More Related Content Similar to Autonomous driving end-to-end security architecture (20) More from Andrei Kholodnyi (6) Autonomous driving end-to-end security architecture1. © 2017 WIND RIVER. ALL RIGHTS RESERVED.
Autonomous Driving
End-to-End Security
Architecture
Andrei Kholodnyi
Wind River, Technology Office
2. 2 © 2017 WIND RIVER. ALL RIGHTS RESERVED.
The Choice for Systems That Cannot Fail
Powering 2 billion+ devices
Safety-certified devices running in
aviation, rail, auto, medical, robotic,
industrial, utility
300+ customers, 500+ projects, 90
aircraft in avionics market
Trusted by 9,000+ companies
Used by 40,000+ developers
3. 3 © 2017 WIND RIVER. ALL RIGHTS RESERVED.
COMMON ELEMENTS ON THE PATH TO AUTONOMY
Optimized performance
Safety focus
Health monitoring
Fail-safe
Partitioned systems
Reliability
Code reuse
Standardized interfaces
4. 4 © 2017 WIND RIVER. ALL RIGHTS RESERVED.
IVI and Cluster
Wind River Helix Cockpit
with Yocto Project IVI
Secure Linux
Media stack
Android containers
ADAS & Autonomous
Wind River Helix Drive
• 26262/ASIL-D Kernel
• Safety architecture
• Multi-Sensor fusion
• Motion planning framewrk
• Deterministic Actuation
• Advanced security
Gateways
Wind River Pulsar Linux
TCU
Smart antenna
WIND RIVER HELIX CHASSIS
Third-Party
Cloud Solutions
Wearables
Consumer Devices
Smart Homes
Infrastructure
Cloud Services
Wind River Helix App Cloud
cloud-based development
Wind River Helix Device
Cloud for device deployment
and management
SWLC Management
Wind River Helix CarSync
SOTA
FOTA
Diagnostics
Cloud Security
CSP with secure
connection
of IVN to EVN (IoT)
Sensors
Wind River Rocket
OS for MCUs
Security
Hyperscan
McAfee
Security Profile for
Wind River Linux
DPI
5. 5 © 2017 WIND RIVER. ALL RIGHTS RESERVED.
Hackathons in San Diego and Barcelona
INDUSTRY IS COMING TOGETHER
TO ADDRESS SECURITY...
BUT A LOT MORE IS NEEDED
6. 6 © 2017 WIND RIVER. ALL RIGHTS RESERVED.
THE EVOLUTION OF MALWARE
1980 1985 1990 1995 2000 2005
Source: escrypt
Increasing Digitalization and
Digital Integration
Security Escalation:
Hypothetical Vulnerabilities
Identified
Security Threats Become
Relevant in Practice
Regular Security Breaches
with Severe Damages
Auto
ICS
Mobile Phones
PC
Servers
ICS-CERT
(2008)
20152010 2020
???
CAESS
(2010)
GSM Interface
Exploit (2015)
Stuxnet and Duqu
(2010/11)
German Steel Plant
(2014)
AS/1 Card Cracking
(2009)
IMSI Catcher, NSA
iBanking (2014)
Cabir, Premium
SMS Fraud (2008)
DOS via SMS
DoCaMo (2008)
I Love You
(2010)
Heart Bleed
(2014)
Sasser
(2004)
Melissa
(1999)
Michelangelo
(1992)
Leandro
(1993)
Brain
(1986)
F. Cohen
(1981)
Confliker
(2008)
NSA, PRISM Reign
(2014)
SQL Slammer
(2003)
Code Red
(2001)
Morris Worm
(1988)
Tribe Flood DDOS
(1998)
CCC BTX Hack
(1984)
Creeper
(1971)
7. 7 © 2017 WIND RIVER. ALL RIGHTS RESERVED.
Source: http://www.informationisbeautiful.net/visualizations/million-lines-of-code/
Source: http://scan.coverity.com
INCREASING VEHICLE CODE COMPLEXITY
0.65 Defect Density per 1 KLOC
High-End Car Contains 100M LOC
Results in 65K Possible Defects
8. 8 © 2017 WIND RIVER. ALL RIGHTS RESERVED.
HACKING A CAR IS EASIER THAN EVER
Metasploit Framework Supports
CAN Bus Hacking
9. 9 © 2017 WIND RIVER. ALL RIGHTS RESERVED.
CONNECTED ARCHITECTURE
V2V
Radio Data
System (RDS)
Mobile
Devices
Electric
Chargers
External systems and
networks support new
services and interactions …
and increase risk.
Ad hoc
Network
Trusted Network
(e.g., Repair Shop)
Internet
Backbone
Automotive
Company
Application
Center
Local ServiceAP
Untrusted
Network
Local
Service
Open AP
Roadside
Unit (RSU)
3rd-Party
Application
Center
ISP
BS
BS
ISP
ISP
Unidirectional Communication
Bidirectional Communication
Access Point (AP)
GPS
EXTERNAL VEHICLE CONNECTIONS
10. 10 © 2017 WIND RIVER. ALL RIGHTS RESERVED.
RESPONSE FROM THE INDUSTRY
1. SAE J3101 – Hardware-Protected Security for Ground
Vehicle Applications
a) Secure boot
b) Secure storage
c) Secure execution environment
d) Other hardware capabilities …
e) OTA, authentication, detection, recovery
mechanisms …
2. SAE J3061 – Cybersecurity Guidebook for Cyber-Physical
Vehicle Systems
a) Enumerate all attack surfaces and conduct threat analysis
b) Reduce attack surface
c) Harden hardware and software
d) Perform security testing (penetration, fuzzing, etc.)
3. ISO 26262 2nd Edition
a) Potential interaction between safety and security
b) Cybersecurity threats to be analyzed as hazards
c) Monitoring activities for cybersecurity, including
incident response tracking
d) Refer also to SAE J3061, ISO/IEC 27001, and
ISO/IEC 15480
11. 11 © 2017 WIND RIVER. ALL RIGHTS RESERVED.
AUTOMATION LEVELS The industry is here
12. 12 © 2017 WIND RIVER. ALL RIGHTS RESERVED.
KEY DISTINCTIONS TRANSFORMING A CONNECTED CAR
INTO AN AUTOMATED DRIVING CAR
Level 3 – HMI notification will be provided to the driver to take over within
several seconds
More sensors – Cameras, LIDARs, RADARs, interior cameras
Communication with environment (other cars, structures, pedestrians,
etc.)
HD maps
Machine learning
Safety and security
13. 13 © 2017 WIND RIVER. ALL RIGHTS RESERVED.
• Finding but not
exploiting
vulnerabilities
• Start a trade war (e.g.,
attack an OEM)
• Infrastructure
disruption
• Misuse the system
(e.g., enable AD
feature)
• Retrieve activity
history
• Get access to OEM
data
WHO ARE THE THREAT AGENTS?
SECURITY RESEARCHERS • Political
• Financial
• Steal IP (algorithms)
• Damage OEM brand
value
• Control a vehicle for
personal harm
• Plant a backdoor
(revenge)
• Get firmware images
TERRORISTS
CYBER ESPIONAGE
CYBER HACKTIVISTS
INSIDERSNATION STATES
LAW ENFORCEMENT
CAR OWNERS
14. AN END-TO-END AD STACK PERSPECTIVE
IN-VEHICLE HIGH-PERFORMANCE DATA CENTER
Training Data
Set
Validation Data Set
High-Performance HW
Optimized Machine
Learning Model
OTA Update Infrastructure
AD ECU HW
Automated Driving
Middleware
AutonomousDriving
“Applications”
AutonomousDriving
“Applications”
AutonomousDriving
“Applications”
Operating System
Training
Optimization / Validation
Real-Time
Telemetry
and
Analytics
Secure,
Reliable,
Compressed
Model
Training Data Annotation
DL Model Optimizer
Real-World Simulator
Optimizer Tool
HW Optimized ML
Framework
Automated Driving
Middleware
Operating System
OTA Update Infrastructure
HD Maps
Optimized Machine
Learning Model
15. 15 © 2017 WIND RIVER. ALL RIGHTS RESERVED.
TECHNOLOGY AND TRENDS FOR HARDWARE
Computing Units
Comparator
16. 16 © 2017 WIND RIVER. ALL RIGHTS RESERVED.
END-TO-END DATA PATH SECURITY THREATS
Actuators
Control
Computing Unit 1
Environment
Model
Strategy
Trajectory
Planning
Sensors
HMI
External input
Interface
Processing
Internal processing
Processing
Communication
External output
Interface
Processing
Intergrity
Timing
Availability
Correlation
False positive notification
False negative notification
Delayed actuation
Missing actuation
Failure in enabling control
Failure in disabling control
User mistrust
User discomfort
Main Attack Surfaces Manipulation on Data-in-Motion Major Consequences
V2X
Communication
Cloud
Computing Unit 2
Environment
Model
Strategy
Trajectory
Planning
Comparator
Trajectory
Compare
Actuators
17. 17 © 2017 WIND RIVER. ALL RIGHTS RESERVED.
SDL ECU Physical Security
HW Security
DEFENSE IN DEPTH – ECU LEVEL
SW Platform Security
CPU Security
HSM
Intrusion Prevention
SW hardening
Perimeter Hardening
Compartmentalization
Access Protection
Security Management
Secure Boot, Key Storage, etc.
Application Security
Data-in-motion Security
App Management
SW Management
Secure Extensions (SGX, TrustZone)
Hypervisors, Containers, etc.
OS Hardening, Compiler Setting, etc.
Firewalls, Debug Ports, etc.
IDPS, Virus Scans, etc.
OTA, Patch Management
SCAP, SIEM, etc.
Secure Communication (e.g., SSL, TLS)
RBAC, Trustworthiness, etc.
Security Testing
Network-Based Penetration
Testing
Dynamic Binary Analysis
Static Code Analysis
FuzzingAFL, Trinity
E.g., Kali Linux
Static Code Analysis
Tools
angr, etc.
Security Tools
Threat Analysis
Threat Modeling
Tool
Automated frameworkmechaphish
18. 18 © 2017 WIND RIVER. ALL RIGHTS RESERVED.
ActuatorsSensors Main AD ECU
Hardware Security
DEFENSE IN DEPTH – INTRA-ECU LEVEL
Hardware Identity
Software Platform Security
ECU Authentication
ECU Authorization
ECU Topology Trustworthy
Application Security
Data-in-motion Trustworthy
Application RBAC
19. 19 © 2017 WIND RIVER. ALL RIGHTS RESERVED.
ESSENTIAL DEVELOPMENT PRACTICES
Threat Analysis
and Risk
Assessment
(TARA)
Security
Requirements
Implementation Security Testing Release
Define applicable
surface attacks
Define identified
threats
Assign severity
Threat analysis
Establish security
requirements
Create quality
gates
Security and
privacy risk
assessment
Use approve
tools
Develop security
measures
Deprecate unsafe
functions
Static analysis
Dynamic analysis
Fuzz testing
Attack surface
review
Verify security
measures
Incident response
plan
Final security
review
Documentation
Response
Execute incident
response plan
20. 20 © 2017 WIND RIVER. ALL RIGHTS RESERVED.
ROAD TO SELF-ADAPTIVE SECURITY
Good: Baseline
Security core features (HW)
Security core features (SW)
Standard compliance
Better:More Security
Services
Secure OTA
Hardware Identity
IDPS
Security management
Best: Self-Optimizing
Multi-agent systems with
the aim of self-healing and
self-recovery
Security analytics
PSIRT automation
Self-Adaptive
Systems that can evaluate
and modify their own
behavior to improve
efficiency
21. 21 © 2017 WIND RIVER. ALL RIGHTS RESERVED.
SUMMARY
New security threats arise on the way to automated driving (machine
learning, AD system - driver interaction, V2X etc.)
Automotive industry works on new security standards
Defense in depth on ECU and intra-ECU levels
No safety without security (intersection of both)
Security best practicies are important (SDL, PSIRT)
Road to self-healing vehicles