CN118246031A - Vehicle-mounted information security testing method and device, medium and electronic equipment - Google Patents


Publication number
CN118246031A
Authority
CN
China
Prior art keywords
vehicle
application program
mounted information
test
attack
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202410624494.4A
Other languages
Chinese (zh)
Other versions
CN118246031B (en
Inventor
赵春生
黄晓延
田传印
姚艳南
李硕
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhongqi Zhilian Technology Co ltd
Original Assignee
Zhongqi Zhilian Technology Co ltd
Application filed by Zhongqi Zhilian Technology Co ltd
Priority to CN202410624494.4A
Publication of CN118246031A
Application granted
Publication of CN118246031B
Legal status: Active


Abstract

The application discloses a vehicle-mounted information security testing method, device, medium and electronic equipment. An application program that can be installed on the in-vehicle infotainment system of a vehicle to be tested is obtained, and an attack load targeting that system is generated. Both are decompiled to obtain their source code, code calling the attack load is added at the entry of the application program, and the result is compiled and signed to yield an application program that carries the attack load and passes the verification of the in-vehicle infotainment system. This application program is injected into the in-vehicle infotainment system to realize an attack test on the vehicle to be tested, so that the security of program operation on the in-vehicle infotainment system can be tested, the possibility of the system being invaded by viruses is reduced, and the information security of the vehicle to be tested is improved.

Description

Vehicle-mounted information security testing method and device, medium and electronic equipment
Technical Field
The application relates to the technical field of vehicle-mounted information safety test, in particular to a vehicle-mounted information safety test method, a vehicle-mounted information safety test device, a vehicle-mounted information safety test medium and electronic equipment.
Background
As automobiles become increasingly intelligent, networked and motorized, components that were mechanically controlled in conventional automobiles depend more and more on electronic systems for auxiliary control. As more and more Internet-connected services and communication functions are integrated into intelligent automobiles, threats such as information tampering and virus intrusion affect their network security.
Most components inside an intelligent automobile are connected through CAN (Controller Area Network), LIN, Ethernet and MOST buses. Functions are divided into domains, each connecting different controllers, and the vehicle also interacts with the outside through wireless inputs such as Bluetooth, cellular networks, WiFi and GPS and through physical inputs such as the touch screen and USB ports. When in-vehicle components communicate, bus content is not encrypted, all messages are broadcast, and message content and timing are not verified. Operations such as obtaining information about each component or maliciously resetting it can therefore be performed through the local control network, causing the whole vehicle system to work abnormally. Attacks against the whole vehicle are mainly divided into near-end attacks and remote attacks, and a near-end attack can penetrate the in-vehicle network.
In addition, more and more in-vehicle infotainment systems adopt the Linux-based Android operating system, on which third-party application programs can be installed. At the current stage, however, automotive infotainment systems focus mainly on implementing functions and providing a richer experience for occupants, and protection of the infotainment system as an attack node is generally lacking, which greatly increases the information security risk of the automobile. Meanwhile, during production, testing and after-sales service of the in-vehicle infotainment system, the personnel involved cannot avoid troubleshooting problems through ADB (Android Debug Bridge), and the existence of ADB allows a user to install third-party application programs, so the information security of an Android-based in-vehicle infotainment system can be penetrated. Accordingly, a security testing method for in-vehicle infotainment systems is needed.
Disclosure of Invention
The present application has been made to solve the above-mentioned technical problems. The embodiment of the application provides a vehicle-mounted information security testing method, a vehicle-mounted information security testing device, a vehicle-mounted information security testing medium and electronic equipment.
According to one aspect of the present application, there is provided a vehicle-mounted information security test method, including: acquiring a first application program of a vehicle-mounted information entertainment system applicable to a vehicle to be tested; generating an attack load for the vehicle to be tested; decompiling the first application program and the attack load to obtain a corresponding first source code and a corresponding second source code respectively; adding codes for calling the second source codes at program inlets of the first source codes corresponding to the first application programs to obtain third source codes; compiling the third source code to obtain a second application program; adding a signature to the second application; injecting the signed second application program into the vehicle-mounted information entertainment system; and carrying out attack test on the vehicle to be tested to obtain a test result.
In an embodiment, said adding a signature to said second application comprises: generating a key file; the key file comprises name information, unit information and address information of an application program; and adding a signature to the second application program based on the key file.
In an embodiment, the injecting the signed second application into the in-vehicle infotainment system comprises: and injecting the second application program after signature addition into the vehicle-mounted information entertainment system in a wired mode or a wireless mode.
In an embodiment, the performing an attack test on the vehicle to be tested, and obtaining a test result includes: connecting the in-vehicle infotainment system using the attack load in the second application; and sending an attack test instruction to test the vehicle to be tested, and obtaining the test result.
In an embodiment, the sending the attack test instruction to test the vehicle to be tested, and obtaining the test result includes: transmitting an information stealing instruction and an operation control instruction to the vehicle-mounted information entertainment system; and obtaining the test result according to the response strategy of the vehicle-mounted information entertainment system.
In an embodiment, the obtaining the test result according to the response policy of the in-vehicle infotainment system includes: and if the vehicle-mounted information entertainment system sends out early warning or no response, determining that the test result is qualified.
In an embodiment, the generating the attack load for the vehicle under test includes: generating the attack load based on the network environment of the vehicle to be tested; wherein the network environment comprises a public network environment and a local area network environment.
According to another aspect of the present application, there is provided a vehicle-mounted information security test apparatus comprising: the application program acquisition module is used for acquiring a first application program of the vehicle-mounted information entertainment system applicable to the vehicle to be tested; the attack load generation module is used for generating attack load aiming at the vehicle to be tested; the decompilation execution module is used for decompiling the first application program and the attack load to respectively obtain a corresponding first source code and a corresponding second source code; an attack load adding module, configured to add a code for calling the second source code at a program entry corresponding to the first application program in the first source code, so as to obtain a third source code; the recompilation execution module is used for recompilating the third source code to obtain a second application program; an application signature module for adding a signature to the second application; the application program injection module is used for injecting the second application program with the added signature into the vehicle-mounted information entertainment system; and the attack test execution module is used for carrying out attack test on the vehicle to be tested to obtain a test result.
According to another aspect of the present application, there is provided a computer-readable storage medium storing a computer program for executing any one of the above-described in-vehicle information security test methods.
According to another aspect of the present application, there is provided an electronic apparatus including: a processor; a memory for storing the processor-executable instructions; the processor is used for executing the vehicle-mounted information security testing method.
According to the vehicle-mounted information security testing method, device, medium and electronic equipment provided by the application, a first application program applicable to the in-vehicle infotainment system of a vehicle to be tested is obtained; an attack load for the vehicle to be tested is generated; the first application program and the attack load are decompiled to obtain a corresponding first source code and second source code respectively; code for calling the second source code is added at the program entry of the first application program in the first source code to obtain a third source code; the third source code is compiled to obtain a second application program; a signature is added to the second application program; the signed second application program is injected into the in-vehicle infotainment system; and an attack test is carried out on the vehicle to be tested to obtain a test result. In other words, an application program that can be installed on the in-vehicle infotainment system of the vehicle to be tested is obtained, an attack load targeting that system is generated, both are decompiled to obtain their source code, code calling the attack load is added at the entry of the application program, and the result is compiled and signed to yield an application program that carries the attack load and passes the verification of the in-vehicle infotainment system. Injecting this application program into the in-vehicle infotainment system realizes the attack test on the vehicle to be tested, so that the security of program operation on the in-vehicle infotainment system can be tested, the possibility of the system being invaded by viruses is reduced, and the information security of the vehicle to be tested is improved.
Drawings
The above and other objects, features and advantages of the present application will become more apparent by describing embodiments of the present application in more detail with reference to the attached drawings. The accompanying drawings are included to provide a further understanding of embodiments of the application and are incorporated in and constitute a part of this specification, illustrate the application and together with the embodiments of the application, and not constitute a limitation to the application. In the drawings, like reference numerals generally refer to like parts or steps.
Fig. 1 is a system diagram to which the present application is applied.
Fig. 2 is a flowchart of a vehicle information security testing method according to an exemplary embodiment of the present application.
Fig. 3 is a schematic structural diagram of an on-vehicle information security testing device according to an exemplary embodiment of the present application.
Fig. 4 is a block diagram of an electronic device according to an exemplary embodiment of the present application.
Detailed Description
Hereinafter, exemplary embodiments according to the present application will be described in detail with reference to the accompanying drawings. It should be apparent that the described embodiments are only some embodiments of the present application and not all embodiments of the present application, and it should be understood that the present application is not limited by the example embodiments described herein.
Fig. 1 is a diagram of a system to which the present application is applied. As shown in Fig. 1, the vehicle-mounted information security testing method provided by the application is applied to a vehicle-mounted information security testing device in a test system. The testing device is connected to the in-vehicle infotainment system, and the in-vehicle infotainment system is connected through an interface module to external devices of the vehicle (such as a camera, a microphone, an audio system and a CAN analyzer). The testing device steals related information of the vehicle to be tested (such as data in the camera, microphone, audio system and CAN analyzer) and inputs operation control instructions to control the operation of related devices in the vehicle to be tested, thereby testing whether the in-vehicle infotainment system of the vehicle to be tested has potential security hazards when application programs are downloaded later. The testing device is connected to the in-vehicle infotainment system through both the communication module and the interface module, that is, through wireless communication and wired communication, so as to simulate the ways in which the in-vehicle infotainment system acquires application programs in actual use and improve the comprehensiveness of the test.
Fig. 2 is a flowchart of a vehicle information security testing method according to an exemplary embodiment of the present application. As shown in fig. 2, the vehicle-mounted information security testing method includes the following steps:
Step 210: a first application program of a vehicle-mounted infotainment system applicable to a vehicle to be tested is obtained.
Specifically, an application program suitable for the in-vehicle infotainment system of the vehicle to be tested can be downloaded from an official website, for example the apk installation package apk01 from an Android application market. The application program can be downloaded at random from the official website, or application programs with more downloads can be selected preferentially according to the download ranking on the official website. Preferably, a plurality of application programs are selected to carry out the security test on the in-vehicle infotainment system of the vehicle to be tested, further improving the comprehensiveness of the test.
Step 220: an attack load for the vehicle under test is generated.
Specifically, a backdoor attack load payload01 targeting the vehicle to be tested can be generated on a HACK platform, where HACK platforms include Core Impact Pro, Immunity CANVAS, Metasploit and the like, and the attack load payload01 includes reverse_http, reverse_https, reverse_tcp, bind_tcp and the like. The attack load is the carrier with which an attacker launches the initial attack and establishes a network connection, and by function it can be divided into delivery attack, connection attack and independent attack classes. Preferably, multiple types of attack load are generated to test the vehicle to be tested, so as to comprehensively test its security performance.
Step 230: decompiling the first application program and the attack load to obtain corresponding first source code and second source code respectively.
Specifically, the first application program (apk01) and the attack load (payload01) are decompiled (reverse-compiled) in turn to obtain smali code: smail01 (first source code) and smail02 (second source code). smali is a programming language for mobile devices whose syntax and structure are similar to Java. smali code can run on devices supporting the Android platform, including mobile phones, tablet computers and smartwatches, and smali can be used to develop various types of mobile applications, including games, social media applications and business applications. Android reverse engineering is a technique that involves decompiling and analysing the source code of a packaged Android application program (apk file) in order to understand its implementation logic. It requires techniques such as decryption, decompilation and decompression. In actual reverse analysis, the source code of the apk is usually partially restored and modified according to the purpose of the analysis; for example, reverse engineering can make the APP execute specific actions automatically, such as automatic login, or modify functions of the APP, such as masking update prompts. By decompiling the first application program and the attack load, the application obtains their source code and implementation logic, modifies the source code to inject the attack load, and provides test cases for the subsequent test of the vehicle to be tested.
Step 240: and adding codes for calling the second source codes at program inlets of the first source codes corresponding to the first application programs to obtain third source codes.
Specifically, the program entry of apk01 is located in the smali code, and code for calling payload01 is added at that entry, yielding the source code of an application program carrying the attack load.
Step 250: and compiling the third source code to obtain the second application program.
Specifically, after the source code of the application program carrying the attack load is obtained, the smali code (including the code for calling payload01) is compiled back to obtain the second application program apk02. The second application program includes the functions of the first application program and can call the attack load payload01; that is, the second application program is the application program carrying the attack load.
Step 260: a signature is added to the second application.
Specifically, the signature is added to counter the signature verification of the in-vehicle infotainment system, so that the system's correctness and legality verification of the second application program is guaranteed to pass.
Step 270: and injecting the signed second application program into the vehicle-mounted infotainment system.
Specifically, once an application program capable of bypassing the legality verification of the in-vehicle infotainment system has been obtained, it is injected into the in-vehicle infotainment system to realize the attack test on the system.
Step 280: and carrying out attack test on the vehicle to be tested to obtain a test result.
Specifically, after the second application program is injected into the vehicle-mounted information entertainment system, the vehicle-mounted information entertainment system is subjected to attack test by initiating an information stealing instruction, an operation control instruction and the like, so that a corresponding test result is obtained.
According to the vehicle-mounted information security testing method provided by the application, a first application program suitable for the in-vehicle infotainment system of a vehicle to be tested is obtained; an attack load for the vehicle to be tested is generated; the first application program and the attack load are decompiled to obtain a corresponding first source code and second source code respectively; code for calling the second source code is added at the program entry of the first application program in the first source code to obtain a third source code; the third source code is compiled to obtain a second application program; a signature is added to the second application program; the signed second application program is injected into the in-vehicle infotainment system; and an attack test is carried out on the vehicle to be tested to obtain a test result. In other words, an application program that can be installed on the in-vehicle infotainment system of the vehicle to be tested is obtained, an attack load targeting that system is generated, both are decompiled to obtain their source code, code calling the attack load is added at the entry of the application program, and the result is compiled and signed to yield an application program that carries the attack load and passes the verification of the in-vehicle infotainment system. Injecting this application program into the in-vehicle infotainment system realizes the attack test on the vehicle to be tested, so that the security of program operation on the in-vehicle infotainment system can be tested, the possibility of the system being invaded by viruses is reduced, and the information security of the vehicle to be tested is improved.
In an embodiment, the implementation manner of the step 260 may be: generating a key file; the key file comprises name information, unit information and address information of the application program; a signature is added to the second application based on the key file.
Specifically, the keytool tool is used to generate a key file that includes the name information, unit information, address information and the like of the application program, and the second application program is signed based on this key file. jarsigner can be used to sign apk02, yielding an application program that can pass the legality check of the in-vehicle infotainment system, so that the attack test on the system can be carried out in depth.
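A check an infotainment installer could apply against the re-signing step described above, as an added example that is not part of the patent: a signature made with a freshly generated key is still a valid signature, so the gate compares the SHA-256 of the signer certificate with a value pinned per package instead of only checking that a signature exists. It assumes the platform has already verified the signature cryptographically, handles only the JAR (v1) signature block that jarsigner writes, and uses a hypothetical package name and constructed stand-in certificates.

```python
import hashlib
import io
import zipfile

OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1


def der(tag, body):
    """Encode one DER element (used only to build the constructed samples)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + body


def read_tlv(data, pos):
    """Decode the DER element at pos; return (tag, value_start, value_end)."""
    if pos + 2 > len(data):
        raise ValueError("truncated DER header")
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        count = length & 0x7F
        length = int.from_bytes(data[pos:pos + count], "big")
        pos += count
    if pos + length > len(data):
        raise ValueError("truncated DER value")
    return tag, pos, pos + length


def first_signer_cert(pkcs7):
    """Return the DER bytes of the first certificate in a PKCS#7 SignedData."""
    _, pos, _ = read_tlv(pkcs7, 0)                 # ContentInfo SEQUENCE
    tag, start, end = read_tlv(pkcs7, pos)         # contentType OID
    if tag != 0x06 or pkcs7[start:end] != OID_SIGNED_DATA:
        raise ValueError("not a SignedData block")
    tag, pos, _ = read_tlv(pkcs7, end)             # [0] EXPLICIT wrapper
    if tag != 0xA0:
        raise ValueError("missing SignedData content")
    _, pos, _ = read_tlv(pkcs7, pos)               # SignedData SEQUENCE
    for expected in (0x02, 0x31, 0x30):            # version, digestAlgorithms, contentInfo
        tag, _, pos = read_tlv(pkcs7, pos)
        if tag != expected:
            raise ValueError("unexpected SignedData layout")
    tag, cert_pos, _ = read_tlv(pkcs7, pos)        # certificates [0] IMPLICIT
    if tag != 0xA0:
        raise ValueError("no certificates present")
    tag, _, cert_end = read_tlv(pkcs7, cert_pos)   # first Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("malformed certificate")
    return pkcs7[cert_pos:cert_end]                # header included, as fingerprints are computed


def signer_fingerprint(apk_bytes):
    """SHA-256 of the signer certificate in the JAR (v1) signature block."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        blocks = [n for n in apk.namelist()
                  if n.upper().startswith("META-INF/") and n.count("/") == 1
                  and n.upper().endswith((".RSA", ".DSA", ".EC"))]
        if len(blocks) != 1:
            raise ValueError("expected exactly one signature block")
        return hashlib.sha256(first_signer_cert(apk.read(blocks[0]))).hexdigest()


def install_decision(package, apk_bytes, pins):
    """Allow installation only if the signer matches the pin for this package."""
    try:
        fingerprint = signer_fingerprint(apk_bytes)
    except (ValueError, zipfile.BadZipFile) as exc:
        return f"reject: {exc}"
    if package not in pins:
        return "reject: package not on allowlist"
    if fingerprint != pins[package]:
        return "reject: signer mismatch"
    return "allow"


def sample_apk(cert_body=None):
    """Build a constructed in-memory APK; cert_body stands in for an X.509 certificate."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("classes.dex", b"constructed sample")
        if cert_body is not None:
            signed = der(0x30, der(0x02, b"\x01") + der(0x31, b"")
                         + der(0x30, der(0x06, OID_DATA))
                         + der(0xA0, der(0x30, cert_body)) + der(0x31, b""))
            apk.writestr("META-INF/CERT.RSA",
                         der(0x30, der(0x06, OID_SIGNED_DATA) + der(0xA0, signed)))
    return buf.getvalue()


# Constructed data: hypothetical package name and stand-in certificates.
PACKAGE = "com.example.media"
APK01 = sample_apk(b"constructed publisher certificate")
APK02 = sample_apk(b"constructed certificate for a freshly generated key " * 4)
UNSIGNED = sample_apk()
PINS = {PACKAGE: signer_fingerprint(APK01)}  # pin recorded from the publisher's build

if __name__ == "__main__":
    for name, apk in (("apk01", APK01), ("apk02", APK02), ("unsigned", UNSIGNED)):
        print(name, "->", install_decision(PACKAGE, apk, PINS))
```
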
In an embodiment, the implementation manner of the step 270 may be: and injecting the signed second application program into the vehicle-mounted information entertainment system in a wired mode or a wireless mode.
The second application program can be injected into the in-vehicle infotainment system in a wired mode to simulate a website publishing an apk application program that induces the user to download and install it, that is, to simulate the attack test for wireless download and installation in actual use. The second application program can also be injected into the in-vehicle infotainment system wirelessly to simulate a near-end test in which the system is intruded through the ADB (Android Debug Bridge) debug interface.
In an embodiment, the implementation manner of the step 280 may be: connecting the vehicle-mounted information entertainment system by utilizing an attack load in the second application program; and sending an attack test instruction to test the vehicle to be tested, and obtaining a test result.
Specifically, a connection to the in-vehicle infotainment system can be established on the HACK platform for monitoring. After the connection is established, a monitoring window (for example msfconsole) is started and configured with an attack load consistent with payload01 and the corresponding listening IP and port to start monitoring. At the same time, attack test instructions are sent to test the in-vehicle infotainment system.
In an embodiment, the implementation manner of the step 280 may be: transmitting an information stealing instruction and an operation control instruction to the vehicle-mounted information entertainment system; and obtaining a test result according to a response strategy of the vehicle-mounted information entertainment system.
Specifically, the attack load is used to send information stealing instructions to test the in-vehicle infotainment system. The information stealing instructions include obtaining version information of the in-vehicle infotainment system, obtaining network connection information, obtaining hardware information, obtaining current position information, reading CAN messages, reversing and the like. Sending an information stealing instruction uses the in-vehicle infotainment system to acquire related information of the on-board devices connected to it, thereby realizing the intrusion test on the in-vehicle infotainment system. The attack load can also be used to send operation control instructions to test the in-vehicle infotainment system. The operation control instructions include taking a snapshot from a specified camera, obtaining a real-time video stream from a specified camera, audio recording and monitoring, uploading and downloading files, executing CAN commands and the like. Sending an operation control instruction uses the in-vehicle infotainment system to pass the corresponding operation instruction to the on-board devices connected to it, so as to control those devices to execute the corresponding operation, thereby realizing the intrusion test on the in-vehicle infotainment system.
In an embodiment, the implementation manner of the step 280 may be: if the vehicle-mounted information entertainment system sends out early warning or no response, the test result is determined to be qualified.
The monitoring window is used to monitor the test information fed back by the in-vehicle infotainment system, such as the acquired information about on-board devices and the signal feedback after a device has been controlled to execute an operation. If the in-vehicle infotainment system issues an early warning or does not respond (that is, it does not acquire the related information of the on-board devices or does not execute the operation control instruction), the system has not complied with the attack instructions of the attack load, and its test result is qualified. If the in-vehicle infotainment system issues no early warning and executes the attack instructions of the attack load, its test result is unqualified.
In an embodiment, the specific implementation manner of the step 220 may be: generating an attack load based on the network environment of the vehicle to be tested; the network environment comprises a public network environment and a local area network environment.
Specifically, a listening port is set according to the HACK platform's own IP, the shell type is selected according to the network environment, and msfvenom is used to generate the attack load. The network environment includes the following cases: the attacker is inside a local area network and the attacked party is on the public network; the attacker is on the public network and the attacked party is inside a local area network; or the attacker and the attacked party are in the same network environment, for example both within a local area network or both on the public network.
Fig. 3 is a schematic structural diagram of an on-vehicle information security testing device according to an exemplary embodiment of the present application. As shown in Fig. 3, the in-vehicle information security test apparatus 30 includes: an application acquisition module 31 for acquiring a first application of a vehicle-mounted infotainment system suitable for a vehicle to be tested; an attack load generation module 32 for generating an attack load for the vehicle to be tested; a decompilation execution module 33, configured to decompile the first application program and the attack load to obtain a corresponding first source code and a corresponding second source code respectively; an attack load adding module 34, configured to add code for calling the second source code at the program entry corresponding to the first application program in the first source code, so as to obtain a third source code; a recompilation execution module 35, configured to recompile the third source code to obtain a second application program; an application signature module 36 for adding a signature to the second application; an application injection module 37 for injecting the signed second application into the in-vehicle infotainment system; and an attack test execution module 38, configured to perform an attack test on the vehicle to be tested and obtain a test result.
According to the vehicle-mounted information safety testing device provided by the application, the first application program of the vehicle-mounted information entertainment system suitable for the vehicle to be tested is acquired through the application program acquisition module 31; the attack load generation module 32 generates an attack load for the vehicle to be tested; decompilation executing module 33 decompiles the first application program and attack load to obtain corresponding first source code and second source code respectively; the attack load adding module 34 adds a code for calling the second source code at a program entry corresponding to the first application program in the first source code to obtain a third source code; the recompilation execution module 35 recompilates the third source code to obtain a second application program; the application signature module 36 adds a signature to the second application; the application program injection module 37 injects the signed second application program into the in-vehicle infotainment system; the attack test execution module 38 performs attack test on the vehicle to be tested to obtain a test result; the method comprises the steps of acquiring an application program which can be installed on a vehicle-mounted information entertainment system of a vehicle to be tested, generating an attack load aiming at the vehicle-mounted information entertainment system of the vehicle to be tested, adopting decompilation to acquire the application program and a source code of the attack load, adding a calling code of the attack load to an inlet of the application program, then compiling and signing to obtain the application program which carries the attack load and can pass through verification of the vehicle-mounted information entertainment system, injecting the application program which carries the attack load into the vehicle-mounted information entertainment system to realize attack test on the vehicle to be 
tested, thereby testing the program operation information security of the vehicle-mounted information entertainment system of the vehicle to be tested, reducing the possibility that the vehicle-mounted information entertainment system is invaded by viruses, and improving the information security of the vehicle to be tested.
In one embodiment, the application signature module 36 may be further configured to: generating a key file; the key file comprises name information, unit information and address information of the application program; a signature is added to the second application based on the key file.
In one embodiment, the application injection module 37 may be further configured to: and injecting the signed second application program into the vehicle-mounted information entertainment system in a wired mode or a wireless mode.
In one embodiment, the attack test execution module 38 may be further configured to: connecting the vehicle-mounted information entertainment system by utilizing an attack load in the second application program; and sending an attack test instruction to test the vehicle to be tested, and obtaining a test result.
In one embodiment, the attack test execution module 38 may be further configured to: transmitting an information stealing instruction and an operation control instruction to the vehicle-mounted information entertainment system; and obtaining a test result according to a response strategy of the vehicle-mounted information entertainment system.
In one embodiment, the attack test execution module 38 may be further configured to: if the vehicle-mounted information entertainment system issues an early warning or does not respond, determine that the test result is qualified.
In an embodiment, the attack load generation module 32 may be further configured to: generating an attack load based on the network environment of the vehicle to be tested; the network environment comprises a public network environment and a local area network environment.
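The signature step described above uses a key file whose name, unit and address fields are chosen by whoever generates it, so an install check that trusts those fields admits a re-signed package. The following is an added example, not code from the patent, contrasting that weak check with pinning the signer certificate digest; the package names, subject strings, certificate bytes and policy tables are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class VerifiedPackage:
    """Facts an installer holds once a package's signature has verified."""
    package: str      # application package name
    subject_dn: str   # name/unit/address fields, chosen by whoever made the key
    cert_der: bytes   # signer certificate bytes


def cert_digest(cert_der: bytes) -> str:
    """SHA-256 of the signer certificate; it changes whenever the key changes."""
    return hashlib.sha256(cert_der).hexdigest()


# Constructed sample data: byte strings stand in for DER certificates.
VENDOR_CERT = b"constructed-vendor-certificate"
RESIGN_CERT = b"constructed-test-rig-certificate"
VENDOR_DN = "CN=Example Media, OU=Example Unit, L=Example City"

TRUSTED_DN = {"com.example.media": VENDOR_DN}                  # weak policy
PINNED_CERT = {"com.example.media": cert_digest(VENDOR_CERT)}  # hardened policy


def weak_install_check(pkg: VerifiedPackage) -> bool:
    """Weak: trusts the self-asserted subject fields of the signing key."""
    return TRUSTED_DN.get(pkg.package) == pkg.subject_dn


def pinned_install_check(pkg: VerifiedPackage) -> str:
    """Hardened: the signer certificate must match the pinned digest."""
    expected = PINNED_CERT.get(pkg.package)
    if expected is None:
        return "reject: package not on allowlist"
    if cert_digest(pkg.cert_der) != expected:
        return "reject: signer certificate does not match pin"
    return "allow"


def audit(packages):
    """Evaluate each package under both policies and flag disagreements."""
    rows = []
    for pkg in packages:
        weak = weak_install_check(pkg)
        pinned = pinned_install_check(pkg)
        rows.append({
            "package": pkg.package,
            "weak_allows": weak,
            "pinned": pinned,
            # A gap is an install the weak policy admits but the pin rejects.
            "gap": weak and pinned != "allow",
        })
    return rows


SAMPLES = [
    VerifiedPackage("com.example.media", VENDOR_DN, VENDOR_CERT),    # original
    VerifiedPackage("com.example.media", VENDOR_DN, RESIGN_CERT),    # re-signed
    VerifiedPackage("com.example.tools", "CN=Unknown", RESIGN_CERT), # unlisted
]

if __name__ == "__main__":
    for row in audit(SAMPLES):
        print(row)
```

A system that closes the gap row behaves like the "early warning or no response" outcome the test treats as qualified.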
Next, an electronic device according to an embodiment of the present application is described with reference to fig. 4. The electronic device may be either or both of the first device and the second device, or a stand-alone device independent thereof, which may communicate with the first device and the second device to receive the acquired input signals therefrom.
Fig. 4 illustrates a block diagram of an electronic device according to an embodiment of the application.
As shown in fig. 4, the electronic device 10 includes one or more processors 11 and a memory 12.
The processor 11 may be a Central Processing Unit (CPU) or other form of processing unit having data processing and/or instruction execution capabilities, and may control other components in the electronic device 10 to perform desired functions.
Memory 12 may include one or more computer program products that may include various forms of computer-readable storage media, such as volatile memory and/or non-volatile memory. The volatile memory may include, for example, Random Access Memory (RAM) and/or cache memory (cache), and the like. The non-volatile memory may include, for example, Read-Only Memory (ROM), hard disk, flash memory, and the like. One or more computer program instructions may be stored on the computer-readable storage medium and executed by the processor 11 to implement the methods of the various embodiments of the present application described above and/or other desired functions. Various contents such as an input signal, a signal component, a noise component, and the like may also be stored in the computer-readable storage medium.
In one example, the electronic device 10 may further include: an input device 13 and an output device 14, which are interconnected by a bus system and/or other forms of connection mechanisms (not shown).
When the electronic device is a stand-alone device, the input means 13 may be a communication network connector for receiving the acquired input signals from the first device and the second device.
In addition, the input device 13 may also include, for example, a keyboard, a mouse, and the like.
The output device 14 may output various information to the outside, including the determined distance information, direction information, and the like. The output means 14 may include, for example, a display, speakers, a printer, and a communication network and remote output devices connected thereto, etc.
Of course, for simplicity, only some of the components of the electronic device 10 that are relevant to the present application are shown in fig. 4; components such as buses, input/output interfaces, etc. are omitted. In addition, the electronic device 10 may include any other suitable components depending on the particular application.
In addition to the methods and apparatus described above, embodiments of the application may also be a computer program product comprising computer program instructions which, when executed by a processor, cause the processor to perform steps in a method according to various embodiments of the application described in the "exemplary methods" section of this specification.
The computer program product may write program code for performing operations of embodiments of the present application in any combination of one or more programming languages, including an object oriented programming language such as Java, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device, partly on a remote computing device, or entirely on the remote computing device or server.
Furthermore, embodiments of the application may also be a computer-readable storage medium, having stored thereon computer program instructions, which when executed by a processor, cause the processor to perform steps in a method according to various embodiments of the application described in the "exemplary method" section of the description above.
The computer-readable storage medium may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. The readable storage medium may include, for example, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include the following: an electrical connection having one or more wires, a portable disk, a hard disk, Random Access Memory (RAM), Read-Only Memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
The basic principles of the present application have been described above in connection with specific embodiments, but it should be noted that the advantages, benefits, effects, etc. mentioned in the present application are merely examples and not intended to be limiting, and these advantages, benefits, effects, etc. are not to be construed as necessarily possessed by the various embodiments of the application. Furthermore, the specific details disclosed herein are for purposes of illustration and understanding only, and are not intended to be limiting, as the application is not necessarily limited to practice with the above described specific details.
The block diagrams of the devices, apparatuses, equipment and systems referred to in the present application are only illustrative examples and are not intended to require or imply that the connections, arrangements and configurations must be made in the manner shown in the block diagrams. As will be appreciated by one of skill in the art, the devices, apparatuses, equipment and systems may be connected, arranged and configured in any manner. Words such as "including," "comprising," "having," and the like are open-ended words that mean "including but not limited to," and are used interchangeably therewith. The terms "or" and "and" as used herein refer to, and are used interchangeably with, the term "and/or", unless the context clearly indicates otherwise. The term "such as" as used herein refers to, and is used interchangeably with, the phrase "such as, but not limited to".
It is also noted that in the apparatus, devices and methods of the present application, the components or steps may be decomposed and/or recombined. Such decomposition and/or recombination should be considered as equivalent aspects of the present application.
The previous description of the disclosed aspects is provided to enable any person skilled in the art to make or use the present application. Various modifications to these aspects will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other aspects without departing from the scope of the application. Thus, the present application is not intended to be limited to the aspects shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
The foregoing description has been presented for purposes of illustration and description. Furthermore, this description is not intended to limit embodiments of the application to the form disclosed herein. Although a number of example aspects and embodiments have been discussed above, a person of ordinary skill in the art will recognize certain variations, modifications, alterations, additions, and subcombinations thereof.

Claims (10)

1. The vehicle-mounted information safety testing method is characterized by comprising the following steps of:
acquiring a first application program of a vehicle-mounted information entertainment system applicable to a vehicle to be tested;
generating an attack load for the vehicle to be tested;
decompiling the first application program and the attack load to obtain a corresponding first source code and a corresponding second source code respectively;
adding code for calling the second source code at the program entry corresponding to the first application program in the first source code to obtain a third source code;
compiling the third source code to obtain a second application program;
adding a signature to the second application;
injecting the signed second application program into the vehicle-mounted information entertainment system;
and carrying out attack test on the vehicle to be tested to obtain a test result.
2. The method of claim 1, wherein the adding a signature to the second application program comprises:
generating a key file; the key file comprises name information, unit information and address information of an application program;
and adding a signature to the second application program based on the key file.
3. The method of claim 1, wherein the injecting the signed second application into the in-vehicle infotainment system comprises:
injecting the second application program after signature addition into the vehicle-mounted information entertainment system in a wired mode or a wireless mode.
4. The method for testing the safety of vehicle-mounted information according to claim 1, wherein the performing an attack test on the vehicle to be tested to obtain a test result includes:
connecting the in-vehicle infotainment system using the attack load in the second application;
and sending an attack test instruction to test the vehicle to be tested, and obtaining the test result.
5. The method for testing the vehicle-mounted information security according to claim 4, wherein the step of sending an attack test command to test the vehicle to be tested, and the step of obtaining the test result comprises:
transmitting an information stealing instruction and an operation control instruction to the vehicle-mounted information entertainment system;
and obtaining the test result according to the response strategy of the vehicle-mounted information entertainment system.
6. The method for testing the vehicle-mounted information security according to claim 5, wherein the obtaining the test result according to the response strategy of the vehicle-mounted information entertainment system comprises:
if the vehicle-mounted information entertainment system issues an early warning or does not respond, determining that the test result is qualified.
7. The vehicle information security test method according to claim 1, wherein the generating an attack load for the vehicle under test includes:
generating the attack load based on the network environment of the vehicle to be tested; wherein the network environment comprises a public network environment and a local area network environment.
8. A vehicle-mounted information security test device, characterized by comprising:
the application program acquisition module is used for acquiring a first application program of the vehicle-mounted information entertainment system applicable to the vehicle to be tested;
the attack load generation module is used for generating attack load aiming at the vehicle to be tested;
the decompilation execution module is used for decompiling the first application program and the attack load to respectively obtain a corresponding first source code and a corresponding second source code;
an attack load adding module, configured to add a code for calling the second source code at a program entry corresponding to the first application program in the first source code, so as to obtain a third source code;
the recompilation execution module is used for recompiling the third source code to obtain a second application program;
an application signature module for adding a signature to the second application;
the application program injection module is used for injecting the second application program with the added signature into the vehicle-mounted information entertainment system;
and the attack test execution module is used for carrying out attack test on the vehicle to be tested to obtain a test result.
9. A computer readable storage medium, characterized in that the storage medium stores a computer program for executing the vehicle information security test method according to any one of the preceding claims 1 to 7.
10. An electronic device, comprising:
a processor;
a memory for storing the processor-executable instructions;
wherein the processor is configured to execute the vehicle information security testing method according to any one of claims 1 to 7.
CN202410624494.4A 2024-05-20 Vehicle-mounted information security testing method and device, medium and electronic equipment Active CN118246031B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410624494.4A CN118246031B (en) 2024-05-20 Vehicle-mounted information security testing method and device, medium and electronic equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202410624494.4A CN118246031B (en) 2024-05-20 Vehicle-mounted information security testing method and device, medium and electronic equipment

Publications (2)

Publication Number Publication Date
CN118246031A (en) 2024-06-25
CN118246031B (en) 2024-08-27

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant