Home // CYBER 2022, The Seventh International Conference on Cyber-Technologies and Cyber-Systems // View article

Attack Path Generation Based on Attack and Penetration Testing Knowledge

Authors:
Florian Sommer
Reiner Kriesten

Keywords: security testing; automation; tester experience.

Abstract:
To protect modern vehicles against security attacks, new standards, such as ISO/SAE 21434, and regulations, such as UN R155, require security testing activities during development. For this purpose, penetration testing is often used, which is a manually performed, experience-based, and explorative test method. Due to the high complexity of modern vehicles, manual penetration testing methods reach their limits. As a result, potential vulnerabilities could be overlooked and thus remain in the vehicle. In case of a security attack, this can endanger passengers and road traffic participants. So far, penetration testing has been considered as difficult to automate, since it is an experience-based method. This paper presents a model-based approach which aims close that gap. Our approach uses knowledge of existing security attacks on vehicles to automate the security testing process. We apply our attack database (361 attacks, consisting of 621 attack steps) to a formal security model to automatically derive attack paths for testing. We also present a proposal of how this method can be transferred to derive attack paths based on knowledge and experience of penetration testers.

Pages: 36 to 41

Copyright: Copyright (c) IARIA, 2022

Publication date: November 13, 2022

Published in: conference

ISSN: 2519-8599

ISBN: 978-1-61208-996-6

Location: Valencia, Spain

Dates: from November 13, 2022 to November 17, 2022