In recent years, the rapid development of Intelligent Connected Vehicles (ICVs) has been accompanied by a series of security threats and potential risks, leading to heightened concern about automotive security within the industry. The security of in-vehicle systems is the foundation of Vehicle-to-Everything (V2X) technology, and the primary security issues center on the in-vehicle CAN bus. In-Vehicle Infotainment (IVI) systems, as one of the crucial attack surfaces, have become entry points to the CAN bus. Many automakers and third-party companies have introduced in-vehicle apps that communicate with vehicles, integrating smartphones with IVI systems. Consequently, the security threats faced by in-vehicle mobile applications are gradually being exposed. At the top security conference NDSS, researchers reverse engineered vehicle-related apps and proposed a reverse engineering system called CANHUNTER. They designed a CAN bus command recovery method combining backward slicing with dynamic forced execution, and tested it on 236 apps from Google Play and the Apple App Store on the Android and iOS platforms. CANHUNTER recovered 182,619 CAN bus commands covering 360 models from 21 automakers, with a recovery rate of 86.1%. This study has once again drawn the attention of academia and industry. However, the method leaves room for improvement. On the one hand, the static analysis overlooks the context information of the app, which lowers the recovery rate; on the other hand, the dynamic analysis still faces challenges such as poor backward slicing performance in complex, large-scale function spaces and significant resource consumption.

This paper focuses on the following work:

(1) To address the static analysis problem of CANHUNTER, a static reverse analysis method based on program context is proposed to improve the recovery rate of bus commands and ECU function semantics. First, a representation and storage method based on a fourth-order tensor context model is designed to extract sensitive permissions, CAN message frame IDs, and ECU function semantics from the program context. Static reverse analysis is then conducted, and two basic analysis operators, (6-(88)0)() and 7)0)4)9)2)(), based on hierarchical clustering are further proposed. Finally, reverse analysis of the in-vehicle application Carly is carried out, and the effectiveness of the method is verified experimentally in terms of semantic syntax recovery, ECU function semantic similarity, and functional distribution.

(2) To address the dynamic analysis problem of CANHUNTER, a dynamic reverse analysis method based on neural subgraph matching is proposed to further improve the recovery rate and reduce resource consumption, building on the static analysis results. First, a pattern subgraph analysis based on the static analysis is proposed to identify critical pattern subgraphs. Then, neural subgraph matching is used to match the critical pattern subgraphs against forward and backward function call graphs, yielding a set of candidate subgraphs. Finally, forward forced execution is used to perform reverse analysis of the in-vehicle application Carly, and the effectiveness of the method is verified through semantic syntax recovery and subgraph matching results.