Securing the Plug: A Comprehensive Fuzzing Framework for the ISO 15118 Charging Protocol Stack
PAVAN, EDOARDO
2025/2026
Abstract
The ISO 15118-2 standard governs high-level communication between electric vehicles and charging stations over the Vehicle-to-Grid protocol. Application-layer payloads are serialised using the W3C Efficient XML Interchange format in schema-informed mode, a binary encoding so strict that a single deviation in element ordering, namespace binding, or type constraint causes the parser to reject the message and close the connection. This rigidity has historically shielded EVSE business logic from scrutiny, since both mutational and LLM-guided fuzzers produce payloads that fail at the EXI parser before reaching application code. As a result, no prior tool has systematically tested whether EVSE implementations correctly enforce the domain-specific invariants embedded in the charging parameter fields. This thesis presents a semantic, constraint-based fuzzer targeting the EVerest open-source EVSE framework in a Software-in-the-Loop environment. In an offline phase, a large language model processes the ISO 15118-2 XSD and produces both a verified Python grammar dictionary and a catalogue of semantic attack definitions expressed as first-order constraints over the grammar. In the online phase, the ISLa constraint framework and the Z3 SMT solver consume this grammar and the associated attack definitions to generate field assignments that are provably valid according to the XSD yet violate physical and domain-specific invariants. A SLAC bypass mechanism based on a decoy EV instance allows the fuzzer to reach the EVSE's application layer without physical PLC hardware, injecting 109 semantic constraint payloads and 10 state-machine sequence violations across eleven message types. Every payload bypasses the OpenV2G parser's syntactic defences and is forwarded to the EVSE's charging logic.
The results expose three vulnerability classes with direct security impact: a semantic validation gap in the active charging loop that would allow a rogue EV to request arbitrary voltage and current levels, a silent protocol downgrade from certificate-based authentication to external identification that enables charging fraud, and a parser-level denial of service that can force-terminate any ongoing session. These findings demonstrate that syntactic compliance alone fails to ensure the safe operation of EV charging infrastructure.

| File | Size | Format |
|---|---|---|
| Master_Thesis_Pavan_Edoardo_PDFA-2b.pdf (restricted access) | 1.24 MB | Adobe PDF |
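The abstract's central point, that a field assignment can satisfy every facet of the ISO 15118-2 XSD and still violate a physical invariant of the charging loop, as an added example in Python (not code from the thesis, from EVerest or from OpenV2G). It models PhysicalValueType with the facets the published schema gives it (Multiplier restricted to [-3, 3], Value an xs:short, Unit drawn from unitSymbolType) and then applies the EVSE-side limit check that the abstract describes as missing from the active charging loop. The EVSE limits, the sample requests, the verdict names and the function names are constructed for this example; the field names EVTargetVoltage, EVTargetCurrent, EVSEMaximumVoltageLimit and EVSEMaximumCurrentLimit are the standard's own.

```python
"""
Added example, not code from the thesis or from EVerest: a two-layer validator
for the EVTargetVoltage / EVTargetCurrent fields of an ISO 15118-2
CurrentDemandReq, separating what a schema-informed decoder can reject from
what only the charging logic can reject.

Layer 1 reproduces the XSD facets of PhysicalValueType: Multiplier is an
xs:byte restricted to [-3, 3], Value is an xs:short, Unit is one of the
unitSymbolType enumeration values.
Layer 2 compares the decoded physical quantity with the limits the EVSE
advertised (EVSEMaximumVoltageLimit / EVSEMaximumCurrentLimit); the limit
values and sample requests below are constructed for this example.
"""
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    SCHEMA_REJECT = "rejected by schema-informed decoder"
    SEMANTIC_REJECT = "schema-valid but violates an EVSE limit"
    ACCEPT = "accepted"


UNIT_SYMBOLS = {"h", "m", "s", "A", "V", "W", "Wh"}  # unitSymbolType enumeration


@dataclass(frozen=True)
class PhysicalValue:
    multiplier: int  # unitMultiplierType, xs:byte restricted to -3..3
    unit: str        # unitSymbolType
    value: int       # xs:short

    def decoded(self) -> float:
        # PhysicalValueType semantics: value * 10^multiplier
        return self.value * (10 ** self.multiplier)


def schema_valid(pv: PhysicalValue) -> bool:
    """Layer 1: only the facets the XSD expresses; no physics here."""
    return (-3 <= pv.multiplier <= 3
            and -32768 <= pv.value <= 32767
            and pv.unit in UNIT_SYMBOLS)


@dataclass(frozen=True)
class EvseLimits:
    max_voltage_v: float  # from EVSEMaximumVoltageLimit
    max_current_a: float  # from EVSEMaximumCurrentLimit


def within_limit(pv: PhysicalValue, expected_unit: str, limit: float) -> bool:
    """Layer 2: decode and compare with what the EVSE can physically deliver."""
    if pv.unit != expected_unit:   # "A" for a voltage is schema-valid but meaningless
        return False
    return 0 <= pv.decoded() <= limit


def validate_current_demand(target_voltage: PhysicalValue,
                            target_current: PhysicalValue,
                            limits: EvseLimits) -> Verdict:
    # A real schema-informed EXI decoder stops here and closes the session.
    if not (schema_valid(target_voltage) and schema_valid(target_current)):
        return Verdict.SCHEMA_REJECT
    # The check the abstract describes as missing from the active charging loop.
    if not within_limit(target_voltage, "V", limits.max_voltage_v):
        return Verdict.SEMANTIC_REJECT
    if not within_limit(target_current, "A", limits.max_current_a):
        return Verdict.SEMANTIC_REJECT
    return Verdict.ACCEPT


def run_samples() -> dict:
    """Constructed requests against constructed limits (500 V, 200 A)."""
    limits = EvseLimits(max_voltage_v=500.0, max_current_a=200.0)
    nominal_current = PhysicalValue(0, "A", 50)
    samples = {
        "nominal": (PhysicalValue(0, "V", 400), nominal_current),
        # Value 500 with Multiplier 3 is inside every XSD facet but decodes to 500 kV.
        "kilovolt_multiplier": (PhysicalValue(3, "V", 500), nominal_current),
        "wrong_unit": (PhysicalValue(0, "A", 400), nominal_current),
        "negative_current": (PhysicalValue(0, "V", 400), PhysicalValue(0, "A", -50)),
        # Multiplier 5 violates the xs:byte restriction and never reaches layer 2.
        "multiplier_out_of_facet": (PhysicalValue(5, "V", 400), nominal_current),
    }
    return {name: validate_current_demand(v, i, limits)
            for name, (v, i) in samples.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:24s} -> {verdict.value}")
```

Running it prints one verdict per sample; the kilovolt case is the one a schema-informed decoder lets through, which is why the limit comparison has to live in the charging logic rather than be delegated to the EXI parser.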
The text of this website is © Università degli studi di Padova. Full texts are published under a non-exclusive licence. Metadata are under a CC0 licence.
https://hdl.handle.net/20.500.12608/108165