An Enhanced Method for Reverse Engineering CAN Data Payload

Abstract

Recently, numerous electronic components are installed in vehicles, providing drivers and passengers with increased safety and convenience. The electronic components construct an in-vehicle network that internally shares relevant status information about the vehicle. As modern vehicles become more computerized, the potential for automotive cyber-security threats also increases a fact that has been illustrated clearly by various car-hacking demonstrations. Using the controller area network (CAN), the de facto standard protocol in the automotive industry that facilitates in-vehicle network communication, car-hacking demonstrations inject critical CAN messages to control vehicular functions. In efforts to address this security issue, car manufacturers, in turn, have made confidential the CAN database (i.e., DBC format file), where signal information assigned in the CAN data payload is specified. However, it has since become known that this policy does not hermetically seal a vehicular network against cyber attacks. On the contrary, in-depth automotive security research has been hindered significantly because of the limited information accessible by researchers. For example, automotive intrusion detection systems (IDS) identify and alert when there is a vehicular break-in, and this technology is a major area of study in automotive cyber security research. For the automotive IDS that analyzes CAN traffic, information in the DBC format file greatly improves detection veracity. However, most IDS technologies to date have been independently developed without the confidential CAN DB information and, as a result, do not mitigate threats to a satisfactory standard. In this paper, we propose an enhanced method that identifies signal boundaries in a CAN data payload, which is specified in the DBC format file. Unlike an existing method that is designed based on total bit-flip rates, our method analyzes bit-flip time series not total bit-flip rates so that signal boundaries can be more clearly identified. In this paper, we use a publicly available DBC format file called OpenDBC as a reference, and show that our method outperforms the existing method.