Autonomous driving end-to-end security architecture
7 likes1,818 views
The document discusses the evolving security challenges associated with autonomous driving technology, highlighting the complexity of vehicle software and the increasing risk of cyber threats. It outlines industry responses including new security standards and practices to ensure safety and security in connected and automated vehicles. Key themes include the necessity for an end-to-end security architecture, defense in depth, and the integration of safety and security measures.
Autonomous driving end-to-end security architecture
- 1. © 2017 WIND RIVER. ALL RIGHTS RESERVED. Autonomous Driving End-to-End Security Architecture Andrei Kholodnyi Wind River, Technology Office
- 2. 2 © 2017 WIND RIVER. ALL RIGHTS RESERVED. The Choice for Systems That Cannot Fail Powering 2 billion+ devices Safety-certified devices running in aviation, rail, auto, medical, robotic, industrial, utility 300+ customers, 500+ projects, 90 aircraft in avionics market Trusted by 9,000+ companies Used by 40,000+ developers
- 3. 3 © 2017 WIND RIVER. ALL RIGHTS RESERVED. COMMON ELEMENTS ON THE PATH TO AUTONOMY Optimized performance Safety focus Health monitoring Fail-safe Partitioned systems Reliability Code reuse Standardized interfaces
- 4. 4 © 2017 WIND RIVER. ALL RIGHTS RESERVED. IVI and Cluster Wind River Helix Cockpit with Yocto Project IVI Secure Linux Media stack Android containers ADAS & Autonomous Wind River Helix Drive • 26262/ASIL-D Kernel • Safety architecture • Multi-Sensor fusion • Motion planning framewrk • Deterministic Actuation • Advanced security Gateways Wind River Pulsar Linux TCU Smart antenna WIND RIVER HELIX CHASSIS Third-Party Cloud Solutions Wearables Consumer Devices Smart Homes Infrastructure Cloud Services Wind River Helix App Cloud cloud-based development Wind River Helix Device Cloud for device deployment and management SWLC Management Wind River Helix CarSync SOTA FOTA Diagnostics Cloud Security CSP with secure connection of IVN to EVN (IoT) Sensors Wind River Rocket OS for MCUs Security Hyperscan McAfee Security Profile for Wind River Linux DPI
- 5. 5 © 2017 WIND RIVER. ALL RIGHTS RESERVED. Hackathons in San Diego and Barcelona INDUSTRY IS COMING TOGETHER TO ADDRESS SECURITY... BUT A LOT MORE IS NEEDED
- 6. 6 © 2017 WIND RIVER. ALL RIGHTS RESERVED. THE EVOLUTION OF MALWARE 1980 1985 1990 1995 2000 2005 Source: escrypt Increasing Digitalization and Digital Integration Security Escalation: Hypothetical Vulnerabilities Identified Security Threats Become Relevant in Practice Regular Security Breaches with Severe Damages Auto ICS Mobile Phones PC Servers ICS-CERT (2008) 20152010 2020 ??? CAESS (2010) GSM Interface Exploit (2015) Stuxnet and Duqu (2010/11) German Steel Plant (2014) AS/1 Card Cracking (2009) IMSI Catcher, NSA iBanking (2014) Cabir, Premium SMS Fraud (2008) DOS via SMS DoCaMo (2008) I Love You (2010) Heart Bleed (2014) Sasser (2004) Melissa (1999) Michelangelo (1992) Leandro (1993) Brain (1986) F. Cohen (1981) Confliker (2008) NSA, PRISM Reign (2014) SQL Slammer (2003) Code Red (2001) Morris Worm (1988) Tribe Flood DDOS (1998) CCC BTX Hack (1984) Creeper (1971)
- 7. 7 © 2017 WIND RIVER. ALL RIGHTS RESERVED. Source: http://www.informationisbeautiful.net/visualizations/million-lines-of-code/ Source: http://scan.coverity.com INCREASING VEHICLE CODE COMPLEXITY 0.65 Defect Density per 1 KLOC High-End Car Contains 100M LOC Results in 65K Possible Defects
- 8. 8 © 2017 WIND RIVER. ALL RIGHTS RESERVED. HACKING A CAR IS EASIER THAN EVER Metasploit Framework Supports CAN Bus Hacking
- 9. 9 © 2017 WIND RIVER. ALL RIGHTS RESERVED. CONNECTED ARCHITECTURE V2V Radio Data System (RDS) Mobile Devices Electric Chargers External systems and networks support new services and interactions … and increase risk. Ad hoc Network Trusted Network (e.g., Repair Shop) Internet Backbone Automotive Company Application Center Local ServiceAP Untrusted Network Local Service Open AP Roadside Unit (RSU) 3rd-Party Application Center ISP BS BS ISP ISP Unidirectional Communication Bidirectional Communication Access Point (AP) GPS EXTERNAL VEHICLE CONNECTIONS
- 10. 10 © 2017 WIND RIVER. ALL RIGHTS RESERVED. RESPONSE FROM THE INDUSTRY 1. SAE J3101 – Hardware-Protected Security for Ground Vehicle Applications a) Secure boot b) Secure storage c) Secure execution environment d) Other hardware capabilities … e) OTA, authentication, detection, recovery mechanisms … 2. SAE J3061 – Cybersecurity Guidebook for Cyber-Physical Vehicle Systems a) Enumerate all attack surfaces and conduct threat analysis b) Reduce attack surface c) Harden hardware and software d) Perform security testing (penetration, fuzzing, etc.) 3. ISO 26262 2nd Edition a) Potential interaction between safety and security b) Cybersecurity threats to be analyzed as hazards c) Monitoring activities for cybersecurity, including incident response tracking d) Refer also to SAE J3061, ISO/IEC 27001, and ISO/IEC 15480
- 11. 11 © 2017 WIND RIVER. ALL RIGHTS RESERVED. AUTOMATION LEVELS The industry is here
- 12. 12 © 2017 WIND RIVER. ALL RIGHTS RESERVED. KEY DISTINCTIONS TRANSFORMING A CONNECTED CAR INTO AN AUTOMATED DRIVING CAR Level 3 – HMI notification will be provided to the driver to take over within several seconds More sensors – Cameras, LIDARs, RADARs, interior cameras Communication with environment (other cars, structures, pedestrians, etc.) HD maps Machine learning Safety and security
- 13. 13 © 2017 WIND RIVER. ALL RIGHTS RESERVED. • Finding but not exploiting vulnerabilities • Start a trade war (e.g., attack an OEM) • Infrastructure disruption • Misuse the system (e.g., enable AD feature) • Retrieve activity history • Get access to OEM data WHO ARE THE THREAT AGENTS? SECURITY RESEARCHERS • Political • Financial • Steal IP (algorithms) • Damage OEM brand value • Control a vehicle for personal harm • Plant a backdoor (revenge) • Get firmware images TERRORISTS CYBER ESPIONAGE CYBER HACKTIVISTS INSIDERSNATION STATES LAW ENFORCEMENT CAR OWNERS
- 14. AN END-TO-END AD STACK PERSPECTIVE IN-VEHICLE HIGH-PERFORMANCE DATA CENTER Training Data Set Validation Data Set High-Performance HW Optimized Machine Learning Model OTA Update Infrastructure AD ECU HW Automated Driving Middleware AutonomousDriving “Applications” AutonomousDriving “Applications” AutonomousDriving “Applications” Operating System Training Optimization / Validation Real-Time Telemetry and Analytics Secure, Reliable, Compressed Model Training Data Annotation DL Model Optimizer Real-World Simulator Optimizer Tool HW Optimized ML Framework Automated Driving Middleware Operating System OTA Update Infrastructure HD Maps Optimized Machine Learning Model
- 15. 15 © 2017 WIND RIVER. ALL RIGHTS RESERVED. TECHNOLOGY AND TRENDS FOR HARDWARE Computing Units Comparator
- 16. 16 © 2017 WIND RIVER. ALL RIGHTS RESERVED. END-TO-END DATA PATH SECURITY THREATS Actuators Control Computing Unit 1 Environment Model Strategy Trajectory Planning Sensors HMI External input Interface Processing Internal processing Processing Communication External output Interface Processing Intergrity Timing Availability Correlation False positive notification False negative notification Delayed actuation Missing actuation Failure in enabling control Failure in disabling control User mistrust User discomfort Main Attack Surfaces Manipulation on Data-in-Motion Major Consequences V2X Communication Cloud Computing Unit 2 Environment Model Strategy Trajectory Planning Comparator Trajectory Compare Actuators
- 17. 17 © 2017 WIND RIVER. ALL RIGHTS RESERVED. SDL ECU Physical Security HW Security DEFENSE IN DEPTH – ECU LEVEL SW Platform Security CPU Security HSM Intrusion Prevention SW hardening Perimeter Hardening Compartmentalization Access Protection Security Management Secure Boot, Key Storage, etc. Application Security Data-in-motion Security App Management SW Management Secure Extensions (SGX, TrustZone) Hypervisors, Containers, etc. OS Hardening, Compiler Setting, etc. Firewalls, Debug Ports, etc. IDPS, Virus Scans, etc. OTA, Patch Management SCAP, SIEM, etc. Secure Communication (e.g., SSL, TLS) RBAC, Trustworthiness, etc. Security Testing Network-Based Penetration Testing Dynamic Binary Analysis Static Code Analysis FuzzingAFL, Trinity E.g., Kali Linux Static Code Analysis Tools angr, etc. Security Tools Threat Analysis Threat Modeling Tool Automated frameworkmechaphish
- 18. 18 © 2017 WIND RIVER. ALL RIGHTS RESERVED. ActuatorsSensors Main AD ECU Hardware Security DEFENSE IN DEPTH – INTRA-ECU LEVEL Hardware Identity Software Platform Security ECU Authentication ECU Authorization ECU Topology Trustworthy Application Security Data-in-motion Trustworthy Application RBAC
- 19. 19 © 2017 WIND RIVER. ALL RIGHTS RESERVED. ESSENTIAL DEVELOPMENT PRACTICES Threat Analysis and Risk Assessment (TARA) Security Requirements Implementation Security Testing Release Define applicable surface attacks Define identified threats Assign severity Threat analysis Establish security requirements Create quality gates Security and privacy risk assessment Use approve tools Develop security measures Deprecate unsafe functions Static analysis Dynamic analysis Fuzz testing Attack surface review Verify security measures Incident response plan Final security review Documentation Response Execute incident response plan
- 20. 20 © 2017 WIND RIVER. ALL RIGHTS RESERVED. ROAD TO SELF-ADAPTIVE SECURITY Good: Baseline Security core features (HW) Security core features (SW) Standard compliance Better:More Security Services Secure OTA Hardware Identity IDPS Security management Best: Self-Optimizing Multi-agent systems with the aim of self-healing and self-recovery Security analytics PSIRT automation Self-Adaptive Systems that can evaluate and modify their own behavior to improve efficiency
- 21. 21 © 2017 WIND RIVER. ALL RIGHTS RESERVED. SUMMARY New security threats arise on the way to automated driving (machine learning, AD system - driver interaction, V2X etc.) Automotive industry works on new security standards Defense in depth on ECU and intra-ECU levels No safety without security (intersection of both) Security best practicies are important (SDL, PSIRT) Road to self-healing vehicles
- 22. ™ 22 © 2017 WIND RIVER. ALL RIGHTS RESERVED.