Securing SOME/IP for In-Vehicle Service Protection

Although high-speed in-vehicle networks are being increasingly adopted by the industry to support emerging use cases, previous research already demonstrated that car hacking is a real threat. This paper formalizes a novel framework proposed to provide improved security to the emerging SOME/IP middleware, without introducing at the same time limitations in the communication patterns available. Most notably, the entire traffic matrix is designed to be configured using simple high-level rules, clearly stating who can talk to whom according to the service abstraction adopted by SOME/IP. Three incremental security levels are made available, accounting for different services being associated with different requirements. The core security protocol, encompassing a session establishment phase followed by the transmission of secured SOME/IP messages, has been formally verified, to prove its correctness in terms of authentication and secrecy properties. Performance-wise, in-depth experimental evaluations conducted with an extended version of vsomeip confirmed the introduction of quite limited penalties compared to the bare unsecured implementation

Sécurité et protection de la vie privée dans les systèmes embarqués automobiles

Electronic equipment has become an integral part of a vehicle's network architecture, which consists of multiple buses and microcontrollers called Electronic Control Units (ECUs). These ECUs recently also connect to the outside world. Navigation and entertainment system, consumer devices, and Car2X functions are examples for this. Recent security analyses have shown severe vulnerabilities of exposed ECUs and protocols, which may make it possible for attackers to gain control over a vehicle. Given that car safety-critical systems can no longer be fully isolated from such third party devices and infotainment services, we propose a new approach to securing vehicular on-board systems that combines mechanisms at different layers of the communication stack and of the execution platforms. We describe our secure communication protocols, which are designed to provide strong cryptographic assurances together with an efficient implementation fitting the prevalent vehicular communication paradigms. They rely on hardware security modules providing secure storage and acting as root of trust. A distributed data flow tracking based approach is employed for checking code execution against a security policy describing authorized communication patterns. Binary instrumentation is used to track data flows throughout execution (taint engine) and also between control units (middleware), thus making it applicable to industrial applications. We evaluate the feasibility of our mechanisms to secure communication on the CAN bus, which is ubiquitously implemented in cars today. A proof of concept demonstrator also shows the feasibility of integrating security features into real vehicles.L'équipement électronique de bord est maintenant devenue partie intégrante de l'architecture réseau des véhicules. Elle s’appuie sur l'interconnexion de microcontroleurs appelés ECUs par des bus divers. On commence maintenant à connecter ces ECUs au monde extérieur, comme le montrent les systèmes de navigation, de divertissement, ou de communication mobile embarqués, et les fonctionnalités Car2X. Des analyses récentes ont montré de graves vulnérabilités des ECUs et protocoles employés qui permettent à un attaquant de prendre le contrôle du véhicule. Comme les systèmes critiques du véhicule ne peuvent plus être complètement isolés, nous proposons une nouvelle approche pour sécuriser l'informatique embarquée combinant des mécanismes à différents niveaux de la pile protocolaire comme des environnements d'exécution. Nous décrivons nos protocoles sécurisés qui s'appuient sur une cryptographie efficace et intégrée au paradigme de communication dominant dans l'automobile et sur des modules de sécurité matériels fournissant un stockage sécurisé et un noyau de confiance. Nous décrivons aussi comment surveiller les flux d'information distribués dans le véhicule pour assurer une exécution conforme à la politique de sécurité des communications. L'instrumentation binaire du code, nécessaire pour l’industrialisation, est utilisée pour réaliser cette surveillance durant l’exécution (par data tainting) et entre ECUs (dans l’intergiciel). Nous évaluons la faisabilité de nos mécanismes pour sécuriser la communication sur le bus CAN aujourd'hui omniprésent dans les véhicules. Une preuve de concept montre aussi la faisabilité d'intégrer des mécanismes de sécurité dans des véhicules réels

Remote software upload techniques in future vehicles and their performance analysis

Updating software in vehicle Electronic Control Units (ECUs) will become a mandatory requirement for a variety of reasons, for examples, to update/fix functionality of an existing system, add new functionality, remove software bugs and to cope up with ITS infrastructure. Software modules of advanced vehicles can be updated using Remote Software Upload (RSU) technique. The RSU employs infrastructure-based wireless communication technique where the software supplier sends the software to the targeted vehicle via a roadside Base Station (BS). However, security is critically important in RSU to avoid any disasters due to malfunctions of the vehicle or to protect the proprietary algorithms from hackers, competitors or people with malicious intent. In this thesis, a mechanism of secure software upload in advanced vehicles is presented which employs mutual authentication of the software provider and the vehicle using a pre-shared authentication key before sending the software. The software packets are sent encrypted with a secret key along with the Message Digest (MD). In order to increase the security level, it is proposed the vehicle to receive more than one copy of the software along with the MD in each copy. The vehicle will install the new software only when it receives more than one identical copies of the software. In order to validate the proposition, analytical expressions of average number of packet transmissions for successful software update is determined. Different cases are investigated depending on the vehicle\u27s buffer size and verification methods. The analytical and simulation results show that it is sufficient to send two copies of the software to the vehicle to thwart any security attack while uploading the software. The above mentioned unicast method for RSU is suitable when software needs to be uploaded to a single vehicle. Since multicasting is the most efficient method of group communication, updating software in an ECU of a large number of vehicles could benefit from it. However, like the unicast RSU, the security requirements of multicast communication, i.e., authenticity, confidentiality and integrity of the software transmitted and access control of the group members is challenging. In this thesis, an infrastructure-based mobile multicasting for RSU in vehicle ECUs is proposed where an ECU receives the software from a remote software distribution center using the road side BSs as gateways. The Vehicular Software Distribution Network (VSDN) is divided into small regions administered by a Regional Group Manager (RGM). Two multicast Group Key Management (GKM) techniques are proposed based on the degree of trust on the BSs named Fully-trusted (FT) and Semi-trusted (ST) systems. Analytical models are developed to find the multicast session establishment latency and handover latency for these two protocols. The average latency to perform mutual authentication of the software vendor and a vehicle, and to send the multicast session key by the software provider during multicast session initialization, and the handoff latency during multicast session is calculated. Analytical and simulation results show that the link establishment latency per vehicle of our proposed schemes is in the range of few seconds and the ST system requires few ms higher time than the FT system. The handoff latency is also in the range of few seconds and in some cases ST system requires less handoff time than the FT system. Thus, it is possible to build an efficient GKM protocol without putting too much trust on the BSs

Modeling a Consortium-based Distributed Ledger Network with Applications for Intelligent Transportation Infrastructure

Emerging distributed-ledger networks are changing the landscape for environments of low trust among participating entities. Implementing such technologies in transportation infrastructure communications and operations would enable, in a secure fashion, decentralized collaboration among entities who do not fully trust each other. This work models a transportation records and events data collection system enabled by a Hyperledger Fabric blockchain network and simulated using a transportation environment modeling tool. A distributed vehicle records management use case is shown with the capability to detect and prevent unauthorized vehicle odometer tampering. Another use case studied is that of vehicular data collected during the event of an accident. It relies on broadcast data collected from the Vehicle Ad-hoc Network (VANET) and submitted as witness reports from nearby vehicles or road-side units who observed the event taking place or detected misbehaving activity by vehicles involved in the accident. Mechanisms for the collection, validation, and corroboration of the reported data which may prove crucial for vehicle accident forensics are described and their implementation is discussed. A performance analysis of the network under various loads is conducted with results suggesting that tailored endorsement policies are an effective mechanism to improve overall network throughput for a given channel. The experimental testbed shows that Hyperledger Fabric and other distributed ledger technologies hold promise for the collection of transportation data and the collaboration of applications and services that consume it

Security and Trust in Safety Critical Infrastructures

Critical infrastructures such as road vehicles and railways are undergoing a major change, which increases the dependency of their operation and control on Information Technology (IT) and makes them more vulnerable to malicious intent. New complex communication infrastructures emerge using the increased connectivity of these safety-critical systems to enable efficient management of operational processes, service provisioning, and information exchange for various (third-party) actors. Railway Command and Control Systems (CCSs) turn with the introduction of digital interlocking into an “Internet of Railway Things”, where safety-critical railway signaling components are deployed on common-purpose platforms and connected via standard IP-based networks. Similarly, the mass adoption of Electric Vehicles (EVs) and the need to supply their batteries with energy for charging has given rise to a Vehicle-to-Grid (V2G) infrastructure, which connects vehicles to power grids and multiple service providers to coordinate charging and discharging processes and maintain grid stability under varying power demands. The Plug-and-Charge feature brought in by the V2G communication standard ISO 15118 allows an EV to access charging and value-added services, negotiate charging schedules, and support the grid as a distributed energy resource in a largely automated way, by leveraging identity credentials installed in the vehicle for authentication and payment. The fast deployment of this advanced functionality is driven by economical and political decisions including the EU Green Deal for climate neutrality. Due to the complex requirements and long standardization and development cycles, the standards and regulations, which play the key role in operating and protecting critical infrastructures, are under pressure to enable the timely and cost-effective adoption. In this thesis, we investigate security and safety of future V2G and railway command and control systems with respect to secure communication, platform assurance as well as safety and security co-engineering. One of the major goals in this context is the continuous collaboration and establishment of the proposed security solutions in upcoming domain-specific standards, thus ensuring their practical applicability and prompt implementation in real-world products. We first analyze the security of V2G communication protocols and requirements for secure service provisioning via charging connections. We propose a new Plug-and-Patch protocol that enables secure update of EVs as a value-added service integrated into the V2G charging loop. Since EVs can also participate in energy trading by storing and feeding previously stored energy to grid, home, or other vehicles, we then investigate fraud detection methods that can be employed to identify manipulations and misbehaving users. In order to provide a strong security foundation for V2G communications, we propose and analyze three security architectures employing a hardware trust anchor to enable trust establishment in V2G communications. We integrate these architectures into standard V2G protocols for load management, e-mobility services and value-added services in the V2G infrastructure, and evaluate the associated performance and security trade-offs. The final aspect of this work is safety and security co-engineering, i.e., integration of safety and security processes vital for the adequate protection of connected safety-critical systems. We consider two application scenarios, Electric Vehicle Charging System (EVCS) and Object Controller (OC) in railway CCS, and investigate how security methods like trusted computing can be applied to provide both required safety and security properties. In the case of EVCS, we bind the trust boundary for safety functionality (certified configuration) to the trust boundary in the security domain and design a new security architecture that enforces safety properties via security assertions. For the railway use case, we focus on ensuring non-interference (separation) between these two domains and develop a security architecture that allows secure co-existence of applications with different criticality on the same hardware platform. The proposed solutions have been presented to the committee ISO/TC 22/SC 31/JWG 1 that develops the ISO 15118 standard series and to the DKE working group “Informationssicherheit für Elektromobilität” responsible for the respective application guidelines. Our security extension has been integrated in the newest edition ISO 15118-20 released in April 2022. Several manufacturers have already started concept validation for their future products using our results. In this way, the presented analyses and techniques are fundamental contributions in improving the state of security for e-mobility and railway applications, and the overall resilience of safety-critical infrastructures to malicious attacks

Demystifying Internet of Things Security

Break down the misconceptions of the Internet of Things by examining the different security building blocks available in Intel Architecture (IA) based IoT platforms. This open access book reviews the threat pyramid, secure boot, chain of trust, and the SW stack leading up to defense-in-depth. The IoT presents unique challenges in implementing security and Intel has both CPU and Isolated Security Engine capabilities to simplify it. This book explores the challenges to secure these devices to make them immune to different threats originating from within and outside the network. The requirements and robustness rules to protect the assets vary greatly and there is no single blanket solution approach to implement security. Demystifying Internet of Things Security provides clarity to industry professionals and provides and overview of different security solutions What You'll Learn Secure devices, immunizing them against different threats originating from inside and outside the network Gather an overview of the different security building blocks available in Intel Architecture (IA) based IoT platforms Understand the threat pyramid, secure boot, chain of trust, and the software stack leading up to defense-in-depth Who This Book Is For Strategists, developers, architects, and managers in the embedded and Internet of Things (IoT) space trying to understand and implement the security in the IoT devices/platforms

QuantumCharge: Post-Quantum Cryptography for Electric Vehicle Charging

ISO 15118 enables charging and billing of Electric Vehicles (EVs) without user interaction by using locally installed cryptographic credentials that must be secure over the long lifetime of vehicles. In the dawn of quantum computers, Post-Quantum Cryptography (PQC) needs to be integrated into the EV charging infrastructure. In this paper, we propose QuantumCharge, a PQC extension for ISO 15118, which includes concepts for migration, crypto-agility, verifiable security, and the use of PQC-enabled hardware security modules. Our prototypical implementation and the practical evaluation demonstrate the feasibility, and our formal analysis shows the security of QuantumCharge, which thus paves the way for secure EV charging infrastructures of the future