TechPaper

Over-the-air updates: what advantages does the AUTOSAR Adaptive Platform offer?
In vehicle development, using software to realize new functions is clearly in vogue. Vehicles that are already on the market are increasingly being retrofitted with the latest functions, such as those associated with fully automated driving. At the same time, software architectures are also becoming more efficient as function modules are reloaded, for example. Over the entire life of the vehicle, its software should be continuously improved, adapted to new security requirements, or combined afresh with available functions right through to the backend. All these challenges increase the need for over-the-air (OTA) software updates. For this purpose, the new Adaptive AUTOSAR software platform standardizes the basic functions and regulates access to the required system properties. The following article sheds light on the concepts and solutions within this software environment for secure updates.

More and more vehicle functions are being realized using software. However, the update cycles are also becoming shorter as a result. For example, the functions involved in fully automated driving are being improved continuously thanks to machine learning. Added to this, customers clearly expect it to be possible to update or add functions retroactively as well, such as improvements to the assistance systems, new apps, and so on. The ability to offer a consistent and stable procedure for meeting these requirements is becoming a key factor in enabling vehicle manufacturers to set themselves apart from their competitors. If there is no such concept, they run the risk of damage to their image as a consequence. Looking further ahead, electromobility could also mean longer maintenance intervals. But this is a difficult message to get across when software updates can still only be performed during a visit to the workshop. As in other industries, updates will therefore have to take place over the air in future.
The preconditions required for such update mechanisms can be achieved by connecting vehicles to the internet and networking the components. However, the task of updating critical vehicle functions places high demands on the security and reliability of the processes used for this purpose.

Extensive design improvements in Adaptive AUTOSAR

These challenges called for a new platform alongside the existing AUTOSAR software environment: Adaptive AUTOSAR. This means that OEMs and their suppliers do not constantly have to develop new and, in some cases, proprietary solutions for critical and complex functionalities. In comparison with the older Classic AUTOSAR, Adaptive AUTOSAR relies on parallelization and a dynamic run-time environment. In practice this means that components are loaded when they become active or required and unloaded again afterwards. Adaptive AUTOSAR provides the applications with all the necessary programming interfaces regardless of the operating system used. This enables the use of existing software libraries in the areas of high-performance computing, embedded vision, or machine learning. (Figure 1: Adaptive AUTOSAR architecture)

[Figure 1: Adaptive AUTOSAR architecture. Shown: backend, connectivity client, update master and update slave, with end-to-end security protection of update data packages and end-to-end security protection of update jobs.]

Signal-based communication in Classic AUTOSAR on the CAN bus, for instance, has been replaced with service-oriented communication in Adaptive AUTOSAR. With this system architecture, new applications can be integrated into the entire system more easily. Modern and sometimes automated developer tools, such as Elektrobit's EB tresos, support software development for Adaptive AUTOSAR. They offer functions designed specifically for the new, more modern system architecture, such as compiler-based static and dynamic data flow analyses, automatic run-time estimates, and automatic software and hardware optimization.

Responsibility for standardizing and further developing Adaptive AUTOSAR lies with the AUTOSAR consortium, which has over 250 subscribers from more than 70 different companies. New versions of Adaptive AUTOSAR will be published by the AUTOSAR consortium twice a year, at the end of March and the end of October. This will ensure that specifications and functionalities are maintained and updated continuously. Detailed information is available at www.autosar.org/standards/adaptive-platform.

Standardized functions for OTA updates

In connection with OTA updates, Adaptive AUTOSAR provides key functions as standard for purposefully updating functions and components. While Classic AUTOSAR always required a full update of the application software, Adaptive AUTOSAR supports differential updates. This rests on a modular architecture in which only individual application blocks are updated, and on delta updates in which the target application is patched to the new software version. What actually happens is that an update master receives from the connectivity client the update data sent over the air and then purposefully updates the individual software components in collaboration with the Update Configuration Manager (UCM) and the Diagnostic Manager (DM). (Figure 2: Standardized functions for over-the-air updates)

To make the entire update process as simple and uncomplicated as possible for OEMs or suppliers of services, Elektrobit offers a scalable and flexible full-service solution in the form of EB's Update OTA.
Depending on the OEM's specifications, it contains the cloud or backend environment required to prepare, manage, and implement the update throughout the life of the vehicle. Within an update rollout, several performance ECUs and/or the infotainment system belonging to the vehicle can also be updated at the same time. For this to work, the ECUs concerned must support standardized diagnostic protocols.

[Figure 2: Standardized functions for over-the-air updates. Layers shown: applications (adaptive application, diagnostic service application, connectivity client, update master), runtime for adaptive applications / adaptive platform (foundation, services), OS, hypervisor, hardware; legend: generic, hardware dependent, alternatives, OTA components; EB corbos AdaptiveCore.]

End-to-end security architecture to protect the entire vehicle

The connectivity of networked vehicles enables numerous meaningful functions, offering clear advantages to drivers and vehicle manufacturers alike. At the same time, however, it also increases the number of potential points of attack. Communication channels such as Car2X, WiFi, Bluetooth, remote control via apps, OBD-II, radio transmitter keys, and so on essentially represent potential gateways for hacker attacks. Alongside the obvious risks like data loss or malfunctions, these scenarios pose potential threats to OEMs, which include damage to their reputation with customers and business partners, cost risks for recalls or countermeasures, and customer dissatisfaction, all the way through to liability risks and potential legal consequences.

With this in mind, OTA software updates place special demands on the security architecture both inside and outside the vehicle. Obviously, the other points of attack listed are also purposefully protected. However, the focus below lies on the security functions of Adaptive AUTOSAR, most notably within the context of OTA updates. The underlying security architecture takes account of the vehicle components and their connections and interfaces as well as the backend and, if applicable, any end devices connected as well. The concept therefore covers all the layers affected inside and outside the vehicle environment: individual components and ECUs, bus systems inside the vehicle, external interfaces and protocols (including WLAN, for example) as well as the end-to-end encryption and protection of all relevant services. This not only ensures system integrity and prevents attempted misuse, but also meets the ever-increasing legal requirements for data protection and information security.
(Figure 3: End-to-end security architecture)

High level of protection in Adaptive AUTOSAR

To achieve these goals, solutions and approaches are used from the area of automotive security, such as SecOC (Secure Onboard Communication) and HSM (Hardware Security Modules). What is more, the security architecture is also based on Classic AUTOSAR solutions and on processes from client-server communication, such as TLS (Transport Layer Security), certificate-based authentication, and encryption.

The Secure Onboard Communication (SecOC) concept ensures that data transmitted within the onboard communication are authentic. SecOC thereby prevents any manipulation of data packets, man-in-the-middle attacks, or other attack scenarios. To prevent any unauthorized access by hackers to the CAN bus, the SecOC module adds a Message Authentication Code (MAC) to every block of data transmitted on the internal bus. To prevent any manipulation by means of intercepted and re-sent blocks of data, the cryptographic calculation takes account of a time-dependent component, the freshness value, which documents how current the message is. However, due to limitations of the classic CAN bus (the protocol used there provides for a frame size of just 8 bytes), only part of the freshness value and of the MAC can be transmitted with the user data. For its part, the recipient module calculates the complete MAC and the freshness value and then compares them with the (partial) values received. If they do not match, the data packet received is rejected.

SecOC is supplemented with hardware-based encryption as well as internal trust safeguards and security mechanisms in the components and ECUs. These include authentication, anti-theft protection, and the identification of anomalies or unauthorized access attempts. These security elements too profit from the architecture-related advantages of Adaptive AUTOSAR, for example through the parallelized execution and therefore acceleration of complex cryptographic calculations.

Comprehensive protection of update processes

On the basis of the security architecture and concepts described, Adaptive AUTOSAR protects the entire update process, from starting the system to receiving the OTA update data and through to installing the update. The integrity of the system environment in the vehicle is assured thanks to a secure boot mechanism. This loads and executes only authenticated software components. The verification process runs at the same time as the software in order to minimize loading and startup times. OEM-specific requirements are integrated seamlessly. An end-to-end encrypted communication connection between the backend and onboard components as well as encrypted storage of the data in both the backend and the vehicle make sure that the update data are securely transmitted and stored. The bootloader, which is independent from the program code of the applications, creates a secure environment in the vehicle for installing the update. The safeguards already described are also used for authenticating update packets and for actually importing the updated software. As Adaptive AUTOSAR has a stand-alone crypto library, the authentication and verification of software and hardware components run parallel to the update process.
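The truncated MAC and freshness check that the SecOC paragraphs above describe, as an added example that is not code from the article or from AUTOSAR: the sender packs 4 bytes of user data, the low 8 bits of a 64-bit freshness counter and the first 3 bytes of the MAC into one 8-byte CAN frame; the receiver rebuilds the full counter from its own state plus the received bits, recomputes the MAC, and rejects replayed or tampered frames. The key, PDU id, bit widths and the use of HMAC-SHA256 in place of AES-CMAC are assumptions made for this demo.

```python
import hashlib, hmac
# Constructed demo key. On a real ECU the SecOC key stays inside the HSM.
KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
FRESH_BITS = 8   # low-order freshness bits carried in the frame
MAC_BYTES = 3    # leading MAC bytes carried in the frame
DATA_LEN = 4     # user data bytes per 8-byte classic CAN frame

def full_mac(pdu_id: int, data: bytes, freshness: int) -> bytes:
    # MAC over PDU id, user data and the COMPLETE freshness value (HMAC stands in for CMAC).
    msg = pdu_id.to_bytes(2, "big") + data + freshness.to_bytes(8, "big")
    return hmac.new(KEY, msg, hashlib.sha256).digest()

def build_frame(pdu_id: int, data: bytes, freshness: int) -> bytes:
    # Sender: data || truncated freshness || truncated MAC, 8 bytes in total.
    trunc_fresh = freshness & ((1 << FRESH_BITS) - 1)
    return data + bytes([trunc_fresh]) + full_mac(pdu_id, data, freshness)[:MAC_BYTES]

class Receiver:
    def __init__(self) -> None:
        self.last_accepted = 0   # freshness of the last frame that verified

    def reconstruct_freshness(self, trunc_fresh: int) -> int:
        # Rebuild the full counter from local state plus the received low bits.
        mask = (1 << FRESH_BITS) - 1
        candidate = (self.last_accepted & ~mask) | trunc_fresh
        if candidate <= self.last_accepted:
            candidate += 1 << FRESH_BITS   # low bits wrapped since last accepted
        return candidate

    def verify(self, pdu_id: int, frame: bytes):
        # Return the user data if MAC and freshness check out, else None.
        data, trunc_mac = frame[:DATA_LEN], frame[DATA_LEN + 1:]
        freshness = self.reconstruct_freshness(frame[DATA_LEN])
        expected = full_mac(pdu_id, data, freshness)[:MAC_BYTES]
        if not hmac.compare_digest(expected, trunc_mac):
            return None                  # tampered, replayed or stale frame
        self.last_accepted = freshness
        return data

def demo():
    # Good frame, its replay, a later frame, a tampered frame, then freshness 300,
    # whose low byte (44) is below the last accepted 200, i.e. the low bits wrapped.
    rx, pdu, p = Receiver(), 0x123, b"\x01\x02\x03\x04"
    good, tampered = build_frame(pdu, p, 1), bytearray(build_frame(pdu, p, 201))
    tampered[0] ^= 0xFF
    return (rx.verify(pdu, good), rx.verify(pdu, good),
            rx.verify(pdu, build_frame(pdu, p, 200)), rx.verify(pdu, bytes(tampered)),
            rx.verify(pdu, build_frame(pdu, b"\x05\x06\x07\x08", 300)))
```

Because only 8 freshness bits travel with the frame, the receiver can only bridge a gap of fewer than 256 counter values; a larger gap is reconstructed wrongly and the frame is rejected, which is why AUTOSAR SecOC pairs truncated freshness with a synchronisation mechanism.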
At the same time, the Secure Diagnostics system module monitors the communication between the diagnostic client and the ECUs concerned. The OEM has a choice between different authentication methods, such as seed-and-key or token-based authentication.

Elektrobit works on all security matters in close collaboration with Continental's security software experts Argus Cyber Security. Founded in 2013, the company is headquartered in Tel Aviv, Israel, and has offices in Michigan, Silicon Valley, Stuttgart, and Tokyo. It is the world's largest independent supplier of cyber security solutions in the automotive market. This means that OEMs profit from the design advantages of Adaptive AUTOSAR and can rely on the highest possible level of protection and security.

[Figure 3: End-to-end security architecture. Labels shown: high-performance computer with performance cores and safety cores; hypervisor and secure boot; virtual machines for performance partitions (Adaptive AUTOSAR, POSIX OS), a security partition (Adaptive AUTOSAR Trusted Execution, Trusted OS) and a safety partition (Classic AUTOSAR, AUTOSAR Safety OS); Classic AUTOSAR environment (AUTOSAR OS). Functions listed: new CPU-intensive (safety-relevant) functions, e.g. sensor fusion; novel user functions, e.g. store; takeover of existing vehicle functions from Classic AUTOSAR (SWCs); secure startup, authentication; safety-relevant vehicle functions, monitoring of performance partitions. Legend: Classic AUTOSAR, security-related, Adaptive AUTOSAR applications / functions, hardware functions.]
Author: Börge Schmelz
Studied electrical engineering at the Technical University of Cologne (TH Köln). Since 2005, he has been involved in the development of AUTOSAR control units at Elektrobit. In 2010, he took over the management of global service projects with a view to successfully realizing series production ramp-ups globally with the use of EB products. In 2017, he switched to product management for high-performance computers and Adaptive AUTOSAR.

Author: Martin Böhner
Has served at several sites since joining Elektrobit in 2005 and in a variety of roles, such as Engineer, Consultant, Project Manager, and Program Manager. He has been responsible for leading programs and conducting research in the area of applied automotive security. Today he is the Head of Product Management for OTA and Security at EB.

Author: Peer Sterner
Began his career as an IT Security and Data Protection Officer in the German Armed Forces. Since joining Elektrobit in 2011, he has held various positions, e.g. as a Product Owner and Project Manager. He has also advised car manufacturers on vehicle diagnostics, standard software, and AUTOSAR. Since 2015, he has been developing a product line focusing on connected services and OTA. He is currently a Product Manager in the areas of connected services, OTA, and vehicle safety.
Elektrobit (EB) locations: Tokyo, Nagoya | Japan; Seoul | South Korea; Beijing, Shanghai | China; Bangalore | India; Tel Aviv | Israel; Oulu | Finland; Brasov, Timisoara | Romania; Vienna | Austria; Boeblingen, Brunswick, Erlangen, Ingolstadt, Radolfzell, Munich, Ulm | Germany; Paris, Carrières-sur-Seine | France; Bothell WA, San Jose CA, Farmington Hills MI | USA

About Elektrobit (EB)
Elektrobit (EB) is an award-winning and visionary global supplier of embedded and connected software products and services for the automotive industry. A leader in automotive software with over 30 years serving the industry, EB's software powers over 1 billion devices in more than 90 million vehicles and offers flexible, innovative solutions for connected car infrastructure, human machine interface (HMI) technologies, navigation, driver assistance, electronic control units (ECUs), and software engineering services. EB is a wholly owned subsidiary of Continental.

Elektrobit Automotive GmbH
Am Wolfsmantel 46
91058 Erlangen, Germany
Phone: +49 9131 7701 0
Fax: +49 9131 7701 6333
sales@elektrobit.com
www.elektrobit.com