TechPaper. Over-the-air updates: what advantages does the AUTOSAR Adaptive Platform offer?


In vehicle development, using software to realize new functions is clearly in vogue. Vehicles that are already on the market are increasingly being retrofitted with the latest functions, such as those associated with fully automated driving. At the same time, software architectures are also becoming more efficient, for example because function modules are reloaded on demand. Over the entire life of the vehicle, its software should be continuously improved, adapted to new security requirements, or combined afresh with available functions right through to the backend. All these challenges increase the need for over-the-air (OTA) software updates. For this purpose, the new Adaptive AUTOSAR software platform standardizes the basic functions and regulates access to the required system properties. The following article sheds light on the concepts and solutions within this software environment for secure updates.

More and more vehicle functions are being realized using software. As a result, however, the update cycles are also becoming shorter. For example, the functions involved in fully automated driving are being improved continuously thanks to machine learning. Added to this, customers clearly expect it to be possible to update or add functions retroactively as well, such as improvements to the assistance systems, new apps, and so on. The ability to offer a consistent and stable procedure for meeting these requirements is becoming a key factor in enabling vehicle manufacturers to set themselves apart from their competitors. If there is no such concept, they run the risk of damage to their image as a consequence. Looking further ahead, electromobility could also mean longer maintenance intervals. But this is a difficult message to get across when software updates can still only be performed during a visit to the workshop. As in other industries, updates will therefore have to take place over the air in future.
The preconditions required for such update mechanisms can be achieved by connecting vehicles to the internet and networking the components. However, the task of updating critical vehicle functions places high demands on the security and reliability of the processes used for this purpose.

Extensive design improvements in Adaptive AUTOSAR

These challenges called for a new platform alongside the existing AUTOSAR software environment: Adaptive AUTOSAR. This means that OEMs and their suppliers do not constantly have to develop new and, in some cases, proprietary solutions for critical and complex functionalities. In comparison with the older Classic AUTOSAR, Adaptive AUTOSAR relies on parallelization and a dynamic run-time environment: components are loaded when they are required and deregistered again when they are no longer active. Adaptive AUTOSAR provides the applications with all the necessary programming interfaces regardless of the operating system used. This enables the use of existing software libraries in the areas of high-performance computing, embedded vision, or machine learning (Figure 1). Signal-based communication in Classic AUTOSAR on the CAN bus, for instance, has been replaced with service-oriented communication in Adaptive AUTOSAR. With this system architecture, new applications can be integrated into the entire system more easily. Modern and sometimes automated developer tools, such as Elektrobit's EB tresos, support software development for Adaptive AUTOSAR. They offer functions designed specifically for the new, more modern system architecture, such as compiler-based static and dynamic data flow analyses, automatic run-time estimates, and automatic software and hardware optimization.

[Figure 1: Adaptive AUTOSAR architecture. Elements shown: backend, connectivity client, update master, update slave; end-to-end security protection of update data packages and of update jobs.]

Responsibility for standardizing and further developing Adaptive AUTOSAR lies with the AUTOSAR consortium, which has over 250 subscribers from more than 70 different companies. New versions of Adaptive AUTOSAR will be published by the AUTOSAR consortium twice a year, at the end of March and the end of October. This will ensure that specifications and functionalities are maintained and updated continuously. Detailed information is available at www.autosar.org/standards/adaptive-platform.

Standardized functions for OTA updates

In connection with OTA updates, Adaptive AUTOSAR provides key functions as standard for purposefully updating functions and components. While Classic AUTOSAR always required a full update of the application software, Adaptive AUTOSAR supports differential updates. The background to this is a modular architecture in which only individual application blocks are updated, together with delta updates in which the target application is patched to the new software version. In practice, an update master receives the update data sent over the air from the connectivity client and then purposefully updates the individual software components in collaboration with the Update Configuration Manager (UCM) and the Diagnostic Manager (DM) (Figure 2). To make the entire update process as simple and uncomplicated as possible for OEMs or suppliers of services, Elektrobit offers a scalable and flexible full-service solution in the form of EB's Update OTA.
Depending on the OEM's specifications, it contains the cloud or backend environment required to prepare, manage, and implement the update throughout the life of the vehicle. Within an update rollout, several performance ECUs and/or the infotainment system belonging to the vehicle can also be updated at the same time. For this to work, the ECUs concerned must support standardized diagnostic protocols.

[Figure 2: Standardized functions for over-the-air updates. Labels: EB corbos AdaptiveCore; adaptive applications (adaptive application, diagnostic service application, connectivity client, update master); runtime for adaptive applications; adaptive platform foundation and services; OS; hypervisor. Legend: generic, hardware dependent, alternatives, OTA components.]

End-to-end security architecture to protect the entire vehicle

The connectivity of networked vehicles enables numerous meaningful functions, offering clear advantages to drivers and vehicle manufacturers alike. At the same time, however, it also increases the number of potential points of attack. Communication channels such as Car2X, WiFi, Bluetooth, remote control via apps, OBD-II, radio transmitter keys, and so on essentially represent potential gateways for hacker attacks. Alongside the obvious risks like data loss or malfunctions, these scenarios pose potential threats to OEMs, which include damage to their reputation with customers and business partners, cost risks for recalls or countermeasures, and customer dissatisfaction, all the way through to liability risks and potential legal consequences. With this in mind, OTA software updates place special demands on the security architecture both inside and outside the vehicle. The other points of attack listed are, of course, also purposefully protected; the focus below, however, lies on the security functions of Adaptive AUTOSAR, most notably within the context of OTA updates. The underlying security architecture takes account of the vehicle components and their connections and interfaces as well as the backend and, if applicable, any connected end devices. The concept therefore covers all the layers affected inside and outside the vehicle environment: individual components and ECUs, bus systems inside the vehicle, external interfaces and protocols (including WLAN, for example), as well as the end-to-end encryption and protection of all relevant services. This not only ensures system integrity and prevents attempted misuse, but also meets the ever-increasing legal requirements for data protection and information security.
The resulting end-to-end security architecture is shown in Figure 3.

High level of protection in Adaptive AUTOSAR

To achieve these goals, solutions and approaches from the area of automotive security are used, such as SecOC (Secure Onboard Communication) and HSMs (Hardware Security Modules). What is more, the security architecture is also based on Classic AUTOSAR solutions and on processes from client-server communication, such as TLS (Transport Layer Security), certificate-based authentication, and encryption.

The Secure Onboard Communication (SecOC) concept ensures that data transmitted within the onboard communication are authentic. SecOC thereby prevents manipulation of data packets, man-in-the-middle attacks, and other attack scenarios. To prevent unauthorized access by hackers to the CAN bus, the SecOC module adds a Message Authentication Code (MAC) to every block of data transmitted on the internal bus. To prevent manipulation by means of intercepted blocks of data, the cryptographic calculation takes account of a time-dependent component, the freshness value, which documents how up to date the message is. However, due to limitations of the classic CAN bus (the protocol provides for a frame size of just 8 bytes), only part of the freshness value and of the MAC can be transmitted with the user data. For its part, the recipient module calculates the complete MAC and freshness value and then compares them with the (partially) received values. If they do not match, the data packet received is rejected.

SecOC is supplemented with hardware-based encryption as well as internal trust safeguards and security mechanisms in the components and ECUs. These include authentication, anti-theft protection, and the identification of anomalies or unauthorized access attempts. These security elements, too, profit from the architecture-related advantages of Adaptive AUTOSAR, for example the acceleration of complex cryptographic calculations through parallelized execution.

Comprehensive protection of update processes

On the basis of the security architecture and concepts described, Adaptive AUTOSAR protects the entire update process, from starting the system to receiving the OTA update data and through to installing the update. The integrity of the system environment in the vehicle is assured by a secure boot mechanism, which loads and executes only authenticated software components. The verification process runs at the same time as the software in order to minimize loading and startup times. OEM-specific requirements are integrated seamlessly. An end-to-end encrypted communication connection between the backend and onboard components, as well as encrypted storage of the data in both the backend and the vehicle, make sure that the update data are securely transmitted and stored. The bootloader, which is independent of the program code of the applications, creates a secure environment in the vehicle for installing the update. The safeguards already described are also used for authenticating update packets and for actually importing the updated software. As Adaptive AUTOSAR has a stand-alone crypto library, the authentication and verification of software and hardware components run in parallel to the update process.
At the same time, the Secure Diagnostics system module monitors the communication between the diagnostic client and the ECUs concerned. The OEM has a choice between different authentication methods, such as seed-and-key or token-based authentication.

Elektrobit works on all security matters in close collaboration with Continental's security software experts Argus Cyber Security. Founded in 2013, the company is headquartered in Tel Aviv, Israel, and has offices in Michigan, Silicon Valley, Stuttgart, and Tokyo. It is the world's largest independent supplier of cyber security solutions in the automotive market. This means that OEMs profit from the design advantages of Adaptive AUTOSAR and can rely on the highest possible level of protection and security.

[Figure 3: End-to-end security architecture. A high-performance computer with performance cores and safety cores, secure boot, and a hypervisor running virtual machines: performance partitions (Adaptive AUTOSAR on a POSIX OS for new CPU-intensive, safety-relevant functions such as sensor fusion and novel user functions such as a store; a Classic AUTOSAR environment on a POSIX OS for the takeover of existing vehicle functions from Classic AUTOSAR SWCs), a security partition (Adaptive AUTOSAR Trusted Execution on a Trusted OS: secure startup, authentication), and a safety partition (Classic AUTOSAR on the AUTOSAR Safety OS: safety-relevant vehicle functions, monitoring of performance partitions). Legend: Classic AUTOSAR, security-related, Adaptive AUTOSAR applications / functions, hardware functions.]
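The SecOC check described under "High level of protection in Adaptive AUTOSAR" (a truncated MAC and a truncated freshness value carried in an 8-byte CAN frame, both recomputed in full by the receiver) as an added example; this is not Elektrobit's or AUTOSAR's code. HMAC-SHA256 in place of the SecOC CMAC, the 32-bit counter, the 8-bit freshness and 24-bit MAC truncation, and the frame layout are assumptions of this example, not statements of the paper.

```python
"""Simplified SecOC-style protection of an 8-byte CAN frame.

Added example, not Elektrobit's or AUTOSAR's code. Assumptions not taken from
the paper: HMAC-SHA256 stands in for the CMAC of the SecOC profiles (no extra
library needed); the freshness value is a 32-bit counter of which only the low
8 bits are sent; the MAC is truncated to 24 bits; the frame layout is
4 bytes payload | 1 byte truncated freshness | 3 bytes truncated MAC.
"""
import hashlib
import hmac
import struct

PAYLOAD_BYTES = 4          # 8-byte CAN frame minus 1 freshness + 3 MAC bytes
TX_FRESHNESS_MASK = 0xFF   # only the low 8 bits of the counter go on the bus
TX_MAC_BYTES = 3           # only the first 24 bits of the MAC go on the bus


def full_mac(key: bytes, data_id: int, payload: bytes, freshness: int) -> bytes:
    """MAC over data ID, payload and the complete 32-bit freshness value."""
    msg = struct.pack(">H", data_id) + payload + struct.pack(">I", freshness)
    return hmac.new(key, msg, hashlib.sha256).digest()


class Sender:
    """Transmitting ECU: one freshness counter, incremented per frame."""

    def __init__(self, key: bytes, data_id: int) -> None:
        self.key, self.data_id, self.freshness = key, data_id, 0

    def build_frame(self, payload: bytes) -> bytes:
        assert len(payload) == PAYLOAD_BYTES
        self.freshness += 1
        mac = full_mac(self.key, self.data_id, payload, self.freshness)
        return payload + bytes([self.freshness & TX_FRESHNESS_MASK]) + mac[:TX_MAC_BYTES]


class Receiver:
    """Receiving ECU: rebuilds the full freshness value and recomputes the MAC."""

    def __init__(self, key: bytes, data_id: int) -> None:
        self.key, self.data_id, self.last_freshness = key, data_id, 0

    def _candidate_freshness(self, rx_low: int) -> int:
        # Combine the receiver's own high bits with the received low bits. A
        # candidate not newer than the last accepted value means the low bits
        # wrapped, so move the high part forward by one window. More than 255
        # lost frames in a row cannot be bridged this way (the price of truncation).
        candidate = (self.last_freshness & ~TX_FRESHNESS_MASK) | rx_low
        if candidate <= self.last_freshness:
            candidate += TX_FRESHNESS_MASK + 1
        return candidate

    def verify(self, frame: bytes):
        """Return the payload if the frame is authentic and fresh, else None."""
        if len(frame) != PAYLOAD_BYTES + 1 + TX_MAC_BYTES:
            return None
        payload, rx_low, rx_mac = frame[:4], frame[4], frame[5:]
        freshness = self._candidate_freshness(rx_low)
        expected = full_mac(self.key, self.data_id, payload, freshness)
        # Compare only the transmitted MAC bits, in constant time. A replayed
        # frame fails here: the counter it was computed with is now stale.
        if not hmac.compare_digest(expected[:TX_MAC_BYTES], rx_mac):
            return None
        self.last_freshness = freshness
        return payload
```

Feeding the receiver several hundred consecutive frames exercises the 8-bit counter wrap, which is where naive implementations of the truncated freshness check break.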

Author: Börge Schmelz
Studied electrical engineering at the Technical University of Cologne (TH Köln). Since 2005, he has been involved in the development of AUTOSAR control units at Elektrobit. In 2010, he took over the management of global service projects with a view to successfully realizing series production ramp-ups globally with the use of EB products. In 2017, he switched to product management for high-performance computers and Adaptive AUTOSAR.

Author: Martin Böhner
Has served at several sites since joining Elektrobit in 2005 and in a variety of roles, such as Engineer, Consultant, Project Manager, and Program Manager. He has been responsible for leading programs and conducting research in the area of applied automotive security. Today he is the Head of Product Management for OTA and Security at EB.

Author: Peer Sterner
Began his career as an IT Security and Data Protection Officer in the German Armed Forces. Since joining Elektrobit in 2011, he has held various positions, e.g. as a Product Owner and Project Manager. He has also advised car manufacturers on vehicle diagnostics, standard software, and AUTOSAR. Since 2015, he has been developing a product line focusing on connected services and OTA. He is currently a Product Manager in the areas of connected services, OTA, and vehicle safety.


Elektrobit (EB) locations: Tokyo, Nagoya | Japan; Seoul | South Korea; Beijing, Shanghai | China; Bangalore | India; Tel Aviv | Israel; Oulu | Finland; Brasov, Timisoara | Romania; Vienna | Austria; Boeblingen, Brunswick, Erlangen, Ingolstadt, Radolfzell, Munich, Ulm | Germany; Paris, Carrières-sur-Seine | France; Bothell WA, San Jose CA, Farmington Hills MI | USA

About Elektrobit (EB)

Elektrobit (EB) is an award-winning and visionary global supplier of embedded and connected software products and services for the automotive industry. A leader in automotive software with over 30 years serving the industry, EB's software powers over 1 billion devices in more than 90 million vehicles and offers flexible, innovative solutions for connected car infrastructure, human machine interface (HMI) technologies, navigation, driver assistance, electronic control units (ECUs), and software engineering services. EB is a wholly owned subsidiary of Continental.

Elektrobit Automotive GmbH, Am Wolfsmantel 46, 91058 Erlangen, Germany. Phone: +49 9131 7701 0, Fax: +49 9131 7701 6333, sales@elektrobit.com, www.elektrobit.com