Exploring Security Synergies in Driverless Car and UAS Integrated Modular Architectures (IMAs)
Thomas Gaska, Lockheed Martin MST Owego and Binghamton University
[email protected]

Transcript of the 22-slide presentation.

Page 1: Title slide (title, author, and affiliation as above)

Page 2: Introduction

• There is a future opportunity to leverage COTS security technology being developed for the driverless car into future UAS Integrated Modular Architectures (IMAs)

• Infrastructure and Information Security are critical issues in networked UAS team configurations with increasing degrees of autonomy and collaboration

• The security hierarchy includes off-board connectivity level gateways, application level software security mechanisms, platform and subsystem network security gateways, processing infrastructure elements, and security primitives and protocols

Page 3: Agenda

1.) Common Security Challenges – UAS and Driverless Cars
2.) Dual Use Security Taxonomy
3.) Automotive Industry Security Initiatives Mapped to Potential UAS Relevance
4.) Future Embedded Security Product Directions
5.) Conclusions

Page 4: Common Security Challenges – UAS and Driverless Cars

• Increased cooperative platform autonomy => Mixed capability management and levels of autonomy
  – Need to cooperate with less and more capable manned systems with the goal of optionally piloted capability

• Connectivity to the Cloud and GIG => Every platform will interact as a sensor for situation awareness
  – Need to offload system-of-system management to an ad hoc, trusted infrastructure

• Connectivity within the platform for storage and onboard/offboard services at multiple trust levels => Multiple Levels of Security
  – Need multiple security domains within and across the platforms

• Protection of critical program information and tamper resistance => Trusted Computing Elements
  – Need to balance open architecture and enforce trust

• Increase standardization to support collapsing into a common component infrastructure => Next Generation Integrated Modular Avionics (IMA)
  – Need to leverage the Moore's Law multicore explosion while maintaining safety and security

• Increase cross platform reuse => Domain standardization initiatives
  – Need hardware agnostic software components and uniform software interfaces

• Affordability consistent with the threat, policy, and customer => Early demonstration of advanced solution capability for acceptance/validation
  – Need for incremental technology insertion across a wide range of affordability targets

Next generation avionics architectures need to provide enhanced IA and TP solutions to protect new capabilities

Page 5: Automotive Autonomy Applications Architecture

Automotive components, standards, and topologies will need to be incrementally developed in a reference architecture

REF 1

Page 6: IMA Architecture – Driverless Cars

Future autonomous architectures will drive distributed security into a new generation of modular component based SW/HW

(Figure: IMA block diagram; recoverable labels: Planning/Control, Cloud Services, Cloud, SENSOR NET, UAS NET, CLOUD NET, VMS NET)

Page 7: Information Assurance and Trusted Processing Definitions

• Infrastructure security is the security to prevent tampering in the computer and networking hardware and software infrastructure

• Infrastructure security is typically associated with Tamper Resistant Computing, and Information Security is associated with Information Assurance (IA)

• Both of these security infrastructures need to be properly addressed and incrementally extended to enable future levels of autonomy

Page 8: Generic Security Hierarchy

1. Cloud (public, private, hybrid) to Platform Exchanges
2. Platform to Platform Exchanges
3. Off-board Communication Security
4. Platform Storage Security
5. Platform Network Security
6. Embedded Processing Node SW/HW Security
7. Platform Application/Infrastructure Software

Page 9: Avionics Security Taxonomy Mapped to University Research and Automotive Domains

Columns of the original table: Layer #; Information Assurance for Avionics; Trusted Processing for Avionics; University Security Research Focus Areas; Automotive Security Industry Focus.

Layer 1 – Cloud (public, private, hybrid) to Platform Exchanges
  – Information Assurance: Private Cloud Security SW Infrastructure
  – Trusted Processing: Trusted Network Infrastructure HW
  – University Research: Access control/identity management, data control/data loss, anomaly detection/security policy, hypervisor vulnerabilities
  – Automotive Industry: Car will be connected to the Vendor/3rd Party Cloud over a 3G/4G link – Tesla S, SysSec

Layer 2 – Platform to Platform Exchanges
  – Information Assurance: Secure Certification and Exchange Protocols
  – Trusted Processing: Secure IP Based Radios
  – University Research: Ad hoc networks, sensor networks, mesh networks, and vehicular networks
  – Automotive Industry: CAR2X, PRESERVE – Integration and Demonstration, SysSec

Layer 3 – Off-board Communication Security
  – Information Assurance: Intrusion Detection SW
  – Trusted Processing: Trusted Network Gateway HW, Encrypted Communications HW
  – University Research: Accelerated Intrusion Detection System/Firewall System
  – Automotive Industry: CAR2X, PRESERVE – Integration and Demonstration, SysSec

Layer 4 – Platform Storage Security
  – Information Assurance: Cross Domain Solution SW
  – Trusted Processing: Encrypted Storage HW
  – University Research: Encrypted file systems – encrypt user's data, manage and create keys
  – Automotive Industry: OVERSEE

Layer 5 – Platform Network Security
  – Information Assurance: Security Services SW
  – Trusted Processing: Encrypted Communications HW
  – University Research: Anomaly detection, Clean slate security protocols
  – Automotive Industry: OVERSEE

Layer 6 – Embedded Processing Node SW/HW Security
  – Information Assurance: Malware Detection SW, Virtual Machines SW
  – Trusted Processing: Secure Root-of-Trust HW, Secure Boot Assist HW, and Secure Execution HW
  – University Research: Intrusion Prevention System/Application Layer Firewall, Trusted Processor Module (TPM) Extensions, Secure Processor SoC/3DIC HW
  – Automotive Industry: ESCRYPT – Secure Operating Systems, EVITA – High, Med, Low HW Security Modules (HSMs), EURO-MILS, EVITA

Layer 7 – Platform Application SW
  – Information Assurance: Trusted Applications SW
  – Trusted Processing: Secure HW Virtualization Support
  – University Research: Autonomy Architecture with Cloud Fusion
  – Automotive Industry: AUTOSAR SW Components

Page 10: Securing Adhoc VehiculAr Inter-NETworking (VANET)

Secure Vehicle Communications (SEVECOM) in-car architecture components include:

• Information Assurance Network Security – Car to Car Network Security Module
  – Car to Car Coms

• Information Assurance Infrastructure – In-car Network Security Module
  – Gateway/Firewall
  – Intrusion Detection/Attestation

• Trusted Processor – Tamper-Evident Security Module
  – Key/Certificate Storage
  – Secure Crypto Processing
  – Secure Execution

REF 2

Page 11: Information Assurance Mechanisms in Network Connected Topologies

• Identification – Typically use trusted third parties to validate credentials

• Authentication of Data Origin – With no real-time connection to the certifying authority and in a one-way broadcast environment

• Attribute Identification – Traffic density information data authentication

• Integrity Protection – Signatures

• Confidentiality Protection – Encryption

• Attestation of Sensor Data – Location Obfuscation/Verification

• Tamper Resistant Communication
  – Replay Protection
  – Access Control
  – Authentication and Authorization
  – Jamming/DoS Protection
  – Firewall
  – Sandbox
  – Filtering Based on Rules

REF 2
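The data-origin, integrity and replay-protection mechanisms listed above, as an added example that is not from the presentation or any project it cites: a Go sketch of a signed one-way broadcast beacon verified against a pre-provisioned trust store, so the receiver needs no live connection to a certifying authority. Beacon, Sign, Receiver, the "CAR-1" identifier and the per-sender sequence-number scheme are assumptions of this sketch; a fielded V2X stack would carry certificates and pseudonyms rather than bare keys.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
)

// Beacon is a constructed one-way broadcast message (e.g. a position report).
type Beacon struct {
	Sender  string // hypothetical vehicle identifier
	Seq     uint64 // per-sender monotonic counter, starting at 1
	Payload []byte
	Sig     []byte
}

// signedBytes: len(sender) || sender || seq (8 bytes big-endian) || payload.
func (b *Beacon) signedBytes() []byte {
	seq := make([]byte, 8)
	binary.BigEndian.PutUint64(seq, b.Seq)
	return append(append(append([]byte{byte(len(b.Sender))}, b.Sender...), seq...), b.Payload...)
}

// Sign produces a beacon under the sender's provisioned private key.
func Sign(sender string, seq uint64, payload []byte, priv ed25519.PrivateKey) *Beacon {
	b := &Beacon{Sender: sender, Seq: seq, Payload: payload}
	b.Sig = ed25519.Sign(priv, b.signedBytes())
	return b
}

var ErrUnknownSender = errors.New("sender not in trust store")
var ErrBadSignature = errors.New("signature verification failed")
var ErrReplay = errors.New("sequence number not fresh (replay)")

// Receiver: offline trust store plus last accepted Seq per sender (replay state).
type Receiver struct {
	Trusted map[string]ed25519.PublicKey
	LastSeq map[string]uint64
}

// Accept checks origin and integrity before freshness, so a forged or
// tampered beacon can never advance the replay window; Seq must strictly increase.
func (r *Receiver) Accept(b *Beacon) error {
	if r.LastSeq == nil {
		r.LastSeq = map[string]uint64{}
	}
	if pub, ok := r.Trusted[b.Sender]; !ok {
		return ErrUnknownSender
	} else if !ed25519.Verify(pub, b.signedBytes(), b.Sig) {
		return ErrBadSignature
	} else if b.Seq <= r.LastSeq[b.Sender] {
		return ErrReplay
	}
	r.LastSeq[b.Sender] = b.Seq
	return nil
}
```

A lost beacon leaves a gap in Seq, which this receiver tolerates; what it rejects is any beacon at or below the last accepted number.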

Page 12: Experimental Security Analysis of a Modern Automobile

• Intel CTO Justin Rattner predicts that driverless cars will be available within 10 years and that buyers by then will increasingly be more interested in a vehicle's internal technology than the quality of its engine

• God help us when one of them runs into somebody or runs over somebody

Most new functionality in an automobile is electronics and software – there are many vulnerabilities in current bridged networks

REF 3

Page 13: Trusted Processing Mechanisms Hierarchy

REF 4

Page 14: E-Safety Vehicle Intrusion Protected Applications (EVITA)

• Defines 3 classes of Hardware Security Modules (HSMs)
  – Full
  – Medium
  – Lite

• OVERSEE adds virtualization and firewalls at each node

REF 5

Page 15: AUTomotive Open System Architecture (AUTOSAR)

• AUTOSAR codesign methodology uses a Component Software Design Model and a virtual function bus
  1) Develop requirements and constraints
  2) Describe SW-Component independently of HW
  3) Describe HW independently of Application SW
  4) Describe System – network topology, communication

• Generate software executable based on configuration information for each ECU using formal methods

REF 6

Page 16: Parallel Domain Security Extensions

Addressing General Purpose, Safe, and Secure Multicore: Incremental Path to Unified Hypervisor Infrastructure

• Trusted Computing: HW Root-of-Trust (HSM), Secure Boot, Dynamic Monitoring

• Enforced IMA Partitioning: Isolated Execution Environments via Virtualization

• Unified Security Services: Crypto Services, Secure Boot, Communication Gateway with Firewalls/Intrusion Protection

• Reusable SW Components: HW Agnostic and Uniform API Layering

(Figure: two columns, AUTOMOTIVE and UAS, with rows: AUTOSAR / UAS Standards Initiatives; Embedded Controllers with Trust Services; Multicore Hypervisors That Support mixed GP, Safe and Secure; Reusable Units of Portability in Layered Architectures (Drivers, Transport Services); Extensions for Systems-of-Systems Security Interoperability; consortium labels EURO-MILS, SAE, ESCAR)

Page 17: Representative Derived Embedded Computing Products

• Cloud Based Security Infrastructure

• Secure Network Gateway
  – Intrusion Detection
  – Firewalls
  – Multiple Levels of Security

• Secure Microcontroller
  – Multiple Levels of Tamper Resistance vs Cost
  – Secure Boot Support

• Secure Software APIs
  – Network Services
  – Crypto Services
  – Virtualization

Page 18: SysSec Security Assessment/Analysis

REF 7

Page 19: IMA Context Networked Car

REF 8

Page 20: Future Avionics Reference Architecture

(Figure: Future Avionics Reference Architecture block diagram; the recoverable labels are listed below)

• Flight Avionics Networks: AFDX, Firewire, 1553, ARINC 429
• Flight Avionics Processing HW Components: IMA & Non IMA WRAs
• Flight Infrastructure SW: Partitioned by SBC or ARINC 653 Partition
• Mission Avionics Networks: Ethernet, 1553, FC
• Mission Avionics Processing HW Components: IMA & Non IMA WRAs
• Mission Infrastructure SW: Partitioned by SBC with Middleware and POSIX OS
• Application SW Components
• Subsystems and interfaces: Msn Sensors, Datalinks, Radios, AC Sensors, SUBSYS1 to SUBSYSN, SUBSYS1 to SUBSYSM, MIL Mission & Wpn Subsystems, MIL/COM Flt Subsystems, Other Platforms and the GIG
• Open HW Stds, Topology, Open SW Stds

• FACE and GIG SW MODERNIZATION => Modular Interoperable Interfaces, Formal Methods
• UNIFIED NETWORK ARCHITECTURE => Multiple Levels of Security
• MULTICORE AND VIRTUALIZATION, PROCESSOR POOLING, HIGHER DENSITY PACKAGING => Embedded Secure Processing on Multicore with MILS
• GIG MSG INTEROPERABILITY AND INCREASED PT-PT BW => Unified Security Protocols
• MOBILE AND INTERNET CONNECTIVITY TO THE CLOUD => with Adhoc Network Security, IDS, Cross Domain Solutions

Page 21: Conclusions

• There are many parallels with regard to Information Assurance and Trusted Processing challenges for next generation avionics and automotive architectures

• Automotive related University Research and Automotive Consortiums have significantly increased focus on development of security for embedded systems

• Next generation UAS architectures require an affordable, balanced, reference security architecture while exploiting third party software and 10 billion transistor hardware chips by 2020

Embedded university research and automotive security consortiums can provide access to significant dual use solutions for avionics and other embedded industries

Page 22: References

• REF 1 - Kumar, S., S. Gollakota, D. Katabi, 2012, A Cloud-Assisted Design for Autonomous Driving, MIT

• REF 2 - Groll, André, Jan Holle, Marko Wolf, Thomas Wollinger, 2010, Next Generation of Automotive Security: Secure Hardware and Secure Open Platforms, ITS World 2010

• REF 3 - Koscher, Karl, Alexei Czeskis, Franziska Roesner, Shwetak Patel, Tadayoshi Kohno, Stephen Checkoway, Damon McCoy, Brian Kantor, Danny Anderson, Hovav Shacham, and Stefan Savage, 2010, Experimental Security Analysis of a Modern Automobile, Oakland 2010

• REF 4 - Hwang, D., Patrick Schaumont, Shenglin Yang, Ingrid Verbauwhede, 2006, Multi-level Design Validation in a Secure Embedded System, IEEE Transactions on Computers, Vol. 55, No. 11, November 2006

• REF 5 - Wolfe, M., 2009, Designing Secure Automotive Hardware for Enhancing Traffic Safety – The EVITA Project, CAST Workshop Mobile Security for Intelligent Cars

• REF 6 - AUTOSAR Web Site – http://www.autosar.com

• REF 7 - SysSec Web Site, SysSec Deliverable D6.2: Intermediate Report on the Security of the Connected Car – http://www.syssec-project.eu/m/page-media/3/syssec-d6.2-SecurityOfTheConnectedCar.pdf

• REF 8 - Tverdyshev, Sergey, EURO-MILS, Secure European Virtualisation for Trustworthy Applications in Critical Domains, SYSGO, Presentation for EURO-MILS Project

• REF 9 - Gaska, Thomas, 2013, Assessing Dual Use Embedded Security For IMA, Digital Avionics Systems Conference 2013

• REF 10 - Gaska, Thomas, 2014, Exploring Security Synergies in Driverless Car and UAS Integrated Modular Architectures (IMAs), AUVSI 2014 – This paper includes the web sites for all research programs mentioned in the taxonomy table for future study