Automotive communication systems: from dependability to security
0 likes1,408 views
The document discusses the challenges related to dependability and security in automotive communication systems, emphasizing the increasing complexity and safety requirements of embedded systems. It outlines various impediments to safety, such as the lack of formal verification and the externalization of development, while also addressing security risks from both physical and remote attacks. The presentation highlights the need for improved verification methods and potential solutions like virtualization to enhance security in automotive systems.
![Dependability vs Security [from Laprie et al, ref.3]
“absence of unauthorized access to,
or handling of, system state”
“ability to
deliver a
service that Dependability Security
can justifiably
be trusted ”
Availability Reliability Safety Confidentiality Integrity Maintenability
Readiness for Continuity of Absence of Absence of Absence of Ability to
usage service catastrophic unauthorized improper undergo
consequences disclosure of system repairs and
for authorized information alterations evolutions
users only
“unauthorized”
system alteration
© 2011 INRIA / RealTime-at-Work - 2](https://image.slidesharecdn.com/vca2011color-110606025645-phpapp02/85/Automotive-communication-systems-from-dependability-to-security-2-320.jpg)
![Electronics is the driving force of innovation
Many new functions are safety
critical: brake assist, cruise control,
lane keeping, dynamic lights, etc
Picture from [10]
– 90% of new functions use software
– Electronics: 40% of total costs
– Huge complexity: 70 ECUs, 2500 signals,
>6 comm. protocols, multi-layered run-time
environment (AUTOSAR), multi-source
software, multi-core CPUs, number of
variants, etc
Strong costs and time-to-market constraints !
© 2011 INRIA / RealTime-at-Work - 4](https://image.slidesharecdn.com/vca2011color-110606025645-phpapp02/85/Automotive-communication-systems-from-dependability-to-security-4-320.jpg)
![BMW 7 Series networking architecture [10]
ZGW = central
gateway
4 CAN buses
1 FlexRay Bus
1 MOST bus
Several LIN Buses
(not shown here)
1 Ethernet bus
Wireless
Picture from [4]
© 2011 INRIA / RealTime-at-Work - 5](https://image.slidesharecdn.com/vca2011color-110606025645-phpapp02/85/Automotive-communication-systems-from-dependability-to-security-5-320.jpg)
![Impediments to safety: complexity!
Technologies: numerous, complex and not
explicit. conceived for critical systems
– e.g.: more than 150 specification documents
(textual) for Autosar, no two implementations
can behave identically!
Size of the system!
– Number of functional domains, buses, gateways, Autosar Basic Software
ECUs, size of code, tasks, wiring, number of
variants, etc
Design process
– Most developments are not done in-house :
less control on externalized developments
– Carry-over / Vehicle Family Management : need to
share/re-use architecture and sub-systems between
several brands/models with different requirements [2]
– Optimized solutions for each component / function
does not lead to a global optimal! [2] Wiring harness
Picture from [4]
© 2011 INRIA / RealTime-at-Work - 6](https://image.slidesharecdn.com/vca2011color-110606025645-phpapp02/85/Automotive-communication-systems-from-dependability-to-security-6-320.jpg)
![impediments to safety: cultural/regulatory
Eg: Automotive embedded systems have not been designed
with the same standards as airplanes - different tradeoff costs
/ safety :
little (no?) fault-tolerance using hardware redundancy
Technical parameters are regarded as less important than cost for
supplier / components selection [2]
ISO2626-2 upcoming standard: no safety quantification, in-house
certification accepted
Lack well-accepted design process, decision on experience, “gut-
feeling”, poor tool support [2]
Verification / validation does not ensure 100% coverage
Formal verification is gaining acceptance:
code analysis, timing analysis, etc
© 2011 INRIA / RealTime-at-Work - 7](https://image.slidesharecdn.com/vca2011color-110606025645-phpapp02/85/Automotive-communication-systems-from-dependability-to-security-7-320.jpg)
![Several hundreds of timing constraints:
responsiveness, data refresh rate
Constraint :
brake light on < 50ms
Stimulus Response
Figure from [12]
© 2011 INRIA / RealTime-at-Work - 9](https://image.slidesharecdn.com/vca2011color-110606025645-phpapp02/85/Automotive-communication-systems-from-dependability-to-security-9-320.jpg)
![Why timing constraints may not be respected
occasionally?
Middleware
Lack of precise specification : hard to identify Frame-packing task
5ms
the right timing requirements for each function
Lack of traceability : from the architects to the suppliers
Flaws in the verification:
– Knowledge of the system and its environment is incomplete: Waiting queue:
• What is done by the suppliers?
- FIFO
• Implementation choices really matter and standards do
not say everything 2 - Highest Priority
• Environmental issues: EMI, α-particles, heat, etc First
• Traffic is not always well characterized and/or well modeled 1 - OEM specific
e.g. aperiodic traffic ?! see [5]
– Testing /simulation alone is not enough CAN Controller
– Analysis is not enough too:
• Analytic models, especially complex ones, can be wrong 9 6 8
(remember “ CAN analysis refuted, revisited, etc” [6] ?!)
• They are often much simplified abstraction of reality buffer Tx
and might become optimistic: neglect FIFOs, hardware limitations
CAN Bus
© 2011 INRIA / RealTime-at-Work - 10](https://image.slidesharecdn.com/vca2011color-110606025645-phpapp02/85/Automotive-communication-systems-from-dependability-to-security-10-320.jpg)
![Threats to dependability:
Faults → errors → service failures [3]
When faults are introduced in the development phase ?
– Requirements capture + Specification + SW development: 99% (infineon [10])
– HW development : ε
Why ? The factors :
– Technologies: not conceived with dependability as a priority
– Complexity / size of the system
– Developments are mainly externalized
– Strong cost / time-to-market pressure
– Limited regulatory constraints
– Limited used of formal methods for verification
– Human factors
– etc
© 2011 INRIA / RealTime-at-Work - 12](https://image.slidesharecdn.com/vca2011color-110606025645-phpapp02/85/Automotive-communication-systems-from-dependability-to-security-12-320.jpg)
![Physical access to the vehicle:
experiments in [11]
Connection to the OBD-II port
Attacks performed :
Picture from [11]
– Manipulate speedometer
– Injection of malicious code by re-flashing ECUs
(while driving!)
– Disable communications on the CAN buses
– Disable all lights
– Stop the engine
– Disable / lock (specific) brakes
– Were able to manipulate all ECUs!
© 2011 INRIA / RealTime-at-Work - 15](https://image.slidesharecdn.com/vca2011color-110606025645-phpapp02/85/Automotive-communication-systems-from-dependability-to-security-15-320.jpg)
![References [1] N. Navet, F. Simonot-Lion, editors, The Automotive Embedded Systems
Handbook, Industrial Information Technology series, CRC Press / Taylor and
Francis, ISBN 978-0849380266, December 2008.
[2] RealTime-at-Work (RTaW), RTaW-Sim: a Fine-Grained Simulator of Controller
Area Network with Fault-Injection Capabilities, freely available on RTaW web
site: http://www.realtimeatwork.com, 2010.
[3] A. Avizienis, J.C. Laprie, B. Randell, “Dependability and its threat: a
taxonomy", IFIP Congress Topical Sessions 2004.
[4] D. Khan, R. Bril, N. Navet, “Integrating Hardware Limitations in CAN
Schedulability Analysis“, WiP at the 8th IEEE International Workshop on
Factory Communication Systems (WFCS 2010), Nancy, France, May 2010.
[5] D. Khan, N. Navet, B. Bavoux, J. Migge, “Aperiodic Traffic in Response Time
Analyses with Adjustable Safety Level“, IEEE ETFA2009, Mallorca, Spain,
September 22-26, 2009.
[6] R. Davis, A. Burn, R. Bril, and J. Lukkien, “Controller Area Network (CAN)
schedulability analysis: Refuted, revisited and revised”, Real-Time Systems,
vol. 35, pp. 239–272, 2007.
[7] M. D. Natale, “Evaluating message transmission times in Controller Area
Networks without buffer preemption”, in 8th Brazilian Workshop on Real-Time
Systems, 2006.
[8] C. Braun, L. Havet, N. Navet, "NETCARBENCH: a benchmark for techniques
and tools used in the design of automotive communication systems", Proc IFAC
FeT 2007, Toulouse, France, November 7-9, 2007.
[9] R. Kaiser, D. Zöbel, “Quantitative Analysis and Systematic Parametrization of a
Two-Level Real-Time Scheduler”, paper and slides at IEEE ETFA’2009.
[10] P. Leteinturier, “Next Generation Powertrain Microcontrollers”, International
Automotive Electronics Congress, November 2007.
[11] K. Koscher et al, “Experimental Security Analysis of a Modern Automobile”,
IEEE Symposium on Security and Privacy, 2010.
[12] AUTOSAR, “Specification of Timing Extensions”, Release 4.0 Rev 2, 2010.
© 2011 INRIA / RealTime-at-Work - 19](https://image.slidesharecdn.com/vca2011color-110606025645-phpapp02/85/Automotive-communication-systems-from-dependability-to-security-19-320.jpg)
Automotive communication systems: from dependability to security
- 1. Automotive communication systems : from dependability to security Nicolas NAVET Real-Time and Interoperability (TRIO) Group at INRIA Nancy 1st Seminar on Vehicular Communications and Applications (VCA 2011) NetLab / SnT, Luxembourg - 30/05/2011
- 2. Dependability vs Security [from Laprie et al, ref.3] “absence of unauthorized access to, or handling of, system state” “ability to deliver a service that Dependability Security can justifiably be trusted ” Availability Reliability Safety Confidentiality Integrity Maintenability Readiness for Continuity of Absence of Absence of Absence of Ability to usage service catastrophic unauthorized improper undergo consequences disclosure of system repairs and for authorized information alterations evolutions users only “unauthorized” system alteration © 2011 INRIA / RealTime-at-Work - 2
- 3. Outline 1. Trends in automotive embedded systems: increasing safety requirements and complexity 2. The (numerous) impediments/threats to dependability: with a focus on timing constraints verification 3. Security against malicious attacks : physical access to the vehicle or wireless access Focus on the verification issues at the development phase of the communication systems - highlight issues, not about solutions © 2011 INRIA / RealTime-at-Work - 3
- 4. Electronics is the driving force of innovation Many new functions are safety critical: brake assist, cruise control, lane keeping, dynamic lights, etc Picture from [10] – 90% of new functions use software – Electronics: 40% of total costs – Huge complexity: 70 ECUs, 2500 signals, >6 comm. protocols, multi-layered run-time environment (AUTOSAR), multi-source software, multi-core CPUs, number of variants, etc Strong costs and time-to-market constraints ! © 2011 INRIA / RealTime-at-Work - 4
- 5. BMW 7 Series networking architecture [10] ZGW = central gateway 4 CAN buses 1 FlexRay Bus 1 MOST bus Several LIN Buses (not shown here) 1 Ethernet bus Wireless Picture from [4] © 2011 INRIA / RealTime-at-Work - 5
- 6. Impediments to safety: complexity! Technologies: numerous, complex and not explicit. conceived for critical systems – e.g.: more than 150 specification documents (textual) for Autosar, no two implementations can behave identically! Size of the system! – Number of functional domains, buses, gateways, Autosar Basic Software ECUs, size of code, tasks, wiring, number of variants, etc Design process – Most developments are not done in-house : less control on externalized developments – Carry-over / Vehicle Family Management : need to share/re-use architecture and sub-systems between several brands/models with different requirements [2] – Optimized solutions for each component / function does not lead to a global optimal! [2] Wiring harness Picture from [4] © 2011 INRIA / RealTime-at-Work - 6
- 7. impediments to safety: cultural/regulatory Eg: Automotive embedded systems have not been designed with the same standards as airplanes - different tradeoff costs / safety : little (no?) fault-tolerance using hardware redundancy Technical parameters are regarded as less important than cost for supplier / components selection [2] ISO2626-2 upcoming standard: no safety quantification, in-house certification accepted Lack well-accepted design process, decision on experience, “gut- feeling”, poor tool support [2] Verification / validation does not ensure 100% coverage Formal verification is gaining acceptance: code analysis, timing analysis, etc © 2011 INRIA / RealTime-at-Work - 7
- 8. Threats to safety : the case of timing constraints © 2011 INRIA / RealTime-at-Work - 8
- 9. Several hundreds of timing constraints: responsiveness, data refresh rate Constraint : brake light on < 50ms Stimulus Response Figure from [12] © 2011 INRIA / RealTime-at-Work - 9
- 10. Why timing constraints may not be respected occasionally? Middleware Lack of precise specification : hard to identify Frame-packing task 5ms the right timing requirements for each function Lack of traceability : from the architects to the suppliers Flaws in the verification: – Knowledge of the system and its environment is incomplete: Waiting queue: • What is done by the suppliers? - FIFO • Implementation choices really matter and standards do not say everything 2 - Highest Priority • Environmental issues: EMI, α-particles, heat, etc First • Traffic is not always well characterized and/or well modeled 1 - OEM specific e.g. aperiodic traffic ?! see [5] – Testing /simulation alone is not enough CAN Controller – Analysis is not enough too: • Analytic models, especially complex ones, can be wrong 9 6 8 (remember “ CAN analysis refuted, revisited, etc” [6] ?!) • They are often much simplified abstraction of reality buffer Tx and might become optimistic: neglect FIFOs, hardware limitations CAN Bus © 2011 INRIA / RealTime-at-Work - 10
- 11. Illustration: Worst-Case Response Times on a CAN bus Frame waiting queues are HPF, except ECU1 where queue is FIFO the OEM does not know or verification software cannot handle it … Analysis Setup: - Typical body network with 15 ECUs generated by NETCARbench (freely available) - WCRT computed with NETCAR-Analyzer (freely available) Many high-priority frames are delayed here because a single ECU (out of 15) has a FIFO queue … © 2011 INRIA / RealTime-at-Work - 11
- 12. Threats to dependability: Faults → errors → service failures [3] When faults are introduced in the development phase ? – Requirements capture + Specification + SW development: 99% (infineon [10]) – HW development : ε Why ? The factors : – Technologies: not conceived with dependability as a priority – Complexity / size of the system – Developments are mainly externalized – Strong cost / time-to-market pressure – Limited regulatory constraints – Limited used of formal methods for verification – Human factors – etc © 2011 INRIA / RealTime-at-Work - 12
- 13. Security : some identified risks and scenarios © 2011 INRIA / RealTime-at-Work - 13
- 14. Security : two scenarios Case 1 : attackers have physical access to the vehicle − Easy to get access to internal networks through the On-Board Diagnostic (OBDII) port − AFAIK, automotive systems are not protected at all − Open question: should we go beyond basic protection measures? Can we afford it? Case 2 : remote access through wireless networks − Strong protection needed against remote attacks because of Internet access, manufacturer telematics services, Car-to-Car & Car-to-infrastructure communication, , etc − Open question: is it the case today ? © 2011 INRIA / RealTime-at-Work - 14
- 15. Physical access to the vehicle: experiments in [11] Connection to the OBD-II port Attacks performed : Picture from [11] – Manipulate speedometer – Injection of malicious code by re-flashing ECUs (while driving!) – Disable communications on the CAN buses – Disable all lights – Stop the engine – Disable / lock (specific) brakes – Were able to manipulate all ECUs! © 2011 INRIA / RealTime-at-Work - 15
- 16. Attacks through the wireless interfaces Issue: there are a number of ECUs that have access to both the internal networks and wireless networks, e.g. radio player, bluetooth transmitters, wireless tire pressure sensors, etc Code injection in other ECUs, Code injection Denial-of-service by flooding, external attack Falsification, etc Telematics & Networks for Multimedia networks real-time control (wired / wireless ) (CAN, FlexRay, Lin) An “infected” vehicle may contaminate others. © 2011 INRIA / RealTime-at-Work - 16
- 17. Virtualization as a means to enforce security Example: Radio-player or Body Control Module with both an infotainment (eg., Linux, Android) and an Autosar Virtual Machine (VM) Communication between VMs through the hypervisor “secure” mechanisms Benefits – Security despite open systems Hypervisor – Preserve segregation in “vehicle domains” – Best of both worlds in terms of know-how, Telematics & Networks for time-to-market Multimedia networks real-time control – etc (wired / wireless ) (CAN, FlexRay, Lin) A likely use-case of virtualization – open questions: which technical solutions? role/business model among actors? change wrt aftermarket? etc © 2011 INRIA / RealTime-at-Work - 17
- 18. References © 2011 INRIA / RealTime-at-Work - 18
- 19. References [1] N. Navet, F. Simonot-Lion, editors, The Automotive Embedded Systems Handbook, Industrial Information Technology series, CRC Press / Taylor and Francis, ISBN 978-0849380266, December 2008. [2] RealTime-at-Work (RTaW), RTaW-Sim: a Fine-Grained Simulator of Controller Area Network with Fault-Injection Capabilities, freely available on RTaW web site: http://www.realtimeatwork.com, 2010. [3] A. Avizienis, J.C. Laprie, B. Randell, “Dependability and its threat: a taxonomy", IFIP Congress Topical Sessions 2004. [4] D. Khan, R. Bril, N. Navet, “Integrating Hardware Limitations in CAN Schedulability Analysis“, WiP at the 8th IEEE International Workshop on Factory Communication Systems (WFCS 2010), Nancy, France, May 2010. [5] D. Khan, N. Navet, B. Bavoux, J. Migge, “Aperiodic Traffic in Response Time Analyses with Adjustable Safety Level“, IEEE ETFA2009, Mallorca, Spain, September 22-26, 2009. [6] R. Davis, A. Burn, R. Bril, and J. Lukkien, “Controller Area Network (CAN) schedulability analysis: Refuted, revisited and revised”, Real-Time Systems, vol. 35, pp. 239–272, 2007. [7] M. D. Natale, “Evaluating message transmission times in Controller Area Networks without buffer preemption”, in 8th Brazilian Workshop on Real-Time Systems, 2006. [8] C. Braun, L. Havet, N. Navet, "NETCARBENCH: a benchmark for techniques and tools used in the design of automotive communication systems", Proc IFAC FeT 2007, Toulouse, France, November 7-9, 2007. [9] R. Kaiser, D. Zöbel, “Quantitative Analysis and Systematic Parametrization of a Two-Level Real-Time Scheduler”, paper and slides at IEEE ETFA’2009. [10] P. Leteinturier, “Next Generation Powertrain Microcontrollers”, International Automotive Electronics Congress, November 2007. [11] K. Koscher et al, “Experimental Security Analysis of a Modern Automobile”, IEEE Symposium on Security and Privacy, 2010. [12] AUTOSAR, “Specification of Timing Extensions”, Release 4.0 Rev 2, 2010. © 2011 INRIA / RealTime-at-Work - 19
- 20. Questions / feedback ? Please get in touch at : nicolas.navet@inria.fr © 2011 INRIA / RealTime-at-Work - 20