Autonomous Vehicle Security: Composing Attack, Defense, and Policy Surfaces

NEW SECURITY PARADIGMS WORKSHOP, NSPW 2022(2023)

Abstract
An attack surface enumerates resources accessible to an attacker for cyber attacks on a system. These resources are: methods that can be called as part of an attack; channels that an attacker outside the system can use to get to a system's interface; and untrusted data that an attacker can use in conjunction with the system's programs and channels. Historically, a system's attack surface has provided a metric on the vulnerability of a system, in part to compare two systems' exposure to attack. In this paper we extend the attack surface to (1) include rules on the system's methods and channels that if enforced would prevent many attacks, and (2) be a composition of more primitive surfaces each characterizing vulnerabilities associated with types of resources, application-specific or system-specific, e.g., files, directories, and channels. We also introduce two additional surfaces. The defense surface identifies system mechanisms that can thwart cyber-attacks through prevention, or through detection followed by mitigation of an attack in progress and then system restoration. The policy surface defines the security policy of a system as reflected by constraints on its interface expected to be satisfied in the system's operation. The security policy for a corporation would include steps the organization takes to prevent attacks and actions required to address a security incident. More relevant to this paper, the security policy for a community of autonomous vehicles would specify the minimum separation among vehicles that must be maintained even in the presence of a cyber-attack, i.e., a (safety) property. Through an analysis of the intersection of the three surfaces, it is, in principle, possible to determine if a defense exists for every attack that causes a policy violation. And, through computationally-efficient model checking, the defense action can be identified. If more than one defense action exists, model checking will identify all of them, thus enabling the selection of the optimal action based on criteria associated with a CAV.
Keywords
Attack surface, defense surface, policy surface, informed defense against cyber attack, security of connected autonomous vehicles