TRANSCRIPT
V2.01.00 | 2016-11-22
8th Vector Congress – 30th November 2016
Automotive Security: Challenges and Solutions
Agenda
Introduction
Services
Embedded Security Mechanisms
Tools
Summary
Introduction: Vehicle is becoming a Part of the Internet of Things
(Diagram: the vehicle connected via 4G LTE, OBD and DSRC to Suppliers, Public Clouds, Service Provider, ITS Operator and OEM.)
Introduction: Threats and Challenges
(Diagram: the same connectivity picture of 4G LTE, OBD, DSRC, Suppliers, OEM, Public Clouds, Service Provider and ITS Operator.)
Challenges
Increasing attack surface
Need to protect features and business models
Legacy technologies not designed with security in mind
Meaningful transfer of IT security technologies required
Limited resources for security mechanisms / performance constraints
Lack of automotive specific standards / guidance
Effects on many process areas
…
Introduction: Building Blocks of a Security Solution
(Diagram: Embedded Software, Tools, Services.)
Services: Security does not Start or End with Cryptography
(Diagram: security activities across the development lifecycle.)
Functional Security Testing
Security Validation
Asset Definition
Threat and Risk Assessment
Derivation of Security Goals
Security Architecture Design & Analysis
Security Concept Design & Analysis
Secure Implementation of Nominal Function and Security Mechanisms
Fuzz Testing
Penetration Testing
Incident Management & Response
Services: Typical Customer Needs
Security Studies
> Examining customer defined security concepts
> Proof of concept implementation of security mechanisms
> Performance analysis
Vehicle Security Architecture Implementation
> Development of vehicle security architectures for series
> Implementation based on established standards and customer specific extensions
> Integration support
Embedded Security Mechanisms: Building Blocks of a Security Solution
(Section divider; diagram: Embedded Software, Tools, Services.)
Embedded Security Mechanisms: Layered Security Concept (Logical View)
Layers
> Secure External Communication
> Secure Gateways
> Secure In-Vehicle Communication
> Secure Platform
Associated Security Concepts
> Secure communication to services outside the vehicle, e.g. via TLS
> Firewalls / access control
> Key infrastructure / vehicle PKI
> Synchronized secure time
> Intrusion detection mechanisms
> Authenticity of messages
> Integrity and freshness of messages
> Confidentiality of messages
> Key storage
> Crypto library
> HW trust anchor (e.g. SHE, HSM, TPM, ..)
> Secure boot and secure update
Embedded Security Mechanisms: MICROSAR 4.3 Security Modules and available Extensions
(Diagram: MICROSAR layered architecture on the microcontroller, from MCAL and OS/DIAG/MEM through the CAN/LIN/FR/ETH/V2G/AVB communication stacks, IO, LIBS, Complex Driver and RTE up to the Application. Footnote 1 marks Extensions for AUTOSAR; the rest is Vector Standard Software. Security modules shown: CSM, CRYIF, CRYDRV (HW), CRYDRV (SW), SECOC, FVM, TLS1, XML Sec1, Hardware Trust Anchor.)
Legend
> Hardware Trust Anchor (HTA)
> Crypto Service Manager (CSM)
> Crypto Interface (CRYIF)
> Crypto Driver HW (CRYDRV(HW))
> Crypto Driver SW (CRYDRV(SW))
> Secure Onboard Communication (SecOC)
> Freshness Value Manager (FVM)
> Transport Layer Security (TLS)
> XML Security (XML Sec)
Embedded Security Mechanisms: Cryptographic Functions with and without HW-Support
(Diagram: SWC/Application over the RTE, and BSW/CDD directly, use the Crypto Service Manager (CSM); CSM calls the Crypto Interface (CRYIF), which dispatches to CRYDRV (SW-LIB) or CRYDRV (HW) on top of the Hardware Trust Anchor (HTA). Footnote 1 marks Extensions for AUTOSAR; the rest is Vector Standard Software. The extracted page also carries labels from neighbouring slides: FBL application, HIS Security Module, Runtime Protection, Sec. Bootmanager (HSM), Secure Update Manager, Update Authorization, CAL (CPL), ETHFW1, FWM1, CANFW1, IDSM1, ETHIDS1, CANIDS1, SCANTSYN1, SETHTSYN1.)
Crypto Service Manager – CSM
> SWC use CSM through the RTE
> BSW/CDD use CSM by inclusion
> Asynchronous operation possible
> Callback indicates completion to the application
Crypto Interface – CRYIF
> Provides standard interfaces for specific cryptographic functions
Crypto Driver – CRYDRV
> Implementation of cryptographic functions
> CRYDRV (SW): usage of SW libraries
> CRYDRV (HW): usage of resources and capabilities of HW trust anchors (SHE, HSM, TPM, …)
Embedded Security Mechanisms: Future Security Modules (not defined by AUTOSAR)
(Diagram: the same MICROSAR layered architecture; future modules shown alongside the standard stack: ETHFW1, FWM1, CANFW1, IDSM1, ETHIDS1, CANIDS1, KSM1, POLM1, SLOG1, KeyM1, Hardware Trust Anchor (HTA). Footnote 1 marks Extensions for AUTOSAR.)
Future Security Modules
> Key Manager (KeyM)
> Key Store Manager (KSM)
> Security Audit Log (SLOG)
> Policy Manager (POLM)
> Firewall Manager (FWM)
  > CAN Firewall (CANFW)
  > Ethernet Firewall (ETHFW)
> Intrusion Detection System Manager (IDSM)
  > CAN Intrusion Detection System (CANIDS)
  > Ethernet Intrusion Detection System (ETHIDS)
Embedded Security Mechanisms: MICROSAR Firewall
Generic Firewall Manager (FWM)
> Manages the state of the individual bus firewalls (e.g. ETHFW)
> Manages the security policy, securely stored in the HTA (SHE, HSM, …)
> Role management of the security policy (e.g. factory, customer)
> Distribution of the security policy to the individual bus firewalls
> Update of the security policy via DCM
Ethernet Firewall (ETHFW)
> Stateful packet filtering firewall (inspects IP/TCP/UDP packets)
> Own TCP/IP stack for extracting packet header information; no code shared with the TCP/IP module
> Applied security policy requested from FWM on startup of the ECU
> Local storage of the security policy for fast access (read-only)
> Logging of non-policy-conform packets in the tamper-proof SLOG
CAN Firewall (CANFW)
> Filters out CAN frames whose arrival is not predicted by the DBC
> Logging of e.g. CAN frame periodicity deviations in the tamper-proof SLOG
(Diagram: SWC/Application over the RTE; FWM, ETHFW and CANFW sit between the communication stacks (CANIF, ETHIF, TCPIP, SOAD, PDUR, COM) and the application, with DCM/COMM on the diagnostics side, SLOG for logging, and CRYDRV (HW)/HTA for policy storage.)
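The CAN firewall behaviour described above, as an added example that is not Vector code and not the MICROSAR implementation: the DBC is assumed to have been reduced to a whitelist of CAN IDs with nominal cycle times, a fixed tolerance is assumed, and a hash-chained log stands in for the tamper-proof SLOG. Frames with IDs the DBC does not predict are dropped; periodicity deviations are logged but still forwarded, which is a design choice made here rather than something the slide states.

```python
# Added example (not Vector code): a CAN firewall check modelled on the CANFW
# description above. Assumptions: the DBC has been reduced to a whitelist of CAN
# IDs with nominal cycle times, a fixed tolerance, and a hash-chained log stands
# in for the tamper-proof SLOG. Frames with unknown IDs are dropped; periodicity
# deviations are logged but still forwarded (a design choice made here).
import hashlib

# Constructed DBC excerpt: CAN ID -> nominal cycle time in ms (0 = event-triggered).
EXPECTED_CYCLE_MS = {0x100: 10, 0x2A0: 100, 0x3F0: 0}
TOLERANCE = 0.5  # tolerate +/-50 % deviation from the nominal cycle time
GENESIS = "0" * 64


class ChainedLog:
    """Append-only log; every entry commits to the digest of the previous one,
    so editing or deleting an earlier entry breaks verification (SLOG stand-in)."""

    def __init__(self):
        self.entries = []          # list of (event, digest)
        self.last_digest = GENESIS

    def append(self, event):
        self.last_digest = hashlib.sha256((self.last_digest + event).encode()).hexdigest()
        self.entries.append((event, self.last_digest))
        return self.last_digest

    def verify(self):
        digest = GENESIS
        for event, stored in self.entries:
            digest = hashlib.sha256((digest + event).encode()).hexdigest()
            if digest != stored:
                return False
        return True


class CanFirewall:
    def __init__(self, expected_cycle_ms, log):
        self.expected = expected_cycle_ms
        self.log = log
        self.last_seen = {}        # CAN ID -> timestamp of the last accepted frame

    def filter(self, can_id, t_ms):
        """Return True if the frame is forwarded, False if it is dropped."""
        if can_id not in self.expected:
            self.log.append(f"DROP unknown id=0x{can_id:X} t={t_ms}ms")
            return False
        cycle = self.expected[can_id]
        prev = self.last_seen.get(can_id)
        self.last_seen[can_id] = t_ms
        if cycle and prev is not None:
            delta = t_ms - prev
            if abs(delta - cycle) > TOLERANCE * cycle:
                self.log.append(f"ANOMALY id=0x{can_id:X} delta={delta}ms expected={cycle}ms")
        return True


def run_trace(frames, expected=EXPECTED_CYCLE_MS):
    """Run a list of (can_id, t_ms) frames through the firewall; return the
    forwarded frames and the log for inspection."""
    log = ChainedLog()
    fw = CanFirewall(expected, log)
    forwarded = [f for f in frames if fw.filter(*f)]
    return forwarded, log


if __name__ == "__main__":
    # Constructed trace: 0x100 is expected every 10 ms; one frame arrives 2 ms
    # after the previous one, and 0x555 is not in the DBC at all.
    trace = [(0x100, 0), (0x100, 10), (0x100, 20), (0x100, 22), (0x555, 25), (0x2A0, 30), (0x100, 30)]
    fwd, log = run_trace(trace)
    print(f"forwarded {len(fwd)} of {len(trace)} frames")
    for event, digest in log.entries:
        print(event, digest[:12])
    print("log intact:", log.verify())
```

The chained digests are what make the log tamper-evident: changing or removing any earlier entry changes every later digest, so `verify()` fails. A real SLOG would additionally anchor the chain head in the HTA so that the whole log cannot be regenerated from scratch.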
Building Blocks of a Security Solution
(Section divider; diagram: Embedded Software, Tools, Services.)
Tools: Challenges for Testing
> Increasing integration of security mechanisms in current and new architectures
> New challenges for automotive testing: testing of security, and testing despite security
> Tool solutions are currently in the piloting phase
Tools: Testing of Security
Automotive Security Testing
> Functional testing
  > Test of security related functions for correct behavior
> Vulnerability scanning
  > Test for known security vulnerabilities
> Fuzz testing
  > Try to find new vulnerabilities of an implementation by sending malformed input to the target system
  > Good benefit-to-cost ratio
> Penetration testing
  > Highly individual & creative testing of the whole system (SW+HW) performed by a "smart human tester"
  > Based on many years of "hacking" experience
(Diagram, fuzz testing setup: Signal database [.dbc] → CANoe → Test framework (.NET COMdbLib, IronPython) → boofuzz config [Python] → boofuzz Core [Python] → Bus System → Device under Test; fuzzed messages go out on the bus, monitoring data comes back.)
Tools: Testing despite Security
(Diagram: crypto material flows from the Security Sources (Default, Car2X, OEM Backend, Adapter) into a Security Manager, which supplies the Vector tools (CANoe, vFlash, …) so they can talk over the Interface and Bus System to the Device under Test.)
Testing of nominal functions regardless of security mechanisms
> Confidentiality
  > "But I need to be able to read any message for debugging purposes"
> Authenticity / Freshness
  > "But I need the system to accept data from my log file in order to replicate the problem!"
Complexity drivers
> Different types of cryptographic keys
> Security protocols
> Different security architectures
> Different processes / backends
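Two passages of this deck point at the same mechanism: the layered security concept lists authenticity, integrity and freshness of in-vehicle messages (the SecOC/FVM layer of the MICROSAR slides), and the "testing despite security" slide explains why a test tool must hold the crypto material, because a receiver that checks freshness will reject data replayed from a log file. The following added example, which is not Vector code and not the AUTOSAR SecOC implementation, shows both: a sender/receiver pair using a truncated HMAC and a monotonic freshness counter, and a test-tool step that re-authenticates a logged payload under the current freshness value. The PDU layout (payload || 4-byte counter || 8-byte truncated HMAC-SHA256), the key, the PDU IDs and the way the tool learns the current counter are all assumptions made here.

```python
# Added example (not Vector code): authenticity and freshness of in-vehicle
# messages in the style of the SecOC/FVM layer, plus the "testing despite
# security" case, where a test tool that holds the key re-authenticates a
# logged payload under the current freshness value. Assumptions: secured PDU =
# payload || 4-byte counter || 8-byte truncated HMAC-SHA256; the key and PDU
# IDs are constructed; the test tool reads the current counter from the
# receiver, standing in for the freshness synchronisation a real FVM provides.
import hashlib
import hmac
import struct

TAG_LEN = 8                # truncated MAC, as SecOC usually transmits only part of it
KEY = bytes(range(16))     # constructed demo key; in a vehicle it lives in the HTA


def _mac(key, pdu_id, counter, payload):
    # The MAC covers PDU ID, freshness value and payload, so none can be swapped.
    msg = struct.pack(">HI", pdu_id, counter) + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


class Sender:
    """Secures PDUs with a monotonically increasing freshness counter."""

    def __init__(self, key, counter=0):
        self.key = key
        self.counter = counter

    def secure(self, pdu_id, payload):
        self.counter += 1
        return payload + struct.pack(">I", self.counter) + _mac(self.key, pdu_id, self.counter, payload)


class Receiver:
    """Verifies the MAC first, then rejects any counter not above the last accepted one."""

    def __init__(self, key):
        self.key = key
        self.last = {}         # pdu_id -> last accepted freshness counter

    def verify(self, pdu_id, secured):
        payload = secured[:-(4 + TAG_LEN)]
        counter = struct.unpack(">I", secured[-(4 + TAG_LEN):-TAG_LEN])[0]
        tag = secured[-TAG_LEN:]
        if not hmac.compare_digest(tag, _mac(self.key, pdu_id, counter, payload)):
            return None, "MAC mismatch"
        if counter <= self.last.get(pdu_id, 0):
            return None, "stale freshness value (replay)"
        self.last[pdu_id] = counter
        return payload, "ok"


def reissue_from_log(tool, pdu_id, logged_pdu):
    """Test-tool side: strip the old counter and MAC from a logged PDU and
    secure the payload again under the tool's current freshness value."""
    return tool.secure(pdu_id, logged_pdu[:-(4 + TAG_LEN)])


def demo(pdu_id=0x0123, payload=b"speed=42"):
    sender, receiver = Sender(KEY), Receiver(KEY)
    results = {}
    pdu = sender.secure(pdu_id, payload)
    results["fresh"] = receiver.verify(pdu_id, pdu)          # accepted
    results["replay"] = receiver.verify(pdu_id, pdu)         # same counter again: rejected
    tampered = bytearray(pdu)
    tampered[0] ^= 0x01                                      # flip one payload bit
    results["tampered"] = receiver.verify(pdu_id, bytes(tampered))
    # "Testing despite security": a tool with the key and the current freshness
    # state can make the receiver accept a payload taken from a log file.
    tool = Sender(KEY, counter=receiver.last[pdu_id])
    results["reissued"] = receiver.verify(pdu_id, reissue_from_log(tool, pdu_id, pdu))
    return results


if __name__ == "__main__":
    for name, (payload, status) in demo().items():
        print(f"{name:9s} -> {status}")
```

The order of checks matters: the MAC is verified before the counter is compared, so an unauthenticated frame can never advance the receiver's freshness state. The reissue step is exactly why the deck's Security Manager has to distribute keys to the test tools: without the key, and without a freshness value above the receiver's current one, a logged message is (correctly) rejected as a replay.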
Summary: Key Points
(Diagram: Embedded Software, Tools, Services.)
> Security is required to enable new features and protect business models
> The number of security mechanisms in current and future vehicle architectures grows
> Security has to be considered throughout development & testing, production and after sales
> Standard SW components are a foundation, but customer specific extensions are needed
> Tools can simplify testing of security and testing despite security
© 2015. Vector Informatik GmbH. All rights reserved. Any distribution or copying is subject to prior written approval by Vector.
For more information about Vector and our products please visit www.vector.com
Author: Dr. Eduard Metzker Vector Informatik GmbH