Abstract: Systems, methods, and other embodiments described herein relate to adaptable canary values. In one embodiment, a method includes acquiring state information about a program executing within a vehicle. The state information specifies at least a security level of segments of the program. The method includes, responsive to the program satisfying a generating threshold, generating a canary value according to the state information. The method includes inserting the canary value into a memory address associated with the program.

Abstract: Systems, methods, and other embodiments described herein relate to improving incident response within a vehicle environment. In one embodiment, a method includes, responsive to detecting an attack on a threatened component of a computing system, gathering information about the threatened component, including at least a dependency list that specifies related components to the threatened component. The method includes determining a risk score for the attack according to a risk level associated with the attack, a risk type of the threatened component, and combined risks associated with compromising the related components. The method includes providing a report specifying information about the attack, including at least the risk score.

Abstract: One embodiment of the present invention facilitates address resolution protocol (ARP) resolution in an extended subnet. A gateway of a first segment of the extended subnet can determine that a layer-2 address corresponding to a layer-3 destination address of a packet is locally unavailable. The gateway can then determine whether a respective egress interface of an ARP request for the layer-3 destination address is associated with a layer-2 subnet extension from the first segment to a second segment of the extended subnet. The extension can provide a common layer-2 broadcast domain comprising the first and second segments with a same default gateway layer-3 address. If the egress interface is associated with the extension, the gateway can insert a layer-3 address of a first endpoint associated with the extension as a source protocol address in the ARP request. The gateway can send the modified ARP request via the egress interface.

Abstract: A microphone controller includes a processor programmed to receive voice input from one or more microphones to be utilized in a voice recognition session initiated by the microphone controller. Further the microphone controller includes a key store including one or more keys configured to encrypt the received voice input to an encrypted voice data.

Abstract: Systems, methods, and other embodiments described herein relate to securing software composition information in a software management environment. In one embodiment, a method includes acquiring, in a managing device, identifying information about a software package installed on a remote device, including a unique identifier of an entity associated with the software package, and a secure identifier that combines the unique identifier with a package identifier of the software package. The method includes, responsive to identifying a vulnerability, generating a vulnerability identifier using the unique identifier of the entity and a vulnerability label that identifies a vulnerable package that includes the vulnerability. The method includes comparing the vulnerability identifier with the secure identifier to determine whether the software package includes the vulnerability. The method includes providing a response about the vulnerability when the vulnerability identifier matches the secure identifier.

Abstract: One embodiment of the present invention facilitates address resolution protocol (ARP) resolution in an extended subnet. A gateway of a first segment of the extended subnet can determine that a layer-2 address corresponding to a layer-3 destination address of a packet is locally unavailable. The gateway can then determine whether a respective egress interface of an ARP request for the layer-3 destination address is associated with a layer-2 subnet extension from the first segment to a second segment of the extended subnet. The extension can provide a common layer-2 broadcast domain comprising the first and second segments with a same default gateway layer-3 address. If the egress interface is associated with the extension, the gateway can insert a layer-3 address of a first endpoint associated with the extension as a source protocol address in the ARP request. The gateway can send the modified ARP request via the egress interface.

Abstract: Systems, methods, and other embodiments described herein relate to validating programs of a computing system in a vehicle by tracking a boot sequence. In one embodiment, a method includes, responsive to detecting initiation of a boot sequence in a computing system, tracking characteristics of programs executing as part of the boot sequence. The method includes determining whether the programs correspond with a program execution graph (PEG) by comparing the characteristics of the programs as the programs boot with the PEG. The method includes providing a response to thwart a malicious program when the boot sequence does not match the PEG.

Abstract: One embodiment of the present invention provides a system for facilitating layer-2 subnet extension. During operation, the system can query, from a first administrative domain, a remote database of a second administrative domain for configuration information associated with one or more remote network segments. The system can obtain, from a user interface of the first administrative domain, an instruction for performing layer-2 subnet extension from a first network segment under the first administrative domain to a second network segment of the one or more remote network segments for providing a common layer-2 broadcast domain. The system can then send a remote instruction executable in the second administrative domain for configuring a remote endpoint for the extension. The system can also configure a local endpoint in the first network segment for the extension. Subsequently, the system can establish a data connection between the local and remote endpoints for the extension.

Abstract: Systems, methods, and other embodiments described herein relate to validating programs of a computing system in a vehicle by tracking a boot sequence. In one embodiment, a method includes, responsive to detecting initiation of a boot sequence in a computing system, tracking characteristics of programs executing as part of the boot sequence. The method includes determining whether the programs correspond with a program execution graph (PEG) by comparing the characteristics of the programs as the programs boot with the PEG. The method includes providing a response to thwart a malicious program when the boot sequence does not match the PEG.

Abstract: Systems, methods, and other embodiments described herein relate to adaptable canary values. In one embodiment, a method includes acquiring state information about a program executing within a vehicle. The state information specifies at least a security level of segments of the program. The method includes, responsive to the program satisfying a generating threshold, generating a canary value according to the state information. The method includes inserting the canary value into a memory address associated with the program.

Abstract: Systems, methods, and other embodiments described herein relate to improving incident response within a vehicle environment. In one embodiment, a method includes, responsive to detecting an attack on a threatened component of a computing system, gathering information about the threatened component, including at least a dependency list that specifies related components to the threatened component. The method includes determining a risk score for the attack according to a risk level associated with the attack, a risk type of the threatened component, and combined risks associated with compromising the related components. The method includes providing a report specifying information about the attack, including at least the risk score.

Abstract: Systems, methods, and other embodiments described herein relate to monitoring for unauthorized access to an electronic device. In one embodiment, a method includes acquiring a fault status about observed anomalies within a device. The observed anomalies relating to unauthorized access to the device. The method includes analyzing the fault status to identify whether the fault status satisfies a fault threshold. The method includes activating a response when the fault status satisfies the fault threshold indicating the presence of the unauthorized access.

Abstract: Systems, methods, and other embodiments described herein relate to securing software composition information in a software management environment. In one embodiment, a method includes acquiring, in a managing device, identifying information about a software package installed on a remote device, including a unique identifier of an entity associated with the software package, and a secure identifier that combines the unique identifier with a package identifier of the software package. The method includes, responsive to identifying a vulnerability, generating a vulnerability identifier using the unique identifier of the entity and a vulnerability label that identifies a vulnerable package that includes the vulnerability. The method includes comparing the vulnerability identifier with the secure identifier to determine whether the software package includes the vulnerability. The method includes providing a response about the vulnerability when the vulnerability identifier matches the secure identifier.

Abstract: A system in a vehicle includes one or more sensors configured to obtain occupant information from an occupant utilizing at least facial information of the occupant. The system also includes a controller in communication with the one or more sensors. The controller is configured to determine an application policy associated with one or more applications of the vehicle and execute the one or more applications in response to facial information exceeding a first authentication layer or second authentication layer associated with the application policy.

Abstract: One embodiment of the present invention provides a system for facilitating layer-2 subnet extension. During operation, the system can query, from a first administrative domain, a remote database of a second administrative domain for configuration information associated with one or more remote network segments. The system can obtain, from a user interface of the first administrative domain, an instruction for performing layer-2 subnet extension from a first network segment under the first administrative domain to a second network segment of the one or more remote network segments for providing a common layer-2 broadcast domain. The system can then send a remote instruction executable in the second administrative domain for configuring a remote endpoint for the extension. The system can also configure a local endpoint in the first network segment for the extension. Subsequently, the system can establish a data connection between the local and remote endpoints for the extension.

Abstract: One embodiment of the present invention facilitates address resolution protocol (ARP) resolution in an extended subnet. A gateway of a first segment of the extended subnet can determine that a layer-2 address corresponding to a layer-3 destination address of a packet is locally unavailable. The gateway can then determine whether a respective egress interface of an ARP request for the layer-3 destination address is associated with a layer-2 subnet extension from the first segment to a second segment of the extended subnet. The extension can provide a common layer-2 broadcast domain comprising the first and second segments with a same default gateway layer-3 address. If the egress interface is associated with the extension, the gateway can insert a layer-3 address of a first endpoint associated with the extension as a source protocol address in the ARP request. The gateway can send the modified ARP request via the egress interface.

Abstract: A binary patch system for a vehicle may include a memory and a controller in communication with the memory and programmed to receive original source code, identify vulnerabilities in original source code, generate binary patch based on the identified vulnerabilities, insert binary patch into original source code, receive feedback of the inserted binary patch, and update the binary patch based on the feedback.

Abstract: A computer device includes a memory. The computer device also includes at least one processor configured to execute a process and manage the memory for the process. The processor is further configured to execute one or more program instructions associated with an application, reach control flow transfer for the one or more program instructions, unwind a call stack associated with the one or more program instructions in response to a failure to meet a target control flow, identify an offending function call, and rewrite the offending function call. The rewritten function call includes a memory operation boundary check.

Abstract: System, methods, and other embodiments described herein relate to improving control flow in a program for safety-related functions. In one embodiment, a method includes identifying a safety-related function of the program. The safety-related function is associated with functionality performed by the program that effects whether an associated device operates according to a functional safety standard. The method includes integrating a fault tree for the safety-related function into associated portions of a control flow graph of the program. The control flow graph identifies at least procedural control flows within the program, and the fault tree indicates combinations of conditions in the program that produce faults by the program. The method includes providing the control flow graph as an electronic output to improve the control flow of the program.

Abstract: A system in a vehicle includes one or more sensors configured to obtain occupant information from an occupant utilizing at least facial information of the occupant. The system also includes a controller in communication with the one or more sensors. The controller is configured to determine an application policy associated with one or more applications of the vehicle and execute the one or more applications in response to facial information exceeding a first authentication layer or second authentication layer associated with the application policy.