Chair: Michaël Lauer (LAAS-CNRS)
Welcome address
Paper 1: Vehicular Platoon Communication: Cybersecurity Threats and Open Challenges, Sean Taylor, Farhan Ahmad, Hoang Nga Nguyen, Siraj A. Shaikh, David Evans† and David Price
Vehicle platooning is an emerging technology that promises to save space on congested roadways, improve safety and use less fuel for transporting goods, reducing greenhouse gas emissions. This technology will draw the attention of attackers seeking to profit or to prove themselves to their peers by disrupting the platoons. A platoon has several attack surfaces that attackers can exploit to achieve their goals (either personal or financial). This paper aims to discuss various attacks that attackers can launch against platoons by exploiting wireless communication weaknesses. Furthermore, we present different known strategies which are currently used to defend platoons from attackers. We believe this paper's primary contribution will help new researchers in this domain, as well as the automotive industry and smart city planners.
Paper 2: SaSeVAL: A Safety/Security-Aware Approach for Validation of Safety-Critical Systems, Christian Wolschke, Behrooz Sangchoolie, Jacob Simon, Stefan Marksteiner, Tobias Braun and Hayk Hamazaryan
Increasing communication and self-driving capabilities for road vehicles lead to threats posed by attackers. In particular, attacks leading to safety violations have to be identified so that they can be addressed by appropriate measures. The impact of an attack depends on the threat exploited, potential countermeasures and the traffic situation. In order to identify such attacks and to use them for testing, we propose the systematic approach SaSeVAL for deriving attacks on autonomous vehicles.
SaSeVAL is based on threat identification and safety-security analysis. The impact of automotive use cases on attacks is considered. The threat identification considers the attack interface of vehicles and classifies threat scenarios according to threat types, which are then mapped to attack types. The safety-security analysis identifies the necessary requirements which have to be tested based on the architecture of the system under test. It determines which safety impact a security violation may have, and in which traffic situations the highest impact is expected. Finally, the results of threat identification and safety-security analysis are used to describe attacks.
The goal of SaSeVAL is to achieve safety validation of the vehicle w.r.t. security concerns. It traces safety goals to threats and to attacks explicitly. Hence, the coverage of safety concerns by security testing is assured. Two use cases of vehicle communication and autonomous driving are investigated to prove the applicability of the approach.
— 5-minute break —
Chair: João Carlos Cunha (Coimbra Polytechnic, Portugal)
Paper 3: Suraksha: A Quantitative AV Safety Evaluation Framework to Analyze Safety Implications of Perception Design Choices, Hengyu Zhao, Siva Kumar Sastry Hari, Timothy Tsai, Michael B. Sullivan, Stephen W. Keckler and Jishen Zhao
This paper proposes an automated AV safety evaluation framework, Suraksha, that quantifies and analyzes the sensitivities of different design parameters on AV safety in a set of generated driving conditions based on a user-specified difficulty target.
It enables the exploration of tradeoffs in requirements either in existing AV implementations to find opportunities for improvement or during the development process to explore the component-level requirements for an optimal and safe AV architecture.
As perception is a resource-demanding task, we employ Suraksha to analyze the safety effects of using various perception parameters on an industrial AV system.
Paper 4: Evaluation of a Fail-Over Mechanism for 1oo2D Architectures in Highly-Automated Driving, Rupert Schorn and Wilfried Steiner
While self-driving cars show remarkable progress in their autonomy capabilities, they are still lacking a necessary and sufficient level of dependability. As a consequence, today's self-driving cars require a human operator to monitor the car for potential safety violations and to take over control in critical situations. The challenges on the way to a truly dependable and trustworthy self-driving car are manifold. One of the challenges is the design of an appropriate fault-tolerant architecture. In this paper we investigate the 1-out-of-2 with Diagnostics (1oo2D) architecture paradigm for highly-automated driving and study the fail-over mechanism in detail. We present an implementation based on industrial techniques and technologies, and the evaluation results of fault-injection studies.
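As an added illustration for readers unfamiliar with the 1oo2D pattern (this is not code from the paper above, whose implementation the abstract does not describe), the following model captures the generic fail-over logic of a 1-out-of-2 architecture with diagnostics and drives it with injected faults: control stays with the active channel while its diagnostics report it healthy, fails over to the other channel when a fault is detected, and drops to a safe state when both channels are flagged. The channel names, the fault model, the fixed setpoint and the "detected/undetected" coverage flag are assumptions of this example; the undetected case is included because a fault the diagnostics miss is exactly what a 1oo2D arrangement cannot mask on its own.

```python
"""Generic 1oo2D (one-out-of-two with diagnostics) fail-over model with fault injection.

Added example; the channel names, fault model and diagnostic-coverage flag are assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    A = "channel_A"
    B = "channel_B"
    SAFE = "safe_state"


@dataclass
class Channel:
    name: str
    faulty: bool = False     # an injected fault is present in this channel
    detected: bool = False   # the channel's own diagnostics flagged the fault

    def compute(self, setpoint: float) -> float:
        # Assumed fault model: a faulty channel emits a corrupted command.
        return setpoint + 10.0 if self.faulty else setpoint

    def healthy(self) -> bool:
        # Only what the diagnostics report is visible to the fail-over logic.
        return not self.detected


@dataclass
class OneOutOfTwoD:
    a: Channel
    b: Channel
    active: State = State.A
    log: list = field(default_factory=list)

    def step(self, setpoint: float):
        """One control cycle: returns the command, or None once in the safe state."""
        if self.active == State.SAFE:
            return None
        chans = {State.A: self.a, State.B: self.b}
        if not chans[self.active].healthy():
            other = State.B if self.active == State.A else State.A
            if chans[other].healthy():
                self.log.append(f"fail-over {self.active.value} -> {other.value}")
                self.active = other
            else:
                self.log.append(f"both channels flagged: {self.active.value} -> safe state")
                self.active = State.SAFE
                return None
        return chans[self.active].compute(setpoint)


def inject(channel: Channel, detected: bool) -> None:
    """Inject a permanent fault; 'detected' models whether diagnostics cover it."""
    channel.faulty = True
    channel.detected = detected


def run_campaign(scenario, cycles: int = 6, setpoint: float = 1.0):
    """scenario: list of (cycle, channel_name, detected) fault injections (constructed input).

    Returns ([(active_state, output, undetected_error), ...], fail-over log).
    'undetected_error' is True when a corrupted command reached the output.
    """
    system = OneOutOfTwoD(Channel("A"), Channel("B"))
    trace = []
    for cycle in range(cycles):
        for (at, name, detected) in scenario:
            if at == cycle:
                inject(system.a if name == "A" else system.b, detected)
        y = system.step(setpoint)
        undetected = y is not None and y != setpoint
        trace.append((system.active, y, undetected))
    return trace, system.log


if __name__ == "__main__":
    for label, sc in [("detected fault in A", [(2, "A", True)]),
                      ("detected faults in A then B", [(1, "A", True), (3, "B", True)]),
                      ("undetected fault in A", [(2, "A", False)])]:
        trace, log = run_campaign(sc)
        print(label, [(s.value, y, u) for s, y, u in trace], log)
```

The third scenario is the one a fault-injection campaign is really after: the system never leaves channel A, the output is wrong, and nothing in the log records it, which is why diagnostic coverage rather than redundancy alone decides what a 1oo2D design can claim.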
Paper 5: Safety Verification of Neural Network Controlled Systems, Arthur Clavière, Eric Asselin, Christophe Garion and Claire Pagetti
In this paper, we propose a system-level approach for verifying the safety of systems combining a continuous-time physical system with a discrete-time neural network based controller. We define a generic modelling approach and an associated reachability analysis that soundly approximates the reachable states of the overall system. We illustrate our approach through a real-world use case.
— 5-minute break —
Chair: Kalinka Branco (Universidade de São Paulo, Brazil)
Paper 6: Certifying Emergency Landing for Safe Urban UAV, Joris Guerin, Kevin Delmas and Jérémie Guiochet
Unmanned Aerial Vehicles (UAVs) have the potential to be used for many applications in urban environments. However, allowing UAVs to fly above densely populated areas raises concerns regarding safety. One of the main safety issues is the possibility of a failure causing the loss of navigation capabilities, which can result in the UAV falling or landing in hazardous areas such as busy roads, where it can cause fatal accidents. Current standards, such as the SORA published in 2019, do not consider applicable mitigation techniques to handle this kind of hazardous situation. Consequently, certifying UAV urban operations implies demonstrating very high levels of integrity, which results in prohibitive development costs. To address this issue, this paper explores the concept of Emergency Landing (EL). A safety analysis is conducted on an urban UAV case study, and requirements are proposed to enable the integration of EL as an acceptable mitigation means in the SORA. Based on these requirements, an EL implementation was developed, together with a runtime monitoring architecture to enhance confidence in the system. Preliminary qualitative results are presented, and the monitor seems to be able to detect errors of the EL system effectively.
Paper 7: CyberGSN: A Semi-formal Language for Specifying Safety Cases, Tewodros A. Beyene and Carmen Carlan
The use of safety cases to explicitly present safety argumentation considerations and decisions is a common practice in the safety-critical domain. A safety case can be used to scrutinize the safety assessment approach used by practitioners internally, or as an input to the certification process for an external certifying authority. However, safety cases are still created manually using notations such as the Goal Structuring Notation (GSN) to explicate the safety assessment and assurance measures followed. In addition, although safety cases may be created in a modular way by multiple entities, and it may be critical for each entity to digitally sign its part of the assurance for accountability, common notations such as GSN are not expressive enough to include the notion of entity. Especially in cyber-security applications, the notion of entity is very critical. In this paper, we propose a formal-logic-based language called CyberGSN, with an explicit notion of entity, that can be used for specifying safety cases and safety case patterns, enabling the automated creation and maintenance of safety cases.
Paper 8: A Safety Architecture for Centralized E/E Architectures, Victor Bandur, Vera Pantelic, Timofey Tomashevskiy and Mark Lawford
A safety architecture for domain-centralized E/E (Electric and/or Electronic) architectures is proposed to specifically address the scenario where the domain controller of a centralized vehicle domain fails catastrophically. The proposed architecture is based on decentralized control implementing a functional fallback strategy that is distributed over the remaining functioning ECUs in the affected domain. The safety architecture is also applicable to cross-domain E/E architectures.
— 5-minute break —
Chair: Jean-Charles Fabre (LAAS-CNRS, INP-Toulouse, France)
Panelists:
Michael Paulitsch (Intel, Germany)
David Espes (Univ. Bretagne Occidentale, France)
Márjory da Costa-Abreu (Sheffield Hallam University, UK)
Jelena Frtunikj (Argo AI, Germany)