Formalising Systematic Security Evaluations Using Attack Trees for Automotive Applications

  • Madeline CheahEmail author
  • Hoang Nga Nguyen
  • Jeremy Bryans
  • Siraj A. Shaikh
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10741)


Vehicles are insecure. To protect such systems, we must begin by identifying any weaknesses. One approach is to apply a systematic security evaluation to the system under test. In this paper we present a method for systematically generating tests based on attack trees. We formalise the attack trees as provably-equivalent process-algebraic processes, then automatically generate tests from the process-algebraic representation. Attack trees may include manual input (and thus so will some test cases) but scriptable test cases are automatically executed. Our approach is inspired by model based testing, but allows for the fact that we do not have a specification of the system under test. We demonstrate this methodology on a case study and find that this is a viable method for automation of systematic security evaluations.


Automotive security Attack trees Secure design Security testing Bluetooth 


  1. 1.
    Argus Cybersecurity: Argus Cyber Security Working with Bosch to Promote Public Safety and Mitigate Car Hacking (2017).
  2. 2.
    Cheah, M., Bryans, J., Fowler, D.S., Shaikh, S.A.: Threat intelligence for bluetooth-enabled systems with automotive applications: an empirical study. In: Proceedings of the 47th IEEE/IFIP Dependable Systems and Networks Workshops: Security and Safety in Vehicles (SSIV). IEEE, Denver, June 2017Google Scholar
  3. 3.
    Cheah, M., Shaikh, S., Haas, O., Ruddle, A.: Towards a systematic security evaluation of the automotive bluetooth interface. J. Veh. Commun. 9(7), 8–18 (2017)CrossRefGoogle Scholar
  4. 4.
    Checkoway, S., McCoy, D., Kantor, B., Anderson, D., Shacham, H., Savage, S., Koscher, K., Czeskis, A., Roesner, F., Kohno, T.: Comprehensive experimental analyses of automotive attack surfaces. In: Proceedings of 20th USENIX Security Symposium, pp. 77–92. USENIX Association, San Francisco, August 2011Google Scholar
  5. 5.
    Cho, K.T., Shin, K.G.: Error handling of in-vehicle networks makes them vulnerable. In: Proceedings of the 23rd ACM SIGSAC Conference on Computer and Communications Security, pp. 1044–1055. ACM, New York, October 2016Google Scholar
  6. 6.
    Dunning, J.: SpoofTooph (2012).
  7. 7.
    ELM Electronics: ELM Electronics: OBD.
  8. 8.
    Felderer, M., Zech, P., Breu, R., Buchler, M., Pretschner, A.: Model-based security testing: a taxonomy and systematic classification. Softw. Test. Verif. Reliab. 26(2), 119–148 (2015)CrossRefGoogle Scholar
  9. 9.
    Fowler, D.S., Cheah, M., Shaikh, S.A., Bryans, J.: Towards a testbed for automotive cyberecurity. In: Process of the 10th International Conference on Software Testing, Verification and Validation: Industry Track. IEEE, Tokyo, March 2017Google Scholar
  10. 10.
    Greenberg, A.: Hackers remotely kill a jeep on the highway-with me in it (2015).
  11. 11.
    Hoare, C.: Communicating Sequential Processes, Electronic edn. Prentice Hall International, Upper Saddle River (1985)zbMATHGoogle Scholar
  12. 12.
    Hoppe, T., Kiltz, S., Dittmann, J.: Security threats to automotive CAN networks - practical examples and selected short-term countermeasures. Reliab. Eng. Syst. Saf. 96(1), 11–25 (2011)CrossRefGoogle Scholar
  13. 13.
    Jhawar, R., Kordy, B., Mauw, S., Radomirović, S., Trujillo-Rasua, R.: Attack trees with sequential conjunction. In: Federrath, H., Gollmann, D. (eds.) SEC 2015. IAICT, vol. 455, pp. 339–353. Springer, Cham (2015). Scholar
  14. 14.
    Koscher, K., Czeskis, A., Roesner, F., Patel, S., Kohno, T., Checkoway, S., McCoy, D., Kantor, B., Anderson, D., Shacham, H., Savage, S.: Experimental security analysis of a modern automobile. In: Proceedings of the 2010 IEEE Symposium on Security and Privacy, pp. 447–462. IEEE, Oakland, May 2010Google Scholar
  15. 15.
    Mauw, S., Oostdijk, M.: Foundations of attack trees. In: Won, D.H., Kim, S. (eds.) ICISC 2005. LNCS, vol. 3935, pp. 186–198. Springer, Heidelberg (2006). Scholar
  16. 16.
    Nogueira, S., Sampaio, A., Mota, A.: Test generation from state based use case models. Form. Asp. Comput. 26(3), 441–490 (2014)MathSciNetCrossRefGoogle Scholar
  17. 17.
    Oka, D.K., Furue, T., Langenhop, L., Nishimura, T.: Survey of vehicle IoT bluetooth devices. In: 2014 IEEE 7th International Conference on Service-Oriented Computing and Applications, pp. 260–264. IEEE, Matsue, November 2014Google Scholar
  18. 18.
    Pretschner, A., Broy, M., Kruger, I.H., Stauner, T.: Software engineering for automotive systems: a roadmap. In: Proceedings of the FOSE’07 2007 Future of Software Engineering, pp. 55–71. IEEE, Minneapolis, May 2007Google Scholar
  19. 19.
    Robert Bosch GmbH: CAN Specification Version 2.0 (1991).
  20. 20.
    Roscoe, A.: Understanding Concurrent Systems, 1st edn. Springer, London (2010). Scholar
  21. 21.
    Ruddle, A., Ward, D., Weyl, B., Idrees, S., Roudier, Y., Friedewald, M., Leimbach, T., Fuchs, A., Gurgens, S., Henniger, O., Rieke, R., Ritsscher, M., Broberg, H., Apvrille, L., Pacalet, R., Pedroza, G.: EVITA project: deliverable D2.3 - security requirements for automotive on-board networks based on dark-side scenarios. Technical report (2009).
  22. 22.
    SAE International: SAE J1979 E/E Diagnostic Test Modes (2014).
  23. 23.
    SAE International: J3061: Cybersecurity Guidebook for Cyber-Physical Vehicle Systems (2016).
  24. 24.
    Salfer, M., Schweppe, H., Eckert, C.: Efficient attack forest construction for automotive on-board networks. In: Chow, S.S., Camenisch, J., Hui, L.C., Yiu, S.M. (eds.) 17th International Conference (ISC) on Information Security, October 2014Google Scholar
  25. 25.
    Schneier, B.: Attack trees: modeling security threats (1999).
  26. 26.
    University of Oxford: FDR3 - The CSP Refinement Checker.
  27. 27.
    Utting, M., Pretschner, A., Legeard, B.: A taxonomy of model-based testing approaches. Softw. Test. Verif. Reliab. 22(5), 297–312 (2012)CrossRefGoogle Scholar
  28. 28.
    Vigo, R., Nielson, F., Nielson, H.R.: Automated generation of attack trees. In: Proceedings of the 27th Computer Security Foundations Symposium. IEEE, Vienna (2014)Google Scholar

Copyright information

© IFIP International Federation for Information Processing 2018

Authors and Affiliations

  • Madeline Cheah
    • 1
    Email author
  • Hoang Nga Nguyen
    • 1
  • Jeremy Bryans
    • 1
  • Siraj A. Shaikh
    • 1
  1. 1.Institute for Future Transport and CitiesCoventry UniversityCoventryUK

Personalised recommendations