
Page 1: Putting Trust in Automotive Electronics...2013/12/07  · Trust model is simple –Driver trusts the OEM –The OEM trusts the manufacturer of security hardware –And from there we

[email protected]

Putting Trust in Automotive Electronics

Camille VUILLAUME

ヴィオム カミーユ

ETAS K.K.

Embedded Security

Page 2: Menu

Appetizer: Automotive Security
– Need for security, attack techniques and attack vectors

Plat de résistance: Trusted Computing
– About trust, Trusted Computing applications, problems with Trusted Computing

Dessert: Automotive Hardware Security Modules
– Why Trusted Computing can help, why TPM is not the right choice, SHE and EVITA, use-cases, key management

Page 3: What is an ECU?

[Diagram: an ECU is built around an SoC containing a CPU, RAM (variables) and flash memory (OS, data). It reads a sensor (e.g. an air flow meter), drives an actuator (e.g. fuel injection) and talks to the vehicle over a network interface (e.g. CAN). Optional security hardware (e.g. a coprocessor or secure memory) may be present. Debug access exists through boundary scan, an on-chip debugger and JTAG.]

Page 4: The Need for Automotive Security

[Diagram: a vehicle network with headunit, V2X, central gateway, ESP, engine control, GPS sensor, vehicle serial number provider, brake actuator, airbag actuator and RTC clock, annotated with attack vectors and their effects.]

Attack vectors shown:
– Reverse engineer remote telematics call center protocol
– Play music file embedding malicious code
– Exploit buffer overflow in Bluetooth stack
– Use OBD-II diagnostics
– Exploit tire pressure monitoring system

Effects shown:
– Get location
– Engage/disengage brakes
– Disrupt/kill engine
– Spy with microphone

Page 5: Tools of the Trade: Fuzz Testing

Goals
– Crash target application
– Make target application reply with incorrect data

Method
– Input malformed data to interface function
– e.g. Bluetooth stack, HTTP stack, image, video or sound codec, X.509 certificate parser

Flavors
– Black-box fuzz testing with protocol specifications (e.g. API)
– Gray-box fuzz testing with debugger and code coverage
– White-box fuzz testing with source code or binary

Page 6: One Step Deeper: Debug Interfaces

Boundary scan
– Allows direct access to various modules

On-Chip Debuggers
– Allow interruption of CPU execution, reading/writing to memories and registers

Backdoors
– Usually not malicious but left in place by a careless engineer for development or testing

[Diagram: CPU, flash and RAM reachable through the on-chip debugger and the boundary scan cells, both exposed over JTAG.]

Page 7: The Abyss: Physical Attacks

[Diagram: a CPU (ALU, program counter, registers) with flash memory (programs) and RAM (intermediate data), powered from VCC, annotated with three classes of physical attack.]

Measure power consumption
– Find operations executed by ALU
– Find data in registers
– Find data in RAM

Generate voltage spike
– Corrupt operation executed by ALU
– Corrupt program flow
– Corrupt data in registers
– Corrupt data in RAM
– Corrupt program

Monitor data on bus with needle

Page 8: Menu (agenda slide repeated from page 2; the second part, Plat de résistance: Trusted Computing, starts here)

Page 9: Security vs. Safety

Safety | Security
Reliability | Trust
Clear, measurable metrics -> realm of mathematics | No way to quantify -> realm of faith
Failure based on average case, e.g. failure prob. of CRC32 = 2*10^-10 | Failure on worst case, e.g. forgery prob. of CRC32 = 1
Composition possible with basic probability calculations | Composition possible with the “my friends’ friends are my friends” rule
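As an added illustration of the two CRC32 rows (not part of the deck): a 32-bit CRC and a 32-bit keyed tag both catch essentially every random bit error, but only the keyed tag survives a deliberate change. The message, the key and the use of HMAC-SHA256 in place of AES-CMAC are assumptions of this example.

```python
import hashlib
import hmac
import random
import zlib

# Constructed sample message standing in for a calibration block sent to an ECU.
MESSAGE = b"ENGINE_MAP:v3:idle=800rpm:max=6500rpm"
# Constructed key; in a SHE/EVITA design it would live inside the HSM.
KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
# Constructed deliberate modification of the message.
TAMPERED = MESSAGE.replace(b"max=6500rpm", b"max=9999rpm")


def crc_tag(msg: bytes) -> bytes:
    """Unkeyed 32-bit check value: the safety engineer's integrity tool."""
    return zlib.crc32(msg).to_bytes(4, "big")


def mac_tag(msg: bytes, key: bytes = KEY) -> bytes:
    """Keyed tag, truncated to the same 4 bytes so both checks are compared
    at equal length. HMAC-SHA256 stands in for the deck's AES-CMAC."""
    return hmac.new(key, msg, hashlib.sha256).digest()[:4]


def receiver_accepts(msg: bytes, tag: bytes, tag_fn) -> bool:
    """What the receiving ECU does: recompute the tag and compare."""
    return hmac.compare_digest(tag_fn(msg), tag)


def flip_random_bit(msg: bytes, rng: random.Random) -> bytes:
    """Model a random transmission error: one bit flipped somewhere."""
    buf = bytearray(msg)
    pos = rng.randrange(len(buf) * 8)
    buf[pos // 8] ^= 1 << (pos % 8)
    return bytes(buf)


def detection_rate(tag_fn, trials: int = 2000, seed: int = 1) -> float:
    """Average case (reliability view): fraction of random single-bit errors
    the tag catches. Both checks score essentially 1.0 here."""
    rng = random.Random(seed)
    tag = tag_fn(MESSAGE)
    missed = sum(receiver_accepts(flip_random_bit(MESSAGE, rng), tag, tag_fn)
                 for _ in range(trials))
    return 1.0 - missed / trials


def crc_survives_tampering() -> bool:
    """Worst case (security view): a deliberate change. CRC32 involves no
    secret, so whoever rewrites the data can also recompute the check value,
    and the receiver accepts it every time: forgery probability 1."""
    return receiver_accepts(TAMPERED, crc_tag(TAMPERED), crc_tag)


def mac_survives_tampering(seed: int = 1) -> bool:
    """Same change against the keyed tag: without KEY the best the modifier
    can do is guess the 32-bit tag, which the receiver rejects (except with
    probability 2^-32 per attempt)."""
    rng = random.Random(seed)
    guess = bytes(rng.getrandbits(8) for _ in range(4))
    return receiver_accepts(TAMPERED, guess, mac_tag)
```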

Page 10: Chain of Trust: My Friends’ Friends…

[Diagram: Root of trust (usually secure hardware) -> verifies integrity/authenticity of -> Bootloader -> verifies integrity/authenticity of -> Kernel -> verifies integrity/authenticity of -> Applications]

Root of trust enables the use of trustworthy applications

Page 11: Trusted Computing: Secure Boot

[Diagram: an application CPU running bootloader, OS kernel and application, connected through external I/O to a Trusted Platform Module (TPM). Each binary is hashed and the hash compared (=?) with a stored reference: Ref. 1/Value 1 for the bootloader, Ref. 2/Value 2 for the OS kernel, Ref. 3/Value 3 for the application.]

– Verify integrity of bootloader and various memory areas
– Send binary code to TPM chip through external I/O
– In case of inconsistency, stop boot or lock features

Page 12: Trusted Computing: Binding and Sealing

[Diagram: the same application CPU/TPM setup. The TPM holds a key and Ref. X/Value X. The application CPU sends an encrypted application and a password through external I/O; the TPM decrypts and returns the decrypted application only after comparing (=?) Ref. X with Value X and checking the password.]

– Allow decryption only if boot sequence correctly verified
– Allow decryption only if application CPU supplies correct password

Page 13: Tamper-Resistance in Trusted Platform Modules

[Diagram: application CPU with its debug interface, connected over external I/O to the TPM, which performs decryption inside.]

Inside the TPM:
– Shielding protects chip against probing
– Light detectors protect chip against laser attacks
– Crypto engines include countermeasures against timing and leakage attacks

Outside the TPM:
– Debug interface of application CPU can usually be opened
– Trivial to probe or modify data transmitted through I/O

Page 14: Tamper-Resistance in Trusted Platform Modules (cont’d)

Pros
– Strong tamper-resistance on TPM
– Including countermeasures against probing, fault, timing, leakage attacks

Cons
– Data exchange between application CPU and TPM is unprotected; e.g. could send expected data to TPM during secure boot
– Debug interface of application CPU not protected
– TPM chip has expensive countermeasures, but they do not cover critical parts like communications with application CPU
– TPM often uses smartcard technology processes, not well-suited for industrial or automotive applications

Page 15: The Problem with Trusted Computing

[Diagram: the Trusted Computing Group (TCG) surrounded by the parties that have to agree: CPU manufacturer, OS designer, PC maker, application designer, cloud service provider, storage device manufacturer, electronic component manufacturer, free software.]

Open issues shown:
– Non-standard hardware
– Need TCG consensus for irregular cases
– How to deal with cloud/SaaS?
– GPL license allows modification of software

Page 16: Some Bad Memories from 2002

[Slide shows three clippings. Sources: salon.com; Free Software Foundation; Electronic Privacy Information Center.]

Page 17: Menu (agenda slide repeated; the third part, Dessert, starts here)

Appetizer: Automotive Security
– Need for security, attack techniques and attack vectors

Plat de résistance: Trusted Computing
– About trust, Trusted Computing applications, problems with Trusted Computing

Dessert: Automotive Hardware Security Modules
– Why Trusted Computing can work in cars, why TPM is not the right choice, SHE and EVITA, use-cases, key management

Page 18: Some Differences in Liability

PC Industry (EULA example):
IN NO EVENT SHALL XXX BE LIABLE FOR ANY … DAMAGES WHATSOEVER (INCLUDING, BUT NOT LIMITED TO, DAMAGES FOR LOSS OF PROFITS OR CONFIDENTIAL OR OTHER INFORMATION, FOR BUSINESS INTERRUPTION, FOR PERSONAL INJURY, FOR LOSS OF PRIVACY, FOR FAILURE TO MEET ANY DUTY INCLUDING OF GOOD FAITH OR OF REASONABLE CARE, FOR NEGLIGENCE, AND FOR ANY OTHER PECUNIARY OR OTHER LOSS WHATSOEVER) ARISING OUT OF OR IN ANY WAY RELATED TO THE USE OF OR INABILITY TO USE THE PRODUCT, … EVEN IN THE EVENT OF THE FAULT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, BREACH OF CONTRACT OR BREACH OF WARRANTY OF XXX, AND EVEN IF XXX HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Automotive Industry:
– 1970: US Clean Air Act (CAA) tampering prohibition 7522 (a)(3): “[It is prohibited] for any person to manufacture … any part or component intended for use with … any motor vehicle … where a principal effect of the part .. is to bypass, defeat, or render inoperative … any device or element of design … in compliance with regulations under this subchapter, and where the person knows or should know that such part or component is being offered for such use” -> 1996 settlement with US heavy-duty diesel manufacturers
– 1965: “Unsafe at any Speed” (Ralph Nader) -> Alleged defects in Chevrolet Corvair
– 1981: Grimshaw v Ford -> Ford Pinto gas tank defect led to $2.5 Mio compensatory damages + $125 Mio punitive damages

Page 19: Automotive Supply Chain

[Diagram: the car OEM at the top with several Tier 1 suppliers below it; each Tier 1 supplier in turn relies on an OS designer, a semiconductor manufacturer and a basic software provider.]

– OEM is liable / takes all the decisions
– Well-defined supply chain
– Well-defined system

Page 20: Trusted Computing and Cars: A Good Match? Yes!!!

OEM has all the keys
– Has liability in case of incident
– But can control or at least influence all decisions

System is well-defined
– All components are known in advance
– Free software can be integrated by OEM, who controls the version
– Cloud services are usually controlled by the OEM

Trust model is simple
– Driver trusts the OEM
– The OEM trusts the manufacturer of security hardware
– And from there we can apply the standard trust composition

Page 21: Trusted Platform Module and Cars: A Good Match? Maybe Not…

Cost issues
– Tamper-resistance of TPM is high, but no protection of I/O interfaces
– Off-chip means separate testing, packaging, integration, more complicated logistics

Feature issues
– Low bandwidth of external I/O, needs to go through application CPU
– No real-time guarantee, performance depends on TPM chip
– Not automotive grade, usually based on smartcard, low-power process

Page 22: Automotive Hardware Security Modules

Secure Hardware Extension (SHE)
– Drafted by Hersteller Initiative Software (HIS: Audi, BMW, Daimler, Porsche, and Volkswagen) in Germany, with the help of ESCRYPT
– Goal: affordable security meeting constraints of automotive industry
– Currently manufactured by Infineon, Freescale, Spansion (ex-Fujitsu)

EVITA Project (EU FP7 funded project)
– Members: Fraunhofer, BMW, Bosch, Continental, ESCRYPT, EURECOM, Fujitsu, Infineon, Leuven U, MIRA, Telecom ParisTech, Trialog
– Goal: holistic approach covering all automotive security use-cases
– EVITA light similar to SHE, Bosch is preparing an HSM based on EVITA medium

Page 23: Automotive HSMs: SHE and EVITA

On-die “security extension”
– To decrease cost and increase security

Direct memory access
– To avoid interfering with main CPU and increase security

No strong tamper resistance
– To decrease cost
– Counterbalanced with key management

Guaranteed performance
– AES for SHE, EVITA light and medium, ECC for EVITA full

Automotive grade
– e.g. temperature, vibrations, safety...

[Diagram, left: application CPU and EVITA/SHE on the same die, with secure memory and normal memory kept apart by hardware separation (e.g. memory controller, independent busses). Right, for comparison: application CPU connected to an off-chip TPM over insecure I/O (e.g. I2C).]

Page 24: EVITA HSM Classes and SHE

[Table of the EVITA HSM classes]
– EVITA light: no CPU required, low memory requirements, similar to SHE
– EVITA medium: no ECC/hash hardware, but can be implemented in software
– EVITA full: high-speed hardware acceleration for hash, ECC, AES

Source: The EVITA Project Results

Page 25: EVITA: Foreseen Development

Efficient, cost-effective, flexible, and holistic in-vehicle EVITA HSM deployment regarding the different cost, performance constraints and functional requirements.

Page 26: Secure Boot in SHE/EVITA

[Diagram, EVITA: the HSM holds Ref. 1/Value 1, Ref. 2/Value 2 and Ref. 3/Value 3 for the ECU bootloader, OS kernel and application; each is hashed and compared (=?), with the HSM reading the memory through direct memory access rather than through the application CPU.]

[Diagram, SHE: SHE reads the memory area it verifies through direct memory access, computes an AES CMAC over it with the MAC key, and compares (=?) the recalculated MAC with the reference MAC.]
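An added example (not code from the deck, SHE or EVITA) covering the secure boot of pages 11 and 26: reference values are provisioned per memory region, boot re-measures each region straight from flash and stops at the first mismatch. The flash layout, the key, HMAC-SHA256 in place of AES-CMAC and the stop-boot/lock-features policy are assumptions of this example.

```python
import hashlib
import hmac

# Constructed flash layout: (region, start, length) in boot order.
LAYOUT = [("bootloader", 0, 32), ("kernel", 32, 64), ("application", 96, 48)]
# Constructed 144-byte flash content standing in for the real binaries.
FLASH = bytes(range(144))
# Constructed boot MAC key; in SHE it sits in the HSM's secure memory and is
# never readable from the application CPU.
BOOT_MAC_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


def measure(flash: bytes, start: int, length: int, key: bytes) -> bytes:
    """MAC over one memory area, read straight from flash (the HSM's direct
    memory access) rather than from data the application CPU hands over.
    SHE uses AES-CMAC; HMAC-SHA256 stands in so this runs with the stdlib."""
    return hmac.new(key, flash[start:start + length], hashlib.sha256).digest()


def provision(flash: bytes, key: bytes = BOOT_MAC_KEY) -> dict:
    """Done once when the ECU is programmed: store a reference MAC per region."""
    return {name: measure(flash, s, n, key) for name, s, n in LAYOUT}


def secure_boot(flash: bytes, refs: dict, key: bytes = BOOT_MAC_KEY) -> dict:
    """Walk the chain in boot order and stop at the first mismatch.

    Policy (an assumption of this example; the deck only says "stop boot or
    lock features"): a bad bootloader means nothing later can be trusted, so
    boot stops; a bad kernel or application lets the ECU run but keeps the
    HSM's keys locked, as on page 27 (key access only after secure boot)."""
    for name, start, length in LAYOUT:
        recalculated = measure(flash, start, length, key)
        if not hmac.compare_digest(recalculated, refs[name]):
            action = "stop boot" if name == "bootloader" else "lock features"
            return {"verified": False, "failed_stage": name,
                    "action": action, "key_access": False}
    return {"verified": True, "failed_stage": None,
            "action": "boot", "key_access": True}


def corrupt_byte(flash: bytes, offset: int) -> bytes:
    """Constructed test input: one flash byte changed (e.g. an interrupted or
    unauthorised reprogramming), used to exercise the checks above."""
    buf = bytearray(flash)
    buf[offset] ^= 0xFF
    return bytes(buf)
```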

Page 27: Cryptographic Services in EVITA

[Diagram: the application CPU calls a Decrypt API on EVITA and presents a password. EVITA checks the password (=?) and the secure boot result (Ref. X =? Value X) before using Key Y to turn an encrypted CAN packet, received from another ECU over CAN, into a decrypted CAN packet. The packet's MAC is checked with Key Z (Verify MAC), returning OK/NG.]

– Key access can be password-protected
– Key access only allowed after successful secure boot

Page 28: Use Case 1: Secure Reprogramming

[Diagram: a reprogramming tool sends reprogramming data (option: encrypted) together with an RSA signature to the ECU over CAN. The ECU checks the RSA signature against the OEM’s RSA public key (“RSA signature correct?”) before flash reprogramming proceeds.]

Page 29: Use Case 2: Authentication

[Diagram: the ECU draws a random number from its random number generator and sends it to the other party (ECU, tool or server). Both sides apply AES under their key to the random number; the ECU compares (=?) the received result with its own and reports OK.]
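The challenge-response round above, as an added example (not the deck’s or SHE’s own code), including why a recorded response does not work a second time. The key, the 16-byte challenge and HMAC-SHA256 in place of AES are assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Constructed shared key, provisioned into both the ECU's HSM and the
# tool/server HSM (page 31); it never leaves either.
SHARED_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")


def response(key: bytes, challenge: bytes) -> bytes:
    """Prover side: transform the challenge with the shared key. The deck
    uses AES; HMAC-SHA256 (stdlib) stands in here as the keyed function."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


class EcuVerifier:
    """ECU side of use case 2: issues a fresh 16-byte random challenge and
    accepts exactly one response to it."""

    def __init__(self, key: bytes):
        self._key = key
        self._pending = None

    def challenge(self) -> bytes:
        self._pending = secrets.token_bytes(16)   # the HSM's RNG in the deck
        return self._pending

    def verify(self, resp: bytes) -> bool:
        if self._pending is None:
            return False                            # nothing outstanding
        expected = response(self._key, self._pending)
        self._pending = None                        # one answer per challenge
        return hmac.compare_digest(expected, resp)


def run_protocol(ecu_key: bytes, tool_key: bytes) -> bool:
    """One authentication round; True only if both sides hold the same key."""
    ecu = EcuVerifier(ecu_key)
    nonce = ecu.challenge()
    return ecu.verify(response(tool_key, nonce))


def replay_is_rejected(key: bytes = SHARED_KEY) -> bool:
    """A response recorded from an earlier round is useless against a new
    challenge, because every round starts from a fresh random number."""
    ecu = EcuVerifier(key)
    recorded = response(key, ecu.challenge())
    if not ecu.verify(recorded):                   # the genuine round passes
        return False
    ecu.challenge()                                # next round, new nonce
    return not ecu.verify(recorded)
```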

Page 30: Use Case 3: Secure Communications

[Diagram: two ECUs on CAN sharing a key. The sending ECU applies AES to the CAN packet to produce an encrypted CAN packet plus a MAC; the receiving ECU applies AES to recover the decrypted CAN packet and checks the MAC, reporting OK/NG.]
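An added example of the encrypt-and-MAC flow between two ECUs (not code from the deck or the EVITA project): the receiver verifies the MAC before decrypting and drops replayed frames by a counter. The keys, the (counter, ciphertext, tag) frame layout, the 4-byte tag and HMAC-SHA256 in place of AES are assumptions of this example.

```python
import hashlib
import hmac

# Constructed keys shared by the two ECUs and held in their HSMs: one for
# confidentiality (Key Y on page 27) and one for the MAC (Key Z).
ENC_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
MAC_KEY = bytes.fromhex("ffeeddccbbaa99887766554433221100")
TAG_LEN = 4      # truncated MAC; an assumption to keep the frame short


def keystream(counter: int) -> bytes:
    """8 bytes of keystream for one classic-CAN payload. SHE/EVITA would run
    AES here; HMAC-SHA256 over the counter stands in as the keyed PRF."""
    return hmac.new(ENC_KEY, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:8]


def tag_for(counter: int, ct: bytes) -> bytes:
    """MAC over counter || ciphertext, so a frame cannot be reused under a
    different counter or have its ciphertext altered unnoticed."""
    msg = counter.to_bytes(4, "big") + ct
    return hmac.new(MAC_KEY, msg, hashlib.sha256).digest()[:TAG_LEN]


def protect(payload: bytes, counter: int) -> tuple:
    """Sending ECU: encrypt-then-MAC. Returns (counter, ciphertext, tag)."""
    if len(payload) != 8:
        raise ValueError("classic CAN payload is 8 bytes")
    ct = bytes(p ^ k for p, k in zip(payload, keystream(counter)))
    return counter, ct, tag_for(counter, ct)


class Receiver:
    """Receiving ECU: check the MAC before touching the ciphertext, then
    enforce a strictly increasing counter so replayed frames are dropped."""

    def __init__(self):
        self.last_counter = -1

    def accept(self, counter: int, ct: bytes, tag: bytes):
        """Plaintext on OK, None on NG (forged, corrupted or replayed)."""
        if not hmac.compare_digest(tag_for(counter, ct), tag):
            return None                      # MAC failed: do not decrypt
        if counter <= self.last_counter:
            return None                      # replayed or reordered frame
        self.last_counter = counter
        return bytes(c ^ k for c, k in zip(ct, keystream(counter)))
```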

Page 31: Security as an Enabler: Secure Aftermarket Services

[Diagram: a dealer connects over the Internet (HTTPS) to a server room inside a secure environment, where a database and an HSM hold the keys. Authentication between server and ECU enables secure diagnostics and secure reprogramming.]

Page 32

Dr.-Ing. Jan Pelzl, Managing Director, [email protected]
Dr.-Ing. Thomas Wollinger, Managing Director, [email protected]
Camille Vuillaume (カミーユ・ヴィオム), ESCRYPT Business Development, Japan, 045-222-0913, [email protected]