Project

Students will work on a hands-on group project to hack a real CPS/IoT system. The following description may change.

Project topic

  • Project topic: Hacking In-Vehicle Infotainment (IVI) System

  • This project is based on the Cyber Security Challenge 2021 in South Korea.

  • Each group will be given a Raspberry Pi (RPi) board and necessary accessories to run a virtual AGL IVI system.

  • Attack: Identify vulnerabilities in the IVI system and develop attacks that exploit the vulnerabilities.

  • Defense: Design and develop defense mechanisms to detect or prevent the attacks.

Project group

  • Each project group will have 2-3 students.

  • Email the instructor your group members before the class meeting on Aug 31.

  • If no email is received, the instructor will decide your group.

AGL IVI setup

  • Follow the instructions here to set up the AGL IVI platform on your RPi.

Project grading policy

  Project Component                     Points
  Project discussions                   10
  Project pitch presentation            15
  Final project demo & presentation     35
  Project report & code                 30
  Vulnerability assessment              10 + bonus

Project discussions

  • There will be a 40-minute project discussion session every week during class (mostly Thursday).

  • Students will work on the project together during the session and have discussions with their group members.

  • The instructor will talk to each group in turn to check their progress and give feedback to help with the project.

  • The number of project discussion sessions per week may change depending on the project progress and lecture schedule.

  • Students will be evaluated on their (1) attendance of project discussion sessions and (2) project commitment every week.

Project pitch presentation

  • Presentation should be 15 minutes long including Q&A.

  • Each project group must submit the presentation slides to the instructor via email before the class meeting on Oct 19.

  • Cover the following topics in the presentation:

    Topic               Questions to address

    Attack strategy     • What attack surface did you target?
                        • What is your approach to find vulnerabilities?

    Project progress    • What vulnerabilities have you found or are you trying to find?
                        • Demonstration of attack or progress
                        • What are the contributions of each project member?

    Project plan        • What are you going to do next?
                        • What is the timeline?

  • Make sure to write the email in the following format:

    Subject: [cs6301.005-f21] project pitch slides
    
    * Group Member 1: Name (NetID)
    * Group Member 2: Name (NetID)
    * Group Member 3: Name (NetID)
    * Demo Video URL (Optional): ...
    # IMPORTANT: Make sure to attach the slides file in PDF!
    
  • Presentation will be evaluated on: (1) the length of the presentation (not too short, not too long), (2) how well the presenter addresses the questions, and (3) the overall project progress presented.

Final project demo & presentation

  • Presentation should be 15-20 minutes long including Q&A.

  • Each project group must submit the presentation slides and demo video to the instructor via email before the class meeting on Dec 2.

  • Cover the following topics in the presentation:

    Topic              Questions to address

    Vulnerabilities    • What vulnerabilities have you found or tried to find?
                       • How to exploit them?
                       • How difficult are they to exploit?

    Attack             • What attack surface did you use and how?
                       • What is the impact of the attack?

    Defense            • How do you defend against the attack?

    Demo               • Video demonstration of attack, defense, and/or project achievement

  • Make sure to write the email in the following format:

    Subject: [cs6301.005-f21] final project demo and slides
    
    * Group Member 1: Name (NetID)
    * Group Member 2: Name (NetID)
    * Group Member 3: Name (NetID)
    * Demo Video URL (Required): ...
    # IMPORTANT: Make sure to attach the slides file in PDF!
    
  • Demo & presentation will be evaluated on: (1) the length of the presentation (not too short, not too long), (2) how well the presenter addresses the questions, and (3) the quality of the video demonstration.

Project report & code

  • Each project group must submit the following items to the instructor via email before the class meeting on Dec 7.

    Item              Questions to address

    Project report    Detailed description of the achievements. Use the report form here.

    Attack PoC        URL of the code repository + a Docker image

    Defense PoC       URL of the code repository + a Docker image

  • Make sure to write the email in the following format:

    Subject: [cs6301.005-f21] project report and code
    
    * Group Member 1: Name (NetID)
    * Group Member 2: Name (NetID)
    * Group Member 3: Name (NetID)
    * Attack Code Repo URL (Required): ...
    * Attack Docker Image URL (Required): ...
    * Defense Code Repo URL (Optional): ...
    * Defense Docker Image URL (Optional): ...
    # IMPORTANT: Make sure to attach the report file in PDF!
    
  • Project report must include a self-assessment of each vulnerability based on a scoring system.

  • Follow the instructions here to calculate the vulnerability score.

  • Project report and code will be evaluated on: (1) the quality of the work and description, (2) the impact of the vulnerabilities found, and (3) the reproducibility of the PoCs.

Vulnerability assessment

  • Each of the reported vulnerabilities will be evaluated using a modified version of the Common Vulnerability Scoring System (CVSS) described here.

  • 10 points will be given for the first valid vulnerability in the project report.

  • The CVSS score of each vulnerability in the report will be given as bonus points (0-10 per vulnerability).