cananalyze
play

CANANALYZE A PYTHON FRAMEWORK SSTIC 2020 ERWAN LE-DISEZ & - PowerPoint PPT Presentation

Mar 22, 2024 •394 likes •691 views

CANANALYZE A PYTHON FRAMEWORK SSTIC 2020 ERWAN LE-DISEZ & ETIENNE CHARRON / 2020 Renault ABOUT US Etienne CHARRON Erwan LE DISEZ Intruder Cyber Security specialist Erwan LE-DISEZ & Etienne CHARRON / 2020 Renault AGENDA # CONTEXT

  1. CANANALYZE A PYTHON FRAMEWORK SSTIC 2020 ERWAN LE-DISEZ & ETIENNE CHARRON / 2020 Renault

  2. ABOUT US Etienne CHARRON Erwan LE DISEZ Intruder Cyber Security specialist Erwan LE-DISEZ & Etienne CHARRON / 2020 Renault

  3. AGENDA # CONTEXT # FRAMEWORK # DEMO # NEXT Erwan LE-DISEZ & Etienne CHARRON / 2020 Renault

  4. 01 CONTEXT Erwan LE-DISEZ & Etienne CHARRON / 2020 Renault

  5. CANANALYZE ARCHITECTURE OF A CAR Exposed (multimedia) ▪ ECU (Electronic Control Unit) • BCM ( B rake C ontrol M odule) Sensitive • Telematics box (vehicule) • Dashboard • …. ▪ BUS • CAN ( C ontroller A rea N etwork) • I2C ( I nter- I ntegrated Circuit ) • LIN ( L ocal I nterconnect N etwork) • … Erwan LE-DISEZ & Etienne CHARRON / 2020 5 Renault

  6. CANANALYZE SECURITY CONCERNS ▪ Cybersecurity impacts • Safety (preserve passager life) [Main concern] • Data privacy (RGPD) • IT (Automobile knowledge) ▪ Scenarios Vulnerability or • Compromise an ECU in the multimedia network Debug service • Bypass the CGW to send malicious frames in the vehicule network CGW bypass Vulnerability Vulnerability CGW bypass Erwan LE-DISEZ & Etienne CHARRON / 2020 6 Renault

  7. CANANALYZE SECURITY CONCERNS ▪ Verify Debug services are closed (or correctly locked by a robustness authentication) • UDS services ( Unified Diagnostic Services ISO 14229-1) • ReadMemoryByAddress • WriteMemoryByAddress • Transfer data ▪ Verify sensitives frames are correctly filtered by CGW (CAN firewall) How to verify this ? … CANanalyze … Erwan LE-DISEZ & Etienne CHARRON / 2020 7 Renault

  8. CANANALYZE GLOBAL OVERWIEW UDS (ReadMemoryByAddress, WriteMemoryByAddress, DataTransfer) UDS SERVICE_ID PARAMATER1 VERY LONG PARAMATER2 Fragmentation FRAG SERVICE_ID PARAMATER1 ISOTP FRAG VERY LONG PARAMATER2 PAD Simple packet (CANid DATA) CANID DLC C FRAG SERVICE_ID PARAMATER1 CRC CAN Erwan LE-DISEZ & Etienne CHARRON / 2020 8 Renault

  9. 02 FRAMEWORK Erwan LE-DISEZ & Etienne CHARRON / 2020 Renault

  10. CANANALYZE WHY CREATING A NEW FRAMEWORK? Need for a CAN Army Swiss Knife ▪ Existing internal code base ▪ Programming language accessible to everyone, very simple API ▪ Support several hardware dongles (KOMODO, CANUSB) ▪ Support the use of several interfaces at the same time ▪ Specific features to validate / instrument CAN Gateways (virtual ECU / GW) VECTOR BeagleBone Black CAN USB dongle BBB + Komodo CAN DUO + Tranceiver extended CAPE Erwan LE-DISEZ & Etienne CHARRON / 2020 10 Renault

  11. CANANALYZE EXISTING FRAMEWORKS Udsoncan CANTools UDSim CANanalyze Activity (GIT) Too recent Language Python Python C/C++ Python API simplicity Documentation CAN / ISOTP / UDS ECU Simulator Script probing (CANid, UDS) Hardware compatibility Erwan LE-DISEZ & Etienne CHARRON / 2020 11 Renault

  12. CANANALYZE PROVIDED SCRIPTS – VIRTUAL GATEWAY Virtual Gateway Calibration Socket CAN Gateway : calibration.json + mapping.json JSON format defines routing + filtering per $ python3 scripts/gw_virtual_socketcan.py calibration.json mapping.json interface / CANID “ dlc": { Add virtual CAN interface vcan3 [physical=v1 virtual=vcan3] "ext": { Add virtual CAN interface vcan0 [physical=v2 virtual=vcan0] "0x20": [ { "payload": "0x0000000000000000", Add virtual CAN interface vcan1 [physical=ext virtual=vcan1] "mask": "0xF0F0000000000000" }, Add virtual CAN interface vcan2 [physical=dlc virtual=vcan2] { "payload": "0x0040000000000000", "mask": "0xF0F0000000000000" } ], ... "0x21": [ { "payload": "0x0000000000000000", R: dlc [0x406 - 0xb'd20a38059b300e'] "mask": "0xF0F0000000000000" }, R: v1 [0x53f - 0xb'ae2f8f45d9e1'] { "payload": "0x0040000000000000", R: dlc [0x200 - 0xb'df72'] "mask": "0xF0F0000000000000" } ]}, R: v1 [0x7aa - 0xb'c5be5f348af39461'] "v2": { R: dlc [0x405 - 0xb'67c68e0f3e093806'] "0x20": [ { "payload": "0x0000000000000000", R: v1 [0x7df - 0xb'6f33ee49fb21a96a'] "mask": "0xF0F0000000000000" }, ... ] }, READ R: v1 [0x020 - 0xb'12312333'] ... R: CAN ID matches = 0x020 } Interface mapping F: v1 -> v2 [0x020 - 0xb'12312333'] FORWARD W: v2 [0x020 - b'12312333'] R: v1 [0x021 - 0xb'aaaaaaaa'] Specific mapping depending on the interfaces R: CAN ID matches = 0x021 WRITE F: v1 -> v2 [0x021 - 0xb'aaaaaaaa'] W: v2 [0x021 - b'aaaaaaaa'] "interfaces": { ... "v1": { "channel" : "vcan0", "bustype" : "socketcan", "bitrate" : 500000}, "v2": { "channel" : "vcan3", Send messages to virtual GW: "bustype" : "socketcan", "bitrate" : 500000}, $ cangen vcan0 ...} $ cansend vcan0 123#DEADBEEF ... Erwan LE-DISEZ & Etienne CHARRON / 2020 12 Renault

  13. CANANALYZE PROVIDED SCRIPTS – PHYSICAL GATEWAY Interface mapping Calibration Specific mapping depending on the interfaces Calibration depending on the hardware "interfaces": { "v1": { "channel" : "vcan1", "bustype" : "socketcan", Calibration only required to validate the "bitrate" : 500000}, "ext": { "channel" : "A", "bustype" : "komodo", "port_nr" : 1, routing and filtering configuration "bitrate" : 500000}, "dlc": { "channel" : "B", "bustype" : "komodo", "port_nr" : 0, "bitrate" : 500000}, } Validation script ▪ Listen simultaneously on all interfaces and generate trafic depending on the tests ▪ Discover CANID authorized on interfaces (UDS DiagSessionControl) ▪ Check authorized CANID and payloads from calibration Erwan LE-DISEZ & Etienne CHARRON / 2020 13 Renault

  14. CANANALYZE PROVIDED SCRIPTS (CANID DISCOVERY) ECU Client Goal: Discover CANid offering UDS services (needed to get the debug services list) $ python scripts/id_uds.py km_init_channel: Acquired features: 38 km_init_channel: Bitrate set to 5000000 km_init_channel: Timeout set to 1 second(s) UDS service detected (canid_send=0x7CA, canid_receive=0x7DA) Erwan LE-DISEZ & Etienne CHARRON / 2020 14 Renault

  15. CANANALYZE PROVIDED SCRIPT (SCAN UDS SERVICES) Goal: list UDS services exposed by the ECU (and verify that some UDS debug services are disabled) ECU Client $ python scripts/nmap.py km_init_channel: Acquired features: 38 km_init_channel: Bitrate set to 5000000 km_init_channel: Timeout set to 1 second(s) Scan.services discovered 10 Diagnostic Session Control Scan.services discovered 11 ECU Reset Scan.services discovered 14 Clear Diagnostic Session Information Scan.services discovered 19 Read DTC Information Scan.services discovered 22 Read Data By Identifier Scan.services discovered 27 Security Access Scan.services discovered 2e Write Data By Identifier Scan.services discovered 31 Routine Control Scan.services discovered 3e Tester Present Erwan LE-DISEZ & Etienne CHARRON / 2020 15 Renault

  16. CANANALYZE ARCHITECTURE unittest python-can 3 ▪ CAN abstraction interface sphinx documentation DIAG DATA ID • Strong python-can adhesion: message format, socket CAN support UDS (and more) • Komodo support (single and dual interfaces) CTX APPLICATION ▪ ISOTP and advanced UDS interfaces ISOTP ▪ Context management NETWORK • Manage simultaneously multiple interfaces (CAN id filters, timeouts...) ABSTRACT CAN • Per-context cache (with filtering capabilities) Socket KOMODO CAN CAN ctx = context.create_ctx (channel = 'A', ▪ Simple API (create ctx / read / write) TOOLS bustype = BusType.KOMODO, LINK port_nr = 0, bitrate = 500000) Linux KOMODO vcan.sniff (ctx, max=20) SocketCAN vcan.write (ctx, can.Message( INTERFACE data = [0xD0, 0x32, 0x00, 0x09]), can_id = 0x166 ) Erwan LE-DISEZ & Etienne CHARRON / 2020 16 Renault

  17. 03 DEMO Erwan LE-DISEZ & Etienne CHARRON / 2020 Renault

  18. CANANALYZE DEMO SETUP ▪ 4 virtual CAN interfaces: ▪ vcan0 (MULTIMEDIA) : exposed services ▪ vcan1 (SAFETY) : sensitive ECU ▪ vcan2 (ADAS) : optional driving aids ▪ vcan3 (DIAG) : ODB II diagnostic ▪ Sample calibration: ALLOW ▪ SAFETY => * : ALL CAN ID ▪ ADAS => MULTIMEDIA : CANID 0x01 / ACK 0x02 ▪ DIAG => SAFETY : CANID 0x0a / ACK 0x0b CANID routing No payload ▪ DIAG => ADAS : CANID 0x0d / ACK 0x0e filtering Erwan LE-DISEZ & Etienne CHARRON / 2020 18 Renault

  19. 04 EVOLUTION Erwan LE-DISEZ & Etienne CHARRON / 2020 Renault

  20. CANANALYZE FUTURE EVOLUTIONS ▪ Probing UDS routines ▪ Support more hardware dongle ▪ Support CANFD ▪ Automatize some tests on Security Access ▪ … Erwan LE-DISEZ & Etienne CHARRON / 2020 20 Renault

  21. Renault

  22. 05 APPENDIX Erwan LE-DISEZ & Etienne CHARRON / 2020 Renault

  23. 02’ COMMUNICATION WITH ECU Erwan LE-DISEZ & Etienne CHARRON / 2020 Renault

  24. CANANALYZE WHAT IS A CAN REQUEST? ▪ CAN - ISO 11898-2 (2003): CAN « high-speed » (until 1Mbits/s), - ISO 11898-3 (2006): CAN « low-speed, fault tolerant » (until 125kbits/s). ARBITRATION ID (11) C DLC (4) DATA (0-64) CRC (15) "Daisy-chain" structure with twisted-pair CAN High / CAN Low Erwan LE-DISEZ & Etienne CHARRON / 2020 24 Renault

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

SoC Design Lecture 10: On-Chip Interconnection Networks Lecture 10: On Chip Interconnection

SoC Design Lecture 10: On-Chip Interconnection Networks Lecture 10: On Chip Interconnection

SoC Design Lecture 10: On-Chip Interconnection Networks Lecture 10: On Chip Interconnection Networks Shaahin Hessabi Department of Computer Engineering g g Sharif University of Technology Signal Transmission on SoC We focus on global wires

800 views • 66 slides
Good morning.. My name is Simon Howlett, Product Development Director at Workiva, and welcome to

Good morning.. My name is Simon Howlett, Product Development Director at Workiva, and welcome to

Good morning.. My name is Simon Howlett, Product Development Director at Workiva, and welcome to TestOps in a DevOps world where Ill be talking a little about integrating your automated testing workflow and resources alongside a devOps

1.15k views • 45 slides
Mathew Rowley How many bricks does it take to crack a microcell?

Mathew Rowley How many bricks does it take to crack a microcell?

Mathew Rowley How many bricks does it take to crack a microcell? http://67.219.122.21/blackhat2012/ Thursday, July 26, 12 Mathew Rowley @wuntee I hate hearing peoples backgrounds... But this is an exception. Senior Security Consultant

1.17k views • 95 slides
Module 11: File-System Interface File Concept Access :Methods Directory Structure

Module 11: File-System Interface File Concept Access :Methods Directory Structure

Module 11: File-System Interface File Concept Access :Methods Directory Structure Protection Consistency Semantics Silberschatz, Galvin, and Gagne 1999 Applied Operating System Concepts 11.1 File Concept Contiguous

755 views • 50 slides
Chapters 8 (partial coverage) 1 Interfacing Processors and Peripherals I/O Design affected

Chapters 8 (partial coverage) 1 Interfacing Processors and Peripherals I/O Design affected

Chapters 8 (partial coverage) 1 Interfacing Processors and Peripherals I/O Design affected by many factors (expandability, resilience) Performance is complex: access latency throughput connection between devices and the

602 views • 29 slides
Empowering DAP Strategies for Literacy in Early Childhood Programs Nell K. Duke University of

Empowering DAP Strategies for Literacy in Early Childhood Programs Nell K. Duke University of

11/15/16 e k u d k l l e n @ Empowering DAP Strategies for Literacy in Early Childhood Programs Nell K. Duke University of Michigan Session Objectives Administrators: learn about fundamental knowledge their staff should have

685 views • 16 slides
Pu#ng Device API Privacy and Policy into User Context Frederick

Pu#ng Device API Privacy and Policy into User Context Frederick

Pu#ng Device API Privacy and Policy into User Context Frederick Hirsch 4 October 2010 Wednesday, October 6, 2010 1 New DAP APIs; Increased AHack Surface Contacts (reading

478 views • 11 slides
Principles of Grading Grades = Communication [not compensation] 1 Principle #2: Students need

Principles of Grading Grades = Communication [not compensation] 1 Principle #2: Students need

Cooking Up Assessment for Differentiated Student Product 1. Principles of Grading 2. Nuts & Bolts of Grading Differentiated Work 3. The DAP Tool Principle #1: Understanding Assessment Principles of Grading Grades = Communication [not

463 views • 9 slides
Argument Schemes and Critical Questions for Decision Aiding Process Wassila Ouerdane, Nicolas

Argument Schemes and Critical Questions for Decision Aiding Process Wassila Ouerdane, Nicolas

Context and Motivations Argumentation Scheme and Decision Conclusions Argument Schemes and Critical Questions for Decision Aiding Process Wassila Ouerdane, Nicolas Maudet and Alexis Tsoukis LAMSADE, Universit Paris Dauphine, France

696 views • 44 slides
DTrace, Node.js, and Flame Graphs NodeConf 2012 David Pacheco (@dapsays) Joyent Node.js for

DTrace, Node.js, and Flame Graphs NodeConf 2012 David Pacheco (@dapsays) Joyent Node.js for

DTrace, Node.js, and Flame Graphs NodeConf 2012 David Pacheco (@dapsays) Joyent Node.js for systems programming At Joyent, weve found Node.js to be a great environment for systems programming Unix abstractions (e.g., streams)

349 views • 9 slides
Dynamic Adaptive Policymaking: An Approach to Planning Under Deep Uncertainty Prof. Dr. Warren

Dynamic Adaptive Policymaking: An Approach to Planning Under Deep Uncertainty Prof. Dr. Warren

Dynamic Adaptive Policymaking: An Approach to Planning Under Deep Uncertainty Prof. Dr. Warren E. Walker New Zealand Climate Change Research Institute Victoria University of Wellington 10 February 2015 The Problem: How to make policy in a

767 views • 34 slides
Common Geometry Primitives (Unified Solids) Marek Gayer, CERN PH/SFT 1 st AIDA Annual Meeting,

Common Geometry Primitives (Unified Solids) Marek Gayer, CERN PH/SFT 1 st AIDA Annual Meeting,

Common Geometry Primitives (Unified Solids) Marek Gayer, CERN PH/SFT 1 st AIDA Annual Meeting, Hamburg Motivations for a common solids library Optimize and guarantee better long-term maintenance of Root and Gean4 solids libraries A rough

455 views • 32 slides
Local Health Improvement Coalition CHRC Grant Kick Off Anne Langley, JD, MPH, Director, Center

Local Health Improvement Coalition CHRC Grant Kick Off Anne Langley, JD, MPH, Director, Center

Local Health Improvement Coalition CHRC Grant Kick Off Anne Langley, JD, MPH, Director, Center for Population Health Initiatives Mark Luckner, Executive Director, Maryland Community Health Resources Commission Friday, September 11, 2020 Center

458 views • 6 slides
Varieties of De Morgan Monoids II: Covers of Atoms T. Moraschini 1 , J.G. Raftery 2 , and J.J.

Varieties of De Morgan Monoids II: Covers of Atoms T. Moraschini 1 , J.G. Raftery 2 , and J.J.

Varieties of De Morgan Monoids II: Covers of Atoms T. Moraschini 1 , J.G. Raftery 2 , and J.J. Wannenburg 2 1 Academy of Sciences of the Czech Republic, Czech Republic 2 University of Pretoria, South Africa TACL, June 2017 De Morgan monoids A De

876 views • 39 slides
SFR: Scalable Forwarding with RINA for Distributed Clouds Fatma Hrizi, Anis Laouiti and Hakima

SFR: Scalable Forwarding with RINA for Distributed Clouds Fatma Hrizi, Anis Laouiti and Hakima

SFR: Scalable Forwarding with RINA for Distributed Clouds Fatma Hrizi, Anis Laouiti and Hakima Chaouchi Telecom SudParis, France 6th International Conference NOF 2015, MONTREAL, CANADA, SEPTEMBER 30, 2015 07/10/2015 NOF 2015 1 Outline

255 views • 13 slides
Reconfigurable Computing Reconfigurable Computing Reconfigurable Architectures Reconfigurable

Reconfigurable Computing Reconfigurable Computing Reconfigurable Architectures Reconfigurable

Reconfigurable Computing Reconfigurable Computing Reconfigurable Architectures Reconfigurable Architectures Chapter 3.2 Chapter 3.2 Prof. Dr.- -Ing. Jrgen Teich Ing. Jrgen Teich Prof. Dr. Lehrstuhl fr Hardware- -Software Software-

655 views • 29 slides
SERIES 500 SWITCHES SLIDE SWITCHES SWITCHES TACT SPECIFICATIONS Contact Rating: Gold, 0.4 VA

SERIES 500 SWITCHES SLIDE SWITCHES SWITCHES TACT SPECIFICATIONS Contact Rating: Gold, 0.4 VA

SERIES 500 SWITCHES SLIDE SWITCHES SWITCHES TACT SPECIFICATIONS Contact Rating: Gold, 0.4 VA @ 20 VAC or DC NAVIGATION SWITCHES Silver, 5A @ 120 VAC, 2A @ 250 VAC Life Expectancy: 50,000 make-and-break cycles at full load Contact

575 views • 23 slides
@" 'tvery Doy Caunts in the Lile of 0 Child' Language, Communication and Literacy: Let's dig

@" 'tvery Doy Caunts in the Lile of 0 Child' Language, Communication and Literacy: Let's dig

Care Council of Nassau,lnc. @" 'tvery Doy Caunts in the Lile of 0 Child' Language, Communication and Literacy: Let's dig into Early Learning Standardsl July 16,2018 Long lsland Speech-Language-Hearing Association Introduction o Welcomel tr

199 views • 8 slides
Akenteva Anna Postgres Professional Overview 1. The role of VACUUM and Autovacuum 2. Issues and

Akenteva Anna Postgres Professional Overview 1. The role of VACUUM and Autovacuum 2. Issues and

The present and future of VACUUM and Autovacuum postgrespro.ru Akenteva Anna Postgres Professional Overview 1. The role of VACUUM and Autovacuum 2. Issues and workarounds 3. Future prospects 2 1. The role of VACUUM and Autovacuum

829 views • 47 slides
Research and development for the IsoDAR experiment WIN2017 06/23/2017 Spencer N. Axani

Research and development for the IsoDAR experiment WIN2017 06/23/2017 Spencer N. Axani

Research and development for the IsoDAR experiment WIN2017 06/23/2017 Spencer N. Axani saxani@mit.edu On Behalf of the IsoDAR collaboration 1 Sterile neutrino overview Modern searches for ~1 eV scale light sterile neutrinos are motivated by

443 views • 21 slides
Neural Network Compression Linear Neural Reconstruction David A. R. Robin Internship with

Neural Network Compression Linear Neural Reconstruction David A. R. Robin Internship with

Neural Network Compression Linear Neural Reconstruction David A. R. Robin Internship with Swayambhoo Jain Feb-Aug 2019 Report : www.robindar.com/m1-internship/report.pdf Neural networks X R d W 2 1 ( W 1 0 ( W 0 X ))

710 views • 33 slides
3/26/19 INSERT Martinsville Trailer HOMETOWN PRIDE & A WORLDLY WELCOME Build Positive

3/26/19 INSERT Martinsville Trailer HOMETOWN PRIDE & A WORLDLY WELCOME Build Positive

3/26/19 INSERT Martinsville Trailer HOMETOWN PRIDE & A WORLDLY WELCOME Build Positive Proximity with a Main Street Book Club Rebecca Rowe Douglas Jackson & VIRGINIA MAIN STREET DOWNTOWN DOWNTOWN as a primary opportunity for

541 views • 4 slides
QBF-BASED SYNTHESIS OF OPTIMAL WORD-SPLITTING IN APPROXIMATE MULTI-LEVEL CELLS Daniel E. Holcomb

QBF-BASED SYNTHESIS OF OPTIMAL WORD-SPLITTING IN APPROXIMATE MULTI-LEVEL CELLS Daniel E. Holcomb

QBF-BASED SYNTHESIS OF OPTIMAL WORD-SPLITTING IN APPROXIMATE MULTI-LEVEL CELLS Daniel E. Holcomb Kevin Fu University of Michigan 2 March 2014 QBF Synthesis of Optimal Word-Splitting 2 Motivation 2 March 2014 QBF Synthesis of Optimal

752 views • 29 slides
DS504/CS586: Big Data Analytics Graph Mining II Prof. Yanhua Li Time: 6-8:50PM Thursday

DS504/CS586: Big Data Analytics Graph Mining II Prof. Yanhua Li Time: 6-8:50PM Thursday

Welcome to DS504/CS586: Big Data Analytics Graph Mining II Prof. Yanhua Li Time: 6-8:50PM Thursday Location: AK233 Spring 2018 Course Project I has been graded. v Grading was based on v 1. Project report v 2. Project team presentation v 3.

653 views • 36 slides

More recommend