Assuring Trustworthiness via Structured Assurance Cases
legitimate update without that signed checksum. Once they had access to the CAN bus from the head unit, they could issue all the commands they wanted to the other devices on the bus, including opening and closing windows, changing speeds, turning the wheels, turning on the blinkers and windshield wipers, and so on.

Now, the actual attacks in 2015 did not work at highway speed, because they were based on a hack to the diagnostic system, which does not allow changes to be made above 5 MPH; but it turned out that the tire pressure monitoring system was the source of the information about what speed the vehicle was going. So, in 2016, the Jeep hack was evolved to spoof the tire pressure monitor messages to tell the car that it was going slow when it really wasn't. This was possible because the protocol for the bus discarded duplicate messages. Once they figured out how to get illegitimate messages and message numbers onto the bus before the actual tire pressure monitoring system's messages, through a spoof attack, they could go at highway speeds. Now, when the tire pressure monitoring system put its message out, it was discarded as a duplicate, and the car paid attention to the spoofed messages saying that it was going slow when in fact it was not.

A more structured review of the possible weaknesses in the design, architecture, code and deployed configurations of the software-enabled capabilities in the Jeep ecosystem, guided by a broad understanding of how software can be attacked through its inherent weaknesses, could have identified the mistakes leveraged by the Jeep hacks. Expecting engineers and developers to think of the myriad ways software can be influenced and attacked to do things not intended by its creators, without standard methods of identifying what to look for and without providing a rigorous method for collecting and analyzing what is done, is one of the most common mistakes enterprises make. Through knowledge bases such as CVE, CWE, and CAPEC, an organization can leverage the expertise of the world's software security and assurance experts and apply it to their specific type of software-enabled capabilities. All of the different testing techniques introduced and discussed in this section can be brought together as part of the evidence supporting an assurance case.

The DEIS (Dependability Engineering Innovation for Cyber Physical Systems) project [35] is one example of an effort applying assurance cases. DEIS is exploring the idea of a digital dependability identity, which basically holds all the information about the dependability characteristics of the cyber-physical system. We suggest that you can swap the word trustworthiness for dependability. Thus, the idea they are investigating is to have the vehicle itself, from its creation on, carry in digital form the assurance case for why it is trustworthy and under what conditions it is trustworthy. Then, as it goes out into the world, it can offer up to others in its ecosystem an explicit machine-processable document that

[35] Dependability Engineering Innovation for Cyber Physical Systems (CPS), http://www.deis-project.eu/
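The duplicate-discard weakness behind the spoofed tire pressure messages described above, turned into a defender's bus monitor; this is an added example, not code from the article or from the DEIS project. The frame layout, the ids TPMS_ID and WHEEL_ID, the speed threshold and the sample frames are constructed assumptions, not the real CAN or TPMS encoding.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Frame:
    """Constructed, simplified frame: not the real CAN or TPMS encoding."""
    t_ms: int       # arrival time on the bus
    arb_id: int     # sender id (hypothetical values below)
    seq: int        # message number carried in the payload
    speed_mph: int  # speed claimed in the payload

TPMS_ID, WHEEL_ID = 0x2A0, 0x1F0   # hypothetical ids, not real vehicle ids
MAX_DISAGREEMENT_MPH = 10           # assumed plausibility threshold

def monitor(frames):
    """Replay the receiver's duplicate-discard rule (first payload per
    (id, seq) wins) and return (t_ms, reason) alerts for two signals:
    a 'duplicate' whose payload differs from the first copy, and a TPMS
    speed that disagrees with the most recent wheel-speed report."""
    first_seen, latest_wheel, alerts = {}, None, []
    for f in sorted(frames, key=lambda x: x.t_ms):
        key = (f.arb_id, f.seq)
        if key in first_seen:
            # A genuine retransmission is byte-identical; a differing
            # payload under the same number is a conflict, not a duplicate.
            if first_seen[key].speed_mph != f.speed_mph:
                alerts.append((f.t_ms, f"conflicting duplicate id={f.arb_id:#x} seq={f.seq}"))
            continue
        first_seen[key] = f
        if f.arb_id == WHEEL_ID:
            latest_wheel = f
        elif f.arb_id == TPMS_ID and latest_wheel is not None:
            if abs(f.speed_mph - latest_wheel.speed_mph) > MAX_DISAGREEMENT_MPH:
                alerts.append((f.t_ms, f"tpms speed {f.speed_mph} vs wheel speed {latest_wheel.speed_mph}"))
    return alerts

# Constructed sample: at t=103 a frame reuses seq 2 with a low speed before
# the sensor's own seq-2 frame at t=105; at t=206 a genuine retransmission.
SAMPLE = [
    Frame(0, WHEEL_ID, 1, 65), Frame(5, TPMS_ID, 1, 65),
    Frame(100, WHEEL_ID, 2, 66), Frame(103, TPMS_ID, 2, 4),
    Frame(105, TPMS_ID, 2, 66),
    Frame(200, WHEEL_ID, 3, 66), Frame(205, TPMS_ID, 3, 66),
    Frame(206, TPMS_ID, 3, 66),
]

if __name__ == "__main__":
    for t, reason in monitor(SAMPLE):
        print(f"t={t}ms ALERT {reason}")
```

The second check matters because the first one only fires after the legitimate frame arrives; the plausibility check catches the low-speed claim the moment it is accepted.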
September 2018
- 58 -