[Paper reading] Research status and challenges of autonomous driving security

Paper title: Autonomous Driving Security: State of the Art and Challenges
Year of publication: 2022-IoTJ (IEEE Internet of Things Journal)
Author information: Cong Gao (Xi'an University of Posts and Telecommunications), Geng Wang (Xi'an University of Posts and Telecommunications), Weisong Shi (Wayne State University, USA), Zhongmin Wang (Xi'an University of Posts and Telecommunications), Yanping Chen (Xi'an University of Posts and Telecommunications)
Note: A survey of autonomous driving security, published in 2022 in IEEE Internet of Things Journal (Chinese Academy of Sciences Zone 1, CCF-C journal).

Terminology explanation

  • IoV: Internet of Vehicles
  • V2X: Vehicle to Everything (vehicle wireless communication technology)
  • V2V: Vehicle to Vehicle
  • V2I: Vehicle to Infrastructure
  • V2P: Vehicle to Pedestrian
  • V2N: Vehicle to Network

Summary

The autonomous driving industry has developed rapidly over the past decade. Although autonomous driving has undoubtedly become one of the most promising technologies of this century, its development faces multiple challenges, among which security is the main issue. This article provides a comprehensive analysis of autonomous driving security. First, the attack surface of autonomous driving is proposed. After analyzing the operation of autonomous driving in terms of its key components and technologies, security is examined along four dimensions: 1) sensors; 2) operating system; 3) control system; 4) vehicle-to-everything (V2X) communication. Sensor security is studied for five sensor types that cover the vehicle's self-localization and environment perception (camera, GNSS/IMU, ultrasonic sensor, millimeter-wave radar and LiDAR). The second dimension, operating system security, focuses mainly on the Robot Operating System (ROS). For control system security, the vulnerabilities and protective measures of the Controller Area Network (CAN) are discussed. The fourth dimension, V2X communication security, is discussed in terms of four attack classes: 1) authenticity/identification; 2) availability; 3) data integrity; 4) confidentiality, together with corresponding solutions. The shortcomings of existing methods in each of the four dimensions are also pointed out. Finally, a conceptual multi-layered defense framework is proposed to protect the flow of information from external communications to the physical autonomous vehicle.

Keywords: Attack surface, autonomous driving, controller area network (CAN), data distribution service (DDS), robot operating system (ROS), security, sensor, unmanned vehicle, vehicle-to-everything (V2X) communication

1 Introduction

With the development of smart cars, autonomous vehicles have attracted more and more research attention. Self-driving cars are believed to be beneficial in easing traffic congestion and reducing traffic accidents. However, the current autonomous driving technology is not yet mature and is still in the development stage. The safety of passengers and the vehicle itself is far from guaranteed [1], [2]. For example, in 2018, during a road test in Arizona, an Uber self-driving car collided with a pedestrian pushing a bicycle across the road [3]. This is the world's first self-driving car accident resulting in the death of a pedestrian. The incident subsequently sparked a heated discussion about the safety of self-driving cars.

1.1. Autonomous driving security

An autonomous vehicle is a comprehensive system consisting mainly of a positioning system, a perception system, a planning system and a control system [4]. The security of an autonomous vehicle generally refers to security while driving and covers the sensors, the operating system, the control system and V2X (vehicle-to-everything) communication.

  • 1) Sensor security: concerns the security of the physical components, such as on-board sensors and on-board chips. For example, Google's self-driving cars use a variety of sensors to perceive the driving environment, and the collected sensor data is used to decide whether the vehicle is in a safe driving state.
  • 2) Operating system security: refers to ensuring the integrity and availability of the operating system and preventing unauthorized access. Most current self-driving cars are developed on top of a robot operating system. For example, Baidu's autonomous driving platform Apollo [5] is based on the best-known robot operating system, ROS [6]. ROS is robotics middleware that provides operating-system-like functions for heterogeneous computer clusters; however, it was not originally designed with security in mind, and similar operating systems share this problem.
  • 3) Control system security: ensures that the on-board decision-making system issues correct commands for steering, acceleration, deceleration and stopping based on the collected environmental data and the vehicle's own data. As the number and kinds of external vehicle interfaces grow, new attack surfaces keep appearing, leaving the control system exposed to intrusion.
  • 4) V2X communication security: refers to the security of vehicle-to-vehicle (V2V), vehicle-to-infrastructure (V2I), vehicle-to-pedestrian (V2P) and vehicle-to-network (V2N) communication. The vehicle network should be designed so that these channels resist attack; at the same time, the information about surrounding vehicles and environmental conditions obtained through V2X itself contributes to vehicle safety.

1.2. Attack surface

The concept of attack surface is generally credited to Microsoft's Michael Howard. It was introduced informally as an indicator of software system security [7].

Early attack surface research [8]-[12] mainly focused on software systems and laid the foundation for subsequent work. Howard [7] characterized the attack surface as the set of features an attacker can target: open sockets, open RPC endpoints, open named pipes, services, etc. Manadhata et al. [12] defined a system's attack surface as the subset of its resources that an attacker can use to attack the system.

Ren et al. [2] briefly divided the security threats surrounding autonomous vehicles into three groups of attack surfaces: 1) various sensors; 2) vehicle access control systems; 3) vehicle network protocols.

The recent literature on attack surfaces has mainly focused on creating empirical and theoretical measures for the attack surface of software systems or computer networks [13], such as [14]-[17].

In the field of autonomous driving, the following works on the attack surface are noteworthy.

Maple et al. [18] developed a reference architecture for attack surface analysis of connected autonomous vehicles (CAVs) using a hybrid functional-communication perspective.

Salfer and Eckert [19] proposed an automated method for automotive electronic control unit (ECU) attack surface and vulnerability assessment based on development data and software flash images.

Checkoway et al. [20] conducted a detailed analysis of the external attack surface of automobiles. This work mainly focuses on remote intrusion.

Reference [21] discusses the threat landscape of vehicle infotainment systems and identifies seven vulnerabilities and 15 potential attack surfaces for Linux-based in-vehicle infotainment systems.

Chattopadhyay et al. [22] developed a security-by-design framework for autonomous vehicles. The framework includes a high-level model that defines the attack surface of autonomous vehicles in three layers.

Dominic et al. [23] proposed a risk assessment framework for autonomous driving and cooperative autonomous driving. Their threat model builds on the threat model described by the National Highway Traffic Safety Administration (NHTSA) [24] and the security requirements of the E-safety Vehicle Intrusion Protected Applications (EVITA) project [25]. The attack surface is divided into five categories: 1) inertial/odometry; 2) distance sensors; 3) Global Positioning System (GPS); 4) map updates; 5) V2V/V2I.

Petit and Shladover [26] studied potential cyberattacks against autonomous vehicles. The attack surfaces of autonomous vehicles and cooperative autonomous vehicles are analyzed separately.

[Figure 1: attack surface of autonomous driving (sensors, vehicle systems, V2X); image not reproduced]

From the literature above, the attack surface of autonomous driving can be roughly divided into three categories, shown in Figure 1: sensors, vehicle systems and V2X. Among the sensors, GNSS/IMU stands for Global Navigation Satellite System and Inertial Measurement Unit, and LiDAR for Light Detection and Ranging. Among the vehicle systems, OBD-II is the second-generation On-Board Diagnostics interface, TPMS the Tire Pressure Monitoring System and ADAS the Advanced Driver Assistance System. For V2X, OTA stands for over-the-air, i.e., wireless (update) channels, and DSRC for Dedicated Short Range Communications. Figure 1 is not exhaustive; it is intended to highlight the security issues of autonomous vehicles.

1.3. Content and roadmap

The paper reviews the research status and challenges of the four aspects above and points out the shortcomings of existing solutions. It introduces the main components and related technologies of autonomous driving, then focuses on the security of the sensors: cameras, GNSS/IMU, ultrasonic sensors, millimeter-wave radar and LiDAR. The discussion of operating system security centers on ROS, with a detailed introduction to the security-enhanced Data Distribution Service (DDS) adopted by ROS 2. The security analysis of control systems centers on the Controller Area Network (CAN). CAN vulnerabilities are analyzed along five attack paths: 1) OBD-II; 2) electric vehicle charger; 3) CD player; 4) comprehensive; 5) Bluetooth. Two classes of protection are presented: 1) encryption/authentication-based methods and 2) intrusion-detection-based methods. Recent progress on CAN with Flexible Data-Rate (CAN FD) is also introduced. V2X communication security is analyzed for four attack classes: 1) authentication/identification; 2) availability; 3) data integrity; 4) confidentiality. Blockchain-based in-vehicle network security measures are also reviewed. Finally, six real security incidents involving self-driving cars are given, and a conceptual multi-layered defense framework for autonomous driving security is proposed.

The remainder of the paper is structured as follows. Section 2 reviews the main components and technologies of autonomous driving systems. Section 3 discusses the security of five key sensors of autonomous vehicles. Section 4 analyzes the security of popular autonomous vehicle operating systems, focusing on ROS, which dominates the field. Section 5 discusses the security of CAN-based control systems: the weaknesses of CAN networks, attacks on them and protective measures, together with CAN FD, the newer CAN standard. Section 6 summarizes attacks on IoV communication and their solutions. The first part of Section 7 presents six real-world security incidents involving autonomous vehicles, grouped into four categories: 1) sensor security; 2) operating system security; 3) control system security; 4) V2X communication security. The second part of Section 7 proposes a conceptual defense framework for vehicle information security. Section 8 concludes.

2. Autonomous driving technology

2.1. Composition

2.2. Technology

3. Sensor security

3.1. Camera

3.2. GNSS (Global Navigation Satellite System)/IMU (Inertial Measurement Unit)

3.3. Ultrasonic sensor

3.4. Millimeter-wave radar

3.5. LiDAR

3.6. Multi-sensor cross-validation

3.7. Sensor failure

4. Operating system security

4.1. Early mobile robot operating systems

4.2. ROS

4.3. ROS security

4.4. ROS 2 security enhancements

4.5. Disadvantages of ROS 2

5. Control system security

5.1. CAN
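The paper groups CAN protections into encryption/authentication-based and intrusion-detection-based methods. The following is an added example, not code from the paper or from any vehicle platform, of the simplest intrusion-detection idea: most CAN traffic is periodic, so a message-injection attack (for instance frames injected through the OBD-II port to override the value a legitimate ECU broadcasts) shows up as frames arriving much faster than the learned period, and diagnostic traffic on an ID never seen during normal driving is suspicious by itself. The candump-format traces, the CAN IDs (0x0C1, 0x1A0, 0x7DF), payloads and the 0.5 threshold ratio are all constructed for this example.

```python
"""Interval-based intrusion detection on CAN frames (added example).

Learns each CAN ID's normal period from a trace assumed clean, then flags
frames that arrive faster than expected and IDs absent from the baseline.
All traces below are constructed in Linux candump log format.
"""
import re
import statistics
from collections import defaultdict

# candump log line: "(timestamp) interface ID#DATA"
FRAME_RE = re.compile(
    r"\((?P<ts>\d+\.\d+)\)\s+\S+\s+(?P<id>[0-9A-Fa-f]{3,8})#(?P<data>[0-9A-Fa-f]*)")


def parse_candump(lines):
    """Return frames as (timestamp, can_id, data) sorted by timestamp."""
    frames = []
    for line in lines:
        m = FRAME_RE.match(line.strip())
        if m:  # skip blank or malformed lines
            frames.append((float(m.group("ts")), int(m.group("id"), 16),
                           bytes.fromhex(m.group("data"))))
    frames.sort(key=lambda f: f[0])
    return frames


def learn_baseline(frames):
    """Median inter-arrival time per CAN ID, learned from a clean trace."""
    last_seen, gaps = {}, defaultdict(list)
    for ts, cid, _ in frames:
        if cid in last_seen:
            gaps[cid].append(ts - last_seen[cid])
        last_seen[cid] = ts
    return {cid: statistics.median(g) for cid, g in gaps.items()}


def detect(frames, baseline, ratio=0.5):
    """Alert on unknown IDs and on frames arriving in < ratio * learned period."""
    alerts, last_seen = [], {}
    for ts, cid, _ in frames:
        if cid not in baseline:
            alerts.append((ts, cid, "unknown id"))
        elif cid in last_seen and ts - last_seen[cid] < ratio * baseline[cid]:
            alerts.append((ts, cid, "interval %.4fs below %.4fs"
                           % (ts - last_seen[cid], ratio * baseline[cid])))
        last_seen[cid] = ts
    return alerts


def _periodic(cid, period, data, count, offset=0.0):
    # Constructed periodic traffic for one ID, rendered as candump lines.
    return ["(%.4f) can0 %03X#%s" % (offset + i * period, cid, data)
            for i in range(count)]


def clean_trace():
    """Constructed: 0x0C1 every 10 ms and 0x1A0 every 20 ms for one second."""
    return _periodic(0x0C1, 0.010, "00A0", 100) + _periodic(0x1A0, 0.020, "1F", 50)


def attack_trace():
    """Constructed: clean traffic plus a 0x0C1 injection burst (ten frames at
    2 ms spacing from t=0.5015 s) and one OBD-II broadcast request on 0x7DF."""
    return (clean_trace()
            + _periodic(0x0C1, 0.002, "FFFF", 10, offset=0.5015)
            + ["(0.3000) can0 7DF#0201050000000000"])


def run_demo():
    baseline = learn_baseline(parse_candump(clean_trace()))
    return detect(parse_candump(attack_trace()), baseline)


if __name__ == "__main__":
    for ts, cid, why in run_demo():
        print("%.4f  0x%03X  %s" % (ts, cid, why))
```

Two caveats a practitioner should keep in mind: CAN frames carry no sender address, so this detector can flag the injected frames but cannot say which node sent them, and it also flags the victim ECU's own frames that land inside the burst; and an attacker who first silences the legitimate sender and then transmits at the normal period is invisible to a purely timing-based check, which is why the paper's other class of protection, message authentication, is still needed.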

5.2.

6. V2X communication security

When a self-driving car is on the road it becomes a node of the IoV. V2X is the umbrella term for the communication mechanisms of the IoV; as noted in Section 1, these include V2V, V2I, V2P and V2N. Through V2X a vehicle obtains traffic information such as real-time road conditions, pedestrians and the state of surrounding vehicles. Securing V2X communication is therefore an important part of autonomous driving security. This section discusses V2X security risks and their solutions.

6.1. V2X communication

The four communication modes of V2X (illustrated in a figure in the paper) are:

  • In V2V, the most common scenarios are urban streets and highways, where vehicles exchange data with each other: speed, heading, acceleration, braking, relative position, steering, etc. By predicting the driving behaviour of other vehicles, a vehicle can take safety measures in advance.
  • In V2I, on-board devices communicate with roadside units (RSUs), the infrastructure points; an RSU collects information about nearby vehicles and publishes real-time information on its portal.
  • In V2P, the vehicle identifies the behaviour of nearby pedestrians through multiple sensors and, when necessary, warns them with lights and the horn so that they become aware of the hazard.
  • In V2N, on-board devices communicate with cloud servers to exchange information. The cloud stores and analyzes the uploaded data and provides services to the vehicle, such as navigation, remote monitoring, emergency assistance and in-car entertainment.

6.2. V2X communication attacks and solutions

Hasrouny et al. [153] classify V2X attacks by the service they compromise, into four categories:

  • 1) Authenticity/identification;
  • 2) Availability;
  • 3) Data integrity;
  • 4) Confidentiality.

The paper studies each category in depth along this classification and reviews well-known literature; Table I of the paper summarizes representative studies in the four categories (not reproduced here).
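Three of the four categories above map directly onto checks a receiving vehicle can run on every incoming message. The following added example, which is not code from the paper or from any real V2X stack, shows a receiver rejecting a message whose content was altered in transit (data integrity), a captured message that is resent later (the replay attack usually listed under authenticity), and a message from an identity it does not trust (identification); availability attacks such as jamming are not something a per-message check can address. Real V2X stacks (IEEE 1609.2, ETSI ITS security) sign each message with ECDSA under a short-lived certificate; to keep the script dependency-free it substitutes an HMAC-SHA256 tag under a per-sender shared key, which is an assumption of this example, not the paper's design. The message fields (a simplified basic safety message), sender names, keys and the one-second freshness window are all constructed.

```python
"""Authenticity, integrity and replay checks on V2V messages (added example).

HMAC under a per-sender shared key stands in for the certificate-based ECDSA
signatures used by IEEE 1609.2 / ETSI ITS. Keys, names and messages are
constructed for this example.
"""
import hashlib
import hmac
import json

# Constructed trust store: sender id -> key. In a deployed stack this is a
# certificate chain rooted in the V2X PKI, not a shared secret.
TRUSTED_KEYS = {
    "veh-A": b"constructed-key-A",
    "veh-B": b"constructed-key-B",
}


def _canonical(body):
    # Deterministic serialization so sender and receiver tag identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_bsm(sender, key, seq, ts, speed_mps, heading_deg, lat, lon):
    """Build a simplified basic safety message and attach an authentication tag."""
    body = {"sender": sender, "seq": seq, "ts": ts, "speed": speed_mps,
            "heading": heading_deg, "lat": lat, "lon": lon}
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {**body, "tag": tag}


class V2XReceiver:
    """Receiver-side checks for identification, integrity and replay."""

    def __init__(self, trusted_keys, max_age_s=1.0):
        self.trusted_keys = trusted_keys
        self.max_age_s = max_age_s   # freshness window (constructed value)
        self.last_seq = {}           # sender -> highest accepted sequence number

    def verify(self, msg, now):
        """Return 'accept' or the reason for rejection."""
        sender = msg.get("sender")
        key = self.trusted_keys.get(sender)
        if key is None:
            return "reject: unknown sender"             # identification
        body = {k: v for k, v in msg.items() if k != "tag"}
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg.get("tag", "")):
            return "reject: bad tag"                    # integrity / forged sender
        if msg["ts"] > now + self.max_age_s or now - msg["ts"] > self.max_age_s:
            return "reject: stale timestamp"            # replay of an old message
        if msg["seq"] <= self.last_seq.get(sender, -1):
            return "reject: replayed sequence number"   # replay inside the window
        self.last_seq[sender] = msg["seq"]
        return "accept"


def run_demo():
    """Feed a legitimate, a tampered, two replayed and an unknown-sender message."""
    rx = V2XReceiver(TRUSTED_KEYS)
    now = 1000.0
    key_a = TRUSTED_KEYS["veh-A"]
    good = sign_bsm("veh-A", key_a, 1, 999.9, 13.9, 90.0, 34.26, 108.94)
    tampered = dict(good, speed=0.0)       # attacker edits speed, keeps the tag
    stranger = dict(good, sender="veh-Z")  # identity not in the trust store
    old = sign_bsm("veh-A", key_a, 0, 990.0, 13.9, 90.0, 34.26, 108.94)
    return {
        "legit": rx.verify(good, now),
        "tampered": rx.verify(tampered, now),
        "replay_same": rx.verify(good, now + 0.1),  # captured and resent
        "replay_old": rx.verify(old, now + 0.1),    # older message, valid tag
        "unknown_sender": rx.verify(stranger, now),
    }


if __name__ == "__main__":
    for case, verdict in run_demo().items():
        print("%-15s %s" % (case, verdict))
```

The order of the checks matters: the tag is verified before the timestamp and sequence number are trusted, because those fields are only meaningful once the message is known to be unaltered, and `hmac.compare_digest` is used so the comparison does not leak the tag through timing. Note also that with a shared key the receiver itself could forge tags, which is exactly why the real standards use per-vehicle certificates and asymmetric signatures.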

6.3. V2X communication simulators

Research on V2X communication security needs strong experimental support. Experiments in a real environment are expensive in people, vehicles and equipment, and with the technology still immature, large-scale road experiments are often not worthwhile, so simulators are used instead. There are two general types: 1) network simulators and 2) traffic simulators. A network simulator tests the performance of network protocols and applications; a traffic simulator generates vehicle trajectories.

Table II of the paper summarizes the simulators commonly used in V2X communication research (table not reproduced here).

6.4. Disadvantages of existing methods

7. Discussion and Solutions

8. Conclusion

Security is a primary requirement for autonomous driving. The paper conducts retrospective and prospective research on four aspects: 1) sensor security; 2) operating system security; 3) control system security; 4) V2X communication security. Each attack path is discussed in detail together with the existing defenses against it. The security problems of autonomous vehicles arise from attackers intruding into the vehicle and tampering with data, so they fall under information security; accordingly, the work proposes a conceptual framework for efficient vehicle information security. Before autonomous vehicles can be mass-produced, however, further research on the attack surface of autonomous driving modules is needed from both academia and industry. The authors hope the article draws the attention of the computing and automotive communities.

Origin blog.csdn.net/m0_38068876/article/details/132459488