Hochschule Karlsruhe Hochschule Karlsruhe - University of Applied Sciences
NewsTerminePersonenim Notfall
Hochschule Karlsruhe Hochschule Karlsruhe - University of Applied Sciences Hochschule Karlsruhe Hochschule Karlsruhe - University of Applied Sciences
Hochschule Karlsruhe Hochschule Karlsruhe - University of Applied Sciences

Reasonable disclosure grace periods for security vulnerabilities in vehicle software

Criticality-based vulnerability disclosure, rather than blanket deadlines to better protect drivers worldwide

For many years, the number of detected cyber-attacks assigned to the automotive sector has been growing steadily. With the integration of intrusion detection and prevention systems (IDPS), the amount of information processed about cyber incidents is expected to increase significantly, making efficient incident response management (IRM) necessary. In addition to the categorization of security events, the rapid prioritization and remediation of detected vulnerabilities will also gain in importance. Time is of the essence when reacting to vulnerabilities. With UN regulation R155 coming into force in 2021, the implementation of processes for IRM has become relevant for type approval for all OEMs in many parts of the world. Accordingly, the implementation of processes capable of detecting cyber incidents and responding to vulnerabilities must be demonstrated. The regulation demands response within a ’reasonable time frame’. We provide a tool to make assessment of the reasonable remediation time for automotive software vulnerabilities quantifiable. Thus, we introduce an objectifiable metric that can harmonize vulnerability management and disclosure more efficient. Potential use cases for our tool are prioritization of vulnerability remediation actions, as well as assessment of appropriate grace periods in the context of Coordinated Vulnerability Disclosure (CVD) processes. learn more

You are a CVD process coordinator or car manufacturer.

Use our tool to assess time- & process criticality of the disclosure process
and make timelining transparent, 
reasonable and fair for all stakeholders.

       Free to use       GPC-Glossary
Avoiding 0-day disclosure

Harmonization and escalation prevention through transparent evaluation criteria.

Resource efficient

More efficient vulnerability prioritization by including process criticality.

SecForCARs compliant

Driving mitigation of vulnerabilities in reasonable timeframes.

Use the WebTool now

           Let's go!          

Unlicensed and free to use

Our tool and the underlying metric are unlicensed and free to use and modify. A continuous improvement and further development process by the community is explicitly desired. We ask everyone interested to communicate changes and improvements to the calculation tool or the underlying metric with us.

Contact us

How our calculating tool works

The tool calculates the reasonable grace period TGP by scaling a given default grace period T0. The extent of scaling depends on factors time and process criticality (TCF and PCF, resp.) and additional summands. The value of default grace period T0 can be defined by the user and can be scaled between 0-100% and additionally prolonged by certification and approval demands (APP) and remediation dissemination possibilities (R) (see Figure below).

Calculation formula

TGP = T0 ⋅ GP + APP + [r ⋅ R]

T1 = T0 ⋅ (1 + PCF)
T2 = T1 ⋅ (1 − TCF)
GP = (1 + PCF) ⋅ (2 − TCF)

The TCF is influenced by the factors Vulnerability Risk Value RV, Exploit Code Maturity EM, Remediation Level RL, Report Confidence RC, Exploit Code Dissemination ED and Incident Scale ISC.

TCF = RV · EM · RL · RC · ED · ISC
0,5 ≤ TCF ≤ 1
Underlying logic, source: Robin Bolz

Background and overall context

The UN regulation R155 demands response to vulnerabilities in vehicle software within a 'reasonable time frame'. However, precise specifications as well as an evaluation basis for adequacy is not given. Efficient Incident Response Management (IRM) may require cooperation along the supply chain with as little friction as possible. An industry-wide common understanding of the term 'reasonableness' is necessary to implement a corresponding internal resource allocation. From our point of view, there is a lack of sufficient experience and data in the automotive sector to evaluate 'reasonableness'.

Use our tool to make assessment of the reasonable remediation time for automotive software vulnerabilities quantifiable.

CVD stakeholder and principles, source: Robin Bolz

Use Case CVD

A CVD program can help to continuously maintain or enhance the cybersecurity of a product during its lifetime. Various strategies have been established in practice for the disclosure of vulnerabilities. ISO/IEC 29147 standardizes these processes with the goal of minimizing 0-day disclosures and thus potential threats from exploits.

Stakeholders (see Figure beside) perspectives and expectations on a Coordinated Vulnerability Disclosure (CVD) process may differ. A key goal is to prevent escalations such as 0-day disclosure or even exploits. Harmonizing the understanding of the appropriate remediation time or the associated disclosure period (grace period) can help prevent escalation. For this to happen, there needs to be a common understanding of which assessment criteria are valid. Our cross-industry research has shown that blanket, strict grace periods for disclosing information on -at worst- unaddressed vulnerabilities are often specified1. This procedure could lack a consideration of the appropriateness for a given individual vulnerability (escalation management). Especially for enormously safety relevant and complex systems-of-systems such as vehicles, the blanket definition of strict deadlines does not seem to be appropriate and even negligent. We welcome the handling of the Automotive Security Research Group (ASRG)2, which specifies a fixed grace period of 90 days, but explicitly allows leeway when it makes sense. Our tool builds on this by defining valid criteria to reasonably measure this leeway.

Our tool enables the determination of individual grace periods that address the time and process criticality of an individual CVD process, rather than setting blanket strict and unreasonable deadlines.

1 Rapid7 Disclosure Policy. www.rapid7.com/security/disclosure/
Project Zero Disclosure Policy. googleprojectzero.blogspot.com/2020/01/policy-and-disclosure-2020-edition.html
CERT/CC Disclosure Policy. vuls.cert.org/confluence/display/Wiki/Vulnerability+Disclosure+Policy.
Zero day Initiative Disclosure Policy. www.zerodayinitiative.com/advisories/disclosure_policy/
2 ASRG Disclosure Policy. asrg.io/disclosure/

 

Test our 
WebTool now!

Grace Period Calculator

                      

Further documents & links

Metric & Criteria specification

Specification document

White paper

Web Calculation Tool

Our WebTool is a non-licensed open source project and was developed within SecForCARs

Technical documentation of the WebTool (GER)

Our Security-Projects

SAVE

Securing Automated Vehicles – Japan-Germany. Extension of the SecForCARs Project.

Duration: 11/2020 – 06/2023

learn more

SecForCARs

Security For Connected, Autonomous CARs.

Duration: 04/2018 – 12/2021

learn more

„Next Level“-Main Inspection

Research Project for More Road Safety of Autonomous Vehicles.

Duration: 04/2018 – 03/2023

learn more

AUTO-SIMA

Secure Control of Data in the Vehicle.

Duration: 10/2017 – 03/2022 

learn more

 

Some publications

  • Bolz R: Evaluating reasonable patching times for security product vulnerabilities in the automotive field. In: Feßler D, Kettner M, Kriesten R, Nenninger P, Offermann P (Hrsg.): Reports on Energy Efficient Mobility. 3 Aufl., 2023, S. 140-156 (Elektronische Veröffentlichung: dx.doi.org/10.5281/zenodo.7573669)
  • Can Kaya U, Bolz R: Survey on Vulnerability Report Handling in the Automotive Environment. In: Feßler D, Kettner M, Kriesten R, Nenninger P, Offermann P (Hrsg.): Reports on Energy Efficient Mobility : Volume 2. 2022 (Reports on Energy Efficient Mobility 2), S. 17-31 (Elektronische Veröffentlichung: doi.org/10.5281/zenodo.6373380)
  • Bolz, R., Kriesten, R.: Automotive Vulnerability Disclosure: Stakeholders, Opportunities, Challenges. In: Journal of Cybersecurity and Privacy, ISSN 2624-800X, Vol. 1 (2021), Nr. Issue 2, 14 S. (Elektronische Veröffentlichung: doi.org/10.3390/jcp1020015)
  • Bolz, R., Ahmed, R.,: Continuous Maintenance of Automotive Security in the Post-Production Phase through Coordinated Vulnerability Disclosure. Vol. 1 Aufl., Zenodo 2021, 55 S. (Elektronische Veröffentlichung:  doi.org/10.5281/zenodo.4569338)
  • Sommer F, Rumez M, Dürrwang J, Bolz R, Kriesten R: Enhancement of Cyber Security for Cyber Physical Systems in the Automotive Field Through Attack Analysis. In: Embedded World Exhibition & Conference ... it's a smarter world. Embedded World Exhibition & Conference (Nuremberg, 25.-27.02.2020), Haar: Weka Fachmedien 2020, 7 S.- ISBN 978-3-645-50186-6
  • Bolz R, Dürrwang J, Rumez M, Sommer F, Kriesten R: Unterstützung der Security-Entwicklung von Fahrzeugen durch Angriffsanalysen. In: Forschung aktuell, ISSN 1613-4958 (2020), S. 28-33 (Elektronische Veröffentlichung: Forschung aktuell 2020)

Further publications

Interested in a Research Cooperation?

Feel free to contact us!

Contact

Head of Automotive Security
Prof. Dr.-Ing. Reiner Kriesten
Tel.: +49 (0)721 925-1423 
reiner.kriestenspam prevention@h-ka.de

address & post

Main focus

(Model-based) Security Testing 
Vulnerability Management
Firewalls
Access control procedures
Service-oriented architectures (SOA)
Intrusion detection systems (IDS)

learn more

Equipment

Automotive Mobility Lab

Publications

Completed Doctorates

All IEEM Publications

Karlsruhe
Institut für Energieeffiziente Mobilität (IEEM)
Moltkestr. 30
76133 Karlsruhe

Post  >
Institut für Energieeffiziente Mobilität (IEEM)
Postfach 2440
76012 Karlsruhe