TruckSentry: Context Aware Intrusion Detection and Prevention System for J1939 Networks

Abstract

Medium and heavy-duty vehicles often have third party devices connected to their in-vehicle networks, which raises security concerns. A gateway or firewall is used as an architectural element in the vehicle network to help mitigate threats from direct access to these external connections. However, the logic used in these gateways is often unknown. As such, this paper describes and demonstrates the logic of TruckSentry, a next-generation stateful firewall for in-vehicle SAE-J1939 networks within medium and heavy-duty vehicles. TruckSentry consumes conditional rules, enforces them in a stateful manner, and can be configured to pre-empt seemingly threatening messages from being processed by the target device. By utilizing radix search trees on the bits transmitted on the Controller Area Network, the approach can apply rules during transmission. If a malicious message is detected, the system can induce bit flips in the message stream and prevent the message from reaching the application layer. Experiments with correctly configured rules show TruckSentry can identify known threats to SAE-J1939 networks while being attached to a broadcast in-vehicle network and support hundreds of rules at wire speed, even when deployed on commodity in-vehicle development hardware. TruckSentry also demonstrates the use case of next generation firewalls on serial embedded networks, especially where contextual information can be obtained and used to evaluate threatening messages.