Embedded Policing and Policy Enforcement based Security in the era of
  Digital-Physical Convergence for Next-Generation Vehicular Electronics by Siddiqui, Fahad et al.
Embedded Policing and Policy Enforcement based Security in the
era of Digital-Physical Convergence for Next-Generation Vehicular
Electronics
Fahad Siddiqui, Matthew Hagan, Sakir Sezer
The Centre for Secure Information Systems (CSIT),
Queen’s University Belfast, Belfast, UK
(e-mail: f.siddiqui, m.hagan, s.sezer @qub.ac.uk)
Abstract
The emergence of intelligent, connected vehicles, con-
taining complex functionality has potential to greatly
benefit society by improving safety, security and effi-
ciency of vehicular transportation. Much of this has
been enabled by technological advancements in embed-
ded system architectures, which provided opportunities
for vehicle manufacturers to implement intelligent vehi-
cle services and consolidate them within a small number
of flexible and integrable domain controllers. Thus al-
lowing for increasingly centralised operations consisting
of both new and legacy functionalities. While this era of
digital-physical convergence of critical and non-critical
vehicle services presents advantages in terms of reducing
the cost and electronic footprint of vehicular electron-
ics, it has produced significant security and safety chal-
lenges. One approach to this research problem is to intro-
duce fail-over mechanisms that can detect unexpected or
malicious behaviours, caused by attack or malfunction,
and pro-actively respond to control and minimise physi-
cal damage or safety hazards. This paper presents a novel
embedded policing and policy enforcement platform ar-
chitecture and the accompanied security modelling ap-
proach for next-generation in-vehicle domain controllers.
To demonstrate the proposed approach, a connected ve-
hicle case study is conducted. A realistic attack scenarios
have been considered to derive security policies and en-
forced by the proposed security platform to provide se-
curity and safety to domain-specific features.
1 Introduction
Development of Intelligent Transportation Systems (ITS)
offers great potential to provide enhanced reliability and
safety of road users, while simultaneously shortening
journey times and increasing highway capacity [1], [2].
Developments in wireless connectivity, including IEEE
802.11p and cellular 3GPP Cellular Vehicle-to-Everything
(V2X), have provided capability for communication be-
tween vehicles and roadside infrastructures. Contribu-
tion of vehicle data to the cloud has enabled further ca-
pability for Data Analytics and Machine Learning (ML) al-
gorithms to determine intuitive vehicle and driver infor-
mation make informed decisions [1], [2].
Embedded architectures are widely used in vehicular
electronics in the form of Electronic Control Units (ECUs)
that control a series of electrical and electronic systems or
subsystems to ensure optimal performance, comfort and
safety. They are used for both general (infotainment and
navigation etc.) and safety critical (air-bag and anti-lock
braking etc.) purposes. Communication among inter-
connected ECUs is typically achieved using vehicle com-
munication networks [1], [4]. The normally inaccessible
and closed nature of vehicular electronics has meant that
until recently, securing these systems has not of signifi-
cant concern to industry stakeholders, who instead pri-
oritised safety and efficiency [4]. Security technologies
within vehicles have been confined largely to physical
security, including locking, ignition, immobiliser, radio
and alarm systems. However integration of advanced
embedded technologies and on-board connectivity have
enabled the possibility for adversaries to carry out at-
tacks, potentially adapted from existing attacks aimed
at embedded systems, which may enable existing crimes
such as vehicle theft or unauthorised access to the vehi-
cle’s critical controls when in motion [4], [5] [6].
As consumer expectations and industry standards have
continued to rise, vehicle manufacturers have been faced
with rising design costs due to greater system complex-
ity. Requirements to additionally incorporate security
within vehicular electronics is therefore, a challenging
design and integration problem. Technological advance-
ments and the emergence of Multiprocessing System-on-
chip (MPSoC) architectures have provided opportunities
for vehicle manufacturers to consolidate different vehic-
ular services into a smaller number of more flexible and
integrable domain controllers [7], [8], allowing increas-
ingly centralised operations. However, adopting a cen-
tralised vehicular electronic system also brings a wide-
range of security and safety challenges, since vehicles
typically contain applications of differing levels of func-
tional safety. Digital-physical convergence [9], [10] of this
mixture of critical and non-critical vehicle services onto
the same device requires consideration for sufficient fail-
over mechanisms to confine, control and minimise phys-
ical damage and harm to the passengers and pedestrians
1
ar
X
iv
:2
00
4.
10
67
2v
1 
 [c
s.C
R]
  1
7 A
pr
 20
20
Figure 1: Block diagram view of a next-generation vehicular electronic system. Heterogeneous multiprocessing
platforms offer diverse on-chip computing and power optimisation opportunities, communication protocols and
architectural support to implement in-vehicle safety critical and non-critical domain controllers [3]. This approach
consolidates vehicle services and subsystems into a centralised communication and control architecture.
in event of failure or malicious event.
To assist in alleviating these issues, existing security
modelling approaches used within embedded security ar-
chitectures will be investigated. Our research on policing
and policy enforcement architecture and security mod-
elling approach for vehicular electronics will be intro-
duced. Being based on the principles of access control, it
provides a safety net against physical damage and harm
that can be caused by a compromised system component
or malfunctioning intelligent vehicle service (AI/ML),
providing a means to build consumer trust in the use of
intelligent services within next-generation vehicles. This
following are the novel research contributions:
1. A flexible, policy-based security modelling approach
to alleviate the problem of defining an access-control
driven security model for application use-cases with
differing security requirements. The proposed ap-
proach can be integrated within existing security de-
sign practices including risk assessment and threat
modelling (Section 4).
2. An embedded policing and policy enforcement sys-
tem architecture to realise the proposed policy-
based security modelling approach. The architec-
ture monitors system bus-level communication, pro-
vides a pro-active fail-over mechanism to confine,
control and minimise physical damage and harm
that can be caused by malicious attack or malfunc-
tion of intelligent vehicle services (Section 5).
3. An embedded architecture that implements a pro-
active approach providing core functionalities (iden-
tify, detect, protect, respond and recover) essential
for next-generation self-healing embedded systems.
It detects malfunction/malicious behaviour as pol-
icy violation and pro-actively deploy fail-over mech-
anism to ensure safe and healthy system operation
(Section 5.4).
4. A connected vehicle use case to present the threat
modelling process, that establishes critical assets
and potential attacks using STRIDE to identify
threat types and DREAD to quantify the potential
damage of a realised attack. Policies, derived to mit-
igate the identified threats, are enforced by the pro-
posed policy enforcement architecture (Section 7).
2 Background and Related Work
2.1 In-vehicle Electronics
Advancements within embedded technologies and de-
mands to integrate intelligent features has significantly
impacted vehicular electronics, increasing ECU numbers
to unsustainable levels [11], [12]. ECUs control vari-
ous critical and non-critical functions and are connected
through vehicle communication networks and buses, in-
cluding [12], [13]:
• Controller Area Network (CAN) - Multi-master based.
The most widely used protocol in automobiles.
• Local Interconnect Network (LIN) - Single master
Polling based. Low level, low bandwidth.
• FlexRay - Multi master - Redundant real-time secu-
rity critical ‘X by wire’ protocol.
• Automotive Ethernet - High bandwidth, high latency
protocol used for non-critical peripherals including
multimedia, Advanced Driver Assistance Systems
(ADAS) cameras & network connectivity.
2
To approach this problem, vehicle and original equip-
ment manufacturers (OEM) have adopted design strate-
gies to centralise broad groups of in-vehicle electronic
features into streamlined architectures. To enable
this, vehicle manufacturers have developed the con-
cept of domain centralisation by introducing domain con-
trollers [7], [8]. This limits the complexity that has re-
sulted from the addition of hundreds of decision making
ECUs that use different networking protocols, operating
systems and software, by forming a centralised, flexible
and integrable embedded architecture to control differ-
ent vehicular features. This helps manufacturers sim-
plify their designs and support growing demands for in-
telligent features and services [8], [14].
Emerging embedded multi-core computing architec-
tures, such as heterogeneous MPSoC, provide a mix of
powerful general purpose, specialised graphics and de-
terministic real-time processors tightly coupled with re-
configurable logic [15], [16]. This presents significant de-
sign opportunities for vehicle manufacturers to explore
and implement different intelligent automotive applica-
tions [17], by partitioning and deploying multiple do-
main functions into a compact vehicular electronic sys-
tem [3] as illustrated in Figure 1. Significant architectural
and design benefits can be availed, such as reducing com-
munication overheads among ECUs, providing a holistic
view of the overall vehicular system, and providing cost
benefits by reducing electronic footprint and wiring re-
quired within the vehicle. These architectural benefits
suggest that MPSoC is a viable candidate that can allow
in-vehicle domain controllers to meet diverse application
requirements of performance, safety and power.
However, adopting a centralised vehicular electronic
system also brings a wide-range of security and safety
challenges, since vehicles typically contain applications
of differing levels of functional safety, as categorised by
Automotive Safety Integrity Level (ASIL) within the ISO
26262 standard [18]. Complex and mixed critical appli-
cations such as advanced driver assistance system (ADAS),
adaptive cruise control (ACC), autonomous emergency brak-
ing (AEB) and anti-lock braking system (ABS), require real-
time performance [17], [19]. Safety critical features of
the vehicle, such as air-bag and braking mechanisms,
have strict timing requirements, unlike non-critical com-
ponents such as infotainment and window controls.
The mixture of critical and non-critical vehicle services,
within the same embedded system, requires considera-
tion for sufficient fail-over mechanism [10]. This fail-over
mechanism shall provide a pro-active safety net against
vehicle’s security and safety threats caused by compro-
mised, malicious software/hardware components or out-
sider attacks. Nevertheless based on existing state-of-the-
art attacks against ML models and methods, such attacks
would be inevitable within vehicular electronics and
would lead to life threatening consequences [14], [20].
Therefore, should a non-critical element within the ve-
hicle fail, the reliability of any safety critical vehicular
services should not be affected [10].
To approach these vehicular electronic design and se-
curity issues, there is a need for a self healing security
platform architecture for next-generation in-vehicle elec-
tronics. The architecture shall provide flexible isolation
and segregation of mixed critical in-vehicle electronic
services and domain controllers, a pro-active safety-
net/fail-over mechanism to ensure functional and physi-
cal safety of critical services.
2.2 Embedded Heterogeneous System-on-
Chip
Field programmable gate array (FPGA) is a proven, recon-
figurable technology that provides glue-logic to develop,
optimise and implement custom hardware logic to accel-
erate computationally intensive applications. Emerging
heterogeneous FPGA MPSoC architectures extend this
appeal, providing versatile general-purpose, real-time
and graphics processing computing resources (Figure 1),
suitable to deliver the performance and power demands
of next-generation intelligent data and control applica-
tions [15], [16], [19], [21], [22]. Moreover, the increas-
ing demand for intelligent and mixed criticality appli-
cations has led to integration of multiple levels of secu-
rity, safety and advance power management mechanisms
into new MPSoC architectures. These architectures have
extended support for the automotive industry, including
ISO 26262 ASIL-C [23] certification.
MPSoC architectures offer improved on-chip hardware
security features to build system-level security founda-
tion based on the principles of information assurance
and trust [24]. They facilitate realisation of a software-
controlled and hardware-enforced security mechanisms
that allow partitioning of system resources by dividing a
system into subsystems and isolating the memory-space
of these subsystem. ARM TrustZone technology is an ex-
ample, that virtually segregates hardware resources into
secure and non-secure zones. These security mechanisms
are extended down to the FPGA glue logic (beyond the
multiprocessing cores) which ensures application and
user-level security while facilitating existing hardware-
software co-design practices. Such systems can run AU-
TOSAR compliant software stacks, bare-metal software
applications or rich-operating systems such as embedded
Linux. The on-chip real-time processing cores support
a lock-step execution mode to implement safety critical
and fault tolerant automotive applications, making the
system more robust and recoverable from faulty situa-
tions, without severely degrading performance. The on-
chip availability of these diverse features makes FPGA
MPSoC an appealing platform for next-generation in-
vehicle domain controller and vehicular electronics. De-
spite the benefits of MPSoC architectures, open literature
has reported a range of software and micro-architectural
vulnerabilities within system and ARM TrustZone secu-
rity [25] that have been widely used in vehicular electron-
ics and safety-critical systems.
Chen et al. exploited a lack of proper roll-back protec-
tion during the secure boot process used by ARM Trust-
Zone technology [27]. They breached loading verification
processes by reusing an old key. Jacob et al. described a
similar attack on the secure boot mechanism on FPGA MP-
SoC, which ensures secure system start-up by building
chain-of-trust [28]. Mitigation of such attacks requires
3
Figure 2: Step-wise illustration of secure development life-cycle covering the threat modelling and secure testing
process [26], in accordance with the different product development phases. It is important to observe that secure
testing process (implementation and verification) strongly relies on the security model. Modification of the security
requirements can negatively impact the implementation and verification phases.
a well-defined methodology for distributing patches and
updating keys across a wide range of devices. This is
practically challenging due to differing implementations
and update practices. Ning et al. presented a compre-
hensive security analysis of ARM technology, exploit-
ing the debugging architecture and summarising secu-
rity vulnerabilities and their implications [29]. They im-
plemented NAILGUN attack, that exploits the debug au-
thentication mechanism to break logical isolation, deliv-
ering privileged access to the processor’s secure area.
To approach these problems, the research community
has proposed various security micro-architectures that
leverage execution tracing, data protection and monitor-
ing techniques to enhance system-level security. Arora et
al. introduced a hardware-assisted, run-time execution
trace monitoring approach by embedding it deep into the
processor pipeline [30]. It can detect malicious activi-
ties and safeguards the execution of programs running on
embedded processors. The proposed design uses control-
flow graphs to extract benign program behaviours and
automatically synthesise an application-specific hard-
ware monitor which is fixed and un-adaptable. Maene et
al. proposed a hardware-based security architecture (At-
las) that uses memory encryption to protect instructions
and cache data against system-level attack [31], using a
developed encryption unit inserted between the cache
and main memory. However, this resulted in a significant
performance overhead. Coburn et al. proposed a security-
enhanced communication architecture (SECA) [32] that ex-
ploits bus-based system communication architectures. A
wide-range of security attacks can manifest as abnor-
malities in system-level communication traffic. This can
monitor and regulate interactions between various sys-
tem components. SECA is a centralised access-control
enforcement module that provides intrusion detection
capabilities to the system. On the contrary, Cotret et
al. adopted a distributed access-control security enforce-
ment approach and proposed a hardware firewall archi-
tecture that serves as a security bridge between the sys-
tem resources and system communication bus to moni-
tor control activities [33]. Though the discussed related
work provides both distributed and centralised security
micro-architectures to address the discussed embedded
security challenges, they are limited to the detection of
malicious activities. As discussed, detection alone is in-
sufficient to meet the security and safety requirements
of next-generation intelligent vehicle services and em-
bedded architectures and must support active fail-over
safety mechanisms [34].
2.3 Threat and Security Modelling
The Secure Development Lifecycle [26] is a process of iden-
tifying an application use case’s security requirements as
shown in Figure 2. This consists of a 1O Risk Assessment
carried out in the requirements phase and 2O Threat Mod-
elling during design and development phase. The outcome
is a security model, a set of guidelines that aims to har-
nesses resilience against considered attacks. Once im-
plemented, the secure testing process verifies and validates
the robustness of the security using a 3O Security Review,
followed by 4O Security Testing to verify the implementa-
tion as shown in Figure 2. These steps are:
• Risk assessment: This decomposes the use case to
identify security risks within service interactions,
used to formulate the system’s security requirements.
• Quantify Assets: Examined from a data flow per-
spective, this identifies assets requiring protection.
• Entry Points: These are system or application inter-
faces that may expose critical assets to an attacker.
• Threat Identification: This identifies potential vul-
nerabilities within the system at risk of exploitation
by an attacker. STRIDE is a method that can be used
to categorise identified threats within the system.
4
• Threat Severity: Risk-based quantification models
such as DREAD can be used to evaluate risks for de-
termined threats. This is based upon their likelihood
of occurrence and severity of damage if successful.
• Establish countermeasures: Adequate countermea-
sures are determined based upon the previously es-
tablished risk ratings. These can be technical-based,
or can be adopted through security practices.
The security modelling process faces several chal-
lenges. The implementation of the guidelines should
strictly comply to the requirements as they are used for
the secure application testing phase. Issues are likely to
occur when using third-party blocks to implement dedi-
cated tasks. Since the OEM has less influence over these
components, they are constrained in mitigating potential
vulnerabilities, or alternatively face delays and costs re-
questing modifications.
As vehicular technology has developed, from funda-
mental mechanics to the incorporation of electronics,
software and connectivity used in embedded computing
systems, so too have the methods used by adversaries,
within the scope of cyber threats. Attacks against elec-
tronic vehicular systems, which have enabled unautho-
rised control or theft of the vehicle [14], [35] demonstrate
a clear need to improve automotive security. Such vul-
nerabilities and attacks may arise from a lack of process
driven security modelling, a lack of strong hardware se-
curity mechanisms or poor software implementations. As
legacy automotive standards do not take into considera-
tion the cyber domain, attempts have been made to rec-
tify this through the introduction of the SAE J3061 stan-
dard [36], that builds upon ISO 26262’s Hazard Analysis
and Risk Assessment (HARA) to define Threat Analysis and
Risk Assessment (TARA), that observes the potential for
cyber security attack [18].
While threat modelling methodologies such as STRIDE
have been developed for software environments, exist-
ing work has adapted these towards physical devices and
hardware. Within open literature, implementations of
threat modelling methodologies have been defined for
relevant use cases. Macher et al. [37] examined threat
and risk assessment techniques integrating security and
safety, presenting the application of both STRIDE and
ISO26262-HARA. Their approach, named Safety-aware
hazard analysis and risk assessment (SAHARA) was used
to determine appropriate countermeasures, with an au-
tomotive battery management use case provided. Mc-
Carthy et al. [38] described a composite modelling ap-
proach for security threats to vehicles. They observed
existing threat modelling methodologies, proposing sys-
tem decomposition and creation of data flow diagrams,
before identifying threats and developing use case sce-
narios where attacks could occur. Dominic et al. [39]
proposed a risk assessment framework for automated ve-
hicles. This work assessed differences between standard
and automated vehicles. Expanding on McCarthy’s work,
they included threat agents to capture intentions of at-
tackers to determine likelihood of attack. They provided
an assessment, using a reference architecture and threat
model. Tan et al. used resource isolation as a security
foundation within their decentralised system-level secu-
rity architecture [40]. Isolation of resources was achieved
using access control-based policies. Akatyev et al. investi-
gated state of the art threats against inter-connected sys-
tems [41]. A holistic approach, using the STRIDE and
DREAD models, was used to categorise relevant attacks
and related threats. While a detailed investigation of a
real-world case study was performed, implementation of
their findings into existing practises was not covered.
The standard security modelling process faces several
challenges. To be effective, implementation of the guide-
lines by developers should adhere to the identified re-
quirements as they are necessary for the secure application
testing phase. The guidelines also direct developers while
designing sensitive aspects the device. The use of third-
party blocks to implement special or dedicated tasks is a
particular risk. Since the OEM has lesser influence over
these components, they are constrained in mitigating po-
tential vulnerabilities, or alternatively face delays and
costs requesting modifications to the components used.
Threats may be overlooked due to errors by the software
developer or simply because they were unknown during
product development. Ray et al. [42] recognised that
threat modelling is a process driven analysis that is de-
pendent on human insights. Applying mitigation for a
list of threats for each component within the device is
also an onerous task [43]. In addition, should a new vul-
nerability be discovered, a new security model shall be
devised to incorporate the change in risk profile.
To help overcome these identified issues, this work in-
troduces a flexible and adaptable policy-based security
modelling approach that can be incorporated into exist-
ing security practises. This approach compliments the
published works [29], [32], [44], [45], [46] and extends
[33], [34], [41] by presenting threat analysis of a con-
nected vehicle case study to enforce countermeasures in
the form of security policies.
3 Shortcomings of existing ap-
proaches
The presented detailed background and related work
clearly articulates that vehicle manufacturers, OEM ven-
dors and embedded designers have faced severe security
modelling and security architecture design challenges.
The following are design and architectural shortcomings
identified within these existing security approaches:
• Heavy reliance on the principle of trust to harness
and maintain security, which includes building and
maintaining chain-of-trust. The majority of embed-
ded security micro-architectures follow Device Trust
Architecture [47]. This comprises a series of nested
tasks and as vulnerable as its weakest link. If bro-
ken, compromises the security of the system. In the
commercial domain, Secure Boot is a widely used se-
cure component and found vulnerable [27].
• The need for compliance (in accordance with au-
tomotive cyber security standards [36]), has com-
5
Figure 3: The security model is a bridge between threat modelling and secure testing processes. The adoption of a
agile security model simplifies this process, easing modification of security requirements during the life-cycle.
pelled embedded security architects to design de-
fence mechanisms that are often ad-hoc and passive
in nature [48], targeting and mitigating known class
of attacks. This approach may be effective to rectify
software vulnerabilities through software updates,
but insufficient for micro-architecture security, as
cannot be updated after release.
• A lack of clear device security ownership, where
third party components are used, insufficient adop-
tion of security-aware design practises and an ab-
sence of baseline security requirements. In prac-
tice, design engineers do not perceive themselves ac-
countable for security requirements and effectively
embedding them into the device life-cycle, leading
to security inconsistencies and vulnerabilities.
• A lack of independent run-time monitoring
and fail-over mechanism that can detect unex-
pected/malicious behaviours and constrain vehicle
critical control to minimise physical damage and
harm to the user.
Nevertheless, integration of vehicle electronics, that
make use of AI/ML to provide intelligent services, exac-
erbates the risks associated with security vulnerabilities
and therefore they must be handled appropriately.
4 Policy-based Embedded Security
Approach
4.1 Policy-based Security Modelling
We propose an agile policy-based security model ap-
proach, in contrast to widely used standard guideline-
based security model as shown in Figure 3. This ap-
proach allows tailoring of the underlying embedded ar-
chitecture to implement diverse security requirements of
the application use case, without requiring redesign of
the underlying architecture. This would enable automo-
tive OEMs to customise, implement, verify, deploy and
maintain different use case based critical security models,
independent of silicon and third-party vendors, during
the life-cycle of the system. This can be performed, based
on access-control principles, by modifying security poli-
cies at the memory and peripheral interface boundaries.
These policies deploy mechanisms that physically isolate
and segregate the system resources by run-time monitor-
ing (policing) of their entry and exit points. Should a new
use case be introduced, or a new vulnerability found, that
changes the system’s security profile, a new system secu-
rity model should be generated and applied by the OEM,
with updated resource specific security policies.
4.2 Policing & policy enforcement
To realise the proposed policy-based security modelling
approach and alleviate the identified shortcomings, Sec-
tion 5 proposes an embedded policing and policy en-
forcement system architecture. This architecture pro-
vides a safety net against the harm that can be caused by
a compromised system component or malfunctioning in-
telligent vehicle service. It inspects the undergoing com-
munications of system resources, comparing them to ex-
pected benign system behaviours. In case of unexpected
behaviour caused by malfunction, malicious activity or
unauthorised access by a compromised application, the
system can take pro-active countermeasures as a fail-
over mechanism to confine, control and minimise phys-
ical damage and harm. Expected behaviours of the sys-
tem are defined as security policies, which can be updated
during the system life-cycle. The proposed policy-based
embedded security approach is transparent and indepen-
dent of existing system architectures as deployed at the
system communication layer. Therefore it compliments
the security extension (ARM TrustZone) of de-facto in-
dustry bus standard (ARM AMBA-AXI4). The proposed
approach can be integrated across different embedded
software stacks i.e. (bare-metal, embedded Linux, real-
time and AUTOSAR compliant operating systems).
5 Embedded policing and policy en-
forcement system architecture
To realise the proposed policing and policy enforcement
approach for next-generation vehicular electronics, Fig-
ure 4 presents a system architecture that uses Xilinx
Zynq UltraScale+ MPSoC platform architecture. This
platform provides diverse architectural features such as
re-configurable glue logic to implement and accelerate
domain-specific vehicle services; on-chip hardware se-
curity features such as cryptographic primitives, Physi-
cally Unclonable Function (PUF) and ARM TrustZone se-
curity extension to establish strong security foundation
and root-of-trust. The platform features versatile pro-
cessing capabilities. It has a quad-core ARM Cortex-A53
Application Processing Unit (APU) and a dual-core ARM
6
Figure 4: Block diagram of the policing and policy-based security platform architecture for next-generation in-
vehicle domain controllers.
Cortex-R5 Real-time Processing Unit (RPU) as shown in
Figure 4, suitable for general purpose and deterministic
time computing respectively [24].
For the proposed system architecture, it is assumed
that the untrusted software stack executes on the APU and
can access connected resources. This can involve exe-
cution of low risk ASIL-A or ASIL-B classified services
as defined by ISO 26262. On the other hand, tasks re-
lated to embedded security and policy enforcement such
as secure configuration, provisioning and management
are handled by the Platform Security Manager (i.e. one of
the available Real-time Processing Units RPUs). The rele-
vant software stack that runs on this RPU is considered
a trusted application. In addition, the second RPU can
be used to execute higher risk ASIL-C classified services,
that involve time or safety critical functions, including
ABS or air-bag system control.
The APU memory is composed of two levels of cache
(L1 and L2), while the RPU has a tightly-coupled mem-
ory (TCM). Both memories are physically isolated from
each other as illustrated in Figure 4, which ensures by
design that any untrusted application has no access to the
trusted application. This physical isolation and segrega-
tion assures that untrusted software services cannot read
and modify the trusted secure application running on the
platform security manager. This system security bound-
ary of the proposed architecture, highlighted in Figure 4,
provides strong physical isolation and overcomes a major
shortcoming of virtualised security architectures.
Embedded policing is an integral part of the proposed
security approach, that serves as a monitor that gathers
resource specific in-vehicle information. The proposed
architecture leverages the bus-based communication ar-
chitecture (ARM AMBA-AXI4), as a wide-range of attacks
and malfunction can manifest as abnormalities within
system-level communication traffic [32]. Abnormalities
and malfunctions of intelligent vehicle services are prop-
agated down to resources as AXI4 transactions. Policy en-
forcement can therefore be used to confirm whether is-
sued transactions correspond to healthy behaviour, de-
fined in the security policy.
According to ARM AMBA-AXI4 protocol specifica-
tion [24], five separate channels; address write, write data,
write response, address read and read data are used to
establish a communication link between a master and
slave system components. The xVALID and xREADY sig-
nals are used to establish master-slave handshake mech-
anism, while data exchange occurs when both VALID
and READY signals are high. In addition, the AXI4 pro-
tocol specification supports additional control and sta-
tus signals such as 3-bit AWPROT and ARPROT signal
of address write and address read channels to incorporate
system-level security [24]. The second bit of which is the
Non-Secure (NS)-bit that defines the security attribute of
the transaction. During system operation, these signals
propagate down through the system interconnect to the
FPGA glue logic to harness and maintain security which
is the working concept of ARM TrustZone Security Tech-
nology. The value of the NS-bit is used to virtually segre-
gates system resources into secure (0) and non-secure (1)
worlds used by ARM TrustZone technology. The 2-bits
RRESP and BRESP response signals of write response and
read data channel are used to acknowledge write and read
data transfers back to the host processor. The 2-bits value
of these response signals (OKAY, SLVERR, DECERR) is
used to inform the status back to the master, whether the
data transfer transaction is successfully completed or re-
sulted in error. However, if the NS-Bit, RRESP or BRESP
signals are exposed to the compromised software or ma-
licious hardware attack, as demonstrated in Figure 5 and
Figure 6. They can be exploited to launch a man-in-
the-middle, denial-of-service or slave impersonation at-
tacks [45]. To realise proposed embedded policing and
policy enforcement approach, the following hardware se-
curity components are essential as shown in Figure 4:
1. Security Policy Engine (SPE)
2. Bus Sanity Checker (SCK)
7
3. Anti-Tamper Engine (ATE)
4. Security Response Engine (SRE)
The AXI4-Lite interface allows configuration and man-
agement of each hardware security components via a
trusted application. This enables third-party vendors
and security architects to explicitly provision, implement
and maintain a security model during the system life-
cycle [49]. This provisioning can involve actions such
as explicitly disabling features and irrespective of soft-
ware services running on the system. The SPE and SCK
are implemented on FPGA glue logic and integrated as
a hardware component, while SRE and ATE utilise hard-
ware security features of MPSoC.
5.1 Security Policy Engine (SPE)
The SPE is designed to check the issued AXI4-bus trans-
actions, compare them against a list of approved masters
and their defined policies, and make a decision whether
to grant or limit access to an attached slave. The Fig-
ure 4 shows a distributed deployment of SPEs that ac-
tively police the communication between the system-bus
and slave peripherals including memory, sensors or ac-
tuators and enforce resource specific security measures.
The SPE is a four-stage pipeline architecture as illustrated
in Figure 4, comprising of the following five hardware
blocks:
1. Engine Configuration Block
2. AXI4-Sniffer
3. Device Table
4. Policy Table
5. Decision Block
5.1.1 Engine configuration block
This enables secure configuration of the SPE’s security
parameters by the Platform Security Manager, using the
AXI4-Lite interface as shown in Figure 4. This al-
lows configuring and updating security policies to de-
fine resource-specific access-control rights and safe be-
haviour.
5.1.2 AXI4-Sniffer
The role of AXI4-Sniffer is to ensure physical isolation be-
tween master and salve until the decision block either
grants or blocks access. For this purpose, it also main-
tains the compulsory handshake signals to ensure cor-
rect AXI4-bus operations. It samples master and slave
addresses using Once sampled, the address is passed to
the device table, shown in Figure 4. During this process,
it deassert the xVALID signals to the slave and xREADY
signals to the master to maintain physical isolation be-
tween the master and slave.
5.1.3 Device table
This contains a list of trusted masters with access permis-
sion to slaves. Each device table entry holds a base-address
of assigned policies in policy table, as shown in Figure. 4.
5.1.4 Policy table
The policy table contains fine-grained (register-specific)
security policies for each trusted master as shown in Fig-
ure 4. These policies can be simple as read and write
permissions to the memory and peripheral control regis-
ters, or security tailored AXI4 attributes (AxPROT). From
provisioning perspective, this allows secure and dynamic
provisioning capabilities for next-generation vehicular
electronics by defining policies, independent of silicon
manufacturers and third-party vendors.
5.1.5 Decision block
The decision block detects compromised service, malfunc-
tion or malicious activity, such as modification of security
attributes, as shown in Figure 5 and 6. It references ex-
pected security attributes from the Policy table, compares
against issued security attributes and makes a decision
as shown in Figure 4. The result is passed to the AXI4-
Sniffer which either grants or blocks access to the slave
and reporting slave’s health status to SRE to initiate pro-
active response.
5.2 Bus sanity checker (SCK)
The SCK is deployed at the interface of AMBA-AXI4
system-bus and the slaves as shown in Figure 4, to en-
sure the integrity of bus response channel signals issued
by slaves. These response channel signals are vulnera-
ble and can be exploited through a compromised slave
or malicious service as illustrated in Figure 6. These in-
clude main-in-the-middle and denial-of-service attacks.
The SCK is designed to detect and mitigate such at-
tacks [45]. SCK is composed of a three state finite-state
machine (FSM) and a programmable 32-bit timer, which
is accessible only by the Platform Security Manager. It
Figure 5: Logical isolation and segregation of slaves into
secure and non-secure zones based on the AXI4 security
attribute (NS-bit). This diagram shows the insider attack
(from PS to PL) scenarios [45]. Moreover, how SPE can be
used to detect such attacks and mitigate by the SRE.
8
Figure 6: This block diagram illustrates an insider attack
scenario (PL to PS) exploiting AXI4 write response and
read data channel signals (xRESP) [45]. How such attack
can be detected by SCK and curtailed by SRE.
has CONTROL and STATUS registers for enabling or dis-
abling the peripheral, alongside reading the real-time
system status reported by the SRE.
In case of (SLVERR or DECERR) attack, FSM moves from
NORMAL to DETECTION state, starting a free running
timer that decrements from a set value at each clock cy-
cle. If de-assertion of SLVERR or DECERR is detected before
time-out, FSM returns back to NORMAL state, otherwise
it moves to ATTACK state. The ATTACK state informs the
SRE to take programmed countermeasures. The OKAY at-
tack is detected by comparing the status of SRE and SCK.
5.3 Anti-tamper Engine (ATE)
The ATE enforces system level anti-tamper countermea-
sures initiated by the SRE. It also provides passive phys-
ical security protection against hardware level attacks,
such as side-channel analysis, by monitoring the physi-
cal parameters such as voltage and temperature. If the
system hardware violates the set conditions, a system ir-
regularity will be triggered, in the form of a system-level
interrupt. The following are anti-tamper features:
• Maintaining uninterrupted internal clock sources.
• Monitoring on single-event-upset to ensure fault tol-
erant execution during operational life-cycle.
• Voltage/temperature monitoring to ensure system
operation and resist against active hardware attacks.
5.4 Security Response Engine (SRE)
The SRE manages policy violations reported by the SPE
and SCK as illustrated in Figure 4, Figure 5 and Figure 6.
It initiates and enforces programmed pro-active coun-
termeasures against detected malicious activities. The
Zynq UltraScale+ MPSoC interrupt architecture has been
used, allowing communication of status, events, requests,
and errors within the heterogeneous processing system
as shown in Figure 7. The interrupt architecture sup-
ports private processor interrupts, for the APU and RPU,
and shared inter-processor interrupts (IPI) to exchange sta-
tus, events and errors. The IPI structure allows exchange
of interrupt-driven short messages using associated IPI
channels with the APU, RPU and PL. These IPI chan-
nels are used for sending messages and receiving re-
sponses across the system, without the complication of
autonomous read-write transactions and polling ineffi-
ciencies. In the SRE architecture, the APU interrupt
channel has been disabled explicitly, as shown in Fig-
ure 7, to physically prevent APU access at the architec-
ture’s security boundary.
The SRE architecture comprises of hardware and soft-
ware components, as shown in Figure 7. The hardware
component uses the described interrupt architecture to
receive the SPE and SCK status, in the form of policy vi-
olations at the RPU. The software component is a trusted
application that runs on the Platform Security Manager, al-
lowing enforcement of programmed pro-active counter-
measures against detected malicious activities. For low-
latency responses, the SRE uses Fast Interrupt Requests
(FIQs), which are of higher priority to normal Interrupt
Requests (IRQs). The trusted application comprises two
blocks of code as shown in Figure 7. The code block
SRE main() has initialisation, detection and response
software functions that enable necessary interrupts, sus-
pend normal RPU execution and execute the relevant in-
terrupt service routines SRE Response() to enforce the
defined pro-active fail-over responses. Peripheral-level re-
sponses that isolate or deactivate specific peripheral inter-
faces are realised by the SPE and SCK. The ATE is used
to realise system-level responses, which can include:
• Deletion of stored secret keys.
• Permanently disable cryptographic func-
tions/services.
• Disable compromised interfaces.
• Initiate secure system lock-down.
• Initiation system reset.
From a system-level perspective, the SRE provides a
holistic view of the system’s resources and integrity sta-
tus, detecting anomalous behaviours which would not be
Figure 7: Block diagram representation of interrupt-
based system architecture and pseudo code of Security
Response Engine (SRE).
9
Table 1: Synthesis results of proposed hardware components to realise policing approach on Zynq-7000 and Zynq
UltraScale+ MPSoC.
Hardware MPSoC Speed Area Frequency
Component Grade LUT LUTRAM FF BRAM (MHz)
SPE Zynq-7000 (28nm) -3 156 10 464 1 250
Zynq UltraScale+ EG (16nm) -3 185 10 464 1 300
SCK Zynq-7000 (28nm) -3 48 0 39 0 250
Zynq UltraScale+ EG (16nm) -3 56 0 39 0 333
possible using an atomistic view. This can be used to
robustly deploy system-level security measures, essen-
tial for next-generation vehicular electronics and domain
controllers.
6 Implementation Results
The proposed architecture has been coded in Verilog
HDL and simulated, synthesised and implemented us-
ing Xilinx Vivado v2018.4 on Zynq-7000 and Zynq Ul-
traScale+ MPSoC platforms. Table 1 reports the syn-
thesis results of the developed SPE and SCK hardware
security components to realise the proposed embedded
policing and policy enforcement approach. The SCK and
an instance of SPE consumes less than 1% of FPGA pro-
grammable logic resources. The device table has been im-
plemented using Distributed RAM, utilises 10 LUTRAM,
while the policy table use a BRAM, allowing storage up
to 1024 policies. The timing results show that the SPE
can operate at up to 250 MHz and 300 MHz on Artix-7
and Kintex UltraScale+ chips respectively. The proposed
approach can be integrated within any AMBA-AXI4 com-
pliant ASIC or SoC based embedded architecture. It can
be integrated into existing and next-generation vehicu-
lar electronics and domain controllers to incorporate fail-
over safety and enhance security.
7 Case Study: A connected Vehicle
A connected vehicle scenario has been undertaken as a
threat and security modelling case study. This encom-
passes both the creation of guideline and the proposed
policy-based security approaches. Smart and connected
vehicles feature an array of complex intelligent services
and interconnected systems having diverse safety-critical
requirements [50]. Examples include network connec-
tivity can be used for navigation and entertainment by
the user, telemetry and firmware update by the manu-
facturer, or to notify emergency services in event of an
accident.
Modern vehicles have been found vulnerable to at-
tacks, with potentially serious consequences. For exam-
ple, disabling of ECUs during operation has been shown
possible through CAN-bus tampering. By using a ma-
licious node to induce error messages, the selected con-
trollers can shut off once an error threshold is reached, as
per CAN protocol specification [51]. Furthermore, out-
sider attacks, launched by introducing malicious nodes
to the CAN network, may further tamper with CAN sig-
nals to induce errors, causing eventual shut-down of de-
vices [52].
Figure 8: Block diagram of multiple CAN nodes con-
nected via CAN bus. Each node has a dedicated CAN
transceiver and controller, connected to a shared AMBA-
AXI4 bus and susceptible to attacks.
For the purpose of covering the wider scope of this case
study, we have considered three operation modes under
which the vehicle may operate:
1. Normal: Standard drive or park modes.
2. Diagnostic: For authorised personnel.
3. Fail-safe: Reserved for safety-critical situations.
For following threat modelling processes within the ve-
hicle, the critical assets we have chosen to demonstrate
this example are the Electronic vehicle (EV)-ECU, elec-
tronic power steering (EPS), Engine, 3G/4G/WiFi commu-
nications, infotainment, door locks and safety critical de-
vices that fall under ASIL safety levels A-D, such as the
immobiliser, air-bags and brake control. For the speci-
fied vehicle modes, potential threats and corresponding
entry points have been identified in Table 2. STRIDE
threat analysis has been conducted to understand how
exploited threats can affect the system, while DREAD
risk-assessment has been used to analyse and quantify
the likelihood of occurrence and severity of the damage
in event of successful attack. In this case study, poli-
cies have been defined with read or write permissions.
However, complex behavioural or situation aware poli-
cies may also be derived. Policies can be dynamically up-
dated by the Platform Security Manager.
10
Table 2: Domain-specific threat modelling of a connected vehicle. The three vehicle modes and number of relevant
threats to each domain are considered. The domain critical assets are identified to derive policy-based security model
of different vehicle services.
Domain Vehicle Mode DREAD
Assets v J Y Entry Points Potential Threats STRIDE (Avg.) Policy
• Door locks Spoofed data over CANbus causing STD 8,5,4,6,4 (5.4) R
EV-ECU • Sensors disablement of ECU STD 8,5,4,6,4 (5.4) R
(accel, brake, • 3g/4g/wifi Disabled remote tracking system after theft SD 6,3,3,6,4 (4.4) RW
transmission) • 3g/4g/wifi Override of failsafe protections to reactivate vehicle STE 5,5,5,7,6 (5.6) R
EPS (Steering) • Any node EPS deactivation through compromised CAN node. STD 5,5,5,6,7 (5.6) R
Engine • Sensors Deactivation through compromised sensor STD 6,5,4,7,5 (5.4) R
• EV-ECU, Sensors Critical component modification during operation STIDE 7,5,5,9,4 (6.0) R
3G/4G/WiFi • Infotainment system Privacy attack using modified radio firmware TIE 7,5,5,6,5 (5.6) R
• Emergency, door locks Prevent operation of failsafe comms by TDE 6,6,7,8,6 (6.6) RW
• Sensors, Airbags disabling modem. TDE 6,6,7,8,6 (6.6) R
Infotainment • Media player browser Exploit to gain access to higher control level STE 7,5,6,8,6 (6.4) R
System • Sensors, EV-ECU Modification of vehicle status, GPS, speed, etc STR 3,5,6,4,5 (4.6) R
Door locks • 3g/4g/wifi, Manual open Unlock attempt while in motion TDE 8,5,3,8,5 (5.8) R
• 3g/4g/wifi Lock mechanism triggered during accident TDE 8,6,7,8,5 (6.8) W
Safety • Sensors False triggering of failsafe mode to unlock vehicle STE 7,4,5,8,4 (5.6) R
Critical • Sensors Disable alarm and locking system to allow theft TE 9,4,5,9,4 (6.2) W
v = Normal ; J = Diagnostics ; Y = Fail-safe
STRIDE: S=Spoofing ; T=Tampering ; R=Repudiation ; I=Information Disclosure ; D=Denial of service ; E=Elevation of Privilege.
DREAD: D=Damage ; R=Reproducibility ; E=Exploitability ; A=Affected Users ; D=Discoverability.
7.1 Threat and Security Modelling
Figure 8 shows a block diagram of several CAN nodes
connected through the CAN bus. It also shows the possi-
ble location of insider attacks caused by a compromised
node or malicious modules introduced to the CAN bus.
In this regard, a series of assets and corresponding threats
are identified in Table 2.
7.1.1 Guideline-based security model
Within a standard security modelling approach, the
threat scenarios in Table 2 can be approached using a
guideline-based security model. As an example within
the EV-ECU and infotainment threat scenarios, the fol-
lowing security model guidelines may be adhered to dur-
ing development.
• EV-ECU: Limitation of physical access to CAN-bus
and allow only authorised devices to connect. Allow
read-only access on diagnostic port.
• Infotainment system: Provide immediate system up-
dates when vulnerabilities are discovered.
• Infotainment system: Employ software protections
to prevent unauthorised software installation
As a consequence of adopting a guideline-based ap-
proach, the OEM would have to redesign relevant appli-
cations in line with new requirements before redeploy-
ment. In severe cases, a recall may be required to rectify
issues. Alternatively, the OEM may patch it through an
update and integrate fixes in the next product cycle.
7.1.2 Policy-based security model
Based on the proposed security modelling, new policies
can be introduced during the life-cycle of the embedded
device, in case of a threat being discovered. This is per-
formed through a trusted software update of the platform
security manager.This process is significantly faster and
less costly to implement than a product redesign or re-
call. Table 2 describes read and write policies that can be
enforced at peripheral entry points. Fine-grained policies
can also include:
• Infotainment system: Prevent software installations
initiated from the media display.
• Infotainment system: Enforce system command ac-
cess using SELinux-based policies.
• CAN nodes: Enforce CAN ID verification at read and
write filters within controller (Section 7.2).
By utilising the policy-based approach, the OEM is not
limited to addressing threats during design only. Upon
detection of a new threat, policies can be defined to mit-
igate the attack and be distributed through a policy up-
date. The modelling, implementation, testing, verifica-
tion and deployment process has potential to be more
effective than the necessary actions within a standard
guideline-based approach.
7.2 Pro-active Policing and Policy enforce-
ment
The concept of enforcement is a vital aspect of the pro-
posed policy-based security modelling approach. The
CAN-bus presents a security challenge, being vulnerable
to attack as shown in Figure 8. Within a regular CAN
node, the CAN controller utilises a software-based filter,
programmed using an application and as such may be
vulnerable to software layer attacks, such as firmware
modification or signal-level error inducing attacks, that
cause eventual shut-down of CAN-based devices [52]. A
CAN Security Enhancement (CAN-SE) is shown in Fig-
ure 9. It monitors issued read/write CAN messages, fil-
tering them based on message IDs using hardware-based
read/write filters to detect malfunction or malicious activ-
ity. It consists of the following hardware components:
11
Figure 9: Block diagram of CAN node with integrated
hardware-based policy engine that filters incoming and
outgoing CAN messages.
• Approved read/write lists: Hardware components
hold a list of approved CAN messages IDs to block
malicious CAN messages originating either from a
compromised or an introduced malicious node.
• Error Limit Check: Hardware-based transmit/receive
components measure the number of errors intro-
duced within the CAN bus network, notifying the
presence of a malicious node to the SRE.
• Decision Block: This references an approved list of
message IDs, compares it to issued/received messages
and grants or blocks access as shows in Figure. 9.
Once the sanity check is completed, CAN messages can
be either be used by the local CAN node (read) or sent
(write) to the CAN bus to be utilised by other nodes thus,
suppressing insider and outsider attacks to the CAN bus.
8 Conclusion and future work
The paper has discussed technological advancements in
embedded system architectures and the opportunities
they bring to vehicle manufacturers to consolidate di-
verse intelligent vehicular services into smaller, flexible
and integrable vehicular electronics and domain con-
trollers. However, digital-physical convergence, mixture
of critical and non-critical, secure and non-secure vehi-
cle services and shortcomings in existing embedded se-
curity approaches present significant challenges. Seri-
ous security and safety concerns are inevitable particu-
larly where malicious events or malfunction of intelli-
gent vehicle services occur. This work has proposed a
novel pro-active policing and policy-based security plat-
form architecture for next-generation in-vehicle domain
controllers, providing a pro-active fail-over mechanism
for intelligent vehicle services. This security platform
continuously monitors system bus-level communications
to detect unexpected and malicious behaviours and pro-
actively respond against such activities to control, con-
fine and minimise physical damage and harm to passen-
gers and pedestrians. The proposed architecture has been
prototyped and verified on Avnet UltraZed and Zed-
board development boards.
An agile policy-based security modelling approach
has been proposed to model and integrate the proposed
policy-based security approach using existing security
modelling methods. A realistic connected vehicle case
study has been presented to highlight and demonstrate
its flexibility and how it can be integrated within the ex-
isting secure development life-cycle and security design
practices. A detailed domain-specific threat modelling of
a connected vehicle case study has been conducted using
STRIDE and DREAD risk assessment models to derive se-
curity policies and enforced by the platform. In contrast
to a guideline-based approach, this provide opportuni-
ties to realise adaptable system security, implementing
diverse use case security requirements without the need
to redesign the underlying security architecture.
The presented work will be extended to gain and
achieve contextual-based vehicle access control, thus
enabling enforcement of system-level behavioural poli-
cies.
References
[1] R. Coppola and M. Morisio, “Connected Car: Tech-
nologies, Issues, Future Trends,” ACM Comput.
Surv., vol. 49, no. 3, pp. 46:1–46:36, 2016.
[2] A. Koesdwiady, R. Soua, and F. Karray, “Improving
traffic flow prediction with weather information in
connected cars: A deep learning approach,” IEEE
Trans. Veh. Technol., vol. 65, no. 12, pp. 9508–9517,
2016.
[3] Xilinx, “Xilinx Automotive - Flexible Solutions Be-
yond Silicon,” Xilinx Inc., Tech. Rep., 2018.
[4] K. Koscher, A. Czeskis, F. Roesner, S. Patel, T. Kohno,
S. Checkoway, D. McCoy, B. Kantor, D. Anderson,
H. Shacham, and S. Savage, “Experimental secu-
rity analysis of a modern automobile,” in Proc. IEEE
Symposium on Security and Privacy (SP), Oakland,
USA, May 2010, pp. 447–462.
[5] S. Woo, H. J. Jo, and D. H. Lee, “A Practical Wireless
Attack on the Connected Car and Security Protocol
for In-Vehicle CAN,” IEEE Trans. Intell. Transp. Syst.,
vol. 16, no. 2, pp. 993–1006, Apr. 2015.
[6] R. Currie, “Hacking the CAN Bus: Basic Manipula-
tion of a Modern Automobile Through CAN Bus Re-
verse Engineering,” SANS Institute: InfoSec Read-
ing Room, Tech. Rep., May 2017.
12
[7] D. Reinhardt and M. Kucera, “Domain Controlled
Architecture-A New Approach for Large Scale
Software Integrated Automotive Systems,” PECCS,
vol. 13, pp. 221–226, 2013.
[8] ARM, “Then, Now and the Future of the Car Cock-
pit,” Tech. Rep.
[9] R. Rajkumar, I. Lee, L. Sha, and J. Stankovic, “Cyber-
physical systems: The next computing revolution,”
in Design Automation Conference, Jun. 2010, pp.
731–736.
[10] A. Lima, F. Rocha, M. Vo¨lp, and P. Esteves-
Verı´ssimo, “Towards Safe and Secure Autonomous
and Cooperative Vehicle Ecosystems,” in Proceed-
ings of the 2Nd ACM Workshop on Cyber-Physical Sys-
tems Security and Privacy, New York, NY, USA, 2016,
pp. 59–70.
[11] R. Charette, “This car runs on code,” IEEE Spec-
trum, Feature: Transportation: Systems, Feb. 2009.
[12] P. Gai and M. Violante, “Automotive embedded soft-
ware architecture in the multi-core age,” in Proc.
21st IEEE European Test Symposium (ETS), Amster-
dam, Netherlands, May 2016, pp. 1–8.
[13] S.-H. Kim, S.-H. Seo, J.-H. Kim, T.-M. Moon, C.-W.
Son, S.-H. Hwang, and J. W. Jeon, “A gateway system
for an automotive system: Lin, can, and flexray,”
in Proc. 6th IEEE International Conference on Indus-
trial Informatics (INDIN), Daejeon, South Korea, Jul.
2008, pp. 967–972.
[14] C. Sitawarin, A. N. Bhagoji, A. Mosenia, M. Chiang,
and P. Mittal, “DARTS: Deceiving Autonomous Cars
with Toxic Signs,” CoRR, vol. abs/1802.06430, 2018.
[15] F. Siddiqui, S. Amiri, U. I. Minhas, T. Deng,
R. Woods, K. Rafferty, and D. Crookes, “FPGA-Based
Processor Acceleration for Image Processing Appli-
cations,” Journal of Imaging, vol. 5, no. 1, 2019.
[16] M. Amiri, F. M. Siddiqui, C. Kelly, R. Woods, K. Raf-
ferty, and B. Bardak, “FPGA-Based Soft-Core Pro-
cessors for Image Processing Applications,” Journal
of Signal Processing Systems, vol. 87, no. 1, pp. 139–
156, Apr. 2017.
[17] E. Ohn-Bar and M. M. Trivedi, “Looking at Humans
in the Age of Self-Driving and Highly Automated
Vehicles,” IEEE Trans. Intell. Veh., vol. 1, no. 1, pp.
90–104, 2016.
[18] “Road vehicles – Functional safety – Part 1: Vocab-
ulary,” International Organization for Standardiza-
tion (ISO), Geneva, CH, Standard, Nov. 2011.
[19] G. Velez, A. Corte´s, M. Nieto, I. Ve´lez, and
O. Otaegui, “A Reconfigurable Embedded Vision
System for Advanced Driver Assistance,” Journal of
Real-Time Image Processing (JRTIP), vol. 10, no. 4,
pp. 725–739, 2015.
[20] N. Papernot, P. D. McDaniel, A. Sinha, and
M. P. Wellman, “Towards the Science of Secu-
rity and Privacy in Machine Learning,” CoRR, vol.
abs/1611.03814, 2016.
[21] F. M. Siddiqui, M. Russell, B. Bardak, R. Woods, and
K. Rafferty, “IPPro: FPGA based image processing
processor,” in 2014 IEEE Workshop on Signal Process-
ing Systems (SiPS), Oct 2014, pp. 1–6.
[22] S. Shreejith and S. A. Fahmy, “Extensible FlexRay
Communication Controller for FPGA-Based Auto-
motive Systems,” IEEE Trans. Veh. Technol., vol. 64,
no. 2, pp. 453–465, Feb. 2015.
[23] (2018) Functional Safety: Highest Level
of Safety and Reliability. [Online]. Avail-
able: https://www.xilinx.com/applications/
industrial/functional-safety.html
[24] Xilinx, “Zynq UltraScale+ MPSoC Embedded De-
sign Methodology Guide,” Xilinx Inc., User Guide:
UG1228 (v1.0), 2017.
[25] S. Pinto and N. Santos, “Demystifying Arm Trust-
Zone: A Comprehensive Survey,” ACM Comput.
Surv., vol. 51, no. 6, pp. 130:1–130:36, Jan. 2019.
[26] M. Howard and S. Lipner, The Security Development
Lifecycle. Redmond, WA, USA: Microsoft Press,
2006.
[27] C. Yue, Z. Yulong, W. Zhi, and W. Tao, “Downgrade
Attack on TrustZone,” Computing Reseach Repository
(CoRR), Jul. 2017.
[28] N. Jacob, J. Heyszl, A. Zankl, C. Rolfes, and G. Sigl,
“How to Break Secure Boot on FPGA SoCs Through
Malicious Hardware,” in International Conference
on Cryptographic Hardware and Embedded Systems
(CHES 2017), Taipei, Taiwan, Sep. 2017, pp. 425 –
442.
[29] Z. Ning and F. Zhang, “Understanding the security
of arm debugging features,” Proceedings - IEEE Sym-
posium on Security and Privacy, May 2019.
[30] D. Arora, S. Ravi, A. Raghunathan, and N. K. Jha,
“Secure embedded processing through hardware-
assisted run-time monitoring,” in Design, Automa-
tion and Test in Europe, Mar. 2005, pp. 178–183 Vol.
1.
[31] P. Maene, J. Gotzfried, T. Muller, R. de Clercq,
F. Freiling, and I. Verbauwhede, “Atlas: Appli-
cation Confidentiality in Compromised Embedded
Systems,” IEEE Trans. Depend. Sec. Comput., pp. 1–
1, 2018.
[32] J. Coburn, S. Ravi, A. Raghunathan, and S. Chakrad-
har, “SECA: Security-enhanced Communication Ar-
chitecture,” in Proceedings of the 2005 International
Conference on Compilers, Architectures and Synthesis
for Embedded Systems, ser. CASES ’05, New York, NY,
USA, 2005, pp. 78–89.
13
[33] P. Cotret, G. Gogniat, and M. J. S. Flo´rez, “Protec-
tion of heterogeneous architectures on FPGAs: An
approach based on hardware firewalls,” Micropro-
cessors and Microsystems, vol. 42, pp. 127 – 141, May
2016.
[34] F. Siddiqui, M. Hagan, and S. Sezer, “Establish-
ing Cyber Resilience in Embedded Systems for Se-
curing Next-Generation Critical Infrastructure,” in
Proc. 32st IEEE International System-on-Chip Confer-
ence (SOCC), Singapore, Sep. 2019.
[35] C. Valasek and C. Miller, “Remote Exploitation of an
Unaltered Passenger Vehicle,” 2015.
[36] “Cybersecurity Guidebook for Cyber-Physical Ve-
hicle Systems,” SAE International, Tech. Rep.,
2016. [Online]. Available: https://saemobilus.sae.
org/content/j3061 201601
[37] G. Macher, E. Armengaud, E. Brenner, and
C. Kreiner, “Threat and risk assessment methodolo-
gies in the automotive domain,” Procedia Computer
Science, vol. 83, pp. 1288 – 1294, 2016.
[38] C. McCarthy, K. Harnett, and A. Carter, “Character-
ization of potential security threats in modern au-
tomobiles: A composite modeling approach,” U.S.
Department of Transportation: National Highway
Traffic Safety Administration, Tech. Rep., Oct. 2014.
[39] D. Dominic, S. Chhawri, R. M. Eustice, D. Ma, and
A. Weimerskirch, “Risk assessment for cooperative
automated driving,” in Proc. of 2nd ACM Workshop
on Cyber-Physical Systems Security and Privacy (CPS-
SPC), Oct. 2016, pp. 47–58.
[40] T. Benjamin, B.-A. Morteza, and S. Zoran, “Towards
decentralized system-level security for MPSoC-
based embedded applications,” Journal of Systems
Architecture, vol. 80, pp. 41 – 55, Oct. 2017.
[41] N. Akatyev and J. I. James, “Evidence identification
in IoT networks based on threat assessment,” Future
Generation Computer Systems, 2017.
[42] S. Ray, E. Peeters, M. M. Tehranipoor, and S. Bhu-
nia, “System-on-chip platform security assurance:
Architecture and validation,” Proc. IEEE, vol. 106,
no. 1, pp. 21–37, Jan. 2018.
[43] (2016) Cyber Threat Modeling: An Evalua-
tion of Three Methods. [Online]. Available:
https://insights.sei.cmu.edu/sei blog/2016/11/
cyber-threat-modeling-an-evaluation-of-three-methods.
html
[44] F. Siddiqui, M. Hagan, and S. Sezer, “Embedded
policing and policy enforcement approach for fu-
ture secure IoT technologies,” in Living in the Inter-
net of Things: Cybersecurity of the IoT - 2018, March
2018, pp. 1–10.
[45] F. Siddiqui, M. Hagan, and S. Sezer, “Pro-Active
Policing and Policy Enforcement Architecture for
Securing MPSoCs,” in 2018 31st IEEE International
System-on-Chip Conference (SOCC), Sep. 2018, pp.
140–145.
[46] M. Hagan, F. Siddiqui, and S. Sezer, “Policy-
Based Security Modelling and Enforcement Ap-
proach for Emerging Embedded Architectures,” in
2018 31st IEEE International System-on-Chip Confer-
ence (SOCC), Sep. 2018, pp. 84–89.
[47] GlobalPlatform, “Introduction to Device Trust
Archietcture,” Tech. Rep.
[48] D. Meng, R. Hou, G. Shi, B. Tu, A. Yu, Z. Zhu,
X. Jia, and P. Liu, “Security-first architecture: de-
ploying physically isolated active security proces-
sors for safeguarding the future of computing,” Cy-
bersecurity, vol. 1, no. 1, p. 2, Jun 2018.
[49] N. Jacob, J. Wittmann, J. Heyszl, R. Hesselbarth,
F. Wilde, M. Pehl, G. Sigl, and K. Fischer, “Se-
curing FPGA SoC configurations independent of
their manufacturers,” in Proc. 30th IEEE Interna-
tional System-on-Chip Conference (SOCC), Munich,
Germany, Sep. 2017, pp. 114 – 119.
[50] E. Uhlemann, “Introducing Connected Vehicles
[Connected Vehicles],” IEEE Trans. Veh. Technol.,
vol. 10, no. 1, pp. 23–31, 2015.
[51] A. Palanca, E. Evenchick, F. Maggi, and S. Zanero,
“A Stealth, Selective, Link-Layer Denial-of-Service
Attack Against Automotive Networks,” in Detection
of Intrusions and Malware, and Vulnerability Assess-
ment.
[52] D. Lyu, L. Xue, L. Yu, and X. Luo, “Remote Attacks
on Vehicles by Exploiting Vulnerable Telematics,”
2016.
14
