What is Host IDPS built with Control Flow Integrity (CFI)?

Karamba Security | November 4th, 2019
birds eye view

There is no such thing as a hermetically sealed connected device and attackers are always looking for vulnerabilities in code and ways to exploit them. With host IDPS built with Control Flow Integrity though, vehicle ECUs have a state-of-the-art cybersecurity tool to defend themselves.

In our connected world, having the right threat detection system is essential. The average connected vehicle has tens of millions of lines of code and an attack surface that presents malicious actors with plenty of options for working their way in.

You need a way to watch your connected vehicle blind spot and prevent attacks on your vehicle ECU.

cfi logo

An effective Intrusion Detection System (IDS) is crucial for spotting, logging, and preventing threats to any connected device, and for finding suspicious behavior in real-time.

There are two main types of IDS – host-based and network-based. The network IDS deciphers malicious activity in the overall CAN Bus traffic. host-based IDS (HIDS) on the other hand, is installed locally on a specific host machine itself and can detect abnormal processes and device behavior, as well as suspicious packets in the traffic to and from the device.

Because it works with a smaller canvas, host-based IDS allows for deep, detailed analysis of threats directly on the Single Purpose Device. It allows the user to not only detect threats and attack attempts but also to verify if they were successful or not. Installed on the host, HIDS takes you closer to the source of the problem, allowing you to analyze security events faster and more accurately, without the noise and extra information in the network traffic.

Automotive ECUs are single-purpose devices that are well defined and validated over a long period of time and an IDS alone does not constitute a comprehensive defense for these highly -complicated devices. Leveraging the unique characteristic of the single purpose device represented in each ECU, an intrusion detection system can be expanded to map out threats to your system and prevent attacks, creating a host-based intrusion, detection, and prevention system (IDPS)

The prevention function can only be achieved if the predetermined, approved commands of the product have been specified – what is known as the “known good.” Once established, these specifications allow the IDPS to protect the ECU in runtime from malicious behavior that is a deviation from the device behavior designed by the product’s engineers.

Control flow integrity (CFI) is today’s state-of-the-art runtime integrity tool and creates a powerful line of defense against attempts to hijack the software by using the known good. Karamba Security’s CFI-based Host IDPS not only detects these attempts to manipulate the vehicle ECU software, it can also prevent actions that deviate from the vehicle’s factory settings. And it can do so without adding new hardware or performance drag associated with costly and time-consuming machine learning or artificial intelligence.

Host defense is crucial in a connected world where no matter how simple and isolated your system is, it is part of an ever-connecting architecture, with numerous attack vectors. Each component needs to do its best to defend itself and thus break the attack chain.

Karamba’s CFI-based Host IDPS also streamlines the entire threat response pipeline and will not flood you with constant alerts and potential false positives. The integrity mechanism is triggered by deviations from the factory settings, and so alerts indicate either the presence of actual malware or that an in-memory attack is underway. The alerts can also indicate suspicious incidents that are related to “softer” security events like unusual port usage or changes in privileges. With a narrower list of possible “investigations,” your incident response team is more effective, reacting swiftly and comprehensively to ongoing threat analysis.

The preventative cybersecurity layer provided by Karamba’s CFI, combined with in-depth, focused, threat analysis on the host, creates an especially effective form of HIDPS that can watch your blind spot and identify and prevent hacking attempts. An ECU protected by HIDPS also streamlines the patching of vulnerabilities, and the deep forensics data provided by HIDPS can also expedite the R&D effort to reproduce the event, identify the affected code, and fix the vulnerability, all while the car itself is still protected on the road

Traditional Host IDS solutions are resource consuming. In a paper published by Audi this month entitled “Embedded Intrusion Detection based on AI,” the author describes how memory limitations on ECUs - as opposed to enterprise systems - means that they cannot incorporate algorithms like k-NN, as well as pruning, quantization, and precision reduction.

With a deterministic layer protecting the single purpose device the amount of analysis needed is reduced and performance is maintained within 5% of memory and CPU utilization. Furthermore, because of the deterministic nature of the cyber defense, it is applicable to safety certified components like ADAS and LKM, which require ASIL certification.

There is no such thing as a hermetically sealed connected device. Attackers are always looking for vulnerabilities in code and ways to exploit them. It is imperative that vehicle manufacturers implement ECU level protection, as a critical layer in a robust cybersecurity architecture, that maintains the integrity of the ever-growing software even under attack. CFI and other software integrity techniques make host IDPS a reality in automotive ECU.

Read more

Continue the conversation!

Want to learn more?

Contact Us


24 HaNagar Street
Hod Hasharon
Tel: +972 9 88 66 113



41000 Woodward Ave
Building East, Suite 350
Bloomfield Hills, MI 48304
Tel: +1 833 4KARAMBA



Landstr. 264, Munich
Tel: +49 892 1547 7583