autonomous driving end-to-end security architecture
TRANSCRIPT
© 2017 WIND RIVER. ALL RIGHTS RESERVED.
Autonomous Driving End-to-End Security ArchitectureAndrei KholodnyiWind River, Technology Office
2 © 2017 WIND RIVER. ALL RIGHTS RESERVED.
The Choice for Systems That Cannot Fail
� Powering 2 billion+ devices
� Safety-certified devices running in
aviation, rail, auto, medical, robotic,
industrial, utility
� 300+ customers, 500+ projects, 90
aircraft in avionics market
� Trusted by 9,000+ companies
� Used by 40,000+ developers
3 © 2017 WIND RIVER. ALL RIGHTS RESERVED.
COMMON ELEMENTS ON THE PATH TO AUTONOMY
� Optimized performance� Safety focus� Health monitoring� Fail-safe � Partitioned systems� Reliability� Code reuse � Standardized interfaces
4 © 2017 WIND RIVER. ALL RIGHTS RESERVED.
IVI and Cluster
Wind River Helix Cockpitwith Yocto Project IVISecure LinuxMedia stackAndroid containers
ADAS & Autonomous
Wind River Helix Drive• 26262/ASIL-D Kernel• Safety architecture• Multi-Sensor fusion• Motion planning framewrk• Deterministic Actuation• Advanced security
Gateways
Wind River Pulsar LinuxTCU
Smart antenna
WIND RIVER HELIX CHASSIS
Third-PartyCloud Solutions
Wearables
Consumer Devices
Smart Homes
Infrastructure
Cloud Services
Wind River Helix App Cloud cloud-based development
Wind River Helix Device Cloud for device deployment and management
SWLC Management
Wind River Helix CarSyncSOTAFOTADiagnostics
Cloud Security
CSP with secure connectionof IVN to EVN (IoT)
Sensors
Wind River RocketOS for MCUs
Security
HyperscanMcAfeeSecurity Profile forWind River LinuxDPI
5 © 2017 WIND RIVER. ALL RIGHTS RESERVED.
Hackathons in San Diego and Barcelona
INDUSTRY IS COMING TOGETHER TO ADDRESS SECURITY... BUT A LOT MORE IS NEEDED
6 © 2017 WIND RIVER. ALL RIGHTS RESERVED.
THE EVOLUTION OF MALWARE
1980 1985 1990 1995 2000 2005
Source: escrypt
Increasing Digitalization and Digital Integration
Security Escalation:Hypothetical Vulnerabilities
IdentifiedSecurity Threats Become
Relevant in PracticeRegular Security Breaches
with Severe Damages
Auto
ICS
Mobile Phones
PC
Servers
ICS-CERT(2008)
20152010 2020
???
CAESS(2010)
GSM Interface Exploit (2015)
Stuxnet and Duqu(2010/11)
German Steel Plant (2014)
AS/1 Card Cracking (2009)
IMSI Catcher, NSA iBanking (2014)
Cabir, Premium SMS Fraud (2008)
DOS via SMSDoCaMo (2008)
I Love You(2010)
Heart Bleed(2014)
Sasser(2004)
Melissa(1999)
Michelangelo(1992)
Leandro(1993)
Brain(1986)
F. Cohen(1981)
Confliker(2008)
NSA, PRISM Reign(2014)
SQL Slammer(2003)
Code Red(2001)
Morris Worm(1988)
Tribe Flood DDOS(1998)
CCC BTX Hack(1984)
Creeper(1971)
7 © 2017 WIND RIVER. ALL RIGHTS RESERVED.
Source: http://www.informationisbeautiful.net/visualizations/million-lines-of-code/
Source: http://scan.coverity.com
INCREASING VEHICLE CODE COMPLEXITY
0.65 Defect Density per 1 KLOC
High-End Car Contains 100M LOC
Results in 65K Possible Defects
8 © 2017 WIND RIVER. ALL RIGHTS RESERVED.
HACKING A CAR IS EASIER THAN EVER
Metasploit Framework Supports CAN Bus Hacking
9 © 2017 WIND RIVER. ALL RIGHTS RESERVED.
CONNECTED ARCHITECTURE
V2V
Radio DataSystem (RDS)
MobileDevices
Electric Chargers
External systems and networks support new services and interactions … and increase risk.
Ad hoc Network
Trusted Network (e.g., Repair Shop)
Internet Backbone
AutomotiveCompany
Application Center
Local ServiceAP
Untrusted Network
Local Service
Open AP
Roadside Unit (RSU)
3rd-PartyApplication
Center
ISP
BS
BS
ISP
ISP
Unidirectional Communication
Bidirectional CommunicationAccess Point (AP)
GPS
EXTERNAL VEHICLE CONNECTIONS
10 © 2017 WIND RIVER. ALL RIGHTS RESERVED.
RESPONSE FROM THE INDUSTRY1. SAE J3101 – Hardware-Protected Security for Ground
Vehicle Applications
a) Secure boot
b) Secure storage
c) Secure execution environment
d) Other hardware capabilities …
e) OTA, authentication, detection, recovery mechanisms …
2. SAE J3061 – Cybersecurity Guidebook for Cyber-Physical Vehicle Systems
a) Enumerate all attack surfaces and conduct threat analysis
b) Reduce attack surface
c) Harden hardware and software
d) Perform security testing (penetration, fuzzing, etc.)
3. ISO 26262 2nd Edition
a) Potential interaction between safety and security
b) Cybersecurity threats to be analyzed as hazards
c) Monitoring activities for cybersecurity, including incident response tracking
d) Refer also to SAE J3061, ISO/IEC 27001, and ISO/IEC 15480
12 © 2017 WIND RIVER. ALL RIGHTS RESERVED.
KEY DISTINCTIONS TRANSFORMING A CONNECTED CAR INTO AN AUTOMATED DRIVING CAR
� Level 3 – HMI notification will be provided to the driver to take over within several seconds
� More sensors – Cameras, LIDARs, RADARs, interior cameras
� Communication with environment (other cars, structures, pedestrians, etc.)
� HD maps
� Machine learning
� Safety and security
13 © 2017 WIND RIVER. ALL RIGHTS RESERVED.
• Finding but not exploiting vulnerabilities
• Start a trade war (e.g., attack an OEM)
• Infrastructure disruption
• Misuse the system (e.g., enable AD feature)
• Retrieve activity history
• Get access to OEM data
WHO ARE THE THREAT AGENTS?
SECURITY RESEARCHERS • Political• Financial
• Steal IP (algorithms)• Damage OEM brand
value
• Control a vehicle for personal harm
• Plant a backdoor (revenge)
• Get firmware images
TERRORISTS
CYBER ESPIONAGE
CYBER HACKTIVISTS
INSIDERSNATION STATES
LAW ENFORCEMENT
CAR OWNERS
AN END-TO-END AD STACK PERSPECTIVEIN-VEHICLE HIGH-PERFORMANCE DATA CENTER
Training Data Set
Validation Data Set
High-Performance HW
Optimized Machine Learning Model
OTA Update Infrastructure
AD ECU HW
Automated Driving Middleware
Aut
onom
ous
Driv
ing
“App
licat
ions
”
Aut
onom
ous
Driv
ing
“App
licat
ions
”
Aut
onom
ous
Driv
ing
“App
licat
ions
”
Operating System
Training
Optimization / Validation
Real-Time Telemetry
and Analytics
Secure, Reliable,
Compressed Model
Training Data Annotation
DL Model Optimizer
Real-World Simulator
Optimizer Tool
HW Optimized ML Framework
Automated Driving Middleware
Operating System
OTA Update Infrastructure
HD Maps
Optimized Machine Learning Model
15 © 2017 WIND RIVER. ALL RIGHTS RESERVED.
TECHNOLOGY AND TRENDS FOR HARDWARE
Computing Units
Comparator
16 © 2017 WIND RIVER. ALL RIGHTS RESERVED.
END-TO-END DATA PATH SECURITY THREATS
Actuators Control
Computing Unit 1
Environment Model Strategy Trajectory
Planning
Sensors
HMI
External input� Interface� Processing Internal processing� Processing� CommunicationExternal output� Interface� Processing
� Intergrity� Timing� Availability� Correlation
� False positive notification� False negative notification� Delayed actuation� Missing actuation� Failure in enabling control� Failure in disabling control� User mistrust� User discomfort
Main Attack Surfaces Manipulation on Data-in-Motion Major Consequences
V2XCommunication
Cloud
Computing Unit 2
Environment Model Strategy Trajectory
PlanningComparator
Trajectory Compare
Actuators
17 © 2017 WIND RIVER. ALL RIGHTS RESERVED.
SDL ECU Physical Security
HW Security
DEFENSE IN DEPTH – ECU LEVEL
SW Platform Security
CPU Security
HSM
Intrusion Prevention
SW hardening
Perimeter Hardening
Compartmentalization
Access Protection
Security Management
Secure Boot, Key Storage, etc.
Application Security
Data-in-motion Security
App Management
SW Management
Secure Extensions (SGX, TrustZone)
Hypervisors, Containers, etc.
OS Hardening, Compiler Setting, etc.
Firewalls, Debug Ports, etc.
IDPS, Virus Scans, etc.
OTA, Patch Management
SCAP, SIEM, etc.
Secure Communication (e.g., SSL, TLS)
RBAC, Trustworthiness, etc.
Security Testing
Network-Based Penetration Testing
Dynamic Binary Analysis
Static Code Analysis
FuzzingAFL, Trinity
E.g., Kali Linux
Static Code Analysis Tools
angr, etc.
Security Tools
Threat AnalysisThreat Modeling Tool
Automated frameworkmechaphish
18 © 2017 WIND RIVER. ALL RIGHTS RESERVED.
ActuatorsSensors Main AD ECU
Hardware Security
DEFENSE IN DEPTH – INTRA-ECU LEVEL
Hardware Identity
Software Platform Security
ECU Authentication
ECU Authorization
ECU Topology Trustworthy
Application Security
Data-in-motion Trustworthy
Application RBAC
19 © 2017 WIND RIVER. ALL RIGHTS RESERVED.
ESSENTIAL DEVELOPMENT PRACTICES
Threat Analysis and Risk
Assessment (TARA)
Security Requirements Implementation Security Testing Release
� Define applicable surface attacks
� Define identified threats
� Assign severity
� Threat analysis
� Establish security requirements
� Create quality gates
� Security and privacy risk assessment
� Use approve tools
� Develop security measures
� Deprecate unsafe functions
� Static analysis
� Dynamic analysis
� Fuzz testing
� Attack surface review
� Verify security measures
� Incident response plan
� Final security review
� Documentation
Response
� Execute incident response plan
20 © 2017 WIND RIVER. ALL RIGHTS RESERVED.
ROAD TO SELF-ADAPTIVE SECURITY
Good: Baseline� Security core features (HW)� Security core features (SW)� Standard compliance
Better: More Security Services� Secure OTA� Hardware Identity� IDPS� Security management
Best: Self-Optimizing� Multi-agent systems with
the aim of self-healing and self-recovery
� Security analytics� PSIRT automation
Self-Adaptive� Systems that can evaluate
and modify their own behavior to improve efficiency
21 © 2017 WIND RIVER. ALL RIGHTS RESERVED.
SUMMARY
� New security threats arise on the way to automated driving (machine learning, AD system - driver interaction, V2X etc.)
� Automotive industry works on new security standards
� Defense in depth on ECU and intra-ECU levels
� No safety without security (intersection of both)
� Security best practicies are important (SDL, PSIRT)
� Road to self-healing vehicles