9 research outputs found

    Fusion: A Safe and Secure Software Platform for Autonomous Driving

    The vastly increasing amount of software in vehicles, its variability and complexity, as well as the computational requirements, especially for those built with autonomous driving in mind, require new approaches to the structure and integration of software. The traditional approaches of single-purpose embedded devices with integrated software are no longer a suitable choice. New architectures introduce general purpose compute devices, capable of high-performance computation, as well as high variability of software. Managing the increasing complexity, also at runtime, in a safe and secure manner, are open challenges. Solving these challenges is a high-complexity development and integration effort requiring design-time and runtime configuration, approaches to communication middleware, operating system configuration, such as task scheduling, monitoring, tight integration of security and safety, and, especially in the case of autonomous driving, concepts for dynamic adaption of the system to the situation, e.g., fail-operational concepts. We present Fusion, a next-generation software platform supporting the development of autonomous driving systems

    Towards a Reliable and Context-Based System Architecture for Autonomous Vehicles

    Full vehicle autonomy excludes a takeover by passengers in case a safety-critical application fails. Therefore, the system responsible for operating the autonomous vehicle has to detect and handle failures autonomously. Moreover, this system has to ensure the safety of the passengers, as well as the safety of other road users at any given time. Especially in the initial phase of autonomous vehicles, building up consumer confidence is essential. Therefore, in this regard, handling all failures by simply performing an emergency stop is not desirable. In this paper, we introduce an approach enabling a dynamic and safe reconfiguration of the autonomous driving system to handle occurring hardware and software failures. Since the requirements concerning safe reconfiguration actions are significantly affected by the current context the car is experiencing, the developed reconfiguration approach is sensitive to context changes. Our approach defines three interconnected layers, which are distinguished by their level of awareness. The top layer, referred to as the context layer, is responsible for observing the context. These context observations, in turn, imply a set of requirements, which constitute the input for the reconfiguration layer. The latter layer is required to determine reconfiguration actions, which are then executed by the architecture layer

    VEGa : a high performance vehicular Ethernet gateway on hybrid FPGA

    Modern vehicles employ a large amount of distributed computation and require the underlying communication scheme to provide high bandwidth and low latency. Existing communication protocols like Controller Area Network (CAN) and FlexRay do not provide the required bandwidth, paving the way for adoption of Ethernet as the next generation network backbone for in-vehicle systems. Ethernet would co-exist with safety-critical communication on legacy networks, providing a scalable platform for evolving vehicular systems. This requires a high-performance network gateway that can simultaneously handle high bandwidth, low latency, and isolation; features that are not achievable with traditional processor based gateway implementations. We present VEGa, a configurable vehicular Ethernet gateway architecture utilising a hybrid FPGA to closely couple software control on a processor with dedicated switching circuit on the reconfigurable fabric. The fabric implements isolated interface ports and an accelerated routing mechanism, which can be controlled and monitored from software. Further, reconfigurability enables the switching behaviour to be altered at run-time under software control, while the configurable architecture allows easy adaptation to different vehicular architectures using high-level parameter settings. We demonstrate the architecture on the Xilinx Zynq platform and evaluate the bandwidth, latency, and isolation using extensive tests in hardware

    Open source model and simulator for real-time performance analysis of automotive network security

    With the increasing interconnection of vehicles, security challenges have moved into focus. Attacks on in-vehicle networks can cause accidents resulting in financial damages and even loss of life. The impact of an attack can be mitigated by secure internal vehicle networks, employing authentication of ECUs and authorization of messages. However, quantifying the real-time performance of additional security measures is difficult due to the high number of nodes and messages. In this paper, we present an open source model and simulator for the evaluation of the real-time performance of automotive networks implementing security measures. Applying parameters from hardware measurements, we evaluate our model and simulator with realistic test cases and a case study. We further present application perspectives on how the open source simulator can be used in different domains for the analysis of automotive network architectures

    Security for automotive electrical/electronic (E/E) architectures

    The increasing connectivity among vehicles increases their attack surface and challenges their security. This thesis explores approaches to improve the analysis and design of security for in-vehicle networks. To this end, a design-time security analysis, a runtime authentication and authorization framework, and a flexible scheduling scheme that efficiently enables security on FlexRay are presented. The infotainment system of an electric taxi is introduced as a design experience to demonstrate the necessity of new approaches in automotive security. Vehicles today include a large number of electronics in the form of Electronic Control Units (ECUs). These ECUs are interconnected in internal vehicle networks implementing distributed control tasks. With the trend of rising interconnectivity and the Internet of Things (IoT), these in-vehicle networks are increasingly connected to other vehicles and the Internet. While the internal vehicle networks are shielded with gateways and firewalls, these protection mechanisms are not impenetrable. Since these external interfaces use the same protection mechanisms as the Internet, the same types of attacks can be applied to them. Once an attacker has access to the vehicle network, they often have as many possibilities for influence as the vehicle owner or an authorized workshop. These internal networks consist of specialized automotive components, are often not sufficiently segmented or secured, and transmit messages unencrypted. Combining security and automotive real-time systems is challenging in many ways. The heterogeneity and complexity of automotive communication systems and their interconnections make the quantification of security a difficult task. Lower computational capabilities and network bandwidth, coupled with the real-time behavior of automotive systems, make the implementation of computation- and bandwidth-intensive security challenging. 
New solutions are required to address security in the automotive domain in context of not only functional, but also real-time requirements. This thesis explores approaches to (1) analyze security of in-vehicle networks at design time, (2) secure network traffic efficiently through authentication and authorization at runtime, and (3) enable security on legacy communication systems. These approaches are motivated in context of the infotainment system of an electric taxi. The interaction of passengers with the infotainment system opens an attack vector on safety-critical in-vehicle systems and requires security to be a priority. The first approach targets the problem of quantifying the security of architectures and forms the basis for evaluation of all other approaches. It is not straightforward to evaluate the security of a network. No method to quantify the security of automotive networks currently exists. In this thesis, the Security Analysis for Automotive Networks (SAAN) is proposed. SAAN uses probabilistic model checking to calculate the security of automotive networks, based on the architecture and expert evaluations of components. Evaluations of SAAN prove its capabilities to detect security flaws and compare automotive architectures in terms of security. SAAN employs an automotive-specific model generation, taking into account the specific security dependencies in the automotive architecture. These dependencies are formulated as rules and form the basis for state-space reduction in the model. By reducing the model size, the performance of the model checking can be improved by two to three orders of magnitude over state of the art model generation. After establishing the ability to analyze networks for security, the second approach is centered around securing in-vehicle network traffic efficiently. To secure traffic, it is required to authenticate communication participants and authorize messages. This is typically ensured by authentication frameworks. 
Traditional authentication frameworks have high computation and bandwidth requirements, incompatible with automotive networks. This thesis proposes the Lightweight Authentication for Secure Automotive Networks (LASAN). LASAN is specifically tuned to the automotive environment, leveraging the fixed network structure to remove avoidable flexibility in the protocols and to minimize message sizes and thus bandwidth requirements. Splitting asymmetric and symmetric protocol components distributes the computational requirements and thus reduces the delays in time-critical phases of the system. Evaluations show improvements in setup latency of two to three orders of magnitude over the state of the art. Besides improved efficiency, LASAN can be easily integrated with existing automotive processes, such as Over-The-Air (OTA) updates or workshop maintenance and repair. The third approach targets the problem of security in legacy communication systems. Existing time-triggered communication systems, such as FlexRay, are highly limited in their flexibility regarding message lengths and transmission times. This limits the entropy available for security, allowing brute-force attacks on cryptographic keys and effectively rendering the employed security mechanisms useless. The policy-based scheduling for FlexRay presented in this thesis enables higher flexibility for messages on the bus by abstracting the bond between time-triggered slots and messages. Messages are flexibly arranged in a virtual communication layer before being divided into slots. Thus, messages can be transmitted priority-based, and messages longer than one slot length can be transmitted. This allows the implementation of authentication frameworks and increases the available entropy per message through enlargement, supporting encryption efficiently. Through the underlying time-triggered system, worst-case response times can be calculated efficiently. 
Evaluations show improvements in message transmission latencies by close to one order of magnitude over conventional FlexRay scheduling. At the same time, flexibility for message sizes and periods is increased significantly. The security approaches in this thesis are closely linked. Without a flexible message transmission scheme, authentication protocols cannot be implemented. Without an evaluation option for security, quantifying the impact of an authentication framework is highly complicated. Without an authentication framework, secure setup of architectures is not possible. The proposed approaches span both the design-time and runtime aspects of automotive communication system development. A tight integration is key to security in automotive networks. This thesis lays the groundwork for this.

    Security in automotive networks : lightweight authentication and authorization

    With the increasing number of interconnections between vehicles, the attack surface of internal vehicle networks is rising steeply. Although these networks are shielded against external attacks, they often do not have any internal security to protect against malicious components or adversaries who can breach the network perimeter. To secure the in-vehicle network, all communicating components must be authenticated, and only authorized components should be allowed to send and receive messages. This is achieved through the use of an authentication framework. Cryptography is widely used to authenticate communicating parties and provide secure communication channels (e.g. Internet communication). However, the real-time performance requirements of in-vehicle networks restrict the types of cryptographic algorithms and protocols that may be used. In particular, asymmetric cryptography is computationally infeasible during vehicle operation. In this work, we address the challenges of designing authentication protocols for automotive systems. We present Lightweight Authentication for Secure Automotive Networks (LASAN), a full life-cycle authentication approach. We describe the core LASAN protocols and show how they protect the internal vehicle network while complying with the real-time constraints and low computational resources of this domain. By leveraging the fixed structure of automotive networks, we minimize bandwidth and computation requirements. Unlike previous work, we also explain how this framework can be integrated into all aspects of the automotive product life cycle, including manufacturing, vehicle maintenance and software updates. We evaluate LASAN in two different ways: Firstly, we analyze the security properties of the protocols using established protocol verification techniques based on formal methods. 
Secondly, we evaluate the timing requirements of LASAN and compare these to other frameworks using a new highly modular discrete event simulator for in-vehicle networks, which we have developed for this evaluation

    Analysis of Cybersecurity Weakness in Automotive In-Vehicle Networking and Hardware Accelerators for Real-time Cryptography

    The work analyses cybersecurity weaknesses in state-of-the-art automotive in-vehicle networks and discusses possible countermeasures at the architecture level. Due to the stringent real-time constraints (throughput and latency) of fail-safe automotive applications, hardware accelerators are needed. A hardware accelerator design for AES (Advanced Encryption Standard)-128/256 calculation, the latter already being considered post-quantum resistant, is also presented, together with implementation results in FPGA and 45 nm CMOS technology

    Bibliography
