Automotive Security Analyzer for Exploitability Risks: An Automated and Attack Graph-Based Evaluation of On-Board Networks
2025-10-24, Europe

Our lives depend on automotive cybersecurity, protecting us inside and near vehicles. If vehicles go rogue, they can operate against the driver’s will and potentially drive off a cliff or into a crowd. The “Automotive Security Analyzer for Exploitability Risks” (AutoSAlfER) evaluates the exploitability risks of automotive on-board networks with attack graphs. AutoSAlfER’s Multi-Path Attack Graph algorithm is 40 to 200 times smaller in RAM and 200 to 5 000 times faster than a comparable implementation using Bayesian networks, and the Single-Path Attack Graph algorithm constructs the most reasonable attack path per asset with an asymptotic computational complexity of only O(n * log(n)) instead of O(n²). AutoSAlfER runs on a self-written graph database, heuristics, pruning, and homogenized Gaussian distributions, and it boosts people’s productivity for a more sustainable and secure automotive on-board network. Ultimately, we enjoy more safety and security in and around autonomous, connected, electrified, and shared vehicles.
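To make the single-path idea concrete, here is an added illustration that is not AutoSAlfER's code, data, or metric: a toy on-board network is modelled as a directed graph whose nodes are ECUs and buses and whose edge weights are an assumed abstract "exploit effort", and the least-effort path from the remote attack surface to every asset is computed with a heap-based shortest-path search, which is the O((n + m) log n) class of algorithm the abstract's O(n * log(n)) figure points at. The network, the effort values, the entry points, and the reading of "most reasonable path" as "least cumulative effort" are all constructed assumptions for this example; the helper names are hypothetical.

```python
import heapq

# Constructed toy network (not a real vehicle): node -> list of (neighbor, effort).
# "effort" is an assumed abstract exploitability cost; higher means harder to traverse.
NETWORK = {
    "telematics": [("gateway", 4)],
    "infotainment": [("gateway", 3)],
    "gateway": [("body_can", 2), ("chassis_can", 5)],
    "body_can": [("door_ecu", 1), ("gateway", 2)],
    "chassis_can": [("brake_ecu", 2), ("steering_ecu", 2)],
    "door_ecu": [],
    "brake_ecu": [],
    "steering_ecu": [],
}

# Assumed effort to gain a foothold on each externally reachable attack surface.
ENTRY_POINTS = {"telematics": 3, "infotainment": 1}


def single_path_attack_graph(network, entry_points):
    """Return {asset: (total_effort, path)} with the least-effort path to each node.

    Multi-source Dijkstra with a binary heap: every node is settled once and every
    edge relaxed once, giving O((n + m) log n) instead of the O(n^2) of a naive scan.
    """
    best = {}   # node -> settled minimum effort
    prev = {}   # node -> predecessor on the least-effort path (None for entry points)
    heap = [(effort, node, None) for node, effort in entry_points.items()]
    heapq.heapify(heap)
    while heap:
        effort, node, parent = heapq.heappop(heap)
        if node in best:          # stale heap entry; node already settled
            continue
        best[node] = effort
        prev[node] = parent
        for nbr, step in network.get(node, []):
            if nbr not in best:
                heapq.heappush(heap, (effort + step, nbr, node))
    # Rebuild the path for each settled node by walking the predecessor chain.
    result = {}
    for node, effort in best.items():
        path, cur = [], node
        while cur is not None:
            path.append(cur)
            cur = prev[cur]
        result[node] = (effort, list(reversed(path)))
    return result


def rank_by_exposure(result, assets):
    """Order the given assets from least to most effort, i.e. most exposed first."""
    return sorted(((a, result[a][0]) for a in assets if a in result), key=lambda t: t[1])


def harden_link(network, src, dst, extra_effort):
    """Return a copy of the network where traversing src -> dst costs extra_effort more.

    Models an architectural change (e.g. a stricter gateway filter) so its effect on
    every attack path can be rechecked without editing the original model.
    """
    hardened = {n: list(edges) for n, edges in network.items()}
    hardened[src] = [(d, w + extra_effort if d == dst else w) for d, w in hardened[src]]
    return hardened


if __name__ == "__main__":
    paths = single_path_attack_graph(NETWORK, ENTRY_POINTS)
    for asset, effort in rank_by_exposure(paths, ["brake_ecu", "steering_ecu", "door_ecu"]):
        print(f"{asset:13s} effort={effort:2d} path={' -> '.join(paths[asset][1])}")
    hardened = single_path_attack_graph(harden_link(NETWORK, "gateway", "chassis_can", 10), ENTRY_POINTS)
    print("brake_ecu after hardening gateway->chassis_can:", hardened["brake_ecu"][0])
```

Running the script lists the three safety-relevant assets with the cheapest path an attacker would have to traverse, and then shows how a single hardened link raises the effort for every asset behind it, which is the kind of recheck the architect and risk-manager use cases below describe.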


The Problem

Nowadays, computers usually control steering and brakes, and "smart" features increase a vehicle's attack surface and occasionally introduce vulnerabilities.
Even a combination of seemingly minor vulnerabilities can undermine a vehicle's cybersecurity.
Securing automotive Information Technology (IT) is expensive and challenging, even for leading tech companies.
Compared to corporate IT, this challenge arises from a) the safety-criticality, b) homologation obligations, and c) the IT diversity within each vehicle.
[a] Safety criticality: ECUs (Electronic Control Units) cannot stay indoors with air-conditioning but must work safely and reliably outdoors in the scorching sun and on freezing winter nights, from deserts to the Arctic.
Such extreme conditions demand special software requirements, which can interfere with security patching.
[b] Homologation obligations: Securing ECUs with swift patches can be hindered by governmental homologation obligations, as patches must not interfere with certifications, e.g., for exhaust purification or crash safety.
[c] IT diversity: ECUs are challenging to secure due to their diversity, as they usually do not communicate homogeneously via TCP/IP (Transmission Control Protocol / Internet Protocol) but rather via a combination of CAN (Controller Area Network), MOST (Media Oriented Systems Transport), LIN (Local Interconnect Network), BroadR-Reach, and FlexRay. ECUs usually do not incorporate x86 CPUs but rather a combination of TriCore, Super-H, PowerPC, ARM, V850, and even less widely known chips, as this achieves maximum dependability, energy efficiency, and sustainability.

How does this help? Who will benefit?

AutoSAlfER's automatic evaluation boosts people's productivity for a more sustainable automotive cybersecurity:
- Architects can automatically evaluate their designs, recheck changes for surprising attack combinations, and shape network topologies toward more security.
- Penetration testers ("red teams") get a head-start on the riskiest and most significant targets and network connections.
- Risk managers can extend their calculations onto a sound model for more precisely and reliably calculated risk reserves.
- Incident handlers ("blue teams") can enrich their situation report regarding what targets and assets could be compromised next and how acutely they are at stake.
- All stakeholders get orientation on anticipated neuralgic points and their impact, which helps prioritize cybersecurity investments adequately.
- Ultimately, we all gain more security and, thus, safety in and around autonomous, connected, electrified, and shared vehicles.

Why are you a good person to tell us this?

I initiated, planned, designed, implemented, documented, tested, and evaluated the Automotive Security Analyzer for Exploitability Risks (AutoSAlfER).

Agenda
1) Motivation and Survey
2) Data and Models
a. System Model, Attacker Profile, and Exploit Model
b. Attack Surface Exploitability Quantification
c. Implementation / Tech Stack
3) Practical Demo
4) Algorithms for Attack Graphs
a. Single-Path Attack Graph Algorithm (PI + PII)
b. Implementation and Evaluation of PI + PII
5) Algorithms for Total Risk
a. Probabilistic Model
b. Multi-Path Attack Graph Algorithm (P3Salfer)
c. Bayes Network Unsuitability Finding
d. Design and Implementation of an Alternative Algorithm with Bayesian Networks (P3Bayes)
e. Implementation and Evaluation of the Multi-Path Attack Graph Algorithm (P3Salfer)
6) Future Work
7) Further Material
a. Book
b. Papers, an Article, and Posters
c. Open-Source Software

Dr. Martin Salfer is an IT security researcher at the Technical University of Munich (TUM) and a tech lead at an automaker. He earned his Ph.D. in IT Security from TUM, completed his M.Sc. with honours in Software Engineering at UniA/LMU/TUM, and obtained his B.Sc. in Computer Science from HM, with a study abroad at KPU in Vancouver, Canada, and ESIEA in Paris, France, and a research visit at NII in Tokyo, Japan. He is the lead author of 28 publications, including five IT security patents.