Assessing Dual Use Embedded Security for IMA
Thomas Gaska Lockheed Martin MST Owego
[email protected]
Introduction
• Security of embedded devices is a key focus area that can be leveraged as dual use in avionics
  – Security needs to be designed into next generation avionics from the start
  – Security includes both Information Assurance and Trusted Processing components
• One embedded platform that has parallels to avionics is the automobile
• Next generation avionics need to integrate security into Integrated Modular Avionics (IMA) components, standards, and topologies
Understanding embedded security university research and automotive security architecture consortiums provides insight into the formulation of next generation affordable system-of-system avionics security solutions
Agenda
• Information Assurance and Trusted Processing Definitions
• Avionics Security Challenges
• Automotive Security Challenges
• Security Protection Mechanisms Hierarchy
• Automotive Security Initiatives
• University Security Initiatives
• Reference Architectures
• Reference Taxonomy for Comparing Security Architectures
• Conclusions
Classic Definitions
• Information Assurance (IA) refers to the steps involved in protecting computer systems and networks.
• There are commonly five associated terms:
  – Integrity
  – Availability
  – Authentication
  – Confidentiality
  – Nonrepudiation
• Trusted Processing (TP) refers to computer processing and network processing that will consistently behave in expected ways, and those behaviors will be enforced by computer hardware and software.
University research is categorized differently: Network Security, Infrastructure Security, Information Security, Secure Processing, Cryptographic Processing, Cloud Security, Mobile Security, Sensor Network Security
Future Avionics Security Challenges
• Increased autonomy => Pilotless requirement even for non UAS
• Connectivity to the Cloud and GIG => DoD goal of every platform a sensor
• Connectivity within the platform to storage and onboard/offboard services at multiple trust levels => Multiple Levels of Security
• Protection of critical program information => prevent reverse engineering
• Increase standardization to support collapsing to common component infrastructure => Next Generation Integrated Modular Avionics (IMA)
• Increase cross platform reuse => Future Airborne Capabilities Environment (FACE)
• Affordability consistent with the threat, policy, and customer => Early demonstration of advanced solution capability for acceptance/validation
Next generation avionics architectures need to provide enhanced IA and TP solutions to protect new capabilities
Typical 200X Era Avionics Security
[Diagram: layered view of 200X era avionics security. Recoverable labels:]
• MIL Mission & Wpn Subsystems: Msn Sensors, Datalinks; Pt-Pt Encrypted Datalinks; Limited OS Security
• Subsystems 1..N: Trusted Processing in SW; Application SW Components
• Subsystems 1..M: Unencrypted SW Loads; Application SW Components
• Mission Infrastructure SW partitioned by SBC with Middleware and POSIX OS; Flight Infrastructure SW partitioned by SBC or ARINC 653 Partition (Open SW Stds)
• Mission Avionics Processing HW Components and Flight Avionics Processing HW Components: IMA & Non IMA WRAs (Open HW Stds)
• Topology: Flight Avionics Networks (Firewire, 1553, ARINC 429); Mission Avionics Networks (Ethernet, 1553, FC)
• MIL/COM Flt Subsystems: AC Sensors, Radios, Non IP Radios
• Gateway – Non IP, Unencrypted; VMS System High; Storage; Other Platforms and the GIG
REF 1
Automotive Security Challenge
• Increased autonomy => Driverless car by 2020
• Connectivity to the Cloud and GIG => Car2Car, Car2Infrastructure
• Connectivity within the platform to storage and onboard/offboard services at multiple security levels => Infotainment, Collision Avoidance
• Protection of critical program information => Confidential data stored locally on car hub
• Increase standardization to support collapsing to common component infrastructure => ESCAR, other consortium initiatives
• Increase cross platform reuse => AUTOSAR
• Affordability consistent with the threat, policy, and customer => Government policy toward driverless cars and Car2Car
Next generation automotive architectures need to provide enhanced IA and TP solutions to enable new capabilities
Information Assurance Mechanisms In Network Connected Topologies
• Identification – Typically use trusted third parties to validate credentials
• Authentication of Data Origin – With no real-time connection to Certifying authority and in a one way broadcast environment
• Attribute Identification – Traffic density information data authentication
• Integrity Protection – Signatures
• Confidentiality Protection – Encryption
• Attestation of Sensor Data – Location Obfuscation/Verification
• Tamper Resistant Communication
  – Replay Protection
  – Access Control
  – Authentication and Authorization
  – Jamming/DoS Protection
  – Firewall
  – Sandbox
  – Filtering Based on Rules
REF 2
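The following Go program is an added example, not code from the slides or from any of the consortiums they cite. It shows how several of the mechanisms listed above combine in the one-way broadcast case: the sender's certificate is issued offline and travels inside the message, so the receiver authenticates data origin against a pinned CA with no live connection to the certifying authority; an ECDSA signature gives integrity; and a timestamp window plus a per-sender sequence number give replay protection. The beacon layout, the node identifiers, the five second window and the "position report" payload are all constructed assumptions, and only Go's standard library is used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Beacon is a constructed one-way broadcast message (e.g. a position report); the sender's offline-issued certificate travels with it.
type Beacon struct {
	SenderID  uint32
	Timestamp int64  // seconds since epoch; bounds the freshness window
	Seq       uint32 // per-sender counter; detects replays
	Payload   []byte
	CertDER   []byte // sender certificate chaining to the pinned CA
	Sig       []byte // ASN.1 ECDSA-SHA256 signature over canonical(b)
}

// canonical serialises every field except the signature, so one signature binds identity, time, sequence, payload and certificate.
func canonical(b *Beacon) []byte {
	out := []byte(fmt.Sprintf("%d|%d|%d|%d|", b.SenderID, b.Timestamp, b.Seq, len(b.Payload)))
	out = append(out, b.Payload...)
	return append(out, b.CertDER...)
}

// newCert stands in for offline provisioning: the CA binds a node key to a serial number before deployment (parent nil = self-signed CA).
func newCert(serial int64, ku x509.KeyUsage, pub *ecdsa.PublicKey, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: fmt.Sprintf("node-%d", serial)},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: ku&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true, KeyUsage: ku,
	}
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Accept verifies a beacon with only the pinned CA certificate and the highest sequence number already accepted per sender (seen); no online lookup.
func Accept(ca *x509.Certificate, seen map[uint32]uint32, b *Beacon, now time.Time) error {
	// Data origin: certificate parses, chains to the pinned CA, is valid now, and was issued to the claimed sender.
	cert, err := x509.ParseCertificate(b.CertDER)
	if err != nil || cert.CheckSignatureFrom(ca) != nil || now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return fmt.Errorf("certificate unparsable, untrusted or outside validity period")
	}
	if cert.SerialNumber.Int64() != int64(b.SenderID) {
		return fmt.Errorf("certificate does not match claimed sender %d", b.SenderID)
	}
	// Integrity: any change to a signed field invalidates the signature.
	if err := cert.CheckSignature(x509.ECDSAWithSHA256, canonical(b), b.Sig); err != nil {
		return fmt.Errorf("bad signature: %w", err)
	}
	// Freshness and replay: bounded age, strictly increasing per-sender sequence number.
	if age := now.Sub(time.Unix(b.Timestamp, 0)); age > 5*time.Second || age < -5*time.Second {
		return fmt.Errorf("stale or future-dated beacon")
	}
	if last, ok := seen[b.SenderID]; ok && b.Seq <= last {
		return fmt.Errorf("replayed beacon seq=%d", b.Seq)
	}
	seen[b.SenderID] = b.Seq
	return nil
}

// Scenario provisions a CA and one node offline, then checks that a fresh beacon is accepted, a re-broadcast copy is rejected, and an altered copy fails.
func Scenario() (accepted, replayRejected, tamperRejected bool, err error) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	nodeKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caCert, err := newCert(1, x509.KeyUsageCertSign, &caKey.PublicKey, nil, caKey)
	if err != nil {
		return
	}
	nodeCert, err := newCert(42, x509.KeyUsageDigitalSignature, &nodeKey.PublicKey, caCert, caKey)
	if err != nil {
		return
	}
	now := time.Now()
	b := &Beacon{SenderID: 42, Timestamp: now.Unix(), Seq: 1, Payload: []byte("pos=47.10,-76.50"), CertDER: nodeCert.Raw}
	sum := sha256.Sum256(canonical(b))
	if b.Sig, err = ecdsa.SignASN1(rand.Reader, nodeKey, sum[:]); err != nil {
		return
	}
	seen := map[uint32]uint32{}
	accepted = Accept(caCert, seen, b, now) == nil
	replayRejected = Accept(caCert, seen, b, now.Add(time.Second)) != nil // same beacon heard again
	tampered := *b
	tampered.Seq, tampered.Payload = 2, []byte("pos=0.00,0.00") // altered after signing
	tamperRejected = Accept(caCert, seen, &tampered, now) != nil
	return
}
```

In a deployed node the pinned CA certificate and the sender's private key would sit in the kind of tamper-evident key/certificate storage the SEVECOM slide lists; nothing in the verification path contacts a certifying authority, which is the constraint the "Authentication of Data Origin" bullet describes.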
Securing Adhoc VehiculAr InterNETworking (VANET) / Secure Vehicle Communications (SEVECOM)
In car architecture components include:
• Information Assurance Network Security – Car to Car Network Security Module
  – Car to Car Coms
• Information Assurance Infrastructure – In car Network Security Module
  – Gateway/Firewall
  – Intrusion Detection/Attestation
• Trusted Processor – Tamper Evident Security Module
  – Key/Certificate Storage
  – Secure Crypto Processing
  – Secure Execution
PREparing SEcure V2x Communication Systems (PRESERVE)
• Establishing a common architecture that can be verified with formal methods is key to V2x communication systems
REF: Secure Communications in Vehicular Networks, PRESERVE DEMO
AUTomotive Open System Architecture (AUTOSAR)
• AUTOSAR codesign methodology uses a Component Software Design Model and a virtual function bus
• Step 1 – Input Descriptions
  1) Develop requirements and constraints
  2) Describe SW-Component independently of HW
  3) Describe HW independently of Application SW
  4) Describe System – network topology, communication
• Step 2 – System Model Check
• Step 3 – Configuration
• Step 4 – Generate SW Executables
  1) Generate software executable based on configuration information for each ECU using formal methods
REF 3
Trusted Processing Mechanisms Hierarchy
REF 4
E-Safety Vehicle Intrusion Protected Applications (EVITA)
• Defines 3 classes of Hardware Security Modules (HSMs)
  – Full
  – Medium
  – Lite
• OVERSEE adds virtualization and firewalls at each node
REF 5
Representative Related University Security Research
• Information Assurance
  – Experimental Security Analysis of a Modern Automobile
  – A Survey on the Application of FPGAs for Network Infrastructure Security
• Trusted Processing
  – Single-Chip Secure Processor Prototyping with OpenSPARC
• Safety Critical Architecture
  – Automotive Autonomy Applications Architecture
Embedded Security is key when there will be 10-20 Billion connected devices in 2020
Experimental Security Analysis of a Modern Automobile
• Intel CTO Justin Rattner predicts that driverless cars will be available within 10 years and that buyers by then will increasingly be more interested in a vehicle's internal technology than the quality of its engine.
• "God help us when one of them runs into somebody or runs over somebody."
• Most New Functionality in an Automobile is Electronics and Software – There are many vulnerabilities in current bridged networks
REF 6
Application of FPGAs In Network Infrastructure Security
• Traffic Monitoring
  – Packet Inspection
  – Packet Classification
• TCP Stream Preprocessing
• Internet Worms and DDoS Attack Detection and Containment
With 10 Billion Transistors on a chip in 2020, FPGA technology will be a critical part of reconfiguration for security protocol updates, but only if properly secured
Single-Chip Secure Processor Prototyping with OpenSPARC
• Based on Secure Computing Model
• Invasive Physical Probing Attacks
• Non Invasive Side Channel Attacks
• Software Attacks
• Fault Insertion Attacks
• Use FPGA SoC to implement OpenSPARC Multi-core and Embedded Crypto Controller with AES, TRNG, and memory integrity tree
REF 7
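The memory integrity tree named in the last bullet is the part of this work that can be reproduced in software. The Go program below is an added example, not code from the paper or from the OpenSPARC project: it builds a SHA-256 hash tree over fixed-size blocks of a constructed "off-chip" memory image, keeps only the root as trusted on-chip state, recomputes the hash path on every read, and refreshes the path on every write. The block size, the 128-byte image, the use of a plain binary hash tree (the paper's exact tree construction may differ) and the bit flips in the scenario are all constructed assumptions.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"fmt"
)

// IntegrityTree is a constructed Merkle (hash) tree over fixed-size blocks of
// untrusted off-chip memory. Only root is treated as trusted on-chip state; the
// memory image and the stored tree nodes may be altered by an attacker.
type IntegrityTree struct {
	blockSize int
	mem       []byte       // untrusted memory image (constructed)
	nodes     [][][32]byte // nodes[level][i]; level 0 holds the block hashes
	root      [32]byte     // trusted copy of the top node
}

func hashPair(l, r [32]byte) [32]byte { return sha256.Sum256(append(l[:], r[:]...)) }

// NewIntegrityTree hashes every block and builds the tree bottom-up. The block
// count is assumed to be a power of two (constructed simplification).
func NewIntegrityTree(mem []byte, blockSize int) *IntegrityTree {
	leaves := make([][32]byte, len(mem)/blockSize)
	for i := range leaves {
		leaves[i] = sha256.Sum256(mem[i*blockSize : (i+1)*blockSize])
	}
	t := &IntegrityTree{blockSize: blockSize, mem: mem, nodes: [][][32]byte{leaves}}
	for top := leaves; len(top) > 1; top = t.nodes[len(t.nodes)-1] {
		next := make([][32]byte, len(top)/2)
		for i := range next {
			next[i] = hashPair(top[2*i], top[2*i+1])
		}
		t.nodes = append(t.nodes, next)
	}
	t.root = t.nodes[len(t.nodes)-1][0]
	return t
}

// Read recomputes the hash path from block i up to the root using the stored
// sibling nodes and compares it with the trusted root. A change to the block
// or to any stored node on the path shows up as a mismatch.
func (t *IntegrityTree) Read(i int) ([]byte, error) {
	blk := t.mem[i*t.blockSize : (i+1)*t.blockSize]
	h, idx := sha256.Sum256(blk), i
	for level := 0; level < len(t.nodes)-1; level++ {
		sibling := t.nodes[level][idx^1] // sibling comes from untrusted storage
		if idx&1 == 0 {
			h = hashPair(h, sibling)
		} else {
			h = hashPair(sibling, h)
		}
		idx >>= 1
	}
	if h != t.root {
		return nil, fmt.Errorf("integrity violation on block %d", i)
	}
	return blk, nil
}

// Write verifies the existing path first (so stale or tampered siblings cannot
// be folded into the new root), stores the block, then refreshes path and root.
func (t *IntegrityTree) Write(i int, data []byte) error {
	if _, err := t.Read(i); err != nil {
		return err
	}
	copy(t.mem[i*t.blockSize:(i+1)*t.blockSize], data)
	t.nodes[0][i] = sha256.Sum256(t.mem[i*t.blockSize : (i+1)*t.blockSize])
	for level, idx := 0, i; level < len(t.nodes)-1; level++ {
		idx >>= 1
		t.nodes[level+1][idx] = hashPair(t.nodes[level][2*idx], t.nodes[level][2*idx+1])
	}
	t.root = t.nodes[len(t.nodes)-1][0]
	return nil
}

// IntegrityScenario builds a tree over a constructed 128-byte image of eight
// 16-byte blocks, performs a legitimate write, then flips one bit directly in
// memory and one bit in a stored tree node (what physical access to off-chip
// memory allows) and reports whether each case is handled.
func IntegrityScenario() (legitOK, memTamperDetected, nodeTamperDetected bool) {
	mem := make([]byte, 128)
	for i := range mem {
		mem[i] = byte(i)
	}
	t := NewIntegrityTree(mem, 16)
	want := bytes.Repeat([]byte{0xAA}, 16)
	writeErr := t.Write(3, want)
	blk, readErr := t.Read(3)
	legitOK = writeErr == nil && readErr == nil && bytes.Equal(blk, want)
	t.mem[5*16+7] ^= 0x01 // bit flipped in memory, bypassing Write
	_, err := t.Read(5)
	memTamperDetected = err != nil
	t.nodes[1][1][0] ^= 0x01 // stored node on block 0's path altered
	_, err = t.Read(0)
	nodeTamperDetected = err != nil
	return
}
```

The point the scenario makes is that the tree nodes themselves need no protection beyond the root: a tampered sibling changes the recomputed path hash just as a tampered block does, so a single on-chip register protects the whole image at the cost of log2(blocks) hashes per access.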
Automotive Autonomy Applications Architecture
REF 8
Automotive components, standards, and topologies will need to be incrementally developed in a reference architecture
IMA Architecture – Driverless Cars
[Diagram: recoverable labels are Cloud, Planning/Control, Cloud Services]
REF 9
Future autonomous architectures will drive distributed security into a new generation of modular component based SW/HW
Future Avionics IMA Reference Architecture
[Diagram: the 200X era layered architecture annotated with the changes below. Recoverable labels:]
• MIL Mission & Wpn Subsystems: Msn Sensors, Datalinks; Subsystems 1..N and 1..M with Application SW Components
• FACE and GIG SW Modernization => Modular Interoperable Interfaces, Formal Methods
• Mission Infrastructure SW partitioned by SBC with Middleware and POSIX OS; Flight Infrastructure SW partitioned by SBC or ARINC 653 Partition (Open SW Stds)
• Multicore and Virtualization, Processor Pooling, Higher Density Packaging => Embedded Secure Processing on Multicore with MILS
• Mission Avionics Processing HW Components and Flight Avionics Processing HW Components: IMA & Non IMA WRAs (Open HW Stds)
• Unified Network Architecture = AFDX; Topology: Flight Avionics Networks (Firewire, 1553, ARINC 429); Mission Avionics Networks (Ethernet, 1553, FC)
• MIL/COM Flt Subsystems: AC Sensors, Radios
• Mobile and Internet Connectivity to the Cloud => Adhoc Network Security, IDS, Cross Domain Solutions; Multiple Levels of Security
• Other Platforms and the GIG: GIG Msg Interoperability and Increased Pt-Pt BW => Unified Security Protocols
There is Not One Solution – Residual Vulnerability vs Cost
• Information Assurance
  – Software Network Intrusion Detection System
  – Software Cross Domain Solution
  – Software Trusted Workstation
  – Hardware NDIS
• Trusted Processing
  – Chips
    • Smart Cards
    • Trust Zone ARM Microcontrollers
    • Trusted Processor Modules (TPMs)
    • Secure Microprocessors
  – Cards
    • Hardware Security Modules (HSMs)
    • IBM Crypto Processors
    • Secure Processors
• Trusted Applications
  – Formal Proofs, Static and Dynamic Code Analysis
Proper security analysis and updates to defense in depth will be critical to incorporating protections based on the threat and the cost required
Avionics Security Taxonomy Mapped to University Research and Automotive Domains

| Layer # | Information Assurance for Avionics | Trusted Processing for Avionics | University Security Research Focus Areas | Automotive Security Industry Focus |
|---|---|---|---|---|
| 1 – Cloud (public, private, hybrid) to Platform Exchanges | Private Cloud Security SW Infrastructure | Trusted Network Infrastructure HW | Access control/identity management, data control/data loss, anomaly detection/security policy, hypervisor vulnerabilities | Car will connect to the Vendor/3rd Party Cloud over a 3G/4G link – Tesla S |
| 2 – Platform to Platform Exchanges | Secure Certification and Exchange Protocols | Secure IP Based Radios | Ad hoc networks, sensor networks, mesh networks, and vehicular networks | CAR2X, PRESERVE – Integration and Demonstration |
| 3 – Off-board Communication Security | Intrusion Detection SW | Trusted Network Gateway HW, Encrypted Communications HW | Accelerated Intrusion Detection System/Firewall System | CAR2X, PRESERVE – Integration and Demonstration |
| 4 – Platform Storage Security | Cross Domain Solution SW | Encrypted Storage HW | Encrypted file systems – encrypt user's data, manage and create keys | OVERSEE |
| 5 – Platform Network Security | Security Services SW | Encrypted Communications HW | Anomaly detection, clean slate security protocols | OVERSEE |
| 6 – Embedded Processing Node SW/HW Security | Malware Detection SW, Virtual Machines SW | Secure Root-of-Trust HW, Secure Boot Assist HW, and Secure Execution HW | Intrusion Prevention System/Application Layer Firewall, Trusted Processor Module (TPM) Extensions, Secure Processor SoC/3DIC HW | ESCRYPT – Secure Operating Systems, EVITA – High, Med, Low HW Security Modules (HSMs) |
| 7 – Platform Application SW | Trusted Applications SW | Secure HW Virtualization Support | Autonomy Architecture with Cloud Fusion | AUTOSAR SW Components |
Conclusions
• There are many parallels with regard to Information Assurance and Trusted Processing challenges for next generation avionics and automotive architectures
• Automotive related University Research and Automotive Consortiums have significantly increased focus on development of security for embedded systems
• Next generation avionics and automotive architectures both require an affordable, balanced, reference security architecture while exploiting third party software and 10 billion transistor hardware chips by 2020
• Disruptive Initiatives – GoogleX, Tesla
Embedded university research and automotive security consortiums can provide access to significant dual use solutions for avionics and other embedded industries
References
[1] Gaska, T., 2012, Leveraging Emerging Embedded Processing Trends In Rotorcraft Advanced Open System Architectures (AOSA), Fort Worth, TX, American Helicopter Society Forum 68
[2] Groll, André, Jan Holle, Marko Wolf, Thomas Wollinger, 2010, Next Generation of Automotive Security: Secure Hardware and Secure Open Platforms, ITS World 2010
[3] AUTOSAR Web Page, www.autosar.org
[4] Hwang, D., Patrick Schaumont, Shenglin Yang, Ingrid Verbauwhede, 2006, Multi-level Design Validation in a Secure Embedded System, IEEE Transactions on Computers, Vol. 55, No. 11, November 2006
[5] Wolf, M., 2009, Designing Secure Automotive Hardware for Enhancing Traffic Safety – The EVITA Project, CAST Workshop Mobile Security for Intelligent Cars
[6] Koscher, Karl, Alexei Czeskis, Franziska Roesner, Shwetak Patel, Tadayoshi Kohno, Stephen Checkoway, Damon McCoy, Brian Kantor, Danny Anderson, Hovav Shacham, and Stefan Savage, 2010, Experimental Security Analysis of a Modern Automobile, Oakland 2010
[7] Szefer, Jakub M., Wei Zhang, Yu-Yuan Chen, David Champagne, King Chan, Will X.Y. Li, Ray C.C. Cheung, Ruby B. Lee, 2011, Rapid Single-Chip Secure Processor Prototyping on the OpenSPARC FPGA Platform, Rapid System Prototyping Symposium (RSP 2011), May 2011
[8] Kumar, S., S. Gollakota, D. Katabi, 2012, A Cloud-Assisted Design for Autonomous Driving, MIT
[9] Gaska, T., 2013, Selecting Components, Standards, and Topologies for Next Generation Integrated Modular Avionics (IMA) Architectures, Phoenix, AZ, American Helicopter Society Forum 69