Patents Assigned to C2A-SEC, Ltd.
-
Patent number: 12229245
Abstract: A CFI system constituted of: at least one protection module, each comprising a respective allowable flow model associated with at least one of a plurality of portions of a process; and at least one process protection manager, arranged, responsive to a control flow instruction in one of the plurality of portions of the process, to: compare one or more parameters of the control flow instruction to the allowable flow model of the associated protection module; and responsive to an outcome of the comparison indicating that the compared parameters do not meet a respective parameter of the allowable flow model, generate a predetermined signal, wherein each protection module is implemented as a shared object, wherein each process protection manager is implemented as a shared object, and wherein the at least one protection module and the process protection manager are loaded into the process.
Type: Grant
Filed: January 27, 2021
Date of Patent: February 18, 2025
Assignee: C2A-SEC, LTD
Inventors: Yitzhack Davidovich, Yoav Fuchs, Leonid Frenkel
-
Patent number: 12013935
Abstract: An ROP attack protection method for a plurality of ECUs, the method constituted of: receiving data destined for one of the plurality of ECUs; determining which of the plurality of ECUs the received data is destined for; responsive to a unique model associated with the determined ECU, analyzing the received data to identify control flow instructions addressed to one or more predetermined addresses; responsive to the analyzation, generate a statistical analysis of the identified control flow instructions; and responsive to the generated statistical analysis, outputting a signal indicating a possibility of an attack.
Type: Grant
Filed: March 5, 2020
Date of Patent: June 18, 2024
Assignee: C2A-SEC, Ltd.
Inventors: Yitzhack Davidovich, Yoav Fuchs, Nir Brakha
-
Patent number: 11893113
Abstract: An ROP attack protection apparatus constituted of: a first region of memory having stored therein a protection function, the first region of memory set as executable; and a second region of memory having stored thereon a plurality of operation functions, the second region of memory set as non-executable, wherein the protection function is arranged to: responsive to a call to one of the plurality of operation functions and further responsive to at least one predetermined rule, allow execution of the called operation function; and after receiving a return from the executed operation function, set the executed operation function as non-executable.
Type: Grant
Filed: November 1, 2019
Date of Patent: February 6, 2024
Assignee: C2A-SEC, Ltd.
Inventors: Yitzhack Davidovich, Yoav Fuchs, Nir Brakha
-
Patent number: 11822649
Abstract: A system for monitoring intrusion anomalies in an automotive environment, the system comprising: a telematic control unit; a plurality of engine control units, each of the plurality of engine control units associated with a local security monitor and a diagnostic communications manager arranged to receive information regarding intrusion anomalies detected by the local security monitor; and an anomaly analyzer in communication with each of the diagnostic communication managers and the telematics control unit, the communication utilizing a diagnostic over Internet protocol, the anomaly analyzer arranged to aggregate the information regarding intrusion anomalies detected by the respective local security monitors.
Type: Grant
Filed: December 30, 2018
Date of Patent: November 21, 2023
Assignee: C2A-SEC, Ltd.
Inventor: Roie Kerstein
-
Patent number: 11386201
Abstract: A bus control device is enabled for placement between an input port to which a suspect device would be connected and the bus. In this manner, all messages received from the suspect device, such as an infotainment system, must pass through the bus control device. A separate intrusion detection device is coupled to the bus. The bus control device is arranged to output a notification message to the intrusion detection device, the notification message comprising information about the received message. The intrusion detection device is arranged to determine the validity of the received message responsive to the received notification message.
Type: Grant
Filed: August 6, 2017
Date of Patent: July 12, 2022
Assignee: C2A-SEC, Ltd.
Inventor: Shlomo Oberman