Background & Objectives
Future automotive safety applications based on vehicle-to-vehicle and vehicle-to-infrastructure communication have been identified as a means for decreasing the number of fatal traffic accidents. Examples of such applications are local danger warnings and electronic emergency brakes. While these functionalities inspire a new era of traffic safety, new security requirements need to be considered in order to prevent attacks on these systems. Examples of such threats are forced malfunctioning of safety-critical components or the interference with the traffic flow by means of fake messages.
Secure and trustworthy intra-vehicular communication is the basis for trustworthy communication among cars or between cars and the infrastructure. Therefore, the objective of the EVITA project is to design, verify, and prototype an architecture for automotive on-board networks where security-relevant components are protected against tampering and sensitive data are protected against compromise when transferred inside a vehicle.
By focusing on the protection of the intra-vehicle communication EVITA complements other e-safety related projects that focus on the protection of the vehicle-to-X communication.
Security requirements analysis
Starting from relevant use cases and security threat scenarios, security requirements for on-board networks will be specified. Also legal requirements on privacy, data protection, and liability issues will be considered.
Secure on-board architecture design
Based on the security requirements and the automotive constraints, a secure on-board architecture and secure on-board communications protocols will be designed. The security functions will be partitioned between software and hardware. The root of trust will be placed in hardware security modules that may be realised as extensions to automotive controllers or as dedicated security controller chips.
In order to ensure that the identified requirements are satisfied, selected parts of the secure on-board architecture and the communications protocols will be modelled using UML and automata and verified using a set of different but complementary model-based verification tools.
For prototyping, FPGA’s will be used to extend standard automotive controllers with the functionality of cryptographic coprocessors. The low-level drivers for interacting with the hardware will be partially generated from UML models.
For even faster prototyping, the security functionality will also be implemented purely in software. An API will be defined so that applications on top of this API can use the cryptographic functions regardless of whether they are provided in hardware or software. All developed code will be validated to ensure its correctness.
The secure on-board communication will be deployed inside a lab car demonstrating e-safety applications based on vehicle-to-X communication. Cryptographic methods will ensure the integrity and authenticity of information exchanged within the vehicle and will protect the electronic control units against theft, tampering, and unauthorised cloning.
Releasing the automotive hardware security modules for deployment in cars on public roads requires further implementation and testing efforts, which are out of scope of this project.
Dissemination and external interfaces
In order that the entire automotive industry may benefit from the project results, the secure on-board architecture and communications protocol specifications will be published as open specifications.
The EVITA project partners will liaise with related initiatives in the fields of e-safety and embedded security to achieve multilateral synergies.
July 2008 – December 2011
These models are to be viewed with the open source UML toolkit TTool.
- M. Wolf, T. Gendrullis: Design, implementation, and evaluation of a vehicular hardware security module. In 14th International Conference on Information Security and Cryptology, Seoul, South Korea, November/December 2011 – Paper
- H. Schweppe, B. Weyl, Y. Roudier, M.S. Idrees, T. Gendrullis, M. Wolf: Securing car2X applications with effective hardware-software co-design for vehicular on-board networks. In 27th Joint VDI/VW Automotive Security Conference, Berlin, Germany, October 2011. VDI Berichte 2131 – Paper
- G. Pedroza, M.S. Idrees, L. Apvrille, Y. Roudier: A formal methodology applied to secure over-the-air automotive applications. In 74th IEEE Vehicular Technology Conference (VTC2011-Fall), San Francisco, CA, USA, September 2011 – Paper
- H. Schweppe, Y. Roudier, B. Weyl, L. Apvrille, D. Scheuermann: Car2X communication – Securing the last meter. In 4th International Symposium on Wireless Vehicular Communications (WIVEC 2011), San Francisco, CA, USA, September 2011 – Paper
- G. Pedroza, L. Apvrille, D. Knorreck: AVATAR: A SysML environment for the formal verification of safety and security properties. In 11th International Conference on New Technologies of Distributed Systems (NOTERE), Paris, France, May 2011 – Paper
- M.S. Idrees, H. Schweppe, Y. Roudier, M. Wolf, D. Scheuermann, and O. Henniger: Secure automotive on-board protocols: A case of over-the-air firmware updates. In T. Strang, A. Festag, A. Vinel, R. Mehmood, C. Rico Garcia und M. Röckl, eds., 3rd International Nets4Cars/Nets4Trains Workshop, Oberpfaffenhofen, Germany, March 2011. Springer (LNCS vol. 6596) – Paper
- A. Fuchs, S. Gürgens, and C. Rudolph: A formal notion of trust and confidentiality – Enabling reasoning about system security. In Journal of Information Processing, vol. 19 (2011), pp. 274–291 –Paper
- O. Henniger: Secure automotive on-board networks – Basis for secure vehicle-to-X communication. In Workshop “Staufrei von Holland nach Hessen” (From Holland to Hesse without traffic jam), Frankfurt/Main, Germany, December 2010 – Slides
- G. Pedroza, L. Apvrille, and R. Pacalet: A formal security model for verification of automotive embedded applications. In 3rd Sophia-Antipolis Formal Analysis Workshop (SAFA 2010), Sophia-Antipolis, France, October 2010 – Paper
- D. Knorreck, L. Apvrille, and R. Pacalet: Partitioning of in-vehicle systems-on-chip: a methodology based on DIPLODOCUS. In 13th Sophia-Antipolis Microelectronics Forum (SAME 2010), Sophia-Antipolis, France, October 2010 – Paper
- L. Apvrille, R. El Khayari, O. Henniger, Y. Roudier, H. Schweppe, H. Seudié, B. Weyl, M. Wolf: Secure automotive on-board electronics network architecture. In FISITA 2010 World Automotive Congress, Budapest, Hungary, May/June 2010 – Paper
- M.S. Idrees, Y. Roudier, and L. Apvrille: A framework towards the efficient identification and modelling of security requirements. In 5th Conference on Security in Network Architectures and Information Systems (SAR-SSI 2010), Menton, France, May 2010
- H. Schweppe, Y. Roudier: Security issues in vehicular systems: Threats, emerging solutions and standards. In 5th Conference on Security in Network Architectures and Information Systems (SAR-SSI 2010), Menton, France, May 2010 – Paper
- A. Ruddle: Security risk analysis approach for on-board vehicle networks. In “The Fully Networked Car” Workshop at the Geneva International Motor Show, Geneva, Switzerland, March 2010 – Slides
- O. Henniger and H. Seudié: EVITA-project.org: E-safety vehicle intrusion protected applications. In 7thescar (Embedded Security in Cars) Conference, Düsseldorf, Germany, November 2009, invited talk –Slides
- H. Seudié: Vehicular on-board security: EVITA project. In C2C-CC Liaison Security Workshop, Wolfsburg, Germany, November 2009, invited talk – Slides
- O. Henniger, L. Apvrille, A. Fuchs, Y. Roudier, A. Ruddle, and B. Weyl: Security requirements for automotive on-board networks. In 9th International Conference on Intelligent Transport System Telecommunications (ITST 2009), Lille, France, October 2009 – Paper
- B. Weyl, O. Henniger, A. Ruddle, H. Seudié, M. Wolf, and T. Wollinger: Securing vehicular on-board IT systems: The EVITA Project. In 25th Joint VDI/VW Automotive Security Conference, Ingolstadt, Germany, October 2009 – Paper
- F. Stumpf, B. Weyl, C. Meves, M. Wolf: A security architecture for multipurpose ECUs in vehicles. In 25th Joint VDI/VW Automotive Security Conference, Ingolstadt, Germany, October 2009 – Paper
- T. Kosch: Privacy and data protection for drivers – A contribution from the EVITA project. In 16th ITS World Congress, Stockholm, Sweden, September 2009, invited talk – Slides
- M. Wolf: Designing secure automotive hardware for enhancing traffic safety. In CAST Workshop “Mobile Security for Intelligent Cars”, Darmstadt, Germany, August 2009, invited talk – Slides
- A. Fuchs and R. Rieke: Identification of authenticity requirements in systems of systems by functional security analysis. In Workshop on Architecting Dependable Systems at the IEEE/IFIP International Conference on Dependable Systems and Networks (DSN-2009), Estoril, Portugal, June 2009 – Paper
- M. Wolf: Vehicular security hardware. In 6th escar (Embedded Security in Cars) Conference, Hamburg, Germany, November 2008, invited talk – Slides