Exploring Security Synergies in Driverless Car and UAS Integrated
Transcription
Exploring Security Synergies in Driverless Car and UAS Integrated
Exploring Security Synergies in Driverless Car and UAS Integrated Modular Architectures (IMAs) Thomas Gaska Lockheed Martin MST Owego and Binghamton University thomas.gaska@lmco.com 1 Introduction • There is a future opportunity to leverage COTS security technology being developed for the driverless car into future UAS Integrated Modular Architectures (IMAs) • Infrastructure and Information Security are critical issues in networked UAS team configurations with increasing degrees of autonomy and collaboration • The security hierarchy includes off-board connectivity level gateways, application level software security mechanisms, platform and subsystem network security gateways, processing infrastructure elements, and security primitives and protocols 2 Agenda 1.) Common Security Challenges – UAS and Driverless Cars 2.) Dual Use Security Taxonomy 3.) Automotive Industry Security Initiatives Mapped to Potential UAS Relevance 4.) Future Embedded Security Product Directions 5.) Conclusions 3 Common Security Challenges – UAS and Driverless Cars • Increased cooperative platform autonomy => Mixed capability management and levels of autonomy • Need to cooperate with less and more capable manned systems with goal of optionally piloted capability • Connectivity to the Cloud and GIG => Every platform will interact as a sensor for situation awareness • Need to offload system-of-system management to an adhoc, trusted in-frastructure • Connectivity within the platform for storage and onboard/offboard services at multiple trust levels => Multiple Levels of Security • Need Multiple security domains within and across the platforms • Protection of critical program information and tamper resistance => Trusted Computing Elements • Need to balance open architecture and enforce trust • Increase standardization to support collapsing into a common component infrastructure => Next Generation Integrated Modular Avionics (IMA) • Need to leverage Moore’s Law multicore explosion while maintaining safety and security • Increase cross platform reuse => Domain standardization initiatives • Need hardware agnostic software components and uniform software interfaces • Affordability consistent with the threat, policy, and customer => Early demonstration of advanced solution capability for acceptance/validation • Need for incremental technology insertion across a wide range of affordability targets Next generation avionics architectures need to provide enhanced IA and TP solutions to protect new capabilities 4 Automotive Autonomy Applications Architecture REF 1 Automotive components, standards, and topologies will need to be incrementally developed in a reference architecture 5 IMA Architecture – Driverless Cars SENSOR NET Planning/.Control Cloud Cloud Services UAS NET VMS NET CLOUD NET Future autonomous architectures will drive distributed security into a new generation of modular component based SW/HW 6 Information Assurance and Trusted Processing Definitions • Infrastructure security is the security to prevent tampering in the computer and networking hardware and software infrastructure • Infrastructure security is typically associated with Tamper Resistant Computing and Information Security associated with Information Assurance (IA) • Both of these security infrastructures need to be properly addressed and incremental extended in to enable future levels of autonomy 7 Generic Security Hierarchy 1. Cloud (public, private, hybrid) to Platform Exchanges 2. Platform to Platform Exchanges 3. Off-board Communication Security 4. Platform Storage Security 5. Platform Network Security 6. Embedded Processing Node SW/HW Security 7. Platform Application/Infrastructure Software 8 Avionics Security Taxonomy Mapped to University Research and Automotive Domains Layer # Information Assurance for Avionics Trusted Processing for Avionics University Security Research Focus Areas Automotive Security Industry Focus 1 – Cloud (public, private, hybrid) to Platform Exchanges Private Cloud Security SW Infrastructure Trusted Network Infrastructure HW Access control/identity management, data control/data loss, anomaly detection/security policy, hypervisor vulnerabilities Car will connected to the Vendor/3rd Party Cloud over a 3G/4G link – Tesla S, SysSec 2 – Platform to Platform Exchanges Secure Certification and Exchange Protocols Secure IP Based Radios Ad hoc networks, sensor networks, mesh networks, and vehicular networks CAR2X, PRESERVE – Integration and Demonstration, SysSec 3 – Off-board Communication Security Intrusion Detection SW Trusted Network Gateway HW, Encrypted Communications HW Accelerated Intrusion Detection System/Firewall System CAR2X, PRESERVE – Integration and Demonstration, SysSec 4 – Platform Storage Security Cross Domain Solution SW Encrypted Storage HW Encrypted file systems - encrypt user’s data, manage and create keys OVERSEE 5 – Platform Network Security Security Services SW Encrypted Communications HW Anomaly detection, Clean slate security protocols OVERSEE 6 – Embedded Processing Node SW/HW Security Malware Detection SW, Virtual Machines SW Secure Root-of-Trust HW, Secure Boot Assist HW, and Secure Execution HW Intrusion Prevention System/Application Layer Firewall, Trusted Processor Module (TPM) Extensions, Secure Processor SoC/3DIC HW ESCRYPT – Secure Operating Systems, EVITA – High, Med, Low HW Security Modules (HSMs), EURO-MILS, EVITA 7 – Platform Application SW Trusted Applications SW Secure HW Virtualization Support Autonomy Architecture with Cloud Fusion AUTOSAR SW Components 9 Securing Adhoc VehiculAr InterNETworking (VANET) Secure Vehicle Communications (SEVECOM) In car architecture components including • Information Assurance Network Security – Car to Car Network Security Module • Car to Car Coms • Information Assurance Infrastructure - In car Network Security Module • • GateWay/Firewall Intrusion Detection/Attestation • Trusted Processor - TamperEvident Security Module • • • REF 2 Key/Certificate Storage Secure Crypto Processing Secure Execution 10 Information Assurance Mechanisms In Network Connected Topologies • Identification – Typically use trusted third parties to validate credentials • Authentication of Data Origin – With no real-time connection to Certifying authority and in one way broadcast environment • Attribute Identification – Traffic density information data authentication • Integrity Protection – Signatures • Confidentiality Protection – Encryption • Attestation of Sensor Data – Location Obfuscation/Verification • Tamper Resistant-Communication – – – – – – – REF 2 Replay Protection Access Control Authentication and Authorization Jamming/DoS Protection Firewall Sandbox Filtering Based on Rules 11 Experimental Security Analysis of a Modern Automobile • Intel CTO Justin Rattner predicts that driverless cars will be available within 10 years and that buyers by then will increasingly be more interested in a vehicle's internal technology than the quality of its engine • God help us when one of them runs into somebody or runs over somebody Most New Functionality in an Automobile is Electronics and Software – There are many vulnerabilities in current bridged networks REF 3 12 Trusted Processing Mechanisms Hierarchy REF 4 13 E-Safety Vehicle Intrusion Protected Applications (EVITA) • Defines 3 classes of Hardware Security Modules (HSMs) • • • Full Medium Lite • OVERSEE ads virtualization and firewalls at each node REF 5 14 AUTomotive Open System Architecture (AUTOSAR) • • • • • AUTOSAR codesign methodology uses a Component Software Design Model and a virtual function bus 1) Develop requirements and constraints 2) Describe SW-Component independently of HW 3) Describe HW independently of Application SW 4) Describe System – network topology, communication • Generate software executable based on configuration information for each ECU using formal methods REF 6 15 Parallel Domain Security Extensions Unified Security Services: Crypto Servcies, Secure Boot, Communication Gateway with Firewalls/ Intrusion Protection Reuseable SW Components: HW Agnostic and Uniform API Layering Enforced IMA Partitioning: Isolated Execution Environments via Virtualization AUTOSAR UAS Standards Initiatives EURO-MILS Extensions for SAE ESCAR Systems-ofSystems AUTOMOTIVE UAS Security Reusable Units of Portability in Interoperability Layered Architectures (Drivers, Transport Services) Multicore Hypervisors That Support mixed GP, Safe and Secure Addressing General Purpose, Safe, and Secure Multicore: Incremental Path to Unified Hypervisor Infrastructure Embedded Controllers with Trust Services Trusted Computing: HW Root-of-Trust(HSM), Secure Boot, Dynamic Monitoring 16 Representative Derived Embedded Computing Products • Cloud Based Security Infrastructure • Secure Network Gateway – Intrusion Detection – Firewalls – Multiple Levels of Security • Secure Microcontroller – Multiple Levels of Tamper Resistant vs Cost – Secure Boot Support • Secure Software APIs – Network Services – Crypto Services – Virtualization 17 Secsys Security Assessment/Analysis REF 7 18 IMA Context Networked Car REF 8 19 Future Avionics Reference Architecture MIL Mission & Wpn Subsystems Msn Sensors Datalinks S U B S Y S 1 FACE and GIG SW MODERNIZATION => Modular Interoperable S Interfaces, S U U Formal Methods B B Application SW Components S Y S N S Y S 1 Application SW Components S U B S Y S M MIL/COM Flt Subsystems Open PROCESSOR MULTICORE AND VIRTUALIZATION, POOLING,SW HIGHER Mission Infrastructure SW Flight Infrastructure DENSITY PACKAGING Processing Multicore SW Secure Partitioned by SBC with=> Embedded Partitioned by SBCon or ARINC with MILS Middleware and POSIX OS 653 Partition Stds Mission Avionics Processing HW Components IMA & Non IMA WRAs Mission Avionics Networks Ethernet, 1553, FC MOBILE AND INTERNET CONNECTIVITY TO THE CLOUD => with Adhoc Network Security, IDS, Cross Domain Solutions Open HW Stds Flight Avionics Processing HW Components IMA & Non IMA WRAs Topology Flight Avionics Networks AFDX, Firewire, 1553, ARINC 429 UNIFIED NETWORK ARCHITECTURE = Multiple Levels of Security Other Platforms and the GIG AC Sensors Radios GIG MSG INTEROPERABILITY AND INCREASED PT-PT BW => Unified Security Protocols 20 Conclusions • There are many parallels with regard to Information Assurance and Trusted Processing challenges for next generation avionics and automotive architectures • Automotive related University Research and Automotive Consortiums have significantly increased focus on development of security for embedded systems • Next generation UAS architectures require an affordable, balanced, reference security architecture while exploiting third party software and 10 billion transistor hardware chips by 2020 Embedded university research and automotive security consortiums can provide access to significant dual use solutions for avionics and other embedded industries 21 References • • • • • • • • • • REF 1 - Kumar, S., S. Gollakota, D. Katabi, 2012, A Cloud-Assisted Design for Autonomous Driving, MIT REF 2 - Groll, André, Jan Holle, Marko Wolf, Thomas Wollinger, 2010, Next Generation of Automotive Security: Secure Hardware and Secure Open Platforms, ITS World 2010 REF 3 - Koscher, Carl, Alexei Czeskis, Franziska Roesner, Shwetak Patel, Tadayoshi Kohno, Stephen Checkoway, Damon McCoy, Brian Kantor, Danny Anderson, Hovav Shacham, and Stefan Savage, 2010, Experimental Security Analysis of a Modern Automobile, Oakland 2010 REF 4 - Hwang, D., Patrick Schaumont, Shenglin Yang, Ingrid Verbauwhede, 2006, Multi-level Design Validation in a Secure Embedded System, IEEE Transctions on Computers, Vol. 55, No. 11, November 2006 REF 5 - Wolfe, M., 2009, Designing Secure Automotive Hardware for Enhancing Traffic Safety – The EVITA Project, CAST Workshop Mobile Security for Intelligent Cars REF 6 - AUTOSAR Web Site – http://www.autosar.com REF 7 - Syssec Web Site, syssec Deliverable D6.2: Intermediate Report on the Security of the Connected Car – http://www.syssec-project.eu/m/page-media/3/syssec-d6.2-SecurityOfTheConnectedCar.pdf REF 8 - Tverdyshev, Sergey, EURO-MILS, Secure European Virtualisation for Trustworthy Applications in Critical Domains, SYSGO, Presentation for EURO-MILS Project REF 9 - Gaska, Thomas, 2013, Assessing Dual Use Embedded Security For IMA, Digital Avionics Systems Conference 2013 REF 10 - Gaska, Thomas, 2014, Exploring Security Synergies in Driverless Car and UAS Integrated Modular Architectures (IMAs), AUVSI 2014 – This paper includes the web sites for all research programs mentioned in the taxonomy table for future study 22