Automatic attack path generation in automotive model-based security testing
Date
2024-10-01
Authors
Sommer, Florian
Abstract
Modern vehicles represent highly complex systems that combine many distributed components to provide vehicle functions. This trend leads to an increasing number of potential attack surfaces. Numerous cyberattacks have exploited these systems in the recent past. For this reason, testing vehicles and their subsystems for vulnerabilities that enable such attacks is particularly relevant to ensure the safety of occupants and road users. The primary security testing methods currently in use (for example, penetration testing) are typically performed manually, as they are exploratory and experience-based. In addition, these test procedures can typically only be applied late in the development process, when a vehicle and its subsystems have already been largely completed. Thus, potential vulnerabilities are discovered late, which complicates their elimination. The wide range of technologies used leads to high complexity in modern vehicles. As a result, there is a risk that manual test methods reach their limits and vulnerabilities are overlooked. To address these issues, this dissertation investigates model-based security testing methods used for early and automated testing.

Specifically, this dissertation investigates how model-based security testing for detecting vehicle vulnerabilities can be improved by automatically generating attack paths during development. Since cybersecurity vulnerabilities are typically discovered through the execution and investigation of cyberattacks, automotive-related cyberattacks are collected and analyzed in an Automotive Attack Database (AAD) and the associated Automotive Security Attack Classification Tool (ASAC). Characteristics relevant to executing attacks are identified, and a concept for an Automotive Model-Based Security Testing Method (AMBST) is presented. IT and security-relevant vehicle systems, as well as external systems interacting with the vehicle, are modeled. In addition, artifacts applied to protect vehicles from cyberattacks and attack-related artifacts are considered. Based on these artifacts, a security model is created to simulate and analyze attacks. Furthermore, a test model is created and used to generate attack paths automatically. The methodology is implemented in an associated Automotive Model-Based Security Testing Tool (AMBSTT) and applied to several stages and use cases of the automotive development and test process.

Overall, this dissertation presents a model-based security testing methodology used in vehicle development to generate attack paths automatically. The attack paths can be used in the test process and beyond to support development activities, such as detecting attacks and vulnerabilities in threat and risk analyses.
Faculties
Faculty of Engineering, Computer Science and Psychology
License
Lizenz A
