DoS Protection through Credit Based Metering -- Simulation-Based Evaluation for Time-Sensitive Networking in Cars
If you cite this paper, please use the original reference: P. Meyer, T. Häckel, F. Korf, and T. C. Schmidt. DoS Protection through Credit Based Metering - Simulation-Based Evaluation for Time-Sensitive Networking in Cars. In: Proceedings of the 6th International OMNeT++ Community Summit. September, 2019, Easychair.
Philipp Meyer, Timo Häckel, Franz Korf, and Thomas C. Schmidt
Department of Computer Science, Hamburg University of Applied Sciences, Germany
{philipp.meyer, timo.haeckel, franz.Korf, t.schmidt}@haw-hamburg.de

Abstract

Ethernet is the most promising solution to reduce complexity and enhance the bandwidth in the next generation in-car networks. Dedicated Ethernet protocols enable the real-time aspects in such networks. One promising candidate is the IEEE 802.1Q Time-Sensitive Networking protocol suite. Common Ethernet technologies, however, increase the vulnerability of the car infrastructure as they widen the attack surface for many components. This paper proposes an IEEE 802.1Qci based algorithm that, on the one hand, protects against DoS attacks by metering incoming Ethernet frames. On the other hand, it adapts to the behavior of the Credit Based Shaping algorithm, which was standardized for Audio/Video Bridging, the predecessor of Time-Sensitive Networking. A simulation of this proposed Credit Based Metering algorithm evaluates the concept.

In today's vehicles, a multitude of sensors, actuators, and electronic control units (ECUs) are used to enable enhanced performance, comfort, and safety through advanced driver assistance systems. Even autonomous driving will be realized in future generations. These additions result in complex communication over different proprietary bus technologies in multiple domains.

Ethernet technologies are used to set up efficient and straightforward communication in future generations. Real-time Ethernet protocols enable compliance with communication requirements and enhance the reliability of Standard Ethernet. Promising candidates are the Time-Sensitive Networking (TSN) protocols by the IEEE (https://1.ieee802.org/tsn/). The main focus of those protocols is Quality of Service guarantees. The integration of future cars in the IoT context opens their systems to global communication. These online capabilities and the domain interconnection increase the attack surface of safety-critical functions like brakes and the motor control units. Attacks could manipulate driving characteristics and could have fatal consequences for vehicle and passengers.

Therefore, security has to be an essential goal for the development of the next generations of on-board communication technologies. The TSN standard IEEE 802.1Qci addresses some security concerns by filtering ingress traffic on network node ports.

This work provides a simulation-based evaluation of IEEE 802.1Qci with a Credit Based Meter (CBM) algorithm concept. This concept enforces the reserved bandwidth of a stream and is one solution to protect network nodes from Denial of Service (DoS) attacks. IEEE 802.1Qci and the CBM concept are implemented in the OMNeT++ environment to enable evaluations.

This paper is organized as follows: Section 2 presents previous and related work. In Section 3, the developed simulation environment and the credit based metering are shown. Section 4 presents a case study followed by an evaluation of the implemented simulation models and concepts. The paper closes with a conclusion and outlook in Section 5.

[Figure 1: IEEE 802.1Qci per-stream filtering and policing. Stages between ingress and queueing: stream filters (Stream ID 1 to N, each referencing a Gate ID and a Meter ID), stream gates (Gate ID 1 to P), flow meters (Meter ID 1 to Q).]

The on-board network of a vehicle is a highly distributed system defined by its electronic control units (ECUs). At present, proprietary bus technologies (CAN, MOST, FlexRay) enable the communication of control units.

Future development will lead to a stepwise transition towards flat, switched Ethernet networks [6]. Such networks have to support simultaneous transmission of messages with different priorities to maintain safe time-critical communication. Real-time Ethernet protocols are used to guarantee the different quality of service classes.

The Time-Sensitive Networking (TSN) [5] real-time Ethernet standard is a collection of protocols which adapts to network requirements of cyber-physical systems. Domains for this protocol suite are, for example, industrial control facilities or in-car networks.

The focus in this work is the sub-standard IEEE 802.1Qci [4]. It describes an ingress control through per-stream filtering and policing. Figure 1 shows the structure of the filtering and policing specification. The shown mechanism has an instance after each port ingress of a TSN networking device. The result is that all ingress traffic is filtered. There are three stages an incoming frame has to pass through before it is queued. The first stage consists of a set of stream filters. They configure which gates and meters are responsible for handling frames of a specific stream ID. Secondly, there are stream gates. Those have one of the two states "OPEN" or "CLOSED". This state can change according to a statically defined schedule based on a system-wide clock. If the gate is "CLOSED", the frame will be dropped. If the responsible gate is in the state "OPEN", the frame will be handled by the responsible flow meter. The flow meter stage contains unique algorithms to determine whether a message is allowed.
After the meter allows a frame, it gets queued in the network node for subsequent forwarding or processing. This work presents a meter concept called Credit Based Meter (CBM) (see Section 3).

The importance of security measures for in-car networks is shown in various related work [2], [10]. A fundamental work is from Checkoway et al. [1]. They examine interfaces that are part of the attack surface in a car. These interfaces are classified in three categories: physical access (OBD-II, CD, USB), short distance wireless access (Bluetooth, WiFi, Remote-Keyless-Entry) and long distance wireless access (GPS, digital radio, mobile services). The authors gained access to the on-board network in each category using reverse engineering and debugging.

Miller and Valasek [9] described in detail how to obtain control over an unaltered passenger vehicle. They gained control over safety-critical elements like engines and brakes over a remote cellular connection of the infotainment system. The infotainment system is part of the internal CAN-based communication infrastructure, and CAN buses in this infrastructure contain virtually no security measures. At this point, the authors used reverse engineering to get information about the communication between in-car control units. In the next step, CAN messages are forwarded over the infotainment system into the internal communication, where they are received and processed by the control units.

In consequence, security measures must be included in future automotive communication systems. Simulations of in-car networks [11] are an essential method to study the behavior of such systems in detail. This work presents one solution for protecting the in-car communication from DoS attacks and analyses it in the simulator. In those scenarios, a compromised stream is used to burst frames into networking devices to overload their capabilities. The result could be lost or delayed frames of streams that are not compromised.

[Figure 2: Credit Based Metering state machine. Timeline of ingress frames (stream frames and a best-effort frame), the CBM credit, and the CBM state (R-RA, R-RF).]

The Credit Based Meter (CBM) is an ingress counterpart for the Credit Based Shaper (CBS) egress behavior defined in IEEE 802.1Qbv [3]. In general, a CBM is based on a credit value manipulated by two different gradients called "idleslope" and "sendslope". Frame reception is allowed when the credit is greater than or equal to zero. When the credit is lower than zero, an incoming frame will be discarded.

These gradients are composed of an accumulated reserved bandwidth ($RB$) of the streams passing the meter and a total bandwidth ($B$) of the port (see equations 1 and 2).

$$idleslope = RB \tag{1}$$

$$sendslope = RB - B \tag{2}$$

Additionally, the CBM contains a maximum burst size parameter ($Burst_{max}$) configuring the maximum count of frames that are allowed in an incoming stream burst. This is used in combination with the sending duration ($T_{duration}$) of one frame. $T_{duration}$ is composed of the frame size ($FS_{stream}$), the port bandwidth ($B$) and the Ethernet inter frame gap ($T_{ifg}$) to calculate the maximum credit value ($Credit_{max}$) of the CBM shown in equations 3 and 4.

$$T_{duration} = \frac{FS_{stream}}{B} + T_{ifg} \tag{3}$$

$$Credit_{max} = |sendslope| \cdot T_{duration} \cdot (Burst_{max} - 1) \tag{4}$$

Because a burst of one frame is allowed when the credit is 0, $Burst_{max}$ has to be reduced by one. So the definition of $Burst_{max} = 1$ results in $Credit_{max} = 0$.

The CBM has two states. They are "RUNNING RECEIVING ALLOWED" (R-RA) and "RUNNING RECEIVING FORBIDDEN" (R-RF). When the CBM starts, the state is R-RA and the credit is set to zero. The credit starts to increase according to "idleslope" until the first frame is incoming or the credit reaches the maximum ($Credit_{max}$).

In the R-RA state, the credit is decreased by "sendslope" for the receiving duration of a frame. When the frame is queued, the credit increases again with "idleslope". If the credit is greater than or equal to zero, a new frame reception is allowed, and the credit decreases again by "sendslope". When the credit reaches the maximum, it stays on this value until a frame is incoming.

If the credit is lower than 0, the state will be switched to R-RF. In R-RF each incoming frame will be deleted. Simultaneously, the credit increases with "idleslope". The state is changed back to R-RA when the credit reaches 0.

In figure 2, an example of the CBM algorithm behavior is shown. Firstly, the state is R-RA and the credit is 0 and increases according to "idleslope" until the first frame arrives (see t in figure 2). The credit decreases by "sendslope" for the duration of the frame (t in figure 2). Now the state is changed to R-RF and the credit increases by "idleslope" till it reaches 0. The state changes to R-RA, and the credit increases further until the next frame arrives. This is delayed by an incoming best effort (BE) frame (t in figure 2). The next frame arrives and the credit is decreased again (t to t in figure 2). The credit increases till the third frame receiving starts (t in figure 2). So again the credit decreases by "sendslope" until the end of the transmission duration.

The performance of the CBM is dependent on $Burst_{max}$. A target configuration of this parameter is as low as possible and still supports a valid worst-case scenario. On the one side, this is because of the counterpart CBS. The valid maximum frame burst of a stream that is produced by a CBS algorithm egress is dependent on its specific worst-case scenario. On the other side, an attack creating a maximum frame burst could not harm the network because it is designed to support the worst-case traffic workload.

There are different ways to determine a minimal $Burst_{max}$ value. One example is analyzing the worst-case burst behavior for each stream's output port ($Burst_{out}$). $Burst_{max}$ has to be calculated as shown in equation 5 to allow one close-up frame following the burst.

$$Burst_{max} = Burst_{out} + 1 \tag{5}$$

Another example of determining a $Burst_{max}$ value is by simulating different configurations to find one that fits the requirements.
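
The meter described above can be exercised outside OMNeT++. The following Python model is an added example, not the CoRE4INET implementation; it takes the 25 Mbit/s reservation, 100 Mbit/s port and Burst max = 3 from the case study, and it assumes a 3000 bit frame, a 0.96 µs inter frame gap, non-overlapping arrivals, and that the accept/drop decision is taken when the first bit of a frame arrives.

```python
"""Credit Based Meter (CBM) model built from equations 1-4 of the text.
Units: time in microseconds, rates in Mbit/s (= bit/us), credit in bit."""
from dataclasses import dataclass


@dataclass
class CreditBasedMeter:
    reserved_mbps: float   # RB, reserved bandwidth of the metered stream(s)
    port_mbps: float       # B, total port bandwidth
    frame_bits: int        # FS_stream
    burst_max: int         # Burst_max, frames allowed in one burst
    ifg_us: float = 0.96   # T_ifg: 96 bit times at 100 Mbit/s
    credit: float = 0.0    # the meter starts in R-RA with credit 0
    now_us: float = 0.0

    def __post_init__(self):
        self.idleslope = self.reserved_mbps                    # eq. 1
        self.sendslope = self.reserved_mbps - self.port_mbps   # eq. 2, negative
        self.rx_us = self.frame_bits / self.port_mbps          # time on the wire
        t_duration = self.rx_us + self.ifg_us                  # eq. 3
        self.credit_max = (abs(self.sendslope) * t_duration
                           * (self.burst_max - 1))             # eq. 4

    @property
    def state(self):
        return "R-RA" if self.credit >= 0 else "R-RF"

    def offer(self, arrival_us):
        """Meter one frame whose first bit arrives at arrival_us; True = queued."""
        idle = max(0.0, arrival_us - self.now_us)
        self.credit = min(self.credit_max, self.credit + self.idleslope * idle)
        self.now_us = max(self.now_us, arrival_us)
        if self.state == "R-RF":
            return False           # frame deleted, credit keeps recovering
        self.credit += self.sendslope * self.rx_us   # pay for the reception
        self.now_us += self.rx_us
        return True


def new_meter(burst_max=3):
    # Constructed sample: 25 Mbit/s reserved on a 100 Mbit/s port as in the
    # case study; the 3000 bit frame size is an assumption, the page does
    # not state one.
    return CreditBasedMeter(25.0, 100.0, 3000, burst_max)


def burst_after_idle(burst_max, frames=5, start_us=1000.0):
    """Back-to-back frames after a long idle phase (credit at credit_max)."""
    m = new_meter(burst_max)
    gap = m.rx_us + m.ifg_us
    return [m.offer(start_us + i * gap) for i in range(frames)]


def output_mbps(input_mbps, frames=1000, burst_max=3):
    """Offer a constant-rate stream and return the rate that passes the meter."""
    m = new_meter(burst_max)
    period = m.frame_bits / input_mbps
    accepted = sum(m.offer(i * period) for i in range(frames))
    return accepted * m.frame_bits / (frames * period)


if __name__ == "__main__":
    print("burst_max=3:", burst_after_idle(3))
    print("burst_max=1:", burst_after_idle(1))
    for rate in (10, 20, 25, 30, 40, 50, 60):
        print(f"in {rate:2d} Mbit/s -> out {output_mbps(rate):5.2f} Mbit/s")
```

After an idle phase the model passes exactly Burst max back-to-back frames and drops the next one, and the output rate follows the input up to the reserved 25 Mbit/s and stays there for higher input rates.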

This section evaluates the integration of the Credit Based Meter algorithm inside IEEE 802.1Qci. This is done by using the OMNeT++ (https://omnetpp.org/) simulation environment with INET (https://inet.omnetpp.org/) and our CoRE4INET framework. CoRE4INET enables in-car network simulations [7] and the simulation of TSN features [8]. For this work, CoRE4INET is extended with IEEE 802.1Qci and CBM implementations.

The chosen topology is known from previous work [8] and is designed to create critical links with multiple concurrent traffic. Figure 3 shows this topology. In this topology, time-triggered traffic is based on TDMA with the highest priority. Two configurations are simulated. The first is a configuration with active CBM filtering. The second one places a compromised "Node 1" into the simulation, which is spamming a DoS attack into the network.

[Figure 3: Simulation topology. Node 1 to Node 10 connected through Switch 1, Switch 2 and Switch 3; legend: time-triggered, stream, best effort broadcast with reply.]

For both simulations the base configuration is as follows:

• All links are configured with a bandwidth of 100 Mbit/s.
• "Node 1" and "Node 2" are the sources of "Stream 1" and "Stream 2" with "Node 8" as their destination. Both streams have a reserved route with an individual bandwidth of 25 Mbit/s. Each stream is passing a CBM on all devices and gates are "OPEN".
• Full-size time-triggered frames are generated by "Node 3", "Node 4", "Node 5" and "Node 6". The first two are received by "Node 7" and the latter by "Node 9". In all switches, a gap of 123 µs is configured to allow intermediate frame bursts.
• For extra background traffic "Node 10" is broadcasting full-size best-effort Ethernet frames. All nodes are replying by sending a full-size best-effort frame back to "Node 10".

The worst-case output stream burst sizes ($Burst_{out}$) are known in this base configuration. They are 2 for "Node 1" and "Node 2" and, because of the concurrent TDMA traffic, 4 for "Switch 1" and "Switch 2". Therefore the $Burst_{max}$ value for CBM filtering in "Switch 1" is 3 for both input ports and 5 for the input metering in "Switch 2" and "Switch 3" (see equation 5 in section 3).

The results shown in this section are a selection of results generated by the simulations. All shown simulation results are based on runs of 10 seconds duration.

The first result set (Figures 4 and 5) presents and compares the end-to-end latency of the streams in both configurations. Due to the assumption that valid packets are not influenced by the CBM, these latencies are expected to be nearly the same.

The end-to-end latency of both streams in the configuration with CBM filtering is shown in figure 4. In this configuration, each node and switch is using a CBM ingress control on each port and for each stream. The two histograms show the number of frames that arrived at the target with a specific consolidated end-to-end latency. Blue shows these results for "Stream 1" and grey for "Stream 2".

[Figure 4: End-to-end latency of frames per stream without attack. No. of frames over end-to-end latency [µs] for Stream 1 and Stream 2.]

[Figure 5: End-to-end latency of frames per stream during an attack. No. of frames over end-to-end latency [µs] for Stream 1 and Stream 2.]

Figure 5 shows the end-to-end latency of the streams in a configuration where "Node 1" is corrupted. All nodes and switches are using CBM ingress control again. The difference is that "Node 1" is generating the "Stream 1" packets in an invalid pattern. This is done by spamming subsequent frames.

The comparison shows no significant differences between the configurations. This demonstrates that CBM is successfully enforcing the correct behavior. This is done by removing all "Stream 1" frames of the corrupted source that would exceed the reserved bandwidth. Therefore "Stream 2" is not affected by "Node 1" spamming.

[Figure 6: Impact of CBM on Stream 1 in Switch 1. Output bandwidth [Mbit/s] and No. of frames dropped per second over input bandwidth [Mbit/s]; series: bandwidth relationship, frames dropped.]

Figure 6 presents the output bandwidth and the number of frames dropped in the CBM in "Switch 1" for "Stream 1", produced by eight simulation runs. For each run, the input bandwidth produced by "Node 1" is incremented. The reserved bandwidth of 25 Mbit/s is fixed. It is expected that the output would not cross this reserved bandwidth value.

The result reflects the wanted CBM behavior. No frame is dropped, and the output bandwidth is the same as the input bandwidth until the input overshoots the reserved bandwidth of 25 Mbit/s. At this point, the number of frames dropped increases as a function of the input bandwidth, because each frame that would exceed the reserved bandwidth is dropped by the CBM.

A selected section of this CBM algorithm is shown in Figure 7. It presents the credit value, frame ingress, and output bandwidth for a specific timeslot of the simulation. "Node 1" produces a valid "Stream 1" packet flow of 25 Mbit/s in this scenario. Although the CBM output bandwidth never exceeds the reserved bandwidth over time, it allows short crossings like its counterpart CBS.

[Figure 7: Section of CBM credit, frame, and bandwidth. Credit value (with $Credit_{max}$ marked), frame on ingress, and bandwidth [Mbit/s] over simulation time [ms].]

Because no frame is received between 146.625 ms and 146.75 ms, the credit increases as a function of this duration. This continues until it reaches its maximum, which is dependent on $Burst_{max}$.

In this case, the $Burst_{max}$ value is 3. This results in a $Credit_{max}$ value of ca. 4650. The corresponding equation 6 shows the calculation of this $Credit_{max}$ value.

$$Credit_{max} = |sendslope| \cdot T_{duration} \cdot (Burst_{max} - 1) \approx 75\,\text{Mbit/s} \cdot \;\mu\text{s} \cdot (3 - 1) = 4650 \tag{6}$$

Next, a continuous burst of 3 frames would be allowed. In this case, just two subsequent packages are incoming. This results in a zoomed in bandwidth of 50 Mbit/s between 146.75 ms and 146.875 ms.

This shows that the reserved bandwidth could be overshot massively for shorter periods. This is dependent on the configuration of $Burst_{max}$. From this also follows that the $Burst_{max}$ value has no influence on the over-time bandwidth restriction. Buffer sizes have to support the $Burst_{max}$ values to guarantee that they do not overflow.

The CBM enforces this upper barrier. For a configured network, the maximum latencies could be calculated and are valid even if a malfunction or attack results in an invalid behavior of individual network participants. This protects the integrity and availability of the in-car communication system.

The demand for interconnecting an increasing multitude of sensors, actuators, and ECUs in today's vehicles guides in-car networks to adopt real-time Ethernet technologies. Flattening the network in this way creates new vulnerabilities within the in-car network. The CBM is a solution for a TSN meter algorithm to protect the system against DoS attacks. It protects the integrity and availability of an in-car communication system by individually controlling the stream input on each ingress port of the network. The CBM allows all valid traffic patterns of a CBS algorithm. An attacker could use the burst behavior to briefly overcome the reserved bandwidth restrictions, but the credit boundary limits the bandwidth over an extended period. This limit is the same as the reserved bandwidth. The maximum burst parameter has to be as low as possible to gain the best performance. However, it still must allow the valid worst-case scenario of a specific input port. This trade-off between performance and worst-case estimation has to be considered.

In future work, the compatibility with other TSN traffic shaper concepts will be evaluated. Furthermore, combined operation of different ingress control mechanisms will be simulated. In addition, the benefits of the ingress control metrics for anomaly detection will be analyzed.

Our simulation models and the extensions in this work are published at sim.core-rg.de.

Acknowledgments

This work is funded by the German Federal Ministry of Education and Research (BMBF) within the SecVI project.

References

[1] Stephen Checkoway, Damon Mccoy, Brian Kantor, Danny Anderson, Hovav Shacham, Stefan Savage, Karl Koscher, Alexei Czeskis, Franziska Roesner, and Tadayoshi Kohno. Comprehensive Experimental Analyses of Automotive Attack Surfaces. USENIX Security, 2011.
[2] K. Iehira, H. Inoue, and K. Ishida. Spoofing attack using bus-off attacks against a specific ecu of the can bus. In , pages 1–4, Jan 2018.
[3] Institute of Electrical and Electronics Engineers. IEEE Standard for Local and metropolitan area networks – Bridges and Bridged Networks - Amendment 25: Enhancements for Scheduled Traffic. Standard, IEEE, March 2016.
[4] Institute of Electrical and Electronics Engineers. IEEE Standard for Local and metropolitan area networks–Bridges and Bridged Networks–Amendment 28: Per-Stream Filtering and Policing. Standard, IEEE, September 2017.
[5] Institute of Electrical and Electronics Engineers. IEEE Standard for Local and Metropolitan Area Network–Bridges and Bridged Networks. Standard, IEEE, July 2018.
[6] Kirsten Matheus and Thomas Königseder. Automotive Ethernet. Cambridge University Press, Cambridge, United Kingdom, January 2015.
[7] Philipp Meyer, Franz Korf, Till Steinbach, and Thomas C Schmidt. Simulation of mixed critical in-vehicular networks. In Recent Advances in Network Simulation, pages 317–345. Springer, 2019.
[8] Philipp Meyer, Till Steinbach, Franz Korf, and Thomas C. Schmidt. Extending IEEE 802.1 AVB with Time-triggered Scheduling: A Simulation Study of the Coexistence of Synchronous and Asynchronous Traffic. In , pages 47–54, Piscataway, NJ, USA, December 2013. IEEE Press.
[9] Charlie Miller and Chris Valasek. Remote exploitation of an unaltered passenger vehicle. Black Hat USA, 2015:91, 2015.
[10] Syed Rizvi, Jonathan Willett, Donte Perino, Tyler Vasbinder, and Seth Marasco. Protecting an automobile network using distributed firewall system. In Proceedings of the Second International Conference on Internet of Things, Data and Cloud Computing, ICC '17, pages 174:1–174:6, New York, NY, USA, 2017. ACM.
[11] Till Steinbach, Hermand Dieumo Kenfack, Franz Korf, and Thomas C. Schmidt. An Extension of the OMNeT++ INET Framework for Simulating Real-time Ethernet with High Accuracy. In Proceedings of the 4th International ICST Conference on Simulation Tools and Techniques, pages 375–382, New York, March 2011. ACM-DL.