Automotive Security: Challenges and Solutions
8th Vector Congress, 30th November 2016
V2.01.00 2016-11-22
Agenda
> Introduction
> Services
> Embedded Security Mechanisms
> Tools
> Summary
Introduction: The Vehicle is Becoming a Part of the Internet of Things
[Diagram: the vehicle connected via OBD, DSRC and 4G LTE to OEM, suppliers, ITS operator, public clouds and service providers]
Introduction: Threats and Challenges
[Diagram: the same connected-vehicle picture (OEM, suppliers, ITS operator, OBD, DSRC, 4G LTE, public clouds, service provider) annotated with the challenges below]
Challenges
> Increasing attack surface
> Need to protect features and business models
> Legacy technologies not designed with security in mind
> Meaningful transfer of IT security technologies required
> Limited resources for security mechanisms / performance constraints
> Lack of automotive-specific standards / guidance
> Effects on many process areas
Introduction: Building Blocks of a Security Solution
> Services
> Embedded Software
> Tools
Services: Security does not Start or End with Cryptography
[Diagram: security activities across the development lifecycle, from asset definition on the concept and design side to testing and incident response on the verification side]
Concept and design side:
> Asset Definition
> Threat and Risk Assessment
> Derivation of Security Goals
> Security Architecture Design & Analysis
> Security Concept Design & Analysis
> Secure Implementation of Nominal Function and Security Mechanisms
Verification and operation side:
> Functional Security Testing
> Security Validation: Penetration Testing, Fuzz Testing
> Incident Management & Response
Services: Typical Customer Needs
[Diagram: the same lifecycle activities as on the previous slide (Asset Definition, Threat and Risk Assessment, Derivation of Security Goals, Security Architecture Design & Analysis, Security Concept Design & Analysis, Secure Implementation of Nominal Function and Security Mechanisms, Functional Security Testing, Security Validation, Penetration Testing, Fuzz Testing, Incident Management & Response), with the two service offerings below]
Security Studies
> Examining customer-defined security concepts
> Proof-of-concept implementation of security mechanisms
> Performance analysis
Vehicle Security Architecture Implementation
> Development of vehicle security architectures for series production
> Implementation based on established standards and customer-specific extensions
> Integration support
Embedded Security Mechanisms: Building Blocks of a Security Solution
> Services
> Embedded Software
> Tools
Embedded Security Mechanisms: Layered Security Concept (Logical View)
Layers and their associated security concepts:
Secure External Communication
> Secure communication to services outside the vehicle, e.g. via TLS
Secure Gateways
> Firewalls / access control
> Key infrastructure / vehicle PKI
> Synchronized secure time
> Intrusion detection mechanisms
Secure In-Vehicle Communication
> Authenticity of messages
> Integrity and freshness of messages
> Confidentiality of messages
Secure Platform
> Key storage
> Crypto library
> HW trust anchor (e.g. SHE, HSM, TPM, ...)
> Secure boot and secure update
Embedded Security Mechanisms: MICROSAR 4.3 Security Modules and Available Extensions
[Diagram: MICROSAR layered architecture with Application, RTE and the BSW layers OS, SYS, DIAG, MEM, COM, IO, LIBS, CAN, LIN, FR, ETH, V2G (1), TLS (1), XML Sec (1), AVB (1), EXT; the security modules CSM, CRYIF, CRYDRV (SW), CRYDRV (HW), FVM and SecOC sit alongside AMD, Complex Driver and MCAL above the microcontroller with its Hardware Trust Anchor (HTA) (1)]
Security modules:
> Crypto Service Manager (CSM)
> Secure Onboard Communication (SecOC)
> Crypto Interface (CRYIF)
> Crypto Driver HW (CRYDRV (HW))
> Crypto Driver SW (CRYDRV (SW))
> Freshness Value Manager (FVM)
> Transport Layer Security (TLS)
> XML Security (XML Sec)
(1) Extensions for AUTOSAR. Vector Standard Software.
Embedded Security Mechanisms: Cryptographic Functions with and without HW Support
[Diagram: the MICROSAR application stack (SWC/Application, RTE, OS, SYS, DIAG, MEM, COM, IO, LIBS, CAN, LIN, FR, ETH, V2G (1), TLS (1), XML Sec (1), AVB (1), EXT, FWM (1), IDSM (1), CANFW (1), ETHFW (1), CANIDS (1), ETHIDS (1), SCANTSYN (1), SETHTSYN (1), SecOC, CSM, CRYIF, CRYDRV (SW), CRYDRV (HW), AMD, Complex Driver, MCAL) side by side with the flash bootloader (FBL) stack (CAL, CPL, HIS Security Module, Runtime Protection, Update Authorization, Secure Update Manager, Sec. Bootmanager, CRYDRV (HW), MCAL, CDD), both on the microcontroller with its Hardware Trust Anchor (HTA, e.g. HSM)]
Crypto Service Manager (CSM)
> SWCs use the CSM through the RTE
> BSW/CDDs use the CSM by inclusion
> Asynchronous operation possible
> Completion is indicated to the application via callback
Crypto Interface (CRYIF)
> Provides standard interfaces for specific cryptographic functions
Crypto Driver (CRYDRV)
> Implementation of cryptographic functions
> CRYDRV (SW): usage of SW libraries (SW-LIB)
> CRYDRV (HW): usage of resources and capabilities of HW trust anchors (SHE, HSM, TPM, ...)
(1) Extensions for AUTOSAR. Vector Standard Software.
Embedded Security Mechanisms: Future Security Modules (not defined by AUTOSAR)
[Diagram: MICROSAR stack (Application, RTE, OS, SYS, DIAG, MEM, COM, IO, LIBS, CAN, LIN, FR, ETH, V2G (1), AVB (1), EXT, AMD, Complex Driver, MCAL, microcontroller with HTA (1)) with the future modules KeyM (1), KSM (1), POLM (1), SLOG (1), FWM (1), IDSM (1), CANFW (1), ETHFW (1), CANIDS (1), ETHIDS (1) placed among the existing layers]
Future security modules:
> Key Manager (KeyM)
> Key Store Manager (KSM)
> Security Audit Log (SLOG)
> Policy Manager (POLM)
> Firewall Manager (FWM)
  > CAN Firewall (CANFW)
  > Ethernet Firewall (ETHFW)
> Intrusion Detection System Manager (IDSM)
  > CAN Intrusion Detection System (CANIDS)
  > Ethernet Intrusion Detection System (ETHIDS)
(1) Extensions for AUTOSAR
Embedded Security Mechanisms: MICROSAR Firewall
[Diagram: SWC/Application, RTE and the BSW modules SYS, COMM, DIAG, DCM, SLOG, COM, PDUR, FWM, CANFW, SOAD, TCPIP, ETHFW, CANIF, ETHIF, MCAL and CRYDRV (HW) on a microcontroller with HTA]
Generic Firewall Manager (FWM):
> Manages the state of the individual bus firewalls (e.g. ETHFW)
> Manages the security policy, securely stored in the HTA (SHE, HSM, ...)
> Role management of the security policy (e.g. factory, customer)
> Distribution of the security policy to the individual bus firewalls
> Update of the security policy via DCM
Ethernet Firewall (ETHFW):
> Stateful packet filtering firewall (inspects IP/TCP/UDP packets)
> Own TCP/IP stack for extracting packet header information; no code shared with the TCP/IP module
> Applied security policy requested from the FWM on ECU startup
> Local storage of the security policy for fast access (read-only)
> Logging of non-policy-conform packets in the tamper-proof SLOG
CAN Firewall (CANFW):
> Filtering out CAN frames whose arrival is not predicted by the DBC
> Logging of e.g. CAN frame periodicity deviations in the tamper-proof SLOG
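To make the CANFW and SLOG behaviour above concrete, here is an added Python example written for this edit (not Vector's firewall or log code): an allow-list in the shape a firewall could derive from a DBC, a filter that drops frames the table does not predict and logs periodicity deviations of cyclic frames, and a hash-chained log as a minimal stand-in for a tamper-evident SLOG. The table contents, the 50 % tolerance, the trace and the log layout are all constructed for the example.

```python
import hashlib
import json

# Constructed allow-list in the shape a CANFW could derive from a DBC (not real
# vehicle data): CAN id -> (expected DLC, cycle time in ms, or None if event-driven)
DBC_TABLE = {
    0x100: (8, 10),     # cyclic frame every 10 ms
    0x200: (4, 100),    # cyclic frame every 100 ms
    0x7DF: (8, None),   # event-driven (diagnostic request)
}
CYCLE_TOLERANCE = 0.5   # log intervals that deviate from the cycle time by more than 50 %


class SecurityLog:
    """Append-only, hash-chained log: a minimal illustration of a tamper-evident
    SLOG. Each entry commits to the digest of its predecessor, so editing or
    deleting an earlier entry breaks verification of everything after it."""

    GENESIS = b"\x00" * 32

    def __init__(self):
        self.entries = []
        self._prev = self.GENESIS

    @staticmethod
    def _digest(entry: dict) -> bytes:
        body = {k: v for k, v in entry.items() if k != "digest"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).digest()

    def append(self, event: str, **fields) -> None:
        entry = {"event": event, **fields, "prev": self._prev.hex()}
        entry["digest"] = self._digest(entry).hex()
        self.entries.append(entry)
        self._prev = bytes.fromhex(entry["digest"])

    def verify_chain(self) -> bool:
        prev = self.GENESIS
        for entry in self.entries:
            if entry["prev"] != prev.hex() or self._digest(entry).hex() != entry["digest"]:
                return False
            prev = bytes.fromhex(entry["digest"])
        return True


class CanFirewall:
    """Drops frames the DBC does not predict (unknown id, wrong DLC) and logs
    periodicity deviations of cyclic frames without dropping them."""

    def __init__(self, table: dict, log: SecurityLog):
        self.table = table
        self.log = log
        self.last_seen = {}   # CAN id -> timestamp of the last forwarded frame

    def process(self, t_ms: int, can_id: int, data: bytes) -> bool:
        """Return True if the frame is forwarded, False if it is dropped."""
        rule = self.table.get(can_id)
        if rule is None:
            self.log.append("unknown_id", t_ms=t_ms, can_id=can_id)
            return False
        dlc, cycle_ms = rule
        if len(data) != dlc:
            self.log.append("dlc_mismatch", t_ms=t_ms, can_id=can_id, dlc=len(data))
            return False
        if cycle_ms is not None and can_id in self.last_seen:
            interval = t_ms - self.last_seen[can_id]
            if abs(interval - cycle_ms) > CYCLE_TOLERANCE * cycle_ms:
                self.log.append("periodicity_deviation", t_ms=t_ms, can_id=can_id,
                                interval_ms=interval, expected_ms=cycle_ms)
        self.last_seen[can_id] = t_ms
        return True


# Constructed trace: (timestamp in ms, CAN id, data)
SAMPLE_TRACE = [
    (0,   0x100, bytes(8)),
    (10,  0x100, bytes(8)),
    (12,  0x100, bytes(8)),   # second 0x100 only 2 ms later: periodicity deviation
    (20,  0x100, bytes(8)),
    (25,  0x300, bytes(8)),   # id not in the DBC: dropped
    (100, 0x200, bytes(2)),   # DLC 2 instead of 4: dropped
    (110, 0x7DF, bytes(8)),   # event-driven, no cycle check
]


def run_trace(trace=SAMPLE_TRACE):
    """Run a trace through a fresh firewall; return (forward decisions, log)."""
    log = SecurityLog()
    fw = CanFirewall(DBC_TABLE, log)
    return [fw.process(t, cid, d) for t, cid, d in trace], log
```

The deviant frame is forwarded but logged, matching the slide's split between filtering (frames the DBC does not predict) and logging (periodicity deviations); an IDS layer such as CANIDS would be the place to turn such log events into a verdict. The hash chain only gives tamper evidence for anyone who can check it later; what makes the real SLOG tamper-proof is storage under control of the HTA, which this sketch does not model.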
Embedded Security Mechanisms: Building Blocks of a Security Solution
> Services
> Embedded Software
> Tools
Tools: Challenges for Testing
> Increasing integration of security mechanisms in current and new architectures
> New challenges for automotive testing:
  > Testing of security
  > Testing despite security
> Tool solutions are currently in the piloting phase
Tools: Testing of Security
[Diagram: fuzzing setup: boofuzz Core [Python] and a boofuzz config [Python] are driven via IronPython from a .NET test framework in CANoe, which uses COMdbLib and the signal database [.dbc]; fuzzed messages go out over the bus system to the device under test and monitoring data comes back]
Automotive Security Testing
> Functional testing
  > Test of security-related functions for correct behavior
> Vulnerability scanning
  > Test for known security vulnerabilities
> Fuzz testing
  > Try to find new vulnerabilities of an implementation by sending malformed input to the target system
  > Good benefit-to-cost ratio
> Penetration testing
  > Highly individual & creative testing of the whole system (SW+HW) performed by a smart human tester
  > Based on many years of hacking experience
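An added example of the fuzz-testing idea in the list above (not the boofuzz/CANoe setup from the slide, and not code from the page): a toy length-prefixed record parser with a length-handling bug beside a hardened version, and a small generation-based fuzz harness in the boofuzz style that substitutes boundary values per field, truncates the record, and then applies seeded random mutations. The record format, seed values and parser names are constructed for the example.

```python
import random

# Constructed record format for this example (not a real diagnostic protocol):
#   byte 0: service id, byte 1: payload length N, bytes 2 .. 2+N-1: payload
SEED_RECORD = bytes([0x22, 0x02, 0x12, 0x34])


def parse_record_naive(msg: bytes) -> dict:
    """Trusts the length field: the classic length-handling bug. Reading past the
    end of a bytes object raises IndexError here; the same logic in C would be an
    out-of-bounds read."""
    service, length = msg[0], msg[1]
    payload = bytearray()
    for i in range(length):
        payload.append(msg[2 + i])
    return {"service": service, "payload": bytes(payload)}


def parse_record_hardened(msg: bytes) -> dict:
    """Validates the length field against the actual record size first and
    rejects malformed input with the documented exception type (ValueError)."""
    if len(msg) < 2:
        raise ValueError("record too short")
    service, length = msg[0], msg[1]
    if len(msg) != 2 + length:
        raise ValueError("length field does not match record size")
    return {"service": service, "payload": bytes(msg[2:])}


INTERESTING_BYTES = [0x00, 0x01, 0x02, 0x03, 0x7F, 0x80, 0xFE, 0xFF]


def generate_cases(seed: bytes, random_rounds: int = 200):
    """Generation-based cases (boundary value per field, truncation) followed by
    a fixed number of seeded random byte mutations, so every run is reproducible."""
    for pos in range(len(seed)):                       # boundary values per byte
        for value in INTERESTING_BYTES:
            yield seed[:pos] + bytes([value]) + seed[pos + 1:]
    for cut in range(len(seed)):                       # truncations, including empty
        yield seed[:cut]
    rng = random.Random(2016)
    for _ in range(random_rounds):
        case = bytearray(seed)
        for _ in range(rng.randint(1, 3)):
            case[rng.randrange(len(case))] = rng.randrange(256)
        yield bytes(case)


def fuzz(parser, seed: bytes = SEED_RECORD) -> list:
    """Feed every case to the parser. A ValueError is the documented rejection of
    malformed input; anything else is recorded as a crash (input, exception name)."""
    crashes = []
    for case in generate_cases(seed):
        try:
            parser(case)
        except ValueError:
            continue
        except Exception as exc:   # a fuzz harness deliberately catches everything
            crashes.append((case, type(exc).__name__))
    return crashes
```

The harness mirrors what the slide calls the good benefit-to-cost ratio of fuzzing: a few lines of generation logic find the bug in the naive parser deterministically, while the hardened parser survives the same corpus. Against a real ECU the monitor would be the bus and diagnostic responses rather than a caught exception, which is why the slide's setup routes monitoring data back into CANoe.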
Tools: Testing despite Security
[Diagram: crypto material from the security sources (Default, Car2X, OEM Backend) is fed through adapters into a Security Manager that serves the Vector tools (CANoe, vflash); the tools reach the device under test via an interface to the bus system]
Testing of nominal functions regardless of security mechanisms
> Confidentiality
  > "But I need to be able to read any message for debugging purposes"
> Authenticity / Freshness
  > "But I need the system to accept data from my log file in order to replicate the problem!"
Complexity drivers
> Different types of cryptographic keys
> Security protocols
> Different security architectures
> Different processes / backends
Summary: Key Points
> Security is required to enable new features and protect business models
> The number of security mechanisms in current and future vehicle architectures grows
> Security has to be considered throughout development & testing, production and after-sales
> Standard SW components are a foundation, but customer-specific extensions are needed
> Tools can simplify testing of security and testing despite security
[Diagram: the three building blocks Services, Embedded Software, Tools]
For more information about Vector and our products please visit www.vector.com
Author: Dr. Eduard Metzker, Vector Informatik GmbH
© 2015 Vector Informatik GmbH. All rights reserved. Any distribution or copying is subject to prior written approval by Vector.
V2.01.00 2016-11-22