Autonomous Driving End-to-End Security Architecture

© 2017 WIND RIVER. ALL RIGHTS RESERVED. Autonomous Driving End-to-End Security Architecture Andrei Kholodnyi Wind River, Technology Office

Upload: andrei-kholodnyi

Post on 21-Apr-2017


Category:

Automotive



TRANSCRIPT


Autonomous Driving End-to-End Security Architecture
Andrei Kholodnyi
Wind River, Technology Office


The Choice for Systems That Cannot Fail

• Powering 2 billion+ devices
• Safety-certified devices running in aviation, rail, auto, medical, robotic, industrial, utility
• 300+ customers, 500+ projects, 90 aircraft in avionics market
• Trusted by 9,000+ companies
• Used by 40,000+ developers


COMMON ELEMENTS ON THE PATH TO AUTONOMY

• Optimized performance
• Safety focus
• Health monitoring
• Fail-safe
• Partitioned systems
• Reliability
• Code reuse
• Standardized interfaces


IVI and Cluster

Wind River Helix Cockpit with Yocto Project IVI
• Secure Linux
• Media stack
• Android containers

ADAS & Autonomous

Wind River Helix Drive
• 26262/ASIL-D Kernel
• Safety architecture
• Multi-Sensor fusion
• Motion planning framework
• Deterministic Actuation
• Advanced security

Gateways

Wind River Pulsar Linux

TCU

Smart antenna

WIND RIVER HELIX CHASSIS

Third-Party Cloud Solutions

Wearables

Consumer Devices

Smart Homes

Infrastructure

Cloud Services

Wind River Helix App Cloud cloud-based development

Wind River Helix Device Cloud for device deployment and management

SWLC Management

Wind River Helix CarSync
• SOTA
• FOTA
• Diagnostics

Cloud Security

CSP with secure connection of IVN to EVN (IoT)

Sensors

Wind River RocketOS for MCUs

Security

• Hyperscan
• McAfee
• Security Profile for Wind River Linux
• DPI


Hackathons in San Diego and Barcelona

INDUSTRY IS COMING TOGETHER TO ADDRESS SECURITY... BUT A LOT MORE IS NEEDED


THE EVOLUTION OF MALWARE

Figure (timeline, axis 1980 to 2020): Increasing Digitalization and Digital Integration

Source: escrypt

Security escalation phases:
• Hypothetical Vulnerabilities Identified
• Security Threats Become Relevant in Practice
• Regular Security Breaches with Severe Damages

Chart rows: Auto, ICS, Mobile Phones, PC, Servers, ???

Events marked on the timeline:
• ICS-CERT (2008)
• CAESS (2010)
• GSM Interface Exploit (2015)
• Stuxnet and Duqu (2010/11)
• German Steel Plant (2014)
• AS/1 Card Cracking (2009)
• IMSI Catcher, NSA iBanking (2014)
• Cabir, Premium SMS Fraud (2008)
• DOS via SMS DoCaMo (2008)
• I Love You (2010)
• Heart Bleed (2014)
• Sasser (2004)
• Melissa (1999)
• Michelangelo (1992)
• Leandro (1993)
• Brain (1986)
• F. Cohen (1981)
• Conficker (2008)
• NSA, PRISM Reign (2014)
• SQL Slammer (2003)
• Code Red (2001)
• Morris Worm (1988)
• Tribe Flood DDOS (1998)
• CCC BTX Hack (1984)
• Creeper (1971)


INCREASING VEHICLE CODE COMPLEXITY

• 0.65 Defect Density per 1 KLOC
• High-End Car Contains 100M LOC
• Results in 65K Possible Defects

Source: http://www.informationisbeautiful.net/visualizations/million-lines-of-code/

Source: http://scan.coverity.com


HACKING A CAR IS EASIER THAN EVER

Metasploit Framework Supports CAN Bus Hacking


CONNECTED ARCHITECTURE

External systems and networks support new services and interactions … and increase risk.

Figure: EXTERNAL VEHICLE CONNECTIONS

Diagram labels: V2V, Radio Data System (RDS), GPS, Mobile Devices, Electric Chargers, Ad hoc Network, Trusted Network (e.g., Repair Shop), Untrusted Network, Internet Backbone, ISP, BS, Access Point (AP), Open AP, Local Service, Local Service AP, Roadside Unit (RSU), Automotive Company Application Center, 3rd-Party Application Center

Legend: Unidirectional Communication, Bidirectional Communication


RESPONSE FROM THE INDUSTRY

1. SAE J3101 – Hardware-Protected Security for Ground Vehicle Applications

a) Secure boot

b) Secure storage

c) Secure execution environment

d) Other hardware capabilities …

e) OTA, authentication, detection, recovery mechanisms …

2. SAE J3061 – Cybersecurity Guidebook for Cyber-Physical Vehicle Systems

a) Enumerate all attack surfaces and conduct threat analysis

b) Reduce attack surface

c) Harden hardware and software

d) Perform security testing (penetration, fuzzing, etc.)

3. ISO 26262 2nd Edition

a) Potential interaction between safety and security

b) Cybersecurity threats to be analyzed as hazards

c) Monitoring activities for cybersecurity, including incident response tracking

d) Refer also to SAE J3061, ISO/IEC 27001, and ISO/IEC 15480


AUTOMATION LEVELS The industry is here


KEY DISTINCTIONS TRANSFORMING A CONNECTED CAR INTO AN AUTOMATED DRIVING CAR

• Level 3 – HMI notification will be provided to the driver to take over within several seconds
• More sensors – Cameras, LIDARs, RADARs, interior cameras
• Communication with environment (other cars, structures, pedestrians, etc.)
• HD maps
• Machine learning
• Safety and security


WHO ARE THE THREAT AGENTS?

Threat agents:
• SECURITY RESEARCHERS
• TERRORISTS
• CYBER ESPIONAGE
• CYBER HACKTIVISTS
• INSIDERS
• NATION STATES
• LAW ENFORCEMENT
• CAR OWNERS

Goals and motivations:
• Finding but not exploiting vulnerabilities
• Start a trade war (e.g., attack an OEM)
• Infrastructure disruption
• Misuse the system (e.g., enable AD feature)
• Retrieve activity history
• Get access to OEM data
• Political
• Financial
• Steal IP (algorithms)
• Damage OEM brand value
• Control a vehicle for personal harm
• Plant a backdoor (revenge)
• Get firmware images

AN END-TO-END AD STACK PERSPECTIVE

IN-VEHICLE

HIGH-PERFORMANCE DATA CENTER

Figure labels: Training Data Set; Validation Data Set; High-Performance HW; Optimized Machine Learning Model; OTA Update Infrastructure; AD ECU HW; Automated Driving Middleware; Autonomous Driving “Applications” (three boxes); Operating System; Training; Optimization / Validation; Real-Time Telemetry and Analytics; Secure, Reliable, Compressed Model; Training Data Annotation; DL Model Optimizer; Real-World Simulator; Optimizer Tool; HW Optimized ML Framework; HD Maps


TECHNOLOGY AND TRENDS FOR HARDWARE

Computing Units

Comparator


END-TO-END DATA PATH SECURITY THREATS

Diagram labels:
• Sensors
• V2X Communication
• Cloud
• HMI
• Computing Unit 1: Environment Model, Strategy, Trajectory Planning
• Computing Unit 2: Environment Model, Strategy, Trajectory Planning
• Comparator: Trajectory Compare
• Actuators Control
• Actuators

Main Attack Surfaces
• External input: Interface, Processing
• Internal processing: Processing, Communication
• External output: Interface, Processing

Manipulation on Data-in-Motion
• Integrity
• Timing
• Availability
• Correlation

Major Consequences
• False positive notification
• False negative notification
• Delayed actuation
• Missing actuation
• Failure in enabling control
• Failure in disabling control
• User mistrust
• User discomfort


SDL ECU Physical Security

HW Security

DEFENSE IN DEPTH – ECU LEVEL

SW Platform Security

CPU Security

HSM

Intrusion Prevention

SW hardening

Perimeter Hardening

Compartmentalization

Access Protection

Security Management

Secure Boot, Key Storage, etc.

Application Security

Data-in-motion Security

App Management

SW Management

Secure Extensions (SGX, TrustZone)

Hypervisors, Containers, etc.

OS Hardening, Compiler Setting, etc.

Firewalls, Debug Ports, etc.

IDPS, Virus Scans, etc.

OTA, Patch Management

SCAP, SIEM, etc.

Secure Communication (e.g., SSL, TLS)

RBAC, Trustworthiness, etc.

Security Testing

Network-Based Penetration Testing

Dynamic Binary Analysis

Static Code Analysis

Fuzzing

AFL, Trinity

E.g., Kali Linux

Static Code Analysis Tools

angr, etc.

Security Tools

Threat Analysis

Threat Modeling Tool

Automated framework

mechaphish


Actuators, Sensors, Main AD ECU

Hardware Security

DEFENSE IN DEPTH – INTRA-ECU LEVEL

Hardware Identity

Software Platform Security

ECU Authentication

ECU Authorization

ECU Topology Trustworthy

Application Security

Data-in-motion Trustworthy

Application RBAC


ESSENTIAL DEVELOPMENT PRACTICES

Threat Analysis and Risk Assessment (TARA)

Security Requirements

Implementation

Security Testing

Release

• Define applicable attack surfaces
• Define identified threats
• Assign severity
• Threat analysis
• Establish security requirements
• Create quality gates
• Security and privacy risk assessment
• Use approved tools
• Develop security measures
• Deprecate unsafe functions
• Static analysis
• Dynamic analysis
• Fuzz testing
• Attack surface review
• Verify security measures
• Incident response plan
• Final security review
• Documentation

Response

• Execute incident response plan


ROAD TO SELF-ADAPTIVE SECURITY

Good: Baseline
• Security core features (HW)
• Security core features (SW)
• Standard compliance

Better: More Security Services
• Secure OTA
• Hardware Identity
• IDPS
• Security management

Best: Self-Optimizing
• Multi-agent systems with the aim of self-healing and self-recovery
• Security analytics
• PSIRT automation

Self-Adaptive
• Systems that can evaluate and modify their own behavior to improve efficiency


SUMMARY

• New security threats arise on the way to automated driving (machine learning, AD system - driver interaction, V2X, etc.)
• Automotive industry works on new security standards
• Defense in depth on ECU and intra-ECU levels
• No safety without security (intersection of both)
• Security best practices are important (SDL, PSIRT)
• Road to self-healing vehicles
