
Exploring Security Synergies in
Driverless Car and UAS Integrated
Modular Architectures (IMAs)
Thomas Gaska
Lockheed Martin MST Owego and Binghamton
University
[email protected]
Introduction
• There is a future opportunity to leverage COTS security
technology being developed for the driverless car into
future UAS Integrated Modular Architectures (IMAs)
• Infrastructure and Information Security are critical
issues in networked UAS team configurations with
increasing degrees of autonomy and collaboration
• The security hierarchy includes off-board connectivity
level gateways, application level software security
mechanisms, platform and subsystem network security
gateways, processing infrastructure elements, and
security primitives and protocols
Agenda
1.) Common Security Challenges – UAS and Driverless
Cars
2.) Dual Use Security Taxonomy
3.) Automotive Industry Security Initiatives Mapped to
Potential UAS Relevance
4.) Future Embedded Security Product Directions
5.) Conclusions
Common Security Challenges – UAS and
Driverless Cars
• Increased cooperative platform autonomy => Mixed capability management and levels of autonomy
  – Need to cooperate with less and more capable manned systems, with the goal of optionally piloted capability
• Connectivity to the Cloud and GIG => Every platform will interact as a sensor for situation awareness
  – Need to offload system-of-systems management to an ad hoc, trusted infrastructure
• Connectivity within the platform for storage and onboard/offboard services at multiple trust levels => Multiple Levels of Security
  – Need multiple security domains within and across the platforms
• Protection of critical program information and tamper resistance => Trusted Computing Elements
  – Need to balance open architecture and enforce trust
• Increased standardization to support collapsing into a common component infrastructure => Next Generation Integrated Modular Avionics (IMA)
  – Need to leverage the Moore's Law multicore explosion while maintaining safety and security
• Increased cross-platform reuse => Domain standardization initiatives
  – Need hardware-agnostic software components and uniform software interfaces
• Affordability consistent with the threat, policy, and customer => Early demonstration of advanced solution capability for acceptance/validation
  – Need incremental technology insertion across a wide range of affordability targets
Next generation avionics architectures need to provide enhanced Information Assurance (IA) and Trusted Processing (TP) solutions to protect new capabilities
Automotive Autonomy Applications Architecture
[Figure: cloud-assisted autonomous driving application architecture, REF 1]
Automotive components, standards, and topologies will need to be incrementally developed in a reference architecture
IMA Architecture – Driverless Cars
[Figure: driverless car IMA showing the sensor net, planning/control, cloud services, and the UAS net, VMS net and cloud net segments]
Future autonomous architectures will drive distributed security into a new generation of modular component based SW/HW
Information Assurance and Trusted Processing Definitions
• Infrastructure security is the security that prevents tampering with the computer and networking hardware and software infrastructure
• Infrastructure security is typically associated with Tamper Resistant Computing and Trusted Processing (TP); information security is associated with Information Assurance (IA)
• Both of these security infrastructures need to be properly addressed and incrementally extended to enable future levels of autonomy
Generic Security Hierarchy
1. Cloud (public, private, hybrid) to Platform
Exchanges
2. Platform to Platform Exchanges
3. Off-board Communication Security
4. Platform Storage Security
5. Platform Network Security
6. Embedded Processing Node SW/HW Security
7. Platform Application/Infrastructure Software
Avionics Security Taxonomy Mapped to University Research and Automotive Domains
(Columns: Layer; Information Assurance (IA) for Avionics; Trusted Processing (TP) for Avionics; University Security Research Focus Areas; Automotive Security Industry Focus)

Layer 1 – Cloud (public, private, hybrid) to Platform Exchanges
  IA for Avionics: Private Cloud Security SW Infrastructure
  TP for Avionics: Trusted Network Infrastructure HW
  University research: Access control/identity management, data control/data loss, anomaly detection/security policy, hypervisor vulnerabilities
  Automotive focus: Car connected to the vendor/3rd party cloud over a 3G/4G link – Tesla S, SysSec

Layer 2 – Platform to Platform Exchanges
  IA for Avionics: Secure Certification and Exchange Protocols
  TP for Avionics: Secure IP Based Radios
  University research: Ad hoc networks, sensor networks, mesh networks, and vehicular networks
  Automotive focus: CAR2X, PRESERVE – Integration and Demonstration, SysSec

Layer 3 – Off-board Communication Security
  IA for Avionics: Intrusion Detection SW
  TP for Avionics: Trusted Network Gateway HW, Encrypted Communications HW
  University research: Accelerated Intrusion Detection System/Firewall System
  Automotive focus: CAR2X, PRESERVE – Integration and Demonstration, SysSec

Layer 4 – Platform Storage Security
  IA for Avionics: Cross Domain Solution SW
  TP for Avionics: Encrypted Storage HW
  University research: Encrypted file systems – encrypt user's data, manage and create keys
  Automotive focus: OVERSEE

Layer 5 – Platform Network Security
  IA for Avionics: Security Services SW
  TP for Avionics: Encrypted Communications HW
  University research: Anomaly detection, clean slate security protocols
  Automotive focus: OVERSEE

Layer 6 – Embedded Processing Node SW/HW Security
  IA for Avionics: Malware Detection SW, Virtual Machines SW
  TP for Avionics: Secure Root-of-Trust HW, Secure Boot Assist HW, and Secure Execution HW
  University research: Intrusion Prevention System/Application Layer Firewall, Trusted Platform Module (TPM) extensions, Secure Processor SoC/3DIC HW
  Automotive focus: ESCRYPT – Secure Operating Systems, EVITA – High, Medium, Low HW Security Modules (HSMs), EURO-MILS

Layer 7 – Platform Application SW
  IA for Avionics: Trusted Applications SW
  TP for Avionics: Secure HW Virtualization Support
  University research: Autonomy Architecture with Cloud Fusion
  Automotive focus: AUTOSAR SW Components
Securing Ad hoc Vehicular InterNETworking (VANET)
Secure Vehicle Communications (SEVECOM) in-car architecture components include:
• Information Assurance Network Security – Car-to-Car Network Security Module
  – Car-to-Car Comms
• Information Assurance Infrastructure – In-car Network Security Module
  – Gateway/Firewall
  – Intrusion Detection/Attestation
• Trusted Processor – Tamper-Evident Security Module
  – Key/Certificate Storage
  – Secure Crypto Processing
  – Secure Execution
REF 2
Information Assurance Mechanisms in Network Connected Topologies
• Identification
  – Typically uses trusted third parties to validate credentials
• Authentication of Data Origin
  – Must work with no real-time connection to the certifying authority and in a one-way broadcast environment
• Attribute Identification
  – e.g. authentication of traffic density information
• Integrity Protection
  – Signatures
• Confidentiality Protection
  – Encryption
• Attestation of Sensor Data
  – Location obfuscation/verification
• Tamper Resistant Communication
  – Replay Protection
  – Access Control
  – Authentication and Authorization
  – Jamming/DoS Protection
  – Firewall
  – Sandbox
  – Filtering Based on Rules
REF 2
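Added example (not from the page or REF 2): a receiver-side check for one-way broadcast vehicle beacons that combines several of the mechanisms listed above: integrity protection, freshness, per-sender replay rejection and rule-based plausibility filtering of the claimed position. Real V2X stacks authenticate with certificate-based asymmetric signatures; here a keyed MAC under an assumed shared group key stands in so the code runs with the Python standard library alone. The beacon layout, the key, the freshness window, the speed bound and the sample beacons are all assumptions constructed for the example.

```python
"""Receiver-side checks for one-way broadcast vehicle beacons: integrity tag
verification, freshness, per-sender replay rejection and rule-based plausibility
filtering of the claimed position.  Added example, not from the page or REF 2.
A keyed MAC under an assumed shared group key stands in for the certificate-
based signatures real V2X stacks use, so that this runs with the standard
library only (assumption)."""
import hashlib
import hmac
import math
import struct

GROUP_KEY = b"\x01" * 32          # assumed group key, constructed for the example

# Assumed beacon layout: sender_id(u32) seq(u32) ts_ms(u64) lat(f64) lon(f64) | tag(32)
HDR = struct.Struct(">IIQdd")
TAG_LEN = 32

MAX_AGE_MS = 1000                 # freshness window (assumed)
MAX_SPEED_MPS = 70.0              # plausibility bound, about 250 km/h (assumed)


def make_beacon(sender_id, seq, ts_ms, lat, lon, key=GROUP_KEY):
    """Sender side: serialize the fields and append a SHA-256 HMAC tag."""
    body = HDR.pack(sender_id, seq, ts_ms, lat, lon)
    return body + hmac.new(key, body, hashlib.sha256).digest()


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS-84 points."""
    r = 6371000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


class BeaconReceiver:
    """Keeps the last accepted (seq, ts, lat, lon) per sender."""

    def __init__(self, key=GROUP_KEY):
        self.key = key
        self.last = {}

    def accept(self, beacon, now_ms):
        """Return (accepted, reason).  Checks run cheapest-first and nothing
        is recorded from a beacon that fails an earlier check."""
        if len(beacon) != HDR.size + TAG_LEN:
            return False, "malformed"
        body, tag = beacon[:HDR.size], beacon[HDR.size:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):      # integrity / data origin
            return False, "bad tag"
        sender, seq, ts, lat, lon = HDR.unpack(body)
        if ts > now_ms + MAX_AGE_MS or now_ms - ts > MAX_AGE_MS:   # freshness
            return False, "stale"
        prev = self.last.get(sender)
        if prev is not None:
            pseq, pts, plat, plon = prev
            if seq <= pseq:                              # replay / reordering
                return False, "replay"
            dt = (ts - pts) / 1000.0
            if dt > 0 and haversine_m(plat, plon, lat, lon) / dt > MAX_SPEED_MPS:
                return False, "implausible position"   # rule-based filtering
        self.last[sender] = (seq, ts, lat, lon)
        return True, "ok"
```

The ordering matters: the tag is checked before any field is parsed or any state updated, so a forged or replayed beacon cannot move the receiver's per-sender baseline, and the plausibility rule is applied only to beacons that already passed origin and freshness checks.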
Experimental Security Analysis of a Modern Automobile
• Intel CTO Justin Rattner predicts that driverless cars will be available within 10 years and that buyers by then will increasingly be more interested in a vehicle's internal technology than the quality of its engine
• God help us when one of them runs into somebody or runs over somebody
Most new functionality in an automobile is electronics and software – there are many vulnerabilities in current bridged networks
REF 3
Trusted Processing Mechanisms Hierarchy
[Figure: trusted processing mechanisms hierarchy, REF 4]
E-Safety Vehicle Intrusion Protected Applications (EVITA)
• Defines 3 classes of Hardware Security Modules (HSMs)
  – Full
  – Medium
  – Light
• OVERSEE adds virtualization and firewalls at each node
REF 5
AUTomotive Open System Architecture (AUTOSAR)
• AUTOSAR codesign methodology uses a Component Software Design Model and a virtual function bus
  1) Develop requirements and constraints
  2) Describe SW-Component independently of HW
  3) Describe HW independently of Application SW
  4) Describe System – network topology, communication
• Generate software executable based on configuration information for each ECU using formal methods
REF 6
Parallel Domain Security Extensions
[Figure: automotive initiatives (AUTOSAR, EURO-MILS, ESCAR) and UAS standards initiatives (SAE systems-of-systems extensions) mapped onto common security elements]
• Unified Security Services: crypto services, secure boot, communication gateway with firewalls/intrusion protection
• Reusable SW Components: HW-agnostic and uniform API layering; reusable units of portability in layered architectures (drivers, transport services); interoperability
• Enforced IMA Partitioning: isolated execution environments via virtualization; multicore hypervisors that support mixed general purpose, safe and secure workloads; incremental path to a unified hypervisor infrastructure
• Embedded Controllers with Trust Services: trusted computing with HW root-of-trust (HSM), secure boot, dynamic monitoring
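Added example (not from the page, EVITA or EURO-MILS): the secure boot and dynamic monitoring that the trust-services element above asks of an embedded controller, modelled stage by stage. Each stage image is verified against a reference digest assumed to be held by the HW root of trust before control passes to it, every verified stage is folded into a running measurement register (TPM-style extend, so the final value also serves attestation of the whole chain), and a runtime monitor re-measures the loaded images. The stage names, images, reference digests and the monitor interface are constructed assumptions.

```python
"""Stage-by-stage secure boot backed by a root of trust, with a TPM-style
measurement register and a runtime re-measurement ('dynamic monitoring').
Added example; images, digests and the interfaces are constructed for it and
are not EVITA's, EURO-MILS's or the page's own."""
import hashlib
import hmac


def sha256(data):
    return hashlib.sha256(data).digest()


# Constructed stage images; a real chain covers bootloader, OS and application.
IMAGES = {
    "bootloader": b"BL v1.2 (constructed image)",
    "os":         b"RTOS v4 (constructed image)",
    "app":        b"flight-control-app v7 (constructed image)",
}
BOOT_ORDER = ("bootloader", "os", "app")

# Reference digests, assumed to live in HSM one-time-programmable memory or a
# signed manifest that the HSM has already verified.
ROOT_OF_TRUST = {name: sha256(img) for name, img in IMAGES.items()}


def extend(register, digest):
    """TPM-style extend: new = H(old || digest).  Order-dependent by design."""
    return sha256(register + digest)


def secure_boot(images, reference, order=BOOT_ORDER):
    """Verify each stage before 'executing' it.  Returns (ok, failed_stage, register).
    The chain halts at the first mismatch (fail closed); later stages never run."""
    register = b"\x00" * 32
    for name in order:
        img = images.get(name)
        if img is None:
            return False, name, register
        digest = sha256(img)
        if not hmac.compare_digest(digest, reference[name]):
            return False, name, register
        register = extend(register, digest)
    return True, None, register


def expected_register(reference, order=BOOT_ORDER):
    """Value the register must hold after a clean boot; this is what a remote
    attester compares against."""
    register = b"\x00" * 32
    for name in order:
        register = extend(register, reference[name])
    return register


def monitor(images, reference):
    """Dynamic monitoring: re-measure the loaded images and list modified stages."""
    return [name for name in reference
            if name in images
            and not hmac.compare_digest(sha256(images[name]), reference[name])]
```

Because each stage is verified before it runs, a modified OS image stops the chain at "os" and the application is never loaded; the register value depends on stage order as well as content, which is why a different boot order yields a different attestation value even for identical images.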
Representative Derived Embedded Computing
Products
• Cloud Based Security Infrastructure
• Secure Network Gateway
– Intrusion Detection
– Firewalls
– Multiple Levels of Security
• Secure Microcontroller
– Multiple Levels of Tamper Resistant vs Cost
– Secure Boot Support
• Secure Software APIs
– Network Services
– Crypto Services
– Virtualization
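Added example (not from the page, REF 3 or any vendor): the secure network gateway product listed above, reduced to its two core functions and run over a constructed trace. It bridges frames from an externally exposed bus segment (telematics/infotainment) into the control segment only when the CAN identifier is on an allow-list with a payload-length limit, blocks diagnostic requests while the vehicle is moving (the kind of bridged-network exposure the Experimental Security Analysis slide refers to), and raises an intrusion-detection alert when an allowed identifier arrives far faster than its nominal cycle. The identifiers, policy values and frame trace are constructed assumptions; real values are vehicle-specific.

```python
"""Secure network gateway between an externally exposed bus segment and the
vehicle control segment: allow-list firewall on CAN identifiers with payload
limits, a block on diagnostic requests while moving, and a periodicity-based
intrusion detector.  Added example; identifiers, policy and trace are
constructed and not taken from the page or any vehicle."""
from collections import defaultdict, deque

# Constructed policy: IDs allowed into the control segment, with their nominal
# period (ms) and maximum payload length.
ALLOW = {
    0x100: {"period_ms": 100, "max_len": 8},   # e.g. speed advisory from navigation
    0x200: {"period_ms": 500, "max_len": 2},   # e.g. cabin climate request
}
DIAG_IDS = {0x7DF, 0x7E0}   # diagnostic request IDs (constructed set for the example)


class Gateway:
    def __init__(self, allow=ALLOW, tolerance=0.5, history=16):
        self.allow = allow
        self.tolerance = tolerance          # fraction of the period a frame may arrive early
        self.history = defaultdict(lambda: deque(maxlen=history))  # accepted ts per ID
        self.alerts = []                    # (ts_ms, can_id, reason) for the IDS log

    def bridge(self, frame, vehicle_moving=True):
        """frame = (ts_ms, can_id, payload).  Returns (forwarded, reason).
        Rejected frames are not added to the timing history, so an injected
        burst does not shift the baseline used to judge the legitimate sender."""
        ts, cid, data = frame
        if cid in DIAG_IDS and vehicle_moving:
            self.alerts.append((ts, cid, "diag while moving"))
            return False, "blocked diag"
        rule = self.allow.get(cid)
        if rule is None:
            return False, "not allowed"
        if len(data) > rule["max_len"]:
            self.alerts.append((ts, cid, "oversize"))
            return False, "oversize"
        hist = self.history[cid]
        if hist and ts - hist[-1] < rule["period_ms"] * (1 - self.tolerance):
            self.alerts.append((ts, cid, "rate anomaly"))
            return False, "rate anomaly"
        hist.append(ts)
        return True, "forwarded"


def run_trace(frames, gateway=None):
    """Bridge a list of frames and return the decision reason for each."""
    gw = gateway or Gateway()
    return [gw.bridge(f)[1] for f in frames]
```

The allow-list is deliberately the default-deny direction: anything not explicitly permitted into the control segment is dropped without an alert (it is expected noise), while frames that match policy but violate timing or size are both dropped and logged, since those are the cases that indicate an active attempt to inject into the bridged network.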
SysSec Security Assessment/Analysis
[Figure: SysSec connected car security assessment, REF 7]
IMA Context Networked Car
[Figure: networked car IMA context, REF 8]
Future Avionics Reference Architecture
[Figure: future avionics reference architecture; the recoverable labels are listed below]
• Mission & weapon subsystems (mission sensors, datalinks, subsystems 1..N) and flight subsystems (subsystems 1..M, MIL/COM)
• SW modernization => modular interoperable interfaces, formal methods, application SW components (FACE and GIG)
• Open processor standards: multicore and virtualization, pooling, higher density packaging; mission infrastructure SW and flight infrastructure SW; multicore processing secure-partitioned by SBC with MILS middleware and POSIX OS, or by SBC on ARINC 653 partition standards
• Mission avionics processing HW components (IMA & non-IMA WRAs); mission avionics networks: Ethernet, 1553, FC
• Flight avionics processing HW components (IMA & non-IMA WRAs); flight avionics networks: AFDX, Firewire, 1553, ARINC 429; open HW standards and topology
• Mobile and Internet connectivity to the cloud => with ad hoc network security, IDS, cross domain solutions
• Unified network architecture = multiple levels of security
• Other platforms and the GIG (aircraft sensors, radios); GIG message interoperability and increased point-to-point bandwidth => unified security protocols
Conclusions
• There are many parallels with regard to Information
Assurance and Trusted Processing challenges for next
generation avionics and automotive architectures
• Automotive related University Research and
Automotive Consortiums have significantly increased
focus on development of security for embedded
systems
• Next generation UAS architectures require an
affordable, balanced, reference security architecture
while exploiting third party software and 10 billion
transistor hardware chips by 2020
Embedded university research and automotive security
consortiums can provide access to significant dual use
solutions for avionics and other embedded industries
References
REF 1 - Kumar, S., S. Gollakota, D. Katabi, 2012, A Cloud-Assisted Design for Autonomous Driving, MIT
REF 2 - Groll, André, Jan Holle, Marko Wolf, Thomas Wollinger, 2010, Next Generation of Automotive Security: Secure Hardware and Secure Open Platforms, ITS World 2010
REF 3 - Koscher, Karl, Alexei Czeskis, Franziska Roesner, Shwetak Patel, Tadayoshi Kohno, Stephen Checkoway, Damon McCoy, Brian Kantor, Danny Anderson, Hovav Shacham, and Stefan Savage, 2010, Experimental Security Analysis of a Modern Automobile, Oakland 2010
REF 4 - Hwang, D., Patrick Schaumont, Shenglin Yang, Ingrid Verbauwhede, 2006, Multi-level Design Validation in a Secure Embedded System, IEEE Transactions on Computers, Vol. 55, No. 11, November 2006
REF 5 - Wolfe, M., 2009, Designing Secure Automotive Hardware for Enhancing Traffic Safety – The EVITA Project, CAST Workshop Mobile Security for Intelligent Cars
REF 6 - AUTOSAR Web Site, http://www.autosar.com
REF 7 - SysSec Web Site, SysSec Deliverable D6.2: Intermediate Report on the Security of the Connected Car, http://www.syssec-project.eu/m/page-media/3/syssec-d6.2-SecurityOfTheConnectedCar.pdf
REF 8 - Tverdyshev, Sergey, EURO-MILS, Secure European Virtualisation for Trustworthy Applications in Critical Domains, SYSGO, Presentation for EURO-MILS Project
REF 9 - Gaska, Thomas, 2013, Assessing Dual Use Embedded Security For IMA, Digital Avionics Systems Conference 2013
REF 10 - Gaska, Thomas, 2014, Exploring Security Synergies in Driverless Car and UAS Integrated Modular Architectures (IMAs), AUVSI 2014
This paper includes the web sites for all research programs mentioned in the taxonomy table for future study