Safety and security related features in AUTOSAR
Dr. Stefan Bunzel – AUTOSAR Spokesperson (Continental)
Co-Authors: S. Fürst, Dr. J. Wagenhuber (BMW), Dr. F. Stappert (Continental)
Automotive - Safety & Security 2010
22 June, 2010, Stuttgart
Safety and security related features in AUTOSAR, 7 July, 2010
Overview
• Background of safety and security in automotive E/E development
• Overview AUTOSAR software architecture
• Safety related features
• Security related features
Safety and Security in Automotive E/E Development
(Figure: E/E system reliability, comprising functional safety, security, …)
• Safety:
“With the trend of increasing complexity, software content and mechatronic implementation, there are increasing risks from systematic failures and random hardware failures.” (ISO DIS 26262 Road vehicles — Functional safety)
• Security:
… means protecting a system and its information and data from unauthorized access, use, disclosure, disruption, modification or destruction
Functional Safety in Automotive E/E Development
IEC 61508: Functional safety of electrical/electronic/programmable electronic safety-related systems, 1998 (generic standard)
ISO DIS 26262: Road vehicles – Functional safety, 2009 (adaptation to E/E systems in road vehicles)
ISO 26262:
• provides an automotive safety lifecycle (management, development, production, operation, service, decommissioning) and supports tailoring the necessary activities during these lifecycle phases;
• provides an automotive specific risk-based approach for determining risk classes (Automotive Safety Integrity Levels, ASILs);
• uses ASILs for specifying the item's necessary safety requirements for achieving an acceptable residual risk; and
• provides requirements for validation and confirmation measures to ensure a sufficient and acceptable level of safety being achieved.
Why Security in Automotive E/E Development?
Political and Social Issues
(Figure: Thatcham, eSecurity Workgroup, eSafety Initiative EU, legal regulations (§§§, EU 5 / EU 6) requiring additional security measures in vehicles (Regulation EC 692/2008), and product liability)
Political and administrative workgroups realize the dependency between safety (“Betriebssicherheit”) and security (“IT Sicherheit”), resulting in new legal requirements regarding security in the automotive domain.
Overview
• Background of safety and security in automotive E/E development
• Overview AUTOSAR software architecture
• Safety related features
• Security related features
AUTOSAR Vision
AUTOSAR aims to improve complexity management of integrated E/E architectures through increased reuse and exchangeability of SW modules between OEMs and suppliers.
(Figure: OEMs a to f, each with platforms 1 to n, and Supplier A (Chassis, Safety, Body/Comfort), Supplier B (Chassis, Safety, Telematics) and Supplier C (Body/Comfort, Powertrain, Telematics); arrows mark exchangeability between suppliers’ solutions, between vehicle platforms and between manufacturers’ applications)
AUTOSAR Vision
• Hardware and software will be widely independent of each other.
• Development can be de-coupled by horizontal layers. This reduces development time and costs.
• The reuse of software increases at OEM as well as at suppliers. This enhances quality and efficiency.
(Figure: yesterday, HW-specific application software sat directly on the hardware; with AUTOSAR, standardized software serves customer needs (Adaptive Cruise Control, Lane Departure Warning, Advanced Front Lighting System, …) using standards (Communication Stack, OSEK, Diagnostics, CAN, FlexRay) above the hardware)
AUTOSAR aims to standardize the software architecture of ECUs.
AUTOSAR paves the way for innovative electronic systems that further improve performance, safety and environmental friendliness.
AUTOSAR – Core Partners and Members
Status: May 6, 2010
(Figure: 9 Core Partners, 39 Premium Members, 11 Development Members, 57 Associate Members and 5 Attendees, arranged by category: General OEM, Standard Software, Semiconductors, Tools and Services, Generic Tier 1)
Up-to-date status see: http://www.autosar.org
9 Project Objectives and 3 Main Working Topics
Main working topics: Application Interfaces, Methodology, Architecture
PO1: Implementation and standardization of basic system functions as an OEM wide “Standard Core“ solution
PO2: Scalability to different vehicle and platform variants
PO3: Transferability of functions throughout network
PO4: Integration of functional modules from multiple suppliers
PO5: Maintainability throughout the whole “Product Life Cycle“
PO6: Increased use of “Commercial off the shelf hardware“
PO7: Software updates and upgrades over vehicle lifetime
PO8: Consideration of availability and safety requirements
PO9: Redundancy activation
AUTOSAR Specifications vs. Products
(Figure: Core Partners, Premium and Development Members develop the AUTOSAR Standard Specifications (Architecture, Methodology, Application Interfaces), published as AUTOSAR Releases R4.0, R3.1, R3.0, …; Core Partners, Premium, Development and Associate Members apply them to AUTOSAR compliant products (SW modules, tools, …), from which ECUs, cars, … are built)
Members Partnership: Cooperate on standards, compete on implementations.
AUTOSAR Software Architecture – Overview of Software Layers – Top View
• The AUTOSAR Architecture distinguishes on the highest abstraction level between three software layers running on a microcontroller.
  • The Application Layer
  • The Run Time Environment (RTE)
  • Basic Software (BSW)
(Figure: Application Layer, RTE and Basic Software (BSW) stacked on the Microcontroller)
AUTOSAR Basic Software – Coarse View and Detailed View
• The AUTOSAR Basic Software consists of the layers: Services, ECU Abstraction, Microcontroller Abstraction and Complex Drivers.
• The BSW layers are further divided into functional groups.
• Examples of Services are
  • System
  • Memory
  • Communication Services
(Figure: coarse view: Application Layer, RTE, Services Layer, ECU Abstraction Layer, Microcontroller Abstraction Layer and Complex Drivers on the Microcontroller. Detailed view: System Services, Memory Services, Communication Services; Onboard Device Abstraction, Memory Hardware Abstraction, Communication Hardware Abstraction, I/O Hardware Abstraction; Microcontroller Drivers, Memory Drivers, Communication Drivers, I/O Drivers; Complex Drivers alongside)
ECU Software Architecture
(Figure: the AUTOSAR layered software architecture (Application Layer, AUTOSAR Runtime Environment (RTE), Services Layer, ECU Abstraction Layer, Microcontroller Abstraction Layer, Complex Drivers, Hardware) and its breakdown to / implementation on an ECU: application, actuator and sensor software components with AUTOSAR interfaces on the AUTOSAR Runtime Environment; below it the basic software with standardized interfaces: Operating System, Services, Communication, ECU Abstraction, Microcontroller Abstraction, Complex Device Drivers; ECU hardware at the bottom)
AUTOSAR Development Methodology – Principle
• AUTOSAR description templates:
  • SWC description: application software
  • ECU description: ECU characteristics and configuration
  • System description: network and assignment of SWCs to ECUs
• Descriptions for SWCs, ECUs and the system allow a tool-based deployment of SWCs to ECUs
(Figure: AUTOSAR SWCs 1, 2, 3, … n, each with an SWC Description, connected over the Virtual Functional Bus; ECU Descriptions for ECU I, ECU II, … ECU m and a System Description (CAN, FlexRay, Gateway); after deployment each ECU runs its assigned SWCs on RTE and Basic Software)
Overview
• Background of safety and security in automotive E/E development
• Overview AUTOSAR software architecture
• Safety related features
• Security related features
AUTOSAR methodology according to ISO26262
(Figure: ISO 26262 work products: Functional Safety Concept (3-8) and Specification of Technical Safety Requirements (4-6) on SYSTEM level; Specification of SW Safety Requirements (6-6) and Software architectural design (6-7) on SW level)
AUTOSAR methodology according to ISO26262
(Figure: the same ISO 26262 work products (Functional Safety Concept 3-8, Specification of Technical Safety Requirements 4-6, Specification of SW Safety Requirements 6-6, Software architectural design 6-7) with requirements (REQ) flowing into the AUTOSAR specifications: Software Requirements (SRS), Software Specifications (SWS) and BSW configuration; the SW implementation consists of BSWs, SW-Cs and safety related CDDs)
AUTOSAR supports safety by offering standard safety mechanisms: Core Tests, Flash tests, …, E2E protection, Memory partitioning, …
Some safety requirements in ISO26262 part 6 are related to SW implementation.
AUTOSAR Safety Features
• Memory partitioning: separate software applications from each other in order to avoid any data corruption between applications
• Defensive behavior: prevent data corruption and wrong service calls in the AUTOSAR basic software on microcontrollers having no hardware support for memory partitioning.
• End-to-end communication protection: protect applications against the effects of faults within the communication link
• Program flow monitoring: control the temporal and logical behavior of applications
• Time determinism and timing constraints modeling: model and implement proper and deterministic timing behavior
  • synchronized time bases (i.e. a ”global time”) across ECU networks,
  • synchronized execution and deterministic timing of application software components
  • controlling the timing behavior and detection of timing violations at runtime
  • timing constraints like end-to-end (e.g. sensor-to-actuator or communication) delays, minimum/maximum execution times of runnable entities, or constraints on the triggering rate of events.
• Hardware testing and checking: AUTOSAR basic software modules to test hardware (e.g. RAM-Test, Core-Test) and to check the integrity of stored data (e.g. EEPROM Manager)
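The end-to-end communication protection listed above, as an added example in Python; it is not AUTOSAR's E2E library or code from the talk, but a simplified scheme in its spirit. Assumed here: a CRC-8 (SAE J1850, polynomial 0x1D), a 4-bit alive counter and an 8-bit data ID in a frame layout of my own; the traffic in demo() is constructed.

```python
from typing import List, Optional

def crc8_sae_j1850(data: bytes) -> int:
    """CRC-8, polynomial 0x1D, init 0xFF, final XOR 0xFF (assumed choice for this example)."""
    crc = 0xFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1D) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc ^ 0xFF

def e2e_protect(data_id: int, counter: int, payload: bytes) -> bytes:
    """Sender side: frame = [CRC][counter][payload]. The CRC also covers the data ID,
    which is never transmitted, so a frame belonging to another signal fails the check."""
    body = bytes([counter & 0x0F]) + payload
    return bytes([crc8_sae_j1850(bytes([data_id & 0xFF]) + body)]) + body

class E2EReceiver:
    """Receiver side: remembers the last counter and classifies every incoming frame."""
    def __init__(self, data_id: int, max_delta: int = 2) -> None:
        self.data_id = data_id & 0xFF
        self.max_delta = max_delta              # tolerated counter gap before WRONG_SEQUENCE
        self.last_counter: Optional[int] = None

    def check(self, frame: bytes) -> str:
        if len(frame) < 2 or frame[0] != crc8_sae_j1850(bytes([self.data_id]) + frame[1:]):
            return "ERROR"                      # corrupted, truncated or foreign data ID
        counter = frame[1] & 0x0F
        if self.last_counter is None:
            self.last_counter = counter
            return "INITIAL"
        delta = (counter - self.last_counter) % 16
        self.last_counter = counter
        if delta == 0:
            return "REPEATED"                   # stuck sender or replayed frame
        if delta == 1:
            return "OK"
        return "OK_SOME_LOST" if delta <= self.max_delta else "WRONG_SEQUENCE"

def demo() -> List[str]:
    """Constructed traffic for data ID 0x2A over a link that repeats, drops and corrupts."""
    rx = E2EReceiver(data_id=0x2A)
    frames = [e2e_protect(0x2A, c, bytes([0x10 + c, 0x00])) for c in range(6)]
    flipped = bytearray(frames[4])
    flipped[2] ^= 0x08                                   # single bit flip in the payload
    foreign = e2e_protect(0x2B, 4, bytes([0x14, 0x00]))  # same counter, other data ID
    return [rx.check(frames[0]),        # INITIAL
            rx.check(frames[1]),        # OK
            rx.check(frames[1]),        # REPEATED
            rx.check(frames[3]),        # OK_SOME_LOST: frame 2 was dropped
            rx.check(bytes(flipped)),   # ERROR: CRC mismatch
            rx.check(foreign),          # ERROR: data ID is part of the CRC
            rx.check(frames[4])]        # OK: counter 3 -> 4, bad frames did not advance it
```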
AUTOSAR Release 4.0 – Partitioning
• Partitions are used as fault containment regions
• Partitions can be terminated or restarted during run-time as a result of a detected error
• Partitions are configured in the ECU-C
(Figure: the layered ECU architecture shown earlier on top of the AUTOSAR Runtime Environment (RTE) with built-in protection layer; application, sensor and actuator software components are grouped into Partition 0 (No ASIL), Partition 1 (ASIL A), Partition 4 (ASIL D) and Partition 5 (ASIL D))
AUTOSAR Release 4.0 – Example for Partitioning
1. A violation (error) has occurred in the system (e.g., memory or timing violation)
2. The partition is terminated by the OS, cleanup possible – communication is stopped
3. The partition is restarting, initial environment for partition set up
4. The partition is restarted and up and running
(Figure: the same partitioned ECU architecture (Partition 0 (No ASIL), Partition 1 (ASIL A), Partition 4 (ASIL D), Partition 5 (ASIL D) on the RTE with built-in protection layer); the communication of the terminated partition is marked “Stop”)
AUTOSAR Release 4.0 – Safety End to End (E2E) Communication Protection
(Figure: a sender in OS-Application 1 on Microcontroller 1 / ECU 1 communicates locally through the IOC to OS-Application 2 and remotely through the AUTOSAR Runtime Environment (RTE), Communication Services, Communication Hardware Abstraction and Communication Drivers to Receiver 1 on Microcontroller 2 / ECU 2; Libraries and CDD sit beside the basic software. Typical SW-related and HW-related sources of interference causing errors are marked along this path; all of them are detected by E2E protection.)
AUTOSAR Release 4.0 – Safety End to End (E2E) Communication Protection
(Figure: the same communication path, now with an E2E protection wrapper on the sender and on the receiver side, placed between the application and the RTE; the wrapper consists of an RTE wrapper and the E2E Lib from the Libraries, connected by direct function calls.)
Overview
• Background of safety and security in automotive E/E development
• Overview AUTOSAR software architecture
• Safety related features
• Security related features
Security Use Case Examples
• Secure Programming of ECUs
  • Programming only by authorized entities
  • Programming only with original OEM approved software
  • Application (in bootloader) uses standard cryptographic routines and services, e.g. hash, signature verification, and public key encryption (= asymmetric encryption)
• Electronic Immobilizer
  • Protect the vehicle from any unauthorized driving
  • Technical details are totally OEM dependent
  • But: Immobilizer application always uses a specific set of cryptographic routines and services
• Electronic enabling of functions
  • Only a specific subset shall be enabled for regular usage of the car
  • Uses special data structures with cryptographic signature
• Secure diagnosis
  • Only dedicated entities are allowed to use certain diagnostic services
Security and Cryptographic Architecture – Security Use Cases and corresponding security applications
(Figure: the security applications myApp (My Use Case), Function Enabling SWC, Secure Flashing and Authentication & Signature, each built directly on its own set of basic cryptographic routines: xxx-MAC, MD5, RSA, SHA-1, HMAC, AES, DES, DH)
• Each main security use case corresponds to a security application
• Each security application uses a different set of cryptographic services
• Commonality of cryptographic routines may lead to slightly different crypto implementations or to duplicated code
Security and Cryptographic Architecture – Security Use Cases and corresponding security applications
(Figure: Function Enabling SWC, Secure Flashing and Authentication & Signature now sit on a Crypto Module that dispatches to MD5, SHA-1, SHA-256, …, RSA, AES, DES, DH, ECC)
• Separation of security application and cryptographic routines
• Crypto Module manages requests for cryptographic services from applications and dispatches to a pool of cryptographic basic routines
  • Standard generic interface from above for applications
  • Standard generic interface from below for basic routines (cryptographic services as plugins)
  • Management of internal states
  • Transparent access to crypto hardware devices
Security and Cryptographic Architecture – Security Use Cases and corresponding security applications
• Crypto Module exposes an interface for cryptographic routines, allowing arbitrary implementations to plug in to the crypto module for use by security applications
  • Cryptographic routines may be offered by different vendors, each specified for certain technologies (RSA, ECC, …)
  • Security application is not aware of the special realization of a crypto routine
  • Crypto routine may be realized even in hardware without notice of the application
• Crypto Module exposes an interface for security applications, allowing generic access to standardized cryptographic routines
(Figure: the same structure with the Generic Crypto Access Interface between the security applications (Function Enabling SWC, Secure Flashing, Authentication & Signature) and the Crypto Module, and the Generic Crypto Plug-In Interface between the Crypto Module and the routines MD5, SHA-1, SHA-256, …, RSA, AES, DES, DH, ECC)
Security in AUTOSAR – Embedding of Crypto Module
• Crypto service manager (CSM) in system services of service layer
• configurable and common access to cryptographic methods
• Optional (*): Support for cryptographic hardware
(Figure: Appl. 1 and Appl. 2 in the Application Layer reach the CSM in the System Services of the Services Layer through the AUTOSAR Runtime Environment (RTE); the CSM dispatches to Basic Crypto Routines (SW) or, optionally (*), through a crypto HW driver and the SPI driver in the ECU Abstraction and Microcontroller Abstraction Layers to the Crypto HW (*))
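The Crypto Module / CSM described on the last three slides, as an added example in Python (not AUTOSAR's CSM and not the authors' code): a small dispatcher with a generic access interface above, a plug-in interface below, and job state managed inside the module rather than by the applications. The interface names, the vendor labels and the hashlib-based stand-in for a hardware accelerator are assumptions of this example.

```python
import hashlib
from typing import Callable, Dict, Optional

class Plugin:
    """Plug-in interface ('from below'): a factory returning an object with update()/digest()."""
    def __init__(self, service: str, vendor: str, factory: Callable[[Optional[bytes]], object]) -> None:
        self.service, self.vendor, self.factory = service, vendor, factory

class CryptoModule:
    """Dispatcher: generic access interface (start/update/finish) above, plug-in pool below."""
    def __init__(self) -> None:
        self._plugins: Dict[str, Plugin] = {}
        self._jobs: Dict[int, object] = {}      # per-job internal state lives here, not in callers
        self._next_job = 1

    def register(self, plugin: Plugin) -> None:
        # ECU configuration picks the vendor per service; re-registering swaps the routine.
        self._plugins[plugin.service] = plugin

    def start(self, service: str, key: Optional[bytes] = None) -> int:
        if service not in self._plugins:
            raise KeyError("no plug-in registered for " + service)
        job, self._next_job = self._next_job, self._next_job + 1
        self._jobs[job] = self._plugins[service].factory(key)
        return job

    def update(self, job: int, data: bytes) -> None:
        self._jobs[job].update(data)            # KeyError for unknown or finished jobs

    def finish(self, job: int) -> bytes:
        return self._jobs.pop(job).digest()     # releases the job's state

# Two routines for one service: a software implementation and a stand-in for a
# hardware accelerator (simulated with hashlib; a real one would call a driver).
SW_SHA256 = Plugin("SHA-256", "sw-vendor", lambda key: hashlib.sha256())
HW_SHA256 = Plugin("SHA-256", "hw-accel", lambda key: hashlib.sha256())

def image_digest(csm: CryptoModule, image: bytes, chunk: int = 4) -> bytes:
    """Secure-flashing style application: hashes an image chunk by chunk via the CSM."""
    job = csm.start("SHA-256")
    for offset in range(0, len(image), chunk):
        csm.update(job, image[offset:offset + chunk])
    return csm.finish(job)

def demo() -> dict:
    image = b"constructed firmware image"       # constructed sample input
    csm = CryptoModule()
    csm.register(SW_SHA256)
    sw_digest = image_digest(csm, image)
    csm.register(HW_SHA256)                     # swap realization; application unchanged
    hw_digest = image_digest(csm, image)
    job = csm.start("SHA-256")
    csm.update(job, image)
    csm.finish(job)
    try:
        csm.update(job, b"late data")           # state was released by finish()
        stale_rejected = False
    except KeyError:
        stale_rejected = True
    return {"same_digest": sw_digest == hw_digest, "stale_rejected": stale_rejected}
```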
Summary
• AUTOSAR has become a global standard for embedded automotive software, providing specifications for
  • Software architecture
  • Development methodology
  • Standardized application interfaces
• Already former releases (R2.1, R3.0, R3.1) can be used for safety related systems. With the R4.0 and further releases safety related systems are more and more supported.
• Security in AUTOSAR enables the use of state-of-the-art cryptography in the automotive domain with standardized interfaces
• AUTOSAR is a key enabler for managing the growing E/E complexity
• First series cars with AUTOSAR technology are on the road
Thank you for your attention!
Become a member and get exploitation rights for the AUTOSAR standard.
Published Releases: For information only, see disclaimer.
http://www.autosar.org