forked from pontusj101/autosarLang
-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathAPInternetwork.mal
363 lines (294 loc) · 12.6 KB
/
APInternetwork.mal
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
include APServices.mal
category System {
//Partially taken from vehicleLang with some modifications
asset ECU extends AdaptiveMachine
info: "An intelligent ECU, which is designed to support high-performance computing and high-speed connectivity."
rationale: "An intelligent ECU extends the adaptive machine defined within this specification."
{
| connect
info: "Attackers can attempt to connect to the ECU if they have access to the network, services, data flows, etc..."
-> _adaptiveMachineAccess,
attemptChangeOperationMode,
firmware.maliciousFirmwareModification
| access
info: "Attacker gain an access to the ECU after bypassed access control or properly authenticated."
-> _adaptiveMachineAccess,
changeOperationMode,
uploadFirmware,
bypassMessageConfliction,
injectWakeUpFunction,
busNetwork.denialOfService
| maliciousFirmwareUpload
info: "Maliciously upload a forged firmware leads to full access on the ECU and ability to inject messages on the previous running services."
-> access,
bypassMessageConfliction,
busNetwork.trafficInjection
& uploadFirmware
info: "Updating the firmware leads to the ability to inject messages not only on the previous running services but also on network."
-> busNetwork.trafficInjection
| passFirmwareValidation
info: "If the firmware validation key is stored in the ECU, this means that the firmware validation is passed, and a new firmware can be uploaded."
-> uploadFirmware
| shutdown
info: "When the ECU is taken offline by some other attack step. The effort needed to achieve this is applied on the distributions of the parent attacks."
rationale: "<denialOfService> deny access to data and executees."
-> bypassMessageConfliction,
denialOfService
& changeOperationMode
info: "Put the ECU into diagnostics (if vehicle is moving slowly or is stopped) or even update mode (bootmode)."
rationale: "This can bypass message conflictions and IDPS because the legitimate ECU will no lorger send messages and the attacker can imitate it, if carefull."
-> bypassMessageConfliction
& attemptChangeOperationMode [ExponentialDistribution(10.0)]
info: "Put the ECU into diagnostics (if vehicle is moving slowly or is stopped) or even update mode (bootmode) but after some effort."
-> bypassMessageConfliction
# operationModeProtection
info: "Either prevent diagnostics mode after vehicles starts moving or allow diagnostics mode only after some physical change is done on vehicle."
-> changeOperationMode,
attemptChangeOperationMode
| bypassMessageConfliction
info: "Bypass message confliction protection mechanisms by changing ECU's operation mode -> no conflicts -> service message injection."
rationale: "Reaching this step is enough."
//AUTOSARLang specific ---------------------
| busOff
info: "A state that an ECU is shutdown forever."
rationale: "This attack step can be reached from vehicle bus network"
-> denialOfBodyControl
| injectWakeUpFunction
-> batteryDrain
| denialOfBodyControl
info: "Because of ECUs bus-off state, communication between the keyfob and vehicle is cut-off and make driver unable to start the vehicle."
-> vehicleImmobilization
| batteryDrain
-> vehicleImmobilization
| vehicleImmobilization
info: "Vehicle cannot be mobilized unless dead ECUs are changed."
rationale: "Reaching this step is enough."
}
//Directly taken from vehicleLang
asset Firmware extends Software
info: "Specifies the firmware running on an ECU as a basic software."
{
| maliciousFirmwareModification
info: "Validate a firmware update either by cracking (brute forcing) the checksum or worse by exploiting the absence of verification."
-> bypassFirmwareValidation,
crackFirmwareValidation
| crackFirmwareValidation [ExponentialDistribution(20.0)]
info: "Crack firmware validation if it is enabled."
-> hardware.maliciousFirmwareUpload
& bypassFirmwareValidation
info: "Bypass firmware validation if it is not enabled."
-> hardware.maliciousFirmwareUpload
# firmwareValidation
info: "Code signing and verification during upload, use of strong checksum functions and/or don’t distribute the private keys for signing."
rationale: "Rubicon - Zero-knowledge Armor for Automotive Security, RubiconLabs"
-> bypassFirmwareValidation
}
//Directly taken from coreLang
asset NetworkService extends Service {
| access
-> _softwareAccess,
dataflows.respond
}
asset NetworkClient extends Client {
| access
-> _softwareAccess,
dataflows.request
}
//AUTOSARLang specific ---------------------
asset NetworkServiceAndClient extends AdaptivePlatformFoundation {
| access
info: "Get access to the communication management or REST."
rationale: "Once an attacker gets access to CM or REST, she can act as both network service and network client."
-> _adaptivePlatformAccess,
dataflows.request,
dataflows.respond,
denialOfService
| denialOfService
-> dataflows.denialOfService
}
asset CommunicationManagement extends NetworkServiceAndClient
info: "CM is a foundational functionality that the platform should constitute. It handles network services request and reply with a service-oriented architecture model." {}
asset REST extends NetworkServiceAndClient
info: "RESTful is a foundational functionality that handles network services request and reply with a network binding via HTTP/JSON communication format." {}
}
category Networking {
asset Network
info: "Networks include Ethernet LANs, the Internet, and Wifi networks."
{
| access
info: "Access implies the possibility to submit packets over the network. It does not imply the possibility to listen to others' traffic on the network. You are outside the router but with a possibility to communicate in to the network."
-> trafficRouters.forwarding,
denialOfService,
service.connect
| eavesdrop
info: "Attackers can sometimes eavesdrop."
-> dataflows.eavesdrop
| manInTheMiddle
info: "Attackers can sometimes intercept and tamper with communications."
-> access,
eavesdrop,
dataflows.manInTheMiddle,
trafficRouters.denialOfService
| denialOfService
info: "The network is made unavailable."
-> dataflows.denialOfService
}
asset Router extends NetworkService {
& access
-> _machineAccess,
trafficNetworks.manInTheMiddle,
forwarding
| forwarding
rationale: "Forwarding is the lightest interaction with the router, where the router simply retransmits received messages. Vulnerabilities may, however, lead to compromise of the router as well as of the associated firewall. Therefore, Forwarding leads to Connect."
-> connect
| denialOfService
-> trafficNetworks.denialOfService
}
//AUTOSARLang specific ---------------------
asset VehicleNetwork extends Network
info: "Vehicular network refers to in-vehicle network in this context. It AUTOSAR AP, in-vehicle network includes Ethernet network and bus networks."
{
| physicalAccess
info: "Get physical access to the in-vehicle network."
-> denialOfService,
eavesdrop,
access
| access
info: "Get access to the vehicular network."
-> denialOfService,
trafficInjection,
networkedEcus.connect,
trafficRouters.forwarding,
service.connect
| trafficInjection
rationale: "Reaching this step is enough. It'll be redefined by its child assets."
}
asset BusNetwork extends VehicleNetwork
info: "Bus network includes CAN, LIN, FlexRay networks, and the like."
{
| trafficInjection
info: "An adversary injects traffic for further exploitation, e.g. wakeup messages, or exceed the maximum allowed Transmit Error Counter threshold."
-> wakeUpMessageInjection,
busNetworkedEcus.busOff
| wakeUpMessageInjection
info: "Specialized form of traffic injection"
-> busNetworkedEcus.batteryDrain
& impersonation
rationale: "No way for a correct ECU to prove that it has not sent or receive a given message."
-> manInTheMiddle
# msgAuthenticated
-> impersonation
}
asset EthernetNetwork extends VehicleNetwork {
| physicalAccess
rationale: "A technician attacker can get an opportunity to access the Ethernet network, maybe, for maintenance. However, in an Ethernet network, physical access merely can't help the attacker to eavesdrop messages or act as a man-in-the-middle."
-> denialOfService,
access,
unauthorizedNetworkExpansion,
resetSwitchPassword
& unauthorizedNetworkExpansion
-> manInTheMiddle
| access
-> denialOfService,
trafficInjection,
networkedEcus.connect,
trafficRouters.forwarding,
service.connect,
arpCachePoisoning,
macSpoofing,
dhcpSpoofing,
macFlooding
| denialOfService
-> dataflows.denialOfService
| eavesdrop
-> sessionHijacking,
replay,
dataflows.eavesdrop
| sessionHijacking
-> impersonation
| replay
-> impersonation
| dhcpSpoofing
-> manInTheMiddle
& arpCachePoisoning
-> manInTheMiddle
& macSpoofing
-> manInTheMiddle
& impersonation
-> manInTheMiddle
| resetSwitchPassword
-> switchAccess
| switchAccess
-> overwriteSwitchMACTable,
resetSwitchPassword,
denialOfService,
networkedEcus.connect
| overwriteSwitchMACTable
info: "Switch MAC table is overwritten."
-> macFlooding
| macFlooding
-> eavesdrop,
denialOfService
| shutdown
-> denialOfService
| trafficInjection
-> denialOfService
# sARP
-> arpCachePoisoning
# idps
-> macSpoofing
# limitNewMACAddress
-> unauthorizedNetworkExpansion
# msgAuthenticated
-> impersonation
}
}
category Communication {
asset Dataflow
info: "Dataflow is a channel that contains Data in transit."
rationale: "As opposed to securiLang1, missing network paths cannot stop modelled dataflows. If there is a dataflow but no network infrastructure to support it, this logic will assume that the unmodelled infrastructure exists."
{
| eavesdrop
info: "An attacker that eavesdrops on the data flow, can access the contained data. That data may, in turn, be encrypted, thus preventing a breach of confidentiality."
-> data.read
| manInTheMiddle
info: "An attacker that man-in-the-middles the data flow, can control the contained data. That data may, in turn, be encrypted and authenticated, thus preventing a breach of confidentiality and integrity."
-> eavesdrop,
denialOfService,
request,
respond,
data.write,
data.read,
data.delete
| denialOfService
info: "A denial-of-service-attack on the dataflow makes the contained data inaccessible. The information may, however also be available elsewhere."
-> data.delete
| request
-> services.connect,
nsc.connect // new
| respond
-> clients.connect,
executingClients.access,
nsc.connect, //new
nsc.access //new
}
}
associations {
Network [trafficNetworks] * <-- Connection --> * [trafficRouters] Router
Network [networks] * <-- Communication --> * [dataflows] Dataflow
Network [networks] * <-- Listening --> * [service] NetworkService
Dataflow [dataflows] * <-- Request --> * [clients] NetworkClient
Dataflow [dataflows] * <-- Response --> * [services] NetworkService
Dataflow [dataflows] * <-- RequestRequest --> * [nsc] NetworkServiceAndClient
Dataflow [programDistributionFlow] * <-- ProgramDistributionToClient --> * [executingClients] NetworkClient
info: "Some servers distribute programs to clients, e.g. software updates, or Web applications."
Dataflow [programDistributionFlow] * <-- ProgramDistributionFromServer --> * [providingServices] NetworkService
info: "Some servers distribute programs to clients, e.g. software updates, or Web applications."
Dataflow [dataflow] 0-1 <-- Transmission --> 0-1 [data] Data
CommunicationManagement [com] * <-- CmDataflow --> * [dataflows] Dataflow
REST [rest] * <-- RestDataflow --> * [dataflows] Dataflow
ECU [hardware] 1 <-- FirmwareExecution --> 0-1 [firmware] Firmware
info: "Every ECU can have (up to one) firmware running on it."
ECU [networkedEcus] * <-- Connection --> 0-1 [vNetworks] VehicleNetwork
ECU [busNetworkedEcus] * <-- Connection --> 0-1 [busNetwork] BusNetwork
}