Intrusion Detection Adapted for Automotive – Challenges for Hardware - An Implementation Example
2018 IEEE-SA Ethernet & IP @ Automotive Technology Day
Harald Zweck, Infineon Technologies
Ronny Schulze, Infineon Technologies
Infineon Presentation @ IEEE Tech Day London 2018
Motivation
Source: I Am The Cavalry / Five Star Automotive Cyber Safety Framework / February 2015 / Link: https://www.iamthecavalry.org/
Statement given by “I Am The Cavalry”
Safety investigations drive substantial improvements, and records of electronic systems operations give visibility into root causes that may otherwise be opaque. These records can plainly show sources of error, be they malfunctions, design defects, human error or deliberate attack. Those waiting for proof of hacking or electronic sabotage will not find evidence without such logging and evidence collection in place. This capability will require more effort, over time, than others on this list, but it is foundational for improving safety in the long-term so starting now will help us achieve this goal.
Evidence Capture
Do your vehicle systems provide tamper evident, forensically-sound logging and evidence capture to facilitate safety investigations?
I read => Electronic systems shall record events like malfunctions, defects, errors, attacks etc.
Network
[Diagram: vehicle network with Automotive Ethernet and CAN / sensor bus segments, ECUs, ECUs with Ethernet connectivity, the OBD port and the antenna]
Network Traffic Clustering
› Unexpected traffic example related to Microcontroller Units
– cable defect
– connector defect
– unknown packet addresses
– unknown multicasts
– unused VLAN priority levels
– unexpected packets
[Diagram: two ECUs, each drawn as Connector, PHY, Ethernet MAC, Microcontroller and Software Stack, linked by the Ethernet cable]
Network Traffic Clustering
› Unexpected traffic example related to OSI Layer 1 / 2 / 2.5
– cable defect
– connector defect
– unknown packet addresses
– unknown multicasts
– unused priority levels
– unexpected packets
[Diagram: the Ethernet frame fields MAC Address, Ethertype and VLAN Tag above the Physical Layer, next to the ECU chain Connector, PHY, Ethernet MAC, Microcontroller and Software Stack]
Network Traffic Monitoring – Layer 1
› Layer 1 Traffic Evaluation
[Diagram: three ECUs, Front Processing, Side Processing and Rear Processing, each with a Microcontroller running Task 1 and Task 2 on their stacks above an Ethernet MAC. Traffic of the Front Processing ECU to / from Side Processing and Rear Processing, each flow with its three-way percentage split:
– from Task 1: 500 Fps, split 33 / 33 / 33
– from Task 2: 200 Fps, split 30 / 40 / 30
– to Task 1: 1000 Fps, split 25 / 50 / 25
– to Task 2: 500 Fps, split 40 / 30 / 30]
Network Traffic Monitoring – Layer 1
› Layer 1 Traffic Evaluation Example – Based on Frame Length
[Diagram: Front Processing ECU; Task 1 receives 1000 Fps (25 / 50 / 25), Task 2 receives 500 Fps (40 / 30 / 30)]

Frame Profile (length in bytes) | Task 1 reception | Task 2 reception | Total
Short frame (< 128) | 50% of 1000 Fps => 500 Fps | 30% of 500 Fps => 150 Fps | 500 Fps + 150 Fps => 650 Fps
Mid range frame (128 < frame < 1023) | 25% of 1000 Fps => 250 Fps | 40% of 500 Fps => 200 Fps | 250 Fps + 200 Fps => 450 Fps
Long frame (> 1023) | 25% of 1000 Fps => 250 Fps | 30% of 500 Fps => 150 Fps | 250 Fps + 150 Fps => 400 Fps
IEEE Standard Ethernet Frame – Addressing Schemes
[Diagram: encapsulation by layer
– Link Layer: Ethernet Frame – MAC Address, Ethertype, VLAN Tag, payload, CRC
– Network Layer: IP Packet – IP Header, payload
– Transport Layer: TCP/UDP Datagram – TCP/UDP header, payload
– Session Layer: (D)TLS Record
– Application Layer: Data]
Network Traffic Monitoring – Layer 1
› Layer 1 Traffic Monitoring Example – Based on Frame Length
[Diagram: inbound Ethernet frames enter the Ethernet MAC, pass the Frame Filters into the queues of Task 1, Task 2 and Task 3 (each with its stack), and increment three hardware counters, Short Frame Counter, Mid Size Frame Counter and Long Frame Counter (labelled 4x, 3x, 2x), which the Security Task on the Security Stack of the Microcontroller reads]
Network Traffic Profiling – Layer 1
› Layer 1 Traffic Profiling Example – Based on Frame Length
[Diagram: the Security Task on the Security Stack reads the Short, Mid Size and Long Frame Counters of the Ethernet MAC and takes Counter Value Snapshots over time; the series of snapshots forms the Frame Length Profiles for the Forensic Center]
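The evaluation table, the three hardware frame counters and the snapshot profiling on the preceding slides can be modelled in a few lines. The following C is an added example written for this page, not Infineon's demo or driver code: it derives the expected per-class frame rate from the per-task rates and percentages of the slide table, models the Short / Mid Size / Long Frame Counters as free-running 32-bit registers, and compares the counter delta of one snapshot window against the expected profile with a tolerance. The class boundaries (short < 128 bytes, long > 1023 bytes) follow the slide; the slide's ranges leave exactly 128 and 1023 bytes unassigned, and counting them as mid range is an assumption of this example. The 10% tolerance, the 1-second window and the burst of short frames are constructed sample values.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Frame length classes of the slide table: short < 128 bytes, long > 1023 bytes. The table
 * leaves exactly 128 and 1023 unassigned; counting them as mid range is this example's choice. */
enum frame_class { FC_SHORT = 0, FC_MID = 1, FC_LONG = 2, FC_NUM = 3 };

enum frame_class classify_frame_len(size_t len) {
    if (len < 128) return FC_SHORT;
    if (len > 1023) return FC_LONG;
    return FC_MID;
}

/* Reception profile of one task: frames per second and the percentage share of
 * short / mid / long frames (the per-task columns of the slide table). */
struct task_profile { unsigned fps; unsigned share_pct[FC_NUM]; };

/* Expected per-class frame rate summed over all tasks (the table's "Total" column). */
void expected_profile(const struct task_profile *tasks, size_t n, unsigned out_fps[FC_NUM]) {
    for (int c = 0; c < FC_NUM; c++) out_fps[c] = 0;
    for (size_t i = 0; i < n; i++)
        for (int c = 0; c < FC_NUM; c++)
            out_fps[c] += tasks[i].fps * tasks[i].share_pct[c] / 100;
}

/* Model of the three free-running hardware counters in the Ethernet MAC. */
struct frame_counters { uint32_t count[FC_NUM]; };

void count_frame(struct frame_counters *fc, size_t len) { fc->count[classify_frame_len(len)]++; }

/* Profiling step: compare two counter snapshots taken window_s seconds apart with the expected
 * profile. Returns a bitmask, bit c set when class c lies outside expected +/- tol_pct. */
unsigned check_window(const struct frame_counters *prev, const struct frame_counters *now,
                      unsigned window_s, const unsigned expected_fps[FC_NUM], unsigned tol_pct) {
    unsigned flags = 0;
    if (window_s == 0) return (1u << FC_NUM) - 1;          /* invalid window: flag everything */
    for (int c = 0; c < FC_NUM; c++) {
        uint32_t delta = now->count[c] - prev->count[c];   /* unsigned wrap handles rollover */
        unsigned rate = delta / window_s;
        unsigned want = expected_fps[c], tol = want * tol_pct / 100;
        if (rate > want + tol || rate + tol < want) flags |= 1u << c;
    }
    return flags;
}

/* Constructed sample data: the reception scenario of the slide table. */
static const struct task_profile slide_tasks[2] = {
    { 1000, { 50, 25, 25 } },   /* Task 1: 1000 Fps, 50% short, 25% mid, 25% long */
    {  500, { 30, 40, 30 } },   /* Task 2:  500 Fps, 30% short, 40% mid, 30% long */
};

unsigned slide_expected_fps(enum frame_class c) {
    unsigned e[FC_NUM];
    expected_profile(slide_tasks, 2, e);
    return e[c];
}

/* One constructed 1-second window: the expected mix, or the same mix plus a burst of
 * short frames (burst != 0). Returns the deviation bitmask at a 10% tolerance. */
unsigned demo_window_flags(int burst) {
    unsigned e[FC_NUM];
    struct frame_counters before = { { 0, 0, 0 } }, after = { { 0, 0, 0 } };
    expected_profile(slide_tasks, 2, e);
    for (unsigned i = 0; i < (burst ? 2000u : 650u); i++) count_frame(&after, 64);
    for (unsigned i = 0; i < 450; i++) count_frame(&after, 512);
    for (unsigned i = 0; i < 400; i++) count_frame(&after, 1500);
    return check_window(&before, &after, 1, e, 10);
}

int main(void) {
    static const char *names[FC_NUM] = { "short", "mid", "long" };
    for (int c = 0; c < FC_NUM; c++)
        printf("expected %-5s frames: %u Fps\n", names[c], slide_expected_fps((enum frame_class)c));
    printf("normal window flags: 0x%x\n", demo_window_flags(0));
    printf("burst window flags:  0x%x\n", demo_window_flags(1));
    return 0;
}
```

The deviation bitmask is what the Security Task would attach to each snapshot before it is forwarded as part of the frame length profile: a set bit marks the class whose rate left its expected band, and the raw counter deltas remain available for the forensic center. Differencing unsigned 32-bit values keeps the check correct across a counter rollover, which matters for counters that are never reset.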
Network Traffic Profiling – Layer 1
› Layer 1 - Limitations
[Diagram: frame properties Packet Addresses, VLAN Tag, Priority (PCP), Broadcast, Multicast, Frame Length and CRC Error, each marked Covered or Not Covered by the Ethernet MAC's Frame Filters, Queues and Counters; the MAC Address and VLAN Tag fields of the Physical Layer / Frame Layer are taken up as Layer 2 topics on the following slides]
Network Traffic Profiling – Layer 2
› Layer 2 - Challenges
[Diagram: Ethernet frame fields MAC Address (6 bytes = 48 bits), VLAN Tag (4 bytes = 32 bits), Ethertype, IP Header, TCP/UDP]
› 2^48 counters ??
› Realistic solution:
– Capture counters for passing frames -> 2 digit number range
– Capture rejected frames in one special stack process
Network Traffic Profiling – Layer 2
› Layer 2 Ethernet Frame Profiling
[Diagram: inbound Ethernet frames pass the Address Filters of the Ethernet MAC (MAC Addr. Range 1, MAC Addr. Range 2, MAC Addr. Range 3 and Residual Addr. Range) into separate queues, served by Task 1, Task 2 and Task 3 on their stacks and by the Intrusion Detection stack of the Microcontroller]
Network Traffic Profiling – Layer 2
› Multi-Layer Profiling Example
– Classify property ranges
– Capture property rate
– Count properties
[Diagram: profiled properties MAC Address, VLAN Tag, Ethertype, TCP/UDP Port and IP Header; for each, the Intrusion Detection task / code on its stack records the Profile Values Count, Value Range and Rate; frames of the Residual Addr. Range of the Address Filters are queued to the Intrusion Detection stack]
Simplified Network Demo
› Switched networks – Expectations
– Intelligent packet routing by switches
– Switches also provide features for traffic analysis
[Diagram: Demo Network with Device A, Device B and Device C connected to a Switch]
Traffic profiling/monitoring
› Using hardware support in the form of IETF MIB counters inside the Ethernet MAC
– Using registers for the number of good and bad packets of different lengths
– We count frames with a length of 64 to 256 bytes, 256 to 512 bytes and 512 to 1023 bytes
› Device B and C send their profile cyclically to Device A
[Diagram: Device A, Device B and Device C connected to the Switch]
Layer 2 implementation of residual Filter
› Packets which do not pass the uni/multicast address or VLAN filter are not dropped
› These packets are forwarded to a residual filter queue
› Separating this traffic allows routing it to an independent CPU inside the MCU for analysis
[Diagram: Ethernet MAC with xMII interface, Filter, Queues and DMAs; frames that FAIL the VLAN Tag / PCP check or the MAC Addresses check are passed to the Residual Filter queue instead of being dropped. Separating traffics inside the MCU: the Ethernet MAC queues and DMAs feed, over the Crossbar, CPU 0 and CPU x, each with its own RAM for Status, Control and Data]
› Sorted packets inside the residual queue can be forwarded to a separate/isolated CPU to process the data independently
› CPU x periodically counts packets based on MAC addresses, types etc.
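The residual-filter path described here and on the Layer 2 slides (address ranges feeding one queue each, a residual queue for everything that fails the address or VLAN / PCP filter, and a separate CPU that counts what lands there) is modelled below in C. This is an added example written for this page, not Infineon's demo or MCU driver code; the filter is a software stand-in for the Ethernet MAC hardware, so the counters stay in the "2 digit number range" by construction (one slot per accepted range, a bounded table for the rest). The three address ranges, the set of priorities in use, the locally administered MAC addresses, the five sample frames and the use of the local experimental Ethertype 0x88B5 for the unknown sender are all constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Header fields the Layer 2 filters look at. */
struct eth_hdr { uint8_t dst[6], src[6]; int tagged; unsigned pcp; uint16_t ethertype; };

/* Parse the Ethernet header: 14 bytes, or 18 with an 802.1Q tag. Returns 0 on success. */
int parse_eth_header(const uint8_t *f, size_t len, struct eth_hdr *h) {
    if (len < 14) return -1;
    memcpy(h->dst, f, 6); memcpy(h->src, f + 6, 6);
    h->ethertype = (uint16_t)((f[12] << 8) | f[13]);
    h->tagged = (h->ethertype == 0x8100); h->pcp = 0;     /* 0x8100 = 802.1Q TPID */
    if (h->tagged) {
        if (len < 18) return -1;
        h->pcp = (unsigned)(f[14] >> 5);                  /* PCP: top 3 bits of the TCI */
        h->ethertype = (uint16_t)((f[16] << 8) | f[17]);  /* encapsulated Ethertype */
    }
    return 0;
}

/* Hardware-style filter: up to three inclusive destination MAC ranges (one queue each)
 * and a bitmask of the VLAN priorities actually in use on this link. */
struct mac_range { uint8_t lo[6], hi[6]; };
struct l2_filter { struct mac_range range[3]; size_t n_ranges; unsigned pcp_in_use; };

/* Queue index 0..2 for an accepted frame, or -1: the frame goes to the residual queue. */
int l2_classify(const struct l2_filter *flt, const struct eth_hdr *h) {
    if (h->tagged && !((flt->pcp_in_use >> h->pcp) & 1u)) return -1;  /* unused priority */
    for (size_t i = 0; i < flt->n_ranges; i++)
        if (memcmp(h->dst, flt->range[i].lo, 6) >= 0 && memcmp(h->dst, flt->range[i].hi, 6) <= 0)
            return (int)i;
    return -1;                                                         /* unknown address */
}

/* Residual statistics kept by the isolated CPU: frame counts per (source MAC, Ethertype). */
#define RESID_SLOTS 8
struct resid_entry { uint8_t src[6]; uint16_t ethertype; unsigned count; };
struct resid_stats { struct resid_entry e[RESID_SLOTS]; size_t used; unsigned overflow; };

static struct resid_entry *resid_find(struct resid_stats *s, const struct eth_hdr *h) {
    for (size_t i = 0; i < s->used; i++)
        if (s->e[i].ethertype == h->ethertype && memcmp(s->e[i].src, h->src, 6) == 0) return &s->e[i];
    return NULL;
}

void resid_count(struct resid_stats *s, const struct eth_hdr *h) {
    struct resid_entry *e = resid_find(s, h);
    if (e) { e->count++; return; }
    if (s->used == RESID_SLOTS) { s->overflow++; return; }  /* table full: keep counting, never stall */
    e = &s->e[s->used++];
    memcpy(e->src, h->src, 6);
    e->ethertype = h->ethertype;
    e->count = 1;
}

/* --- constructed demo: three locally administered address ranges, priorities 1..3 in use --- */
static const struct l2_filter demo_filter = {
    { { { 0x02, 0, 0, 0, 0x00, 0x00 }, { 0x02, 0, 0, 0, 0x00, 0xFF } },
      { { 0x02, 0, 0, 0, 0x01, 0x00 }, { 0x02, 0, 0, 0, 0x01, 0xFF } },
      { { 0x02, 0, 0, 0, 0x02, 0x00 }, { 0x02, 0, 0, 0, 0x02, 0xFF } } }, 3, 0x0E };

struct sample { uint8_t dst[6], src[6]; int pcp; uint16_t ethertype; };  /* pcp < 0: untagged */
static const struct sample samples[5] = {
    { { 0x02, 0, 0, 0, 0x00, 0x10 }, { 0x02, 0, 0, 0, 0xAA, 0x01 }, -1, 0x0800 },  /* range 1            */
    { { 0x02, 0, 0, 0, 0x01, 0x05 }, { 0x02, 0, 0, 0, 0xAA, 0x02 },  3, 0x0800 },  /* range 2, prio 3    */
    { { 0x02, 0, 0, 0, 0x01, 0x05 }, { 0x02, 0, 0, 0, 0xAA, 0x02 },  6, 0x0800 },  /* unused priority 6  */
    { { 0x02, 0, 0, 0, 0x09, 0x01 }, { 0x02, 0, 0, 0, 0xBB, 0x03 }, -1, 0x88B5 },  /* unknown address    */
    { { 0x02, 0, 0, 0, 0x09, 0x01 }, { 0x02, 0, 0, 0, 0xBB, 0x03 }, -1, 0x88B5 },  /* same sender again  */
};

/* Serialise a sample as a minimum-size (64 byte) frame with zero payload. */
size_t build_frame(uint8_t *buf, const struct sample *s) {
    size_t off = 12;
    memset(buf, 0, 64);
    memcpy(buf, s->dst, 6); memcpy(buf + 6, s->src, 6);
    if (s->pcp >= 0) {                                    /* 802.1Q tag: TPID, then PCP/DEI/VID (VID 16) */
        buf[off++] = 0x81; buf[off++] = 0x00;
        buf[off++] = (uint8_t)(s->pcp << 5); buf[off++] = 0x10;
    }
    buf[off++] = (uint8_t)(s->ethertype >> 8); buf[off] = (uint8_t)s->ethertype;
    return 64;
}

/* Build, parse and filter sample i; returns the queue decision and fills *h. */
static int demo_frame(int i, struct eth_hdr *h) {
    uint8_t buf[64];
    size_t n = build_frame(buf, &samples[i]);
    return parse_eth_header(buf, n, h) == 0 ? l2_classify(&demo_filter, h) : -2;
}

/* Queue decision for sample i: 0..2 = task queue, -1 = residual queue, -2 = parse error. */
int demo_classify(int i) { struct eth_hdr h; return demo_frame(i, &h); }

/* Run all samples, count the residual ones on "CPU x", and return the count recorded for
 * sample i's (source MAC, Ethertype); 0 if that key never reached the residual queue. */
unsigned demo_residual_count(int i) {
    struct resid_stats st = { 0 }; struct eth_hdr h; const struct resid_entry *e;
    for (int k = 0; k < 5; k++)
        if (demo_frame(k, &h) == -1) resid_count(&st, &h);
    demo_frame(i, &h);
    e = resid_find(&st, &h);
    return e ? e->count : 0;
}
```

The residual side keeps a bounded table and counts overflow instead of growing or stalling, because a flood of unknown senders is exactly the condition under which that CPU must keep reporting; the per-(source MAC, Ethertype) counts are the kind of profile CPU x would hand to Device A, and the accepted queues never see the unknown or mis-prioritised frames at all.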
At the End …
› See the Demo at the Infineon booth!
› What to do with all that data?
– Device B and C report their traffic behavior to Device A, which manages the switch
– Device A can analyze it and may change the configuration of the switch ports for Device B and C
– Device A sends the network healthiness state to a forensic center