Transcription
Functional Safety & Security:Next Generation AutomotiveSecurity SolutionsMarius RotaruAutomotive Software Architect & Technical DirectorJune 2019 Session #AMF-AUT-T3680Company Public – NXP, the NXP logo, and NXP secure connections for a smarter world are trademarks of NXPB.V. All other product or service names are the property of their respective owners. 2019 NXP B.V.
Agenda Introduction NXP’s Approach to Automotive Security System AMP’s Secure & Application ViewSecurity SolutionEngineeringConclusionCOMPANY PUBLIC1
NXP – Global #1 in Automotive Semiconductors2400 30 AUTOENGINEERSAUTO SITESWORLDWIDE#1AUTO SEMISUPPLIER GLOBALLY 50%60 OF NXP’SREVENUE ISFROM AUTOYEARS OFEXPERIENCEIN AUTOCOMPANY PUBLIC2
NXP Makes Safe and Secure Mobility HappenTechnologyLeadershipApplicationsLeadership#1 Auto Microprocessors#1 Car Infotainment#1 Auto Analog / RF / DSP #1 Secure Car Access#2 Auto Microcontrollers#1 In-Vehicle Networking#1 Auto ApplicationProcessors#1 Safety#2 Powertrain#1 in AutoSemiconductors2018 Global Auto Semi Market: 37.7BInnovation Leader ADASInnovation Leader Security1.2.3.Based on 2018 Auto TAMAuto RF/DSP includes Secure Car Access, Radio/Audio, V2X and Radar TransceiversSource: Strategy Analytics, IHS Markit, NXPCOMPANY PUBLIC3
Vehicle Safety & CybersecurityImprove safetyTrend: Improve user experienceMechanicsThrough: SeatbeltsHeadrestsCrumple zonesLaminated glassDriving force for:To address:In: Electronics Connectivity AirbagsAnti-lock Braking SystemElectronic Stability ControlTraction controlV2X / DSRCRemote diagnosticsUser device connectivityOTA (map, software) updates AutonomyADASSelf-DrivingSensorsAI & MLFunctional SafetyCybersecuritySOTIF(ISO 26262)(ISO/SAE 21434)(ISO 21448)Unintentional hazardsIntentional threatsUnanticipated hazardsSOTIF Safety Of TheIntended FunctionalityKnown scenarios Unknown scenariosCOMPANY PUBLIC4
Functional Safety & Security – System-Level ConcernsIC-level Safety &Security Solutions ConnectivitySafe & SecureDomain ArchitecturesDriverReplacementPowertrain &VehicleDynamicsBody &Comfort Safe andSecure MobilityIn-VehicleExperienceSecure Networks & Gateways Resource isolation On-die monitoring Integrity &authenticity checks Domain isolation Firewalls Network intrusiondetection Fail operational Resilient againstcyber attacksCOMPANY PUBLIC5
NXP – Making Safe & SecureMobility a RealitySolutionPortfolioThe most completesystem solutions forfastest time to marketand scalability.InnovationPowerSafe &SecureIn-house highperformance processing,security and mobileeco-system capabilities.Zero defectmethodology.Leading with securityand functional safety.COMPANY PUBLIC6
NXP’s Approach to Automotive SecuritySystem & Application ViewCOMPANY PUBLIC7
NXP’s Approach to Automotive SecurityCustomer SupportSystem & Application Know-HowSolution PortfolioSecure EngineeringQuality FoundationCOMPANY PUBLIC8
NXP’s Approach to Automotive SecurityCustomer SupportSystem & Application Know-HowSolution PortfolioSecure EngineeringQuality FoundationCOMPANY PUBLIC9
Example of Cybersecurity Threats in AutomotiveLocal AttacksTampering the odometerRemote AttacksVehicle theft by relay attackRemote hack of an unaltered car(July dhttps://www.youtube.com/watch?v 8pffcngJJq0Engine tuningRansom for a drivehttps://www.youtube.com/watch?v MK0SrxBC1xsWorkshop around the corner, or in your garageVDI Conference on IT Security for Vehicles(Berlin / July 2017)COMPANY PUBLIC10
Attack Costs vs. Attack ScalabilityLocal AttacksRemote AttacksECU (IC) IELocal interfacesIRemote interfacesAttack CostsAttack ScalabilityIEETargets for criminal organizations(maximized rewards)IIdentify vulnerabilityE Exploit vulnerabilityCOMPANY PUBLIC11
Where to Focus?Attack CostsLocal AttacksRemote AttacksICPCBECUCar InterfacesNon-Invasive AttacksOn CommunicationInitial AttentionSemi-Invasive (Fault) AttacksFuture?MostCommonHacksOn exposed functionsInvasive AttacksCOMPANY PUBLIC13
Different Solutions For Different Security NeedsAttack CostsLocal AttacksICRemote AttacksPCBECUCar InterfacesNon-Invasive AttacksOn-chip securityOn CommunicationSemi-Invasive (Fault) AttacksInvasive AttacksOn-chip security, with additional protectionOn exposedDedicatedsecurityfunctionscompanionsCOMPANY PUBLIC14
Core Security Principles and MeasuresLocal AttacksRemote AttacksECU (IC)Local interfacesSecureFoundationsRemote interfacesCore Security Principles···010110···SecureSolutions tionSecure EngineeringCOMPANY PUBLIC15
Core Security Principles Applied to In-Depth DefensesTechnologyPreventaccessSecureInterfacesM2M Authentication message filtering)SecureNetworksSecure MessagingPeople ttacksReduceimpactIntrusion DetectionSystems(IDS)Separated FunctionalDomainsFixvulnerabilitiesSecure UpdatesMessage Filtering &Rate LimitationCode / DataAuthentication(@ start-up)Code / DataAuthentication(@ run-time)SDLC incl. SecurityReviews & Testing, Threat Monitoring,Intelligence Sharing, Resource Control(virtualization)Incident Management / ResponseSecurity-Aware Organization, Policies, GovernanceCOMPANY PUBLIC16
NXP’s Approach to Automotive SecuritySolution PortfolioCOMPANY PUBLIC17
NXP’s Approach to Automotive SecurityCustomer SupportSystem & Application Know-How(Future) MarketTrends & NeedsTechnicalStandards / SpecsSolution PortfolioSecure EngineeringQuality FoundationCOMPANY PUBLIC18
Domain main MPUsWiFi, BT, GNSS, NFCSmart Car AccessConnectivityDomainControllerEdge Nodes &SensorsHigh otion & PressurePowertrain &Vehicle emp, Light, HumiditySafety & SecuritySensor Fusion& PlanningDomainControllerBody & ComfortIn-VehicleExperienceSwitch PanelsTouch Displays &GestureVoice Recognition & AudioNetwork GatewayRadio ReceptionEngineSteeringTransmissionAirbagBrake SuspensionBattery CellManagementBodyDomainControllerHVAC, Interior LightingDoors, seats, steering wheel,mirrors, wipers, erControllerCOMPANY PUBLICAudio & Amplifiers19
Auto Processors Tomorrow: Domain ASW ReuseOptimized fordomain controlArm top to bottomASIL DPowerful hardwaresecurity engine (HSE)Across most nodesMassive softwareRe-use within andacross applicationdomainsReal-timeArm Cortex-A, -R,and -M coresFirmware upgradablepublic key encryptionScalableNo side channelattacksScalable encryptedexternal NVMWide memory range,read while writeCOMPANY PUBLIC20
NXP’s Automotive Security Solutions GroupsAutomotive ICs with On-chip Security SubsystemIntegrated solution for best fit withapplication real-time constraints & forstrict security policy enforcementSENSETHINKSecurity CompanionsSecurity extension for specific useFunction-specific Secure ICsFit-for-purpose security supportCOMPANY PUBLIC21ACT
NXP’s Automotive Security SolutionsAutomotive ICs with.² on-chip security subsystemsSecurity companionsSecure Element (SE)Security Controller (SECO)In-Vehicle ExperienceHigh performancei.MX8Tamper-resistant secure systemideal for M2M authentication (e.g. V2X)Media content protectionFunction-specific secure ICsConnectivitySecure CAN Transceiver (TJA115x)Driver ReplacementLayerscapeSecurity Engine (SEC)For enhanced IDS & IPSHSE (HSM)S32XGatewayPowertrain &Vehicle DynamicsfamiliesHigh performanceVersatile feature setCSEFor advanced RKE / PKE solutionsEase-of-useCost-optimizedBody & ComfortNetwork frame analysis (L2/L3/L4)Secure Car Access ICs&MPC57xxSecure Ethernet Switch (SJA1110)V2X DSRC Baseband (SAF5x00)Ultra-fast ECDSA verificationsCOMPANY PUBLIC22
Automotive Security Specifications The SHE specification set thefoundation, introducing the conceptof a configurable (automotive)security subsystemEVITA’s HSM specification extendedthis concept into a programmablesubsystem, in three flavors (Full,Medium, and Light), addressing abroader range of use casesFirst securitysubsystemspecificationSeveral proprietary(OEM, Tier-1)specifications.Balancing cost,functionality, andperformanceWith common elements,but also with conflicts.OEMTier adays, OEMs are creating theirown technical specifications,including select aspects of SHE,EVITA, and FIPS 140-2Three variants: Full,Medium, Light.COMPANY PUBLIC24
Security Requirements – Today’s LandscapeSHEArchitecture Configurable, fixed functionEVITA (Light / Medium / Full)Programmable(except EVITA Light)More recent needs Acceleration close to the interfaces(CAN and ETH MAC/PHYs) Support for Flash-less technologiesFunctionality Secure bootSame as SHE, plus: Memory update protocol AES-PRNG Further crypto algorithms(e.g. RSA, SHA1-3, Curve25519, ) AES-128 (ECB, CBC) monotonic counters (16x, 64bit) Rollback protection Key negotiation protocols CMAC, AES-MP TRNG, PRNGPlus, for EVITA Medium and Full: Key derivation (fixedalgorithm) WHIRLPOOL, HMAC-SHA1,ECDH and ECDSA (P256) 10 4 keys, key-usage flags Context separation / multiapplication scenarios Increased attack resistance(e.g. SCA, Fault Injection, )OtherCovered by: Communication protocol offloading(e.g. TLS, IPsec, MACsec, )CSE family (since 2010)HSM family (since 2015)HSE family (since 2019)COMPANY PUBLIC25
Auto Processors Tomorrow – NXP’s Unique S32 PlatformCommon ChassisInterconnectCommon ChassisApplicationSpecific IPMemoryArmCortexMemoryInterconnectCommon ChassisCommon tDebugAutonomy – Safety10x the PerformanceArmCortexMultiple real time OSADAS AI acceleratorsMemorySafe and SecureCommon Chassis4 independent ASIL D pathsHW security engineReady for OTAThe World’s First Fully Scalable Safe Auto Compute PlatformUnprecedented Design Win Pipeline 1.5x of Previous Generations1.2.1Unified HW with identical SWenvironmentCommon ChassisInterconnectSecurityReduces SW R&Dby 35%ApplicationSpecific IPInterconnectCommon ChassisSafety & PowertrainArmCortexMemoryVisionApplicationSpecific IPInterconnectArmCortexRadarApplicationSpecific IPMemoryNetwork ProcessingApplicationSpecific IPArmCortexApplicationSpecific IPBody &General PurposeBased on analysis of existing NXP Software code in existing customers’ applicationsBased on publicly available competitor roadmap performance statements versus today’s best safe auto platformCOMPANY PUBLIC262
S32 Hardware Security Engine (HSE) – System OverviewS32 MCU / MPUHSE Security SubsystemHostBUILT-IN PROTECTIONSApplication MemorySecure MemoryECU Functions & FeaturesSecure Files (keys, etc.)Root of TrustSecurity Services(hard-wired)Security Services(software / firmware)Security Brain[when required]External NVMencryptedBUILT-IN PROTECTIONSBUILT-IN PROTECTIONSSecurity ManagerSecurity Service HandlerSERVETHE APPApplication BrainSystem ResourcesSystem ResourcesCommunication InterfacesCryptographic EnginesTRNGand moreSecurity ResourcesBUILT-IN PROTECTIONSApplication ResourcesCONTROLTHE PLATFORMCOMPANY PUBLIC28
NXP’s Security Software Components in PlayAutomotive IC – S32XHostImplementation @Tier1 / SW VendorECU Functions & FeaturesCrypto Service ManagerSecurity ManagerCrypto InterfaceSoftwareTechnical er)Common Security APIObject / Source codeSecurity Subsystem (HSE)FirmwareSupportIntegration @Tier1 / SW VendorNativeSecurity Services(same features & services supported on all S32 products)Messaging Unit/Shared MemoryExtendedSecurity ServicesExecutable (binary)Custom ExtensionFirmwareExecutable (binary)RealTime SchedulerCrypto / SystemResourcesSecure FilesRoot of TrustSupportTrust provisioningCOMPANY PUBLIC29
S32 HSE – More than a Cryptographic EngineAcceleratesCryptographic oadsthe app with a dedicated intelligenceEstablishes TrustSecure Boot Root of emUtilitiesControlsThe platformEasily IntegratesIn your designSecurityConfigurationsCOMPANY PUBLIC30
S32 HSE: Native Security ServicesCryptographic functionsKey managementRandom number generation Pseudo-random numbers basedon true random seedEncryption / decryptionMAC generation / verificationHashingSignature generation / verificationKey import & exportKey generationKey derivationKey exchangeMemory checksMonotonic countersSecure time base Memory verification at start-up(secure boot) Memory verification at run-time Incrementing and reading volatile &non-volatile counters Secure tick to hostAdministrationSecure network protocols SSL / TLS offload IPsec offloadSystem initialization & configurationFunctional testsSecurity policy managerService updates & extensionCOMPANY PUBLIC31
S32 HSE: Service ExamplesKey ManagementCryptographicOperationsSecure BootSecure UseKey file managementAESEncryption & decryptionStrict secure bootKey importCMAC/ HMACGeneration & verificationKey exportRSA/ ECC signatureGeneration & verificationKey generationRSA OAEPEncryption & decryptionKey derivationECIESEncryption & decryptionKey exchangeRandom numbergenerationParallel secure bootOn-demand verificationConfigurable sanctionsCOMPANY PUBLIC32
S32 HSE: API Integration SupportReference Manualdetailing the HSEconfiguration & usageNXP HSE firmware(binary) & referencedriver (source code)HSE API description available inHTML & PDF formatCOMPANY PUBLIC33
Integrating NXP’s HSE in Standard Security StackUser spaceApplication LayerQNX CryptoAPIOpenSSLKey BloblingRTECSMAPI LayerSecOCAF ALGCryptodevlinuxRandom Gen.cryptodevBKEKRNGService LayerCryptoInterfaceCrypto Driver(SW)Kernel Crypto API CoreService LayerECU Abstraction LayerCrypto DriverCrypto DriverHSE Host I/FHSE Host I/FMCALLegend3rd Party SWNXP SWShared RAMSWAlgorithmsCrypto DriverQNX BSPHSE Host I/FKernel spaceMessagingUnitHSEResource LayerINTCHWCOMPANY PUBLIC34
S32 HSE: Go-to-Market StrategyNXP is committed to be a “one-stop shop” for its HSE solutionHSE solution HW (HSE subsystem) FW (HSE services)Key BenefitsExtrasBest PerformancesBest Security Assurance LevelFaster Time-to-MarketLow ASPSeamless Integration(Standard SW Stacks)Custom Extensions When NecessaryIn-Field UpdatableCOMPANY PUBLIC35
NXP’s Approach to Automotive SecuritySecure EngineeringCOMPANY PUBLIC36
NXP’s Approach to Automotive SecurityCustomer SupportSystem & Application Know-How(Future) MarketTrends & NeedsSolution PortfolioTechnicalStandards / SpecsIndustryBest PracticesSecure EngineeringProcessStandardsQuality FoundationCOMPANY PUBLIC37
NXP’s Automotive Cybersecurity Program Holistic approach to product security Broad portfolio of security solutions Secure product engineering process Internal / external security evaluation (VA) Product security incident response team(PSIRT) Security-aware organization (incl. training) Threat intelligence feed and IT cyber security CSO/ SOC Information security policies Computer security incident response team(CSIRT) Site security (ISO 27001 cert.)In collaboration with third partiesResearchers, industry partners, Auto-ISAC, CERTs, TECHNOLOGYPROCESSPEOPLECOMPANY PUBLIC38
Product Security Incident Response Team (PSIRT) Product Security IR Process and Team–Global across products / markets / regions–Established in 2008 after the MIFARE Classic hackCommitted to Responsible Disclosure–In alignment with the security community–With our customers, partners, Auto-ISAC, CERTsContinuous Improvement–E.g. evaluate and benchmark against Auto-ISAC’sbest practice guide for incidence esolutionWeb site: www.nxp.com/psirt4Communicate5Contact: psirt@nxp.comEvaluateprocessCOMPANY PUBLIC639Closure
Vehicles become increasingly complex –electronics, software, services Security is essential –people must be able to trust their cars NXP leads the industry, with:Conclusionswww.nxp.com/automotivesecurity The most complete portfolio of automotivesemiconductor security solutions The World’s First Fully Scalable SafeAuto Compute Platform with a HardwareSecurity Engine (HSE) optimized fordifferent applications Comprehensive, holistic, automotivecybersecurity programCOMPANY PUBLIC40
NXP and the NXP logo are trademarks of NXP B.V. All other product or service names are the property of their respective owners. 2019 NXP B.V.
#1 Secure Car Access #1 In-Vehicle Networking #1 Safety #2 Powertrain Innovation Leader ADAS Innovation Leader Security #1 NXP Makes Safe and Secure Mobility Happen 1. Based on 2018 Auto TAM 2. Auto RF/DSP includes Secure Car Access, Radio/Audio, V2X and Radar Transceivers 3. Source: Strategy Analytics, IHS Markit, NXP
