TY - JOUR
T1 - FirmCAN
T2 - Sensitive CAN Knowledge Leakage from Automotive ECUs
AU - Hao, Xinpeng
AU - Li, Xiangxue
N1 - Publisher Copyright:
© 2025 Copyright held by the owner/author(s). Publication rights licensed to ACM.
PY - 2025/9/12
Y1 - 2025/9/12
N2 - As the de facto standard for in-vehicle network communication among ECUs (Electronic Control Units), the CAN (Controller Area Network) protocols invented by Bosch rely on privately defined unique identifiers (CAN IDs) in CAN messages, which carry no destination address. Under the error-handling mechanisms of the CAN protocols, an ECU that accumulates enough transmission errors enters the bus-off state (i.e., goes offline) and is recovered according to a prescribed bus-off recovery mode (BOM). This sensitive CAN knowledge, concealed inside an ECU by OEMs (Original Equipment Manufacturers), is not meant to be revealed; yet it has extensive practical applications, both for adversarial behavior (e.g., targeted ECU attacks) and for security enhancement mechanisms (e.g., intrusion detection system design). This article presents FirmCAN, the first automatic analysis framework for extracting sensitive CAN knowledge (CAN IDs and the bus-off recovery mode, in particular) compiled into automotive ECU firmware. FirmCAN first identifies the base address (using accurate absolute function entry addresses) and then performs CAN module API positioning and sensitive configuration information resolution. We focus on automotive ECUs that use fixed-address mailboxes as CAN module transmission buffers (e.g., Renesas SuperH/RA series) and present concrete algorithms for each analysis phase. Our experimental evaluation first investigates firmware extracted from real automotive ECUs. We then develop our own applications on RA6M4 development boards, which not only produce the firmware required to evaluate FirmCAN but also establish ground truth through hardware debugging. All evaluations demonstrate that FirmCAN accurately recovers the above-mentioned sensitive CAN knowledge. FirmCAN generalizes readily to extended frames and to CAN modules with similar transmission logic, e.g., those from TI (Texas Instruments), ST (STMicroelectronics), and others.
KW - CAN identifier
KW - CAN module
KW - Internet of vehicles security
KW - bus-off recovery mode
KW - information leakage
UR - https://www.scopus.com/pages/publications/105018962824
U2 - 10.1145/3711832
DO - 10.1145/3711832
M3 - Article
AN - SCOPUS:105018962824
SN - 1539-9087
VL - 24
JO - ACM Transactions on Embedded Computing Systems
JF - ACM Transactions on Embedded Computing Systems
IS - 5
M1 - 76
ER -