Security for Automotive with Multicore-based Embedded Systems

Slide transcript; uploaded by fraunhofer-aisec, 13 Dec 2014.

Page 1: Security for Automotive with Multicore-based Embedded Systems

5/26/2012

Security for Automotive with Multi-core-based Embedded Systems

Claudia Eckert, TU München & Fraunhofer AISEC

©C. Eckert, AISEC

DATE 2012, 16 March 2012, Dresden

Outline

1. Introduction
2. Security Issues
3. Multi-core architectures: Risks
4. Multi-core architectures: Opportunities
5. Research Challenges
6. Take Home Message

Page 2

1. Introduction: Automotive Today

• > 80 ECUs, security/safety sensitive services
• Tailored ECUs for additional functions
• High energy consumption
• Expensive

1. Introduction: Tomorrow, more services, more computational power required

(Figure: services around the car: Traffic info and web cams, Road Billing, Intelligent Car Routing and Navigation, Inter Car Communication, GPS Street Parking, (Location based) web information, Fleet Management, Navigation, Mobile TV, Parking Slots Reservation, Contactless Gas Station)

High demand for few highly integrated multi-core systems

Page 3

2. Security Issues: Automotive Security Today

Security level today: do modern cars already provide
• a secure execution environment?
• hardened ECUs or security modules to reduce vulnerabilities?
• security services like intrusion detection, access controls, self-monitoring?

Page 4

2. Security Issues: Automotive Security Risks

Vulnerabilities, e.g.
• ECUs which are not hardened: code injection, data manipulation
• Software updates via CAN/Ethernet: insufficient (or even missing) access control
• External interfaces enable remote access/attacks: NFC, C2C, M2M interfaces (GSM)

2. Security Issues: Automotive Security Risks

• Communication with backend of OEM
• Internet access, added-value services

Vulnerabilities:
• Car logs into every GSM BTS
• Attacks with malformed messages from GSM network
• Possible damages: manipulation, DoS, malware

Page 5

2. Security Issues: Automotive Security Risks (Multi-cores)

Lessons Learned so far
• Multi-core architectures are required to meet
  • increasing demands for computational power
  • demands to reduce power consumption
• Cars are already exposed to severe security risks

Questions
• Multi-core: a security enhancing technology?
• Multi-core: even more security/safety risks?

Page 6

3. Multi-cores: Even more risks …

Shared resources: memory, caches, network
• Data leakages: confidentiality, integrity
• Covert channels, e.g. via the cache replacement strategy
• Denial-of-service: e.g. occupying shared memory regions, starving safety-critical tasks

Vulnerable system software, missing separation
• e.g. BO (buffer overflow) attacks: malware intrusion, manipulation, …

Page 7

4. Multi-cores: Opportunities

Attack tolerance, e.g. fault injections with laser
• Inject jump to bypass security checks
• Modify register content
• Modify alarm signals

(Figure: fault attack (FA) flipping a single bit of the alarm signal, 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 = 0x00 0x80, switching the flag between "not auth" and "OK")

Multi-core:
• Redundant cores to tolerate fault attacks, e.g. SLE 78: redundant computation, majority voting, monitoring

Page 8

4. Multi-cores: Opportunities

Attack tolerance, e.g. side-channel attacks
• Timing (execution time of cryptographic operations) and power (power consumption) attacks to crack keys

Multi-core:
• Increased resistance against side-channel attacks, e.g. using multi-cores for randomized execution of cryptographic algorithms

4. Multi-cores: Opportunities

Attack tolerance, e.g. resistance against software-based modifications
• Redundant computation in different cores to detect abnormal behavior (e.g. manipulated code)
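As an added example (not code from the slides or from AISEC), the redundancy-plus-majority-voting idea of the fault-attack slide and the software-modification slide above, in C: three cores run the same authorization check, a strict majority decides, and any deviating core is reported as a monitoring signal. The check function, credential bytes and fault masks are constructed for illustration; the 0x00/0x80 flag encoding follows the fault-attack figure as read here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NUM_CORES 3
#define AUTH_OK   0x80u   /* flag encoding as in the slide figure: 0x80 = OK */
#define AUTH_FAIL 0x00u   /*                                      0x00 = not auth */
typedef struct {
    uint8_t majority;    /* value reported by more than half the cores, AUTH_FAIL if none */
    bool    agreed;      /* true when every core reported the same value */
    int     faulty_core; /* index of a deviating core, -1 if none (monitoring signal) */
} vote_t;

/* Constructed credential check, run independently on every core: a
   constant-time comparison that yields the authorization flag byte. */
static uint8_t check_credential(const uint8_t *cred, const uint8_t *expected, size_t n) {
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= cred[i] ^ expected[i];
    return diff == 0 ? AUTH_OK : AUTH_FAIL;
}

/* Runs the check on NUM_CORES cores and votes on the results. faults[i] is a
   bit mask XORed into core i's result to model a laser fault or a manipulated
   copy of the code on that core (0 = core behaves correctly). */
vote_t redundant_check(const uint8_t *cred, const uint8_t *expected, size_t n,
                       const uint8_t faults[NUM_CORES]) {
    uint8_t r[NUM_CORES];
    vote_t v = { AUTH_FAIL, true, -1 };   /* no majority -> fail closed */
    for (int i = 0; i < NUM_CORES; i++)
        r[i] = check_credential(cred, expected, n) ^ faults[i];
    for (int i = 0; i < NUM_CORES; i++) {  /* strict majority: more than NUM_CORES/2 agree */
        int count = 0;
        for (int j = 0; j < NUM_CORES; j++) if (r[j] == r[i]) count++;
        if (2 * count > NUM_CORES) { v.majority = r[i]; break; }
    }
    for (int i = 0; i < NUM_CORES; i++)   /* monitoring: report any deviating core */
        if (r[i] != v.majority) { v.agreed = false; v.faulty_core = i; }
    return v;
}

int main(void) {
    /* constructed sample: wrong credential, and core 1 hit by the 0x00 -> 0x80 bit flip */
    const uint8_t expected[4] = { 0xDE, 0xAD, 0xBE, 0xEF }, wrong[4] = { 0xDE, 0xAD, 0xBE, 0xEE };
    const uint8_t fault_core1[NUM_CORES] = { 0x00, 0x80, 0x00 };
    vote_t v = redundant_check(wrong, expected, 4, fault_core1);
    printf("majority=0x%02X agreed=%d faulty_core=%d\n", v.majority, v.agreed, v.faulty_core);
    return 0;   /* prints majority=0x00 agreed=0 faulty_core=1 */
}
```

Identical faults on all cores still pass the vote, which is why the slides pair voting with monitoring and hardened cores rather than relying on redundancy alone.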

Page 9

4. Multi-cores: Opportunities

Take advantage of multi-cores
• Assign security/safety critical tasks to dedicated security cores (e.g. hardened cores):
  • secure execution environment
  • strict access controls
• Distribute sensitive functions between different cores to enhance resistance against reverse engineering attacks

4. Multi-cores: Opportunities

Self-monitoring
• Separate a security core from data processing cores:
  • Trusted OSs in monitoring system
  • Collect data in userland OS (e.g. syscall traces)
  • Securely analyze data to detect malbehavior
  • Dynamic health monitoring
• Extend VMI to enhance malware detection on multi-cores

Page 10

5. Research Challenges: Secure Architectures

(Figure: System on Chip with Core 1, Core 2, … Core i, Core n, RAM, Flash, Hardware Security Module and TrustOS; IO interfaces and peripherals: Sensor, Actuator, ID, SIM, GSM, M2M; link to another System on Chip)

Page 11

5. Research Challenges: Secure Elements

Scalable hardware trust anchors:
• Secure storage: keys, credentials, access tokens
• Integrity measurement: static (TPM-like) as well as dynamic attestations
• Support for virtualized execution environments: attaching a virtual Secure Element to individual environments: Secure Boot, secure Updates, …
• PUF technology for secure identification

5. Research Challenges: Secure Software

Software Hardening
• Compile-time Hardening
• Operating System Extensions
• Process Virtualization / Sandboxing
• System Virtualization

Secure Monitoring
• VMI for malware detection
• Attack tolerance

(Figure: layered architecture on a Multi-core (SoC) running a VMM (L4 Microkernel); Rich OS side: L4Linux with Android patches, Android including Dalvik VM, 3rd Party Application; Secure OS side: Trustworthy component, Secure Monitoring)

Page 12

6. Take Home Message

Automotive domain: High demand for
• openness, value-added services, cost and energy efficiency
• Security is already a big issue (e.g. impact on safety)

Multi-core architectures: security enhancing technology
• Attack tolerance, self-monitoring
• Partitioning: critical, non-critical

Research issues: security architectures & controls & crypto

Secure multi-cores: key enabling technology for CPS!

Thank you for your Attention

Claudia Eckert
Fraunhofer AISEC, Munich
TU Munich, Chair for IT Security
E-Mail: [email protected]
http://www.aisec.fraunhofer.de