Security for Automotive with Multicore-based Embedded Systems


1. Introduction
2. Security Issues
3. Multi‐core architectures: Risks
4. Multi‐core architectures: Opportunities
5. Research Challenges
6. Take Home Message

Published in: Automotive, Technology, Business

  1. Security for Automotive with Multi-core-based Embedded Systems
     Claudia Eckert, TU München & Fraunhofer AISEC
     DATE 2012, 16. March 2012, Dresden
     5/26/2012, ©C. Eckert, AISEC

     Outline
       1. Introduction
       2. Security Issues
       3. Multi-core architectures: Risks
       4. Multi-core architectures: Opportunities
       5. Research Challenges
       6. Take Home Message
  2. 1. Introduction: Automotive: Today
       • > 80 ECUs, security/safety sensitive services
       • Tailored ECUs for additional functions
       • High energy consumption
       • Expensive

     1. Introduction: Tomorrow: more services, more computational power required
       [Figure: connected-car services; labels: Intelligent Car, Routing and Navigation, Traffic info and web cams, Road Billing, (Location based) web information, Fleet Management, GPS, Street Parking, Inter Car Communication, Parking Slots Reservation, Contactless Gas Station, Mobile TV]
       High demand for few highly integrated multi-core systems
  3. 2. Security Issues: Automotive Security: Today
     Security level today: do modern cars already provide
       • Secure execution environment?
       • Hardened ECUs or security modules to reduce vulnerabilities?
       • Security services like intrusion detection, access controls, self-monitoring?
  4. 2. Security Issues: Automotive: Security Risks
     Vulnerabilities, e.g.:
       • ECUs which are not hardened: code injection, data manipulation
       • Software updates via CAN/Ethernet: insufficient (or even missing) access control
       • External interfaces enable remote access/attacks: NFC, C2C

     2. Security Issues: Automotive: Security Risks
     M2M interfaces (GSM)
       • Communication with backend of OEM
       • Internet access, added-value services
     Vulnerabilities:
       • Car logs into every GSM BTS
       • Attacks with malformed messages from GSM network
       • Possible damages: manipulation, DoS, malware
  5. 2. Security Issues: Automotive: Security Risks

     Lessons Learned so far
     Multi-cores
       • Multi-core architectures are required to meet
           - Increasing demands for computational power
           - Demands to reduce power consumption
       • Cars are already exposed to severe security risks
     Questions
       • Multi-core: a security enhancing technology?
       • Multi-core: even more security/safety risks?
  6. 3. Multi-cores: Even more risks …
     Shared resources: memory, caches, network
       • Data leakages: confidentiality, integrity
       • Covert channels, e.g. cache replacement strategy
       • Denial-of-service: e.g. occupying shared memory regions, starving safety-critical tasks
     Vulnerable system software, missing separation
       • e.g. BO attacks: malware intrusion, manipulation, …
  7. 4. Multi-cores: Opportunities
     Attack tolerance, e.g. fault injections with laser
       • Inject jump to bypass security checks
       • Modify register content
       • Modify alarm signals
       [Figure: fault attack (FA) illustration; labels: FA, not auth, 0x00 / 0x80, 00000000 / 10000000, alarm, OK]
     Multi-core:
       • Redundant cores to tolerate fault-attacks: e.g. SLE 78; redundant computation, majority voting, monitoring
  8. 4. Multi-cores: Opportunities
     Attack tolerance, e.g. side-channel attacks
       • Timing (execution time of cryptographic operations) and power (power consumption) attacks to crack keys
     Multi-core
       • Increased resistance against side-channel attacks: e.g. using multi-cores for randomized execution of cryptographic algorithms

     4. Multi-cores: Opportunities
     Attack tolerance, e.g. resistance against software-based modifications
       • Redundant computation in different cores to detect abnormal behavior (e.g. manipulated code)
  9. 4. Multi-cores: Opportunities
     Take advantage of multi-cores
       • Assign security/safety critical tasks to dedicated security cores (e.g. hardened cores):
           - secure execution environment
           - strict access controls
       • Distribute sensitive functions between different cores to enhance resistance against reverse engineering attacks

     4. Multi-cores: Opportunities
     Self-monitoring
       • Separate a security core from data processing cores:
           - Trusted OSs in monitoring system
           - Collect data in userland OS (e.g. syscall traces)
           - Securely analyze data to detect malbehavior
       • Dynamic health monitoring
       • Extend VMI to enhance malware detection on multi-cores
  10. 5. Research Challenges: Secure Architectures
      [Figure: secure system-on-chip architecture; labels: System on Chip, other System on Chip, M2M, SIM, ID, GSM, Actuator, Sensor, Trust Core, OS Core, Core i, Core n, IO-interfaces, Peripherals, RAM, Flash, Hardware Security Module]
  11. 5. Research Challenges: Secure Elements
      Scalable hardware trust anchors:
        • Secure storage: keys, credentials, access tokens
        • Integrity measurement: static (TPM-like) as well as dynamic attestations
        • Support for virtualized execution environments: attaching a virtual Secure Element to individual environments: Secure Boot, secure Updates, …
        • PUF technology for secure identification

      5. Research Challenges: Secure Software
      Software Hardening
        • Compile-time Hardening
        • Operating System Extensions
        • Process Virtualization / Sandboxing
        • System Virtualization
      Secure Monitoring
        • VMI for malware detection
        • Attack tolerance
      [Figure: software stack; labels: Rich OS, 3rd Party Application, Android including Dalvik VM, Secure OS, Trustworthy component, L4Linux with Android patches, VMM (L4 Microkernel), Multi-core (SoC)]
  12. 6. Take Home Message
      Automotive domain: high demand for
        • openness, value-added services, cost and energy efficiency
        • Security is already a big issue (e.g. impact on safety)
      Multi-core architectures: security enhancing technology
        • Attack tolerance, self-monitoring
        • Partitioning: critical, non-critical
      Research issues: security architectures & controls & crypto
      Secure multi-cores: key enabling technology for CPS!

      Thank you for your Attention
      Claudia Eckert
      Fraunhofer AISEC, Munich
      TU Munich, Chair for IT Security
      E-Mail: http://www.aisec.fraunhofer.de
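
Added example, not part of the original slides: a software sketch of the "redundant computation, majority voting, monitoring" idea from the attack-tolerance slide, with three cores simulated as three calls and a fault modelled as a mask XORed into one result. All names, the PIN data and the 0xA5/0x5A result encodings are assumptions constructed for illustration; the 0x80 mask echoes the value shown in the slide's figure.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed encodings: all 8 bits differ, so one flipped bit never turns FAIL into OK. */
#define AUTH_OK   0xA5u
#define AUTH_FAIL 0x5Au

typedef struct { int decision; int alarm; } result_t; /* 1 grant, 0 deny, -1 fail closed */

/* Constructed sample data (hypothetical PINs and fault masks). */
static const uint8_t REF_PIN[4]    = {1, 2, 3, 4};
static const uint8_t GOOD_PIN[4]   = {1, 2, 3, 4};
static const uint8_t BAD_PIN[4]    = {9, 9, 9, 9};
static const uint8_t NO_FAULT[3]   = {0, 0, 0};
static const uint8_t ONE_FAULT[3]  = {0, 0x80, 0};    /* single bit flip on core 1 */
static const uint8_t TWO_FAULTS[3] = {0x80, 0x80, 0}; /* same flip on cores 0 and 1 */

/* The check each redundant core runs independently. */
static uint8_t check_pin(const uint8_t *pin, const uint8_t *ref, size_t n) {
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (uint8_t)(pin[i] ^ ref[i]);
    return diff == 0 ? AUTH_OK : AUTH_FAIL;
}

/* fault[i] models a glitch XORed into core i's result register (0 = no fault). */
result_t authenticate(const uint8_t *pin, const uint8_t *ref, size_t n,
                      const uint8_t fault[3]) {
    uint8_t r[3];
    for (int i = 0; i < 3; i++)
        r[i] = (uint8_t)(check_pin(pin, ref, n) ^ fault[i]);

    /* Bitwise 2-of-3 majority vote over the three results. */
    uint8_t voted = (uint8_t)((r[0] & r[1]) | (r[0] & r[2]) | (r[1] & r[2]));
    result_t out;
    out.alarm = (r[0] != r[1]) || (r[1] != r[2]);   /* monitoring: any disagreement */
    if (voted == AUTH_OK)        out.decision = 1;
    else if (voted == AUTH_FAIL) out.decision = 0;
    else { out.decision = -1; out.alarm = 1; }      /* no valid majority: fail closed */
    return out;
}

int main(void) {
    result_t a = authenticate(GOOD_PIN, REF_PIN, 4, NO_FAULT);
    result_t b = authenticate(BAD_PIN, REF_PIN, 4, ONE_FAULT);
    result_t c = authenticate(BAD_PIN, REF_PIN, 4, TWO_FAULTS);
    printf("%d/%d %d/%d %d/%d\n", a.decision, a.alarm, b.decision, b.alarm,
           c.decision, c.alarm);
    return 0;
}
```

A 2-of-3 voter masks a fault in one result only; the check on the voted value is what makes an unrecognised majority fail closed instead of being interpreted as a decision.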