TRANSCRIPT
V1.0 | 2019-04-03
3. Vector Security Symposium, Stuttgart, 3 April 2019, @VectorVCS
Cybersecurity Best Practice – From TARA to PenTest
Dr. Christof Ebert, Vector Consulting
© 2019. Vector Consulting Services GmbH. All rights reserved. Any distribution or copying is subject to prior written approval by Vector. V1.0 | 2019-04-03
Agenda
1. Challenge Cybersecurity
2. Security Engineering Across the Life-Cycle
3. Case Study: Vector Grey-Box PenTesting
4. Conclusions and Outlook
Challenge Cybersecurity
Vector Client Survey 2019: Safety and Security are Biggest Challenge – Today and Tomorrow
[Figure: scatter chart of survey answers. Horizontal axis: short-term challenges (0–70%); vertical axis: mid-term challenges (0–60%). Categories plotted: Safety / Security, Innovation, Competences, Efficiency, Flexibility, Distributed teams, Connectivity, Quality, Complexity, Digital transformation, Compliance, Others. Safety / Security ranks highest on both axes. Annotation: "The Fight of the Two Forces" – Innovation / Competitiveness versus Safety / Security.]
Vector Client Survey 2019. Details: www.vector.com/trends.
Sum > 300% due to 5 answers per question. Strong validity with 4% response rate of 2000 recipients from different industries worldwide.
Challenge Cybersecurity
ACES (Autonomy, Connectivity, e-Mobility, Services)
[Figure: connected-vehicle ecosystem – vehicle with OBD, DSRC and 4/5G links to Suppliers, OEM, Public Clouds, Service Provider and ITS Operator.]
Automotive cybersecurity will be the major liability risk in the future. The average security gap is detected in 70% of cases by a third party – and will be exploited.
Cyberattacks and hazards:
• Password attacks
• Application vulnerabilities
• Rogue clients, malware
• Man-in-the-middle attacks
• Eavesdropping, data leakage
• Command injection, data corruption, back doors
• Physical attacks, sensor confusion
• Trojans, ransomware
Security Engineering Across the Life-Cycle
Risk-Based Security Engineering Covers the Entire Life-Cycle
[Figure: V-model of security engineering activities – Assets, Threats and Risk Assessment; Security Goals and Requirements; Technical Security Concept; Security Implementation; Security Verification; Security Validation; Security Case, Assessment, Compliance; Security Management in Production, Operation, Service.]
Systematic risk-oriented security engineering across the life-cycle:
1) Threat and risk analysis drive risk-oriented hardening
2) Verification and validation with a grey-box approach
Security Engineering Across the Life-Cycle
From TARA to Requirements and Traceability
[Figure: three columns Requirements | Architecture | Test, with three levels traced across the columns:]
• System level: Assets, TARA, Security Goals – verified by Grey-Box Penetration Test, Robustness Tests, Fuzzing
• Functional level: Functional security requirements – verified by Functional Tests, Security Testing
• SW/HW level: Technical security requirements – verified by Unit Test, Static Code Analysis
[Architecture column: component diagram "cmp High level architecture" of an ECU software stack – Security Module (Seed/Key, Verification, Decryption); Diagnostics; Communication Stack and Interprocessor Communication Stack (Indications, Transmit); Task Handling (Com Task, Diag Task, Mem Task, Timer, Trigger); Watchdog; Data Processing (Decryption, Decompression); Delta Download Library and Memory Handling Library (Memory block operation, Stream Output, Abstract memory operation); Multiple Memory I/O Manager; Memory Drivers (Memory I/O).]
Security Engineering Across the Life-Cycle
Security by Design and Security by Lifecycle: Hardware Security Module (HSM)
HSM design objectives
• Harden ECUs against SW and selected HW attacks
• Provide HW acceleration for crypto functions
• Support ECU-to-ECU communication protection
HSM profiles, e.g. EVITA
• HSM full: support strong authentication (e.g. via RSA, ECC); support complex block ciphers; high performance
• HSM medium: secure ECU-to-ECU communication
• HSM small (EVITA "light"): secure critical sensors / actuators; simple block ciphers; low-cost modules
[Figure: microcontroller block diagram – host CPU with RAM, Flash and SW crypto, connected over an internal connection to the HSM secure zone (HSM CPU, Secure Memory, HW Crypto); Network Interface to the vehicle network.]
Security Engineering Across the Life-Cycle
Safety and Security by Design: MICROSAR 4.3 upwards
[Figure: MICROSAR AUTOSAR basic software on a microcontroller with vHSM. Modules shown: Rte; Application; DIAG (Dcm, Dpm); COM (PduR, SecOC, DemSem); ETH (Tls, IPSec, V2G, vEthFw, vXMLSecurity, vECUAuth); CRYPTO (Csm, CryIf, Crypto(SW), Crypto(vHSM), KeyM, vKeyM (OEM X), vSecMod (OEM X), vFVM (OEM X), CertM, Addon Asymmetric Crypto, Addon vHSM); MEM (NvM, encrypted NVM blocks); FBL and Updater; Secure Boot; Secure Update.]
• ASIL A-D hardened
• Secure On-Board Communication
• Key management, crypto handling
• Firewall, Intrusion Detection
• HW-based security: secure boot and HSM
Security Engineering Across the Life-Cycle
Security Implementation, Verification and Validation
Design
• Defensive coding, e.g. memory allocation, avoid injectable code, least privileges
• Programming rules such as MISRA-C, SEI CERT
• High cryptographic strength in line with performance needs
• Key management and HW-based security
• Awareness and governance towards social engineering
V&V Methods and Tools
• Static / dynamic code analyzer
• Unit test with focused coverage, e.g. MC/DC
• Interface scanner, layered fuzzing tester, encryption cracker, vulnerability scanner
• Risk-based penetration testing
Classic coverage testing is not sufficient anymore. Test for the known – and for the unknown. Ensure automatic regression tests run with each delivery.
Security Engineering Across the Life-Cycle
Vector SecurityCheck with COMPASS for TARA and Continuous Documentation
Vector SecurityCheck facilitates:
• Systematic risk assessment and mitigation
• Traceability and governance with an auditable risk and measure list
• Heuristic checklists with continuously updated threats and mitigations
COMPASS information: www.vector.com/compass
Case Study: Vector Grey-Box PenTesting
Vector Grey-Box PenTesting
At Vector we have developed a grey-box security testing method for more efficiency and effectiveness. We follow the black-box security testing approach, while considering specific risks due to attacks and implementation.
Case study: Gateway ECU
• Assets and TARA with COMPASS
• Test focus: PenTesting based on identified assets and risks
• Quality results and findings
• Cost and time effective
Rather than brute-force PenTesting, we deploy with clients grey-box PenTesting based on TARA, abuse/misuse cases and architecture know-how.
Case Study: Vector Grey-Box PenTesting
Vector Grey-Box PenTesting
On this basis we conduct a mini-TARA and identify the attack vectors and scenarios for each asset.
We refine the resulting security goals into negative requirements (e.g. misuse, abuse and confuse cases) and into the functional and technical security requirements that help to achieve them.
This allows us to prioritize the subsequent PenTesting steps by security risk, i.e. window of opportunity and attack consequences.
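The following Python sketch is an added illustration of the prioritization described above; it is not Vector's COMPASS/SecurityCheck method and not data from the case study. The ordinal scales for window of opportunity, attacker effort and consequence, the additive feasibility rating, the risk product and the four gateway scenarios are all assumptions chosen for illustration.

```python
"""Mini-TARA for a gateway ECU, used to order grey-box PenTest steps by risk.

Added illustration, not Vector's COMPASS/SecurityCheck method. The ordinal scales,
the additive feasibility rating, the risk product and the scenarios are assumptions.
"""
from dataclasses import dataclass

# Assumed ordinal scales; 4 is the worst case for the defender.
WINDOW_OF_OPPORTUNITY = {"remote": 4, "vehicle_network": 3, "physical": 2, "physical_invasive": 1}
ATTACKER_EFFORT = {"layman": 4, "proficient": 3, "expert": 2, "multiple_experts": 1}
CONSEQUENCE = {"negligible": 1, "moderate": 2, "major": 3, "severe": 4}


@dataclass(frozen=True)
class AttackScenario:
    asset: str
    security_goal: str   # positive goal the scenario would violate
    vector: str          # how the attacker reaches the asset
    window: str          # key into WINDOW_OF_OPPORTUNITY
    effort: str          # key into ATTACKER_EFFORT
    consequence: str     # key into CONSEQUENCE
    misuse_case: str     # negative requirement derived from the scenario


def feasibility(s: AttackScenario) -> int:
    """Attack feasibility 1..4: window of opportunity plus attacker effort (2..8), rescaled."""
    return (WINDOW_OF_OPPORTUNITY[s.window] + ATTACKER_EFFORT[s.effort] + 1) // 2


def risk(s: AttackScenario) -> int:
    """Risk 1..16: feasibility times attack consequence."""
    return feasibility(s) * CONSEQUENCE[s.consequence]


def pentest_plan(scenarios):
    """PenTest order: highest risk first, ties broken by feasibility, then by asset name."""
    return sorted(scenarios, key=lambda s: (risk(s), feasibility(s), s.asset), reverse=True)


def negative_requirements(scenarios):
    """Turn the ordered scenarios into prioritized misuse-case ("shall not") requirements."""
    return [
        {"priority": n, "asset": s.asset, "risk": risk(s),
         "goal": s.security_goal, "shall_not": s.misuse_case}
        for n, s in enumerate(pentest_plan(scenarios), start=1)
    ]


# Constructed scenarios for a gateway ECU; hypothetical, not findings from any real product.
GATEWAY_SCENARIOS = [
    AttackScenario("ECU-specific key in flash", "Confidentiality of key material",
                   "Read external flash at runtime with physical access to the board",
                   "physical", "proficient", "severe",
                   "Key material shall not be readable in clear text from flash"),
    AttackScenario("Routing rules", "Integrity of gateway routing",
                   "Inject frames on the infotainment bus that are forwarded unfiltered to the powertrain bus",
                   "vehicle_network", "layman", "severe",
                   "Frames from untrusted buses shall not reach safety-relevant buses without authentication"),
    AttackScenario("Diagnostic session", "Authenticity of the diagnostic client",
                   "Open an extended diagnostic session via OBD without seed/key authentication",
                   "vehicle_network", "proficient", "major",
                   "Privileged diagnostic services shall not be reachable without authentication"),
    AttackScenario("Root certificate", "Integrity of the trust anchor",
                   "Replace the root certificate in flash so attacker-signed updates are accepted",
                   "physical_invasive", "expert", "severe",
                   "The trust anchor shall not be replaceable without detection at boot"),
]


if __name__ == "__main__":
    for req in negative_requirements(GATEWAY_SCENARIOS):
        print(f"{req['priority']}. [{req['risk']:2d}] {req['asset']}: {req['shall_not']}")
```

The point of the ordering is that the test budget goes to the scenario an attacker can realistically reach with the worst consequence first; a scenario that needs invasive board work by an expert ranks below an unauthenticated frame on a vehicle bus even when both would be severe. The "shall not" list is the input for the grey-box test cases and for the traceability back to the security goals.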
Vector Grey-Box PenTesting
Case Study: Vector Grey-Box PenTesting
Taking our TARA as input, we focus on the Flash asset: with physical access to the board we read the contents of the flash during runtime.
After analyzing the flash dump we can read in clear text:
• The root certificate at address 0x06F2A0 (while it is acceptable for the root certificate to be readable, it must be ensured that it cannot be replaced)
• The ECU-specific key at address 0x06F6A0
Grey-box PenTesting yields higher detection effectiveness with much lower effort and time.
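As an added example (not the tooling used in the case study), the analysis step above can be reproduced on a flash dump with the Python standard library: locate DER-encoded X.509 certificates by their outer/inner SEQUENCE framing and version tag, then scan the remaining bytes for high-entropy islands that look like symmetric key material. The image, the offsets 0x2A0 and 0x6A0, the 32-byte key, the 32-byte window and the 4.5-bit threshold are all constructed for this example and have nothing to do with the addresses reported above.

```python
"""Scan a flash dump for clear-text trust anchors and key material.

Added example (Python standard library only); not the tooling of the case study.
The image, offsets, key bytes, window size and entropy threshold are constructed.
"""
import math

# 32 distinct byte values in scrambled order; stands in for an ECU-specific 256-bit key (constructed).
CONSTRUCTED_KEY = bytes([
    0x9f, 0x1c, 0x4a, 0xe3, 0x77, 0x02, 0xbd, 0x58, 0xc6, 0x3e, 0x91, 0x0a, 0xf4, 0x6b, 0x25, 0xd9,
    0x83, 0x4f, 0xea, 0x17, 0x5c, 0xa8, 0x30, 0xcb, 0x6e, 0x12, 0xf9, 0x44, 0x8d, 0xb1, 0x2a, 0x7b,
])


def shannon_entropy(block: bytes) -> float:
    """Bits of entropy per byte: 0 for a constant block, at most 5 for 32 distinct bytes."""
    if not block:
        return 0.0
    counts = [0] * 256
    for b in block:
        counts[b] += 1
    n = len(block)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def find_der_certificates(dump: bytes):
    """Return (offset, length) of byte runs framed like a DER X.509 v3 certificate.

    Checked framing: SEQUENCE (long form) { SEQUENCE (long form) { [0] EXPLICIT version ... } ... },
    i.e. 30 82 LL LL 30 82 LL LL A0 03, with the inner length smaller than the outer one.
    """
    hits = []
    i = dump.find(b"\x30\x82")
    while i >= 0 and i + 10 <= len(dump):
        outer_len = int.from_bytes(dump[i + 2:i + 4], "big")
        inner_len = int.from_bytes(dump[i + 6:i + 8], "big")
        if (dump[i + 4:i + 6] == b"\x30\x82" and inner_len < outer_len
                and i + 4 + outer_len <= len(dump) and dump[i + 8:i + 10] == b"\xa0\x03"):
            hits.append((i, outer_len + 4))
            i = dump.find(b"\x30\x82", i + 4 + outer_len)   # continue after the certificate
        else:
            i = dump.find(b"\x30\x82", i + 1)
    return hits


def _trim_padding(dump: bytes, start: int, end: int):
    """Peel off bytes that merely continue a run of identical padding outside the region."""
    while 0 < start < end and dump[start] == dump[start - 1]:
        start += 1
    while start < end < len(dump) and dump[end - 1] == dump[end]:
        end -= 1
    return start, end


def find_key_candidates(dump: bytes, exclude=(), window: int = 32, threshold: float = 4.5):
    """Return (offset, length) of high-entropy islands outside the excluded (start, end) ranges."""
    regions = []
    cur = None
    for i in range(len(dump) - window + 1):
        if any(i < e and i + window > s for s, e in exclude):
            continue
        if shannon_entropy(dump[i:i + window]) <= threshold:
            continue
        if cur is not None and i <= cur[1]:
            cur[1] = i + window            # overlapping window: extend the current island
        else:
            if cur is not None:
                regions.append(cur)
            cur = [i, i + window]
    if cur is not None:
        regions.append(cur)
    return [(s, e - s) for s, e in (_trim_padding(dump, s, e) for s, e in regions)]


def analyze_dump(dump: bytes) -> dict:
    """Certificates are reported but not treated as secrets; everything else is scanned for keys."""
    certs = find_der_certificates(dump)
    keys = find_key_candidates(dump, exclude=[(off, off + ln) for off, ln in certs])
    return {"certificates": certs, "key_candidates": keys}


def constructed_certificate() -> bytes:
    """DER skeleton with the framing of an X.509 v3 certificate; the body is filler, not a real certificate."""
    tbs = b"\xa0\x03\x02\x01\x02" + b"\x02\x01\x01" + b"\x00" * 240      # [0] version v3, serial 1, filler
    inner = b"\x30\x82" + len(tbs).to_bytes(2, "big") + tbs               # tbsCertificate SEQUENCE
    sig = b"\x03\x82\x00\x10\x00" + b"\x55" * 15                          # BIT STRING placeholder (16 bytes)
    body = inner + sig
    return b"\x30\x82" + len(body).to_bytes(2, "big") + body              # outer Certificate SEQUENCE


def constructed_dump() -> bytes:
    """Small synthetic flash image: erased flash, a vector-table-like area, a version tag,
    the certificate at 0x2A0 and the clear-text key at 0x6A0 (all constructed)."""
    img = bytearray(b"\xff" * 0x800)
    img[0x000:0x100] = b"\x00\x10\x00\x20" * 64
    tag = b"GATEWAY-ECU-SWVERSION-1.2\x00"
    img[0x100:0x100 + len(tag)] = tag
    cert = constructed_certificate()
    img[0x2A0:0x2A0 + len(cert)] = cert
    img[0x6A0:0x6A0 + len(CONSTRUCTED_KEY)] = CONSTRUCTED_KEY
    return bytes(img)


if __name__ == "__main__":
    result = analyze_dump(constructed_dump())
    for off, ln in result["certificates"]:
        print(f"certificate at 0x{off:06X} ({ln} bytes): readable is acceptable, replaceable is not")
    for off, ln in result["key_candidates"]:
        print(f"key candidate at 0x{off:06X} ({ln} bytes): clear-text key material, finding")
```

The scan deliberately separates the two findings the slide makes: the certificate region is located and then excluded, because a readable trust anchor is only a problem if nothing (secure boot, a hash held in the HSM) detects its replacement, whereas a high-entropy island outside any certificate is a candidate for clear-text key material and a finding in itself. On a real image the 4.5-bit threshold over a 32-byte window needs calibration: compressed or signed sections and dense machine code also look random, so the candidates are a work list for the tester, not proof of a key.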
Conclusions and Outlook
Security as well as Safety Must Cover the Entire Life-Cycle
Needs for safety and security along the life-cycle:
• Systems and service engineering methods for embedded and IT
• Scalable techniques for design, upgrades, regressions, services
• Multiple modes of operation (normal, attack, emergency, etc.)
[Figure: life-cycle starting from safety hazards and security threats – Development: safety / security by design; Production: secured supply chain; Operations: monitoring and upgrades; Services: secure provisioning and governance.]
Conclusions and Outlook
Vector Offers the most Complete Portfolio for Security/Safety
Vector Cybersecurity Solutions
Consulting and services
• SecurityCheck and SafetyCheck
• TARA
• Security concept
• Code analysis
• PenTesting
• Virtual Security Manager
Tools
• COMPASS SecurityCheck and TARA
• VectorCAST for code analysis and coverage
• Security Manager Extension for Vector Tools and Fuzz Testing
• PLM with PREEvision
• Diagnosis
AUTOSAR Basic Software
vHSM for HW-based Security
Engineering Services for Security
www.vector.com/security
Conclusions and Outlook
Don't Take Cybersecurity Easy
Thank you for your attention. For more information please contact us.
Passion. Partner. Value.
Vector Consulting Services
@VectorVCS
www.vector.com/[email protected]: +49-711-80670-1520