Vehicular On-board Security: EVITA Project



Similar documents
EVITA-Project.org: E-Safety Vehicle Intrusion Protected Applications

Security risk analysis approach for on-board vehicle networks

Safety and security related features in AUTOSAR

CycurHSM An Automotive-qualified Software Stack for Hardware Security Modules

Vehicular Security Hardware The Security for Vehicular Security Mechanisms

Security in Vehicle Networks

Hardware Security Modules for Protecting Embedded Systems

Identification of Authenticity Requirements in Systems of Systems by Functional Security Analysis

The relevance of cyber-security to functional safety of connected and automated vehicles

NEXT GENERATION OF AUTOMOTIVE SECURITY: SECURE HARDWARE AND SECURE OPEN PLATFORMS

Plain English Guide To Common Criteria Requirements In The. Field Device Protection Profile Version 0.75

OSI Layers in Automotive Networks

Automotive and Industrial Data Security

Developing software for Autonomous Vehicle Applications; a Look Into the Software Development Process

SHE Secure Hardware Extension

Automotive Software Development Challenges Virtualisation and Embedded Security

COSC 472 Network Security

Hardware Security for Trustworthy C2X Applications Marko Wolf

Defense in Cyber Space Beating Cyber Threats that Target Mesh Networks

Automotive Ethernet Security Testing. Alon Regev and Abhijit Lahiri

future data and infrastructure

Embedded Java & Secure Element for high security in IoT systems

WIND RIVER SECURE ANDROID CAPABILITY

An OSGi based HMI for networked vehicles. Telefónica I+D Miguel García Longarón

Chap. 1: Introduction

Chapter 1: Introduction

Car Connections. Johan Lukkien. System Architecture and Networking

Securing Wireless Access for Vehicular Environments (WAVE)

Security architecture Integrating security into the communicating vehicle. Norbert Bissmeyer, Fraunhofer SIT June 18 th 2015

Network Security 網 路 安 全. Lecture 1 February 20, 2012 洪 國 寶

AUTOSAR Software Architecture

Applied and Integrated Security. C. Eckert

How To Write A Transport Layer Protocol For Wireless Networks

SECURITY ASPECTS IN MOBILE AD HOC NETWORK (MANETS)

Right-Sizing M2M Security: The Best Security is Security Tailored to Your Application

Threat Modelling and Risk Assessment Within Vehicular Systems

Customer Experience. Silicon. Support & Professional Eng. Services. Freescale Provided SW & Solutions

Standardized software components will help in mastering the. software should be developed for FlexRay were presented at

Embedding Trust into Cars Secure Software Delivery and Installation

Wireless Sensor Network: Challenges, Issues and Research

Radware ADC-VX Solution. The Agility of Virtual; The Predictability of Physical

Full Drive Encryption Security Problem Definition - Encryption Engine

Cryptography and Network Security

CTR System Report FISMA

Information System Security

UNCLASSIFIED Version 1.0 May 2012

Excerpt of Cyber Security Policy/Standard S Information Security Standards

Simple and error-free startup of the communication cluster. as well as high system stability over long service life are

Security and Privacy Controls for Federal Information Systems and Organizations

Mobile Security Wireless Mesh Network Security. Sascha Alexander Jopen

VICTORIA UNIVERSITY OF WELLINGTON Te Whare Wānanga o te Ūpoko o te Ika a Māui

Basics of Internet Security

Security Threats in Demo Steinkjer

Internet of things (IOT) applications covering industrial domain. Dev Bhattacharya

Chapter 6: Fundamental Cloud Security

Secure Data Exchange Solution

Taxonomic Modeling of Security Threats in Software Defined Networking

Radware ADC-VX Solution. The Agility of Virtual; The Predictability of Physical

Arnab Roy Fujitsu Laboratories of America and CSA Big Data WG

Security Overview of the Integrity Virtual Machines Architecture

Wireless Sensor Network Security. Seth A. Hellbusch CMPE 257

Secure Key Management A Key Feature for Modern Vehicle Electronics

Cryptography and Network Security Chapter 1

MOST Training and Workshops

Developing the Corporate Security Architecture. Alex Woda July 22, 2009

IoT Security Platform

ISO Controls and Objectives

Introduction to Information Security

Trusted Platforms for Homeland Security

Notes on Network Security - Introduction

M2M For industrial and automotive

CHANCES AND RISKS FOR SECURITY IN MULTICORE PROCESSORS

Draft ITU-T Recommendation X.805 (Formerly X.css), Security architecture for systems providing end-to-end communications

05.0 Application Development

Electronic Registration Identification (ERI)

ECU State Manager Module Development and Design for Automotive Platform Software Based on AUTOSAR 4.0

Wireless Microcontrollers for Environment Management, Asset Tracking and Consumer. October 2009

7. Public Key Cryptosystems and Digital Signatures, 8. Firewalls, 9. Intrusion detection systems, 10. Biometric Security Systems, 11.

Information Security Basic Concepts

AutoSAR Overview. FESA Workshop at KTH Prof. Jakob Axelsson Volvo Cars and Mälardalen University

Secure software updates for ITS communications devices

USB Portable Storage Device: Security Problem Definition Summary

Standard Statement Data and System Security

Data Storage Security in Cloud Computing

Wireless traffic Safety network between Cars. CoMoSeF TULEVAT TRENDIT AUTOJEN M2M KOMMUNIKAATIOSSA WISAFECAR JA COMOSEF PROJEKTIT

ISO27001 Controls and Objectives

M-Shield mobile security technology

INTERNATIONAL JOURNAL OF PURE AND APPLIED RESEARCH IN ENGINEERING AND TECHNOLOGY

10- Assume you open your credit card bill and see several large unauthorized charges unfortunately you may have been the victim of (identity theft)

Threat Modeling. Categorizing the nature and severity of system vulnerabilities. John B. Dickson, CISSP

SecureD Technical Overview

Information Security for Modern Enterprises

Secure cloud access system using JAR ABSTRACT:

2.1 What are distributed systems? What are systems? Different kind of systems How to distribute systems? 2.2 Communication concepts

Transcription:

C2C-CC Security Workshop 5 November 2009 VW, MobileLifeCampus Wolfsburg Hervé Seudié Corporate Sector Research and Advance Engineering Robert Bosch GmbH Outline 1. Project Scope and Objectives 2. Security Requirement Analysis 3. Hardware Security Modules as security anchor 4. Software Architecture 5. Summary & Outlook 2

Project Scope (1): Focus on in-vehicular systems Securing the external car2x communication: Via wireless interface Goals: Prevention from attacks, Detection from attacks, Containment of attacks Securing the in-vehicular system infrastructure via physical access via wireless interface Goals: Prevention from attacks, Detection from attacks, Containment of attacks 3 Project Scope (2): Focus on in-vehicular systems Targeting requirements of esafety, esecurity WG and C2C-CC Research on a secure on-board architecture: Protection of high critical esafety applications Defining overall on-board security architecture for cooperative vehicles Software is not secure enough for tomorrow s cooperative esafety applications: Looking for appropriate SW and HW measures for ensuring security Finding a suitable partitioning of SW and HW security Defining hardware co-processor: Secure storage and processing of secret material High throughput only possible with hardware acceleration 4

Project Scope (2): Complementary Security Activities Secure vehicular Communication In-vehicular Security Hardware Consolidation Harmonization Standardization Privacy for ITS Communication Field Test Preparation 5 Project partners 6

Project Structure and Objectives Dissemination and external interfaces Open specifications Liaison with related initiatives in the field of esafety Goals Milestones 7 Security Requirement Analysis Use Case Categories Car2MyCar, MyCar2Car, Car2I, I2Car Nomadic Devices, USB Sticks, MP3 Aftermarket Components, Diagnosis Risk and Threat analysis Risk associated with an attack is a function of: severity of impact (i.e. harm to stakeholders) probability of successful attack for safety-related risks, controllability of hazardous situations needs to be considered Not possible to quantify severity and probability in many applications need to relate severity and probability to attack trees resulting from security threat analysis 8

Interpretation of attack trees Level 0: Goal (Illegal benefit to attacker) Goal Level 1: Objectives (Harm for stakeholders severity) Level 2: Methods (Combined probability of successful attack) Intermediate/dummy nodes Level 3: Asset s ( potential related to probability of success for specific attacks on particular assets) severity RISK probability Asset 1 Objective 1 Method 1 Intermediate step Asset 2 Objective 2 Asset 3 Method 2 Asset 4 Objective 3 AND node Asset 4 9 Security severity classification a 4-component vector Class Safety Privacy Financial Operational S0 No injuries. No data access. No financial loss. S1 S2 S3 S4 Light/moderate injuries. Severe injuries (survival probable). Moderate injuries for multiple units. Life threatening or fatal injuries. Severe injuries for multiple units. Fatal for multiple vehicles. Anonymous data only (no specific user or vehicle data). Vehicle specific data (vehicle or model). Anonymous data for multiple units. Driver identity compromised. Vehicle data for multiple units. Driver identity access for multiple units. Low level loss (~ 10). Moderate loss (~ 100). Low losses for multiple units. Heavy loss (~ 1000). Multiple moderate loss. Multiple heavy losses. No impact on operation. Impact not discernible to driver. Driver aware. Not discernible in multiple units. Significant impact. Multiple units with driver aware. Significant impact for multiple units. 10

potential and probability potential evaluation using established, structured approach from Common Criteria applied at asset attack level Indicative of attack probability (inverse relationship) numerical scale used to represent relative ranking of attack probability potential probability Rating Description Likelihood Ranking 0 9 Basic Highly likely 5 10 13 Enhanced basic Likely 4 14 19 Moderate Possible 3 20 24 High Unlikely 2 25 Beyond high Remote 1 11 Sample asset attack ratings tree node Asset (attack) Required attack potential Value Rating Asset-attack probability [6.2.2.1] GPS (jamming) 4 Basic 5 [6.3.2.2], [9.1.1.1], [9.3.3.3], [15.1.1], [15.2.1] [3.2.2.4.2.2], [4.3.2.1.2.2] [8.3.1] Communications Unit (denial of service) In-car User Hardware Interfaces (access) In-car Sensors (spoof) Environment Sensors (flash malicious code to firmware) 11 Enhanced- Basic 15 Moderate 3 24 High 2 41 Beyond High 1 4 12

Risk analysis attack tree table Sample risk analysis attack active brake Objective 9.1 Delay active braking (e.g. by x ms) Severity (S) S S =0 S P =0 S F =0 S O =2 Method Delay computation Delay data transmission Risk level (R) R S =R0 R P =R0 R F =R0 R O =R3 R S =R0 R P =R0 R F =R0 R O =R4 Combined attack method Asset (attack) probability (A) 9.1.1.2 Chassis Safety Controller (denial of service) 4 9.1.1.1 Communications Unit (denial of service) 9.1.2.1 Wireless Communications (jamming) 5 9.1.2.2 Backbone Bus (jamming) 9.1.2.3 Chassis Safety Bus (jamming) Asset attack probability (P) 2 4 5 4 4 13 Prioritising security requirements Requirements classified in terms of security properties that they represent confidentiality, privacy, availability, authenticity etc. Requirements mapped to use cases, attack trees and asset attacks Priority indicated by summary of risk analysis collates results from risk assessment of all attack trees organized by asset (what to protect) and attack type (how to protect it) mapped to groups of security requirements identifies risk levels found from attack trees and the number of occurrences Interpretation few instances and/or low risk suggest low priority for protection high risk and/or many instances suggest higher priority for protection 14

Risk-based security requirement priorities Chassis Safety Controller Wireless Comms Identified threats Risk analysis results Asset Risk level Instances 1 3 Denial of service 2 1 Exploit 4 1 implementation flaws 5 1 2 5 3 5 Corrupt or fake 4 4 messages 5 1 6 4 7 3 Jamming 4 5 3 2 Security requirements Authenticity_6, Availability_102, Availability_106 Low priority Authenticity_1, Authenticity_2, Authenticity_3 Confidentiality_1, Confidentiality_2, Authenticity_101 Important to protect against this asset attack Availability_107, Availability_108, Integrity_102 15 Vehicular On-board Architecture Requirements Integrity of hardware security module: Prevention/detection of tampering with hardware security modules Integrity and authenticity of in-vehicle software and data: Unauthorized alteration of any in-vehicle software must be infeasible / detectable Integrity and authenticity of in-vehicular communication: Unauthorized modification of data can be detected by the receiver Confidentiality of in-vehicular communication and data: Unauthorized disclosure of confidential data sent or stored must be infeasible. Proof of platform integrity and authenticity to other (remote) entities: Capability to prove the integrity and authenticity of its platform configuration Access Control to in-vehicle data and resources: Enabling availability and well-defined access to all data and resources 16

Basic Idea: EVITA Overall On-Board Architecture 17 Hardware Security Module as security anchor Main goal Providing secure platform for cryptographic functionalities that support use cases Features Secure Storage HW Cryptographic Engines Secure CPU Core Scalable Security Architecture Advantages Flexibility Extendability Migration Path from existing SW solutions 18

Hardware Security Module: Analysis HSM physically separate from CPU Less secure than a single chip: connection between CPU and HSM not secure. Suitable for short-term designs or low-security applications with very small production runs Expensive: extra chip costs more due to the extra pins HSM in the same chip as the CPU but with a state machine More secure than external chip and more cost-effective Not flexible: Hardware structure not modifiable. Automotive microcontroller life cycle is more than 20 years Suitable for very high security applications with very short lifetimes Cryptographic applications will need to be implemented at the application CPU level: possible performance issues. Changing a state machine requires hardware redesign and is very expensive HSM in the same chip as the CPU but with a programmable secure core proposed solution Secure and cost-effective Flexible because of programmable core. Usable for other industries 19 Different topologies of HSM EVITA light version (Sensor/Actuator level) 20

Different topologies of HSM EVITA Medium version (ECU Level) 21 Different topologies of HSM EVITA Full version ( ECU Level V2X) 22

Hardware interface between HSM and application CPU HSM and application CPU has write/read rights for the Shared Memory Trigger through interrupt Polling optional: periodically check of the result buffer Interrupts EVITA Hardware Shared Memory Application CPU Databus 23 EVITA On-Board Architecture Deployment 24

Software Architecture: Autosar Approach Software Module Host Core (ECU) App. 1 App. 2 App. 3 Service Abstraction Layer Library Driver Abstraction Layer Low-Level Interface HSM Core Driver Channel Reuse of SW Modules Service Abstraction Layer Library Driver Hardware Accelerator AES TRNG ECC... Core Hardware Module 25 Summary & Outlook Summary: Focus on securing in-vehicular applications and components Requirements analysis based on Standards: ISO 26262 & ISO/IEC (15408 & 18045) Design of a three-leveled HW architecture Design of a security software architecture based on AUTOSAR Outlook: Open specification of soft- and hardware design and protocols: Input for standardization Proof-of-concept by designing with formal methods and tools Prototypical implementation using the AUTOSAR stack CUBAS from Bosch Integration into a demonstrator 26

Thank you for your attention. www.evita-project.org Hervé Seudié Robert Bosch GmbH Corporate Sector Research and Advance Engineering Herve.seudie@de.bosch.com 27

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information