Visual_gallia_framework_Tatschner_Specht_Fraunhofer_AISEC

gallia – An Extendable Pentesting Framework

gallia is an extendable pentesting framework with the focus on the automotive domain, developed by Fraunhofer AISEC under the Apache 2.0 license. The scope of the toolchain is conducting penetration tests from a single ECU up to whole cars. Currently, the main focus lies on the UDS interface but is not limited to it. Acting as a generic interface, the logging functionality implements reproducible tests and enables post-processing tasks. The following blog post introduces gallia's architecture, its plugin interface, and its intended use case. The post covers the interaction between its components and shows how gallia can be extended for other use cases.

The work on gallia was partly funded by the German Federal Ministry of Education and Research (BMBF) as part of the SecForCARs project (grant no. 16KIS0790). A short presentation and demo video are available on YouTube.

Disclaimer: Keep in mind that this project is intended for research and development usage only! Inappropriate usage might cause irreversible damage to the device under test. We do not take any responsibility for damage caused by the usage of this tool.

Metadata

tl;dr:

Architecture

The following paragraphs gives a short overview over gallia and its architecture. At a glance, gallia is structured into several modules ensuring reproducible scans. gallia‘s modules provide interfaces where gallia can be extended by third party modules, called plugins. The basic idea of gallia is the concept of a so called ‘test run’.

Test runs

Since gallia is a general tool for software testing (with the focus on penetration testing), its architecture ensures reproducibility. Software tests can usually be divided into small self-contained test runs where each test run fulfills a particular purpose.
The basic idea of a test run is a corresponding artifacts dir where all relevant information is stored. The following information is always included in an artificats dir for a particular test run:
  • command line invocation,
  • process environment,
  • start of test,
  • end of test,
  • exit code, and
  • JSON formatted log file.
Optionally, a pcap file containing all relevant network traffic during the test can be created as well. The meta data is stored in a document using the JSON data format. An example testrun includes the following metadata.
In other words, the previous listing describes a successfully finished scan run. The command line invocation was gallia scan uds services –sessions 0x01 0x02 0x03. The start_time and end_time attributes are self-explanatory.

Software Architecture

Around the basic idea of performing self contained test runs, gallia is based on  a core component. The core component provides modules and interfaces for creating own tools that make use of gallia‘s features.
This core library can be extended with plugins. A gallia plugin consists of Python code loaded during startup. The plugin may be called by different gallia modules. Possible plugins are custom transport protocols, e.g. a special serial line, or support for switching UDS sessions for different OEMs. All possible entry points for plugins are documented on Github. The mentioned core component can be used with two approaches: the first approach is using the builtin CLI system for writing own scanners. By using the builtin CLI system own scanners are exposed as a gallia subcommand using the system shell. The second approach is using a standalone Python program by using gallia as a library. The differences are subtle and only relevant for the user interface. From a functional point of view there is no difference between both approaches. Digging more into the core component yields the following architecture for a certain UDS scanner module:

The core component is divided into multiple, logically separated blocks:

  • core: The software core provides basic functionality. Used by the scanner.
  • transports: Implementations of relevant network protocols, in this example UDS, DoIP, et cetera. The transports module can be extended via plugins.
  • automation: Modules that implement triggering power supplies enabling power cycles during a scan.

Use Case

At Fraunhofer AISEC gallia is used for conducting automotive penetration tests utilizing the UDS interface. As explained in the previous sections, gallia‘s architecture is not limited to automotive penetration tests, but can be used for every test where the presented test run concept makes a good match. Mentioning the UDS implementation, gallia e. g. supports endpoint enumeration of automotive ECUs. Automotive ECUs usually provide several so called UDS services which are available in different modes of operation, called UDS sessions. Each service provides specific endpoints.
gallia can be used to discover and enumerate the UDS service structure of multiple automotive ECUs. The available UDS scan techniques are explained on the documentation page.

Command Line Interface

The main user interface is the CLI. Every scanner is exposed as a command to the gallia command enabling scripting. Each command offers a help page which can be accessed via –help providing further information. The following video shows a UDS service scan.

Future Work

There are several areas of improvement for gallia. The idea of the framework is adoptable for different scenarios and the architecture of gallia is scalable. We are always open to ideas and contributions from the community. For future development, we want to work on the following topics:
  • Additional transports: Currently, there are only a few generic and UDS specific transports implemented. A few ideas for additional transports are: subprocess, ssh, http, …
  • Additional scanners: Currently there are only UDS specific scanners available. gallia could benefit from more general scanners that e. g. perform more different discovery scans. Examples are DLT or XCP which are used in automotive networks as well.
  • Split gallia into a core library and a collection of scanners: This would reduce dependencies for projects willing to use the test run concept.
Authors
Grau_Logo_Blog_Author
Stefan Tatschner

Stefan Tatschner joined the Fraunhofer AISEC in 2015. His research focus is penetration and software testing in the automotive domain. Together with his college Tobias Specht, he maintains the gallia project.

Contact: Stefan.Tatschner@aisec.fraunhofer.de 

Grau_Logo_Blog_Author
Tobias Specht

Tobias Specht is an IT security researcher in the field of penetration testing and static code analysis with a focus on the embedded and automotive domain. He has been working at Fraunhofer AISEC since 2018 and has contributed to industry and research projects such as the gallia framework. Together with his colleague Stefan Tatschner, he is maintainer of the gallia project.

Contact: Tobias.Specht@aisec.fraunhofer.de

Most Popular

Never want to miss a post?

Please submit your e-mail address to be notified about new blog posts.
 
Bitte füllen Sie das Pflichtfeld aus.
Bitte füllen Sie das Pflichtfeld aus.
Bitte füllen Sie das Pflichtfeld aus.

* Mandatory

* Mandatory

By filling out the form you accept our privacy policy.
Twitter Linkedin Youtube Xing

Leave a Reply

Your email address will not be published. Required fields are marked *

Other Articles

Multi-Party Computation in the Head – an Introduction

Thomas Bellebaum 30. April 2025

In 2016, the National Institute of Standards and Technology (NIST) announced a standardization process for quantum-secure cryptographic primitives. The goal was to find secure key encapsulation mechanisms (KEM) and signature schemes. One unique approach was the PICNIC signature scheme, a scheme utilizing the MPC-in-the-Head (MPCitH) paradigm. This made PICNIC an interesting approach, since its security relies on well researched block ciphers and hash functions. PICNIC was announced as an alternative candidate by NIST. A lot of follow-up schemes based on PICNIC, like BBQ, Banquet, and FEAST, were proposed using different block ciphers and variations on the original construction paradigm. In 2022, NIST announced a second call specifically for signature schemes. MPC-in-the-Head-based signature schemes became their own category, with multiple submissions in this call. This articel explains the core idea and functionality of early MPCitH based signature schemes and how we at Fraunhofer AISEC make use of the concepts.

Read More »

How to build suitable datasets for successful detection of audio deepfakes

Nicolas Müller 31. March 2025

Deepfakes are a significant threat to democracy as well as private individuals and companies. They make it possible to spread disinformation, to steal intellectual property and to commit fraud, to name but a few. While robust AI detection systems offer a possible solution, their effectiveness depends largely on the quality of the underlying data, simply put: »Garbage in, garbage out.« But how do you create a dataset that is well suited to identifying the ever-evolving deepfakes and enables robust detection? And what constitutes high-quality training data?

Read More »

Parsing X.509 Certificates: How Secure Are TLS Libraries?

Stefan Tatschner 26. February 2025

Digital certificates like X.509 are essential for secure internet communication by enabling authentication and data integrity. However, differences in how they are parsed by various TLS libraries can introduce security risks. A recent study by Fraunhofer AISEC analyzed six widely used X.509 parsers with real-world certificates. The findings reveal inconsistencies that could impact security-critical applications. In this article, we summarize the key results and explain why companies need to scrutinize their cryptographic libraries.

Read More »

Fortifying Cryptography with Impeccable Circuits: Impeccable Keccak Explained

Ivan Gavrilan 13. January 2025

Cybersecurity threats are evolving, and cryptographic implementations face growing risks from fault injection attacks. Fraunhofer AISEC’s research introduces Impeccable Keccak, a new approach to secure SPHINCS+, a post-quantum cryptography digital signature scheme that has been standardized by NIST in 2024. By leveraging impeccable circuits and ensuring active security, this represents a new approach to fault-resilient cryptography.

Read More »