Security, Cloud and Edge Lab

Dario Stabili

External Collaborator

Department of Engineering "Enzo Ferrari"
University of Modena and Reggio Emilia
Via Vivarelli, 10
41125 - Modena, Italy
Tel.: +39 0592056273
E-mail: dario.stabili[AT]
GPG Key: 0x9923C81814840139

Curriculum Vitae (last update: July 2022) Italian (Extended) English (Short)

Research Interests

  • Automotive Cyber-Security
  • Misbehaviour Detection in C-ITS
  • Reverse Engineering and Digital Forensics
  • Embedded Systems Security


Stabili, D.; Ferretti, L.; Andreolini, M.; Marchetti, M.

Recent research showcased several cyber-attacks against unmodified licensed vehicles, demonstrating the vulnerability of their internal networks. Many solutions have already been proposed by industry and academia, aiming to detect and prevent cyber-attacks targeting in-vehicle networks. The majority of these proposals borrow security algorithms and techniques from the classical ICT domain, and in many cases they do not consider the inherent limitations of legacy automotive protocols and resource-constrained microcontrollers. This paper proposes DAGA, an anomaly detection algorithm for in-vehicle networks exploiting n-gram analysis. DAGA only uses sequences of CAN message IDs for the definition of the n-grams used in the detection process, without requiring the content of the payload or other CAN message fields. The DAGA framework allows the creation of detection models characterized by different memory footprints, allowing their deployment on microcontrollers with different hardware constraints. Experimental results based on three prototype implementations of DAGA showcase the trade off between hardware requirements and detection performance. DAGA outperforms the state-of-the-art detectors on the most performing microcontrollers, and can execute with lower performance on simple microcontrollers that cannot support the vast majority of IDS approaches proposed in literature. As additional contributions, we publicly release the full dataset and our reference DAGA implementations.

Year: 2022 | Pages: 1 - 15

ISSN: 0018-9545 | DOI: 10.1109/TVT.2022.3190721

Pollicino, F.; Stabili, D.; Ferretti, L.; Marchetti, M.

Cooperative Intelligent Transportation Systems (C-ITS) improve driving experience and safety through secure Vehicular Ad-hoc NETworks (VANETs) that satisfy strict security and performance constraints. Relevant standards, such as the IEEE 1609.2, prescribe network-efficient cryptographic protocols to reduce communication latencies through a combination of the Elliptic Curve Qu-Vanstone (ECQV) implicit certificate scheme and the Elliptic Curve Digital Signature Algorithm (ECDSA). However, literature lacks open implementations and performance evaluations for vehicular systems. This paper assesses the applicability of IEEE 1609.2 and of ECQV and ECDSA schemes to C-ITSs. We release an open implementation of the standard ECQV scheme to benchmark its execution time on automotive-grade hardware. Moreover, we evaluate its performance in real road and traffic scenarios and show that compliance with strict latency requirements defined for C-ITS requires computational resources that are not met by many automotive-grade embedded hardware platforms. As a final contribution, we propose and evaluate novel heuristics to reduce the number of signatures to be verified in real C-ITS scenarios.

Year: 2021 | Pages: 12946 - 12959

ISSN: 0018-9545 | DOI: 10.1109/TVT.2021.3122333

Dagan, Tsvika; Montvelisky, Yuval; Marchetti, Mirco; Stabili, Dario; Colajanni, Michele; Wool, Avishai

This article describes both a concept and an implementation of vehicle safe-mode (VSM) - a mechanism that may help reduce the damage of an identified cyberattack to the vehicle, its driver, the passengers, and its surroundings. Unlike other defense mechanisms that try to block the attack or simply notify of its existence, the VSM mechanism responds to a detected intrusion by limiting the vehicle’s functionality to safe operations and optionally activating additional security countermeasures. This is done by adopting ideas from the existing mechanism of Limp-mode that was originally designed to limit the damage of a mechanical, or an electrical, malfunction and let the vehicle “limp back home” in safety. Like Limp-mode, the purpose of safe-mode is to limit the vehicle from performing certain functions when conditions arise that could render full operation dangerous: Detecting a malfunction in the Limp-mode case is analogous to detecting an active cybersecurity breach in the safe-mode case, and the reactions should be analogous as well. The authors demonstrate that the VSM can be implemented, possibly even as an aftermarket add-on: to do so the authors developed a proof-of-concept (PoC) system and actively tested it in real time on an operating vehicle. Once activated, the authors' VSM system restricts the vehicle to Limp-mode behavior by guiding it to remain in low gear, taking into account the vehicle’s speed and the driver’s actions. The authors' system does not require any changes to the electronic control units (ECUs), or to any other part of the vehicle, beyond connecting the safe-mode manager (SMManager) to the correct bus. The authors note that their system can rely upon any deployed anomaly-detection system to identify the potential attack. The authors point out that restricting the vehicle to Limp-mode-like behavior by an aftermarket system is just an example. 
If a car manufacturer would integrate such a system into a vehicle, they would have many more options, and the resulting system would probably be safer and with a better human-machine interface.

Year: 2020 | Pages: 19 - 39

ISSN: 2572-1046 | DOI: 10.4271/11-02-02-0006

Marchetti, M.; Stabili, D.

Security analytics and forensics applied to in-vehicle networks are growing research areas that gained relevance after recent reports of cyber-attacks against unmodified licensed vehicles. However, the application of security analytics algorithms and tools to the automotive domain is hindered by the lack of public specifications about proprietary data exchanged over in-vehicle networks. Since the controller area network (CAN) bus is the de-facto standard for the interconnection of automotive electronic control units, the lack of public specifications for CAN messages is a key issue. This paper strives to solve this problem by proposing READ: A novel algorithm for the automatic Reverse Engineering of Automotive Data frames. READ has been designed to analyze traffic traces containing unknown CAN bus messages in order to automatically identify and label different types of signals encoded in the payload of their data frames. Experimental results based on CAN traffic gathered from a licensed unmodified vehicle and validated against its complete formal specifications demonstrate that the proposed algorithm can extract and classify more than twice the signals with respect to the previous related work. Moreover, the execution time of signal extraction and classification is reduced by two orders of magnitude. Applications of READ to CAN messages generated by real vehicles demonstrate its usefulness in the analysis of CAN traffic.

Year: 2019 | Pages: 1083 - 1097

ISSN: 1556-6013 | DOI: 10.1109/TIFS.2018.2870826

Zoccoli, G. G.; Pollicino, F.; Stabili, D.; Marchetti, M.
21st IEEE International Symposium on Network Computing and Applications, NCA 2022

This paper proposes SixPack v2, an enhanced version of the SixPack attack that can evade even state-of-the-art misbehavior detection systems. As the original SixPack, SixPack v2 is a dynamic attack targeting other C-ITS entities by simulating the sudden activation of the braking system with consequent activation of the Anti-lock Braking System. SixPack v2 achieves better evasion by improving the main phases of the attack (FakeBrake, Recovery, and Rejoin) through a novel path-reconstruction algorithm that generates a more realistic representation of the real vehicle trajectory. We experimentally evaluate the evasion capabilities of SixPack v2 using the F2MD framework on the LuSTMini city scenario, and we compared the detection performance of the F2MD framework on both versions of SixPack. Results show that SixPack v2 evades detection with a significantly higher likelihood with respect to the initial version of the attack, even against the latest version of F2MD.

Year: 2022 | Pages: 243 - 249

ISBN: 979-8-3503-9730-7 | DOI: 10.1109/NCA57778.2022.10013565

Venturi, A.; Stabili, D.; Pollicino, F.; Bianchi, E.; Marchetti, M.
21st IEEE International Symposium on Network Computing and Applications, NCA 2022

This paper presents a comparative analysis of different Machine Learning-based detection algorithms designed for Controller Area Network (CAN) communication on three different datasets. This work focuses on addressing the current limitations of related scientific literature, related to the quality of the publicly available datasets and to the lack of public implementations of the detection solutions presented in literature. Since these issues are preventing the reproducibility of published results and their comparison with novel detection solutions, we remark that it is necessary that all security researchers working in this field start to address them properly to advance the current state-of-the-art in CAN intrusion detection systems. This paper strives to solve these issues by presenting a comparison of existing works on publicly available datasets.

Year: 2022 | Pages: 81 - 88

ISBN: 979-8-3503-9730-7 | DOI: 10.1109/NCA57778.2022.10013527

Pollicino, F.; Ferretti, L.; Stabili, D.; Marchetti, M.
20th IEEE International Symposium on Network Computing and Applications, NCA 2021

The transportation sector is undergoing rapid changes to reduce pollution and increase life quality in urban areas. One of the most effective approaches is flexible car rental and sharing to reduce traffic congestion and parking space issues. In this paper, we envision a flexible car sharing framework where vehicle owners want to make their vehicles available for flexible rental to other users. The owners delegate the management of their vehicles to intermediate services under certain policies, such as municipalities or authorized services, which manage the due infrastructure and services that can be accessed by users. We investigate the design of an accountable solution that allows vehicle owners, who want to share their vehicles securely under certain usage policies, to control that delegated services and users comply with the policies. While monitoring users' behavior, our approach also takes care of users' privacy, preventing tracking or profiling procedures by other parties. Existing approaches put high trust assumptions on users and third parties, do not consider users' privacy requirements, or have limitations in terms of flexibility or applicability. We propose an accountable protocol that extends standard delegated authorizations and integrates it with Security Credential Management Systems (SCMS), while considering the requirements and constraints of vehicular networks. We show that the proposed approach represents a practical approach to guarantee accountability in realistic scenarios with acceptable overhead.

Year: 2021 | Pages: 1 - 7

ISBN: 978-1-6654-9550-9 | DOI: 10.1109/NCA53618.2021.9685942

Pollicino, F.; Stabili, D.; Bella, G.; Marchetti, M.
93rd IEEE Vehicular Technology Conference, VTC 2021-Spring

This paper presents SixPack, a cyber attack to VANET communications that is able to go undetected by the current state-of-the-art anomaly detectors. The SixPack attack is a dynamic attack conducted by an insider attacker who modifies the content of the Basic Safety Messages to feign a sudden activation of the braking system with the consequent activation of the Anti-lock Braking System, and create a fake representation of the vehicle. The attacker then rejoins the fake representation of the vehicle with the real one, avoiding the current state-of-the-art anomaly detectors. We experimentally evaluated the evasion capabilities of the SixPack attack using the F2MD test framework on the LuST and LuSTMini city scenarios, demonstrating the ability of the attacker to generate a high percentage of false positives that prevent the attack from being detected consistently.

Year: 2021 | Pages: 1 - 6

ISSN: 1550-2252 | DOI: 10.1109/VTC2021-Spring51267.2021.9448656

Pollicino, F.; Stabili, D.; Ferretti, L.; Marchetti, M.
92nd IEEE Vehicular Technology Conference, VTC 2020-Fall

Emerging Cooperative Intelligent Transportation Systems (C-ITS) enable improved driving experience and safety guarantees, but require secure Vehicular Ad-hoc NETworks (VANETs) that must comply with strict performance constraints. Specialized standards have been defined for these aims, such as the IEEE 1609.2 that uses network-efficient cryptographic protocols to reduce communication latencies. The reduced latencies are achieved through a combination of the Elliptic Curve Qu-Vanstone (ECQV) implicit certificate scheme and the Elliptic Curve Digital Signature Algorithm (ECDSA), to guarantee data integrity and authenticity. However, literature lacks implementations and evaluations for vehicular systems. In this paper, we consider the IEEE 1609.2 standard for secure VANETs and investigate the feasibility of ECQV and ECDSA schemes when deployed in C-ITSs. We propose a prototype implementation of the standard ECQV scheme to evaluate its performance on automotive-grade hardware. To the best of our knowledge, this is the first open implementation of the scheme for constrained devices that are characterized by low computational power and low memory. We evaluate its performance against C-ITS communication latency constraints and show that, although even highly constrained devices can support the standard, complying with stricter requirements demands higher computational resources.

Year: 2020 | Pages: 1 - 6

ISSN: 1550-2252 | DOI: 10.1109/VTC2020-Fall49728.2020.9348712

Stabili, D.; Marchetti, M.
90th IEEE Vehicular Technology Conference, VTC 2019 Fall

Recent cyber-attacks to real vehicles demonstrated the risks related to connected vehicles, and spawned several research efforts aimed at proposing algorithms and architectural solutions to improve the security of these vehicles. Most of the documented attacks to the connected vehicles require the injection of maliciously forged messages to subvert the normal behaviour of the electronic microcontrollers. More recently, researchers discovered that by abusing error isolation mechanisms of the Controller Area Network (CAN), one of the protocols deployed for in-vehicle networking, it is possible to isolate a microcontroller from the vehicle internal network (namely bus-off attack), with possible severe implications on both safety and security. This vulnerability has already been exploited for gaining remote control of a vehicle, by driving a targeted microcontroller in bus-off and impersonating it through the injection of malicious messages on the CAN bus. This paper strives to counter bus-off attacks by proposing an algorithm for the detection of missing messages from the in-vehicle CAN bus. Bus-off attacks to in-vehicle network are simulated by removing messages from valid CAN traces recorded from an unmodified licensed vehicle. Experimental evaluations of our proposal and comparisons with previous work demonstrate that the proposed algorithm outperforms other detection algorithms, achieving almost perfect detection (F-score equal or near to 1.0) across different tests.

Year: 2019 | Pages: 1 - 7

DOI: 10.1109/VTCFall.2019.8891068

Burzio, G.; Cordella, G. F.; Colajanni, M.; Marchetti, M.; Stabili, D.
2018 International Conference of Electrical and Electronic Technologies for Automotive, AUTOMOTIVE 2018

The concordant vision of the future automotive landscape foresees vehicles that are always connected to infrastructure and Cloud services, and that are equipped with autonomous driving or advanced driver assistance systems. It is clear that in a similar scenario cybersecurity of modern and future vehicles is paramount. With connected autonomous vehicles the protection from external attack will be an essential requirement, motivated by the outstanding safety implications of an autonomous vehicle remotely controlled by an attacker or a malware. However, the automotive industry still lacks reliable and repeatable methods to assess the cybersecurity level of modern cars. This paper has a twofold contribution. First, it describes the ongoing effort of regulatory bodies within the European Union toward the definition of cybersecurity certification schemes. Second, it outlines the main requirements of a cybersecurity ranking approach that is suitable for certifying the security level of connected vehicles. Since improved cybersecurity guarantees will come at the expense of increased complexity and costs, the proposed ranking approach makes it possible to assess whether the cybersecurity level is appropriate by considering the potential safety risks of a successful attack to the ranked system or subsystem.

Year: 2018 | Pages: 1 - 6

ISBN: 978-8-8872-3738-2 | DOI: 10.23919/EETA.2018.8493180

Stabili, D.; Ferretti, L.; Marchetti, M.
4th IEEE International Conference on Smart Computing, SMARTCOMP 2018

Modern vehicles are complex cyber physical systems where communication protocols designed for physically isolated networks are now employed to connect Internet-enabled devices. This unforeseen increase in connectivity creates novel attack surfaces, and exposes safety-critical functions of the vehicle to cyber attacks. As standard security solutions are not applicable to vehicles due to resource constraints and compatibility issues, research is proposing tailored approaches to cope with existing systems and to design next generations vehicles. In this paper we focus on solutions based on cryptographic protocols to protect in-vehicle communications and prevent unauthorized manipulation of the vehicle behaviors. Existing proposals consider vehicles as monolithic systems and evaluate performance and costs of the proposed solutions without considering the complex life-cycle of automotive components and the multifaceted automotive ecosystem that includes a large number of actors. The main contribution of this paper is a study of the impact of security solutions by considering vehicles life-cycle. We model existing proposals and highlight their impacts on vehicles production and maintenance operations by taking into consideration interactions among multiple players. Finally, we give insights on the requirements of architectures for secure intra-vehicular protocols.

Year: 2018 | Pages: 452 - 457

ISBN: 9781538647059 | DOI: 10.1109/SMARTCOMP.2018.00045

Dagan, Tsvika; Marchetti, Mirco; Stabili, Dario; Colajanni, Michele; Wool, Avishai
2017 Embedded Security in Cars conference (ESCAR Europe 2017)

This paper describes a concept for vehicle safe-mode, that may help reduce the potential damage of an identified cyber-attack. Unlike other defense mechanisms, that try to block the attack or simply notify of its existence, our mechanism responds to the detected breach, by limiting the vehicle’s functionality to relatively safe operations, and optionally activating additional security counter-measures. This is done by adopting the already existing mechanism of Limp-mode, that was originally designed to limit the potential damage of either a mechanical or an electrical malfunction and let the vehicle “limp back home” in relative safety. We further introduce two modes of safe-mode operation: In Transparent-mode, when a cyber-attack is detected the vehicle enters its pre-configured Limp-mode; In Extended-mode we suggest using custom messages that offer additional flexibility to both the reaction and the recovery plans. While Extended-mode requires modifications to the participating ECUs, Transparent-mode may be applicable to existing vehicles since it does not require any changes in the vehicle’s systems; in other words, it may even be deployed as an external component connected through the OBD-II port. We suggest an architectural design for the given modes, and include guidelines for a safe-mode manager, its clients, possible reactions, and recovery plans. We note that our system can rely upon any deployed anomaly-detection system to identify the potential attack.

Year: 2017 | Pages: n/a - n/a

DOI: n/a

Stabili, Dario; Marchetti, Mirco; Colajanni, Michele
IEEE 2017 AEIT International Annual Conference - Infrastructures for Energy and ICT (AEIT 2017)

Analysis of in-vehicle networks is an open research area that gained relevance after recent reports of cyber attacks against connected vehicles. After those attacks gained international media attention, many security researchers started to propose different algorithms that are capable of modelling the normal behaviour of the CAN bus to detect the injection of malicious messages. However, despite the automotive area having different constraints than classical IT security, much security research has been conducted by applying sophisticated algorithms used in IT anomaly detection, thus proposing solutions that are not applicable on current Electronic Control Units (ECUs). This paper proposes a novel intrusion detection algorithm that aims to identify malicious CAN messages injected by attackers in the CAN bus of modern vehicles. Moreover, the proposed algorithm has been designed and implemented with the very strict constraints of low-end ECUs, having low computational complexity and small memory footprints. The proposed algorithm identifies anomalies in the sequence of the payloads of different classes of IDs by computing the Hamming distance between consecutive payloads. Its detection performance is evaluated through experiments carried out using real CAN traffic gathered from an unmodified licensed vehicle.

Year: 2017 | Pages: 1 - 6

ISBN: 9788887237375 | DOI: n/a

Marchetti, Mirco; Stabili, Dario
28th IEEE Intelligent Vehicles Symposium, IV 2017

This paper proposes a novel intrusion detection algorithm that aims to identify malicious CAN messages injected by attackers in the CAN bus of modern vehicles. The proposed algorithm identifies anomalies in the sequence of messages that flow in the CAN bus and is characterized by small memory and computational footprints, that make it applicable to current ECUs. Its detection performance is demonstrated through experiments carried out on real CAN traffic gathered from an unmodified licensed vehicle.

Year: 2017 | Pages: 1577 - 1583

ISBN: 9781509048045 | DOI: 10.1109/IVS.2017.7995934

Marchetti, Mirco; Stabili, Dario; Guido, Alessandro; Colajanni, Michele
IEEE 2nd International Forum on Research and Technologies for Society and Industry

This paper evaluates the effectiveness of information-theoretic anomaly detection algorithms applied to networks included in modern vehicles. In particular, we focus on providing an experimental evaluation of anomaly detectors based on entropy. Attacks to in-vehicle networks were simulated by injecting different classes of forged CAN messages in traces captured from a modern licensed vehicle. Experimental results show that if entropy-based anomaly detection is applied to all CAN messages it is only possible to detect attacks that comprise a high volume of forged CAN messages. On the other hand, attacks characterized by the injection of few forged CAN messages can be detected only by applying several independent instances of the entropy-based anomaly detector, one for each class of CAN messages.

Year: 2016 | Pages: 429 - 434

ISBN: 9781509011315 | DOI: 10.1109/RTSI.2016.7740627

Ph.D. Thesis
Stabili, Dario

Cyber-physical systems (CPS) are highly integrated mechanisms in which one or more subsystems are monitored and controlled by software, possibly with a high degree of autonomy and minimal external inputs coming from users. A prominent example of widespread cyber-physical systems are modern passenger vehicles, that are composed of many mechanical parts controlled by Electronic Control Units (ECUs), which are programmed to perform different tasks in the automotive system. Mechanisms controlled through ECUs range from simple tasks activated by drivers, such as windshield wipers or power windows, to completely automated, complex and real-time systems, such as engine control, power steering, Electronic Stability Program (ESP) or the Anti-lock Braking System (ABS). These software-driven safety-relevant features are extremely effective in reducing the overall number of car accidents and fatalities. However, they also open new avenues for cyber-attackers, that can now explore (and possibly exploit) a wide range of software-based attacks against the control logic implemented by ECUs. These threats are also magnified by the current trend toward an increasing connectivity of modern vehicles. It is now common even for low-tier vehicles to integrate Bluetooth connectivity with smartphones (hence an indirect connection to the Internet) or direct Internet connectivity through cellular networks. Similar threats are not only theoretical. Recent research and media reports showcased several cyber-attacks against recent, unmodified licensed vehicles, which exploited cellular connections to penetrate the automotive network and obtain remote control over the engine, brakes and power steering systems. These recent works exposed different vulnerabilities of the networking protocols and communication buses enabling communication among safety-relevant ECUs.
These systems are based on outdated standards, that have been designed for simpler ECUs and completely isolated networks, and do not provide any security guarantee. This thesis proposes many solutions for improving the cyber-security of the internal network communications of modern vehicles, and addresses the whole cyber-security lifecycle ranging from the prevention of cyber-attacks to their detection in operational vehicles and up to the proposal of automatic countermeasure that can mitigate the physical consequences of cyber-attacks. Prevention of cyber-attacks requires the adoption of secure protocols that include integrity and authentication guarantees for safety-relevant in-vehicle communications. In this field this thesis explores the trade-offs among different strategies for the management and distribution of cryptographic material, taking into consideration the full lifecycle of a modern vehicle. Attack detection represents the main focus of this thesis, that proposes several novel intrusion detection algorithms specifically designed for the detection of realistic cyber-attacks against modern internal vehicle networks. All the proposed intrusion detection algorithms have been validated through experiments carried out over real communications among ECUs, gathered from modern unmodified vehicles. The proposed algorithms meet the hard computational and memory constraints of common automotive ECUs. To overcome the limitations caused by the lack of public specifications of internal communications in real vehicles, this thesis also proposes a novel algorithm for automatic reverse-engineering of automotive data-frames that allows to apply more fine-grained intrusion detection algorithms. Finally, the thesis proposes a novel strategy for reacting to a detected cyber-attack by leveraging the limp-home mode (a protection mechanism already implemented by ECUs) in the service of cybersecurity.

Year: 2020 | Pages: n/a - n/a

DOI: n/a

Academic Service

Program Committee
International Conference on Advances in Vehicular Systems, Technologies and Applications (VEHICULAR) 2022
IEEE Network Computing and Applications (NCA) 2020, 2021
Technical Program Committee
IEEE Network Computing and Applications 2019
International Conference on Advances in Vehicular Systems, Technologies and Applications (VEHICULAR) 2021
IEEE Vehicular Technology Conference 2019, 2020