=======
Project
=======

Students will work on a hands-on group project to hack a real CPS/IoT system.
The following description may change.

-------------
Project topic
-------------

* Project topic: **Hacking In-Vehicle Infotainment (IVI) System**
* This project is based on the `Cyber Security Challenge 2021 `__ in South Korea.
* Each group will be given **a Raspberry Pi (RPi) board** and necessary accessories to run a virtual `AGL `__ IVI system.
* **Attack**: Identify vulnerabilities in the IVI system and develop attacks that exploit the vulnerabilities.
* **Defense**: Design and develop defense mechanisms to detect or prevent the attacks.

-------------
Project group
-------------

* Each project group will have 2-3 students.
* **Email the instructor your group members before the class meeting on Aug 31.**
* If no email is received, the instructor will decide your group.

-------------
AGL IVI setup
-------------

* Follow the instructions `here `__ to set up the AGL IVI platform on your RPi.

----------------------
Project grading policy
----------------------

================================= ==========
Project Component                 Points
================================= ==========
Project discussions               10
Project pitch presentation        15
Final project demo & presentation 35
Project report & code             30
Vulnerability assessment          10 + bonus
================================= ==========

-------------------
Project discussions
-------------------

* There will be a 40-minute project discussion session every week during class (mostly Thursday).
* Students will work on the project together during the session and have discussions with their group members.
* The instructor will talk to each group in turn to check their progress and give feedback to help with the project.
* The number of project discussion sessions per week may change depending on the project progress and lecture schedule.
* Students will be evaluated on their (1) attendance of project discussion sessions and (2) project commitment every week.

--------------------------
Project pitch presentation
--------------------------

* Presentation should be **15 minutes long** including Q&A.
* **Each project group must submit the presentation slides to the instructor via email before the class meeting on Oct 19.**
* Cover the following topics in the presentation:

================ ====================
Topic            Questions to address
================ ====================
Attack strategy  * What attack surface did you target?
                 * What is your approach to find vulnerabilities?
Project progress * What vulnerabilities have you found or are you trying to find?
                 * Demonstration of attack or progress
                 * What are the contributions of each project member?
Project plan     * What are you going to do next?
                 * What is the timeline?
================ ====================

* Make sure to write the email in the following format::

    Subject: [cs6301.005-f21] project pitch slides

    * Group Member 1: Name (NetID)
    * Group Member 2: Name (NetID)
    * Group Member 3: Name (NetID)
    * Demo Video URL (Optional): ...

    # IMPORTANT: Make sure to attach the slides file in PDF!

* Presentation will be evaluated on: (1) the length of presentation (not too short, not too long), (2) how well the presenter addresses the questions, and (3) the overall project progress presented.

---------------------------------
Final project demo & presentation
---------------------------------

* Presentation should be **15-20 minutes long** including Q&A.
* **Each project group must submit the presentation slides and demo video to the instructor via email before the class meeting on Dec 2.**
* Cover the following topics in the presentation:

================ ====================
Topic            Questions to address
================ ====================
Vulnerabilities  * What vulnerabilities have you found or tried to find?
                 * How to exploit them?
                 * How difficult are they to exploit?
Attack           * What attack surface did you use and how?
                 * What is the impact of the attack?
Defense          * How do you defend against the attack?
Demo             * Video demonstration of attack, defense, and/or project achievement
================ ====================

* Make sure to write the email in the following format::

    Subject: [cs6301.005-f21] final project demo and slides

    * Group Member 1: Name (NetID)
    * Group Member 2: Name (NetID)
    * Group Member 3: Name (NetID)
    * Demo Video URL (Required): ...

    # IMPORTANT: Make sure to attach the slides file in PDF!

* Demo & presentation will be evaluated on: (1) the length of presentation (not too short, not too long), (2) how well the presenter addresses the questions, and (3) the quality of the video demonstration.

---------------------
Project report & code
---------------------

* **Each project group must submit the following items to the instructor via email before the class meeting on Dec 7.**

============== ====================
Item           Questions to address
============== ====================
Project report Detailed description of the achievements. Use the report form `here `__.
Attack PoC     URL of the code repository + a Docker image
Defense PoC    URL of the code repository + a Docker image
============== ====================

* Make sure to write the email in the following format::

    Subject: [cs6301.005-f21] project report and code

    * Group Member 1: Name (NetID)
    * Group Member 2: Name (NetID)
    * Group Member 3: Name (NetID)
    * Attack Code Repo URL (Required): ...
    * Attack Docker Image URL (Required): ...
    * Defense Code Repo URL (Optional): ...
    * Defense Docker Image URL (Optional): ...

    # IMPORTANT: Make sure to attach the report file in PDF!

* Project report **must include a self-assessment of each vulnerability** based on a scoring system.
* Follow the instructions `here `__ to calculate the vulnerability score.
* Project report and code will be evaluated on: (1) the quality of the work and description, (2) the impact of the vulnerabilities found, and (3) the reproducibility of the PoCs.

------------------------
Vulnerability assessment
------------------------

* Each of the reported vulnerabilities will be evaluated using a modified version of the `Common Vulnerability Scoring System (CVSS) `__ described `here `__.
* 10 points will be given for the first **valid** vulnerability in the project report.
* CVSS score of each vulnerability in the report will be given as **bonus points** (0-10 per vulnerability).