Safety & Security: An Unbreakable Bond for Connected Cars

Connected Vehicle Solutions

© 2017 WIND RIVER. ALL RIGHTS RESERVED.


Page 2: Safety & Security: An Unbreakable Bond for Connected Cars


Software In The Modern Era

safe, secure, certified, scalable, available, interoperable, resilient, portable, compliant, performant, flexible, configurable, updatable, proven, efficient, integrated, supported, simulated, maintainable…

…let’s just focus on the first two!

Page 3: Safety & Security: An Unbreakable Bond for Connected Cars


Supply Chain & System Cybersecurity

Are you a software company? No? Are you sure?

Is anything 100% secure? Safety is known; security vulnerabilities are unknown.

Page 4: Safety & Security: An Unbreakable Bond for Connected Cars

SAFETY: The system must not harm the world. Matures and gets more stable over time. Known execution paths.

SECURITY: The world must not harm the system. Becomes more challenging over time. Unknown execution paths.


Page 5: Safety & Security: An Unbreakable Bond for Connected Cars

Technical background: possible attack vectors

[Figure: in-vehicle system diagram. External interfaces shown: UART, NFC, BT, GPS, LTE/mobile provider, USB, WiFi, OBD, and the cloud service back end. Internal components shown: SoC, AVB switch, tuner, amplifier, AVB camera, main/touch display, cluster, HDMI, LVDS, gateway, ECUs, CAN.]

Page 6: Safety & Security: An Unbreakable Bond for Connected Cars

[Figure: external systems and networks around the vehicle. Shown: V2V, Radio Data System (RDS), mobile devices, electric chargers, ad hoc network, trusted network (e.g., repair shop), untrusted network, Internet backbone, automotive company, application center, 3rd-party application center, local service AP, open AP, roadside unit (RSU), base stations (BS), ISPs, GPS. Legend: unidirectional communication, bidirectional communication, access point (AP).]

External systems and networks increase risk.

Page 7: Safety & Security: An Unbreakable Bond for Connected Cars

[Chart: OTA use cases with penetration today vs. the next 10 years, 10% to 100%, for ADAS/convenience and infotainment.]

Security countermeasure: All new communications modules from 2017 will have OTA capability for security.

Continuous improvement: Few car makers currently have the capability to remotely improve head unit software, but that will improve significantly over the next 5+ years as connectivity becomes mainstream and OEMs embed the modem into the head unit.

New features & upsell: Infotainment upsell will become common over the next 5 years.

Map update (consumer): Only a handful of systems (BMW, Audi, Tesla) have maps that are updatable over the air. More vehicles ship with Wi-Fi capability, with cellular as the backup.

Recall automation: OEMs which are moving towards consolidated ECU/domain architectures will have greater 'reach' into the vehicle for updates.

Just in time updates: Volume manufacturers such as Ford already use JIT software updates in their plants to upload the latest software versions to vehicles at line-side. This practice is likely to increase as it offers flexibility to the supply chain.

Deep learning & HD map update: Production levels of vehicles with HD maps will be low and are likely to remain below 5% of vehicle build for the next 10 years. Deep learning updates are expected to follow similar timing.

Security is the #1 OTA use case projected for the next 10 years.

Page 8: Safety & Security: An Unbreakable Bond for Connected Cars

OTA Campaign Lifecycle

Campaign stages: Detect, Prepare, Perform, Report, Monitor.

Detect (update need detected). Trigger points:
1. Security patch
2. Bug/recall
3. New feature or upgrade

Prepare (campaign constructed). Capabilities:
1. Upload new image & generate diff
2. Encrypt/sign
3. Assign update to appropriate vehicles and schedule the release

Perform (update downloaded & installed). Capabilities:
1. Notify vehicle of an available update
2. Verify, download & install updates to 1 or more ECUs
3. Rollback & recover if update fails

Report (update logged & reported). Capabilities:
1. Log update operations & status
2. Report status of update (or other error codes) back to the CarSync cloud

Monitor (remote monitoring & insights). Capabilities:
1. Remotely monitor vehicle health
2. Deliver actionable insights based on aggregated data

Page 9: Safety & Security: An Unbreakable Bond for Connected Cars

SDL and FuSa lifecycle comparison (FuSa: ISO 26262; Security: SAE J3061)

[Figure: the security and safety lifecycles drawn side by side against the common development phases; the arrow means that activities happen in parallel.]

Lifecycle phases: Requirements Analysis; System Architecture; HW/SW Design; HW/SW Implementation (code and HW implementation); HW/SW Test; System Integration; System Test; Maintenance and Upgrades.

Security activities: Threat Analysis; Security Goals; Security Architecture; Attack Tree Analysis (ATA); Functional and Penetration Tests; Integration and Penetration Tests; Validate Security Assumptions; Incident Response Plan.

Safety activities: Hazard Analysis and Risk Assessment; Safety Goals; System Safety Concept; FMEA, FTA, FMEDA; Test Safety Mechanisms; Validate Safety Assumptions; Guidelines, Reviews, Analyses; Reviews.

Together they yield a safe and secure platform.

Failure Mode and Effects Analysis (FMEA), Fault Tree Analysis (FTA), Failure Modes Effects and Diagnostic Analysis (FMEDA)

! Caution: Limitations regarding safety when using Open Source !

Audit, Secure, Insure

• One security flaw for every several thousand lines of code

• Safety certification is ~$800k per 10,000 lines of code

Page 10: Safety & Security: An Unbreakable Bond for Connected Cars


Helix Chassis

A basis for future vehicle architectures:

• ADAS consolidation

• Autonomous driving

• Cockpit consolidation

Mixed Safety Criticality Use-Cases

Page 11: Safety & Security: An Unbreakable Bond for Connected Cars


ADAS Consolidation and Autonomous Driving

Page 12: Safety & Security: An Unbreakable Bond for Connected Cars

[Figure: Autonomous Driving SW Reference Architecture – Virtual Redundancy, Divergent algorithms in 2 of 3 voting system. Layers, bottom up: multi-core HW platform (Eth, FPGA, CAN, Flash, WDG, Timer, DSRC, GPU; cores 0-4, 5-11, 12-14, 15); Type 1 hypervisor (XML config, health mgmt, virtual devs, OS IPC); VxWorks instances A, B and C running the Apollo Framework and Adaptive AUTOSAR, with divergent algorithms (D, E, F, … and G, H, I, …) feeding 2 of 3 trajectory arbitration over multi-OS safety IPC; low-level features (TSN, Crypto, OpenCL, POSIX, C++, SYCL); runtime processes (Health, Persistency, Comm Mgr, Exec Mgr, HW Accel, Log/Trace, Security Mgr, Diagnostics, Filesys, V2X, OTA); shared services (video decode, CAN, storage); LCLS mgmt; customer application components (sensors 1..n, sensor fusion, perception, nav/maps, localization, route plan, maneuvers, outputs 1..n, HD maps, AI, 3rd party).]

Page 13: Safety & Security: An Unbreakable Bond for Connected Cars

Loosely Coupled Lock Step - problem

[Figure: timeline in ms (100, 200, 300) for the Arbitration OS and Reporting OS A, B and C. Each reporting OS emits trajectory decisions on its own cadence. Annotations: trajectory only 1 of 3; missed deadline (>100 ms jitter + latency, or error); ignored notifications; large gap between, only 2 of 3.]

All OSs are reporting "regularly" but not aligned well enough for the arbitration to be effective. Each OS may have different algorithms and/or compute resources. Even if they are the same, they will phase shift.

Page 14: Safety & Security: An Unbreakable Bond for Connected Cars

Loosely Coupled Lock Step – Frame Aligned Processing

[Figure: the same timeline in ms (100, 200, 300) for the Arbitration OS and Reporting OS A, B and C, now with every OS delivering its trajectory decision at the frame boundary.]

All OSs report the most recent trajectory calculated during a declared time window. If two or more OSs fail to deliver on time we fail safe. If the same OS consistently fails to deliver we fail safe.

Frame sequence (all example timings; payload = trajectory + deadline timestamp):

1. Broadcast the next deadline timestamp, start processing together (decode sensor data for the next frame via shared memory).
2. Payload generated.
3. Payload updated if time allows (tighter payload creation window).
4. Deliver the payload and stop processing: deliver only the most recent payload via a timer, inside a 10 ms timestamped payload delivery window.

Result: always 3 of 3 data points, always reporting in "lock-step".
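The frame-aligned arbitration described above, as an added example that is not Wind River code: the arbiter accepts only payloads that carry the current deadline timestamp and arrive inside the 10 ms delivery window, fails safe when fewer than two of the three OSs deliver, and fails safe when one OS keeps missing its deadline. The miss threshold, the agreement tolerance and the trajectory encoding are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple, Union

DELIVERY_WINDOW_MS = 10       # slide: 10 ms timestamped payload delivery window
MAX_CONSECUTIVE_MISSES = 3    # constructed policy for "the same OS consistently fails to deliver"
TOLERANCE = (5.0, 2.0)        # constructed agreement bands: lateral offset (cm), speed (km/h)
FAIL_SAFE = "FAIL_SAFE"
Trajectory = Tuple[float, float]

@dataclass
class Payload:
    os_id: str               # reporting OS: "A", "B" or "C"
    deadline_ts: int         # deadline (ms) this trajectory was computed for
    trajectory: Trajectory   # (lateral_offset_cm, target_speed_kph)
    delivered_at: int        # arbitration-side receive time (ms)

def agree(t1: Trajectory, t2: Trajectory) -> bool:
    """Divergent algorithms never match exactly; agreement means within tolerance."""
    return all(abs(a - b) <= tol for a, b, tol in zip(t1, t2, TOLERANCE))

@dataclass
class Arbiter:
    misses: Dict[str, int] = field(default_factory=lambda: {"A": 0, "B": 0, "C": 0})

    def on_time(self, p: Payload, deadline_ts: int) -> bool:
        # A payload counts only if it was built for this deadline and arrived inside the
        # window; stale payloads from an earlier frame and late ones are ignored.
        return (p.deadline_ts == deadline_ts
                and deadline_ts <= p.delivered_at <= deadline_ts + DELIVERY_WINDOW_MS)

    def arbitrate(self, deadline_ts: int, payloads: List[Payload]) -> Union[Trajectory, str]:
        valid = {p.os_id: p.trajectory for p in payloads if self.on_time(p, deadline_ts)}
        for os_id in self.misses:
            self.misses[os_id] = 0 if os_id in valid else self.misses[os_id] + 1
        if len(valid) < 2:
            return FAIL_SAFE   # two or more OSs failed to deliver on time
        if max(self.misses.values()) >= MAX_CONSECUTIVE_MISSES:
            return FAIL_SAFE   # the same OS keeps missing: the redundancy is no longer real
        # 2 of 3 vote: accept the first trajectory (by OS id) that another OS agrees with.
        for os_id in sorted(valid):
            if any(agree(valid[os_id], valid[other]) for other in valid if other != os_id):
                return valid[os_id]
        return FAIL_SAFE       # the delivered trajectories disagree
```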

Page 15: Safety & Security: An Unbreakable Bond for Connected Cars


Cockpit consolidation

Make it cheaper

Page 16: Safety & Security: An Unbreakable Bond for Connected Cars

Emerging Architectures

[Figure: Ethernet backbone connecting domain controllers, each with several ECUs: Body GW (body domain app logic), ADAS/autonomous driving, Cluster/IVI/RSE, engine control. A TCU/security GW links the vehicle to the cloud (OTA), telematics services and mobile devices; Adaptive AUTOSAR ARA::COM between domains. Annotations: move app logic; lower uC costs.]

Page 17: Safety & Security: An Unbreakable Bond for Connected Cars

As Compute Power Increases – Continue To Consolidate

[Figure: one SoC (X cores, GPU) under a hypervisor (XML config, health mgmt, virtual devs, OS IPC) hosting Super ADAS RTOS (L3, backup to L4/5), Cluster/HUD VxWorks, Rear OSS OS, Front IVI OSS OS, Security GW, Body Ctrl legacy OS and V2X 3rd party, each with OTA and Adaptive AUTOSAR (ARA::COM). Functions spread across the guests: fastboot, OpenGL, safe audio mixer, safe HMI stack, games, Smart Device Link, rear camera, wireless CarPlay, HD maps, TCU, IoT GW, firewall, IDPS, cloud, windows, seat control, HVAC, monitor, CAN svc, DSRC drivers, V2X middleware, applications. Interfaces: CAN/eAVB, USB 1, USB 2, Ethernet. Qt 5.9 demo.]

TOO MANY FUNCTIONS TO FAIL TOGETHER

Tomorrow's possibilities

Page 18: Safety & Security: An Unbreakable Bond for Connected Cars

[Figure: two Automotive Master Boxes, A and B, each hosting Super ADAS RTOS, Cluster/HUD RTOS, Security GW, Rear OSS OS, Front IVI OSS OS, Body Ctrl legacy OS, V2X 3rd party and ARA::COM. Box A's Super ADAS is the L3 backup; box B's is a second backup (backup²). Redundancy: the two boxes monitor each other.]

Page 19: Safety & Security: An Unbreakable Bond for Connected Cars

WindRiver Hypervisor

[Figure: GPU sharing across four VMs, each with its own VMM, HW plane and display. Root OS (VxWorks): safety HMI library, render engine, SW rasterization to framebuffer. Guest OS (VxWorks): non-safety HW-accelerated HMI through an API forwarding library. GPU host OS (Android or Linux): forwarded API handler, API handling via HW-accelerated driver, IVI apps & frameworks. Guest OS (Linux): IVI / RSE / ADAS app. HW-assisted GPU sharing (GVT-g).]

Page 20: Safety & Security: An Unbreakable Bond for Connected Cars

Helix Chassis – Full Picture

With a separate autonomous driving unit....

[Figure: the two Automotive Master Boxes (A and B, monitoring each other, each with Super ADAS RTOS, Cluster/HUD RTOS, Security GW, Rear OSS OS, Front IVI OSS OS, Body Ctrl legacy OS, V2X 3rd party, ARA::COM) alongside a separate autonomous driving unit: Black Oak hypervisor (XML config, health mgmt, virtual devs, OS IPC) hosting VxWorks Cert guest OS instance A and Helix Drive instances B and C, running the autonomous framework and Adaptive AUTOSAR with multi-OS safety IPC, 2 of 3 trajectory arbitration, actuation (actuators 1 and 2), LCLS mgmt and shared services (video decode, CAN, storage, eAVB/TSN) on a multi-core HW platform (Eth, serial, RAM, flash, bus, timer, DSRC, GPU; cores 0-4, 5-9, 10-14, 15). Runtime processes and customer application components as on the reference architecture slide (sensors 1..n, sensor fusion, perception, nav/maps, localization, route plan, maneuvers, outputs 1..n). Helix EdgeSync provides OTA; body controller, engine controller and other tier-1 components hang off the chassis.]

L4/5 autonomous driving: uses virtualization for redundancy.

L1/2/3 autonomous driving: uses virtualization for consolidation; backup to L4/5 failures.

Only allow L1/2/3 if both units are operating OK, otherwise fall back to the human driver; possibly still allow L1.

Page 21: Safety & Security: An Unbreakable Bond for Connected Cars


Helix EdgeSync

Last line of defense

Page 22: Safety & Security: An Unbreakable Bond for Connected Cars


Helix EdgeSync: End-to-end OTA update and SWLC management framework

Built for automotive: consideration for unique reliability and security requirements, not copy/paste from mobile.

Modular and easy to integrate with existing OEM IT infrastructure & third-party solutions. All modules can be delivered & integrated as stand-alone products or as a complete end-to-end solution.

End-to-end security: ready to integrate into the OEM secure framework, with a validated reference implementation for data encryption, signing & verification, and secure channel.

Provides real-time insight into the update status.

Enhanced campaign management: by region, update type, selection of communication method, etc.

Agnostic: no hard dependencies on OS, HW, or cloud-to-car or in-vehicle protocols.

Supports updates to multiple ECUs.

Customer Campaign Engine

Page 23: Safety & Security: An Unbreakable Bond for Connected Cars

How EdgeSync works

[Figure: CarSync Cloud & Differential System connected over Internet/intranet to OEM IT systems and, over 4G/LTE, Bluetooth or WiFi, to the vehicle's Master ECU, which reaches ECU 1 to ECU 4 over the CAN bus.]

Release package generation, secure distribution and tracking; reports & statistics representation; OEM IT systems integration.

1. Secure update distribution channel.
2. Agnostic to the communication medium.
3. Update download, version validation, and installation through the OS-agnostic CarSync Agent:
   1. CarSync Agent: embedded client on the Master ECU
   2. Updater: extension of the Agent to support multiple ECU updates
   3. Differential Updater: application of differential updates
4. Two-way secure communication: update and vehicle data collection and reporting back to the CarSync Cloud.

Page 24: Safety & Security: An Unbreakable Bond for Connected Cars


EdgeSync has undergone a full security assessment

Architecture: understand the logical and component architecture; understand every communication and any valuable data that is moved and stored.

Threats: all possible threat agents; the ultimate goals of these agents; typical attack methods; system-level objectives.

Attack surface: decompose the architecture to expose possible attack surfaces; apply attack methods for expected objectives; filter out agents with no attack method.

Mitigations: list existing security controls; filter out attack surfaces which are protected; apply new security controls to the remaining attack surfaces.

A formal method to follow is ATASM, which is taught by Brook S. E. Schoenfield and documented in Securing Systems: Applied Security Architecture and Threat Models.

Page 25: Safety & Security: An Unbreakable Bond for Connected Cars

Potential attacks identified, mitigations implemented (high level architecture)

[Figure: EdgeSync high-level architecture. OEM side: portal, back office, diff generator. CarSync cloud: HTTP server, REST server, REST SAPI, Redis, DFS, VBS, SQL, Hadoop, Cassandra, ELK logs, report streaming host, consumer reports, system services. Vehicle side: TCU / head unit with downloader, SQLite, agent, updater and diff updater, then the ECU. Different protocols on each link. Responsibility is split between OEM / Tier 1 and CarSync.]

Mitigations:

• OEM user roles with X.509 certificates; MFA

• OEM network access over VPN

• OBF: encryption, authentication

• Firewall; DMZ; load balancer; HTTPS; secure comm

• Sign images by OEM; verification in various places of the data path; verify images

• Sign scripts; sign metadata

• Credentials: store OEM credentials separately

• Host duplication of the whole system and DB; disaster recovery

• Key management system: images + metadata, OEM users, symmetric keys per vehicle

• Encrypt vehicle info (maybe the whole DB); vehicle identity; encrypt SQL DB

• Intrusion detection: system, portal login, HTTP server, vehicles

• Image verification; host admin

• Security manual: agent, OEM network, image signing

• Vulnerability management: agent, hosted, XCCDF

• Divide vehicle domain from image

• Report vehicle validation errors; policy to pause failed downloads; blacklisting of "bad" vehicles

• Scripts: non-root / least privilege policy

• Transactions + rollback

• OS/HW: secure boot, SELinux policies + documentation, RBAC, security kernel features, CERT OS

• Least privilege isolation: agent, scripts, downloader, etc.

• Root of trust: DB symmetric key, back-end (BE) keys, private key for the vehicle

• Revocation / manufacturing

• Disk encryption where applicable
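The Prepare, Perform and Report stages of the OTA campaign lifecycle on the earlier slide, together with the "sign images by OEM", "sign metadata", "verify images" and "transactions + rollback" mitigations listed here, as an added example that is not EdgeSync or CarSync code: the back office signs a metadata manifest over the image hash, and the vehicle agent verifies the signature, enforces anti-rollback on the version, checks the image against the manifest, installs into the inactive slot and switches only after a health check passes. HMAC with a placeholder key stands in for the OEM's asymmetric image signing, and the A/B slots and the magic-header health check are constructed.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed stand-in for the OEM signing key. A real deployment signs with an
# asymmetric OEM key held in the key management system; the vehicle holds only
# the public key and cannot forge releases.
OEM_SIGNING_KEY = b"placeholder-oem-release-signing-key"

def canonical(meta: dict) -> bytes:
    """Stable byte encoding so signer and verifier hash the same metadata."""
    return json.dumps(meta, sort_keys=True, separators=(",", ":")).encode()

def sign_release(image: bytes, target_ecu: str, version: int) -> dict:
    """Back office (Prepare stage): hash the image, build the metadata, sign the metadata."""
    meta = {"target_ecu": target_ecu, "version": version, "size": len(image),
            "image_sha256": hashlib.sha256(image).hexdigest()}
    return {"meta": meta, "sig": hmac.new(OEM_SIGNING_KEY, canonical(meta), "sha256").hexdigest()}

@dataclass
class Ecu:
    name: str
    version: int
    slots: Dict[str, bytes]                  # A/B image slots (constructed)
    active: str = "A"
    log: List[str] = field(default_factory=list)

    def install(self, package: dict, image: bytes) -> str:
        """Vehicle agent (Perform stage): verify, install to the inactive slot, switch or roll back."""
        meta = package["meta"]
        expected = hmac.new(OEM_SIGNING_KEY, canonical(meta), "sha256").hexdigest()
        if not hmac.compare_digest(expected, package["sig"]):
            return self._report("REJECTED: metadata signature invalid")
        if meta["target_ecu"] != self.name:
            return self._report("REJECTED: package not addressed to this ECU")
        if meta["version"] <= self.version:  # anti-rollback: refuse older or replayed images
            return self._report("REJECTED: version %d not newer than %d" % (meta["version"], self.version))
        if len(image) != meta["size"] or hashlib.sha256(image).hexdigest() != meta["image_sha256"]:
            return self._report("REJECTED: image does not match signed metadata")
        inactive = "B" if self.active == "A" else "A"
        self.slots[inactive] = image         # transactional: the running slot is never overwritten
        if not self._health_check(inactive):
            self.slots[inactive] = b""       # roll back: keep running the active slot
            return self._report("ROLLED_BACK: health check failed, staying on v%d" % self.version)
        self.active, self.version = inactive, meta["version"]
        return self._report("INSTALLED: v%d active on slot %s" % (self.version, self.active))

    def _health_check(self, slot: str) -> bool:
        # Constructed post-install check; a real agent would boot-test the new slot.
        return self.slots[slot].startswith(b"ECUIMG")

    def _report(self, status: str) -> str:
        self.log.append(status)              # Report stage: logged, then sent back to the cloud
        return status
```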

Page 26: Safety & Security: An Unbreakable Bond for Connected Cars


With all the design fluidity occurring… Simics can help!

Virtual environment for security testing: https://software.intel.com/en-us/blogs/2017/06/06/finding-bios-vulnerabilities-with-excite

How many cores?

What network transports?

Where are the bottlenecks?

Every time an algorithm changes, so do my compute needs, and so does my system design. Help!

Design development lifecycles need to be reduced, not just SW but HW also. Simics provides the most flexible means of changing designs, performing experimentation, and iterating the design.

Never enough HW in automotive – do you require HW?

Page 27: Safety & Security: An Unbreakable Bond for Connected Cars

Simics Scope

[Figure: the emerging-architecture diagram again (Ethernet backbone; Body GW with body domain app logic; ADAS/autonomous driving; Cluster/IVI/RSE; engine control, each with several ECUs; cloud; security GW), marking where Simics applies.]

Great for I/O, networking, raw compute designs.

Highly multimedia devices not so much: too much closed IP (GPU, USB, video, etc.).

Page 28: Safety & Security: An Unbreakable Bond for Connected Cars


Thank You!