Martin Kayondo (Seoul National University), Junseung You (Seoul National University), Eunmin Kim (Seoul National University), Jiwon Seo (Dankook University), Yunheung Paek (Seoul National University)
Modern vehicles integrate Extra-Vehicle Networks (EVNs) with In-Vehicle Networks (IVNs) to support navigation, diagnostics, and over-the-air updates. This convergence introduces an EVN platform as a new source of control messages at the IVN gateway, breaking the traditional assumption that the gateway only filters traffic from simple, isolated, and implicitly trusted legacy ECUs. Instead, the EVN platform hosts a complex EVN manager with a full operating system and multiple applications, greatly enlarging the attack surface: a compromised OS or application can spoof control messages that evade gateway filtering.
We present SECV, a runtime security mechanism that enables the IVN gateway to accurately verify EVN-originated control messages even when the EVN manager is compromised. sys mediates all EVN-to-IVN traffic inside a Trusted Execution Environment (TEE), performs per-application validation, and attaches cryptographic proofs. These proofs are verified by the IVN gateway using a Hardware Security Module (HSM), providing reliable message authentication with low overhead.
SECV addresses practical challenges in TEE–HSM trust establishment, real-time mediation, and robust attribution under compromise. Implemented on an automotive SoC with ARM TrustZone and an EVITA-compliant HSM, SECV enforces strong security guarantees with only 6.5% transmission geometric mean overhead and 1.5% additional message loss during extreme communication bursts, effectively mitigating EVN-originated attacks while satisfying real-time constraints.