U-M Scientists Create Cybersecurity System for Cars, Spacecraft

Researchers at the University of Michigan in Ann Arbor are creating a cybersecurity system designed to protect vehicles from cars to spacecraft thanks to a $1.8 million grant from the Defense Advanced Research Projects Agency (DARPA).
Ironpatch illustration
U-M researchers are creating a cybersecurity system designed to protect vehicles of all kinds. // Image courtesy of the University of Michigan

Researchers at the University of Michigan in Ann Arbor are creating a cybersecurity system designed to protect vehicles from cars to spacecraft thanks to a $1.8 million grant from the Defense Advanced Research Projects Agency (DARPA).

All vehicles are run by hundreds of processors and millions of lines of code that were designed separately but must work together to make the vehicles work. The U-M team is working on a solution to keep all of the systems updated and free of security vulnerabilities.

“It’s a little bit of a mess,” says Baris Kasikci, professor of computer science and engineering. “Traditionally, you fix the bug in the source code, you rebuild the software, and you redeploy it. But these moving environments are really hostile to that model because there’s a lot of different software and lots of different kinds of computers.”

Kasikci and his team are developing a solution called Ironpatch. Part of DARPA’s $50 million Assured Micropatching Program, the four-year project aims to develop a self-contained patching system to solve the growing problem of security vulnerabilities in vehicles.

Ironpatch is a fundamental shift from the types of software patches that are common on widely used computer systems. These patches are made by producing a replica of a computer system, then making changes to its source code. Next, the patch is tested to make sure it doesn’t interfere with the software’s functionality. The program is then rebuilt using a tool called a compiler, which converts the source code into ones and zeros the computer reads. Finally, it’s loaded onto the computer.

This doesn’t work for cars, where it can be impossible to produce an accurate replica of a system for testing, and editing and recompiling can tangle the complex web of code in ways that cannot be predicted.

“You’ve got hundreds of processors running different types of software, different versions of software, written in different languages by different people,” Kasikci says. “And the system can change over time – for example, if a spacecraft adds a new component for monitoring terrestrial events on a planet. Replicating all those systems in exactly the right way is really an insurmountable task.”

Ironpatch bypasses the source code and instead makes tiny modifications called micropatches directly to the binary heart of the running software. This eliminates the need to recompile the software and, because the changes are so minute, they can fix problems without causing others.

The solution is designed to be self-contained; once a vulnerability is identified, the system will automatically generate, verify, and apply a micropatch to eliminate it. This also eliminates the need to upload software patches to a remotely located system, which is helpful when a system is located on a spacecraft millions of miles away.

“We often assume that software developers have access to source code and sophisticated vehicle simulation environments,” Leach says. “However, some scenarios make that infeasible. We see an increasing need to develop techniques that deploy patches to vulnerable software that are generated without having an entire simulation stack or original source code available.”

To avoid the need to build a replica of the vehicle’s system for testing, Ironpatch will convert the original software and the patched version into two mathematical equations. Then it will solve the two equations, mathematically proving that both programs function in exactly the same way except for the intended modifications.

“Because we don’t have a replica of the system to test the patch on, we need another way to demonstrate that the micropatch won’t alter the baseline functionality of the system,” Kapritsos says. “So, we use mathematical proofing to reason within the binary code, showing that the patched version and the original version have the same functionality.”

The goal is for the finished system to be able to generate and deploy patches automatically when security vulnerabilities are found, keeping the most convoluted systems error-free. While the first versions of the system are being designed for trucks and spacecraft, Kasikci predicts that something similar will ultimately trickle down to more widely used systems like those in cars. In the future, it could also give technicians the ability to diagnose and repair computer software without having access to the source code.

“The broader impact of this work is the ability to patch software directly in the binary code without the need for intermediary steps like compiling and without needing access to the source code,” says Westley Weimer, professor and another researcher on the project. “So it could be used to keep cars more secure, or even other types of computers like smart home components or legacy systems. It would be possible to do an audit, to go in and make sure the software is secure and is doing what it says it’s doing.”