Improving Safety of an Automotive AES-GCM Core and its Impact on Side-Channel Protection

O incremento do número de componentes eletrónicos e o correspondente aumento do fluxo de dados no setor automóvel levou a uma preocupação crescente com a garantia de segurança dos sistemas eletrónicos, especialmente em sistemas críticos cuja violação seja passível de colocar em causa a integridade do sistema e a segurança das pessoas. A utilização de sistemas que implementam o Advanced Encryption Standard (AES) foi vista como uma solução para este problema, impedindo o acesso indevido aos dados dos veículos, através da sua encriptação. O algoritmo AES não possui atualmente nenhuma vulnerabilidade efetiva, mas o mesmo não acontece com as suas implementações, as quais estão sujeitas a ataques ditos side-channel, onde informações que resultam da operação destas implementações são exploradas na tentativa de descobrir os dados encriptados. A aplicação de núcleos IP no setor automóvel requer que as suas implementações cumpram a norma ISO-26262 de forma a garantir que a sua operação não compromete a segurança do veículo e dos ocupantes. Este cumprimento implica alterações na arquitetura dos sistemas que podem influenciar as características de operação que são normalmente exploradas em ataques para obter informação que eventualmente permita ganhar conhecimento sobre os dados encriptados. Assim, o desenvolvimento das componentes de segurança, na perspetiva da segurança informática da informação e no que se refere à segurança de operação do veículo e dos seus ocupantes, que são ainda consideradas como componentes independentes, podem na verdade estar relacionadas, já que as melhorias introduzidas para incrementar a resiliência a falhas e consequentemente a integridade de operação dos sistemas, podem aumentar a fragilidade do sistema a ataques que comprometam a segurança informática dos dados. O presente trabalho tem como objetivo desenvolver uma arquitetura capaz de atingir as métricas para o nível mais alto de certificação em segurança de acordo com a norma ISSO-26262 (certificação ASIL-D), a partir de uma arquitetura já existente, e comparar as duas arquiteturas em termos de vulnerabilidade a ataques ditos side-channel que exploram o seu consumo de potência dinâmica. Os resultados demonstram que para a arquitetura ASIL-D a identificação de pontos de interesse e de dados relevantes no consumo de potência é mais evidente, o que sugere existir uma maior vulnerabilidade da arquitetura desenvolvida a ataques informáticos desenvolvidos por esse processo.The increase in electronic components and the corresponding increment in the data flow among electronic systems in automotive applications made security one of the main concerns in this sector. The use of IP cores that implement the Advanced Encryption Standard (AES) was seen as a solution to this problem, preventing improper access to vehicle data, through its encryption. The AES algorithm does not currently have any effective vulnerability, but the same does not happen with its implementations, which are subject to side-channel attacks, where information that results from the operation of these implementations is exploited in an attempt to discover the encrypted data. The application of IP cores in the automotive sector requires that the implementations comply with the ISO-26262 standard in order to ensure that their operation does not compromise the vehicle's safety. This compliment implies changes in the core architecture that can influence the characteristics of operation that are normally exploited in attacks. Thus, the development of safety and security components in the automotive sector, which are still considered as independent processes, may be related because safety improvements may cause changes in the system's vulnerability to attacks that can compromise its security. This work aims to develop an architecture capable of reaching the metrics for the highest level of safety certification (ASIL-D), based on an existing architecture, and compare the two architectures in terms of vulnerability to side-channel attacks that exploit their dynamic power consumption. The results show that for the ASIL-D architecture, the identification of points of interest and relevant data on the power consumption traces is more evident, which suggests greater effectiveness of the attacks performed in this architecture

A Novel ISO 26262-Compliant Test Bench to Assess the Diagnostic Coverage of Software Hardening Techniques against Digital Components Random Hardware Failures

This paper describes a novel approach to assess detection mechanisms and their diagnostic coverage, implemented using embedded software, designed to identify random hardware failures affecting digital components. In the literature, many proposals adopting fault injection methods are available, with most of them focusing on transient faults and not considering the functional safety standards requirements. This kind of proposal can benefit developers involved in the automotive market, where strict safety and cost requirements make the adoption of software-only strategies convenient. Hence, we have focused our efforts on compliance with the ISO 26262 automotive functional safety standard. The approach concerns permanent faults affecting microcontrollers and it provides a mapping between the failure mode described in part 11 of the Standard and the chosen fault models. We propose a test bench designed to inject permanent failures into an emulated microcontroller and determine which of them are detected by the embedded software. The main contribution of this paper is a novel fault injection manager integrated with the open-source software GCC, GDB, and QEMU. This test bench manages all the assessment phases, from fault generation to fault injection and the ISA emulation management, up to the classification of the simulation results

Optimizing the Automotive Security Development Process in Early Process Design Phases

Security is a relatively new topic in the automotive industry. In the former days, the only security defense methods were the engine immobilizer and the anti-theft alarm system. The rising connection of vehicles to external networks made it necessary to extend the security effort by introducing security development processes. These processes include, amongothers, risk analysis and treatment steps. In parallel, the development of ISO/SAE 21434 and UN-ECE No. R155 started. The long development cycles in the automotive industry made it necessary to align the development processes' early designs with the standards' draft releases. This work aims to design a new consistent, complete and efficient security development process, aligned with the normative references. The resulting development process design aligns with the overall development methodology of the underlying, evaluated development process. Use cases serve as a basis for evaluating improvements and the method designs. This work concentrates on the left leg of the V-Model. Nevertheless, future work targets extensions for a holistic development approach for safety and security.:I. Foundation 1. Introduction 2. Automotive Development 3. Methodology II. Meta-Functional Aspects 4. Dependability as an Umbrella-Term 5. Security Taxonomy 6. Terms and Definitions III. Security Development Process Design 7. Security Relevance Evaluation 8. Function-oriented Security Risk Analysis 9. Security Risk Analysis on System Level 10. Risk Treatment IV. Use Cases and Evaluation 11. Evaluation Criteria 12. Use Case: Security Relevance Evaluation 13. Use Case: Function-oriented Security Risk Analysis 14. Use Case: System Security Risk Analysis 15. Use Case: Risk Treatment V. Closing 16. Discussion 17. Conclusion 18. Future Work Appendix A. Attacker Model Categories and Rating Appendix B. Basic Threat Classes for System SRA Appendix C. Categories of Defense Method Propertie

GPU devices for safety-critical systems: a survey

Graphics Processing Unit (GPU) devices and their associated software programming languages and frameworks can deliver the computing performance required to facilitate the development of next-generation high-performance safety-critical systems such as autonomous driving systems. However, the integration of complex, parallel, and computationally demanding software functions with different safety-criticality levels on GPU devices with shared hardware resources contributes to several safety certification challenges. This survey categorizes and provides an overview of research contributions that address GPU devices’ random hardware failures, systematic failures, and independence of execution.This work has been partially supported by the European Research Council with Horizon 2020 (grant agreements No. 772773 and 871465), the Spanish Ministry of Science and Innovation under grant PID2019-107255GB, the HiPEAC Network of Excellence and the Basque Government under grant KK-2019-00035. The Spanish Ministry of Economy and Competitiveness has also partially supported Leonidas Kosmidis with a Juan de la Cierva Incorporación postdoctoral fellowship (FJCI-2020- 045931-I).Peer ReviewedPostprint (author's final draft

Software architectural design for safety in Automated Parking System

The automotive industry has seen a revolution brought about by self-driving cars. However, one of the main challenges facing autonomous driving systems is ensuring safety in the absence of a supervising driver and verifying safe vehicle behaviour under various circumstances. Autonomous Driving Systems (ADS), due to their complexity, cannot be solved straightforwardly without proper structure. Thus, they need a well-defined architecture to guide their development with requirements that involve modularity, scalability, and maintainability among other properties. To help overcome some of the challenges, this master thesis defines and implements in a simulated environment an automated parking system that complies with industrial and safety standards. The work has been divided into four parts. Firstly, the safety rules for the development of an autonomous function have been analysed. Secondly, the use cases and system requirements have been defined following the needs of the automated parking system. Thirdly, the system has been implemented in the simulation environment with a structure based on a widely adopted automotive standard. The final result is the software architecture of an autonomous vehicle with automated parking functionality. This concept has been validated within the virtual environment together with the integration of the AUTOSAR runtime environment, which the communication between components and mode switching functionality in the CARLA simulation environment. The result of this project shows the benefit of integrating architecture and simulation, thus easing the development and testing of future autonomous systems

Efficient Neural Network Implementations on Parallel Embedded Platforms Applied to Real-Time Torque-Vectoring Optimization Using Predictions for Multi-Motor Electric Vehicles

The combination of machine learning and heterogeneous embedded platforms enables new potential for developing sophisticated control concepts which are applicable to the field of vehicle dynamics and ADAS. This interdisciplinary work provides enabler solutions -ultimately implementing fast predictions using neural networks (NNs) on field programmable gate arrays (FPGAs) and graphical processing units (GPUs)- while applying them to a challenging application: Torque Vectoring on a multi-electric-motor vehicle for enhanced vehicle dynamics. The foundation motivating this work is provided by discussing multiple domains of the technological context as well as the constraints related to the automotive field, which contrast with the attractiveness of exploiting the capabilities of new embedded platforms to apply advanced control algorithms for complex control problems. In this particular case we target enhanced vehicle dynamics on a multi-motor electric vehicle benefiting from the greater degrees of freedom and controllability offered by such powertrains. Considering the constraints of the application and the implications of the selected multivariable optimization challenge, we propose a NN to provide batch predictions for real-time optimization. This leads to the major contribution of this work: efficient NN implementations on two intrinsically parallel embedded platforms, a GPU and a FPGA, following an analysis of theoretical and practical implications of their different operating paradigms, in order to efficiently harness their computing potential while gaining insight into their peculiarities. The achieved results exceed the expectations and additionally provide a representative illustration of the strengths and weaknesses of each kind of platform. Consequently, having shown the applicability of the proposed solutions, this work contributes valuable enablers also for further developments following similar fundamental principles.Some of the results presented in this work are related to activities within the 3Ccar project, which has received funding from ECSEL Joint Undertaking under grant agreement No. 662192. This Joint Undertaking received support from the European Union’s Horizon 2020 research and innovation programme and Germany, Austria, Czech Republic, Romania, Belgium, United Kingdom, France, Netherlands, Latvia, Finland, Spain, Italy, Lithuania. This work was also partly supported by the project ENABLES3, which received funding from ECSEL Joint Undertaking under grant agreement No. 692455-2

component testing

Este relatório/dissertação foi desenvolvido no âmbito do Curso de Mestrado em Engenharia Eletrotécnica, e para a Unidade Curricular de Estágio, e representa o trabalho desenvolvido na empresa Critical Software, no âmbito do projeto interno Railway Embedded Software Validation na área de Component Testing. No projeto em que está envolvido este estágio, visa-se testar componentes do sistema de controlo do comboio (Luzes, Travagem, ...), ou seja, testar se uma das partes dos componentes está a funcionar dentro dos parâmetros exigidos e/ou estabelecidos. Para isso foi necessário passar por um processo de aprendizagem com várias etapas, entre as quais se podem destacar: - como funcionam os comboios; - como são aplicadas as normas; - como são descritos os requisitos necessários para que os comboios funcionem dentro dos parâmetros de segurança. Com isso em perspetiva, foram realizadas atividades de verificação formal, com objetivo fazer a especificação e desenvolvimento dos diversos níveis de teste o sistema. Alguns dos sistemas estudados foram de tração, sistema de travagem, controlos do motorista e de diagnóstico

On the Secure and Resilient Design of Connected Vehicles: Methods and Guidelines

Vehicles have come a long way from being purely mechanical systems to systems that consist of an internal network of more than 100 microcontrollers and systems that communicate with external entities, such as other vehicles, road infrastructure, the manufacturer’s cloud and external applications. This combination of resource constraints, safety-criticality, large attack surface and the fact that millions of people own and use them each day, makes securing vehicles particularly challenging as security practices and methods need to be tailored to meet these requirements.This thesis investigates how security demands should be structured to ease discussions and collaboration between the involved parties and how requirements engineering can be accelerated by introducing generic security requirements. Practitioners are also assisted in choosing appropriate techniques for securing vehicles by identifying and categorising security and resilience techniques suitable for automotive systems. Furthermore, three specific mechanisms for securing automotive systems and providing resilience are designed and evaluated. The first part focuses on cyber security requirements and the identification of suitable techniques based on three different approaches, namely (i) providing a mapping to security levels based on a review of existing security standards and recommendations; (ii) proposing a taxonomy for resilience techniques based on a literature review; and (iii) combining security and resilience techniques to protect automotive assets that have been subject to attacks. The second part presents the design and evaluation of three techniques. First, an extension for an existing freshness mechanism to protect the in-vehicle communication against replay attacks is presented and evaluated. Second, a trust model for Vehicle-to-Vehicle communication is developed with respect to cyber resilience to allow a vehicle to include trust in neighbouring vehicles in its decision-making processes. Third, a framework is presented that enables vehicle manufacturers to protect their fleet by detecting anomalies and security attacks using vehicle trust and the available data in the cloud