Automotive Security: Challenges and Solutions – 8th Vector Congress, 30th November 2016 (V2.01.00 | 2016-11-22)


Page 1: Title

V2.01.00 | 2016-11-22

8th Vector Congress – 30th November 2016

Automotive Security: Challenges and Solutions

Page 2: Agenda

> Introduction
> Services
> Embedded Security Mechanisms
> Tools
> Summary

Page 3: Introduction – Vehicle is becoming a Part of the Internet of Things

Figure: connected vehicle (4G LTE, OBD, DSRC) and the parties around it: Suppliers, Public Clouds, Service Provider, ITS Operator, OEM.

Page 4: Introduction – Threats and Challenges

Figure: connected vehicle (4G LTE, OBD, DSRC) and the parties around it (Suppliers, OEM, Public Clouds, Service Provider, ITS Operator).

Challenges
> Increasing attack surface
> Need to protect features and business models
> Legacy technologies not designed with security in mind
> Meaningful transfer of IT security technologies required
> Limited resources for security mechanisms / performance constraints
> Lack of automotive-specific standards / guidance
> Effects on many process areas

Page 5: Introduction – Building Blocks of a Security Solution

Figure: three building blocks: Embedded Software, Tools, Services.

Page 6: Services – Security does not Start or End with Cryptography

Figure: security activities across the development lifecycle:
> Asset Definition
> Threat and Risk Assessment
> Derivation of Security Goals
> Security Architecture Design & Analysis
> Security Concept Design & Analysis
> Secure Implementation of Nominal Function and Security Mechanisms
> Functional Security Testing
> Security Validation
> Fuzz Testing
> Penetration Testing
> Incident Management & Response

Page 7: Services – Typical Customer Needs

Figure: the lifecycle activities of the previous slide (Asset Definition, Threat and Risk Assessment, Derivation of Security Goals, Security Architecture Design & Analysis, Security Concept Design & Analysis, Secure Implementation of Nominal Function and Security Mechanisms, Functional Security Testing, Security Validation, Fuzz Testing, Penetration Testing, Incident Management & Response), with two typical needs called out:

Security Studies
> Examining customer-defined security concepts
> Proof-of-concept implementation of security mechanisms
> Performance analysis

Vehicle Security Architecture Implementation
> Development of vehicle security architectures for series
> Implementation based on established standards and customer-specific extensions
> Integration support

Page 8: Embedded Security Mechanisms – Building Blocks of a Security Solution

Figure: the three building blocks (Embedded Software, Tools, Services); this section covers Embedded Software.

Page 9: Embedded Security Mechanisms – Layered Security Concept (Logical View)

Layers (outside in)
> Secure External Communication
> Secure Gateways
> Secure In-Vehicle Communication
> Secure Platform

Associated Security Concepts
> Secure communication to services outside the vehicle, e.g. via TLS
> Firewalls / access control
> Key infrastructure / vehicle PKI
> Synchronized secure time
> Intrusion detection mechanisms
> Authenticity of messages
> Integrity and freshness of messages
> Confidentiality of messages
> Key storage
> Crypto library
> HW trust anchor (e.g. SHE, HSM, TPM, ...)
> Secure boot and secure update

Page 10: Embedded Security Mechanisms – MICROSAR 4.3 Security Modules and available Extensions

Figure: MICROSAR basic-software stack on the microcontroller (RTE, SYS, CAN, COM, LIN, FR, ETH, V2G¹, AVB¹, IO, LIBS, Complex Driver, MCAL, OS, DIAG, MEM, AMD, EXT) with the security modules CSM, CRYIF, CRYDRV (HW), CRYDRV (SW), SECOC, FVM, TLS¹ and XML Sec¹ located between the Application and the Hardware Trust Anchor (HTA). Legend: ¹ = Extensions for AUTOSAR; unmarked = Vector Standard Software.

Security modules
> Crypto Service Manager (CSM)
> Crypto Interface (CRYIF)
> Crypto Driver HW (CRYDRV(HW))
> Crypto Driver SW (CRYDRV(SW))
> Secure Onboard Communication (SecOC)
> Freshness Value Manager (FVM)
> Transport Layer Security (TLS)
> XML Security (XML Sec)
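The "authenticity of messages" and "integrity and freshness of messages" concepts of the layered model (page 9) are what SecOC together with the FVM provide. The following is an added example, not Vector's MICROSAR code: a minimal SecOC-style secured I-PDU (payload, truncated freshness value, truncated MAC) and a receiver that reconstructs the full freshness counter and rejects replays. It uses HMAC-SHA256 in place of the AES-CMAC that SecOC normally uses; key, data id and truncation lengths are constructed demo values.

```python
import hashlib
import hmac
from typing import Optional

# Constructed demo values; on a real ECU the key lives in the HTA / key store.
KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
FRESHNESS_BITS = 16   # bits of the freshness counter carried on the bus (assumed)
MAC_BYTES = 4         # truncated MAC length carried on the bus (assumed)

def _mac(key: bytes, data_id: int, payload: bytes, freshness: int) -> bytes:
    # MAC over data id || payload || full 64-bit freshness counter.
    # HMAC-SHA256 stands in for the CMAC that SecOC normally uses.
    msg = data_id.to_bytes(2, "big") + payload + freshness.to_bytes(8, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_BYTES]

def secoc_authenticate(data_id: int, payload: bytes, freshness: int, key: bytes = KEY) -> bytes:
    """Sender: secured I-PDU = payload || truncated freshness || truncated MAC."""
    trunc_fv = freshness & ((1 << FRESHNESS_BITS) - 1)
    return payload + trunc_fv.to_bytes(FRESHNESS_BITS // 8, "big") + _mac(key, data_id, payload, freshness)

class SecOCReceiver:
    """Receiver plus the FVM role: rebuilds the full counter from the truncated
    value and only accepts strictly increasing counters, so a replay fails."""

    def __init__(self, data_id: int, key: bytes = KEY) -> None:
        self.data_id, self.key, self.last_freshness = data_id, key, -1

    def verify(self, secured_pdu: bytes) -> Optional[bytes]:
        fv_len = FRESHNESS_BITS // 8
        if len(secured_pdu) <= fv_len + MAC_BYTES:
            return None
        payload = secured_pdu[:-(fv_len + MAC_BYTES)]
        trunc_fv = int.from_bytes(secured_pdu[-(fv_len + MAC_BYTES):-MAC_BYTES], "big")
        mac = secured_pdu[-MAC_BYTES:]
        # Upper bits come from the last accepted counter; if the truncated part
        # did not move forward, assume the counter wrapped into the next block.
        candidate = ((max(self.last_freshness, 0) >> FRESHNESS_BITS) << FRESHNESS_BITS) | trunc_fv
        if candidate <= self.last_freshness:
            candidate += 1 << FRESHNESS_BITS
        if not hmac.compare_digest(_mac(self.key, self.data_id, payload, candidate), mac):
            return None   # tampered payload, wrong key/data id, or a replayed counter
        self.last_freshness = candidate
        return payload
```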

Page 11: Embedded Security Mechanisms – Cryptographic Functions with and without HW-Support

Figure (left): the MICROSAR stack (RTE, SYS, CAN, COM, LIN, FR, ETH, V2G¹, AVB¹, IO, LIBS, Complex Driver, MCAL, OS, DIAG, MEM, AMD, EXT, TLS¹, XML Sec¹, SECOC, FVM) together with the flash bootloader (FBL) components HIS Security Module, Runtime Protection, Secure Bootmanager (HSM), Secure Update Manager and Update Authorization, the crypto abstraction library CAL (CPL), and the extension modules ETHFW¹, FWM¹, CANFW¹, IDSM¹, ETHIDS¹, CANIDS¹, SCANTSYN¹ and SETHTSYN¹, all above the Hardware Trust Anchor (HTA).

Figure (right): call path SWC/Application → RTE → CSM → CRYIF → CRYDRV (SW-LIB) or CRYDRV (HW) → HTA; BSW and CDD modules call CSM directly.

Crypto Service Manager – CSM
> SWC use CSM through the RTE
> BSW/CDD use CSM by inclusion
> Asynchronous operation possible
> Callback notifies the application

Crypto Interface – CRYIF
> Provides standard interfaces for specific cryptographic functions

Crypto Driver – CRYDRV
> Implementation of cryptographic functions
> CRYDRV (SW): usage of SW libraries
> CRYDRV (HW): usage of resources and capabilities of HW trust anchors (SHE, HSM, TPM, ...)

Legend: ¹ = Extensions for AUTOSAR; unmarked = Vector Standard Software.

Page 12: Embedded Security Mechanisms – Future Security Modules (not defined by AUTOSAR)

Figure: MICROSAR stack (RTE, SYS, CAN, COM, LIN, FR, ETH, V2G¹, AVB¹, IO, LIBS, Complex Driver, MCAL, OS, DIAG, MEM, AMD, EXT) with the future security modules ETHFW¹, FWM¹, CANFW¹, IDSM¹, ETHIDS¹, CANIDS¹, KSM¹, POLM¹, SLOG¹ and KeyM¹ between the Application and the Hardware Trust Anchor (HTA). Legend: ¹ = Extensions for AUTOSAR; unmarked = Vector Standard Software.

Future Security Modules
> Key Manager (KeyM)
> Key Store Manager (KSM)
> Security Audit Log (SLOG)
> Policy Manager (POLM)
> Firewall Manager (FWM)
  > CAN Firewall (CANFW)
  > Ethernet Firewall (ETHFW)
> Intrusion Detection System Manager (IDSM)
  > CAN Intrusion Detection System (CANIDS)
  > Ethernet Intrusion Detection System (ETHIDS)

Page 13: Embedded Security Mechanisms – MICROSAR Firewall

Generic Firewall Manager (FWM)
> Manages the state of the individual bus firewalls (e.g. ETHFW)
> Manages the security policy, which is stored securely in the HTA (SHE, HSM, ...)
> Role management of the security policy (e.g. factory, customer)
> Distribution of the security policy to the individual bus firewalls
> Update of the security policy via DCM

Ethernet Firewall (ETHFW)
> Stateful packet-filtering firewall (inspects IP/TCP/UDP packets)
> Own TCP/IP stack for extracting packet header information; no code shared with the TCP/IP module
> Applied security policy is requested from the FWM on ECU startup
> Local storage of the security policy for fast access (read-only)
> Logging of non-policy-conform packets in the tamper-proof SLOG

CAN Firewall (CANFW)
> Filters out CAN frames whose arrival is not predicted by the DBC
> Logging of e.g. CAN frame periodicity deviations in the tamper-proof SLOG

Figure: ECU block diagram with FWM, CANFW and ETHFW inside the MICROSAR stack (SWC/Application, RTE, SYS, CAN, COM, ETH, MCAL, DIAG, COMM, DCM, SLOG, CANIF, TCPIP, ETHIF, SOAD, PDUR, CRYDRV (HW)) and their connection to the HTA.
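As an added example (not MICROSAR code), a CANFW-style filter in Python: it drops frames whose ID or DLC is not predicted by a DBC-derived policy, logs periodicity deviations of cyclic frames to a SLOG stand-in, and forwards everything else. The policy, the tolerance and the frame trace are constructed; a real FWM would load the policy from the HTA and the SLOG would be tamper-proof.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed stand-in for the DBC-derived policy: CAN ID -> (DLC, cycle time in ms).
# Cycle 0 marks event-triggered frames. A real FWM would load this from the HTA-backed policy.
POLICY: Dict[int, Tuple[int, int]] = {
    0x100: (8, 10),    # constructed: 10 ms cyclic frame
    0x200: (4, 100),   # constructed: 100 ms cyclic frame
    0x7DF: (8, 0),     # constructed: event-triggered diagnostic request
}
TOLERANCE = 0.5        # accepted relative deviation from the nominal cycle time (assumed)

@dataclass
class CanFirewall:
    policy: Dict[int, Tuple[int, int]]
    slog: List[str] = field(default_factory=list)           # stand-in for the tamper-proof SLOG
    last_seen: Dict[int, float] = field(default_factory=dict)

    def filter(self, t_ms: float, can_id: int, data: bytes) -> bool:
        """True = forward the frame, False = drop it. Every anomaly is written to the log."""
        if can_id not in self.policy:
            self.slog.append(f"{t_ms:.1f} DROP id=0x{can_id:03X} reason=not_in_dbc")
            return False
        dlc, cycle = self.policy[can_id]
        if len(data) != dlc:
            self.slog.append(f"{t_ms:.1f} DROP id=0x{can_id:03X} reason=dlc got={len(data)} expected={dlc}")
            return False
        if cycle and can_id in self.last_seen:
            delta = t_ms - self.last_seen[can_id]
            if abs(delta - cycle) > TOLERANCE * cycle:
                # Forwarded but logged: an off-cycle frame is a typical sign of an injected message.
                self.slog.append(f"{t_ms:.1f} WARN id=0x{can_id:03X} reason=period delta={delta:.1f} nominal={cycle}")
        self.last_seen[can_id] = t_ms
        return True

# Constructed trace: (timestamp in ms, CAN ID, data)
TRACE = [
    (0.0, 0x100, bytes(8)),
    (10.0, 0x100, bytes(8)),
    (12.0, 0x100, bytes(8)),      # arrives 2 ms after the previous one instead of 10 ms
    (15.0, 0x300, b"\x01"),       # ID not contained in the DBC
    (20.0, 0x200, bytes(4)),
    (20.0, 0x7DF, bytes(8)),
    (25.0, 0x200, b"\x00\x00"),   # wrong DLC
]

def run_trace(frames=TRACE) -> Tuple[List[int], List[str]]:
    """Run a trace through a fresh firewall; returns the forwarded IDs and the log."""
    fw = CanFirewall(POLICY)
    forwarded = [can_id for t, can_id, data in frames if fw.filter(t, can_id, data)]
    return forwarded, fw.slog
```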

Page 14: Building Blocks of a Security Solution

Figure: the three building blocks (Embedded Software, Tools, Services).

Page 15: Tools – Challenges for Testing

> Increasing integration of security mechanisms in current and new architectures
> New challenges for automotive testing:
  > Testing of security
  > Testing despite security
> Tool solutions are currently in the piloting phase

Page 16: Tools – Testing of Security

Automotive Security Testing
> Functional testing: test of security-related functions for correct behavior
> Vulnerability scanning: test for known security vulnerabilities
> Fuzz testing: try to find new vulnerabilities of an implementation by sending malformed input to the target system; good benefit-to-cost ratio
> Penetration testing: highly individual & creative testing of the whole system (SW+HW) performed by a "smart human tester", based on many years of "hacking" experience

Figure: fuzz-testing setup with the components signal database [.dbc], CANoe, test framework (.NET COMdbLib, IronPython), boofuzz config [Python] and boofuzz core [Python]; fuzzed messages go over the bus system to the device under test, and monitoring data comes back.

Page 17: Tools – Testing despite Security

Figure: security sources (Default, Car2X, OEM Backend Adapter) feed a Security Manager with crypto material; the Vector tools (CANoe, vFlash, ...) use it via the interface on the bus system towards the device under test.

Testing of nominal functions regardless of security mechanisms
> Confidentiality: "But I need to be able to read any message for debugging purposes"
> Authenticity / freshness: "But I need the system to accept data from my log file in order to replicate the problem!"

Complexity drivers
> Different types of cryptographic keys
> Security protocols
> Different security architectures
> Different processes / backends

Page 18: Summary – Key Points

Figure: the three building blocks (Embedded Software, Tools, Services).

> Security is required to enable new features and protect business models
> The number of security mechanisms in current and future vehicle architectures grows
> Security has to be considered throughout development & testing, production and after sales
> Standard SW components are a foundation, but customer-specific extensions are needed
> Tools can simplify testing of security and testing despite security

Page 19

© 2015. Vector Informatik GmbH. All rights reserved. Any distribution or copying is subject to prior written approval by Vector. V2.01.00 | 2016-11-22

For more information about Vector and our products please visit www.vector.com

Author: Dr. Eduard Metzker, Vector Informatik GmbH