This report was written by Tomas Olovsson, Computer Science and Engineering, Chalmers. 

The ESCAR EU conference took place in November and focused on the following topics: quantum cryptography, intrusion and misbehavior detection, the interplay between safety and security, securing onboard communication and (in)secure boot. Below is a summary of some selected talks. For more information and to download papers and slides from the conference, visit this homepage. Please feel free to contact us if you have any questions.

Georg Sigl from Fraunhofer gave a keynote talk and focused on how to create trusted applications in the automotive domain. The complete chain from hardware to software must be trusted: Trusted electronics (ECUs, sensors, actuators, buses) -> Trusted OS -> Trusted data spaces -> trusted applications. We need to know the full support chain and not forget recent examples such as weaknesses in CPUs (Spectre, Meltdown), Trojans in server and communication infrastructure such as 5G and backdoors in military chips discovered 6-7 years ago in FPGAs. The recommendation is to perform a risk analysis of the full chain to minimize the trusted base. We should also consider developing an automotive platform with open-source hardware (!) that can be reviewed and reused where the authenticity of chips can be reviewed.

Tim Fritzmann at TU Munich reminded us that quantum computing will change how ciphers are used. We are still far away from systems that can break RSA and ECC cryptography but no one knows whether it will take 5, 10, 20 or even more years before this happens. However, since the lifetime of our products is expected to be 20+ years, we have to plan for this today, not tomorrow. Details from his talk and about what ciphers are affected and how it is available as a download.

David Schubert at Fraunhofer described a systematic literature review they have performed about application-aware intrusion detection systems. After investigating current research, they concluded that architecture (i.e. distributed vs. centralized) is an underrepresented aspect. Only 10 high-quality publications were found, 5 focused on centralized systems, 4 on agent-based and 1 on hybrid solutions. They also found that most works lack a mapping from threats to actual technique selection, and also argued that technology selection should be done together with system development since they depend on each other. Much more information can be found in their interesting presentation.

Takeshi Kishikawa at Panasonic talked about spoofing and injecting messages on FlexRay. He concluded that most work has focused on CAN which does not apply to FlexRay. They have found that spoofing messages is not only possible in the dynamic segment where optional messages are transmitted, but also, contrary to some other recent work, possible in the static segment when a star topology is used. This is due to the star coupler which forwards only the frame with the earliest timing in a time slot to the other networks. Whether this is a real problem in a vehicle depends on its design.

Jonathan Petit – Qualcomm gave the second keynote talk around automated driving and security. He first focused on cameras in automated driving: what happens if a fake 90 km/h traffic sign is inserted in a 30 km/h area? Or if a No Entry sign is painted on the highway and an autonomous vehicle approaches,, or a painting a human on the road that looks real? Another topic he touched was the Uber accident in 2019. The forensic investigators’ main problem was lack of tools, i.e. tools to read Lidar and sensor data, and additionally, they had no way of knowing that data was authentic or what parts of the system they could trust. There was also no possibility to know whether an external attacker may have interfered with the car, e.g. used GPS jammers or other equipment. Forensics must be the next area to focus on.

David Förster at Bosch talked about a common method to address safety and security interplay when performing HARA/Safety and TARA/Security risk assessment. They propose a method for how to integrate safety and security risk management workflows. What we can see when comparing HARA and TARA is that both identify hazards, a process that could be done together and that safety goals can be used in security when identifying security assets. Also, when safety people have identified a safety hazard, they should be able to evaluate consequences even if a security problem is a cause. It should not matter whether it is due to a component failure or a security problem, severity should be the same regardless of origin.

Frederic Stumpf at ESCRYPT talked about how to increase the performance of HSM-based verification of messages. The Autosar platform has problems with fast message authentication due to the layered architecture. By using asynchronous and interleaved processing, it is possible to keep HSMs completely busy thus increasing performance. This can be done by creating arrays of I/O vectors (tasks) for them to process, although this is at least not yet compatible with Autosar CSM interfaces. This approach is similar to modern hard disk controllers in computers which are given lists of tasks instead of handshaking one task at a time.