5/26/2012
1
Security for Automotive with Multi-core-based Embedded Systems
Claudia Eckert, TU München & Fraunhofer AISEC
DATE 2012, 16 March 2012, Dresden
Outline
1. Introduction
2. Security Issues
3. Multi-core architectures: Risks
4. Multi-core architectures: Opportunities
5. Research Challenges
6. Take Home Message
©C. Eckert, AISEC,
1. Introduction: Automotive Today
• > 80 ECUs, security/safety sensitive services
• Tailored ECUs for additional functions
• High energy consumption
• Expensive
1. Introduction: Tomorrow, more services, more computational power required
(Figure: future in-car services: traffic info and web cams, road billing, intelligent car routing and navigation, inter-car communication, GPS street parking, (location based) web information, fleet management, navigation, mobile TV, parking slot reservation, contactless gas station)
High demand for few highly integrated multi-core systems
2. Security Issues: Automotive Security Today
Security level today: do modern cars already provide
• Secure execution environment?
• Hardened ECUs or security modules to reduce vulnerabilities?
• Security services like intrusion detection, access controls, self-monitoring?
2. Security Issues: Automotive Security Risks
Vulnerabilities, e.g.:
• ECUs which are not hardened: code injection, data manipulation
• Software updates via CAN/Ethernet: insufficient (or even missing) access control
• External interfaces enable remote access/attacks: NFC, C2C, M2M interfaces (GSM)
2. Security Issues: Automotive Security Risks
• Communication with backend of OEM
• Internet access, added-value services
Vulnerabilities:
• Car logs into every GSM BTS
• Attacks with malformed messages from GSM network
• Possible damages: manipulation, DoS, malware
2. Security Issues: Automotive Security Risks
(Figure slide: Multi-cores)
Lessons Learned so far
• Multi-core architectures are required to meet increasing demands for computational power and demands to reduce power consumption
• Cars are already exposed to severe security risks
Questions
• Multi-core: a security enhancing technology?
• Multi-core: even more security/safety risks?
3. Multi-cores: Even more risks …
Shared resources: memory, caches, network
• Data leakages: confidentiality, integrity
• Covert channels, e.g. cache replacement strategy
• Denial-of-service: e.g. occupying shared memory regions, starving safety-critical tasks
Vulnerable system software, missing separation
• e.g. BO (buffer overflow) attacks: malware intrusion, manipulation, …
4. Multi-cores: Opportunities, Attack tolerance
e.g. fault injections with laser (FA):
• Inject jump to bypass security checks
• Modify register content
• Modify alarm signals
(Figure: a fault attack (FA) flips one bit of a status byte, 0x00 = 0 0 0 0 0 0 0 0 → 0x80 = 1 0 0 0 0 0 0 0; labels: alarm, OK, not auth)
Multi-core:
• Redundant cores to tolerate fault-attacks: e.g. SLE 78; redundant computation, majority voting, monitoring
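The redundancy idea on this slide, as an added example (not code from the talk or from the SLE 78): the same credential check runs on three simulated cores, the results are combined by bitwise majority vote, and a monitor treats any disagreement between cores as a fault indication. The status values, the key and the fault masks are constructed for the example; the "fault" is modelled as XOR-ing a mask into one core's result, mirroring the 0x00 → 0x80 single-bit flip in the slide's figure.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Status byte of a hypothetical credential check. The two values differ in exactly
 * one bit, mirroring the 0x00 -> 0x80 flip on the slide: a single injected fault on a
 * lone core is enough to turn "not auth" into "OK". */
#define AUTH_FAIL    0x00u
#define AUTH_OK      0x80u
#define EXPECTED_KEY 0xA5A5F00Du   /* constructed key for the example */

typedef enum { DECISION_DENY, DECISION_GRANT, DECISION_ALARM } decision_t;

typedef struct {
    uint8_t core_result[3];  /* what each redundant core computed */
    uint8_t voted;           /* bitwise majority of the three results */
    bool    disagreement;    /* monitoring flag: the cores did not agree */
} vote_t;

/* The check as one core runs it (constructed: a 32-bit key compare). */
static uint8_t check_credential(uint32_t presented, uint32_t expected)
{
    return presented == expected ? AUTH_OK : AUTH_FAIL;
}

/* Single-core baseline: fault_mask simulates the bits a fault flips in the result. */
uint8_t single_core_check(uint32_t presented, uint32_t expected, uint8_t fault_mask)
{
    return check_credential(presented, expected) ^ fault_mask;
}

/* Triple modular redundancy: run the check on three cores, vote, and monitor.
 * fault_mask[i] simulates a fault injected into core i (0 = no fault). */
vote_t redundant_check(uint32_t presented, uint32_t expected, const uint8_t fault_mask[3])
{
    vote_t v = {{0, 0, 0}, 0, false};
    for (int i = 0; i < 3; i++)
        v.core_result[i] = check_credential(presented, expected) ^ fault_mask[i];

    uint8_t a = v.core_result[0], b = v.core_result[1], c = v.core_result[2];
    v.voted = (a & b) | (a & c) | (b & c);   /* bitwise majority */
    v.disagreement = !(a == b && b == c);    /* any mismatch is evidence of a fault */
    return v;
}

/* Policy: a detected disagreement raises an alarm instead of trusting the vote, so
 * even two identically faulted cores cannot silently outvote the third. */
decision_t decide(const vote_t *v)
{
    if (v->disagreement) return DECISION_ALARM;
    return v->voted == AUTH_OK ? DECISION_GRANT : DECISION_DENY;
}

/* Scenario helper: present a key, inject faults f0..f2, return the decision
 * (and optionally the voted byte). */
decision_t scenario(uint32_t presented, uint8_t f0, uint8_t f1, uint8_t f2, uint8_t *voted_out)
{
    const uint8_t mask[3] = {f0, f1, f2};
    vote_t v = redundant_check(presented, EXPECTED_KEY, mask);
    if (voted_out) *voted_out = v.voted;
    return decide(&v);
}

int main(void)
{
    uint8_t voted;
    printf("single core, wrong key, faulted result: 0x%02x (check is fooled)\n",
           single_core_check(0, EXPECTED_KEY, 0x80));
    printf("TMR, right key, no fault:   decision=%d\n", scenario(EXPECTED_KEY, 0, 0, 0, NULL));
    printf("TMR, wrong key, no fault:   decision=%d\n", scenario(0, 0, 0, 0, NULL));
    printf("TMR, wrong key, one fault:  decision=%d voted=0x%02x\n",
           scenario(0, 0x80, 0, 0, &voted), voted);
    printf("TMR, wrong key, two faults: decision=%d voted=0x%02x (vote alone would grant)\n",
           scenario(0, 0x80, 0x80, 0, &voted), voted);
    return 0;
}
```

The two-fault case is the caveat worth noticing: majority voting alone masks a single fault but is outvoted by two identical faults, which is why the monitoring step (alarm on any disagreement) is listed next to voting on the slide. Only three identically faulted cores would pass both checks.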
4. Multi-cores: Opportunities, Attack tolerance
e.g. side-channel attacks
• Timing (execution time of cryptographic operations) and power (power consumption) attacks to crack keys
Multi-core:
• Increased resistance against side-channel attacks: e.g. using multi-cores for randomized execution of cryptographic algorithms
4. Multi-cores: Opportunities, Attack tolerance
e.g. resistance against software-based modifications
• Redundant computation in different cores to detect abnormal behavior (e.g. manipulated code)
4. Multi-cores: Opportunities, Take advantage of multi-cores
• Assign security/safety critical tasks to dedicated security cores (e.g. hardened cores):
  • secure execution environment
  • strict access controls
• Distribute sensitive functions between different cores to enhance resistance against reverse engineering attacks
4. Multi-cores: Opportunities, Self-monitoring
• Separate a security core from data processing cores:
  • Trusted OS in the monitoring system
  • Collect data in the userland OS (e.g. syscall traces)
  • Securely analyze the data to detect malicious behavior
  • Dynamic health monitoring
• Extend VMI to enhance malware detection on multi-cores
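What the "collect syscall traces, analyze them on a separate core" bullet amounts to in code, as an added example (not the talk's own tooling): a profile of allowed syscall transitions (bigrams) is learned from a trace of the service behaving normally, and live traces are scanned for transitions the profile has never seen. The syscall vocabulary, the baseline trace and both live traces are constructed for the example; the enum indices are arbitrary and not Linux syscall numbers.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed syscall vocabulary; indices are arbitrary, not Linux syscall numbers. */
enum { SC_OPEN, SC_READ, SC_WRITE, SC_CLOSE, SC_MMAP, SC_MPROTECT,
       SC_EXECVE, SC_SOCKET, SC_CONNECT, SC_COUNT };
static const char *const sc_name[SC_COUNT] = {
    "open", "read", "write", "close", "mmap", "mprotect", "execve", "socket", "connect" };

/* Profile = set of syscall pairs (bigrams) observed while the service behaved normally.
 * This would live on the security core, out of reach of the monitored rich OS. */
typedef struct { bool allowed[SC_COUNT][SC_COUNT]; } profile_t;

void learn_profile(profile_t *p, const int *trace, int n)
{
    memset(p, 0, sizeof *p);
    for (int i = 0; i + 1 < n; i++)
        p->allowed[trace[i]][trace[i + 1]] = true;
}

/* Scan a trace collected from the rich OS; returns the number of transitions absent
 * from the profile and reports the index of the first one (-1 if none). */
int scan_trace(const profile_t *p, const int *trace, int n, int *first_bad)
{
    int anomalies = 0;
    if (first_bad) *first_bad = -1;
    for (int i = 0; i + 1 < n; i++) {
        if (p->allowed[trace[i]][trace[i + 1]]) continue;
        if (anomalies == 0 && first_bad) *first_bad = i;
        anomalies++;
    }
    return anomalies;
}

#define LEN(a) ((int)(sizeof (a) / sizeof (a)[0]))

/* Constructed baseline: a service that reads a config file, appends to a log file,
 * and maps a data buffer. */
static const int baseline[] = { SC_OPEN, SC_READ, SC_READ, SC_CLOSE,
                                SC_OPEN, SC_WRITE, SC_CLOSE,
                                SC_MMAP, SC_READ, SC_WRITE, SC_CLOSE };
/* Constructed live traces: one normal run, and one where the service turns a mapping
 * executable, spawns a process and opens a network connection. */
static const int benign[]     = { SC_OPEN, SC_READ, SC_CLOSE, SC_OPEN, SC_WRITE, SC_CLOSE };
static const int suspicious[] = { SC_OPEN, SC_READ, SC_MMAP, SC_MPROTECT,
                                  SC_EXECVE, SC_SOCKET, SC_CONNECT };

/* Convenience entry points: learn from the baseline, then scan one live trace. */
int anomalies_in_benign(int *first_bad)
{
    profile_t p;
    learn_profile(&p, baseline, LEN(baseline));
    return scan_trace(&p, benign, LEN(benign), first_bad);
}

int anomalies_in_suspicious(int *first_bad)
{
    profile_t p;
    learn_profile(&p, baseline, LEN(baseline));
    return scan_trace(&p, suspicious, LEN(suspicious), first_bad);
}

/* Index of the first anomalous transition in the suspicious trace. */
int first_anomaly_in_suspicious(void)
{
    int first_bad;
    anomalies_in_suspicious(&first_bad);
    return first_bad;
}

int main(void)
{
    printf("benign trace: %d anomalous transitions\n", anomalies_in_benign(NULL));
    int first = first_anomaly_in_suspicious();
    printf("suspicious trace: %d anomalous transitions, first at %s -> %s\n",
           anomalies_in_suspicious(NULL), sc_name[suspicious[first]],
           sc_name[suspicious[first + 1]]);
    return 0;
}
```

A bigram whitelist is the smallest model that shows the principle; a deployed monitor would use longer windows (or per-process profiles) to reduce false positives, and the analysis must run where the monitored OS cannot tamper with the profile or the verdict, which is the reason the slide puts it on a separate security core.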
5. Research Challenges: Secure Architectures
(Figure: System on Chip with Core 1, Core 2, …, Core i, Core n, RAM, Flash, a Hardware Security Module and a TrustOS; IO-interfaces and peripherals: sensor, actuator, ID, SIM, GSM; M2M link to another System on Chip)
5. Research Challenges: Secure Elements
Scalable hardware trust anchors:
• Secure storage: keys, credentials, access tokens
• Integrity measurement: static (TPM-like) as well as dynamic attestation
• Support for virtualized execution environments: attaching a virtual Secure Element to individual environments: Secure Boot, secure Updates, …
• PUF technology for secure identification
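The static, TPM-like integrity measurement mentioned above, as an added example (not code from the talk or from any secure element): each boot stage measures the next image and extends a PCR-style register, PCR' = H(PCR || measurement), while appending the measurement to an event log; a verifier replays the log against golden values and checks that it reproduces the reported register. The image names and golden values are constructed, and a 64-bit FNV-1a hash stands in for SHA-256 purely to keep the example short; it is not collision resistant and a real chain needs a cryptographic hash.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint64_t digest_t;

/* Toy 64-bit hash (FNV-1a) standing in for SHA-256 so the example stays short.
 * NOT collision resistant; a real measurement chain must use a cryptographic hash. */
static digest_t toy_hash(const void *data, size_t len)
{
    const uint8_t *p = data;
    digest_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < len; i++) { h ^= p[i]; h *= 0x100000001b3ULL; }
    return h;
}

/* Measurement of an image (here a constructed string stands in for the image bytes). */
static digest_t measure(const char *image) { return toy_hash(image, strlen(image)); }

/* TPM-style extend: PCR' = H(PCR || m). The chain is order-dependent, so swapping
 * or omitting a stage changes the final value. */
static digest_t pcr_extend(digest_t pcr, digest_t m)
{
    uint8_t buf[2 * sizeof(digest_t)];
    memcpy(buf, &pcr, sizeof pcr);
    memcpy(buf + sizeof pcr, &m, sizeof m);
    return toy_hash(buf, sizeof buf);
}

#define MAX_STAGES 4
typedef struct { digest_t m[MAX_STAGES]; int n; } event_log_t;
typedef struct { digest_t pcr; event_log_t log; } boot_state_t;

/* Boot side: each stage measures the next image before running it. The register
 * would live in the secure element; the log lives in ordinary memory. */
void boot_measure(boot_state_t *s, const char *image)
{
    digest_t m = measure(image);
    s->pcr = pcr_extend(s->pcr, m);
    if (s->log.n < MAX_STAGES) s->log.m[s->log.n++] = m;
}

/* Verifier side: every logged measurement must equal its golden value, and replaying
 * the log must reproduce the register value the secure element reported. */
bool verify_attestation(digest_t reported_pcr, const event_log_t *log,
                        const char *const expected[], int n_expected)
{
    if (log->n != n_expected) return false;
    digest_t replay = 0;
    for (int i = 0; i < log->n; i++) {
        if (log->m[i] != measure(expected[i])) return false;
        replay = pcr_extend(replay, log->m[i]);
    }
    return replay == reported_pcr;
}

/* Constructed images for a three-stage boot: golden set and a tampered kernel. */
static const char *const golden[]   = { "bootloader-v2", "kernel-v5.4-secure", "ecu-app-v1.7" };
static const char *const tampered[] = { "bootloader-v2", "kernel-v5.4-backdoored", "ecu-app-v1.7" };

/* Boot with the given images and attest against the golden set. */
bool attested_boot(const char *const images[], int n)
{
    boot_state_t s = { 0, { {0}, 0 } };
    for (int i = 0; i < n; i++) boot_measure(&s, images[i]);
    return verify_attestation(s.pcr, &s.log, golden, 3);
}

bool golden_boot_verifies(void)   { return attested_boot(golden, 3); }
bool tampered_boot_verifies(void) { return attested_boot(tampered, 3); }

/* Scenario: the log is edited after the fact to look golden, but the register in
 * the secure element still reflects what actually ran, so replay does not match. */
bool forged_log_detected(void)
{
    boot_state_t s = { 0, { {0}, 0 } };
    for (int i = 0; i < 3; i++) boot_measure(&s, tampered[i]);
    s.log.m[1] = measure(golden[1]);   /* attacker rewrites the kernel's log entry */
    return !verify_attestation(s.pcr, &s.log, golden, 3);
}

int main(void)
{
    printf("golden boot verifies:   %s\n", golden_boot_verifies() ? "yes" : "no");
    printf("tampered boot verifies: %s\n", tampered_boot_verifies() ? "yes" : "no");
    printf("forged log detected:    %s\n", forged_log_detected() ? "yes" : "no");
    return 0;
}
```

The forged-log scenario is the reason the register has to sit in hardware the rich OS cannot write: the log itself is untrusted and only becomes evidence once replaying it reproduces the register value.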
5. Research Challenges: Secure Software
Software Hardening
• Compile-time Hardening
• Operating System Extensions
• Process Virtualization / Sandboxing
• System Virtualization
Secure Monitoring
• VMI for malware detection
• Attack tolerance
(Figure: Multi-core (SoC) running a VMM (L4 Microkernel); on top, a Rich OS partition with L4Linux with Android patches, Android including Dalvik VM and a 3rd Party Application, next to a Trustworthy / Secure OS partition whose trustworthy component performs Secure Monitoring)
6. Take Home Message
Automotive domain: high demand for
• openness, value-added services, cost and energy efficiency
• Security is already a big issue (e.g. impact on safety)
Multi-core architectures: security enhancing technology
• Attack tolerance, self-monitoring
• Partitioning: critical, non-critical
Research issues: security architectures & controls & crypto
Secure multi-cores: key enabling technology for CPS!
Thank you for your Attention
Claudia Eckert
Fraunhofer AISEC, Munich
TU Munich, Chair for IT Security
E-Mail: [email protected]
http://www.aisec.fraunhofer.de