Putting Trust in Automotive Electronics
Camille VUILLAUME
ヴィオム カミーユ
ETAS K.K.
Embedded Security
Menu
Appetizer: Automotive Security
– Need for security, attack techniques and attack vectors
Plat de résistance: Trusted Computing
– About trust, Trusted Computing applications, problems with Trusted Computing
Dessert: Automotive Hardware Security Modules
– Why Trusted Computing can help, why TPM is not the right choice, SHE and EVITA, use-cases, key management
2013/12/07 2 Putting Trust in Automotive Electronics
What is an ECU?
[Diagram: ECU block diagram]
– SoC containing the CPU, RAM (variables) and flash memory (OS, data)
– Sensor input, e.g. air flow meter; actuator output, e.g. fuel injection
– Option: security hardware, e.g. coprocessor, secure memory
– Debug access: boundary scan, on-chip debugger, JTAG
– Network interface, e.g. CAN
The Need for Automotive Security
[Diagram: in-vehicle network with head unit, V2X, central gateway, ESP, engine control, GPS sensor, vehicle serial no. provider, brake actuator, airbag actuator and RTC clock]
Attack vectors
– Reverse engineer remote telematics call center protocol
– Play music file embedding malicious code
– Exploit buffer overflow in Bluetooth stack
– Use OBD-II diagnostics
– Exploit tire pressure monitoring system
Consequences
– Get location
– Engage/disengage brakes
– Disrupt/kill engine
– Spy with microphone
Tools of the Trade: Fuzz Testing
Goals
– Crash target application
– Make target application reply with incorrect data
Method
– Input malformed data to interface function
– e.g. Bluetooth stack, HTTP stack, image, video or sound codec, X.509 certificate parser
Flavors
– Black-box fuzz testing with protocol specifications (e.g. API)
– Gray-box fuzz testing with debugger and code coverage
– White-box fuzz testing with source code or binary
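The black-box flavor above, as an added example that is not part of the deck: a mutation fuzzer run against a constructed toy TLV parser (the record format, the function names and the seeded defects are all hypothetical) next to a hardened version of the same parser. Only the mutation engine and the crash bookkeeping are the fuzzing technique; the parsers exist so that the harness has something to find.

```python
import random
import struct

# Toy TLV message format, constructed for this example: a sequence of
# [type:1][length:1][value:length] records, processed until the buffer ends.


def parse_tlv_naive(data: bytes) -> list:
    """Parser with the kind of defects fuzzing finds: it trusts the length
    field and assumes every record has both header bytes."""
    records = []
    i = 0
    while i < len(data):
        rec_type = data[i]
        length = data[i + 1]                 # IndexError if the type byte is last
        value = data[i + 2:i + 2 + length]   # silently short if length overruns
        if rec_type == 1:
            # "sensor reading" record: expects exactly two bytes, never checks
            records.append(("reading", struct.unpack(">H", value)[0]))
        else:
            records.append(("raw", value))
        i += 2 + length
    return records


def parse_tlv_hardened(data: bytes) -> list:
    """Same format, but every length is validated before use and malformed
    input is rejected with ValueError instead of an unexpected exception."""
    records = []
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated record header")
        rec_type, length = data[i], data[i + 1]
        if i + 2 + length > len(data):
            raise ValueError("length field exceeds buffer")
        value = data[i + 2:i + 2 + length]
        if rec_type == 1:
            if length != 2:
                raise ValueError("reading record must be 2 bytes")
            records.append(("reading", struct.unpack(">H", value)[0]))
        else:
            records.append(("raw", value))
        i += 2 + length
    return records


# Constructed valid message: a reading of 500, then the raw value "abc"
SEED_MESSAGE = bytes([1, 2, 0x01, 0xF4, 2, 3]) + b"abc"


def mutate(msg: bytes, rng: random.Random) -> bytes:
    """Black-box mutations that need no protocol knowledge: overwrite a byte,
    truncate, or append random bytes."""
    buf = bytearray(msg)
    op = rng.randrange(3)
    if op == 0 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == 1 and buf:
        del buf[rng.randrange(len(buf)):]
    else:
        buf.extend(rng.randrange(256) for _ in range(rng.randrange(1, 4)))
    return bytes(buf)


def fuzz(parser, iterations: int = 2000, seed: int = 1) -> dict:
    """Feed mutated inputs to `parser` and collect crashes grouped by
    exception type. The parser's documented ValueError is a clean rejection,
    not a crash, so it is not counted."""
    rng = random.Random(seed)
    crashes = {}
    for _ in range(iterations):
        sample = mutate(SEED_MESSAGE, rng)
        try:
            parser(sample)
        except ValueError:
            continue
        except Exception as exc:
            crashes.setdefault(type(exc).__name__, []).append(sample)
    return crashes


if __name__ == "__main__":
    for name, parser in (("naive", parse_tlv_naive), ("hardened", parse_tlv_hardened)):
        print(name, {kind: len(samples) for kind, samples in fuzz(parser).items()})
```

Running it prints the crash classes found: the naive parser yields IndexError (truncated header) and struct.error (length field never checked before unpacking), the hardened one none, because every malformed input becomes the documented ValueError. A real harness swaps the toy parser for the Bluetooth stack or certificate parser under test and keeps each crashing sample as a regression test.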
One Step Deeper: Debug Interfaces
Boundary scan
– Allows direct access to various modules
On-Chip Debuggers
– Allow interruption of CPU execution, reading/writing to memories and registers
Backdoors
– Usually not malicious but left in place by a careless engineer for development or testing
[Diagram: CPU, flash and RAM, with on-chip debugger, boundary scan and JTAG access]
The Abyss: Physical Attacks
[Diagram: CPU with ALU, program counter and registers; flash memory holding programs; RAM holding intermediate data; VCC supply]
Measure power consumption
– Find operations executed by ALU
– Find data in registers
– Find data in RAM
Generate voltage spike
– Corrupt operation executed by ALU
– Corrupt program flow
– Corrupt data in registers
– Corrupt data in RAM
– Corrupt program
Monitor data on bus with needle
Security vs. Safety
Safety
– Based on reliability: clear, measurable metrics -> realm of mathematics
– Failure based on average case, e.g. failure prob. of CRC32 = 2*10^-10
– Composition possible with basic probability calculations
Security
– Based on trust: no way to quantify -> realm of faith
– Failure on worst case, e.g. forgery prob. of CRC32 = 1
– Composition possible with "my friends' friends are my friends" rule
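The CRC32 line of the table, carried through as an added example that is not from the deck: the average-case figure is the chance that a random corruption slips past a 32-bit check, 2^-32 ≈ 2.3*10^-10; the worst-case figure is what an adversary gets, and the code shows why it is 1 by constructing a second message with the same CRC-32 as the first, then shows that a keyed MAC (HMAC-SHA256 here) does not share the weakness. The payloads, the key and the function names are constructed for the demo.

```python
import hashlib
import hmac
import zlib

# CRC-32 lookup table for the reflected polynomial 0xEDB88320 (the one zlib uses)
CRC_TABLE = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    CRC_TABLE.append(_c)
# The top byte of each table entry is unique, so it identifies the index
CRC_TOP_TO_INDEX = {entry >> 24: i for i, entry in enumerate(CRC_TABLE)}


def crc32_patch(prefix: bytes, target: int) -> bytes:
    """Return 4 bytes p with zlib.crc32(prefix + p) == target.
    CRC is linear, so four bytes pushed through the register are enough to
    steer it from any starting state to any chosen final state."""
    want = target ^ 0xFFFFFFFF              # zlib XORs the register on output
    indexes = []
    for _ in range(4):                      # walk the register backwards
        idx = CRC_TOP_TO_INDEX[want >> 24]
        indexes.append(idx)
        want = ((want ^ CRC_TABLE[idx]) << 8) & 0xFFFFFFFF
    reg = zlib.crc32(prefix) ^ 0xFFFFFFFF   # internal register after the prefix
    patch = bytearray()
    for idx in reversed(indexes):           # then forwards, picking each byte
        patch.append((reg ^ idx) & 0xFF)
        reg = CRC_TABLE[idx] ^ (reg >> 8)
    return bytes(patch)


def patch_works(prefix: bytes, target: int) -> bool:
    """Self-check: the patched message really has the requested CRC."""
    return zlib.crc32(prefix + crc32_patch(prefix, target)) == target


def forge_crc_message(original: bytes, replacement: bytes) -> bytes:
    """Worst case for a CRC: a message with different content but the same
    CRC-32 as `original`. This works every time, hence forgery prob. = 1."""
    return replacement + crc32_patch(replacement, zlib.crc32(original))


def crc_check(message: bytes, tag: int) -> bool:
    return zlib.crc32(message) == tag


def mac_tag(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()


def mac_check(key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac_tag(key, message), tag)


def demo() -> dict:
    original = b"torque_limit=100"          # constructed sample payload
    replacement = b"torque_limit=999"
    key = bytes(range(16))                  # constructed demo key
    crc_tag = zlib.crc32(original)
    tag = mac_tag(key, original)
    forged = forge_crc_message(original, replacement)
    return {
        "forged_carries_replacement": forged.startswith(replacement),
        "crc_accepts_forgery": crc_check(forged, crc_tag),
        "mac_accepts_original": mac_check(key, original, tag),
        "mac_accepts_forgery": mac_check(key, forged, tag),
    }
```

crc32_patch needs no search because CRC is linear over GF(2): the four appended bytes cancel whatever state the prefix left in the register. That is also the point behind the composition rule on the same slide: a CRC is a reliability mechanism and says nothing about trust, while the MAC's secret key is what lets the receiver trust the sender.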
Chain of Trust: My Friends' Friends…
[Diagram: the root of trust (usually secure hardware) verifies integrity/authenticity of the bootloader, the bootloader verifies integrity/authenticity of the kernel, and the kernel verifies integrity/authenticity of the applications]
Root of trust enables the use of trustworthy applications
Trusted Computing: Secure Boot
[Diagram: the application CPU runs bootloader, OS kernel and application; the TPM stores reference values Ref. 1/Value 1, Ref. 2/Value 2 and Ref. 3/Value 3, hashes each stage received over external I/O and compares (=?) with the stored value]
Trusted Platform Module (TPM)
– Verify integrity of bootloader and various memory areas
– Send binary code to TPM chip through external I/O
– In case of inconsistency, stop boot or lock features
Trusted Computing: Binding and Sealing
[Diagram: the application is stored encrypted in application CPU memory; the TPM holds the key and the reference Ref. X/Value X, and the decrypted application is released over external I/O only after the reference value check (=?) and the password check (password =? password) succeed]
– Allow decryption only if boot sequence correctly verified
– Allow decryption only if application CPU supplies correct password
Tamper-Resistance in Trusted Platform Modules
[Diagram: application CPU with debug interface, connected to the TPM through external I/O]
Inside the TPM
– Shielding protects chip against probing
– Light detectors protect chip against laser attacks
– Crypto engines include countermeasures against timing and leakage attacks
Outside the TPM
– Debug interface of application CPU can usually be opened
– Trivial to probe or modify data transmitted through I/O
Tamper-Resistance in Trusted Platform Modules (cont'd)
Pros
– Strong tamper-resistance on TPM
– Including countermeasures against probing, fault, timing, leakage attacks
Cons
– Data exchange between application CPU and TPM is unprotected, e.g. could send expected data to TPM during secure boot
– Debug interface of application CPU not protected
– TPM chip has expensive countermeasures, but they do not cover critical parts like communications with application CPU
– TPM often uses smartcard technology processes, not well-suited for industrial or automotive applications
The Problem with Trusted Computing
[Diagram: Trusted Computing Group (TCG) surrounded by CPU manufacturer, OS designer, PC maker, application designer, cloud service provider, storage device manufacturer, electronic component manufacturer and free software]
– Non-standard hardware: need TCG consensus for irregular cases
– How to deal with cloud/SaaS?
– GPL license allows modification of software
Some Bad Memories from 2002
[Images; sources: salon.com, Free Software Foundation, Electronic Privacy Information Center]
Some Differences in Liability
Automotive Industry
– 1970: US Clean Air Act (CAA) tampering prohibition 7522 (a)(3): "[It is prohibited] for any person to manufacture … any part or component intended for use with … any motor vehicle … where a principal effect of the part … is to bypass, defeat, or render inoperative … any device or element of design … in compliance with regulations under this subchapter, and where the person knows or should know that such part or component is being offered for such use" -> 1996 settlement with US heavy-duty diesel manufacturers
– 1965: "Unsafe at any Speed" (Ralph Nader) -> Alleged defects in Chevrolet Corvair
– 1981: Grimshaw v Ford -> Ford Pinto gas tank defect led to $2.5 Mio compensatory damages + $125 Mio punitive damages
PC Industry
– EULA example: "IN NO EVENT SHALL XXX BE LIABLE FOR ANY … DAMAGES WHATSOEVER (INCLUDING, BUT NOT LIMITED TO, DAMAGES FOR LOSS OF PROFITS OR CONFIDENTIAL OR OTHER INFORMATION, FOR BUSINESS INTERRUPTION, FOR PERSONAL INJURY, FOR LOSS OF PRIVACY, FOR FAILURE TO MEET ANY DUTY INCLUDING OF GOOD FAITH OR OF REASONABLE CARE, FOR NEGLIGENCE, AND FOR ANY OTHER PECUNIARY OR OTHER LOSS WHATSOEVER) ARISING OUT OF OR IN ANY WAY RELATED TO THE USE OF OR INABILITY TO USE THE PRODUCT, … EVEN IN THE EVENT OF THE FAULT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, BREACH OF CONTRACT OR BREACH OF WARRANTY OF XXX, AND EVEN IF XXX HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES."
Automotive Supply Chain
[Diagram: car OEM, Tier 1 suppliers, OS designer, semiconductor manufacturer, basic software provider]
– OEM is liable / takes all the decisions
– Well-defined supply chain
– Well-defined system
Trusted Computing and Cars: A Good Match? Yes!!!
OEM has all the keys
– Has liability in case of incident
– But can control or at least influence all decisions
System is well-defined
– All components are known in advance
– Free software can be integrated by OEM, who controls the version
– Cloud services are usually controlled by the OEM
Trust model is simple
– Driver trusts the OEM
– The OEM trusts the manufacturer of security hardware
– And from there we can apply the standard trust composition
Trusted Platform Module and Cars: A Good Match? Maybe Not…
Cost issues
– Tamper-resistance of TPM is high, but no protection of I/O interfaces
– Off-chip means separate testing, packaging, integration, more complicated logistics
Feature issues
– Low bandwidth of external I/O, needs to go through application CPU
– No real-time guarantee, performance depends on TPM chip
– Not automotive grade, usually based on smartcard, low-power process
Automotive Hardware Security Modules
Secure Hardware Extension (SHE)
– Drafted by Hersteller Initiative Software (HIS: Audi, BMW, Daimler, Porsche and Volkswagen) in Germany, with the help of ESCRYPT
– Goal: affordable security meeting constraints of automotive industry
– Currently manufactured by Infineon, Freescale, Spansion (ex-Fujitsu)
EVITA Project (EU FP7 funded project)
– Members: Fraunhofer, BMW, Bosch, Continental, ESCRYPT, EURECOM, Fujitsu, Infineon, Leuven U, MIRA, Telecom ParisTech, Trialog
– Goal: holistic approach covering all automotive security use-cases
– EVITA light similar to SHE, Bosch is preparing an HSM based on EVITA medium
Automotive HSMs: SHE and EVITA
On-die "security extension" – To decrease cost and increase security
Direct memory access – To avoid interfering with main CPU and increase security
No strong tamper resistance – To decrease cost
– Counterbalanced with key management
Guaranteed performance – AES for SHE, EVITA light and medium, ECC for EVITA full
Automotive grade – e.g. temperature, vibrations, safety...
[Diagram: EVITA/SHE on the same die as the application CPU, with hardware separation (e.g. memory controller, independent busses) between secure memory and normal memory; compared with an application CPU connected to an off-chip TPM over insecure I/O (e.g. I2C)]
EVITA HSM Classes and SHE
– EVITA light: no CPU required, low memory requirements, similar to SHE
– EVITA medium: no ECC/hash hardware, but can be implemented in software
– EVITA full: high-speed hardware acceleration for hash, ECC, AES
Source: The EVITA Project Results
EVITA: Foreseen Development
Efficient, cost-effective, flexible, and holistic in-vehicle EVITA HSM deployment regarding the different cost, performance constraints and functional requirements
Secure Boot in SHE/EVITA
[Diagram, EVITA: the application CPU runs ECU bootloader, OS kernel and application; the EVITA HSM holds Ref. 1/Value 1, Ref. 2/Value 2 and Ref. 3/Value 3, hashes each stage through direct memory access and compares (=?) with the reference value]
[Diagram, SHE: the memory area verified by SHE is read through direct memory access; SHE recalculates an AES-CMAC with the MAC key and compares (=?) the recalculated MAC with the reference MAC]
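Both variants on this slide, together with the TPM secure boot earlier in the deck, as one added example that is not part of the deck: a TPM model that verifies hashes of whatever the application CPU sends over the I/O link, and an on-die SHE-style HSM model that recalculates a keyed MAC over flash through its own direct memory access. The firmware images, reference values and MAC key are constructed; the deck specifies AES-CMAC for SHE, and HMAC-SHA256 stands in because the Python standard library has no AES; the class and function names are chosen for this example.

```python
import hashlib
import hmac

# Constructed firmware images for the three boot stages (stand-ins for real binaries)
GOLDEN_FLASH = {
    "bootloader": b"BOOT v1: init clocks, verify kernel",
    "kernel": b"KERNEL v1: scheduler, CAN driver",
    "application": b"APP v1: engine control map",
}
STAGES = ("bootloader", "kernel", "application")
MAC_KEY = bytes(range(16))   # constructed; in SHE this key never leaves the HSM


def measure(image: bytes) -> bytes:
    """Unkeyed reference value (TPM-style hash measurement)."""
    return hashlib.sha256(image).digest()


def mac(key: bytes, image: bytes) -> bytes:
    """Keyed reference value. SHE uses AES-CMAC; HMAC-SHA256 stands in here."""
    return hmac.new(key, image, hashlib.sha256).digest()


class Tpm:
    """Off-chip TPM: it only sees what the application CPU puts on the
    external I/O bus, never flash itself."""
    def __init__(self, references: dict):
        self.references = references

    def verify_stage(self, name: str, image_from_bus: bytes) -> bool:
        return measure(image_from_bus) == self.references[name]


def tpm_secure_boot(tpm: Tpm, bus_traffic: dict) -> list:
    """Verify stages in order and return the ones that passed. `bus_traffic`
    is whatever the application CPU sends over the I/O link for each stage."""
    passed = []
    for name in STAGES:
        if not tpm.verify_stage(name, bus_traffic[name]):
            return passed            # inconsistency: stop boot / lock features
        passed.append(name)
    return passed


class SheHsm:
    """On-die HSM with direct memory access: it reads flash itself and keeps
    the MAC key and the reference MACs in its own secure memory."""
    def __init__(self, flash: dict, key: bytes, reference_macs: dict):
        self._flash = flash
        self._key = key
        self._refs = reference_macs
        self.boot_ok = False

    def secure_boot(self) -> list:
        passed = []
        for name in STAGES:
            recalculated = mac(self._key, self._flash[name])   # direct memory access
            if not hmac.compare_digest(recalculated, self._refs[name]):
                self.boot_ok = False
                return passed
            passed.append(name)
        self.boot_ok = True
        return passed


def compare_architectures() -> dict:
    """Run the same tampered flash (modified application image) through both designs."""
    tampered = dict(GOLDEN_FLASH, application=b"APP v2: unauthorized build")
    tpm = Tpm({name: measure(img) for name, img in GOLDEN_FLASH.items()})
    she_refs = {name: mac(MAC_KEY, img) for name, img in GOLDEN_FLASH.items()}
    return {
        # an honest CPU forwards what is really in flash: the TPM catches the change
        "tpm_honest_cpu": tpm_secure_boot(tpm, tampered),
        # the weak spot named on the TPM slides: the I/O link is unprotected, so a
        # CPU that forwards the expected images instead of flash contents passes
        "tpm_cpu_sends_expected_data": tpm_secure_boot(tpm, GOLDEN_FLASH),
        # SHE reads flash directly, so no forwarded data is involved at all
        "she_tampered_flash": SheHsm(tampered, MAC_KEY, she_refs).secure_boot(),
        "she_clean_flash": SheHsm(dict(GOLDEN_FLASH), MAC_KEY, she_refs).secure_boot(),
    }
```

With an honest CPU both designs stop at the application stage. The difference is the third case: the TPM cannot distinguish flash contents from forwarded expected values, whereas the SHE model never depends on what the CPU forwards, which is what "direct memory access: increase security" on the previous slide buys.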
Cryptographic Services in EVITA
[Diagram: another ECU sends an encrypted CAN packet with MAC over CAN; the application CPU calls the EVITA decrypt API (key Y) to obtain the decrypted CAN packet and the verify MAC service (key Z), which returns OK/NG; access to key Y requires a password (password =? password), and key access is gated on the secure boot reference check (Ref. X =? Value X)]
– Key access can be password-protected
– Key access only allowed after successful secure boot
Use Case 1: Secure Reprogramming
[Diagram: the reprogramming tool sends reprogramming data (option: encrypted) and an RSA signature to the ECU; the ECU checks "RSA signature correct?" with the OEM's RSA public key before flash reprogramming]
Use Case 2: Authentication
[Diagram: the ECU draws a random number from its random number generator and sends it to the other ECU, tool or server; both sides compute AES over it with the shared key; the ECU compares (=?) the returned value with its own result and reports OK]
Use Case 3: Secure Communications
[Diagram: the sending ECU encrypts the CAN packet with AES and attaches a MAC; over CAN, the receiving ECU decrypts the packet with AES and checks the MAC, returning OK/NG; both ECUs hold the key]
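Use case 2, together with the key-access rules of the cryptographic services slide (key usable only after successful secure boot, optionally password-protected) and the sealing idea from the TPM part, as an added example not taken from the deck: an HSM key store that refuses service until its boot flag is set, plus the challenge-response exchange between an ECU and a tool with both sides' messages. Keys, password and slot names are constructed; AES is replaced by HMAC-SHA256 because the standard library has no AES; the boot flag is set by hand where the HSM's own secure-boot routine would set it.

```python
import hashlib
import hmac
import secrets


def prf(key: bytes, data: bytes) -> bytes:
    """Keyed function for MACs and challenge responses. The slides use AES;
    HMAC-SHA256 stands in here."""
    return hmac.new(key, data, hashlib.sha256).digest()


class HsmKeyStore:
    """Key slots live inside the HSM. Callers get services (MAC, verify),
    never key bytes, and only after secure boot and, for protected slots,
    with the right password."""
    def __init__(self):
        self._slots = {}          # slot name -> (key, password or None)
        self.boot_ok = False      # set by the HSM's own secure-boot check

    def provision(self, slot: str, key: bytes, password: bytes = None):
        self._slots[slot] = (key, password)

    def _key(self, slot: str, password: bytes) -> bytes:
        if not self.boot_ok:
            raise PermissionError("key access refused: secure boot not verified")
        key, required = self._slots[slot]
        if required is not None and not (
            password is not None and hmac.compare_digest(required, password)
        ):
            raise PermissionError("key access refused: wrong password")
        return key

    def mac(self, slot: str, data: bytes, password: bytes = None) -> bytes:
        return prf(self._key(slot, password), data)

    def verify_mac(self, slot: str, data: bytes, tag: bytes, password: bytes = None) -> bool:
        return hmac.compare_digest(self.mac(slot, data, password), tag)


class Ecu:
    """Verifier side of use case 2: draws a fresh random challenge and checks
    the peer's response with the HSM-held key."""
    def __init__(self, hsm: HsmKeyStore, slot: str, password: bytes = None):
        self.hsm, self.slot, self.password = hsm, slot, password
        self._pending = None

    def new_challenge(self) -> bytes:
        self._pending = secrets.token_bytes(16)     # random number generator
        return self._pending

    def check_response(self, response: bytes) -> bool:
        challenge, self._pending = self._pending, None   # each challenge used once
        if challenge is None:
            return False
        return self.hsm.verify_mac(self.slot, challenge, response, self.password)


class Peer:
    """Other ECU, tool or server holding the shared key."""
    def __init__(self, key: bytes):
        self.key = key

    def respond(self, challenge: bytes) -> bytes:
        return prf(self.key, challenge)


def demo() -> dict:
    shared_key = bytes(range(16))                           # constructed demo key
    hsm = HsmKeyStore()
    hsm.provision("diag_auth", shared_key, password=b"workshop-pw")   # constructed
    ecu = Ecu(hsm, "diag_auth", password=b"workshop-pw")
    genuine, rogue = Peer(shared_key), Peer(bytes(16))
    results = {}
    try:                                                    # before secure boot
        ecu.check_response(genuine.respond(ecu.new_challenge()))
        results["before_boot"] = "allowed"
    except PermissionError:
        results["before_boot"] = "refused"
    hsm.boot_ok = True                                      # secure boot succeeded
    results["genuine_peer"] = ecu.check_response(genuine.respond(ecu.new_challenge()))
    results["wrong_key"] = ecu.check_response(rogue.respond(ecu.new_challenge()))
    old_response = genuine.respond(ecu.new_challenge())     # captured in one session
    ecu.new_challenge()                                     # a later session
    results["replayed_response"] = ecu.check_response(old_response)
    try:
        caller = Ecu(hsm, "diag_auth", password=b"guess")
        caller.check_response(genuine.respond(caller.new_challenge()))
        results["wrong_password"] = "allowed"
    except PermissionError:
        results["wrong_password"] = "refused"
    return results
```

demo walks the cases a reviewer would ask about: service refused before boot, a genuine peer accepted, a peer with the wrong key rejected, a captured response replayed against a later challenge rejected (the random number must be fresh for every run), and a caller with the wrong password refused before any key is touched.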
Security as an Enabler: Secure Aftermarket Services
[Diagram: the dealer connects over the Internet (HTTPS) to a secure environment, a server room with a database and an HSM holding the keys]
– Authentication between server and ECU
– Secure diagnostics, secure reprogramming
Dr.-Ing. Jan Pelzl
Managing Director
Dr.-Ing. Thomas Wollinger
Managing Director
Camille Vuillaume
カミーユ・ヴィオム
ESCRYPT Business Development, Japan
045-222-0913