Refine Your Search

Topic

Search Results

Technical Paper

An Analysis of Secure Software Development Lifecycle from an Automotive Development Perspective

2016-04-05
2016-01-0040
The modern vehicle development is highly dependent on software. The software development plays an extremely important role in vehicle safety and security. In order to ensure software high quality and safety standards, we have investigated the secure software development process and analyzed the works in this area. Based on our analysis, we have identified the similarities and differences between the secure software development process and the existing vehicle development process. We then made suggestions on how to adopt the secure software development process in the overall vehicle development process.
Journal Article

An Approach to Verification of Interference Concerns for Multicore Systems (CAST-32A)

2020-03-10
2020-01-0016
The avionics industry is moving towards the use of multicore systems to meet the demands of modern avionics applications. In multicore systems, interference can affect execution timing behavior, including worst case execution time (WCET), as identified in the FAA CAST-32A position paper. Examining and verifying the effects of interference is critical in the production of safety-critical avionics software for multicore architectures. Multicore processor hardware along with aerospace RTOS providers increasingly offers robust partitioning technologies to help developers mitigate the effects of interference. These technologies enable the partitioning of cores for different applications at different criticalities and make it possible to run multiple applications on one specific core. When incorporated into system-design considerations, these partitioning mechanisms can be used to reduce the effects of interference on software performance.
Technical Paper

Analyze This! Sound Static Analysis for Integration Verification of Large-Scale Automotive Software

2019-04-02
2019-01-1246
Safety-critical embedded software has to satisfy stringent quality requirements. One such requirement, imposed by all contemporary safety standards, is that no critical run-time errors must occur. Runtime errors can be caused by undefined or unspecified behavior of the programming language; examples are buffer overflows or data races. They may cause erroneous or erratic behavior, induce system failures, and constitute security vulnerabilities. A sound static analyzer reports all such defects in the code, or proves their absence. Sound static program analysis is a verification technique recommended by ISO/FDIS 26262 for software unit verification and for the verification of software integration. In this article we propose an analysis methodology that has been implemented with the static analyzer Astrée. It supports quick turn-around times and gives highly precise whole-program results.
Technical Paper

Application of Suspend Mode to Automotive ECUs

2018-04-03
2018-01-0021
To achieve high robustness and quality, automotive ECUs must initialize from low-power states as quickly as possible. However, microprocessor and memory advances have failed to keep pace with software image size growth in complex ECUs such as in Infotainment and Telematics. Loading the boot image from non-volatile storage to RAM and initializing the software can take a very long time to show the first screen and result in sluggish performance for a significant time thereafter which both degrade customer perceived quality. Designers of mobile devices such as portable phones, laptops, and tablets address this problem using Suspend mode whereby the main processor and peripheral devices are powered down during periods of inactivity, but memory contents are preserved by a small “self-refresh” current. When the device is turned back “on”, fully initialized memory content allows the system to initialize nearly instantaneously.
Technical Paper

Case Study for Defining Security Goals and Requirements for Automotive Security Parts Using Threat Modeling

2018-04-03
2018-01-0014
Several external networks like telematics, and SOTA and many in-vehicle networks by gateways and domain controllers have been increasingly introduced. However, these trends may potentially make many critical data opened, attacked and modified by hackers. These days, vehicle security has been significantly required as these vehicle security threats are related to the human life like drivers and pedestrians. Threat modeling is process of secure software development lifecycle which is developed by Microsoft. It is a systematic approach for analyzing the potential threat in software and identifying the security risk associated with software. Through threat modeling, security risk is be mitigated and eliminated. In vehicle software System, one of vulnerability can affect critical problem about safety. An approach from experience and hacking cases is not enough for analyzing the potential threat and preparing new hacking attack.
Technical Paper

Cybersecurity Testing and Validation

2017-03-28
2017-01-1655
We also consider the necessary scope and depth of cybersecurity testing and suggest examples of how this can be related to cybersecurity requirements, goals and integrity levels, as determined by the threat analysis and risk assessment. ...An essential part of an effective cybersecurity engineering process is testing the implementation of a system for vulnerabilities and validating the effectiveness of countermeasures. ...The SAE J3061 Cybersecurity Guidebook for Cyber-Physical Vehicle Systems provides a recommended framework which organizations can use to implement a cybersecurity engineering process, which includes activities such as integration and testing, penetration testing and verification/validation of cybersecurity requirements at the hardware, software and system levels.
Technical Paper

Deep Learning based Real Time Vulnerability fixes Verification Mechanism for Automotive firmware/Software

2021-04-06
2021-01-0183
Software vulnerability management is one of the most critical and crucial security techniques, which analyzes the automotive software/firmware across the digital cockpit, ADAS, V2X, etc. domains for vulnerabilities, and provides security patches for the concerned Common Vulnerabilities and Exposures (CVE). The process of automotive SW/FW vulnerability management system between the OEMs and vendors happen through a channel of fixing a certain number of vulnerabilities by 1st tier supplier which needs to be verified in front of OEMs for the fixed number and type of patches in there deliverable SW/FW. The gap of verification between for the fixed patches between the OEMs and 1st tier supplier requires a reliable human independent intelligent technique to have a trustworthiness of verification.
Technical Paper

Enabling Efficient Functional Safety Audits - The Missing Link between ISO 26262 and Automotive SPICE

2019-04-02
2019-01-0144
In the field of electric and electronic (E/E) design for the automotive industry, there are separate traditions related to functional safety and software quality assurance. Both relying on the evaluation of the processes used; Automotive SPICE provides detailed guidance on how to perform this evaluation whilst ISO 26262 does not and simply mention Automotive SPICE as one possible solution. ISO 26262 additionally requires for an evaluation of the functional safety achieved by the product and uses the process evaluation (or functional safety audit in ISO 26262 terms) to support the final functional safety assessment. The purpose is to evaluate the implementation of the necessary safety processes according to the claimed scope defined in the safety plan. Automotive SPICE does not make a distinction on whether the application of the software under evaluation is safety related or not.
Technical Paper

Experimental Setup Enabling Self-Confrontation Interviews for Modelling Naturalistic Driving Behavior

2019-04-02
2019-01-1082
Behavioral models of traffic actors have a potential of unlocking sophisticated safety features and mitigating several challenges of urban automated driving. Intuitively, volunteers driving on routes of daily commuting in their private vehicles are the preferred source of information to be captured by data collection system. Such dataset can then serve as a basis for identifying efficient methods of context representation and parameterization of behavioral models. This paper describes the experimental setup supporting the development of driver behavioral models within the SIMUSAFE project. In particular, the paper presents an IoT data acquisition and analysis infrastructure supporting self-confrontation interviews with drivers. The proposed retrofit system was installed in private vehicles of volunteers in two European cities. Wherever possible, the setup used open source software and electronic components available on consumer market.
Technical Paper

Hardware/Software Co-Design of an Automotive Embedded Firewall

2017-03-28
2017-01-1659
The automotive industry experiences a major change as vehicles are gradually becoming a part of the Internet. Security concepts based on the closed-world assumption cannot be deployed anymore due to a constantly changing adversary model. Automotive Ethernet as future in-vehicle network and a new E/E Architecture have different security requirements than Ethernet known from traditional IT and legacy systems. In order to achieve a high level of security, a new multi-layer approach in the vehicle which responds to special automotive requirements has to be introduced. One essential layer of this holistic security concept is to restrict non-authorized access by the deployment of embedded firewalls. This paper addresses the introduction of automotive firewalls into the next-generation domain architecture with a focus on partitioning of its features in hardware and software.
Technical Paper

Introducing Attribute-Based Access Control to AUTOSAR

2016-04-05
2016-01-0069
Cyber security concerns in the automotive industry have been constantly increasing as automobiles are more computerized and networked. AUTOSAR is the standard architecture for automotive software development, addressing various aspects including security. The current version of AUTOSAR is concerned with only cryptography-based security for secure authentication at the communication level. However, there has been an increasing need for authorization security to control access on software resources such as data and services in the automobile. In this paper, we introduce attribute-based access control (ABAC) to AUTOSAR to address authorization in automotive software.
Technical Paper

Is the Age of the Automotive V-model Over?

2021-04-06
2021-01-0065
The V-model has been central to rigorous vehicle engineering for decades. However, there are three factors that could be used to argue whether the V-model is still a good fit for the automotive industry as we move into the connected autonomous vehicle (CAV) era. The first is the shift during development towards simulation to reduce costs, which means that testing runs can be done quickly, reminiscent of the software development AGILE methodology. The second is the need to monitor vehicles after production due to ever-increasing software functionality on a vehicle. This is for two reasons: firstly, the software over the lifetime of the vehicle would need updating, and secondly, monitoring is required for incident response in the event of a cyber-attack. Since the V-model traditionally doesn't consider the product after the vehicle enters the market, there is an absence of a widely accepted model to follow.
Technical Paper

Lessons Learned in Inter-Organization Virtual Integration

2018-10-30
2018-01-1944
The SAE AS2C Standard AS5506C Architecture Analysis and Description Language (AADL) is a modeling language for predictive analysis of real-time software reliant, safety and cybersecurity critical systems that provides both the precision of formal modeling and the tool-agnostic freedom of a text-based representation. ...AADL supports multiple domains of architectural analysis such as timing, latency, resources, safety, scheduling, and cybersecurity. Adventium Labs conducted an exercise to determine the applicability of software engineering practices (e.g., continuous integration (CI), application programming interface (API) sharing, test driven development (TDD)) to the AADL-based Architecture Centric Virtual Integration Process (ACVIP).
Technical Paper

Modelify: Semi-Automatic Conversion of Control Systems C Code to Simulink Models

2016-04-05
2016-01-0020
Over the last decade, the automotive industry has embraced model-based development for control systems. Many of these companies have chosen Simulink from MathWorks to design and simulate these models. However, a remaining issue is the fact that many control systems were initially written in C and are still being used. Some companies have attempted to manually convert these C systems to Simulink models but have found this method to be too costly, error-prone, and time consuming. EnSoft decided to tackle this problem by providing a semi-automated conversion using our Atlas for C tool. Atlas is a tool that maps software and creates a relation map for all parts of the program. It then offers the developer tools to query and visualize this graph. We have developed Modelify, a tool built on this framework that performs the necessary queries on a C project and creates equivalent Simulink models and subsystems.
Technical Paper

Proposal of HILS-Based In-Vehicle Network Security Verification Environment

2018-04-03
2018-01-0013
We propose a security-testing framework to analyze attack feasibilities for automotive control software by integrating model-based development with model checking techniques. Many studies have pointed out the vulnerabilities in the Controller Area Network (CAN) protocol, which is widely used in in-vehicle network systems. However, many security attacks on automobiles did not explicitly consider the transmission timing of CAN packets to realize vulnerabilities. Additionally, in terms of security testing for automobiles, most existing studies have only focused on the generation of the testing packets to realize vulnerabilities, but they did not consider the timing of invoking a security testing. Therefore, we focus on the transmit timing of CAN packets to realize vulnerabilities. In our experiments, we have demonstrated the classification of feasible attacks at the early development phase by integrating the model checking techniques into a virtualized environment.
Technical Paper

Recognizing Manipulated Electronic Control Units

2015-04-14
2015-01-0202
Combatting the modification of automotive control systems is a current and future challenge for OEMs and suppliers. ‘Chip-tuning’ is a manifestation of manipulation of a vehicle's original setup and calibration. With the increase in automotive functions implemented in software and corresponding business models, chip tuning will become a major concern. Recognizing and reporting of tuned control units in a vehicle is required for technical as well as legal reasons. This work approaches the problem by capturing the behavior of relevant control units within a machine learning system called a recognition module. The recognition module continuously monitors vehicle's sensor data. It comprises a set of classifiers that have been trained on the intended behavior of a control unit before the vehicle is delivered. When the vehicle is on the road, the recognition module uses the classifier together with current data to ascertain that the behavior of the vehicle is as intended.
Journal Article

Safe and Secure Software Updates Over The Air for Electronic Brake Control Systems

2016-09-18
2016-01-1948
Vehicle manufacturers are suffering from increasing expenses for fixing software issues. This fact is mainly driving their desire to use mobile communication channels for doing Software Updates Over The Air (SOTA). Software updates today are typically done at vehicle service stations by connecting the vehicles’ electronic network via the On Board Diagnostic (OBD) interface to a service computer. These operations are done under the control of trained technicians. SOTA means that the update process must get handled by the driver. Two critical aspects need to get considered when doing SOTA at Electronic Brake Control (EBC) systems. Both will determine the acceptance of SOTA by legal authorities and by the passengers: The safety and security of the vehicle The availability of the vehicle for the passengers The security aspect includes the necessity to protect the vehicle and the manufacturers IP from unwanted attacks.
Technical Paper

Safety Development Trend of the Intelligent and Connected Vehicle

2020-04-14
2020-01-0085
Automotive safety is always the focus of consumers, the selling point of products, the focus of technology. In order to achieve automatic driving, interconnection with the outside world, human-automatic system interaction, the security connotation of intelligent and connected vehicles (ICV) changes: information security is the basis of its security. Functional safety ensures that the system is operating properly. Behavioral safety guarantees a secure interaction between people and vehicles. Passive security should not be weakened, but should be strengthened based on new constraints. In terms of information safety, the threshold for attacking cloud, pipe, and vehicle information should be raised to ensure that ICV system does not fail due to malicious attacks. The cloud is divided into three cloud platforms according to functions: ICVs private cloud, TSP cloud, public cloud.
X