Automating Vehicle SOA Threat Analysis Using a Model-Based

Methodology

Yuri Gil Dantas

, Simon Barner

, Pei Ke

, Vivek Nigam

and Ulrich Sch

opp

fortiss GmbH, Munich, Germany

Huawei Technologies D

usseldorf GmbH, D

usseldorf, Germany

Keywords:

Automotive, Threat Analysis, Service-Oriented Architectures, Automation, Safe and Secure-by-Design.

Abstract:

This article proposes automated methods for threat analysis using a model-based engineering methodology

that provides precise guarantees with respect to safety goals. This is accomplished by proposing an intruder

model for automotive SOA which together with the system architecture and the loss scenarios identiﬁed by

safety analysis are used as input for computing assets, impact rating, damage/threat scenarios, and attack paths.

To validate the proposed methodology, we developed a faithful model of the autonomous driving functions

of the Apollo framework, a widely used open source autonomous driving stack. The proposed machinery

automatically enumerates several attack paths on Apollo, including attack paths not reported in the literature.

1 INTRODUCTION

The automotive industry is under great transformation

to meet challenges of implementing features such

as Autonomous Driving and Over-the-Air Updates.

Instead of using distributed architectures with

domain-speciﬁc hardware, vehicles are using

software-intensive Service-Oriented Architectures

(SOA) with powerful centralized computer units.

The open-source Apollo framework (Apollo, 2021)

is an example of this transformation providing

autonomous vehicle features that have been used in

the development of real-world autonomous vehicle

applications, such as autonomous taxis and buses.

This transformation has also increased concerns

on how attackers can affect road-user safety. While

security threats to safety have been known for

more than a decade ago (WIRED, 2015), the

upcoming/recent standards ISO 21434 (ISO/SAE

21434, 2020) and the UNECE (UN, 2021) have pushed

industry to change its development process to enable

safe and secure-by-design vehicles. For example, the

ISO 21434 puts great emphasis on the development

process and on the threat analysis, e.g., Damage/Threat

Scenario/Attack Path enumeration, that shall be

performed and addressed before putting the vehicle

on the road. At the end, Original Equipment

Manufactures (OEMs) shall provide compelling

arguments and evidence, i.e., an assurance case, that

their vehicles are safe also from a security perspective.

OEMs may pay a costly price if they develop

autonomous vehicle features without previously

producing analysis, argument, and evidence

supporting vehicle safety and security. Without

these artifacts, it is hard to expect that these vehicles

will be accepted by certiﬁcation agencies and

be allowed to be used in several countries, once

standards are more heavily enforced. Even more

troublesome is that several attacks have been reported

that can cause serious hazards to road-users, such

as vehicle collisions. As we claim here, many of

these attacks could have been identiﬁed during the

design of the system architecture by using a safe

and secure-by-design approach with suitable threat

analysis supported by automation.

A key challenge for the development of safe

and secure-by-design vehicles is handling the

enormous complexity involved. For example,

without adequate countermeasures, SOA allows any

software component to publish any data including

data that may be consumed by safety-critical

functions. This has been a source of, e.g.,

overprivilege attacks (Hong et al., 2020) causing

hazardous situation whenever a safety-critical function

consumes data erroneously published by a malicious

component (or even by a faulty component).

For another example, malicious components may

exploit SOA communication vulnerabilities to cause

man-in-the-middle attacks (Zelle et al., 2021).

Moreover, sensors, such as cameras and GPS radios,

180

Dantas, Y., Barner, S., Ke, P., Nigam, V. and Schöpp, U.

Automating Vehicle SOA Threat Analysis Using a Model-Based Methodology.

DOI: 10.5220/0011786400003405

In Proceedings of the 9th Inter national Conference on Information Systems Secur ity and Privacy (ICISSP 2023), pages 180-191

ISBN: 978-989-758-624-8; ISSN: 2184-4356

 2023 by SCITEPRESS – Science and Technology Publications, Lda. Under CC license (CC BY-NC-ND 4.0)

SOA Vehicle Model

Assets

Safety

Analysis

(HARA,

STPA)

Safety-Related Damage /

Threat Scenarios

Attack Paths

Security

Countermeasures

SOA Intruder

Model

Functions,

Signals,

Hazards

Loss

Scenarios

Logical/Physical

Architecture

LAUFEN

Automation

Figure 1: Illustration of the proposed Safe and

Secure-by-Design methodology, tool-chain and key

contributions (C1, C2 and C3).

are attack surfaces that may be exploited by attackers

to cause hazards (Jha et al., 2020; Shen et al., 2020).

1.1 Safe and Secure-by-Design

Methodology and Contributions

The proposed safety and security methodology and

three key contributions are depicted in Figure 1.

The methodology is built upon the following key

ideas from the automotive safety and security

co-engineering literature:

•

Analysis Techniques for Software-Intensive

Systems: System Theoretic Process Analysis

(STPA) (Leveson and Thomas, 2018) has

been recommended for safety analysis of

autonomous functions by standards such as the

ISO 21448 (Safety Of The Intended Functionality

– SOTIF) (SOTIF, 2021) for assuring the safety

of features such as autonomous driving. This

is because STPA does not assume linear causal

dependency and rather puts a greater emphasis on

the faulty/malicious component interactions.

•

Safety to Security: The approach recommended

by Bosch engineers (F

orster et al., 2019) uses

safety artifacts, e.g., safety goals and hazards,

as inputs to security analysis. There are two

key motivations for this: 1) A safety analysis is

typically carried out before a security analysis. 2)

By using safety as input to security, one can claim,

through appropriate traceability, completeness of

security analysis w.r.t. to the results of the safety

analysis. This is done, for example, by checking

whether all causes of hazards (called loss scenarios

in STPA terminology) have traces to appropriate

security analysis.

•

Model-Based Tool-Chains: Model-based

engineering approaches are based on formal

abstractions of the system under design and

therefore help mitigate the complexity of

nowadays software and hardware architectures

and to boost development speed and quality

when compared to traditional document-based

approaches by means of automated analysis,

design and validation tools.

While these methods have been proposed, this

article is the ﬁrst to apply them together into

an overarching model-based methodology for SOA

vehicle architectures. As depicted in Figure 1, we

start from a (SOA) Vehicle Model, specifying the

key functions, logical components, and platform

(a.k.a. physical) architecture. These model elements

ensure the soundness of the approach, as the safety

and security analysis that follow are traced to the

model. From the Hazard Analysis and Risk Asessment

(HARA) and STPA analysis, key safety functions,

channels and physical elements are identiﬁed, which

are then traced as assets from the security perspective

that need to be protected. Loss scenarios obtained from

STPA, i.e., the situations that may lead to hazards, are

traced to damage and threat scenarios specifying how

intruders can cause safety hazards. From this point

onward, we carry out a security analysis, e.g., using

the logical and platform architectures to identify attack

paths that can cause threat scenarios. Ultimately, we

discuss potential countermeasures to address threats.

The key beneﬁts of the approach are three-fold:

The ﬁrst beneﬁt is a full traceability between safety

and security analysis and the vehicle model. This

means that the analysis is reﬂected in the actual

implementation that will be deployed in the vehicle.

The second beneﬁt is that the methodology provides

guarantees that all loss scenarios for all hazards

are considered by the security analysis, e.g., all

loss scenarios are traced to damage/threat scenarios.

This means that all identiﬁed safety issues shall be

considered from the security perspective. The third

beneﬁt is that our model-based methodology enables

the use of automated methods, e.g., the automated

enumeration of attack paths based on intruder models.

The main contributions of this article are:

•

Apollo-Based Vehicle Model (C1): By examining

the relevant pieces of code in the Apollo code-base

related to autonomous driving functions, we

designed a faithful vehicle model. The model

reﬂects the SOA publish and subscribe pattern, and

the information (namely the topics) between the

Apollo components. To the best of our knowledge,

it is the ﬁrst model based on the Apollo v7.0.0

code base.

•

Intruder Model for Vehicle SOA (C2): By

examining vehicle SOA security literature,

we formalized an intruder model for vehicle

SOA. The intruder is capable of carrying out

Man-in-the-Middle (MITM) attacks, and carrying

out spooﬁng attacks by inﬁltrating the system

Automating Vehicle SOA Threat Analysis Using a Model-Based Methodology

181

from public interfaces to, e.g., exploit perception

sensors, such as LiDAR and Camera.

•

Attack Path Automation (C3): We developed

a machinery (LAUFEN) to automate the

enumeration of attack paths on the vehicle system

architecture. LAUFEN takes as input the

model, assets, damage/threat scenarios, and the

implementation of the intruder model, and outputs

all attack paths.

We demonstrate and validate our approach and

automation on the developed Apollo Vehicle Model.

Our focus is on safety assets as it is the main

concern for autonomous driving. The developed

machinery identiﬁed 246 attack paths. The attack

paths include attacks that have been reported in the

literature. Given the traceability to safety analysis, our

machinery identiﬁes a much greater number of attack

paths that would need to be mitigated (or for which

some security rational shall be provided) by security

countermeasures. Indeed, based on the generated

attack paths, we identiﬁed potential attacks that have

not yet been reported.

Structure of This Article: Section 2 describes the

Apollo vehicle model. Section 3 describes how

to trace assets, damage/threat scenarios to artifacts

produced by safety analysis. Sections 4 and 5

describe the intruder model and the attack paths

generated, including its validation using the Apollo

model. After discussing related and potential future

work in Section 6, we conclude in Section 7.

2 APOLLO MODELING

Apollo (Apollo, 2021) is an open-source autonomous

driving stack enabling highly autonomous vehicle

features (more precisely, at Level 4 in the SAE

ranking (sae, 2018)), such as Highway and Trafﬁc Jam

Pilots, where a vehicle can drive with limited human

supervision. Apollo v7.0.0 (Apollo, 2021) consists of

more than 500k lines of C++ code.

A central part of the Apollo implementation is

the Cyber RT middleware (cyb, 2019). Cyber RT

provides a publish/subscribe pattern to enable the

communication between software components running

over it. Components can communicate via tagged

channels, a.k.a. topics. Components may publish data

to topics by writing messages to a named topic and

may subscribe to any topic of interest by referring to

the topic name. Whenever a publisher writes data

to a topic, this data is received by all subscribers.

Cyber RT allows more than one component to publish

data on a topic, and more than one component to

subscribe to it. The announcement of (new) topics

and the subscription of components to topic names are

performed by a mechanism called service discovery.

This section describes the designed Apollo model

used to demonstrate our methodology. The model

focuses on the parts of the code-base that are related

to autonomous vehicle features, namely, sensors

(Camera, LiDAR), localization, perception, prediction,

planning, control, and HMI.

The Apollo system architecture has been

modeled in the model-based system engineering tool

AutoFOCUS3 (fortiss GmbH, 2022). The model

comprises of 9 functions, 61 logical components,

341 ports, transmitting 73 data structures with

361 members, 16 execution units, 12 transmission

units, and 6 sensors. We developed an experimental

metamodel (Aravantinos et al., 2015) extension

in AutoFOCUS3 to describe publish/subscribe

communication by means of dedicated topic port data

types. Due to the lack of space, the remainder of this

section describes only selected parts of the logical

and platform architecture, since the security results

presented in this article mainly focus on the logical

architecture and platform architecture.

Logical Architecture. The designed logical

architecture is complex and consists of four

hierarchical levels with multiple components. Figure 2

depicts the second highest level of our Apollo model

containing the main autonomous driving components.

The localization component receives sensor data

from GNSS and computes the vehicle’s position.

The vehicle’s position is received by the following

components. The perception component receives

sensor data from cameras, radars and LiDAR, and the

vehicle’s position. Perception identiﬁes obstacles, such

as other vehicles on the road, as well as the state of

trafﬁc lights. The prediction component takes the list

of obstacles from perception and the vehicle’s position,

and tries to predict the intention of obstacles, which

may be other vehicles or pedestrians. The prediction

includes aspects such as whether a vehicle intends to

change lanes. The relative map component aggregates

the list of obstacles and combines it with map data,

which contains information about the road, such as

lanes and trafﬁc lights. The planning component

takes as input all the data computed by localization,

perception, prediction and relative map. Planning uses

this data to plan a safe and comfortable trajectory

for the vehicle. The control component receives the

planned trajectory and produces control commands

(steering, acceleration, etc.) for the vehicle to follow

the trajectory.

A key challenge was to ensure the faithfulness of

the model to the Apollo code. To accomplish this, we

ICISSP 2023 - 9th International Conference on Information Systems Security and Privacy

182

Figure 2: Logical architecture: Main autonomous driving components.

extracted the model elements by manually inspecting

the Apollo code. For example, to ﬁnd all Cyber

RT components implemented in Apollo, we inspect

the code to ﬁnd all implementations of the

class

cyber::Component

. The next step was to identify

the topics and which components publish to them

and subscribe to them. The Apollo implementation

speciﬁes the topic communication using the following

mechanisms: DAG conﬁguration ﬁles, C++ code

implementing readers for topics and producers of

topics, and library code. We inspected each of these

mechanisms to map the topics that are subscribed and

published to components.

Platform Architecture. Figure 3 illustrates our

platform architecture that follows the trend for modern

smart car architectures consisting of a few, but

powerful ECUs and using network interfaces (i.e.,

switches) between ECUs.

The main ECUs in the platform architecture

are: (1) MDC: Mobile Data Center: This hardware

is responsible for the autonomous function related

components, such as inferring objects from camera

input, predicting the movement of objects in the

environment, planning trajectories. The MDC is

further sub-divided into sub-systems with different

types of processing units with different levels of safety

assurance levels, such as an ASIL-D MCU. (2) CDC:

Intelligent Cockpit: This hardware is responsible

for all the cockpit related functions, such as driver

monitoring systems and entertainment functions.

(3) VDC: Vehicle Controller: This hardware is

responsible for the basic vehicle control functions,

such as Electric Power Steering, Battery Management,

and Anti-lock Braking functions. (4) VIU 1-4: Vehicle

Integration Units: These hardware are powerful

gateways that interface the MDC, CDC, and VDC,

connected through network interfaces, to the domain

speciﬁc hardware connected through CAN buses.

The yellow shade in the model represents the system

boundary (a.k.a. item boundary). We consider as part

of the system all components that are implemented in

the Logical Architecture. For example, Sensors (e.g.,

LiDAR and GPS radio) are not part of the system itself.

They are third-party devices that are connected to the

system and provide inputs from the environment. We

consider them as public interfaces that are outside and

may be accessed by external users.

SAFETY-INFORMED SECURITY

ANALYSIS

Our main focus is to identify assets, damage and

threat scenarios related to safety as it is the main

concern to autonomous driving. We describe how

key safety artifacts are consumed by security analysts

to identify key security artifacts, establishing a

traceability between security and safety concerns. One

can argue from such traces the (relative) completeness

with respect to safety of the security analysis in the

sense that threats that can cause any one of the safety

loss scenarios are identiﬁed. As there is existing

literature that advocates similar traceability between

safety and security (F

orster et al., 2019; Dantas and

Nigam, 2022a), albeit not using loss scenarios and

artifacts mentioned in the ISO 21434 (ISO/SAE 21434,

2020), we simply exemplify the method on examples

using the Apollo system architecture. Our mapping

from safety artifacts to security artifacts is inspired

by the following work (Sabaliauskaite et al., )(Macher

et al., 2015)(F

orster et al., 2019).

Safety Analysis. We carried out a safety analysis for

the Apollo system architecture. In compliance to ISO

26262-3 (ISO26262, 2018), we have identiﬁed hazards

by using Hazard Analysis and Risk Assessment

(HARA). Furthermore, we use System Theoretic

Process Analysis (STPA) (Leveson and Thomas, 2018)

to identify how such hazards may occur.

Relevant for this article are hazards and loss

Automating Vehicle SOA Threat Analysis Using a Model-Based Methodology

183

Figure 3: Platform architecture based on modern smart car architecture (yellow shading represents the system boundary).

Table 1: Example of safety analysis results.

Hazard HZ1 Unintended distance between the ego vehicle and other objects.

Severity Life-Threatening (S3)

Exposure High Probability (E4) Safety Risk Level: ASIL D

Controllability Difﬁcult to Control (C3)

Loss Scenario LS1 that causes Hazard HZ1

Source Target Message Failure Mode

planning control trajectory erroneous

scenarios provided, respectively, by HARA and STPA.

A hazard is a potential source of loss (e.g., loss of life)

caused by malfunctioning behavior of the item (i.e.,

Apollo system architecture). A loss scenario describes

the casual factors that may lead to a hazard.

We have identiﬁed 4 hazards and 21 loss

scenarios. We will use the hazard (HZ1) and loss

scenario (LS1) described in Table 1 to demonstrate

the model-based methodology for threat analysis

described in Section 1.1. HZ1 is a high risk level

(ASIL D) related to the autonomous driving functions.

LS1 is a possible cause for HZ1. LS1 is traced to

two components in the model, planning and control,

and to the topic containing the trajectory produced by

planning. LS1 speciﬁes that if the computed trajectory

is erroneous, e.g., instead of recommending a low

acceleration, it recommends a right acceleration, HZ1

may occur, i.e., the vehicle may collide with obstacles.

Assets and Damage/Threat Scenarios from Safety

Analysis. Following the ISO 21434 (ISO/SAE

21434, 2020), assets are objects (e.g., software

components, hardware units) for which the

compromise of its cybersecurity property can lead to

the damage of the item. A damage scenario denotes

the adverse consequence due to the compromise of a

cybersecurity property of an asset. A threat scenario

denotes the potential actions (or simply attack) on

assets that can lead to damage scenarios. The hazards

and loss scenarios obtained from the safety analysis

can be directly used to identify such security artifacts

related to safety-related damages.

Damage scenarios are traced to hazards. The

damage scenario traced to HZ1 speciﬁes that

unintended distance shall be avoided also from a

security perspective. There are three main assets

that can be traced to the loss scenarios: Safety

Functions: The safety related functions (typically

implemented as pieces of software) shall be protected.

For LS1, the functions planning and control are

such assets. Topic/Messages: The safety-related

signals/messages mentioned in the loss scenarios shall

be protected. For LS1, the topic carrying the trajectory

information shall be protected. Hardware/Physical:

The hardware in which safety functions are deployed

shall be protected. The functions associated to LS1 are

deployed at the MCU (inside of MDC) hardware unit.

Moreover, the failure mode of loss scenarios indicates

which cyber-security properties (CIA properties) are

associated to the these assets. The failure mode

erroneous and loss indicate, respectively, that the

integrity and availability of the corresponding assets

shall be ensured. Notice that the conﬁdentiality

property cannot be extracted from safety analysis as

lack of conﬁdentiality does not lead to safety-related

damages. From the loss scenario and its derived

assets, one can elaborate threat scenarios by using,

e.g., the STRIDE methodology (Shostack, 2014). For

example, the integrity of safety functions and of

physical assets can be violated by tampering attacks,

ICISSP 2023 - 9th International Conference on Information Systems Security and Privacy

184

while the integrity of topic/messages can be violated

by spooﬁng and elevation of privilege.

These artifacts are used to enumerate attack paths

that shall be considered, namely those that can

lead to threat scenarios. The enumeration of attack

paths depends on the technology that is being used.

For example, if a software may be updated using

Over-the-Air mechanisms, then attack paths shall

consider how these mechanisms can be exploited to

tamper the software with malicious updates. For the

Apollo system architecture considered in this article,

one needs to consider the use of SOA machinery,

e.g., protocols for service discovery, publish-subscribe

communication patterns, sensors, and other public

interfaces, e.g., Bluetooth and WiFi. These are

considered in the next section.

4 INTRUDER MODEL FOR

VEHICLE SOA

We formalize an SOA intruder model deﬁned by the

rules in Figure 4. The intruder model is based on

the main attacks against vehicle SOA with centralized

architecture, described in Section 6. Intuitively, SOA

contain two main attack surfaces that may be exploited

if no suitable countermeasures are deployed.

•

Outsider Attackers can exploit public interfaces,

such as sensors and communication interfaces, to

inﬁltrate the system and attack vehicle assets, such

as safety functions. For example, attackers can

spoof GPS coordinates thus violating the integrity

of published position information by localization.

•

Insider Attackers can exploit vulnerabilities in the

underlying SOA protocols and carry out MITM

attacks thus violating the integrity of topics. For

example, attackers can carry out MITM attacks

between localization and perception to violate the

integrity of position information.

Figure 4 introduces the rules of the intruder model

reﬂecting these type of attacks. These inference rules

derive three judgments described below.

contains

system speciﬁcations which are extracted from the

vehicle model. These speciﬁcations are formalized as

atomic formulas using the predicate symbols described

in Table 2.

Γ ` wrt(X , Y )

and

Γ ` rd(X , Y )

denote that the port

of model element may write, respectively, read on

. Rule

write

speciﬁes that an output

of an ECU

may write on an input port

of a network element

if an output port

of a component is allocated to

(speciﬁed by

cpo(c, co), alloc(co, eo)

), and there is a

channel from

(speciﬁed by

ch(eo, ni)

). Rule

Table 2: Description of the predicates used to deﬁne the

intruder’s capabilities.

Predicate Denotation

ecui(ecu, ei) ECU ecu and its input port ei.

ecuo(ecu, eo) ECU ecu and its output port eo.

neti(net, ni)

net. interface

net

and its input port

ni.

neto(net, no)

net. interface

net

and its input port

no.

ch(out, inp)

channel from output port

out

input port inp.

wrt(el1, el2) element el1 writes data to el2.

rd(el1, el2) element el1 reads data from el2.

cpi(c, ci) component c and its input port ci.

cpo(c, co)

component

and its output port

alloc(el, ecu) element el is allocated to ecu.

pub(c, co, tp)

component

publishers the topic

through output port co.

sub(c, ci, tp)

component

subscribers to the

topic tp through input port ci.

if(ecu, ci, tp)

topic

is published within

ecu

through an information ﬂow from

ci.

pro(tp)

topic

is protected by a

cryptographic primitive.

publico(el, po) public el and its output port po.

i reach(el)

element

is reachable by the

intruder.

i attack(el) el may be attacked by the intruder.

write

is similar, but for public elements. Rule

write

speciﬁes that an input port of an ECU may write to

its own output port – we assume that there exists an

internal transmission within the ECU (

ch(ei, eo)

), e.g.,

components exchanging messages within the ECU.

Rule

write

is similar, but for network interfaces. Rule

read

speciﬁes when an ECU reads from a network

interface (similar to

write

). Rule

read

speciﬁes that

subscriber ports may read from publisher ports.

Γ ` i reach(X)

denotes when a port

of a model

element is reachable by an intruder. Rule

basic out

speciﬁes that any port of a public element in the

architecture can be reached by the (outsider) intruder.

Rule

reach wrt

speciﬁes that a port

of a model

element can be reached by the (outsider) intruder if a

port

writes on

. Respectively,

reach rd

speciﬁes

Automating Vehicle SOA Threat Analysis Using a Model-Based Methodology

185

Write and Read Rules

cpo(c, co), alloc(co, eo), ecuo(ecu, eo), neti(net, ni), ch(eo, ni) ∈ Γ

Γ ` wrt(eo, ni)

write

ecui(ecu, ei), ecuo(ecu, eo), ch(ei, eo) ∈ Γ

Γ ` wrt(ei, eo)

write

neti(net, ni), neto(net, no), ch(ni, no) ∈ Γ

Γ ` wrt(ni, no)

write

publico(el, po), neti(net, ni), ch(po, ni) ∈ Γ

Γ ` wrt(po, ni)

write

sub(c1, ci, tp), pub(c2, co, tp) ∈ Γ

Γ ` rd(ci, co)

read

cpi(c, ci), alloc(ci, ei), ecui(ecu, ei), neto(net, no), ch(no, ei) ∈ Γ

Γ ` rd(ei, no)

read

Intruder Reachability Rules

publico(el, po) ∈ Γ

Γ ` i reach(po)

basic

out

pub(c, co, tp) ∈ Γ

Γ ` i reach(co)

basic

ins

Γ ` wrt(p1, p2) Γ ` i reach(p1)

Γ ` i reach(p2)

reach wrt

Γ ` rd(p2, p1) Γ ` i reach(p1)

Γ ` i reach(p2)

reach rd

pub(c, co, tp), sub(c, ci, tp1), pub(c1, co1, tp1) ∈ Γ Γ ` rd(ci, co1) Γ ` i reach(co)

Γ ` i reach(ci)

reach ins rd

Intruder Attack Rules

if(ecu, p, tp) ∈ Γ Γ ` i reach(p)

Γ ` i attack(tp)

at out

sub(c1, ci, tp), pub(c, co, tp), ¬pro(tp) ∈ Γ Γ ` i reach(ci) Γ ` i reach(co)

Γ ` i attack(tp)

at ins

Figure 4: Intruder model for SOA.

that a port

of a model element can be reached

by the (outsider) intruder if

reads on a port

Rule

basic ins

speciﬁes that any publisher port in the

architecture can be reached by the (insider) intruder.

Rule

reach ins rd

speciﬁes that the (insider) intruder

can reach a subscriber port

reads on a reached

publisher port co.

Γ ` i attack(X)

denotes when a topic

can

be attacked. Rule

at out

speciﬁes that any topic

published within an information ﬂow (

if(ecu, p, tp)

)

from a reached ECU’s input port may be attacked.

Rule

at ins

speciﬁes that any topic between publisher

and subscriber ports reached by the (insider) intruder

may be attacked if the topic is not protected.

Outsider Intruder (Example). Consider the

platform architecture depicted in Figure 5. The black

and white circles connected to hardware units are,

respectively, output and input ports. We assume that

Sensor

is a public interface. The output port

Sensor

can be reached by the intruder based on the

rule

basic out

. The output port

writes on the input

port

of the network interface

Network1

, then based

reach wrt

the intruder can reach

and

. We

assume that the subscriber port (light blue square) of

component

CP1

is allocated to the input port

ECU1

, and that

reads from

. The intruder can

then reach

and

based on

reach rd

. Neither

nor

can be reached by the intruder. The intruder

can reach

writes to

. The intruder cannot

reach

and

. Finally, an intruder may carry out,

e.g., a spooﬁng attack from

Sensor

to violate the

integrity of the topics published by either

CP1

CP2

since there is an information ﬂow from i2 (at out).

Insider Intruder (Example). Consider the logical

architecture depicted in Figure 6. The dark and

light blue squares connected to components are,

respectively, publisher and subscriber ports. The

intruder can reach all publisher ports

o1...o6

based

ICISSP 2023 - 9th International Conference on Information Systems Security and Privacy

186

basic ins

. Based on

reach ins rd

, the intruder

can reach the subscriber ports

i1...i7

, as these

ports read from publishers, e.g.,

reads from

localization

via port

. The intruder cannot reach

the subscriber port

, as

infotainment

is not a

publisher. We assume the topics published by ports

and

are protected. Assume the topic published

planning

through port

is the intruder’s target.

As a result, the intruder has the following options

to carry out MITM attacks. An attack may be

carried out between

routing

and

planning

or even

between

perception

and

prediction

given that

the topic published by

perception

may affect the

topic published by

planning

. The intruder can

neither carry out attacks between

localization

and

planning

(same for

perception

and

prediction

nor between

prediction

and

planning

since the

topics are protected (

at ins

). The intruder cannot carry

out attacks from infotainment.

Figure 5: Illustration of the outsider intruder.

Figure 6: Illustration of the insider intruder.

Table 3: Number of identiﬁed attack paths and the execution

time taken by LAUFEN to computed the attack paths.

Intruder #Attack Paths

Execution time

(s)

Outsider 152 1.11

Insider 94 0.06

5 AUTOMATING ATTACK PATH

ANALYSIS

LAUFEN (vehicLe threAt analysis aUtomation For

sErvice-orieNted architectures) is an SOA machinery

that enables the automated computation of several

activities of the Threat Assessment and Remediation

Analysis (TARA) analysis. This section focuses

on the automated computation of attack paths that

can cause threat scenarios to vehicle SOA, i.e., the

paths that violate cybersecurity properties of assets

(Section 3). To this end, LAUFEN implements the

proposed intruder model in the logic programming

tool DLV (Leone et al., 2006). LAUFEN encodes

the system speciﬁcation as facts using the predicates

described in Table 2, and the intruder model described

in Section 4. Then the DLV solver is used to

enumerate the attack paths. We validate LAUFEN

on the modeled Apollo system architecture. The

implementation and the experimental results are

available at (Dantas and Nigam, 2022b).

Given the high complexity of the Apollo model,

naively computing the attack paths based on

reachability does not scale, in particular for the

outsider intruder. To address this problem, the

computation is divided into two steps. The ﬁrst step,

Intruder reachability, computes all the model elements

that are reachable by the intruder as speciﬁed by the

write and read, and reachability rules. Since no paths

are computed, the DLV engine computes the reachable

elements in the range of milliseconds. We then use the

reachable elements as input to the second step, Path

computation, where we make use of the attack rules.

Instead of enumerating all paths, we proceed using

a goal-oriented search to enumerate only the attack

paths on assets (a.k.a. asset-centric approach). This

means that DLV does not require to compute all paths.

We run the experiments on a 1.90GHz Intel Core

i7-8665U with 16GB of RAM running Ubuntu 18.04

LTS with kernel 5.4.0-113-generic and DLV 2.1.1.

Table 3 shows the number of identiﬁed attack paths,

and the execution time of LAUFEN. The execution

time in enumerating the attack paths is rather low,

i.e., 1.11 and 0.06 seconds for the outsider and insider

intruder, respectively. The number of identiﬁed attack

paths is high due the complexity of the system, e.g.,

the great number of public elements and the great

number of information ﬂows in the architecture. We

do not rule out any attack path to guarantee a complete

coverage of possible steps exploited by the intruder.

Section 5.1 elaborates on countermeasures that may

mitigate several of the identiﬁed attack paths.

We analyzed the generated attack paths w.r.t.

potential attacks against safety-critical topics. Table 4

organizes selected attack paths into attacks carried out

by an outsider attacker and insider attacker.

Firstly, our analysis was able to identify several

attacks that have been reported in the literature, namely

those attacks associated with a citation. The set of

attack paths computed includes attacks carried out

by outsider attackers exploiting

Bluetooth

LiDAR

Camera

GPS

and

Radar

that may target safety-critical

topics, cause loss scenarios and harm to road-users,

as well as by insider attackers exploiting SOA

communication vulnerabilities to target topics.

Secondly, we also identiﬁed potential attacks that

up to the best of our knowledge have not been reported

Automating Vehicle SOA Threat Analysis Using a Model-Based Methodology

187

Table 4: Potential attacks derived from selected attack paths. From and To denote, respectively, the model element where the

attack starts and ends. Affected Topic denotes the actual target of the attacker. The upper and lower part of the table describe,

respectively, selected attacks carried out by the outsider and insider intruder, incl. attacks reported in the literature. NA denotes

attacks that up to the best of our knowledge have not been reported in the literature. #Attack Paths denotes that number of

computed attack paths From and To.

From To Affected Topic Article

#Attack

Paths

Outsider Intruder

Bluetooth VDC signal (Chowdhury et al., 2020) 3

LiDAR MCU obstacles (Hau et al., 2021) 24

Front Left Camera MCU obstacles (Jha et al., 2020) 18

GPS MCU localization pose (Shen et al., 2020) 18

Front Radar MCU obstacles (Komissarov and Wool, 2021) 6

T-Box MCU traffic light NA 18

Insider Intruder

gnss driver velodyne detection tf (Hong et al., 2020) 1

gnss driver msf localization gnss best pose (Hong et al., 2020) 1

compensator velodyne detection pointcloud2 (Hong et al., 2020) 1

control chassis signal (Hong et al., 2020) 1

chassis gnss driver chassis (Hong et al., 2020) 1

v2x proxy traffic light traffic light NA 1

routing planning routing response NA 1

relative map planning map NA 1

in the literature (marked with NA). We analyzed in

further detail some of the attacks by using the model

and its connection to the Apollo code to ﬁnd out how

such attacks can lead to safety problems.

v o i d T r a f f i c L i g h t s P e r c e p t i o n C o m p o n e n t : : On R ece i veIm a ge (

c o n s t s t d : : s h a r e d p t r <a p o l l o : : d r i v e r s : : Image> msg ,

c o n s t s t d : : s t r i n g& ca m era name ) { . . .

* *

S e t t r a f f i c l i g h t s t a t u s b a s ed on c a mer a d a t a

* *

t r a f f i c l i g h t p i p e l i n e −>P e r c e p t i o n (

c a m e r a p e r c e p t i o n o p t i o n s , f r a me . g e t ( ) ) ; . . .

* *

O v e r w r i t e s t r a f f i c l i g h t s t a t u s i f v a l i d v 2x d a t a

* *

S y n c V 2X T r af f i cL i g ht s ( f r a m e . g e t ( ) ) ; . . . }

Figure 7: Overwriting trafﬁc light status with V2X data.

V2X Trafﬁc Light Overwrite Attack. LAUFEN

has identiﬁed attack paths targeting

v2v proxy

from

both outside and inside. Figure 8 illustrates the

attack from the outside. The

v2v proxy

component

publishes data on the trafﬁc light status obtained from

the road infrastructure. This data is subscribed by

the

traffic light

component which also subscribes

data from the cameras to identify and publish the

trafﬁc light status. Since there is a traceability from

the Apollo model and the Apollo source code, it

is straightforward to ﬁnd the relevant classes for

vulnerabilities. Indeed, we found out that the function

TrafﬁcLightsPerceptionComponent gives priority to

the data received by

v2v proxy

over the data received

by the cameras. Figure 7 shows a code snippet from

the TrafﬁcLightsPerceptionComponent function. As

a result, an attacker may manipulate the trafﬁc light

status from either outside (i.e., spooﬁng attack) or

inside (i.e., MITM attack). As illustrated by Figure 8,

a spooﬁng attack from

T-Box

manipulating the trafﬁc

light status can cause serious harm to passengers and

pedestrians as the vehicle can cross a red-light.

Route/Mapping Injection Attack. The seriousness

of some of the identiﬁed attack paths may not

be too obvious from a safety perspective. For

example, LAUFEN has identiﬁed the following attack

path:

{routing, planning}

targeting the

routing

response

topic. An insider attacker may carry out

a MITM attack between

routing

and

planning

provide a malicious route for the ego vehicle. From a

safety perspective, a loss scenario of type erroneous

from

routing

planning

may be easy to control,

and hence it would lead to a low criticality hazard (e.g.,

ASIL A or B). From a security perspective, however,

there are several serious consequences, including

hijacking of passengers. The

planning

component

may also be affected by the road map published

relative map

, as

planning

takes the map into

account while computing the vehicle trajectory.

ICISSP 2023 - 9th International Conference on Information Systems Security and Privacy

188

Figure 8: Illustration of a spooﬁng attack from T-Box to manipulate trafﬁc light status received by v2v proxy.

5.1 Potential Countermeasures

We have performed an attack path analysis to

deduce potential locations for instantiating security

countermeasures. Our analysis focused on the

computed attack paths using the outsider intruder. This

choice was made because we noticed that many of such

attack paths have the same preﬁx, which may be a hint

for instantiating security countermeasures.

Table 5 presents the main results of our attack

path analysis. Speciﬁcally, Table 5 shows the public

element that can be reached the outsider intruder, the

number of attack paths computed by LAUFEN from

the public element, and the common preﬁx for all

attack paths from the same public element.

Table 5: Attack paths analysis (outsider intruder).

Public element

#Attack

Paths

Preﬁx

Front

Left

Camera

21 Front Left

Camera → GMSL

→ VIU 1

Front

Right

Camera

21 Front Right

Camera → GMSL

→ VIU 3

GPS 21 GPS → Serial

→ VIU 3

Front

Radar

10 Front Radar →

CAN → MDC

Rear

Radar

10 Rear Radar →

CAN → MDC

LiDAR 27 LiDAR → SW4

Bluetooth 21 Bluetooth →

USB → CDC

T-Box 21 T-Box → SW3

The last architecture element described in the

Preﬁx column may be a suitable location to instantiate

a countermeasure and consequently address the attack

paths. From the Preﬁx column, we can also notice

that the gateway

VIU 3

is a common location in the

attack paths from both

Front Right Camera

and

GPS

. Similarly, the connection between

CAN

and

MDC

a common location in the attack paths from

Front

Radar

and

Rear Radar

. This gives us a hint that

security countermeasures could be placed in front

VIU 3

, and between

CAN

and

MDC

to address such

attack paths (speciﬁcally, 62 attack paths).

Firewalls are, e.g., recommended (Cheng et al.,

2019) as means to protect vehicle architectures

against such attacks. They may be deployed in

front of the last architecture elements in the Preﬁx

column to ﬁlter network trafﬁc and prevent malicious

intrusion. For the network interfaces (i.e.,

T-Box

and

Bluetooth

), one could also implement a mutual

authentication mechanism (e.g., mTLS) to ensure that

only authenticated messages are accepted.

Safety architecture patterns, such as

Heterogeneous Duplex pattern (Armoush, 2010),

may also be deployed as a second-layer of defense.

Consider, e.g., the V2X trafﬁc light overwrite attack

carried by an outsider attacker. This attack violates the

integrity of

traffic light

topic through

T-Box

. A

possible countermeasure is to include a checker in the

traffic light

component to consider inputs from

both

v2x proxy

and cameras (i.e., heterogeneous

inputs) – the

traffic light

component emits an

alert to the driver or transition the system to a safe

state if the inputs do not match.

The MITM attacks (e.g., the route injection

attack) carried by an insider attacker exploit SOA

communication vulnerabilities to violate the integrity

of topics. Digital signatures are a well-known

countermeasure for ensuring authenticity and integrity

between servers (e.g., publishers) and clients (e.g.,

subscribers). To address MITM attacks, one can

implement digital signatures in the Apollo system,

where each publisher originator signs its message,

and each subscribe of the message veriﬁes the

signature of the message. Fast-DDS provides a

cryptographic plugin for message authentication codes

computation and veriﬁcation. The use of digital

Automating Vehicle SOA Threat Analysis Using a Model-Based Methodology

189

certiﬁcates to address MITM attacks in Apollo was

inspired by (Hong et al., 2020) that proposed a

countermeasure using digital signatures for mitigating

publisher-subscriber overprivilege issues in Apollo.

All 94 attack paths (insider intruder) are, in

principle, addressed upon implementing digital

signatures. The decision of using digital signatures

causes, however, a performance penalty at the

execution time of software components. The

performance penalty can then be analyzed according

to several points of view, including security, safety

and ﬁnancial. However, since all of the identiﬁed

attack paths are safety critical, countermeasures shall

be implemented to ensure vehicle safety.

6 RELATED WORK

Due to the lack of space, we moved some parts of the

related work to (Dantas et al., 2022).

Attacks Against Vehicle SOA. The following work

has inspired us to formalize the intruder model for

vehicle SOA. A recent systematization of knowledge

article (Shen et al., 2022) gives an overview of

the state-of-the-art of the literature. In “Drift with

the devil” (Shen et al., 2020) it is shown that

an intruder may manipulate location information

by spooﬁng GPS radio signals. LiDAR sensor

signals may be spoofed to remove obstacles on the

road (Hau et al., 2021). Camera signals may also

be spoofed to manipulate video frames given that

the camera trafﬁc is transmitted in plain text (Jha

et al., 2020). An attack may exploit vulnerabilities

in a Bluetooth stack weakness to lock the brakes

of the vehicle (Chowdhury et al., 2020). In the

work by (Zelle et al., 2021), the authors investigate

possible security issues in the service discovery

mechanism of vehicle SOA, in particular SOA using

the SOME/IP protocol, enabling the attacker to carry

out MITM attacks between publishers and subscribers.

In the work on AVGuardian (Hong et al., 2020),

the authors investigated possible publisher/subscriber

overprivilege instances in Apollo.

Our intruder model speciﬁes the main attacker’s

capabilities needed to carry out the above attacks

at the architecture level, including the capabilities

of attackers to carry out (a) spooﬁng attacks from

outside (e.g., from sensors), and (b) MITM attacks

from inside (e.g., between components), thus violating

the integrity of safety-critical topics. The attacks

exploiting overprivileged instances can be seen as a

speciﬁc case of the MITM attack.

Automate Threat Analysis. A survey on threat

modeling (Xiong and Lagerstr

om, 2019) has

shown that most threat modeling work remains

to be done manually. We brieﬂy describe some

of the security/threat analysis tools that provide

computed-aided support in the automotive domain.

AVGuardian (Hong et al., 2020) is a static

analysis tool to detect overprivilege instances in source

code implementing service-oriented architectures for

automotive systems. AVGuardian examines each

module’s source code and automatically detects

publisher and subscriber overprivilege instances in the

ﬁelds of topics deﬁned by the module. AVGuardian

requires the behavior speciﬁcation of the system to

detect overprivilege instances. LAUFEN has been

implemented to identify threats and attack paths during

the design of the system architecture without the

behavior speciﬁcation of the system. LAUFEN was

able to automatically compute attack paths that may

lead to the attacks detected by the AVGuardian tool.

ProVerif (Blanchet et al., 2022) and Tamarin

Prover (Basin et al., 2022) are well-known automated

reasoning tools to verify the security properties of

systems (in particular, security protocols) with the

Dolev-Yao intruder model (Dolev and Yao, 1983).

These reasoning tools require the formal speciﬁcation

of the behavior of the system to verify its properties.

A promising future work direction is to include the

behavior speciﬁcation in our Apollo model and use

such reasoning tools to verify security properties of

SOA protocols such as SOME/IP or DDS.

An attack propagation method that targets

automotive safety-critical functions has been proposed

by (Fockel et al., 2022). The commercial tool

ThreatGet (thr, 2022) enables the identiﬁcation

of attack paths following ISO 21434. Microsoft

SDL Threat Modeling tool (sdl, 2022) is another

well-known commercial tool to compute threats. The

threats are computed using STRIDE. The attack path

associated to each compute threat is represented

using data ﬂow diagrams. To the best of our

knowledge, these tools do not support intruder model

capabilities for vehicle SOA. This article advances the

state-of-the-art by proposing a machinery built upon

realistic formalized intruder models for vehicle SOA.

7 CONCLUSION

This article proposed automated methods for

threat analysis using a model-based engineering

methodology. To this end, we have (a) modeled

a faithful vehicle model of the autonomous driving

functions of the Apollo framework, (b) formalized

ICISSP 2023 - 9th International Conference on Information Systems Security and Privacy

190

an intruder model for vehicle SOA based on a

literature review, and (c) developed LAUFEN, an

SOA machinery for computing several activities of

a threat analysis, including attack paths.

ACKNOWLEDGMENTS

We thank the anonymous reviewers for valuable

comments. We thank Anait Boyajyan for the

assistance provided with the ﬁgures used in this article.

REFERENCES

(2018). SAE International Releases Updated Visual Chart

for Its “Levels of Driving Automation” Standard for

Self-Driving Vehicles.

(2019). Apollo Cyber RT. Available at https://cyber-rt.

readthedocs.io/.

(2022). Microsoft SDL Threat Modeling Tool.

Available at https://www.microsoft.com/en-us/

securityengineering/sdl/threatmodeling.

(2022). ThreatGet - Threat Analysis and Risk Management.

Available at https://www.threatget.com/.

Apollo (2021). An Open Autonomous Driving Platform.

https://github.com/ApolloAuto/apollo.

Aravantinos, V., Voss, S., Teuﬂ, S., H

olzl, F., and Sch

atz,

B. (2015). AutoFOCUS 3: Tooling Concepts for

Seamless, Model-based Development of Embedded

Systems. In ACES-MB’15.

Armoush, A. (2010). Design Patterns for Safety-Critical

Embedded Systems. PhD thesis, RWTH Aachen

University.

Basin, D., Cremers, C., Dreier, J., Meier, S., Sasse, R.,

and Schmidte, B. (2022). Tamarin Prover https://

tamarin-prover.github.io/.

Blanchet, B., Cheval, V., Allamigeon, X., Smyth, B.,

and Sylvestre, M. (2022). ProVerif https://bblanche.

gitlabpages.inria.fr/proverif/.

Cheng, B. H. C., Doherty, B., Polanco, N., and Pasco, M.

(2019). Security Patterns for Automotive Systems. In

MODELS’19.

Chowdhury, A., Karmakar, G. C., Kamruzzaman, J., Jolfaei,

A., and Das, R. (2020). Attacks on Self-Driving Cars

and Their Countermeasures: A Survey. IEEE Access.

Dantas, Y. G., Barner, S., Ke, P., Nigam, V., and Schoepp, U.

(2022). Technical Report: Automating Vehicle SOA

Threat Analysis using a Model-Based Methodology.

Technical report.

Dantas, Y. G. and Nigam, V. (2022a). Automating Safety

and Security Co-Design through Semantically-Rich

Architectural Patterns. ACM Trans. Cyber Phys. Syst.

Dantas, Y. G. and Nigam, V. (2022b). https://github.com/

ygdantas/LAUFEN.

Dolev, D. and Yao, A. C. (1983). On the security of public

key protocols. IEEE Trans. Inf. Theory, 29(2):198–207.

Fockel, M., Schubert, D., Trentinaglia, R., Schulz, H.,

and Kirmair, W. (2022). Semi-automatic integrated

safety and security analysis for automotive systems. In

MODELSWARD’22.

orster, D., Loderhose, C., Bruckschl

ogl, T., and Wiemer,

F. (2019). Safety goals in vehicle security analyses: a

method to assess malicious attacks with safety impact.

In the 17th escar Europe - Embedded Security in Cars.

fortiss GmbH (2022). AutoFOCUS 2.21.

Hau, Z., Co, K. T., Demetriou, S., and Lupu, E. C.

(2021). Object removal attacks on lidar-based 3d object

detectors. CoRR, abs/2102.03722.

Hong, D. K., Kloosterman, J., Jin, Y., Cao, Y.,

Chen, Q. A., Mahlke, S. A., and Mao, Z. M.

(2020). AVGuardian: Detecting and Mitigating

Publish-Subscribe Overprivilege for Autonomous

Vehicle Systems. In EuroS&P’20.

ISO26262 (2018). ISO 26262, road vehicles — functional

safety — part 6: Product development: software level.

ISO/SAE 21434 (2020). Road vehicles - cybersecurity

engineering.

Jha, S., Cui, S., Banerjee, S. S., Cyriac, J., Tsai, T.,

Kalbarczyk, Z., and Iyer, R. K. (2020). ML-Driven

Malware that Targets AV Safety. In DSN 2020.

Komissarov, R. and Wool, A. (2021). Spooﬁng attacks

against vehicular FMCW radar. In ASHES@CCS’21.

Leone, N., Pfeifer, G., Faber, W., Eiter, T., Gottlob, G.,

Perri, S., and Scarcello, F. (2006). The DLV system for

knowledge representation and reasoning. ACM Trans.

Comput. Log., 7.

Leveson, N. G. and Thomas, J. P. (2018). STPA Handbook.

Macher, G., Sporer, H., Berlach, R., Armengaud, E., and

Kreiner, C. (2015). SAHARA: A Security-aware

Hazard and Risk Analysis Method. In DATE’15.

Sabaliauskaite, G., Liew, L. S., and Cui, J. C.

Shen, J., Wang, N., Wan, Z., Luo, Y., Sato, T., Hu, Z., Zhang,

X., Guo, S., Zhong, Z., Li, K., Zhao, Z., Qiao, C., and

Chen, Q. A. (2022). Sok: On the semantic AI security

in autonomous driving. CoRR, abs/2203.05314.

Shen, J., Won, J. Y., Chen, Z., and Chen, Q. A. (2020). Drift

with Devil: Security of Multi-Sensor Fusion based

Localization in High-Level Autonomous Driving under

GPS Spooﬁng. In USENIX’20.

Shostack, A. (2014). Threat Modeling: Designing for

Security. Wiley.

SOTIF, I. . (2021). Safety of the Intended Functionality.

UN (2021). UN Regulation No. 155 - Cyber security and

cyber security management system.

WIRED (2015). Hackers remotely kill a jeep on the

highway-with me in it. Available at https://www.wired.

com/2015/07/hackers-remotely-kill-jeep-highway/.

Xiong, W. and Lagerstr

om, R. (2019). Threat modeling - A

systematic literature review. Comput. Secur., 84:53–69.

Zelle, D., Lauser, T., Kern, D., and Krauß, C.

(2021). Analyzing and Securing SOME/IP Automotive

Services with Formal and Practical Methods. In

ARES’21.

Automating Vehicle SOA Threat Analysis Using a Model-Based Methodology

191