Security Engineering for Vehicular IT Systems
Improving the Trustworthiness and Dependability of Automotive IT Applications
1st Edition
Published on 26. July 2009
XXII, 228 pages
978-3-8348-9581-3 (ISBN)
Description
Information technology is the driving force behind almost all innovations in the automotive industry, with perhaps 90% of all innovations in cars based on digital electronics and software. Dozens of networked microprocessors and several h- dred megabytes of software can be found in a common compact class car, contr- ling engine and driving functions, assisting the driver and enabling various c- fort, infotainment and safety functions. One crucial aspect of digital systems in vehicles is their security. Whereas software safety is a relatively well-established (if not necessarily well-understood) ?eld, the protection of automotive IT s- tems against malicious manipulations has only recently started to emerge. Even though many European car manufacturers have lately established R&D groups that are dedicated to embedded security in cars, so far there has not been an a- encompassing reference of this topic. The book by Dr. Marko Wolf ?lls this gap, and is by far the most comprehensive treatment of IT security in vehicles available today. A particular challenge of au- motive IT security is its interdisciplinary nature. Dr. Wolf has done an outstanding job incorporating disjoint areas in one comprehensive treatment. The book ranges from the relevant security technologies to a systematic analysis of security risks all the way to solution using state-of-the-art security methods. Despite the fact that much of the material is based on results from the research community, Dr.
More details
Other editions
Additional editions
Marko Wolf
Security Engineering for Vehicular IT Systems
Improving the Trustworthiness and Dependability of Automotive IT Applications
Book
04/2009
1st Edition
Vieweg+Teubner Verlag
€53.49
Shipment within 10-15 days
Person
Dr. Marko Wolf completed his doctoral thesis at the Ruhr University Bochum at the department of Embedded Security. He is now a senior security engineer at escrypt - Embedded Security GmbH, Munich.
Content
The Preliminaries.- Related Work.- Brief Background in Security and Cryptography.- The Threats.- Security-Critical Vehicular Applications.- Attackers and Attacks in the Automotive Domain.- Security Analysis and Characteristical Constraints in the Automotive Domain.- The Protection.- Vehicular Security Technologies.- Vehicular Security Mechanisms.- Organizational Security.
7 Vehicular Security Technologies (S. 107-108)
This chapter provides an overview about general vehicular security .technologies such as physical security measures, vehicular security modules, and vehicular security architectures. These technologies serve as basis to implement identified security requirements using the security mechanisms described in the next chapter. Parts of this chapter are based on published research in [BEPW07, BEWW07, HSW06, SSW06].
7.1 Physical Security
In contrast to most other IT related attack scenarios, attackers in the automotive domain usually have full physical access to breach the security of a particular vehicular IT system. As described in detail in Section 5.2.2 about physical attacks, an internal attacker in the automotive domain can manipulate or replace almost every built-in component and can manipulate its actual physical environment and (physical) inputs. He further holds the respective attack target in his possession for as long as he likes, and may eventually even receive more samples for testing and practice. Hence, the attacker can undisturbedly mount almost any feasible attack without having to fear to be detected, backtracked, or locked out. Nevertheless, there exist several measures to make physical attacks at least more difficult, even though it is practically impossible to fend off a sufficiently motivated (and sufficiently funded) attacker completely.
Thus, a security-critical IT system cannot solely rely on its physical protection measures and hence has to ensure that the successful compromise of a single hardware component does not compromise the overall IT system. This means that the cost of compromising a single hardware component should generally outweigh the potential rewards (economic security). Physical security or tamper protection measures usually either aim to prevent any kind of disclosure and modification (tamper-resistance), or aim to at least enable a subsequent detection of potential disclosures or modifications by a regular and unpredictable examining control entity (tamper-evidence).
Physical security measures can be further distinguished into active (tamper-responsive) and passive (tamper-evident, tamper-resistant) protection measures. This results in the following three definitions. Being tamper-evident refers to a passive physical security characteristic, which provides detection whether a hardware component has been illicitly modified or compromised. Optionally, tamper-evidence provides moreover the detection of unsuccessful tampering attempts. However, tamperevidence itself cannot prevent any potential modifications or disclosures. Being tamper-resistant or tamper-proof refers to a passive physical security characteristic, which prevents an attacker from illicitly modifying or compromising a hardware component by passive, non-responsive physical protection measures.
Lastly, being tamper-responsive refers to an active physical security characteristic, which actively prevents an attacker from tampering a hardware component by triggering appropriate counteractive measures up to automatic self-destruction. Tamper-response, in turn, is based on tamper-detection measures, which have to detect an ongoing attack in order to trigger proper response measures. However, deploying physical security measures at the same time means that the maintainability of such a protected hardware component usually will become clearly limited. This holds, since it is normally impossible that a tamper-protection measure is able to distinguish between an authorized access and an unauthorized access.
This chapter provides an overview about general vehicular security .technologies such as physical security measures, vehicular security modules, and vehicular security architectures. These technologies serve as basis to implement identified security requirements using the security mechanisms described in the next chapter. Parts of this chapter are based on published research in [BEPW07, BEWW07, HSW06, SSW06].
7.1 Physical Security
In contrast to most other IT related attack scenarios, attackers in the automotive domain usually have full physical access to breach the security of a particular vehicular IT system. As described in detail in Section 5.2.2 about physical attacks, an internal attacker in the automotive domain can manipulate or replace almost every built-in component and can manipulate its actual physical environment and (physical) inputs. He further holds the respective attack target in his possession for as long as he likes, and may eventually even receive more samples for testing and practice. Hence, the attacker can undisturbedly mount almost any feasible attack without having to fear to be detected, backtracked, or locked out. Nevertheless, there exist several measures to make physical attacks at least more difficult, even though it is practically impossible to fend off a sufficiently motivated (and sufficiently funded) attacker completely.
Thus, a security-critical IT system cannot solely rely on its physical protection measures and hence has to ensure that the successful compromise of a single hardware component does not compromise the overall IT system. This means that the cost of compromising a single hardware component should generally outweigh the potential rewards (economic security). Physical security or tamper protection measures usually either aim to prevent any kind of disclosure and modification (tamper-resistance), or aim to at least enable a subsequent detection of potential disclosures or modifications by a regular and unpredictable examining control entity (tamper-evidence).
Physical security measures can be further distinguished into active (tamper-responsive) and passive (tamper-evident, tamper-resistant) protection measures. This results in the following three definitions. Being tamper-evident refers to a passive physical security characteristic, which provides detection whether a hardware component has been illicitly modified or compromised. Optionally, tamper-evidence provides moreover the detection of unsuccessful tampering attempts. However, tamperevidence itself cannot prevent any potential modifications or disclosures. Being tamper-resistant or tamper-proof refers to a passive physical security characteristic, which prevents an attacker from illicitly modifying or compromising a hardware component by passive, non-responsive physical protection measures.
Lastly, being tamper-responsive refers to an active physical security characteristic, which actively prevents an attacker from tampering a hardware component by triggering appropriate counteractive measures up to automatic self-destruction. Tamper-response, in turn, is based on tamper-detection measures, which have to detect an ongoing attack in order to trigger proper response measures. However, deploying physical security measures at the same time means that the maintainability of such a protected hardware component usually will become clearly limited. This holds, since it is normally impossible that a tamper-protection measure is able to distinguish between an authorized access and an unauthorized access.
