalian 30 Apr 2018 Reverse Engineering Take a

Reverse Engineering CS 166 Armen Boursalian 30 Apr 2018 Reverse Engineering Take a product, understand how it works Usually limited to certain aspects, not full systems Need to know a little bit about a lot of topics to gain

636 views • 11 slides
Corey Clark PhD Daniel Montgomery Web Dev Platform Cross Cross Platform Browser HTML5 Web

Corey Clark PhD Daniel Montgomery Web Dev Platform Cross Cross Platform Browser HTML5 Web

Corey Clark PhD Daniel Montgomery Web Dev Platform Cross Cross Platform Browser HTML5 Web Web WebGL Socket Worker Optimized Parallel Hardware Communication Acceleration Processing Channel Web Workers JaHOVA OS Internal APIs

957 views • 38 slides
Reverse Engineering TCP/ IP Reverse Engineering TCP/ IP Steven Low EAS, Caltech Joint work

Reverse Engineering TCP/ IP Reverse Engineering TCP/ IP Steven Low EAS, Caltech Joint work

Reverse Engineering TCP/ IP Reverse Engineering TCP/ IP Steven Low EAS, Caltech Joint work with: Li J W Li, J. Wang, Pongsajapan, Tan, Tang, M. Wang P j T T M W Outline Background Layering as optimization decomposition L

932 views • 47 slides
Cross-platform reversing with Frida Ole Andr Vadla Ravns Cross-platform reversing with Frida

Cross-platform reversing with Frida Ole Andr Vadla Ravns Cross-platform reversing with Frida

Cross-platform reversing with Frida Ole Andr Vadla Ravns Cross-platform reversing with Frida Motivation Existing tools often not a good fit for the task at hand Creating a new tool usually takes too much effort Short feedback

1.17k views • 37 slides
Next-Generation Debuggers For Reverse Engineering For Reverse Engineering The ERESI team

Next-Generation Debuggers For Reverse Engineering For Reverse Engineering The ERESI team

Next-Generation Debuggers For Reverse Engineering For Reverse Engineering The ERESI team eresi@asgardlabs.org This presentation is about .. The Embedded ERESI debugger : e2dbg The Embedded ERESI tracer : etrace The ERESI reverse

849 views • 47 slides
CS 166: Information Security Reverse Engineering & Digital Rights Management Prof. Tom

CS 166: Information Security Reverse Engineering & Digital Rights Management Prof. Tom

CS 166: Information Security Reverse Engineering & Digital Rights Management Prof. Tom Austin San Jos State University SRE Software Reverse Engineering Also known as Reverse Code Engineering (RCE) Or simply reversing

1.04k views • 80 slides
Reverse Engineering NAND Flash Adapted from Josh m0nk

Reverse Engineering NAND Flash Adapted from Josh m0nk

Reverse Engineering NAND Flash Adapted from Josh m0nk Thomass Black Hat PresentaBon Andrew bunnie Huang & Sean xobs Cross 30c3 PresentaBon

1.02k views • 30 slides
Automated Generation of Platform-Variant Applications from Platform-Independent Models via

Automated Generation of Platform-Variant Applications from Platform-Independent Models via

Automated Generation of Platform-Variant Applications from Platform-Independent Models via Templates Nuno Amlio, Christian Glodt, Frederico Pinto, Pierre Kelsen University of Luxembourg Introduction Manual code development is expensive

243 views • 21 slides
Building Consistent Cross-Platform Interfaces Building Consistent Cross-Platform Interfaces

Building Consistent Cross-Platform Interfaces Building Consistent Cross-Platform Interfaces

Building Consistent Cross-Platform Interfaces Building Consistent Cross-Platform Interfaces https:/ /bit.ly/ato2018-cross-platform https:/ /bit.ly/ato2018-cross-platform-pdf @dbanksdesign #AllThingsOpen Consistent experiences help users

1k views • 46 slides
Reverse Engineering MAC: A Non-Cooperative Game Model Jianwei Huang Information Engineering The

Reverse Engineering MAC: A Non-Cooperative Game Model Jianwei Huang Information Engineering The

Reverse Engineering MAC: A Non-Cooperative Game Model Jianwei Huang Information Engineering The Chinese University of Hong Kong Joint work with J.-W. Lee, A. Tang, M. Chiang and A. R. Canderbank J. Huang (CUHK) Reverse Engineering MAC Nov.

605 views • 38 slides
the context of Reverse Engineering Sebastian Porst (sebastian.porst@zynamics.com) Christian

the context of Reverse Engineering Sebastian Porst (sebastian.porst@zynamics.com) Christian

Automated static deobfuscation in the context of Reverse Engineering Sebastian Porst (sebastian.porst@zynamics.com) Christian Ketterer (cketti@gmail.com) Sebastian Christian zynamics GmbH Student Lead Developer University of

1.04k views • 46 slides
Reverse Engineering Closed, heterogeneous platforms and the defenders dilemma Looking back at

Reverse Engineering Closed, heterogeneous platforms and the defenders dilemma Looking back at

Reverse Engineering Closed, heterogeneous platforms and the defenders dilemma Looking back at the last 20 years of RE and looking ahead at the next few SSTIC 2018 -- Thomas Dullien (Halvar Flake) Progress in Reverse Engineering 2010

941 views • 64 slides
Cryptanalysis, Reverse-Engineering and Design of Symmetric Cryptographic Algorithms Lo Perrin

Cryptanalysis, Reverse-Engineering and Design of Symmetric Cryptographic Algorithms Lo Perrin

Cryptanalysis, Reverse-Engineering and Design of Symmetric Cryptographic Algorithms Lo Perrin SnT, University of Luxembourg April 25, 2017 PhD Defence Introduction On S-Box Reverse-Engineering On Lightweight Cryptography Conclusion

1.76k views • 137 slides
Automated Credit-Loan Platform based on AI-technology A fully automated processes The Corex.ai

Automated Credit-Loan Platform based on AI-technology A fully automated processes The Corex.ai

Automated Credit-Loan Platform based on AI-technology A fully automated processes The Corex.ai system is a fully automated loan management system. This solution extends the productivity of Your loan business to the maximum. Easily integrates

541 views • 27 slides
TkDND: a cross-platform dragndrop package Georgios Petasis Software and Knowledge

TkDND: a cross-platform dragndrop package Georgios Petasis Software and Knowledge

TkDND: a cross-platform dragndrop package Georgios Petasis Software and Knowledge Engineering Laboratory, Institute of Informatics and Telecommunications, National Centre for Scientific Research Demokritos, Athens, Greece

620 views • 18 slides
Systerel Smart Solver Forum Mthodes Formelles October 2014 S3 S3 for C Systerel Smart Solver

Systerel Smart Solver Forum Mthodes Formelles October 2014 S3 S3 for C Systerel Smart Solver

Systerel Smart Solver Forum Mthodes Formelles October 2014 S3 S3 for C Systerel Smart Solver S3 for Scade cS3 for Scade 2 Systerel Smart Solver Family of Model Checking solutions SAT based largely automatic

348 views • 6 slides
6/5/2018 What is Systematic Instruction and Applied Behavior Analysis in the Classroom? Summer

6/5/2018 What is Systematic Instruction and Applied Behavior Analysis in the Classroom? Summer

6/5/2018 What is Systematic Instruction and Applied Behavior Analysis in the Classroom? Summer Institute June 13-15, 2018 Felicia Nevarez, M.Ed Autism Programs University of New Mexico Center for Development and Disability Felicia Nevarez

132 views • 11 slides
Parent Child Interaction Therapy Program Development and Services Funding Opportunity 2019-2021

Parent Child Interaction Therapy Program Development and Services Funding Opportunity 2019-2021

Parent Child Interaction Therapy Program Development and Services Funding Opportunity 2019-2021 Presentation by : Laurie Theodorou, LCSW Early Childhood Mental Health Policy Specialist Child and Family Behavioral Health November 6 th and

679 views • 43 slides
Q: Who to include in pragmatic trials? A: It depends. Gregory Simon MD MPH Kaiser Permanente

Q: Who to include in pragmatic trials? A: It depends. Gregory Simon MD MPH Kaiser Permanente

Q: Who to include in pragmatic trials? A: It depends. Gregory Simon MD MPH Kaiser Permanente Washington Health Research Institute Laura M Dember MD University of Pennsylvania Perelman School of Medicine Outline What does it depend on?

694 views • 45 slides
Construction Matt Staats KAIST Shin Hong, Moonzoo Kim, Gregory Gay, Mats Heimdahl Gregg

Construction Matt Staats KAIST Shin Hong, Moonzoo Kim, Gregory Gay, Mats Heimdahl Gregg

Supporting Test Oracle Construction Matt Staats KAIST Shin Hong, Moonzoo Kim, Gregory Gay, Mats Heimdahl Gregg Rothermel University of Minnesota Twin-Cities KAIST / University of Nebraska-Lincoln 1 The Testing Problem Test Oracle Test

370 views • 15 slides
Educational Systems Sebastin Ventura Department of Computer Sciences and Numerical Analysis

Educational Systems Sebastin Ventura Department of Computer Sciences and Numerical Analysis

Data Analysis in in Educational Systems Sebastin Ventura Department of Computer Sciences and Numerical Analysis University of Crdoba Outli line Introduction Motivation Historical perspective Educational Data Science

651 views • 33 slides
Verification and Validation Ian Sommerville, SW Engineering, 7th/8th edition Ch 22 Why Test? 2

Verification and Validation Ian Sommerville, SW Engineering, 7th/8th edition Ch 22 Why Test? 2

Verification and Validation Ian Sommerville, SW Engineering, 7th/8th edition Ch 22 Why Test? 2 Why Test? 3 Software is Buggy! On average, 1-5 errors per 1KLOC Windows 2000 35M LOC 63,000 known bugs at the time of release

823 views • 49 slides
Automatic Generation of Hierarchical Placement Rules for Analog Integrated Circuits M. Eick , M.

Automatic Generation of Hierarchical Placement Rules for Analog Integrated Circuits M. Eick , M.

Institute for Electronic Design Automation Technische Universitt Mnchen Automatic Generation of Hierarchical Placement Rules for Analog Integrated Circuits M. Eick , M. Strasser, H. Graeb, U. Schlichtmann Institute for Electronic Design

331 views • 32 slides

More recommend