Publication


Featured research published by Armin Wasicek.


digital systems design | 2012

The ACROSS MPSoC -- A New Generation of Multi-core Processors Designed for Safety-Critical Embedded Systems

Christian El Salloum; Martin Elshuber; Oliver Höftberger; Haris Isakovic; Armin Wasicek

The European ARTEMIS ACROSS project aims to overcome the limitations of existing Multi-Processor System-on-a-Chip (MPSoC) architectures with respect to safety-critical applications. MPSoCs have a tremendous potential in the domain of embedded systems considering their enormous computational capacity and energy efficiency. However, the currently existing MPSoC architectures have significant limitations with respect to safety-critical applications. These limitations include difficulties in the certification process due to the high complexity of MPSoCs, the lacking temporal determinism and problems related to error propagation between subsystems. These limitations become even more severe, when subsystems of different criticality levels have to be integrated on the same computational platform. Examples of such mixed-criticality integration are found in the avionics and automotive industry with their desire to integrate safety-critical, mission critical and non-critical subsystems on the same platform in order to minimize size, weight, power and cost. The main objective of ACROSS is to develop a new generation of multicore processors designed specially for safety-critical embedded systems; the ACROSS MPSoC. In this paper we will show how the ACROSS MPSoC overcomes the limitations of existing MPSoC architectures in order to make the multi-core technology available to the safety-critical domain.


international symposium on object/component/service-oriented real-time distributed computing | 2010

A System-on-a-Chip Platform for Mixed-Criticality Applications

Armin Wasicek; Christian El-Salloum; Hermann Kopetz

High-integrity systems are deployed in order to realize safety-critical applications. To meet the rigorous requirements in this domain, these systems require a sophisticated approach to design, verification, and certification. Not only safety considerations have an impact on a product's overall dependability, but also security has to be taken into account. In this paper we analyze the Time-Triggered System-on-Chip (TTSoC) architecture, which is a novel architecture for Multi-Processor System-on-Chip (MPSoC) devices, regarding its security properties. We discuss essential compliance criteria to the Multiple Independent Layers of Security (MILS) architecture, which is an industry-ready architecture for embedded high-integrity systems. We found that both architectures share intrinsic properties and we are able to show that the TTSoC architecture implements the core requirements of a MILS Separation Kernel and thus realizes its elementary security policies by design.


international symposium on object/component/service-oriented real-time distributed computing | 2011

Authentication in Time-Triggered Systems Using Time-Delayed Release of Keys

Armin Wasicek; Christian El-Salloum; Hermann Kopetz

This paper investigates the security of time-triggered transmission channels, which are used to establish a predictable and timely message transfer in a distributed embedded system with potential safety constraints. Within such a system, safety and security are closely related, because malicious attacks can have an impact on a system's safety and thereby cause severe damage. An attacker could masquerade as an original sender and try to alter some system parameters by injecting malicious messages in the system. In the embedded real-time systems domain particularly the authenticity of data items is of interest, because a lack of integrity can lead to incorrect or erroneous system behavior. In addition, we address the open research question how a common notion of time can contribute to a system's security. Our solution encompasses an authentication protocol to secure time-triggered transmission channels. We illustrate two attack scenarios (insertion and substitution) that aim at injecting fake messages in such a channel thereby corrupting the internal system state of a receiver. We discuss the feasibility of several key management strategies for embedded systems and describe an authentication protocol using time-delayed release of symmetric keys for time-triggered systems. In a case study we implement the protocol for a prototype Time-Triggered Ethernet (TTE) system. The insight gained from the evaluation is that the computation of the cryptographic algorithms consumes most resources. Our solution shows that authentication can be transparently applied to a time-triggered system exploiting the available global time base and without violating its timeliness properties.


Microprocessors and Microsystems | 2013

The ACROSS MPSoC - A new generation of multi-core processors designed for safety-critical embedded systems

Christian El Salloum; Martin Elshuber; Oliver Höftberger; Haris Isakovic; Armin Wasicek

The European ARTEMIS ACROSS project aims to overcome the limitations of existing Multi-Processor System-on-a-Chip (MPSoC) architectures with respect to safety-critical applications. MPSoCs have a tremendous potential in the domain of embedded systems considering their enormous computational capacity and energy efficiency. However, the currently existing MPSoC architectures have significant limitations with respect to safety-critical applications. These limitations include difficulties in the certification process due to the high complexity of MPSoCs, the lacking temporal determinism and problems related to error propagation between subsystems. These limitations become even more severe, when subsystems of different criticality levels have to be integrated on the same computational platform. Examples of such mixed-criticality integration are found in the avionics and automotive industry with their desire to integrate safety-critical, mission critical and non-critical subsystems on the same platform in order to minimize size, weight, power and cost. The main objective of ACROSS is to develop a new generation of multicore processors designed specially for safety-critical embedded systems; the ACROSS MPSoC. In this paper we will show how the ACROSS MPSoC overcomes the limitations of existing MPSoC architectures in order to make the multi-core technology available to the safety-critical domain.


international conference on industrial informatics | 2012

Copy protection for automotive electronic control units using authenticity heartbeat signals

Armin Wasicek

Protection of intellectual property rights is a vital aspect for the future automotive supplier market, in particular for the aftersales market for ECUs. Computer security can deliver the required protection mechanisms and sustain the according business models. We propose an approach to facilitate the rigorous checking of components for originality in a vehicle. In our system model, a security controller receives special messages (i.e., the authenticity heartbeat signal) from relevant ECUs and it performs subsequent authentication and plausibility checks. As a result, the security controller can tell, if the current setup of components in the vehicle is original. We evaluate our authentication architecture for the Battery Management System (BMS) of a hybrid car. Here, the security controller detects reliably, if the BMS is an original component, and whether an attacker has modified the operational limits of the battery. In this paper, we reason that an effective copy protection scheme needs to fuse relevant information from different sources. Therefore, various security techniques have to be combined in a sound architectural approach. The distinctive feature of our architecture is that it takes into account application-specific knowledge of the real-time entities under control.


international symposium on object/component/service-oriented real-time distributed computing | 2014

Virtual CAN Lines in an Integrated MPSoC Architecture

Armin Wasicek; Oliver Höftberger; Martin Elshuber; Haris Isakovic; Andreas Fleck

The standard solution for automotive control networks is the Control Area Network (CAN) bus. Almost any vehicular computer system comprehends at least one CAN line. For the past two decades, software development for control systems has been strongly connected to the properties and interfaces of the CAN bus. Currently, the automotive industry is in the middle of a technology leap towards an information-based industry. New technologies are getting ready to fulfill newly emerging requirements for innovative products such as hybrid engine control, intelligent energy management, and advanced driver assistance systems. Integrated Multi-Processor-on-a-Chips (MPSoCs) will be one part of the solution to provide an adequate computing infrastructure for these newly emerging systems. The established technologies like the CAN bus will have to be reconsidered. In this work, we propose a virtual CAN overlay that abstracts the communication interfaces of an MPSoC to provide the Application Programmer Interface (API) of CAN to programmers. The overlay provides the standard behavior of a CAN line and works transparently over chip boundaries. The major implication is that the programmers can continue their used software development approaches and tools when introducing a new computing infrastructure. The main benefit is that the productivity can be maintained during this critical phase. In summary, our solution helps to mitigate the effects from a technology shift to integrated MPSoCs. Our approach is fully compliant with new automotive software development approaches like AUTOSAR.


international symposium on industrial embedded systems | 2012

Enhancing security in CAN systems using a star coupling router

Roland Kammerer; Bernhard Frömel; Armin Wasicek

Controller Area Network (CAN) is the most widely used protocol in the automotive domain. Bus-based CAN does not provide any security mechanisms to counter manipulations like eavesdropping, fabrication of messages, or denial-of-service attacks. The vulnerabilities in bus-based CAN are alarming, because safety-critical subsystems (e.g., the power train) often deploy a CAN bus, and hence a failure propagation from the security domain to the safety domain can take place. In this paper we propose a star coupling router and a trust model for this router to overcome some of the security deficiencies present in bus-based CAN systems. The CAN router establishes a partitioning of a CAN bus into separate CAN segments and allows to rigorously check the traffic within the CAN system, including the value and time domains. We evaluate the introduced trust model on a prototype implementation of the CAN router by performing attacks that would be successful on classic bus-based CAN, but are detected and contained on router-based CAN. The router can consequently increase the security in automotive applications and render some of the attacks described in the literature (e.g., fuzzing attack) on a car useless. Since the CAN router offers ports that are compatible to standard CAN, the router can be used to increase the security of legacy CAN based systems.


Archive | 2014

The ACROSS Integrity Model

Armin Wasicek

In this chapter we discuss the application of integrity models in a mixed-criticality system to enable the secure sharing of information. The sharing of resources and information in computer systems enables cost savings. The major technical challenge of these systems is simple: low criticality applications must be prevented from interfering with high criticality ones which execute in the same system. An example for such an integrated architecture is the ACROSS MPSoC architecture which facilitates the implementation of hard real-time systems. We present an integrity model for the secure exchange of information between different levels of criticality within ACROSS. Our approach is based on Totel's integrity model which proposes to upgrade information from low to high by rigorously validating this information. We were able to show that the encapsulation mechanisms of the ACROSS architecture support the implementation of the proposed integrity model.


international conference on industrial informatics | 2007

Internet Firewalls in the DECOS System-on-a-Chip Architecture

Armin Wasicek; Wilfried Elmenreich

A big part of requests in today's Internet are malicious connection attempts aimed at compromising hosts in order to gain illegal access. Intrusion tools perform automatic scans to seek out promising targets, probe for vulnerabilities, and even mount autonomous attacks. Outgoing from this scenario, this paper discusses approaches to govern access to a network of System-on-a-Chip (SoC) components that provides an Ethernet interface to the Internet for maintenance purposes. Security measures are needed to protect the SoC from unauthorized access to internal information such as diagnostic interfaces or bus communication. Since the SoC should be realized as a compact embedded system, the implementation of security mechanisms has to fit the available processing and memory resources. In order to be able to cope with changing security requirements and different deployment environments a multi-level security architecture is proposed. The architecture partitions the system into intrusion containment regions and provides corresponding access privileges. As part of the architecture, the implementation of an Internet Firewall providing low level authentication to a network of SoCs is shown.


international conference on computer safety reliability and security | 2012

Towards secure time-triggered systems

Florian Skopik; Albert Treytl; Arjan Geven; Bernd Hirschler; Thomas Bleier; Andreas Eckel; Christian El-Salloum; Armin Wasicek

Collaboration

Top Co-Authors

Christian El-Salloum
Vienna University of Technology

Haris Isakovic
Vienna University of Technology

Martin Elshuber
Vienna University of Technology

Oliver Höftberger
Vienna University of Technology

Christian El Salloum
Vienna University of Technology

Hermann Kopetz
Vienna University of Technology

Albert Treytl
Austrian Academy of Sciences

Bernd Hirschler
Austrian Academy of Sciences

Bernhard Frömel
Vienna University of Technology

Florian Skopik
Austrian Institute of Technology