safety & security: an unbreakable bond for connected cars
TRANSCRIPT
© 2017 WIND RIVER. ALL RIGHTS RESERVED.
Safety & Security: An Unbreakable Bond for Connected Cars (Connected Vehicle Solutions)

Software In The Modern Era
safe, secure, certified, scalable, available, interoperable, resilient, portable, compliant, performant, flexible, configurable, updatable, proven, efficient, integrated, supported, simulated, maintainable…
…let’s just focus on the first two!

Supply Chain & System Cybersecurity
Are you a software company? No? Are you sure?
Is anything 100% secure? Safety is known; security vulnerabilities are unknown.
SAFETY: the system must not harm the world. Matures and gets more stable over time. Known execution paths.
SECURITY: the world must not harm the system. Becomes more challenging over time. Unknown execution paths.

Technical background: Possible attack vectors (block diagram of a vehicle E/E architecture; interfaces and components labelled in the figure: UART, NFC, BT, GPS, LTE/mobile provider, USB, WiFi, OBD, CAN, HDMI, LVDS, AVB switch, AVB camera, tuner, amplifier, SoC, main/touch head unit, cluster, gateway, ECUs, cloud service back end)

External systems and networks increase risk (diagram of the vehicle’s external connectivity; nodes labelled in the figure: V2V, Radio Data System (RDS), mobile devices, electric chargers, ad hoc network, trusted network (e.g., repair shop), untrusted network, local service AP, open AP, roadside unit (RSU), internet backbone, ISPs, automotive company application center, 3rd-party application center, GPS; legend: unidirectional vs. bidirectional communication, access point (AP))

Security is the #1 OTA use case projected for the next 10 years
(Chart: OTA use cases with penetration today vs. the next 10 years on a 10–100% scale; each row tagged ADAS/Convenience or Infotainment.)
• Security countermeasure – All new communications modules from 2017 will have OTA capability for security.
• Continuous improvement – Few car makers currently have the capability to remotely improve head unit software, but that will improve significantly over the next 5+ years as connectivity becomes mainstream and OEMs embed the modem into the head unit.
• New features & upsell – Infotainment upsell will become common over the next 5 years.
• Map update (consumer) – Only a handful of systems (BMW, Audi, Tesla) have maps that are updatable over the air. More vehicles ship with Wi-Fi capability, with cellular as the backup.
• Recall automation – OEMs which are moving towards consolidated ECU/domain architectures will have greater ‘reach’ into the vehicle for updates.
• Just-in-time updates – Volume manufacturers such as Ford already use JIT software updates in their plants to upload the latest software versions to vehicles at line-side. This practice is likely to increase as it offers flexibility to the supply chain.
• Deep learning & HD map update – Production levels of vehicles with HD maps will be low and are likely to remain below 5% of vehicle build for the next 10 years. Deep learning updates are expected to follow similar timing.

OTA Campaign Lifecycle (campaign stages: Detect, Prepare, Perform, Report, Monitor)
Detect – update need detected (trigger points):
1. Security patch
2. Bug/recall
3. New feature or upgrade
Prepare – campaign constructed (capabilities):
1. Upload new image & generate diff
2. Encrypt/sign
3. Assign update to appropriate vehicles and schedule the release
Perform – update downloaded & installed:
1. Notify vehicle of an available update
2. Verify, download & install updates to 1 or more ECUs
3. Rollback & recover if update fails
Report – update logged & reported:
1. Log update operations & status
2. Report status of update (or other error codes) back to the CarSync cloud
Monitor – remote monitoring & insights:
1. Remotely monitor vehicle health
2. Deliver actionable insights based on aggregated data

SDL and FuSa Lifecycle comparison
Lifecycle phases: requirements analysis; system architecture; HW/SW design; HW/SW implementation (code and HW implementation, reviews); HW/SW test; system integration; system test; maintenance and upgrades. Security and safety activities run in parallel with these phases (the arrow in the figure).
Security activities (SAE J3061): threat analysis; security goals; security architecture; attack tree analysis (ATA); functional and penetration tests; integration and penetration tests; validate security assumptions; incident response plan.
Safety activities (FuSa: ISO 26262): hazard analysis and risk assessment; safety goals; system safety concept; Failure Mode and Effects Analysis (FMEA), Fault Tree Analysis (FTA), Failure Modes Effects and Diagnostic Analysis (FMEDA); test safety mechanisms; validate safety assumptions.
Guidelines, reviews and analyses apply throughout. The result is a safe and secure platform: audit, secure, insure.
! Caution: limitations regarding safety when using open source !
• One security flaw for every several thousand lines of code
• Safety certification is ~$800k per 10,000 lines of code

Helix Chassis
A basis for future vehicle architectures:
• ADAS consolidation
• Autonomous driving
• Cockpit consolidation
Mixed safety criticality use cases

ADAS Consolidation and Autonomous Driving
Autonomous Driving SW Reference Architecture – virtual redundancy, divergent algorithms in a 2-of-3 voting system (diagram). Layers shown: multi-core HW platform (Eth, FPGA, CAN, flash, WDG timer, DSRC, GPU; cores 0-4, 5-11, 12-14, 15); Type 1 hypervisor (XML config, health mgmt, virtual devs, OS IPC) with low-level features; VxWorks instances A, B and C in user space, joined by multi-OS safety IPC; Adaptive AUTOSAR runtime processes (TSN, crypto, OpenCL, POSIX, C++, health, persistency, comm mgr, exec mgr, HW accel, log/trace, security mgr, diagnostics, filesys, V2X); Apollo Framework customer application components (sensor 1…n, sensor fusion, perception, nav/maps, localization, route plan, maneuvers, output 1…n); instances B and C running divergent perception algorithms (D, E, F, … and G, H, I, …) on OpenCL/SYCL/C++; shared services (video decode, CAN, storage, 3rd-party HD maps, SYCL, AI, OTA); 2-of-3 trajectory arbitration and LCLS (loosely coupled lock step) mgmt.

Loosely Coupled Lock Step – problem (timing diagram over 100/200/300 ms: an arbitration OS and reporting OS A, B, C, each producing trajectory decisions)
All OSs are reporting “regularly” but not aligned well enough for the arbitration to be effective. Each OS may have different algorithms and/or compute resources; even if they are the same, they will phase shift.
Failure modes shown: a trajectory from only 1 of 3 or only 2 of 3 OSs at decision time; missed deadline (>100 ms jitter + latency, or error); ignored notifications; large gap between reports.

Loosely Coupled Lock Step – Frame Aligned Processing (timing diagram: arbitration OS and reporting OS A, B, C over 100/200/300 ms frames; all timings are examples)
All OSs report the most recent trajectory calculated during a declared time window. If two or more OSs fail to deliver on time we fail safe. If the same OS consistently fails to deliver we fail safe.
Per frame:
1. Broadcast the next deadline timestamp; all OSs start processing together (decode sensor data for the next frame from shared memory).
2. Payload generated.
3. Payload updated if time allows (tighter payload creation window).
4. Deliver payload and stop processing; a timer delivers only the most recent payload, inside a 10 ms timestamped payload delivery window.
Payload = trajectory + deadline timestamp. Result: the arbiter always has 3 of 3 data points and all OSs always report in “lock-step”.
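The frame-aligned 2-of-3 arbitration described above, as an added example (not Wind River code): the arbiter accepts only payloads stamped with the current deadline and delivered inside the window, fails safe when fewer than two OSs deliver on time or when one OS keeps missing, and otherwise votes by taking two agreeing trajectories. The miss threshold, the agreement tolerance and the scalar trajectory value are assumptions.

```c
#include <math.h>
#include <stdbool.h>

#define N_OS 3
#define MAX_CONSECUTIVE_MISSES 3   /* assumed: what "consistently fails" means */
#define AGREE_TOL 0.5              /* assumed: trajectories this close agree */

/* Payload = trajectory + the deadline timestamp it was computed for. */
typedef struct {
    bool   delivered;     /* false when the OS sent nothing for this frame */
    long   delivered_ms;  /* arrival time of the payload at the arbiter */
    long   deadline_ms;   /* deadline timestamp echoed back by the reporting OS */
    double trajectory;    /* constructed scalar stand-in, e.g. a steering angle */
} payload_t;

typedef struct { int consecutive_misses[N_OS]; } arbiter_t;  /* per-OS history */
typedef enum { ARB_OK = 0, ARB_FAIL_SAFE = 1 } arb_status_t;

/* A payload counts only if stamped for this frame's deadline and delivered
 * inside [deadline - window, deadline]; stale or late payloads are misses. */
static bool on_time(const payload_t *p, long deadline_ms, long window_ms) {
    return p->delivered && p->deadline_ms == deadline_ms &&
           p->delivered_ms >= deadline_ms - window_ms &&
           p->delivered_ms <= deadline_ms;
}

/* One frame of 2-of-3 arbitration. Fails safe when fewer than two OSs are on
 * time, when one OS has missed MAX_CONSECUTIVE_MISSES frames in a row, or
 * when no two on-time trajectories agree. */
arb_status_t arbitrate_frame(arbiter_t *a, long deadline_ms, long window_ms,
                             const payload_t in[N_OS], double *out) {
    int ok[N_OS], n_ok = 0;
    bool persistent_fail = false;
    for (int i = 0; i < N_OS; i++) {
        if (on_time(&in[i], deadline_ms, window_ms)) {
            a->consecutive_misses[i] = 0;
            ok[n_ok++] = i;
        } else if (++a->consecutive_misses[i] >= MAX_CONSECUTIVE_MISSES) {
            persistent_fail = true;
        }
    }
    if (persistent_fail || n_ok < 2) return ARB_FAIL_SAFE;
    for (int i = 0; i < n_ok; i++)           /* vote: first agreeing pair wins */
        for (int j = i + 1; j < n_ok; j++) {
            double ti = in[ok[i]].trajectory, tj = in[ok[j]].trajectory;
            if (fabs(ti - tj) <= AGREE_TOL) { *out = (ti + tj) / 2.0; return ARB_OK; }
        }
    return ARB_FAIL_SAFE;                    /* divergent algorithms disagree */
}
```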

Cockpit consolidation – make it cheaper

Emerging Architectures (diagram: an Ethernet backbone connecting domain controllers, each with its own ECUs: Body GW with body domain app logic, ADAS/autonomous driving, Cluster/IVI/RSE, engine control; a TCU/Security GW carrying OTA to the cloud, telematics services and the mobile device; ARA::COM between domains)
Move app logic; lower uC costs.

As Compute Power Increases – Continue To Consolidate (diagram: one SoC with X cores and a GPU running a hypervisor with XML config, health mgmt, virtual devs and OS IPC; I/O: CAN/eAVB, USB 1, USB 2, Ethernet)
Partitions, each with OTA and Adaptive AUTOSAR (ARA::COM): Super ADAS RTOS (L3 – backup to L4/5); Cluster/HUD on VxWorks; Security GW; Rear OSS OS; Front IVI OSS OS; Body Ctrl legacy OS; V2X 3rd party.
Functions shown across the partitions: fastboot, OpenGL, safe audio mixer, safe HMI stack, rear camera, games, smart device link, wireless CarPlay, HD maps, TCU, IoT GW, firewall, IDPS, cloud connection, applications, monitor, windows, seat control, HVAC, CAN svc, DSRC drivers, V2X middleware.
TOO MANY FUNCTIONS TO FAIL TOGETHER
Qt 5.9 demo. Tomorrow’s possibilities.

Redundancy (diagram)
Automotive Master Box A and Automotive Master Box B monitor each other. Each hosts the same partitions: Super ADAS RTOS (A: L3 backup; B: backup²), Cluster/HUD RTOS, Security GW, Rear OSS OS, Front IVI OSS OS, Body Ctrl legacy OS and V2X 3rd party, connected via ARA::COM.

Wind River Hypervisor (diagram: four VMMs, each with its own HW plane and display)
• Root OS (VxWorks): safety HMI, safety HMI library, SW rasterization to framebuffer
• Guest OS (VxWorks): non-safety HW-accelerated HMI, API forwarding library, API forwarding
• GPU host OS (Android or Linux): forwarded API handler for IVI apps & frameworks, render engine, API handling via HW-accelerated driver, HW-assisted GPU sharing (GVT-g)
• Guest OS (Linux): IVI / RSE / ADAS app, render engine, HW-assisted GPU sharing (GVT-g)

With a separate autonomous driving unit… Helix Chassis – Full Picture (diagram)
Automotive Master Box A and B, monitoring each other: each hosts Super ADAS RTOS, Cluster/HUD RTOS, Security GW, Rear OSS OS, Front IVI OSS OS, Body Ctrl legacy OS and V2X 3rd-party partitions, connected via ARA::COM. L1/2/3 autonomous driving uses virtualization for consolidation and is the backup to L4/5 failures.
Separate autonomous driving unit for L4/5, using virtualization for redundancy: multi-core HW platform (Eth, serial, RAM, flash, bus, timer, DSRC, GPU; cores 0-4, 5-9, 10-14, 15); Black Oak hypervisor (XML config, health mgmt, virtual devs, OS IPC); VxWorks Cert guest OS instances A, B and C (Helix Drive) with multi-OS safety IPC and OTA; Adaptive AUTOSAR runtime processes (TSN, crypto, OpenCL, POSIX, C++, Java, health, persistency, comm mgr, exec mgr, HW accel, log/trace, security mgr, diagnostics, filesys, V2X); Autonomous Framework customer application components (sensor 1…n, sensor fusion, perception, nav/maps, localization, route plan, maneuvers, output 1…n, actuators 1 and 2); shared services (video decode, CAN, storage, eAVB/TSN); 2-of-3 trajectory arbitration, LCLS mgmt and actuation.
Only allow L1/2/3 if both units are operating OK, otherwise fall back to human driver – possibly still allow L1.
Also in the picture: Helix EdgeSync (OTA), body controller, engine controller, other tier-1 components.

Helix EdgeSync – last line of defense

Helix EdgeSync – End-to-end OTA update and SWLC management framework
• Built for automotive – consideration for unique reliability and security requirements, not copy/paste from mobile
• Modular and easy to integrate with existing OEM IT infrastructure & third-party solutions. All modules can be delivered & integrated as stand-alone products or as a complete end-to-end solution
• End-to-end security – ready to integrate into the OEM secure framework, with a validated reference implementation for data encryption, signing & verification, and secure channel
• Provides real-time insight into the update status
• Enhanced campaign management – by region, update type, selection of communication method, etc.
• Agnostic – no hard dependencies on OS, HW, or cloud-to-car or in-vehicle protocols
• Supports updates to multiple ECUs
• Customer campaign engine

How EdgeSync works (diagram)
CarSync Cloud & Differential System: release package generation, secure distribution and tracking; reports & statistics representation; OEM IT systems integration over Internet/intranet with two-way secure communication.
1. Secure update distribution channel, agnostic to the communication medium (4G/LTE, Bluetooth, WiFi).
2. Update download, version validation, and installation through the OS-agnostic CarSync Agent on the master ECU, which reaches ECU 1–4 over the CAN bus.
3. In-vehicle components: CarSync Agent – embedded client on the master ECU; Updater – extension of the Agent to support multiple ECU updates; Differential Updater – application of differential updates.
4. Update and vehicle data collection and reporting back to the CarSync Cloud.

EdgeSync has undergone a full security assessment
Architecture: understand the logical and component architecture; understand every communication and any valuable data that is moved and stored.
Threats: all possible threat agents; ultimate goals of these agents; typical attack methods; system-level objectives.
Attack surface: decompose the architecture to expose possible attack surfaces; apply attack methods for expected objectives; filter out agents with no attack method.
Mitigations: list existing security controls; filter out attack surfaces which are protected; apply new security controls to the remaining attack surfaces.
A formal method to follow is ATASM, which is taught by Brook S. E. Schoenfield and documented in Securing Systems: Applied Security Architecture and Threat Models.

Potential attacks identified, mitigations implemented (*high-level architecture diagram)
Components shown: OEM portal; back office (Redis, DFS, HTTP server, VBS, SQL, Hadoop, Cassandra, REST server, REST SAPI, ELK logs, report streaming host, consumer reports, diff generator, system services); TCU / head unit (downloader, SQLite, agent, updater, diff updater); ECUs; different protocols between them. Responsibilities are split between OEM / Tier 1 and CarSync.
Mitigations annotated on the diagram:
• OEM user roles with X.509 certificates and MFA; OEM network access via VPN
• Obfuscation, encryption, authentication; firewall; DMZ; load balancer; HTTPS; secure comms
• Images signed by the OEM; sign scripts; sign metadata; verification in various places of the data path; image verification; verify images
• Store OEM credentials separately
• Host duplication of the whole system; DB disaster recovery
• Key management system (images + metadata, OEM users, symmetric keys per vehicle)
• Encrypt vehicle info, maybe the whole DB; vehicle identity; encrypt SQL DB; disk encryption where applicable
• Intrusion detection: system, portal login, HTTP server, vehicles
• Security manual: agent, OEM network, image signing
• Vulnerability management: agent, hosted, XCCDF
• Divide vehicle domain from image
• Report vehicle validation errors; policy to pause failed downloads; blacklisting of “bad” vehicles
• Scripts non-root / least-privilege policy; least-privilege isolation of agent, scripts, downloader, etc.
• Transactions + rollback
• OS/HW: secure boot, SELinux policies + documentation, RBAC, security kernel features, certified OS
• Root of trust: DB symmetric key, back-end keys, private key per vehicle; revocation / manufacturing

With all the design fluidity occurring… Simics can help!
Virtual environment for security testing: https://software.intel.com/en-us/blogs/2017/06/06/finding-bios-vulnerabilities-with-excite
• How many cores?
• What network transports?
• Where are the bottlenecks?
• Every time an algorithm changes, so do my compute needs, and so does my system design – help!
Design development lifecycles need to be reduced, not just SW but HW also. Simics provides the most flexible means of changing designs, performing experimentation, and iterating the design.
Never enough HW in automotive – do you require HW?

Simics Scope (the emerging-architecture diagram again: Ethernet backbone, Body GW with body domain app logic, ADAS/autonomous driving, Cluster/IVI/RSE and engine control domains, each with its ECUs; cloud and Security GW)
Great for I/O, networking, raw compute designs. Highly multimedia devices not so much: too much closed IP (GPU, USB, video, etc.).
Thank You!