Enhancing Automotive Intrusion Detection Systems with CHERI-Based Memory Protection

1. Introduction

The automotive industry is undergoing transformative innovation, driven by rapid technological advancements and the advent of autonomous vehicles. Modern vehicles are no longer purely mechanical systems; they have evolved into complex mechatronic platforms, integrating numerous Electronic Control Units (ECUs) interconnected through sophisticated communication networks [1]. These ECUs manage critical vehicle functions, such as engine control, braking, and driver assistance, as well as secondary systems like lighting, infotainment, and connectivity services. However, this increased interconnectivity introduces a broad attack surface for cyber threats, posing significant risks to vehicle security, operational reliability, and passenger safety.

One of the critical components in ensuring vehicle cybersecurity is the Intrusion Detection System (IDS). IDSs monitor network activity to identify and mitigate threats, such as unauthorized access, data manipulation, and protocol violations. Despite their importance, traditional IDSs face significant challenges in addressing sophisticated attack vectors targeting automotive systems. Common threats include IP spoofing, where attackers forge source IP addresses to impersonate legitimate devices, and rule manipulation, where IDS configurations are altered to bypass detection mechanisms.

Other notable attack vectors include denial-of-service (DoS) attacks, which flood networks with excessive traffic to overwhelm IDS processing capabilities, and message replay attacks, where previously captured valid messages are resent to disrupt operations. Payload tampering involves injecting or modifying data packets to exploit vulnerabilities, while man-in-the-middle (MITM) attacks enable malicious actors to intercept, alter, or inject messages between ECUs. Timing attacks, which exploit delays in message processing, and protocol-specific exploits targeting communication standards like CAN, CAN-FD, or SOME/IP, further complicate the security landscape. These vulnerabilities underscore the limitations of traditional IDS solutions and the critical need for robust, hardware-based security measures to safeguard IDS functionality.

As vehicles become increasingly connected and autonomous, the potential for cyberattacks targeting their ECUs grows exponentially. Attackers can exploit network vulnerabilities to inject malicious packets or spoof legitimate IP addresses, bypassing conventional IDS mechanisms. Furthermore, unauthorized access to IDS configurations can enable attackers to modify detection rules, undermining the system’s ability to flag suspicious activity. Without strong protections, these threats compromise both vehicle safety and security.

To address these challenges, this research investigates the application of Capability Hardware Enhanced RISC Instructions (CHERI), a novel hardware architecture that provides fine-grained memory protection. CHERI enforces strict access controls at the hardware level, ensuring critical components, such as IDS rule sets, remain isolated from unauthorized processes. By leveraging CHERI’s memory compartmentalization capabilities, this study demonstrates how IDSs can be made resilient against IP spoofing, rule manipulation, and other advanced attack vectors. The findings highlight how CHERI-enhanced IDSs preserve their integrity and functionality even under sophisticated attack scenarios, offering a robust solution for modern automotive networks.

This study investigates the efficacy of CHERI-based memory protections in enhancing the security of IDSs within automotive networks. Specifically, it seeks to:

• Assess the ability of a CHERI-enhanced IDS to detect and mitigate IP spoofing attacks.
• Evaluate how CHERI’s hardware-level protections prevent unauthorized access and manipulation of IDS rules.
• Provide insights into the integration of CHERI capabilities in automotive cybersecurity frameworks, highlighting their practical implications for securing ECUs and In-vehicle network communication.

The remainder of this paper is organized as follows: Section 2 provides the Background, outlining key challenges in automotive cybersecurity, IDS vulnerabilities, and an introduction to CHERI technologies. Section 3 presents the Literature Review, discussing related work on IDS frameworks, CHERI applications, and automotive network security. Section 4 explains the Methodology, detailing the experimental setup, CHERI-enhanced IDS framework, and attack simulation scenarios. Section 5 covers the Results and Analysis, highlighting the effectiveness of CHERI in mitigating IP spoofing and rule manipulation attacks. Finally, Section 6 concludes the paper, offering insights into CHERI’s potential in real-world automotive applications and recommendations for future research directions.

2. Background

2.1. CHERI Project Overview

The CHERI (Capability Hardware Enhanced RISC Instructions) project is a research initiative that integrates fine-grained memory protection and software compartmentalization into modern processor architectures. It was originally developed as a collaboration between the University of Cambridge, SRI International, and ARM Research, funded by the DARPA-sponsored CRASH and MRC programs [2,3].

At its core, CHERI extends traditional architectures with a capability-based model, replacing standard pointers with capabilities that carry metadata, including base, bounds, and access permissions. This design enforces spatial memory safety, preventing out-of-bounds memory access, and reduces the risk of vulnerabilities such as buffer overflows and code injection attacks [4]. The CHERI model is compatible with conventional C/C++ programming, making it particularly suitable for automotive systems, where these languages dominate due to their low-level control and performance efficiency [5,6].

The project also emphasizes hardware-enforced least privilege, allowing software components to operate with minimal permissions, thereby limiting the impact of potential compromises. The ARM Morello board is one of the notable implementations of the CHERI architecture, demonstrating its practical applicability in real-world scenarios [7].

CHERI’s ability to enhance memory safety and enforce strong isolation mechanisms has garnered attention in the field of automotive cybersecurity, where protecting critical systems from sophisticated attacks such as rule manipulation and IP spoofing is paramount. By adopting CHERI capabilities, automotive applications can achieve robust security by design, aligning with emerging standards such as ISO/SAE 21434 [8,9]

2.2. CHERI and ARM Morello Technologies

The CHERI (Capability Hardware Enhanced RISC Instructions) architecture represents a transformative approach to addressing memory safety vulnerabilities, one of the most critical challenges in modern computing systems. By integrating fine-grained memory protection and scalable software compartmentalization directly into hardware, CHERI provides a robust mechanism for securing both traditional and modern computing environments.

2.2.1. CHERI Architecture Overview

CHERI is built upon two foundational principles[10]:

1. Principle of Least Privilege: Each component in a system operates with only the permissions it requires, minimizing the potential impact of a compromise. For example, a pointer in a CHERI system is restricted to accessing only the memory region it is explicitly authorized for, reducing the risks posed by buffer overflow vulnerabilities.

2. Principle of Intentional Use: Actions performed by a program must explicitly state the permissions utilized. This eliminates ambiguity in authorization and mitigates risks such as the confused deputy problem, where a component inadvertently misuses its privileges due to unclear permissions.

CHERI capabilities are hardware-enforced tokens that combine memory addresses with metadata, such as bounds and permissions, ensuring that memory access is strictly controlled. Each memory region is protected by a unique capability, and these capabilities are immutable in ways that increase their security. For instance, CHERI employs tagged memory to distinguish valid capabilities from arbitrary data, preventing their corruption or unauthorized modification.

2.2.2. CHERI Enhancements and Implementation

CHERI enhances conventional architectures like MIPS, RISC-V, and ARM by introducing a capability-based memory model that coexists with existing software [11] [12]. This hybrid approach facilitates the gradual adoption of CHERI technologies, enabling legacy code to operate alongside CHERI-enabled applications. The architecture extends pointers to include additional metadata, such as base, bounds, and permissions, ensuring that only authorized memory regions are accessed.

Key features of CHERI include:

• Memory Protection: By attaching bounds and permission bits to pointers, CHERI ensures spatial memory safety, preventing unauthorized access beyond designated memory regions.
• Software Compartmentalization: CHERI supports the isolation of software components, enabling secure interaction between mutually untrusting programs or processes.
• Tagged Memory: This feature ensures that capabilities cannot be forged or corrupted, as the hardware tracks their validity independently of their location in memory.

2.2.3. ARM Morello: A Prototype for Commercial Application

ARM Morello, a prototype implementation of the CHERI architecture, extends the ARMv8-A architecture with CHERI capabilities to evaluate its feasibility in commercial processors. Developed in collaboration with the UK government, Morello explores the integration of CHERI’s fine-grained memory protection mechanisms into mass-market hardware.

The Morello board incorporates several CHERI advancements:

• Compatibility with Existing Software: Morello provides a hybrid execution environment, enabling unmodified ARMv8-A applications to coexist with CHERI-enhanced programs. This compatibility reduces adoption barriers for developers and organizations.
• Enhanced Security Properties: By integrating CHERI capabilities, Morello strengthens security guarantees for memory safety, compartmentalization, and access control at the hardware level.
• Performance Considerations: ARM Morello demonstrates that CHERI’s additional security features can be implemented with minimal performance overhead, making it viable for real-time systems like those in automotive networks.

2.3. IP Spoofing and IDS Rule Manipulation

IP spoofing is a common tactic used in cyber attacks to impersonate a legitimate entity and bypass network security measures [13]. In an automotive context, IP spoofing can allow an attacker to introduce malicious commands or data into the network, masked as a legitimate ECU communication. Traditional IDS systems, especially those reliant on IP-based filtering, struggle to accurately detect spoofed IP packets without high rates of false positives. Attackers can exploit this weakness to gain further access to the vehicle network, potentially leading to unauthorized data collection or manipulation of vehicle functions.

Once attackers establish a foothold within the network, they may attempt to alter IDS rules to avoid detection in future attacks. This manipulation could involve disabling specific detection rules or creating exceptions for their activity [14]. Without robust memory protection for IDS configurations, rule manipulation remains a persistent vulnerability, as rule-based detection alone cannot prevent access to the IDS’s internal logic if an attacker gains sufficient privileges.

3. Literature Review

Automotive networks have evolved from isolated, closed systems to highly interconnected networks due to the inclusion of wireless interfaces such as Wi-Fi, Bluetooth, and cellular connectivity [1]. These interfaces, while providing benefits like over-the-air (OTA) updates and telematics services, expose vehicles to numerous cyber risks [15,16]. One of the primary concerns is the complexity and distributed nature of automotive software, with modern vehicles containing over 100 million lines of code distributed across ECUs. These ECUs interconnect through the Controller Area Network (CAN) and Ethernet networks, using protocols such as Scalable service-Oriented Middleware over IP (SOME/IP) to enable efficient communication.

To enhance communication security in automotive electrical and electronic architectures, various approaches have been developed. One notable example is SecOC, standardized by AUTOSAR, which employs symmetric cryptography to secure communication over the Controller Area Network (CAN) [17]. Lee et al. in [18] suggest a hybrid framework leveraging blockchain technology to improve network security within vehicles. Nevertheless, the framework does not include a comprehensive explanation of the protocol’s interaction process or demonstrate the practicality of the proposed solution. Islam et al. in [19] present a CAN-based scheme designed to mitigate multiple attack scenarios. They assert that the method ensures security without requiring changes to the underlying CAN protocol. Additionally, validation experiments are conducted, demonstrating the effectiveness of the proposed approach in preventing and defending against a range of attacks. Hafeez et al. in [20,21] employ a neural network approach to authenticate messages within vehicle networks, including the conventional CAN protocol. They assert that this method significantly enhances the accuracy of electronic control unit (ECU) communication. While the study includes analysis and validation of the approach, it does not provide a detailed assessment of its security. Woo et al. in [22] propose a security architecture leveraging the CAN with Flexible Data Rate (CAN-FD) network to establish a secure transmission environment. They introduce a hierarchical encryption transmission technique for the vehicle network, which has been validated but lacks a formal verification process to confirm its feasibility. Lodge et al. [23] analyze vulnerabilities in CAN and CAN-FD protocols, such as replay, injection, and DoS attacks, emphasizing the need for robust automotive security frameworks. They propose solutions like lightweight cryptography, blockchain-based key provisioning, and multi-layer architectures to enhance communication security. While promising, these methods face challenges in compatibility with legacy systems and increased complexity, highlighting the importance of advanced IDS for Ethernet-based networks.

Kreissl et al. in [24] explored methods for securing SOME/IP-based vehicular communication networks. The authors suggest a central entity to manage key material distribution through (D)TLS during the event group subscription process. However, the "service offer" and "find offer" steps remain unprotected. To support broadcast communication, SOME/IP is enhanced with the TESLA protocol. Despite its advantages, TESLA’s delayed authentication for broadcast messages requires modifications to the SOME/IP process flow, such as caching messages until verification data is received. This introduces latency, making it unsuitable for time-sensitive data transmission. Iorio et al. [25] propose a new framework to enhance the security of SOME/IP. While the framework includes security protocol modeling and verification, offering strong assurance of the desired security properties, it imposes significant network overhead and lacks a clear and intuitive formal verification proof. Herold et al. [26] propose an Intrusion Detection System (IDS) for SOME/IP using Complex Event Processing (CEP) to detect attacks. The system identifies threats such as malformed packets, protocol violations, and timing issues. However, like other IDS solutions, it faces challenges with false positives and false negatives. Zorman et al. [27] propose a firewall implementation for embedded automotive systems, utilizing rule-based security and deep packet inspection (DPI) to validate SOME/IP payloads. The solution demonstrates feasibility in resource-constrained environments, highlighting its potential for enhancing security in automotive Ethernet communication. Qi Liu et al. [28] proposed a method that combines deep learning models with residual self-attention to analyze Ethernet traffic, aiming to detect cyberattacks like DDoS and MITM, as well as random hardware failures. This framework demonstrates high accuracy and real-time detection capabilities, highlighting the importance of robust cybersecurity solutions for modern Ethernet-based automotive communication systems.

Intrusion Detection Systems (IDS) in automotive environments monitor network traffic to identify suspicious activities that may indicate an attack. Common threats include IP spoofing, where attackers modify IP headers to disguise their identity. While IDS can flag such anomalies, conventional approaches are often limited in countering spoofing if attackers effectively mask their actions. Additionally, if attackers compromise IDS configurations, they could manipulate detection rules to allow undetected future attacks. Notably, none of the existing solutions address IP spoofing and rule manipulation attacks with a security-by-hardware level design approach.

4. Methodology

This section describes the methodology and experimental setup, including the network and components simulated, the configuration of the IDS, and the process of executing spoofing and rule manipulation attacks. The experiment evaluates the CHERI capabilities in restricting unauthorized access and protecting the IDS configuration in an automotive network.

4.1. CHERI in Automotive Security Applications

The integration of CHERI (Capability Hardware Enhanced RISC Instructions) into automotive security offers a transformative approach to mitigating critical vulnerabilities in modern vehicles. CHERI introduces fine-grained memory protection by replacing traditional pointers with capabilities, which include metadata such as base, bounds, and permissions. This architecture prevents unauthorized access and memory safety violations, addressing issues such as buffer overflows and code injection—common attack vectors in automotive systems.

In automotive applications, CHERI can enhance the security of Ethernet-based protocols like SOME/IP by safeguarding IDS configurations and protecting critical ECUs from malicious tampering. By embedding CHERI capabilities, automotive systems can enforce hardware-level isolation for IDS rules, preventing rule manipulation and ensuring secure anomaly detection. Additionally, CHERI mitigates risks associated with IP spoofing by ensuring that memory access is explicitly authorized, eliminating the possibility of attackers altering network configurations.

This approach aligns with the principles of security by design, enabling robust protections against advanced cyberattacks in the dynamic and interconnected environment of modern vehicles. CHERI’s capability-based model ensures that automotive security solutions remain both effective and resilient, providing a foundational framework for safeguarding next-generation vehicle networks.

4.2. CHERI Capability Usage

Memory safety violations often result from coding errors in unsafe languages like C and C++, making software susceptible to security vulnerabilities and unauthorized access. CHERI introduces capabilities that enforce spatial memory safety, effectively addressing these issues. Figure 1 illustrates a comparison between the behavior of ISO C and CHERI C in handling pointer arithmetic and memory access.

In ISO C, two variables, data and critical_data, are declared:

• data is allocated at address 0x20 with a value of 5.
• critical_data is allocated at address 0x24 with a value of 2023.

A pointer, ptr, is initialized to point to data. In ISO C, pointer arithmetic allows ptr to be incremented to point to 0x24, accessing and leaking the value of critical_data unintentionally. This behavior is described mathematically in Equation 1.

In CHERI C, pointers are replaced with capabilities that include metadata such as base, length, and permissions. The capability for ptr is confined to the memory bounds of data (0x20 to 0x24). Any attempt to dereference ptr outside these bounds (e.g., at 0x24) triggers a hardware trap, preventing unauthorized access to critical_data. This behaviour is defined in Equation 2. CHERI enforces the principle of least privilege by ensuring ptr cannot access memory beyond its defined bounds, maintaining memory safety by design

Memory safety violations often arise from coding errors in unsafe languages like C and C++, exposing software to security vulnerabilities. CHERI introduces capabilities to enforce spatial memory safety, addressing these issues effectively. The diagram compares the behavior of ISO C and CHERI C in handling pointer arithmetic and memory access.

In ISO C, two variables, data and critical_data, are declared:

• data is allocated at address 0x20 with a value of 5.
• critical_data is allocated at address 0x24 with a value of 2023.

A pointer, ptr, is initialized to point to data. In ISO C, pointer arithmetic allows ptr to be incremented to point to 0x24, accessing and leaking the value of critical_data unintentionally. This behavior is described mathematically in Equation 1.

$$\mathbf{ISO}\mathbf{C}:\begin{array}{cc}\hfill & \mathrm{Variable}data:\mathrm{signed}\mathrm{int},\mathrm{allocated}\mathrm{at}\mathrm{address}0x20,\mathrm{value}5.\hfill \\ \hfill & \mathrm{Variable}\mathit{critical}\_\mathit{data}:\mathrm{signed}\mathrm{int},\mathrm{allocated}\mathrm{at}\mathrm{address}0x24,\mathrm{value}2023.\hfill \\ \hfill & \mathrm{Pointer}ptr:\mathrm{signed}\mathrm{int}*,\mathrm{initialized}\mathrm{to}\mathrm{address}\mathrm{of}data.\hfill \\ \hfill & \mathrm{After}\mathrm{increment}:ptr=ptr+1\Rightarrow ptr=0x24.\hfill \\ \hfill & \mathrm{Dereferencing}:y=*ptr\Rightarrow y=\mathit{critical}\_\mathit{data}=2023.\hfill \end{array}$$

(1)

In CHERI C, pointers are replaced with capabilities that include metadata such as base, length, and permissions. The capability for ptr is confined to the memory bounds of data (0x20 to 0x24). Any attempt to dereference ptr outside these bounds (e.g., at 0x24) triggers a hardware trap, preventing unauthorized access to critical_data. This behavior is defined in Equation 2. CHERI enforces the principle of least privilege by ensuring ptr cannot access memory beyond its defined bounds, maintaining memory safety by design.

$$\mathbf{CHERI}\mathbf{C}:\begin{array}{cc}\hfill & \mathrm{Variable}data:\mathrm{signed}\mathrm{int},\mathrm{allocated}\mathrm{at}\mathrm{address}0x20,\mathrm{value}5.\hfill \\ \hfill & \mathrm{Variable}\mathit{critical}\_\mathit{data}:\mathrm{signed}\mathrm{int},\mathrm{allocated}\mathrm{at}\mathrm{address}0x24,\mathrm{value}2023.\hfill \\ \hfill & \mathrm{CHERI}\mathrm{C}\mathrm{Pointer}ptr:\mathrm{signed}\mathrm{int}*\mathrm{with}\mathrm{metadata}\mathrm{as}\mathrm{a}\mathrm{CHERI}\mathrm{capability}:\hfill \\ \hfill & \mathrm{Address}:0x20,\mathrm{Base}:0x20,\mathrm{Length}:0x4,\mathrm{Permissions}:\mathrm{R}/\mathrm{W},\mathrm{Tag}:\mathrm{Valid}.\hfill \\ \hfill & \mathrm{Dereferencing}:y=*ptr\Rightarrow \mathrm{Bounds}\mathrm{check}\mathrm{by}\mathrm{CHERI}:\mathrm{Access}\mathrm{Denied}\mathrm{if}\hfill \\ \hfill & ptr>0x20+0x4.\hfill \end{array}$$

(2)

By integrating CHERI capabilities into the program, the hardware ensures that memory safety violations, such as accessing critical_data through ptr, are impossible. This approach not only protects against common vulnerabilities like buffer overflows and out-of-bounds memory access but also mitigates intentional attacks aimed at exploiting memory corruption.

This demonstrates how CHERI implements memory safety by design on our IDS, transforming insecure C code into a secure execution model without significant performance overhead or extensive code changes. As C remains a dominant and automotive-friendly language due to its low-level hardware access, efficiency, and real-time capabilities, CHERI’s compatibility with C ensures that security can be integrated into existing automotive systems without compromising these critical advantages.

4.3. Memory Protected IDS

The proposed methodology integrates CHERI (Capability Hardware Enhanced RISC Instructions) to fortify automotive Ethernet-based Intrusion Detection Systems (IDS) against advanced attack scenarios, such as IP spoofing and rule manipulation. By leveraging CHERI’s capability-based memory protection, the framework ensures that IDS rules and configurations are isolated from unauthorized access, even in the event of system compromise. This section explains the approach with examples, attack scenarios, and code-level defences.

In IP spoofing attacks, an attacker forges the source IP address in network packets to mimic a legitimate ECU, enabling unauthorized access or manipulation of in-vehicle communication. For example, A spoofed packet may claim to originate from 192.168.1.11 (a trusted ECU) but carry malicious payloads targeting safety-critical systems. This can be defense Using CHERI, IDS rules are stored with strict memory bounds, ensuring only authenticated packets can access or modify ECU configurations. Spoofed packets are detected by comparing their source IP and payload against predefined rules confined to CHERI-protected memory as Listing 1.

Listing 1. Function to Check ECU Rules Using CHERI Capabilities.

CHERI ensures that ecu_memory is bounded and immutable, so spoofed packets cannot tamper with or bypass these rules. If the source IP and attributes do not match any defined ECU rule, the packet is flagged as a potential spoofing attempt.

In rule manipulation attacks, an attacker gains unauthorized access to the IDS configuration, modifying detection thresholds or disabling certain rules entirely. This could allow malicious packets to bypass the IDS undetected. The IDS leverages CHERI to isolate IDS rules within protected memory regions as Listing 2. Only authorized processes can modify these rules, ensuring they remain intact even during a system compromise.

Listing 2. Function to Initialize ECU Memory with CHERI Capabilities.

The cheri_setbounds function ensures that IDS rules are stored in tightly bounded memory regions. This prevents unauthorized processes from accessing or altering these rules. Any attempt to modify the rules outside authorized contexts results in a deterministic hardware trap.

Furthermore, the IDS must monitor and analyze network traffic for potential anomalies in real time, including spoofed packets and unauthorized rule manipulations. During live packet capture, the IDS compares incoming packets against the CHERI-protected rule set. CHERI ensures that only validated rules are accessed during this process, flagging spoofed or tampered packets. Packets are captured and validated against the CHERI-protected rule set, as shown in Listing 3. Any anomaly, such as a spoofed IP or a rule mismatch, triggers a warning, enabling the IDS to respond in real time. The libpcap library is used to capture network traffic in real time. Additionally, the libraries arpa/inet.h, netinet/ip.h, and netinet/udp.h are utilized to parse and analyze specific fields in the captured packets, such as IP and UDP headers.

Listing 3. Function to Process Packets and Validate Against ECU Rules.

4.4. Experimental Setup

The experimental setup includes several simulated components representing elements of an automotive network, such as ECUs, an IDS, a packet sniffer, and an attacker model, as shown in Figure 2. The network layout mimics a typical vehicular communication structure, where the IDS monitors network traffic between ECUs and detects potential anomalies.

• ECU Components (ECU1, ECU2, ECU3, ECU4 and ECU5): These scripts simulate legitimate ECUs within the vehicle’s network, transmitting standard, authorized packets. ECU1 and ECU2 generate and send routine communication packets across the network to emulate regular vehicular functions.
• Intrusion Detection System (IDS): This IDS script monitors the network for any suspicious packets or anomalies. With CHERI capabilities enabled, the IDS memory is compartmentalized, ensuring that only authorized processes can access or modify its rule set. The IDS is configured to detect IP spoofing attempts and to log unauthorized access attempts to the IDS memory or rule configurations.
• Attacker Model (Attacker): The attacker model is designed to send spoofed IP packets, using legitimate IP addresses to disguise malicious activities. The attacker’s objective is to bypass the IDS by impersonating a legitimate ECU. If successful, the attacker aims to modify IDS rules to prevent future detections and alter the rules to allow malicious data to be sent to critical ECUs.
• Packet Sniffer (Sniff): This component captures network traffic for analysis and logs all packets, enabling verification of whether spoofed packets are correctly identified by the IDS.

4.5. Execution of Attack

The Attacker: The attacker injects packets with spoofed IP addresses, mimicking the IP addresses of ECU1 and ECU2 to evade detection. The IDS monitors network traffic, comparing expected and actual packet source data to detect anomalies. CHERI capabilities within the IDS memory ensure that unauthorized packets cannot influence IDS functionality beyond their initial reception. Subsequently, the attacker attempts to access and modify the IDS rule set. By spoofing legitimate ECU IP addresses, the attacker seeks to gain access to IDS rule configurations and alter them to disable detection for future spoofing activities. However, the CHERI-enhanced IDS enforces strict memory protection, preventing unauthorized access or modification of its rules. Any access violation attempt is flagged by CHERI’s memory bounds checks, and the IDS logs the incident while ensuring the attacker’s script is terminated.

4.6. CHERI-Enhanced Memory Protections

CHERI capabilities introduce fine-grained memory protections to the IDS. In this experiment, the CHERI memory model is applied to compartmentalize IDS configurations, ensuring that:

• Access Permissions: Only authorized memory regions can be accessed by the IDS. Unauthorized attempts to modify IDS rules or configurations trigger CHERI alerts.
• Memory Bounds: The memory boundaries around IDS rules are strictly enforced, preventing any modification or access from processes outside of predefined bounds.
• Logging Violations: Each unauthorized memory access attempt is logged, providing detailed records of any access violations. This functionality allows for verification of CHERI’s effectiveness in blocking unauthorized access to IDS configurations.

By structuring the IDS with CHERI-enabled protections, the experiment tests how effectively CHERI prevents spoofed packets from bypassing IDS detection and protects against unauthorized rule manipulation.

5. Results and Analysis

The results section presents the findings from attack simulation, demonstrating the impact of CHERI capabilities on IDS effectiveness in detecting spoofed IP packets and blocking unauthorized access attempts.

The IDS successfully flagged 100% of anomalous packets originating from undefined ECUs, demonstrating a high detection rate for known attacks. In our tests, 150 undefined IPs were used to repeatedly send multiple packets over a 30-minute timeframe, all of which were accurately detected. Furthermore, packets from known IPs were sent with altered features that deviated from the predefined rules assigned to each ECU and IP. In each scenario, the IDS accurately flagged the anomalies. The CHERI capabilities enabled the IDS to maintain rule integrity, preventing unauthorized packets from influencing detection mechanisms. This demonstrates that CHERI-enhanced memory isolation significantly enhances detection robustness, even against attackers using legitimate IPs as a disguise. The latency of the IDS response to anomalous packets was also measured to evaluate the performance impact of CHERI protections. Observed latency increases were minimal, indicating that the CHERI enhancements do not significantly affect IDS performance. This minimal overhead makes CHERI a viable solution for real-time applications in automotive IDS contexts.

5.1. IDS Rule Integrity and Unauthorized Access Blocking

During the IDS rule manipulation attempt, the attacker sought to alter the IDS configuration to disable specific detection rules.

• Memory Access Violation Logs: The CHERI-enabled IDS logged multiple unauthorized access attempts by the attacker as they tried to modify the IDS rules. Each access violation was flagged by CHERI’s capability checks, which block any process outside the authorized scope from modifying memory. This illustrates CHERI’s effectiveness in maintaining the integrity of the IDS rule set, as all modification attempts were successfully prevented.
• Rule Integrity Preservation: The IDS maintained its rule configurations intact throughout the attack scenario, as evidenced by the lack of any successful modifications to the IDS rules. CHERI’s memory protection mechanisms effectively isolated the IDS configuration, preventing the attacker from altering detection logic. This result demonstrates the value of CHERI capabilities in protecting critical security configurations, ensuring consistent IDS performance even under attack.

5.2. Analysis of CHERI’s Impact on IDS Security

The experimental results indicate that CHERI’s fine-grained memory protections significantly enhance IDS security in the following ways:

• Increased Resilience to Spoofing Attacks: CHERI’s hardware-enforced memory compartmentalization makes the IDS resilient to IP-based spoofing attacks. Although the attacker could mimic legitimate IPs, CHERI’s memory protection mechanisms prevented unauthorized influence on the IDS logic.
• Enhanced Rule Protection Against Manipulation Attempts: The compartmentalized memory model prevented the attacker from modifying IDS rules, effectively securing the IDS from rule manipulation attacks. The unauthorized access logs demonstrate that CHERI successfully restricted all access attempts to the IDS configuration, ensuring rule integrity.
• Implications for Real-Time Security Applications: The minimal performance overhead observed in this experiment suggests that CHERI is suitable for real-time security applications in automotive contexts, where high-speed detection and low latency are critical.

The analysis of these results supports the conclusion that CHERI-based memory protection is an effective method for bolstering IDS security against IP spoofing and rule manipulation in automotive networks. By enforcing strict memory access boundaries, CHERI prevents attackers from bypassing IDS detection mechanisms and ensures rule integrity, highlighting its potential for broader automotive cybersecurity applications.

6. Conclusions

The results highlight the effectiveness of CHERI capabilities in securing automotive networks against advanced threats such as IP spoofing and rule manipulation. CHERI’s fine-grained memory protection mechanisms, particularly suited for systems developed in C/C++, enhance resilience while preserving performance, a critical requirement in automotive environments. C/C++ remain the dominant programming languages in the automotive domain due to their efficiency and close-to-hardware capabilities, making CHERI’s compatibility with these languages a significant advantage for adoption in vehicle systems.

Although the results are promising, implementing CHERI in automotive systems requires careful consideration of performance trade-offs, hardware costs, and integration complexity. Future research should focus on optimizing CHERI configurations for resource-constrained environments and extending its applications to other critical automotive components beyond IDS. Testing under diverse cyber-physical attack scenarios and aligning CHERI-based solutions with automotive standards, such as ISO/SAE 21434, would further validate its role in secure automotive design. Additionally, deploying CHERI on lightweight automotive-friendly platforms like the SONATA board could demonstrate its feasibility in real-world automotive systems.

This study underscores that CHERI-based memory protection significantly enhances IDS resilience against IP spoofing and rule manipulation attacks. By leveraging CHERI’s fine-grained memory control, this work showcases a hardware-based security solution that maintains IDS rule integrity under attack. The findings suggest that adopting CHERI could strengthen the cybersecurity of critical vehicle control systems while seamlessly integrating with the C/C++-centric automotive software ecosystem.