5/26/2012




Security for Automotive with Multi-core-based Embedded Systems


                                     Claudia Eckert
                                     TU München &
                                     Fraunhofer AISEC

                                     DATE 2012, 16. March 2012
                                     Dresden

              C. Eckert, AISEC




Outline

1. Introduction
2. Security Issues
3. Multi-core architectures: Risks
4. Multi-core architectures: Opportunities
5. Research Challenges
6. Take Home Message






1. Introduction
   Automotive: Today

• > 80 ECUs, security/safety sensitive services
• Tailored ECUs for additional functions
• High energy consumption
• Expensive 








1. Introduction
   Tomorrow: more services, more computational power required

   [Figure: Intelligent Car services: Routing and Navigation, Road Billing, Traffic info and web cams, (Location based) web information, Fleet Management, GPS Street Parking, Inter Car Communication, Parking Slots Reservation, Contactless Gas Station, Mobile TV]

   High demand for few highly integrated multi-core systems









2. Security Issues
   Automotive Security: Today

Security level today: do modern cars already provide
• Secure execution environment?
• Hardened ECUs or security modules to reduce vulnerabilities?
• Security services like intrusion detection, access controls, self-monitoring?






2. Security Issues
   Automotive: Security Risks

Vulnerabilities, e.g.:
• ECUs which are not hardened: code injection, data manipulation
• Software updates via CAN/Ethernet: insufficient (or even missing) access control
• External interfaces (NFC, C2C) enable remote access/attacks







2. Security Issues
   Automotive: Security Risks

M2M interfaces (GSM)
• Communication with backend of OEM
• Internet access, added-value services
Vulnerabilities:
• Car logs into every GSM BTS
• Attacks with malformed messages from GSM network
• Possible damages: manipulation, DoS, malware




Lessons Learned so far

Multi-cores
• Multi-core architectures are required to meet
  increasing demands for computational power and
  demands to reduce power consumption
• Cars are already exposed to severe security risks
Questions
• Multi-core: a security enhancing technology?
• Multi-core: even more security/safety risks?








3. Multi-cores
   Even more risks …

Shared resources: memory, caches, network
• Data leakages: confidentiality, integrity
• Covert channels, e.g. via the cache replacement strategy
• Denial-of-service: e.g. occupying shared memory regions, starving safety-critical tasks
Vulnerable system software, missing separation
• e.g. buffer overflow (BO) attacks: malware intrusion, manipulation, …








4. Multi-cores
   Opportunities

Attack tolerance
e.g. fault injections with laser (FA):
• Inject jump to bypass security checks (figure labels: FA, not auth)
• Modify register content (figure: FA flips 0x00 = 00000000 to 0x80 = 10000000)
• Modify alarm signals (figure: alarm → OK)

Multi-core:
• Redundant cores to tolerate fault attacks, e.g. SLE 78:
  redundant computation, majority voting, monitoring




4. Multi-cores
   Opportunities

Attack tolerance
e.g. side-channel attacks
• Timing (execution time of cryptographic operations) and power (power consumption) attacks to crack keys
Multi-core:
• Increased resistance against side-channel attacks: e.g. using multi-cores for randomized execution of cryptographic algorithms




4. Multi-cores
   Opportunities

Attack tolerance
e.g. resistance against software-based modifications
• Redundant computation in different cores to detect abnormal behavior (e.g. manipulated code)
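The redundancy described on the fault-attack slide above and on this slide (redundant computation, majority voting, monitoring), as an added example that is not code from the talk: three "cores" are simulated sequentially, a fault mask stands in for the 0x00 → 0x80 register flip from the slide, and the credential values and fault mask are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NUM_CORES 3
#define CRED_LEN  4
/* Constructed result encoding; mirrors the 0x00 / 0x80 register values on the slide. */
#define AUTH_OK   0x00u
#define AUTH_FAIL 0x80u

/* Constructed sample data: reference credential, a matching and a wrong input,
 * and a fault mask that flips bit 7 of the result register on core 1 only. */
const uint8_t REF_CRED[CRED_LEN]  = {0x12, 0x34, 0x56, 0x78};
const uint8_t GOOD_CRED[CRED_LEN] = {0x12, 0x34, 0x56, 0x78};
const uint8_t BAD_CRED[CRED_LEN]  = {0x12, 0x34, 0x56, 0x79};
const uint8_t FAULT_CORE1[NUM_CORES] = {0x00, 0x80, 0x00};

typedef struct {
    bool    authorised;        /* decision of the majority vote */
    bool    alarm;             /* cores disagreed: suspected fault attack */
    uint8_t votes[NUM_CORES];  /* per-core result, kept for the monitor */
} vote_result_t;

/* The security check each core runs: a constant-time credential compare. */
static uint8_t check_credential(const uint8_t *cred, const uint8_t *ref) {
    uint8_t diff = 0;
    for (size_t i = 0; i < CRED_LEN; i++) diff |= cred[i] ^ ref[i];
    return diff == 0 ? AUTH_OK : AUTH_FAIL;
}

/* Run the check on every core and vote. fault_mask (may be NULL) simulates an
 * injected fault XORed into one core's result register; on real hardware the
 * cores would execute in parallel and the monitor would be a separate unit. */
vote_result_t redundant_auth(const uint8_t *cred, const uint8_t *ref,
                             const uint8_t *fault_mask) {
    vote_result_t r = { .authorised = false, .alarm = false };
    int ok_votes = 0;
    for (int core = 0; core < NUM_CORES; core++) {
        uint8_t v = check_credential(cred, ref);
        if (fault_mask) v ^= fault_mask[core];
        r.votes[core] = v;
        if (v == AUTH_OK) ok_votes++;   /* any other value counts as a reject */
    }
    /* Monitoring: a single disagreeing core is already an alarm condition. */
    for (int core = 1; core < NUM_CORES; core++)
        if (r.votes[core] != r.votes[0]) r.alarm = true;
    /* Majority voting: one faulted core cannot flip the decision. */
    r.authorised = ok_votes > NUM_CORES / 2;
    return r;
}

int main(void) {
    vote_result_t r = redundant_auth(BAD_CRED, REF_CRED, FAULT_CORE1);
    printf("authorised=%d alarm=%d votes=%02x %02x %02x\n", r.authorised, r.alarm,
           r.votes[0], r.votes[1], r.votes[2]);
    return 0;
}
```

With the wrong credential and a fault on core 1, the faulted core alone reports AUTH_OK; the vote still rejects and the alarm flag is raised for the monitor.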




4. Multi-cores
   Opportunities

Take advantage of multi-cores
• Assign security/safety critical tasks to dedicated security cores (e.g. hardened cores):
  • secure execution environment
  • strict access controls
• Distribute sensitive functions between different cores to enhance resistance against reverse engineering attacks




4. Multi-cores
   Opportunities

Self-monitoring
• Separate a security core from the data processing cores:
  • Trusted OS in the monitoring system
  • Collect data in the userland OS (e.g. syscall traces)
  • Securely analyze the data to detect malicious behavior
  • Dynamic health monitoring
• Extend VMI (virtual machine introspection) to enhance malware detection on multi-cores
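The self-monitoring idea above (syscall traces collected in the userland OS, analyzed on the security core), as an added example that is not code from the talk: a profile of syscall 3-grams is learned from a trusted run and then used to count windows of a live trace that never occurred in the baseline. The syscall identifiers and both traces are constructed.

```c
#include <stdbool.h>
#include <stddef.h>

#define NGRAM      3     /* window length of the sequence model */
#define MAX_NGRAMS 256   /* capacity of the learned profile */

/* Constructed syscall identifiers for the sample traces (not real kernel numbers). */
enum { SYS_OPEN = 1, SYS_READ, SYS_WRITE, SYS_CLOSE, SYS_EXECVE };

/* Constructed traces: a periodic logger task during trusted operation, and the
 * same task after manipulated code inserted an execve between two cycles. */
const int BASELINE_TRACE[] = { SYS_OPEN, SYS_READ, SYS_WRITE, SYS_CLOSE,
                               SYS_OPEN, SYS_READ, SYS_WRITE, SYS_CLOSE };
const int SUSPECT_TRACE[]  = { SYS_OPEN, SYS_READ, SYS_WRITE, SYS_CLOSE, SYS_EXECVE,
                               SYS_OPEN, SYS_READ, SYS_WRITE, SYS_CLOSE };
const size_t BASELINE_LEN = sizeof BASELINE_TRACE / sizeof BASELINE_TRACE[0];
const size_t SUSPECT_LEN  = sizeof SUSPECT_TRACE / sizeof SUSPECT_TRACE[0];

typedef struct { int ids[NGRAM]; } ngram_t;
/* Profile of n-grams seen during trusted operation; lives on the security core. */
typedef struct { ngram_t known[MAX_NGRAMS]; size_t count; } profile_t;

static bool profile_contains(const profile_t *p, const ngram_t *g) {
    for (size_t i = 0; i < p->count; i++) {
        bool same = true;
        for (int k = 0; k < NGRAM; k++) same = same && p->known[i].ids[k] == g->ids[k];
        if (same) return true;
    }
    return false;
}

/* Copy the NGRAM syscalls starting at position i into g. */
static void window_at(const int *trace, size_t i, ngram_t *g) {
    for (int k = 0; k < NGRAM; k++) g->ids[k] = trace[i + k];
}

/* Learn the profile from a trace recorded while the software behaved normally. */
void profile_learn(profile_t *p, const int *trace, size_t len) {
    p->count = 0;
    for (size_t i = 0; i + NGRAM <= len; i++) {
        ngram_t g;
        window_at(trace, i, &g);
        if (!profile_contains(p, &g) && p->count < MAX_NGRAMS) p->known[p->count++] = g;
    }
}

/* Monitoring: count windows of a live trace that never occurred in the baseline.
 * The alarm threshold on this count is a policy decision and is not shown here. */
size_t count_anomalies(const profile_t *p, const int *trace, size_t len) {
    size_t anomalies = 0;
    for (size_t i = 0; i + NGRAM <= len; i++) {
        ngram_t g;
        window_at(trace, i, &g);
        if (!profile_contains(p, &g)) anomalies++;
    }
    return anomalies;
}
```

On the constructed data the baseline yields four distinct 3-grams and the suspect trace produces three windows the profile has never seen, all of them around the inserted execve.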








5. Research Challenges
   Secure Architectures

   [Figure: System on Chip with Trust Core 1, OS Core 2, Core i, …, Core n, RAM, Flash; IO-interfaces (M2M: SIM, GSM); Peripherals (ID Actuator, ID Sensor); Hardware Security Module; link to other System on Chip]





5. Research Challenges
   Secure Elements

Scalable hardware trust anchors:
• Secure storage: keys, credentials, access tokens
• Integrity measurement: static (TPM-like) as well as dynamic attestations
• Support for virtualized execution environments: attaching a virtual Secure Element to individual environments: Secure Boot, secure Updates, …
• PUF technology for secure identification




5. Research Challenges
   Secure Software

Software Hardening
• Compile-time Hardening
• Operating System Extensions
• Process Virtualization / Sandboxing
• System Virtualization

Secure Monitoring
• VMI for malware detection
• Attack tolerance

   [Figure: software stack on a Multi-core (SoC): VMM (L4 Microkernel); above it a Secure OS (Trustworthy component) beside a Rich OS (L4Linux with Android patches, Android including Dalvik VM, 3rd Party Application)]





6. Take Home Message

Automotive domain: High demand for
• openness, value-added services, cost and energy efficiency
• Security is already a big issue (e.g. impact on safety)
Multi-core architectures: security enhancing technology
• Attack tolerance, self-monitoring
• Partitioning: critical, non-critical
Research issues: security architectures & controls & crypto

    Secure multi-cores: key enabling technology for CPS!





Thank you for your Attention

Claudia Eckert
Fraunhofer AISEC, Munich
TU Munich, Chair for IT Security
E-Mail: claudia.eckert@aisec.fraunhofer.de
http://www.aisec.fraunhofer.de