AUTOSAR Security – A Holistic Approach

The automotive industry is facing a dramatic transformation that brings fundamental changes to vehicle E/E architectures in the connected and automated driving environment. Designs are shifting from many application-specific ECUs to a few high-performance domain controllers with bundled functionalities. This technical engineering trend imposes a consolidation of automotive cybersecurity and a change of the AUTOSAR architecture.

From AUTOSAR Classic to AUTOSAR Adaptive

AUTOSAR Classic is the standard middleware for most vehicle platforms and meets the typical requirements of a real-time operating system and functional safety. It has been continuously developed over the years and provides a range of security tools for secure onboard communication and for key and certificate management. However, future E/E architectures will be shaped by vehicle computers or domain controllers as central components, and with highly automated or even fully automated driving and V2X communication the vehicle will become a software-dominated system. This calls for the integration of many more applications that are considerably more extensive and diverse than in the past. Unlike AUTOSAR Classic, AUTOSAR Adaptive is based on a Linux-related operating system, and its applications use the “AUTOSAR Runtime for Adaptive Applications,” or ARA for short. In addition, the Adaptive platform offers hypervisor-based, preconfigured partitioning, which enables software components of different ASIL categories, developed independently by different vendors, to be integrated into and safely operated on vehicle computers. In line with its service-oriented architecture and additional features such as granular over-the-air updates, AUTOSAR Adaptive also incorporates additional measures and sets new standards for automotive security.

Figure 1. From AUTOSAR Classic to AUTOSAR Adaptive

Security modules in AUTOSAR

AUTOSAR incorporates various IT security applications, e.g., for securing in-vehicle communication and for protecting confidential data.

Crypto stack: In both the Classic and the Adaptive version, security-relevant applications access cryptographic primitives, keys, and certificates via the AUTOSAR-specific crypto stack. Applications use only the interfaces it provides, independent of the underlying crypto implementation, and therefore remain portable across different ECUs.

Secure communication: AUTOSAR ensures that communication is secure – both inside and outside of the vehicle (e.g. backend, diagnostic testers). Because of the wide range of applications and bus systems in the vehicle, it supports several protocols at the same time: SecOC, TLS, and IPsec. As a protocol dedicated to AUTOSAR Classic, SecOC specifically secures CAN communication. TLS and IPsec, on the other hand, are becoming increasingly important; both standards support authentic and confidential communication. AUTOSAR Classic and Adaptive both incorporate TLS, while IPsec is found only in AUTOSAR Adaptive.
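To make the SecOC mechanism concrete, the following added example (not code from the article or from AUTOSAR) builds a SecOC-style secured PDU for a CAN payload and verifies it on the receiver, rejecting replayed or tampered frames. It assumes HMAC-SHA256 as a stand-in for the configurable MAC primitive, a 24-bit truncated authenticator with an 8-bit truncated freshness value, and constructed sample values for the key, data ID and payload.

```python
# SecOC-style secured PDU with freshness-based replay rejection (added example).
# Assumptions: HMAC-SHA256 stands in for the configurable MAC primitive (AES-128-CMAC
# is common in practice); 24-bit MAC and 8-bit freshness truncation; the key, data ID
# and payloads are constructed sample values, not real vehicle material.
import hashlib
import hmac

KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed sample key
DATA_ID = 0x0123                  # constructed SecOC data ID identifying this PDU
FV_BITS, FV_TRUNC_BITS = 32, 8    # full freshness counter width / bits sent on the bus
MAC_TRUNC_BYTES = 3               # 24-bit truncated authenticator


def _mac(data_id: int, payload: bytes, freshness: int) -> bytes:
    # Authenticator = MAC(key, DataID || AuthenticPDU || full FreshnessValue), truncated
    msg = data_id.to_bytes(2, "big") + payload + freshness.to_bytes(FV_BITS // 8, "big")
    return hmac.new(KEY, msg, hashlib.sha256).digest()[:MAC_TRUNC_BYTES]


def secure_pdu(payload: bytes, freshness: int) -> bytes:
    """Sender side: AuthenticPDU || truncated freshness || truncated MAC."""
    fv_trunc = freshness & ((1 << FV_TRUNC_BITS) - 1)
    return payload + bytes([fv_trunc]) + _mac(DATA_ID, payload, freshness)


class Receiver:
    def __init__(self) -> None:
        self.last_fv = -1  # last accepted full freshness value (none yet)

    def verify(self, secured: bytes):
        """Return the authentic payload, or None on a MAC or freshness failure."""
        payload = secured[:-(1 + MAC_TRUNC_BYTES)]
        fv_trunc = secured[-(1 + MAC_TRUNC_BYTES)]
        mac = secured[-MAC_TRUNC_BYTES:]
        # Reconstruct the full counter: keep the receiver's upper bits, substitute the
        # transmitted low bits, and carry into the upper bits if the low bits wrapped.
        upper = (max(self.last_fv, 0) >> FV_TRUNC_BITS) << FV_TRUNC_BITS
        candidate = upper | fv_trunc
        if candidate <= self.last_fv:
            candidate += 1 << FV_TRUNC_BITS
        if candidate >= 1 << FV_BITS:
            return None  # counter exhausted; key/counter re-synchronisation required
        if not hmac.compare_digest(mac, _mac(DATA_ID, payload, candidate)):
            return None  # wrong key, tampered data, or a stale (replayed) freshness value
        self.last_fv = candidate  # accept and advance; a replay of this PDU now fails
        return payload
```

A replayed frame fails because its truncated freshness is not newer than the last accepted value, so the receiver's reconstructed counter no longer matches the one the MAC was computed over.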

Identity and access management: It is not generally advisable to grant all applications access to the vehicle network’s limited system resources, such as persistent memories, transmission paths, or cryptographic keys. The AUTOSAR Identity and Access Management module therefore ensures that only authorized applications access certain resources. Identity & Access Management is available only in AUTOSAR Adaptive.

Secure diagnostics: It is important to record security-relevant events in the vehicle network (unauthorized access, failed setup of a secure channel, etc.) so that they can later be evaluated and debugged. AUTOSAR supports the logging of IT security events in secure memories and controls access to this data via the UDS SecurityAccess and Authentication services.

Integrated automotive security beyond AUTOSAR

AUTOSAR Classic and Adaptive provide important modules for protecting vehicle software and data against manipulation and unauthorized access. However, additional measures are required for end-to-end protection of the vehicle network and comprehensive protection of the vehicle in the connected environment.

The most important measure is a hardware-supported trust anchor, which must be implemented for all security-critical applications. In modern vehicle architectures a hardware security module (HSM) takes on this role. The HSM physically encapsulates the key material and makes it possible to store and manage the cryptographic keys separately from the various (potentially untrustworthy) applications. Moreover, as vehicles become increasingly connected, a comprehensive intrusion detection and prevention system (IDPS) is required, with coordinated components for attack detection in the vehicle (IDS, automotive firewall) and forensics in the backend, including the initiation of a response in the form of a firmware over-the-air (FOTA) security update for the entire vehicle fleet.

In addition, the above measures require the ECUs to be equipped with a cryptographic key set during production. The vehicle manufacturer’s key material must be injected at the production sites via a suitable key management system (KMS).

Figure 2. Integrated automotive security including ECU production and security backend.

Safety-related in-vehicle functions are inevitably set to increase as part of the connected and automated driving trend. Proven security measures, together with an in-vehicle architecture platform offering a high security level, will address these technical challenges. Furthermore, OEMs will need a secure vehicle engineering process and system in place to establish new business models based on high connectivity. This gives a clear mandate for the further development of AUTOSAR Adaptive to integrate security applications, while at the same time continuing with AUTOSAR Classic for traditional development.

For any questions, or to find out how ESCRYPT can help, please contact us or comment below.
