Exploring Security Synergies in Driverless Car and UAS Integrated Modular Architectures (IMAs)
Thomas Gaska, Lockheed Martin MST Owego and Binghamton University
Mar 31, 2015
Introduction
• There is a future opportunity to leverage COTS security technology being developed for the driverless car in future UAS Integrated Modular Architectures (IMAs)
• Infrastructure and Information Security are critical issues in networked UAS team configurations with increasing degrees of autonomy and collaboration
• The security hierarchy includes off-board connectivity level gateways, application level software security mechanisms, platform and subsystem network security gateways, processing infrastructure elements, and security primitives and protocols
Agenda
1.) Common Security Challenges – UAS and Driverless Cars
2.) Dual Use Security Taxonomy
3.) Automotive Industry Security Initiatives Mapped to Potential UAS Relevance
4.) Future Embedded Security Product Directions
5.) Conclusions
Common Security Challenges – UAS and Driverless Cars
• Increased cooperative platform autonomy => Mixed capability management and levels of autonomy
  – Need to cooperate with less and more capable manned systems, with the goal of optionally piloted capability
• Connectivity to the Cloud and GIG => Every platform will interact as a sensor for situation awareness
  – Need to offload system-of-systems management to an ad hoc, trusted infrastructure
• Connectivity within the platform for storage and onboard/offboard services at multiple trust levels => Multiple Levels of Security
  – Need multiple security domains within and across the platforms
• Protection of critical program information and tamper resistance => Trusted Computing Elements
  – Need to balance open architecture and enforce trust
• Increased standardization to support collapsing into a common component infrastructure => Next Generation Integrated Modular Avionics (IMA)
  – Need to leverage the Moore's Law multicore explosion while maintaining safety and security
• Increased cross-platform reuse => Domain standardization initiatives
  – Need hardware-agnostic software components and uniform software interfaces
• Affordability consistent with the threat, policy, and customer => Early demonstration of advanced solution capability for acceptance/validation
  – Need for incremental technology insertion across a wide range of affordability targets
Next generation avionics architectures need to provide enhanced IA and TP solutions to protect new capabilities
Automotive Autonomy Applications Architecture
Automotive components, standards, and topologies will need to be incrementally developed in a reference architecture
REF 1
IMA Architecture – Driverless Cars
Future autonomous architectures will drive distributed security into a new generation of modular component based SW/HW
(Figure: driverless-car IMA topology. Labels recoverable from the diagram: Planning/Control, Cloud Services, Cloud, SENSOR NET, UAS NET, CLOUD NET, VMS NET)
Information Assurance and Trusted Processing Definitions
• Infrastructure security is the security that prevents tampering with the computer and networking hardware and software infrastructure
• Infrastructure security is typically associated with Tamper Resistant Computing, and Information Security with Information Assurance (IA)
• Both of these security infrastructures need to be properly addressed and incrementally extended to enable future levels of autonomy
Generic Security Hierarchy
1. Cloud (public, private, hybrid) to Platform Exchanges
2. Platform to Platform Exchanges
3. Off-board Communication Security
4. Platform Storage Security
5. Platform Network Security
6. Embedded Processing Node SW/HW Security
7. Platform Application/Infrastructure Software
Avionics Security Taxonomy Mapped to University Research and Automotive Domains
(Table columns: Layer # | Information Assurance for Avionics | Trusted Processing for Avionics | University Security Research Focus Areas | Automotive Security Industry Focus)

Layer 1 – Cloud (public, private, hybrid) to Platform Exchanges
  IA for Avionics: Private Cloud Security SW Infrastructure
  TP for Avionics: Trusted Network Infrastructure HW
  University research focus: Access control/identity management, data control/data loss, anomaly detection/security policy, hypervisor vulnerabilities
  Automotive industry focus: Car connected to the Vendor/3rd Party Cloud over a 3G/4G link – Tesla S, SysSec

Layer 2 – Platform to Platform Exchanges
  IA for Avionics: Secure Certification and Exchange Protocols
  TP for Avionics: Secure IP Based Radios
  University research focus: Ad hoc networks, sensor networks, mesh networks, and vehicular networks
  Automotive industry focus: CAR2X, PRESERVE – Integration and Demonstration, SysSec

Layer 3 – Off-board Communication Security
  IA for Avionics: Intrusion Detection SW
  TP for Avionics: Trusted Network Gateway HW, Encrypted Communications HW
  University research focus: Accelerated Intrusion Detection System/Firewall System
  Automotive industry focus: CAR2X, PRESERVE – Integration and Demonstration, SysSec

Layer 4 – Platform Storage Security
  IA for Avionics: Cross Domain Solution SW
  TP for Avionics: Encrypted Storage HW
  University research focus: Encrypted file systems – encrypt user's data, manage and create keys
  Automotive industry focus: OVERSEE

Layer 5 – Platform Network Security
  IA for Avionics: Security Services SW
  TP for Avionics: Encrypted Communications HW
  University research focus: Anomaly detection, clean slate security protocols
  Automotive industry focus: OVERSEE

Layer 6 – Embedded Processing Node SW/HW Security
  IA for Avionics: Malware Detection SW, Virtual Machines SW
  TP for Avionics: Secure Root-of-Trust HW, Secure Boot Assist HW, and Secure Execution HW
  University research focus: Intrusion Prevention System/Application Layer Firewall, Trusted Processor Module (TPM) Extensions, Secure Processor SoC/3DIC HW
  Automotive industry focus: ESCRYPT – Secure Operating Systems; EVITA – High, Medium, Low HW Security Modules (HSMs); EURO-MILS; EVITA

Layer 7 – Platform Application SW
  IA for Avionics: Trusted Applications SW
  TP for Avionics: Secure HW Virtualization Support
  University research focus: Autonomy Architecture with Cloud Fusion
  Automotive industry focus: AUTOSAR SW Components
Securing Adhoc VehiculAr Inter-NETworking (VANET)
Secure Vehicle Communications (SEVECOM) in-car architecture components include:
• Information Assurance Network Security – Car to Car Network Security Module
  – Car to Car Comms
• Information Assurance Infrastructure – In-car Network Security Module
  – Gateway/Firewall
  – Intrusion Detection/Attestation
• Trusted Processor – Tamper-Evident Security Module
  – Key/Certificate Storage
  – Secure Crypto Processing
  – Secure Execution
REF 2
Information Assurance Mechanisms in Network Connected Topologies
• Identification
  – Typically uses trusted third parties to validate credentials
• Authentication of Data Origin
  – With no real-time connection to the certifying authority, and in a one-way broadcast environment
• Attribute Identification
  – Traffic density information data authentication
• Integrity Protection
  – Signatures
• Confidentiality Protection
  – Encryption
• Attestation of Sensor Data
  – Location Obfuscation/Verification
• Tamper-Resistant Communication
  – Replay Protection
  – Access Control
  – Authentication and Authorization
  – Jamming/DoS Protection
  – Firewall
  – Sandbox
  – Filtering Based on Rules
REF 2
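The mechanisms listed above (identification through a trusted third party, data-origin authentication with no live link to the certifying authority in a one-way broadcast, integrity by signature, replay protection) combined into one receiver-side check. This is an added example, not code from the slides or from SEVECOM, CAR2X or any cited project; the beacon layout, the VehicleID||Seq||Body signing format and the CA-issued credential scheme are assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
)

// Beacon is a constructed one-way broadcast message (hypothetical format): the sender
// carries a CA-signed credential so receivers authenticate origin with no live CA link.
type Beacon struct {
	VehicleID string
	PubKey    ed25519.PublicKey // sender's signing key
	CASig     []byte            // CA signature over VehicleID||PubKey, issued at provisioning
	Seq       uint64            // monotonic counter, the replay-protection field
	Body      []byte            // e.g. traffic-density report: signed for integrity, not encrypted
	Sig       []byte            // sender signature over VehicleID||Seq||Body
}
func credBytes(id string, pk ed25519.PublicKey) []byte { return append([]byte(id), pk...) }
func beaconBytes(id string, seq uint64, body []byte) []byte {
	var s [8]byte
	binary.BigEndian.PutUint64(s[:], seq)
	return append(append([]byte(id), s[:]...), body...)
}

// IssueCredential is the CA side, run once at provisioning, never on the road.
func IssueCredential(caPriv ed25519.PrivateKey, id string, pk ed25519.PublicKey) []byte {
	return ed25519.Sign(caPriv, credBytes(id, pk))
}
// SignBeacon is the sender side: sign VehicleID||Seq||Body and attach the credential.
func SignBeacon(id string, priv ed25519.PrivateKey, caSig []byte, seq uint64, body []byte) Beacon {
	pk := priv.Public().(ed25519.PublicKey)
	return Beacon{id, pk, caSig, seq, body, ed25519.Sign(priv, beaconBytes(id, seq, body))}
}
// Accept is the receiver side and needs only the CA public key plus the last sequence seen
// per sender: credential (identification), signature (origin, integrity), freshness (replay).
func Accept(caPub ed25519.PublicKey, lastSeq map[string]uint64, b Beacon) error {
	if !ed25519.Verify(caPub, credBytes(b.VehicleID, b.PubKey), b.CASig) {
		return errors.New("credential not signed by trusted CA")
	}
	if !ed25519.Verify(b.PubKey, beaconBytes(b.VehicleID, b.Seq, b.Body), b.Sig) {
		return errors.New("beacon signature invalid")
	}
	if b.Seq <= lastSeq[b.VehicleID] {
		return errors.New("replayed or stale beacon")
	}
	lastSeq[b.VehicleID] = b.Seq
	return nil
}
```

A rejected beacon never advances the sequence counter, so a tampered or unauthenticated message cannot be used to push a sender's counter forward and suppress its later genuine beacons.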
Experimental Security Analysis of a Modern Automobile
• Intel CTO Justin Rattner predicts that driverless cars will be available within 10 years and that buyers by then will increasingly be more interested in a vehicle's internal technology than the quality of its engine
• "God help us when one of them runs into somebody or runs over somebody"
Most new functionality in an automobile is electronics and software – there are many vulnerabilities in current bridged networks
REF 3
Trusted Processing Mechanisms Hierarchy
REF 4
E-Safety Vehicle Intrusion Protected Applications (EVITA)
• Defines 3 classes of Hardware Security Modules (HSMs)
  – Full
  – Medium
  – Lite
• OVERSEE adds virtualization and firewalls at each node
REF 5
AUTomotive Open System Architecture (AUTOSAR)
• AUTOSAR codesign methodology uses a Component Software Design Model and a virtual function bus
  1) Develop requirements and constraints
  2) Describe SW-Component independently of HW
  3) Describe HW independently of Application SW
  4) Describe System – network topology, communication
• Generate the software executable for each ECU from its configuration information, using formal methods
REF 6
Parallel Domain Security Extensions
Addressing General Purpose, Safe, and Secure Multicore: Incremental Path to Unified Hypervisor Infrastructure
• Trusted Computing: HW Root-of-Trust (HSM), Secure Boot, Dynamic Monitoring
• Enforced IMA Partitioning: Isolated Execution Environments via Virtualization
• Unified Security Services: Crypto Services, Secure Boot, Communication Gateway with Firewalls/Intrusion Protection
• Reusable SW Components: HW Agnostic and Uniform API Layering
(Figure: AUTOMOTIVE and UAS tracks side by side. Labels recoverable from the diagram: AUTOSAR vs UAS Standards Initiatives; Embedded Controllers with Trust Services; Multicore Hypervisors That Support Mixed GP, Safe and Secure; Reusable Units of Portability in Layered Architectures (Drivers, Transport Services); Extensions for Systems-of-Systems Security Interoperability; EURO-MILS, SAE, ESCAR)
Representative Derived Embedded Computing Products
• Cloud Based Security Infrastructure
• Secure Network Gateway
  – Intrusion Detection
  – Firewalls
  – Multiple Levels of Security
• Secure Microcontroller
  – Multiple Levels of Tamper Resistance vs Cost
  – Secure Boot Support
• Secure Software APIs
  – Network Services
  – Crypto Services
  – Virtualization
SysSec Security Assessment/Analysis
REF 7
IMA Context Networked Car
REF 8
Future Avionics Reference Architecture
(Figure: reference architecture diagram. Labels recoverable from the diagram:)
• Flight Avionics: Networks – AFDX, Firewire, 1553, ARINC 429; Processing HW Components – IMA and non-IMA WRAs; Infrastructure SW partitioned by SBC or ARINC 653 partition
• Mission Avionics: Networks – Ethernet, 1553, FC; Processing HW Components – IMA and non-IMA WRAs; Infrastructure SW partitioned by SBC with middleware and POSIX OS
• Subsystems and endpoints: MIL Mission and Weapon Subsystems, MIL/COM Flight Subsystems, Mission Sensors, Aircraft Sensors, Datalinks, Radios, SUBSYS1..SUBSYSN, SUBSYS1..SUBSYSM, Application SW Components, Other Platforms and the GIG
• Open HW Standards, Topology, Open SW Standards
Drivers shown on the diagram:
• FACE and GIG SW modernization => Modular interoperable interfaces, formal methods
• Unified network architecture = Multiple Levels of Security
• Multicore and virtualization, processor pooling, higher density packaging => Embedded secure processing on multicore with MILS
• GIG message interoperability and increased point-to-point bandwidth => Unified security protocols
• Mobile and Internet connectivity to the Cloud => with ad hoc network security, IDS, Cross Domain Solutions
Conclusions
• There are many parallels with regard to Information Assurance and Trusted Processing challenges for next generation avionics and automotive architectures
• Automotive related University Research and Automotive Consortiums have significantly increased focus on development of security for embedded systems
• Next generation UAS architectures require an affordable, balanced, reference security architecture while exploiting third party software and 10 billion transistor hardware chips by 2020
Embedded university research and automotive security consortiums can provide access to significant dual use solutions for avionics and other embedded industries
References
• REF 1 - Kumar, S., S. Gollakota, D. Katabi, 2012, A Cloud-Assisted Design for Autonomous Driving, MIT
• REF 2 - Groll, André, Jan Holle, Marko Wolf, Thomas Wollinger, 2010, Next Generation of Automotive Security: Secure Hardware and Secure Open Platforms, ITS World 2010
• REF 3 - Koscher, Karl, Alexei Czeskis, Franziska Roesner, Shwetak Patel, Tadayoshi Kohno, Stephen Checkoway, Damon McCoy, Brian Kantor, Danny Anderson, Hovav Shacham, and Stefan Savage, 2010, Experimental Security Analysis of a Modern Automobile, Oakland 2010
• REF 4 - Hwang, D., Patrick Schaumont, Shenglin Yang, Ingrid Verbauwhede, 2006, Multi-level Design Validation in a Secure Embedded System, IEEE Transactions on Computers, Vol. 55, No. 11, November 2006
• REF 5 - Wolfe, M., 2009, Designing Secure Automotive Hardware for Enhancing Traffic Safety – The EVITA Project, CAST Workshop Mobile Security for Intelligent Cars
• REF 6 - AUTOSAR Web Site – http://www.autosar.com
• REF 7 - SysSec Web Site, SysSec Deliverable D6.2: Intermediate Report on the Security of the Connected Car – http://www.syssec-project.eu/m/page-media/3/syssec-d6.2-SecurityOfTheConnectedCar.pdf
• REF 8 - Tverdyshev, Sergey, EURO-MILS, Secure European Virtualisation for Trustworthy Applications in Critical Domains, SYSGO, Presentation for EURO-MILS Project
• REF 9 - Gaska, Thomas, 2013, Assessing Dual Use Embedded Security for IMA, Digital Avionics Systems Conference 2013
• REF 10 - Gaska, Thomas, 2014, Exploring Security Synergies in Driverless Car and UAS Integrated Modular Architectures (IMAs), AUVSI 2014 – This paper includes the web sites for all research programs mentioned in the taxonomy table for future study