V1.1 | 2020-10-12
MICROSAR Intrusion Detection System (IDS)
Cybersecurity IDS
© 2020. Vector Korea IT Inc. All rights reserved. Any distribution or copying is subject to prior written approval by Vector. V1.1 | 2020-10-12
Agenda
- Motivation
- IDS Overview
- IDS Software Architecture
- IDS Protocol
- AUTOSAR Standardization
- MICROSAR IDS Roadmap
- Summary
The Big Picture: Detection and Mitigation of Security Incidents
Motivation
[Figure labels: Attack; Security Operations Center (SOC) with SIEM solution]
1. Detect: Aggregate data from onboard security event sensors to identify and record potential onboard security incidents
2. Report: Propagate data of onboard security incidents, based on priority and SOC needs
3. Analyze: Analyze reported onboard security incident data for single vehicles and the whole fleet (e.g. impact analysis, root cause analysis)
4. Develop: Develop threat response (e.g. identification, implementation and test of countermeasures)
5. Deploy: Deploy software updates to mitigate threats
Distributed onboard IDS as an additional Security Control
IDS Overview
[Figure: in-vehicle network with ADAS Domain Controller, Infotainment Domain Controller, Telematic Control Unit, Powertrain Domain Controller, Chassis Domain Controller, Body Domain Controller and Diagnostic port; labels: Intrusion Detection System (IDS), Defense barriers]
Numbered steps in the figure:
1. Remote access
2. Access to in-vehicle network
3. Bridge domain boundaries
4. Access to target ECU
5. Manipulate ECU or vehicle behavior
Distributed onboard IDS as an additional Security Control
IDS Overview
[Figure: the same in-vehicle network (ADAS Domain Controller, Infotainment Domain Controller, Telematic Control Unit, Powertrain Domain Controller, Chassis Domain Controller, Body Domain Controller, Diagnostic port), with the labels IdsM and Sensors repeated across the ECUs, one IdsR, and the SOC]
Legend:
- Intrusion Detection System Reporter (IdsR)
- Intrusion Detection System Manager (IdsM)
- Security Sensors
Elements of the comprehensive solution for IDS
IDS Overview
- Standardized BSW module IdsM (Intrusion Detection System Manager) for buffering, qualifying and processing onboard security events (SEv)
- Non-standardized SW component IdsR (Intrusion Detection System Reporter) for receiving QSEv from IdsM and transmitting them to the backend
- Standardized interfaces for reporting onboard security events (SEv)
- Standardized qualification filters for SEv
  - onboard security events (SEv) → qualified onboard security events (QSEv)
- Standardized persistence concept for QSEv
- Standardized protocol for transmission of QSEv from IdsM to IdsR
- Standardized SEv for BSW modules
  - KeyM
  - Dcm
  - SecOC
  - TLS
  - …
Concept of Security Events
IDS Software Architecture
[Figure labels: Security Event Sensor (several), Security Event (SEv), Intrusion Detection System Manager (IdsM), Qualified Security Event (QSEv), Intrusion Detection System Reporter (IdsR), Security Event Memory (Sem)]
Concept of Filters
IDS Software Architecture
[Figure: filter chain from Sensor through the IDS Manager to the IDS Reporter ("to sink"), drawn for Event ID p, Event IDs p+1 … q-1 and Event ID q]
Filters, in the order shown:
- Reporting Mode
- Machine State
- Forward Every n-th
- Event Aggregation
- Event Threshold
- Event Rate Limitation
- Traffic Limitation
Filter categories: Blockers, Sampling, Aggregation, Rate Limitation
Scope labels: Event ID specific, instance specific
Integration of IdsM in the AUTOSAR CP Layered Architecture
IDS Software Architecture
[Figure labels: Application Layer; RTE; Crypto Services (Crypto Service Manager, Key Manager, Intrusion Detection System Manager); Crypto HW Abstr.; Crypto Drivers; Microcontroller (µC)]
IdsM Interfaces in AUTOSAR CP Architecture
IDS Software Architecture
[Figure labels: Application, App, RTE, CRYPTO, CAN, COM, ETH, DIAG, MEM, MCAL, Microcontroller, HSM; modules: Csm, CryIf, Crypto (HSM), KeyM, SecOC, Dcm, PduR, IdsM, Dem, Sem, Nvm, CanIf, CanDrv, EthIf, EthDrv]
- BSW modules and applications can act as security sensors and report SEv to the IdsM
- The IdsM passes QSEv to the Sem for locally persisting QSEv records
- The IdsM passes QSEv to the PduR for transmission to the IdsR
- Optionally, integrity and confidentiality of the QSEv records can be enforced via the crypto stack
IdsM Interfaces in AUTOSAR Adaptive Architecture
IDS Software Architecture
Propagation of QSEv from IdsM to IdsR
IDS Protocol
[Figure: ECU A, ECU B and ECU C (ASR Classic) and ECU D (ASR Adaptive), connected by CAN Bus, CAN Bus and Ethernet; labels: IdsM, PduR, I-PDU, CAN Stack, Eth Stack, Gateway Routing, Communication Management, PDU Daemon, Reporting Interface, IdsR, Mobile Data Link]
- The IdsM on Classic Platform (CP) uses a specific protocol, defined in an AUTOSAR PRS (Protocol Requirement Specification), to transfer its data to the IdsR on Adaptive Platform (AP).
- The existing PduR gateway mechanism can be used to route data between CP ECUs.
Propagation of QSEv from IdsM to IdsR
IDS Protocol
[Figure: CAN ECU (ASR Classic) with IdsM, PduR, CanTp and CanIf, sending I-PDU 1 and I-PDU 2 on the CAN Bus]
The goal of the IdsM implementation is to keep the CAN bus load as low as possible while providing all necessary information to the Security Operations Center (SOC). Therefore it is necessary to use two separate PDUs. It must be ensured that reports without ContextData and without Timestamp fit into a single CAN frame.
I-PDU 1
- Used to send IdsM data including ContextData and/or Timestamp
- Uses CAN Transport Protocol (CanTp) to send segmented messages
I-PDU 2
- Used to send IdsM data without ContextData and without Timestamp
- Sends unsegmented, size-optimized data
Protocol: Transmission of Qualified Security Events
IDS Protocol
Field Name | Length | Purpose
Protocol Version | 4 bit | The version of the IdsM protocol
Protocol Header | 4 bit | IdsM protocol header information. Bit 0: 0 = no ContextData included, 1 = ContextData included. Bit 1: 0 = no Timestamp included, 1 = Timestamp included. Bits 2-3: reserved
SourceId | 10 bit | Unique identifier of the sending IdsM instance (0-1023)
Module Instance Id | 6 bit | Identifier to differentiate between multiple instances of modules
EventId | 16 bit | Unique identifier of a Security Event. Range of AUTOSAR internal IDs: 0…0x7FFF. Range of customer specific IDs: 0x8000…0xFFFF
Count | 16 bit | Number of IdsM calls which result in the current event after processing the configured filter, e.g. EventAggregation
Timestamp | 64 bit | Timestamp/Tickstamp when the event was detected. Bit 0: 0 = AUTOSAR Standard, 1 = Auxiliary/OEM Specific. Resolution in ms. May not be necessary for every event type (optional). If not set, the field is filled by IdsR. If it is not authentic time, IdsR might recalculate the time and insert a new value
Context Data | 0…(2^32-9) bytes | Binary blobs attached by the sensor
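An added example, not code from the slides or from the AUTOSAR specification: a C parser for the QSEv message fields in the table above, together with the I-PDU 1 / I-PDU 2 choice described on the previous slide. The slides give field widths but no bit or byte order and no ContextData length encoding, so the layout used here (fields packed MSB-first in table order, big-endian, ContextData filling the rest of the message) and all names such as `qsev_parse` are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define QSEV_FIXED_LEN 7u  /* 4+4+10+6+16+16 bits from the table */
#define QSEV_TS_LEN    8u  /* 64-bit Timestamp */

typedef struct {
    uint8_t  version, has_ctx, has_ts, module_inst;  /* module_inst: 6 bit */
    uint16_t source_id, event_id, count;             /* source_id: 10 bit  */
    uint64_t timestamp;                              /* raw 64-bit value   */
    const uint8_t *ctx; size_t ctx_len;              /* ctx points into the input */
} qsev_t;

/* Assumed layout (not on the slide): fields MSB-first in table order, big-endian,
 * header bit 0 = LSB of the low nibble, ContextData = rest of the message. */
int qsev_parse(const uint8_t *b, size_t n, qsev_t *o)
{
    size_t off = QSEV_FIXED_LEN;
    if (!b || !o || n < QSEV_FIXED_LEN) return -1;   /* truncated fixed part */
    if (b[0] & 0x0C) return -2;                      /* reserved header bits 2-3 set */
    o->version     = b[0] >> 4;
    o->has_ctx     = b[0] & 1;
    o->has_ts      = (b[0] >> 1) & 1;
    o->source_id   = (uint16_t)((b[1] << 2) | (b[2] >> 6));
    o->module_inst = b[2] & 0x3F;
    o->event_id    = (uint16_t)((b[3] << 8) | b[4]);
    o->count       = (uint16_t)((b[5] << 8) | b[6]);
    o->timestamp   = 0;
    if (o->has_ts && n - off < QSEV_TS_LEN) return -3;   /* truncated Timestamp */
    for (size_t i = 0; o->has_ts && i < QSEV_TS_LEN; i++)
        o->timestamp = (o->timestamp << 8) | b[off++];
    if (!o->has_ctx && n != off) return -4;          /* bytes the header does not announce */
    o->ctx     = o->has_ctx ? b + off : NULL;
    o->ctx_len = o->has_ctx ? n - off : 0;
    return 0;
}

/* I-PDU 2 (one unsegmented CAN frame) only without Timestamp and ContextData. */
int qsev_ipdu(const qsev_t *e) { return (e->has_ts || e->has_ctx) ? 1 : 2; }
/* Constructed sample: version 1, SourceId 5, instance 3, EventId 0x8001, Count 2. */
const uint8_t SAMPLE_SHORT[7] = { 0x10, 0x01, 0x43, 0x80, 0x01, 0x00, 0x02 };

int main(void)
{
    qsev_t e;
    if (qsev_parse(SAMPLE_SHORT, sizeof SAMPLE_SHORT, &e) == 0)
        printf("EventId 0x%04X -> I-PDU %d\n", (unsigned)e.event_id, qsev_ipdu(&e));
    return 0;
}
```

A receiver that rejects set reserved bits, truncated timestamps and unannounced trailing bytes keeps malformed or spoofed reports from reaching the QSEv store as valid events.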
Release Plan
AUTOSAR Standardization
- Target release: R20-11
- BSW module IdsM (Intrusion Detection System Manager) for buffering, filtering and processing onboard security events (SEv)
- Interfaces for reporting onboard security events (SEv)
- Protocol for transmission of QSEv from IdsM to IdsR
- Security Extract (SecXT) to define Security Events and their properties
- SEv for BSW modules
New Work Products
AUTOSAR Standardization
Work Product | Platform | ID
Concept Document IdsM | n.a. | n.a.
RS IdsM | Foundation | 976
SWS IdsM | CP | 977
SWS IdsM | AP | 978
RS SecurityExtractTemplate | Foundation | 979
TPS SecurityExtractTemplate | Foundation | 980
PRS IdsM | Foundation | 981
Impacted Work Products
AUTOSAR Standardization
Work Product | Platform
SRS BSW General | CP
SWS BSW General | CP
SWS NvM | CP
SWS SecOC | CP
SWS KeyM | CP
SWS Dcm | CP
SWS TCP/IP (for TLS) | CP
IdsM CP
MICROSAR IDS Roadmap
Milestones: IdsM Beta 1 (2020/07), IdsM Beta 2 (2020/11), IdsM QM (2021/04)
- API for reporting SEv from BSW and SWC to IdsM
- Support of buffering and filtering of SEv
- Propagation of security events to IdsR according to PRS IdsM
- Postbuild loadable of
- Support BSW-Sensors & SEv
  - vSCC
- Support of time stamps
- Support of IdsM SEv
- Comfort View for DaVinci Configurator
- Support BSW-Sensors & SEv
  - CanDrv
  - CanIf
  - EthIf
- Store QSEv in Security Event Memory
- Reconfigure reporting mode at runtime via diagnostic routines
- Support BSW-Sensors & SEv
  - TCPIP
  - SOAD
- Dem Extensions
  - Synchronous API for setting event status with snapshot data
  - Independent user defined event memories
- Nvm Extensions
  - MAC for Nvm Blocks
Benefits of the Concept
Summary
- Provides a standardized technical framework for implementing onboard IDS
  - Specified for interoperability of AUTOSAR CP and AP
  - Allows a distributed approach (no single point of failure)
  - Scalable approach to balance available resources and reporting needs
  - Configurable detection and reporting behavior to meet OEM needs and constraints of vehicle E/E-architecture
  - Set of standardized security event types provided for standard SW
- Framework serves as an automotive industry "state of the art" reference concept for onboard IDS
  - OEMs can rely on the continuous evolution and maintenance of the specification
  - No need for OEMs to coordinate suppliers on a detailed technical level to achieve a distributed onboard IDS
Son, Myeonghyeon
Vector Korea
For more information about Vector and our products please visit www.vector.com