CANTO - Covert AutheNtication With Timing Channels Over Optimized Traffic Flows for CAN
IEEE Transactions on Information Forensics and Security (IF 6.3), Pub Date: 8-19-2020, DOI: 10.1109/tifs.2020.3017892
Bogdan Groza, Lucian Popa, Pal-Stefan Murvay

Previous research works have endorsed the use of delays and clock skews for detecting intrusions or fingerprinting controllers that communicate on the CAN bus. Recently, timing characteristics of CAN frames have also been used for establishing a covert channel for cryptographic authentication, in this way cleverly removing the need for cryptographic material inside the short payload of data frames. However, the main drawback of this approach is the limited security level that can be achieved over existing CAN bus traffic. In this work we significantly improve on this by relying on optimization algorithms for scheduling CAN frames and deploy the covert channel on optimized CAN traffic. Under practical bus allocations, we are able to extract 3-5 bits of authentication data from each frame, which leads to an efficient intrusion detection and authentication mechanism. By accumulating covert channel data over several consecutive frames, we can achieve higher security levels that are in line with current real-world demands. To prove the correctness of our approach, we present experiments on automotive-grade controllers, i.e., Infineon Aurix, and bus measurements with the use of industry-standard tools, i.e., CANoe.

Updated: 2024-08-22