LG · Mar 4, 2022
Contrastive Graph Convolutional Networks for Hardware Trojan Detection in Third Party IP Cores
Nikhil Muralidhar, Abdullah Zubair, Nathanael Weidler et al.
The availability of wide-ranging third-party intellectual property (3PIP) cores enables integrated circuit (IC) designers to focus on designing high-level features in ASICs/SoCs. The massive proliferation of ICs brings with it an increased number of bad actors seeking to exploit those circuits for various nefarious reasons. This is not surprising, as integrated circuits affect every aspect of society. Thus, malicious logic (Hardware Trojans, HT) being surreptitiously injected by untrusted vendors into 3PIP cores used in IC design is an ever-present threat. In this paper, we explore methods for identification of trigger-based HT in designs containing synthesizable IP cores without a golden model. Specifically, we develop methods to detect hardware Trojans by detecting triggers embedded in ICs purely based on netlists acquired from the vendor. We propose GATE-Net, a deep learning model based on graph-convolutional networks (GCN) trained using supervised contrastive learning, for flagging designs containing randomly-inserted triggers using only the corresponding netlist. Our proposed architecture achieves significant improvements over state-of-the-art learning models, yielding an average 46.99% improvement in detection performance for combinatorial triggers and 21.91% improvement for sequential triggers across a variety of circuit types. Through rigorous experimentation and qualitative and quantitative performance evaluations, we demonstrate the effectiveness of GATE-Net and the supervised contrastive training of GATE-Net for HT detection.
SY · Nov 18, 2017
Multi-vehicle Path Following using Modified Trajectory Shaping Guidance
Ishmaal Erekson, Rajnikant Sharma, Ashwini Ratnoo et al.
In this paper, we formulate a virtual target-based path following guidance law aimed at the multi-vehicle path following problem. The guidance law is well suited to precisely follow circular paths while maintaining the desired distance between two adjacent vehicles, where path information is only available to the lead vehicle. We analytically show lateral and longitudinal stability and convergence on the path. This is also validated through simulation and experimental results.
CV · Dec 1, 2025
Physical ID-Transfer Attacks against Multi-Object Tracking via Adversarial Trajectory
Chenyi Wang, Yanmao Man, Raymond Muller et al.
Multi-Object Tracking (MOT) is a critical task in computer vision, with applications ranging from surveillance systems to autonomous driving. However, threats to MOT algorithms have not yet been widely studied. In particular, incorrect association between the tracked objects and their assigned IDs can lead to severe consequences, such as wrong trajectory predictions. Previous attacks against MOT either focused on hijacking the trackers of individual objects, or on manipulating the tracker IDs in MOT by attacking the integrated object detection (OD) module in the digital domain; these are model-specific, non-robust, and only able to affect specific samples in offline datasets. In this paper, we present AdvTraj, the first online and physical ID-manipulation attack against tracking-by-detection MOT, in which an attacker uses adversarial trajectories to transfer its ID to a targeted object to confuse the tracking system, without attacking OD. Our simulation results in CARLA show that AdvTraj can fool ID assignments with 100% success rate in various scenarios for white-box attacks against SORT, which also have high attack transferability (up to 93% attack success rate) against state-of-the-art (SOTA) MOT algorithms due to their common design principles. We characterize the patterns of trajectories generated by AdvTraj and propose two universal adversarial maneuvers that can be performed by a human walker/driver in daily scenarios. Our work reveals under-explored weaknesses in the object association phase of SOTA MOT systems, and provides insights into enhancing the robustness of such systems.
CV · May 14
Systematic Discovery of Semantic Attacks in Online Map Construction through Conditional Diffusion
Chenyi Wang, Ruoyu Song, Raymond Muller et al.
Autonomous vehicles depend on online HD map construction to perceive lane boundaries, dividers, and pedestrian crossings -- safety-critical road elements that directly govern motion planning. While existing pixel perturbation attacks can disrupt the mapping, they can be neutralized by standard adversarial defenses. We present MIRAGE, a framework for systematic discovery of semantic attacks that bypass adversarial defenses and degrade mapping predictions by finding plausible environmental variation (e.g. shadows, wet roads). MIRAGE exploits the latent manifold of real-world data learned by diffusion models, and searches for semantically mutated scenes that neighbor the ground truth and share the same road topology, yet mislead the mapping predictions. We evaluate MIRAGE on nuScenes and demonstrate two attacks: (1) boundary removal, suppressing 57.7% of detections and corrupting 96% of planned trajectories; and (2) boundary injection, the only method that successfully injects fictitious boundaries, while pixel PGD and AdvPatch fail entirely. Both attacks remain potent under various adversarial defenses. We use two independent VLM judges to quantify realism, where MIRAGE passes as realistic 80--84% of the time (vs. 97--99% for clean nuScenes), while AdvPatch passes only 0--9% of the time. Our findings expose a categorical gap in current adversarial defenses: semantic-level perturbations that manifest as legitimate environmental variation are substantially harder to mitigate than pixel-level perturbations.
SY · Aug 25, 2017 · Code
Low Cost, Open-Source Testbed to Enable Full-Sized Automated Vehicle Research
Austin Costley, Chase Kunz, Ryan Gerdes et al.
An open-source vehicle testbed to enable the exploration of automation technologies for road vehicles is presented. The platform hardware and software, based on the Robot Operating System (ROS), are detailed. Two methods are discussed for enabling the remote control of a vehicle (in this case, an electric 2013 Ford Focus). The first approach used digital filtering of Controller Area Network (CAN) messages. In the case of the test vehicle, this approach allowed for the control of acceleration from a tap-point on the CAN bus and the OBD-II port. The second approach, based on the emulation of the analog output(s) of a vehicle's accelerator pedal, brake pedal, and steering torque sensors, is more generally applicable and, in the test vehicle, allowed for full control of vehicle acceleration, braking, and steering. To demonstrate the utility of the testbed for vehicle automation research, system identification was performed on the test vehicle, and speed and steering controllers were designed to allow the vehicle to follow a predetermined path. The resulting system was shown to be differentially flat, and a high-level path following algorithm was developed using the differentially flat properties and state feedback. The path following algorithm is experimentally validated on the automation testbed developed in the paper.
CR · Aug 1, 2025
CP-FREEZER: Latency Attacks against Vehicular Cooperative Perception
Chenyi Wang, Ruoyu Song, Raymond Muller et al.
Cooperative perception (CP) enhances situational awareness of connected and autonomous vehicles by exchanging and combining messages from multiple agents. While prior work has explored adversarial integrity attacks that degrade perceptual accuracy, little is known about CP's robustness against attacks on timeliness (or availability), a safety-critical requirement for autonomous driving. In this paper, we present CP-FREEZER, the first latency attack that maximizes the computation delay of CP algorithms by injecting adversarial perturbation via V2V messages. Our attack resolves several unique challenges, including the non-differentiability of point cloud preprocessing, asynchronous knowledge of the victim's input due to transmission delays, and uses a novel loss function that effectively maximizes the execution time of the CP pipeline. Extensive experiments show that CP-FREEZER increases end-to-end CP latency by over $90\times$, pushing per-frame processing time beyond 3 seconds with a 100% success rate on our real-world vehicle testbed. Our findings reveal a critical threat to the availability of CP systems, highlighting the urgent need for robust defenses.
CR · Nov 22, 2021
Survey of Control-Flow Integrity Techniques for Embedded and Real-Time Embedded Systems
Tanmaya Mishra, Thidapat Chantem, Ryan Gerdes
Computing systems, including real-time embedded systems, are becoming increasingly connected to allow for more advanced and safer operation. Such embedded systems are resource-constrained, with lower processing capabilities, for example, than general purpose computing systems like desktops or servers. However, allowing external interfaces to such embedded systems increases their exposure to attackers. With an increase in attacks against embedded systems ranging from home appliances to industrial control systems operating critical equipment that have hard real-time requirements, it is imperative that defense mechanisms be created that explicitly consider such resource and real-time constraints. Control-flow integrity (CFI) is a family of defense mechanisms that prevent attackers from modifying the flow of execution. We survey CFI techniques, ranging from the basic to state-of-the-art, that are built for embedded systems and real-time embedded systems, and find that there is a dearth of CFI mechanisms, especially for real-time embedded systems. We then present open challenges to the community to help drive research in this domain.
CR · Mar 9, 2020
Secure Traffic Lights: Replay Attack Detection for Model-based Smart Traffic Controllers
Pratham Oza, Mahsa Foruhandeh, Ryan Gerdes et al.
Rapid urbanization calls for smart traffic management solutions that incorporate sensors, distributed traffic controllers and V2X communication technologies to provide fine-grained traffic control to mitigate congestion. As in many other cyber-physical systems, smart traffic management systems typically lack security measures. This allows numerous opportunities for adversarial entities to craft attacks on the sensor networks, wireless data sharing and/or the distributed traffic controllers. We show that such vulnerabilities can be exploited to disrupt mobility in a large urban area and cause unsafe conditions for drivers and pedestrians on the roads. Specifically, in this paper, we look into vulnerabilities in model-based traffic controllers and show that, even with state-of-the-art attack detectors in place, false-data injection can be used to hamper mobility. We demonstrate a replay attack by modeling an isolated intersection in VISSIM, a popular traffic simulator, and also discuss countermeasures to thwart such attacks.
CR · Jan 21, 2020
GhostImage: Remote Perception Attacks against Camera-based Image Classification Systems
Yanmao Man, Ming Li, Ryan Gerdes
In vision-based object classification systems, imaging sensors perceive the environment and machine learning is then used to detect and classify objects for decision-making purposes; e.g., to maneuver an automated vehicle around an obstacle or to raise an alarm to indicate the presence of an intruder in surveillance settings. In this work, we demonstrate how the perception domain can be remotely and unobtrusively exploited to enable an attacker to create spurious objects or alter an existing object. An automated system relying on a detection/classification framework subject to our attack could be made to undertake actions with catastrophic results due to attacker-induced misperception. We focus on camera-based systems and show that it is possible to remotely project adversarial patterns into camera systems by exploiting two common effects in optical imaging systems, viz., lens flare/ghost effects and auto-exposure control. To improve the robustness of the attack to channel effects, we generate optimal patterns by integrating adversarial machine learning techniques with a trained end-to-end channel model. We experimentally demonstrate our attacks using a low-cost projector, on three different image datasets, in indoor and outdoor environments, and with three different cameras. Experimental results show that, depending on the projector-camera distance, attack success rates can reach as high as 100% and under targeted conditions.
CR · Mar 4, 2019
Survey on Vehicular Ad Hoc Networks and Its Access Technologies Security Vulnerabilities and Countermeasures
Kaveh Bakhsh Kelarestaghi, Mahsa Foruhandeh, Kevin Heaslip et al.
In this study, we attempt to add to the literature of Connected and Automated Vehicle (CAV) security by incorporating the security vulnerabilities and countermeasures of Vehicular Ad hoc Networks (VANETs) and their access technologies. Compounding VANETs and modern vehicles will allow adversaries to gain access to the in-vehicle networks and take control of vehicles remotely to use them as a target or a foothold. Extensive attention has been given to the security breaches in VANETs and in-vehicle networks in the literature, but there is a gap in the literature in assessing the security vulnerabilities associated with VANETs access technologies. That is, in this paper we contribute to the CAV security literature in three ways. First, we synthesize the current literature in order to investigate security attacks and countermeasures on VANETs as an ad hoc network. Second, we survey security challenges that emerge from the application of different VANETs access technologies. To augment this discussion, we investigate security solutions to thwart adversaries from compromising the access technologies. Third, we provide a detailed comparison of the performance and security challenges of different access technologies, and propound heterogeneous technologies to achieve the highest security and best performance in VANETs. These access technologies extend from DSRC, Satellite Radio, and Bluetooth to VLC and 5G. The outcome of this study is of critical importance for two main reasons: (1) independent studies on the security of VANETs at different strata need to come together and be covered from a whole end-to-end system perspective, and (2) adversaries taking control of VANETs entities will compromise the safety, privacy, and security of road users and will be followed by legal exposure, as well as data, time and monetary losses.
CR · Apr 19, 2018
Vehicle Security: Risk Assessment in Transportation
Kaveh Bakhsh Kelarestaghi, Mahsa Foruhandeh, Kevin Heaslip et al.
Intelligent Transportation Systems (ITS) are critical infrastructure that is not immune to physical or cyber threats. Vehicles, cyber-physical systems which are a core component of ITS, can be either a target or a launching point for an attack on the ITS network. Unknown vehicle security vulnerabilities trigger a race between adversaries seeking to exploit the weaknesses and security experts seeking to mitigate the vulnerability. In this study, we identified opportunities for adversaries to take control of the in-vehicle network, which can compromise the safety, privacy, reliability, efficiency, and security of the transportation system. This study contributes in three ways to the literature of ITS security and resiliency. First, we aggregate individual risks that are associated with hacking the in-vehicle network to determine system-level risk. Second, we employ a risk-based model to conduct a qualitative vulnerability-oriented risk assessment. Third, we identify the consequences of hacking the in-vehicle network through a risk-based approach, using an impact-likelihood matrix. The qualitative assessment communicates risk outcomes for policy analysis. The outcome of this study would be of interest and use to policymakers and engineers concerned with the potential vulnerabilities of critical infrastructures.