{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,28]],"date-time":"2026-03-28T18:09:08Z","timestamp":1774721348485,"version":"3.50.1"},"publisher-location":"New York, NY, USA","reference-count":64,"publisher":"ACM","license":[{"start":{"date-parts":[[2024,9,30]],"date-time":"2024-09-30T00:00:00Z","timestamp":1727654400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"name":"The State University of New York's Empire Innovation Program","award":["None"],"award-info":[{"award-number":["None"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2024,9,30]]},"DOI":"10.1145\/3678890.3678927","type":"proceedings-article","created":{"date-parts":[[2024,9,29]],"date-time":"2024-09-29T22:23:36Z","timestamp":1727648616000},"page":"594-612","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":4,"title":["A Comprehensive, Automated Security Analysis of the Uptane Automotive Over-the-Air Update Framework"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0000-0001-9242-019X","authenticated-orcid":false,"given":"Robert","family":"Lorch","sequence":"first","affiliation":[{"name":"Department of Computer Science, The University of Iowa, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-5305-7340","authenticated-orcid":false,"given":"Daniel","family":"Larraz","sequence":"additional","affiliation":[{"name":"Department of Computer Science, The University of Iowa, United States of America"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-6726-775X","authenticated-orcid":false,"given":"Cesare","family":"Tinelli","sequence":"additional","affiliation":[{"name":"Department of Computer Science, The University of Iowa, United States of America"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-1356-6279","authenticated-orcid":false,"given":"Omar","family":"Chowdhury","sequence":"additional","affiliation":[{"name":"Department of Computer Science, Stony Brook University, United States of America"}]}],"member":"320","published-online":{"date-parts":[[2024,9,30]]},"reference":[{"key":"e_1_3_2_1_1_1","volume-title":"Accessed","year":"2024","unstructured":"Airbiquity. 2024. Airbiquity. https:\/\/www.airbiquity.com\/. Accessed: March 25, 2023."},{"key":"e_1_3_2_1_2_1","doi-asserted-by":"publisher","DOI":"10.1007\/s10207-007-0041-y"},{"key":"e_1_3_2_1_3_1","doi-asserted-by":"publisher","DOI":"10.1109\/TCAD.2018.2858422"},{"key":"e_1_3_2_1_4_1","volume-title":"Easycrypt: A tutorial. International School on Foundations of Security Analysis and Design","author":"Barthe Gilles","year":"2012","unstructured":"Gilles Barthe, Fran\u00e7ois Dupressoir, Benjamin Gr\u00e9goire, C\u00e9sar Kunz, Benedikt Schmidt, and Pierre-Yves Strub. 2012. Easycrypt: A tutorial. International School on Foundations of Security Analysis and Design (2012), 146\u2013166."},{"key":"e_1_3_2_1_5_1","doi-asserted-by":"publisher","DOI":"10.1109\/MCOM.001.1900125"},{"key":"e_1_3_2_1_6_1","volume-title":"Evading Voltage-Based Intrusion Detection on Automotive CAN. In Network and Distributed System Security Symposium.","author":"Bhatia Rohit","year":"2021","unstructured":"Rohit Bhatia, Vireshwar Kumar, Khaled Serag, Z.\u00a0Berkay Celik, Mathias Payer, and Dongyan Xu. 2021. Evading Voltage-Based Intrusion Detection on Automotive CAN. In Network and Distributed System Security Symposium."},{"key":"e_1_3_2_1_7_1","unstructured":"Bruno Blanchet. 2007. CryptoVerif: Computationally sound mechanized prover for cryptographic protocols. In Dagstuhl seminar \u201cFormal Protocol Verification Applied Vol.\u00a0117. 156."},{"key":"e_1_3_2_1_8_1","doi-asserted-by":"publisher","DOI":"10.1561\/3300000004"},{"key":"e_1_3_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1109\/SMC53992.2023.10394216"},{"key":"e_1_3_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1109\/iCCECOME.2018.8658720"},{"key":"e_1_3_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.1145\/1455770.1455841"},{"key":"e_1_3_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-41540-6_29"},{"key":"e_1_3_2_1_14_1","volume-title":"Comprehensive Experimental Analyses of Automotive Attack Surfaces. In 20th USENIX Security Symposium (USENIX Security 11)","author":"Checkoway Stephen","year":"2011","unstructured":"Stephen Checkoway, Damon McCoy, Brian Kantor, Danny Anderson, Hovav Shacham, Stefan Savage, Karl Koscher, Alexei Czeskis, Franziska Roesner, and Tadayoshi Kohno. 2011. Comprehensive Experimental Analyses of Automotive Attack Surfaces. In 20th USENIX Security Symposium (USENIX Security 11). USENIX Association, San Francisco, CA. https:\/\/www.usenix.org\/conference\/usenix-security-11\/comprehensive-experimental-analyses-automotive-attack-surfaces"},{"key":"e_1_3_2_1_15_1","volume-title":"Safe and Secure Automotive Over-the-Air Updates","author":"Chowdhury Thomas","unstructured":"Thomas Chowdhury, Eric Lesiuta, Kerianne Rikley, Chung-Wei Lin, Eunsuk Kang, BaekGyu Kim, Shinichi Shiraishi, Mark Lawford, and Alan Wassyng. 2018. Safe and Secure Automotive Over-the-Air Updates. In Computer Safety, Reliability, and Security, Barbara Gallina, Amund Skavhaug, and Friedemann Bitsch (Eds.). Springer International Publishing, Cham, 172\u2013187."},{"key":"e_1_3_2_1_16_1","unstructured":"Catalin Cimpanu. 2017. Petya Ransomware Outbreak Originated in Ukraine via Tainted Accounting Software. Available at https:\/\/www.bleepingcomputer.com\/news\/security\/petya-ransomware-outbreak-originated-in-ukraine-via-tainted-accounting-software\/."},{"key":"e_1_3_2_1_17_1","volume-title":"Accessed","author":"Clark Linday","year":"2023","unstructured":"Linday Clark. 2023. CAN do attitude: How thieves steal cars using network bus. https:\/\/www.theregister.com\/2023\/04\/06\/can_injection_attack_car_theft. Accessed: March 25, 2023."},{"key":"e_1_3_2_1_19_1","volume-title":"Accessed","author":"Curry Sam","year":"2023","unstructured":"Sam Curry. 2023. Web Hackers vs. The Auto Industry. https:\/\/samcurry.net\/web-hackers-vs-the-auto-industry\/. Accessed: March 25, 2023."},{"key":"e_1_3_2_1_20_1","volume-title":"Accessed","year":"2003","unstructured":"Debian. 2003. Debian Investigation Report after Server Compromises. https:\/\/www.debian.org\/News\/2003\/20031202. Accessed: March 25, 2023."},{"key":"e_1_3_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.1109\/TIT.1983.1056650"},{"key":"e_1_3_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.iot.2022.100508"},{"key":"e_1_3_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.vehcom.2019.100214"},{"key":"e_1_3_2_1_24_1","volume-title":"Fast and Vulnerable: A Story of Telematic Failures. In 9th USENIX Workshop on Offensive Technologies (WOOT 15)","author":"Foster Ian","year":"2015","unstructured":"Ian Foster, Andrew Prudhomme, Karl Koscher, and Stefan Savage. 2015. Fast and Vulnerable: A Story of Telematic Failures. In 9th USENIX Workshop on Offensive Technologies (WOOT 15). USENIX Association, Washington, D.C.https:\/\/www.usenix.org\/conference\/woot15\/workshop-program\/presentation\/foster"},{"key":"e_1_3_2_1_25_1","first-page":"2023","article-title":"Automotive Grade Linux. https:\/\/www.automotivelinux.org\/. Accessed","volume":"15","author":"Foundation Linux","year":"2024","unstructured":"Linux Foundation. 2024. Automotive Grade Linux. https:\/\/www.automotivelinux.org\/. Accessed: Mar 15, 2023.","journal-title":"Mar"},{"key":"e_1_3_2_1_26_1","first-page":"2023","article-title":"Uptane \u2013 Securing Software Updates for Automobiles. https:\/\/uptane.github.io\/. Accessed","volume":"15","author":"Foundation Linux","year":"2024","unstructured":"Linux Foundation. 2024. Uptane \u2013 Securing Software Updates for Automobiles. https:\/\/uptane.github.io\/. Accessed: Mar 15, 2023.","journal-title":"Mar"},{"key":"e_1_3_2_1_27_1","first-page":"2023","article-title":"Uptane Deployment Best Practices v.2.1.0. https:\/\/uptane.org\/docs\/2.1.0\/deployment\/best-practices. Accessed","volume":"15","author":"Foundation Linux","year":"2024","unstructured":"Linux Foundation. 2024. Uptane Deployment Best Practices v.2.1.0. https:\/\/uptane.org\/docs\/2.1.0\/deployment\/best-practices. Accessed: Mar 15, 2023.","journal-title":"Mar"},{"key":"e_1_3_2_1_28_1","first-page":"2023","article-title":"Uptane Standard for Design and Implementation 2.1.0. https:\/\/uptane.org\/docs\/2.1.0\/standard\/uptane-standard. Accessed","volume":"15","author":"Foundation Linux","year":"2024","unstructured":"Linux Foundation. 2024. Uptane Standard for Design and Implementation 2.1.0. https:\/\/uptane.org\/docs\/2.1.0\/standard\/uptane-standard. Accessed: Mar 15, 2023.","journal-title":"Mar"},{"key":"e_1_3_2_1_29_1","volume-title":"Accessed","author":"Frields W","year":"2008","unstructured":"P.\u00a0W Frields. 2008. Infrastructure report, 2008-08-22 UTC 1200. https:\/\/listman.redhat.com\/archives\/fedora-announce-list\/2008-August\/msg00012.html. Accessed: March 25, 2023."},{"key":"e_1_3_2_1_30_1","volume-title":"Accessed","author":"Inc. GitHub.","year":"2012","unstructured":"Inc. GitHub. 2012. Public Key Security Vulnerability and Mitigation. https:\/\/github.blog\/2012-03-04-public-key-security-vulnerability-and-mitigation\/. Accessed: March 25, 2023."},{"key":"e_1_3_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.1145\/3312614.3312649"},{"key":"e_1_3_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2018.23313"},{"key":"e_1_3_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3354263"},{"key":"e_1_3_2_1_34_1","volume-title":"Communication Technologies for Vehicles, Thomas Strang, Andreas Festag, Alexey Vinel, Rashid Mehmood, Cristina Rico\u00a0Garcia, and Matthias R\u00f6ckl (Eds.)","author":"Idrees Muhammad\u00a0Sabir","unstructured":"Muhammad\u00a0Sabir Idrees, Hendrik Schweppe, Yves Roudier, Marko Wolf, Dirk Scheuermann, and Olaf Henniger. 2011. Secure Automotive On-Board Protocols: A Case of Over-the-Air Firmware Updates. In Communication Technologies for Vehicles, Thomas Strang, Andreas Festag, Alexey Vinel, Rashid Mehmood, Cristina Rico\u00a0Garcia, and Matthias R\u00f6ckl (Eds.). Springer Berlin Heidelberg, Berlin, Heidelberg, 224\u2013238."},{"key":"e_1_3_2_1_35_1","unstructured":"Swati Khandelwal. 2018. CCleaner Attack Timeline\u2014Here\u2019s How Hackers Infected 2.3 Million PCs. Available at https:\/\/thehackernews.com\/2018\/04\/ccleaner-malware-attack.html."},{"key":"e_1_3_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.1109\/WF-IoT.2016.7845430"},{"key":"e_1_3_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.1109\/QRS-C55045.2021.00124"},{"key":"e_1_3_2_1_38_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.jlamp.2022.100812"},{"key":"e_1_3_2_1_39_1","volume-title":"Brokenwire: Wireless disruption of ccs electric vehicle charging. arXiv preprint arXiv:2202.02104","author":"K\u00f6hler Sebastian","year":"2022","unstructured":"Sebastian K\u00f6hler, Richard Baker, Martin Strohmeier, and Ivan Martinovic. 2022. Brokenwire: Wireless disruption of ccs electric vehicle charging. arXiv preprint arXiv:2202.02104 (2022)."},{"key":"e_1_3_2_1_40_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2010.34"},{"key":"e_1_3_2_1_41_1","doi-asserted-by":"publisher","DOI":"10.1109\/MVT.2017.2778751"},{"key":"e_1_3_2_1_42_1","volume-title":"Mercury: Bandwidth-Effective Prevention of Rollback Attacks Against Community Repositories. In 2017 USENIX Annual Technical Conference (USENIX ATC 17)","author":"Kuppusamy Trishank\u00a0Karthik","year":"2017","unstructured":"Trishank\u00a0Karthik Kuppusamy, Vladimir Diaz, and Justin Cappos. 2017. Mercury: Bandwidth-Effective Prevention of Rollback Attacks Against Community Repositories. In 2017 USENIX Annual Technical Conference (USENIX ATC 17). USENIX Association, Santa Clara, CA, 673\u2013688. https:\/\/www.usenix.org\/conference\/atc17\/technical-sessions\/presentation\/kuppusamy"},{"key":"e_1_3_2_1_43_1","volume-title":"13th USENIX Symposium on Networked Systems Design and Implementation (NSDI 16)","author":"Kuppusamy Trishank\u00a0Karthik","year":"2016","unstructured":"Trishank\u00a0Karthik Kuppusamy, Santiago Torres-Arias, Vladimir Diaz, and Justin Cappos. 2016. Diplomat: Using Delegations to Protect Community Repositories. In 13th USENIX Symposium on Networked Systems Design and Implementation (NSDI 16). USENIX Association, Santa Clara, CA, 567\u2013581. https:\/\/www.usenix.org\/conference\/nsdi16\/technical-sessions\/presentation\/kuppusamy"},{"key":"e_1_3_2_1_44_1","volume-title":"Accessed","author":"Secure\u00a0Systems Lab NYU","year":"2023","unstructured":"NYU Secure\u00a0Systems Lab. 2023. Uptane Reference Implementation. https:\/\/github.com\/uptane\/obsolete-reference-implementation. Accessed: March 25, 2023."},{"key":"e_1_3_2_1_45_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-85248-1_14"},{"key":"e_1_3_2_1_46_1","doi-asserted-by":"publisher","DOI":"10.1145\/3591335.3591337"},{"key":"e_1_3_2_1_48_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSTW50294.2020.00019"},{"key":"e_1_3_2_1_49_1","first-page":"2023","article-title":"I\u2019m Sorry, Dave, I\u2019m Afraid I Can\u2019t Make a U-Turn. https:\/\/slate.com\/technology\/2010\/02\/should-we-be-worried-that-our-cars-are-controlled-by-software.html. Accessed","volume":"15","author":"Manjoo Farhad","year":"2010","unstructured":"Farhad Manjoo. 2010. I\u2019m Sorry, Dave, I\u2019m Afraid I Can\u2019t Make a U-Turn. https:\/\/slate.com\/technology\/2010\/02\/should-we-be-worried-that-our-cars-are-controlled-by-software.html. Accessed: Mar 15, 2023.","journal-title":"Mar"},{"key":"e_1_3_2_1_50_1","first-page":"2023","article-title":"Vehicle Dynamics International. https:\/\/www.vehicledynamicsinternational.com\/features\/vehicle-cybersecurity-control-the-code-control-the-road.html. Accessed","volume":"15","author":"Martin Anthony","year":"2020","unstructured":"Anthony Martin. 2020. Vehicle Dynamics International. https:\/\/www.vehicledynamicsinternational.com\/features\/vehicle-cybersecurity-control-the-code-control-the-road.html. Accessed: Mar 15, 2023.","journal-title":"Mar"},{"key":"e_1_3_2_1_51_1","volume-title":"The TAMARIN Prover for the Symbolic Analysis of Security Protocols","author":"Meier Simon","unstructured":"Simon Meier, Benedikt Schmidt, Cas Cremers, and David Basin. 2013. The TAMARIN Prover for the Symbolic Analysis of Security Protocols. In Computer Aided Verification, Natasha Sharygina and Helmut Veith (Eds.). Springer Berlin Heidelberg, Berlin, Heidelberg, 696\u2013701."},{"key":"e_1_3_2_1_52_1","volume-title":"Black Hat USA 2015","author":"Miller Charlie","year":"2015","unstructured":"Charlie Miller and Chris Valasek. 2015. Remote exploitation of an unaltered passenger vehicle. Black Hat USA 2015, S 91 (2015), 1\u201391."},{"key":"e_1_3_2_1_53_1","doi-asserted-by":"publisher","DOI":"10.3390\/s20247160"},{"key":"e_1_3_2_1_54_1","first-page":"1","article-title":"Free-fall: Hacking tesla from wireless to can bus","volume":"25","author":"Nie Sen","year":"2017","unstructured":"Sen Nie, Ling Liu, and Yuefeng Du. 2017. Free-fall: Hacking tesla from wireless to can bus. Briefing, Black Hat USA 25 (2017), 1\u201316.","journal-title":"Briefing, Black Hat USA"},{"key":"e_1_3_2_1_55_1","volume-title":"Over-the-air: How we remotely compromised the gateway, BCM, and autopilot ECUs of Tesla cars. Briefing, Black Hat USA","author":"Nie Sen","year":"2018","unstructured":"Sen Nie, Ling Liu, Yuefeng Du, and Wenkai Zhang. 2018. Over-the-air: How we remotely compromised the gateway, BCM, and autopilot ECUs of Tesla cars. Briefing, Black Hat USA (2018), 1\u201319."},{"key":"e_1_3_2_1_56_1","doi-asserted-by":"publisher","DOI":"10.1109\/GLOCOMW.2008.ECP.56"},{"key":"e_1_3_2_1_57_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.jksuci.2021.05.005"},{"key":"e_1_3_2_1_58_1","volume-title":"USENIX Security Symposium, Vol.\u00a010","author":"Rouf Ishtiaq","year":"2010","unstructured":"Ishtiaq Rouf, Robert\u00a0D Miller, Hossen\u00a0A Mustafa, Travis Taylor, Sangho Oh, Wenyuan Xu, Marco Gruteser, Wade Trappe, and Ivan Seskar. 2010. Security and Privacy Vulnerabilities of In-Car Wireless Networks: A Tire Pressure Monitoring System Case Study.. In USENIX Security Symposium, Vol.\u00a010."},{"key":"e_1_3_2_1_59_1","doi-asserted-by":"publisher","DOI":"10.1145\/1866307.1866315"},{"key":"e_1_3_2_1_60_1","volume-title":"ZBCAN: A Zero-Byte CAN Defense System.","author":"Serag Khaled","year":"2023","unstructured":"Khaled Serag, Rohit Bhatia, Akram Faqih, Muslum\u00a0Ozgur Ozmen, Vireshwar Kumar, Z.\u00a0Berkay Celik, and Dongyan Xu. 2023. ZBCAN: A Zero-Byte CAN Defense System."},{"key":"e_1_3_2_1_61_1","volume-title":"USENIX Security Symposium. 4241\u20134258","author":"Serag Khaled","year":"2021","unstructured":"Khaled Serag, Rohit Bhatia, Vireshwar Kumar, Z\u00a0Berkay Celik, and Dongyan Xu. 2021. Exposing New Vulnerabilities of Error Handling Mechanism in CAN.. In USENIX Security Symposium. 4241\u20134258."},{"key":"e_1_3_2_1_62_1","unstructured":"SolarWinds. 2019. SolarWinds Security Advisory. Available at https:\/\/www.solarwinds.com\/securityadvisory."},{"key":"e_1_3_2_1_63_1","doi-asserted-by":"publisher","DOI":"10.2197\/ipsjjip.25.220"},{"key":"e_1_3_2_1_64_1","volume-title":"Accessed","author":"Team Apache\u00a0Infrastructure","year":"2009","unstructured":"Apache\u00a0Infrastructure Team. 2009. apache.org incident report for 8\/28\/2009. https:\/\/blogs.adobe.com\/conversations\/2012\/09\/adobe-to-revoke-code-signing-certificate.html. Accessed: March 25, 2023."},{"key":"e_1_3_2_1_65_1","volume-title":"Accessed","author":"Tindell Ken","year":"2023","unstructured":"Ken Tindell. 2023. CAN Injection: keyless car theft. https:\/\/kentindell.github.io\/2023\/04\/03\/can-injection\/. Accessed: March 25, 2023."},{"key":"e_1_3_2_1_66_1","volume-title":"29th USENIX Security Symposium (USENIX Security 20)","author":"Wen Haohuang","year":"2020","unstructured":"Haohuang Wen, Qi\u00a0Alfred Chen, and Zhiqiang Lin. 2020. Plug-N-Pwned: Comprehensive Vulnerability Analysis of OBD-II Dongles as A New Over-the-Air Attack Surface in Automotive IoT. In 29th USENIX Security Symposium (USENIX Security 20). USENIX Association, 949\u2013965. https:\/\/www.usenix.org\/conference\/usenixsecurity20\/presentation\/wen"},{"key":"e_1_3_2_1_67_1","first-page":"993","article-title":"A practical wireless attack on the connected car and security protocol for in-vehicle CAN","volume":"16","author":"Woo Samuel","year":"2014","unstructured":"Samuel Woo, Hyo\u00a0Jin Jo, and Dong\u00a0Hoon Lee. 2014. A practical wireless attack on the connected car and security protocol for in-vehicle CAN. IEEE Transactions on intelligent transportation systems 16, 2 (2014), 993\u20131006.","journal-title":"IEEE Transactions on intelligent transportation systems"}],"event":{"name":"RAID '24: The 27th International Symposium on Research in Attacks, Intrusions and Defenses","location":"Padua Italy","acronym":"RAID '24"},"container-title":["The 27th International Symposium on Research in Attacks, Intrusions and Defenses"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3678890.3678927","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3678890.3678927","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,19]],"date-time":"2025-06-19T01:18:00Z","timestamp":1750295880000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3678890.3678927"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,9,30]]},"references-count":64,"alternative-id":["10.1145\/3678890.3678927","10.1145\/3678890"],"URL":"https:\/\/doi.org\/10.1145\/3678890.3678927","relation":{},"subject":[],"published":{"date-parts":[[2024,9,30]]},"assertion":[{"value":"2024-09-30","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}