software-update over-the-air (sota) - tntdpctntdpc.com/automotiveelectronics/speak/speakers...
TRANSCRIPT
V1.1 | 2016-12-09
CII – Conference on Automotive Electronics, Chennai
Software-Update over-the-air (SOTA)Challenges for secure software updates
u Overview
Process
Security
Reliability
Delta Technology
Vector SOTA demonstrator
Summary
Agenda
2
Connectivity
Overview
Remote Diagnostics Remote Diagnostics
Applications
Software Update OTA Software Update OTA
Data Collection Data Collection
Security
e.g
. TLS,
Auth
entication,
…
Connectivity (
e.g
. htt
p)
WAN3G, 4G
5G(e.g. LTE)
DSRC802.11n802.11p
3
Connectivity
Overview
Remote Diagnostics Remote Diagnostics
Applications
Software Update OTA Software Update OTA
Data Collection Data Collection
Security
e.g
. TLS,
Auth
entication,
…
Connectivity (
e.g
. htt
p)
WAN3G, 4G
5G(e.g. LTE)
DSRC802.11n802.11p
Remotely Activated Diagnostics
Backend initiated, e.g. monthly status report incl. DTCs
Interactive Remote Diagnostics
Backend initiated; instead of a local tester
Live Diagnostics
Driver initiated; car broke down, driver calls for help;
4
Connectivity
Overview
Remote Diagnostics Remote Diagnostics
Applications
Software Update OTA Software Update OTA
Data Collection Data Collection
Security
e.g
. TLS,
Auth
entication,
…
Connectivity (
e.g
. htt
p)
WAN3G, 4G
5G(e.g. LTE)
DSRC802.11n802.11p
“Firmware - Update”
Update of all the AUTOSAR based ECUs -program, calibration or coding data
“Software – Update”
Application Software Components Update in HPCs
System Software Update (OS, drivers, security,…) in HPCs
5
Connectivity
Overview
Remote Diagnostics Remote Diagnostics
Applications
Software Update OTA Software Update OTA
Data Collection Data Collection
Security
e.g
. TLS,
Auth
entication,
…
Connectivity (
e.g
. htt
p)
WAN3G, 4G
5G(e.g. LTE)
DSRC802.11n802.11p
Setup Configuration
Setup and conditions of data to be collected
Collect and Store Data
Send Data to the backend
On event / cyclic
6
Overview
Motivation for Software-update Over The Air (SOTA)
Software maintenance of car functionalities.Customer friendly with reduced costs.
Development advantages:Quick software updates and measurement possible.
Fleet management allows centralized and unified access.
Security updates can be provided quickly to reduce the window of opportunity and to avoid vulnerabilities.
Offering secure internet access points and cloud services.Function enabling and software-as-a-product.
7
Series B
Series A
u Lifetime: ECU is used for more than 20 years.
u Flexibility: Is applied in several car series, adapted by parameters per car.
u Dependencies: to other ECUs for distributed functions.
u Variants: are handled by software parameter and configuration.
u Updating and maintaining the correct software version and configuration for a car is the challenge.
Challenges in the update process
Overview
COMGateway
Body
Chassis
ADAS Infotainment
8
u A programmable ECU consists of:
u A bootloader according to the OEM standard.
u At least one executable application.
u Optional: calibration, configuration and parameter data
u Identity information for the hard- and software.
> Part number, software version, supplier id, …
u Bootloader is an optimized software for a fast and secure download:> Supports software partitioning for partial download
> Reprogramming time is optimized using data compression, pipelined operations and delta download (details later).
> Provides security features such as data decryption, software verification and authentication checks.
Programmable ECUs
Overview
UDS-Flash
Bootloader
Application
Data
Decompression
Data transfer
Flash programming
Verification/calculation
Verification/comparison
9
Requirements for over-the-air updates
Overview
u SOTA must be seamlessly integrated into the existing processes and infrastructures of the OEM.
Process
u Reliable software updates are required in an unattended environment. Availability must be guaranteed.
Reliability
u The download and execution of the software update must be planned and agreed with the car owner.
Planning
u Over-the-air communication requires additional security considerations for connectivity and data storage.
Security
u The car must be in a reliable state during programming: parking position, battery, temperature, …
Environment
10
Overview
u Process
Security
Reliability
Delta Technology
Vector SOTA demonstrator
Summary
Agenda
11
OEMcentral
database
Infrastructure
Process
Vehicle Assembly
Status
Software Release
Database
COM/TCU
Diagnostic Tester
ODX MDX
Do
IP
OBD
Diag-Gateway
OTA UDS-Flash
Bootloader
Application
Data
12
SOTA update process flow at a glance
Process
Vehicle Assembly
Status
Software Release
Database
Provide assembly status
VehicleBackend
Create/signupdate information
Transmit update info
Open secure channel
u Checkupdate data
u Plan and perform update
Provide update status
Internet
Onboard Diagnostic Tester
Software package and Flash Manager
Container Manager
Connectivity/Security Manager
Connectivity/Security Manager
Container Manager
Software package manager
Onboard Diagnostic Tester
Software Package Manager
OTA Components
13
Overview
Process
u Security
Reliability
Delta Technology
Vector SOTA demonstrator
Summary
Agenda
14
Security analysis for the software distribution
Security
CC
BackendConnectivity Diag gateway
u Assets
u Flash data along the communication path:> Over-the-air communication between backend and vehicle.
> Storage devices.
> In-vehicle communication.
u Impacts:> Financial loss.
> Manufacturer reputation.
> System malfunction.
> Safety functions.
InternetPDX
Gateway
Body
Chassis
ADASInfotainment
Flash Bootloader
u Threats:> Compromising keys.
> Data access or manipulation.
> Man-in-the-middle.
> Denial of services.
u Security keys of the devices.
15
u Internet communication
u PKI and certificate handling required for over-the-air communication.
u Connectivity device must handle and store (root-) certificates and key materials.
u Storage of software packages in the vehicle
u Protect the data on storage devices from reading and writing by malicious attacker.
u Prohibit data transfer between vehicles (data are unique to a vehicle).
u End-to-End protection for ECU software
u Signatures are generated over software package by the OEM.
u The Bootloader checks authenticity of programmed data by verifying the signature after successful programming.
u Optional: Additional data encryption of the software packages. Will be decrypted inside the bootloader.
Threat analysis
Security
16
Overview
Process
Security
u Reliability
Delta Technology
Vector SOTA demonstrator
Summary
Agenda
17
ECU
Reliability
Backup memory in the ECU
Redundancy in the ECU:
u ECU has two alternative memory storages.
u Current software version V1.0 is ready for execution in primary section.
u Software download is performed into the secondary memory section.
u VAP informs to activate the software version after successful programming.
u In case of a failure, all ECUs will keep on executing the current version.
UDS-Flash
Bootloader
ApplicationV1.0
Application V2.0
ProgrammingReady for execution
Connectivity
PDXV2.0
Diag gateway
18
Connectivity ECU
Reliability
Backup of software versions
Redundancy of data at central location:
u Software packages are stored within the vehicle (e.g. connectivity).
u This allows to retry interrupted or unsuccessful updates.
u Connectivity contains the current and new software versions of the ECUs.
u Software update of the new version (V2.0) is applied to the ECU.
u In case of a failure, the update can be reverted to the previous version.
PDXV1.0
PDXV2.0
UDS-Flash
Bootloader
Application V2.0
ProgrammingDiag gateway
19
ECU
Delta technology in the SOTA process
Delta Technology
Software Release Database
PDXV2.0
PDXV1.0
V1.0V2.0Conn
V1.0V2.0ECU
UDS-Flash
Bootloader
Connectivity
Backend
from TIER1
from OEM
Application
V1.0
DiagGateway
OTA
V1.0V2.0ECU
1
Application
V2.0
V1.0V2.0ECU
1
PDXV2.0
PDXV1.0
V1.0V2.0Conn
2
12
2
1 Standard process 2 Emergency process
20
Overview
Process
Security
Reliability
Delta Technology
u Vector SOTA demonstrator
Summary
Agenda
21
Diag-
CAN
Hardware components
Vector SOTA demonstrator
Backend
LINUX System
Connectivity
Embedded Linux
In-VehicleECUs
Wireless connection
DiagGateway
u Ubuntu 14.04 LTS
u Internet connection to the Vector-Cloud.
u Single board computer Beaglebone Black
> On-Chip CAN-Controller
> SD-Card, 16 GB
> USB-Port, for e.g. UMTS-device
> Ethernet connection
> HDMI/LCD-Display
u Infineon Crypto-Cape
> CAN Transceiver
> Real-Time Clock (RTC)
> Trusted Platform Module (TPM).
22
Software programs of the demonstrator
Vector SOTA demonstrator
Diagnostic Client Unit (DCU)
Vehicle Configuration Unit (VCU)
IPC
CAN
Backend Simulation (BES)
C
C
Vehicle Access Point (VAP)
Internet
BES VCU DCU
23
Backend: Vector Cloud
Architecture Backend/Vector Cloud
Vector SOTA demonstrator
ServiceGateway
HTTPSHTTPS
BES VCU DCU
Build/ReadContainer
DatabaseProxy
Connectivity
Software Release
Database
SecurityModule
Internet
24
Embedded LINUX
Vehicle configuration unit (VCU)
Vector SOTA demonstrator
XML Parser (LibXML2)
Vehicle Software Configuration Manager
CURL / OpenSSL
Ethernet socket
JSON(jansson)
IPC
Flash ManagerVehicle Data
Manager
ODX-F
Container Manager
VectorSecurity-Library
Connectivity Manager
VSCM Backend VSCM Vehicle
VSCM GUI
Google Protocol Buffers
BES VCU DCU
Internet
Open source software
25
u DCU is a completely separate Linux program.
u Uses standard AUTOSAR modules (higher layers).
u CanDrv as Socket-CAN on Linux.
u Executes single diagnostic requests
u Supports the software download steps.
u Could be located on another ECU, e.g. diagnostic gateway.
Diagnostic Communication Unit (DCU)
Vector SOTA demonstrator
MICROSAR BSW
DRM
Diagnostic service request
Software download manager
Diagnostic Package Server
IPCJSON
Generator/ Parser
BES VCU DCU
26
u The Vector demonstrator uses the following key material
Key material in the Vector demonstrator
Vector SOTA demonstrator
Vehicle
Kpub Vcu
Kpriv Vcu.
Kpriv BE
Kpub BE
u PKI-System is used for the TLS communication.
u Private and public keys used fordata container encryption andsigning.
27
u The VCU program effectively consists of two separated parts: backend and vehicle part.
> Loosely coupled between connectivity and vehicle, only on data level.
u Only correctly signed Data will be processed on vehicle side. This allows to isolate the two systems.
u Key material is separated for communication and data authentic./encrypt.
u Private keys can be stored in the Trusted platform module (TPM).
Security-Architecture and key assignment
Vector SOTA demonstrator
DataContainer
SecurityModule
Connectivity
HTTPS
Backend VCU
Connectivity
HTTPS
Data Container
IPC
Flash-manager
ODX-FReader
SecurityModule
VSCM
CDatabase
C
Certificates for the communication
CKBE priv sign
KBE pub encr
KVcu priv decr
KVcu pub signVer
KBE priv TLS KVeh priv TLS
Certificates and keys for Data-Container
Backend operation
Vehicle data operation
Certificates and keys for Data-Container
BES VCU DCU
VAP
28
Overview
Process
Security
Reliability
Delta Technology
Vector SOTA demonstrator
u Summary
Agenda
29
u Integrating SOTA into the OEM process is the challenge.
u A PKI infrastructure is required for a secure over-the-air communication.
u The vehicle owner must be involved into the update process for download and planning.
u An unattended software download must be reliable to guarantee the availability of the vehicle.
Summary
Summary
WAN3G, 4G
5G(e.g. LTE)
DSRC802.11n802.11p
30
© 2015. Vector Informatik India Private Limited. All rights reserved. Any distribution or copying is subject to prior written approval by Vector. V1.1 | 2016-12-09
Author:Brahmanand PatilVector India
For more information about Vectorand our products please visit
www.vector.com