More and more vehicle functions are being realized using software. However, the update cycles are also becoming shorter as a result. For example, the functions involved in fully automated driving are being improved continuously thanks to machine learning. Added to this, customers clearly expect it to be possible to update or add functions retroactively as well, such as improvements to the assistance systems, new apps, and so on. The ability to offer a consistent and stable procedure for meeting these requirements is becoming a key factor in enabling vehicle manufac-turers to set themselves apart from their competitors. If there is no such concept, they run the risk of damage to their image as a consequence. Looking further ahead, electromobility could also mean longer maintenance intervals. But this is a difficult message to get across when software updates can still only be performed during a visit to the workshop.
As in other industries, updates will therefore have to take place “over the air” in future. The preconditions required for such update mechanisms can be achieved by connecting vehicles to the internet and networking the components. However, the task of updating critical vehicle functions places high demands on the security and reliability of the processes used for this purpose.
Extensive design improvements in Adaptive AUTOSAR
These challenges called for a new platform alongside the existing AUTOSAR software environment: Adaptive AUTOSAR. This means that OEMs and their suppliers do not constantly have to develop new and, in some cases, proprietary solutions for critical and complex functionalities. In comparison with the older Classic AUTOSAR, Adaptive AUTOSAR relies on parallelization and dynamization of the run-time environment. What this actually means is that active or required compo-nents are reloaded and logged off. Adaptive AUTOSAR provides the applications with all the necessary programming interfaces –regardless of the operating system used. This enables the use of existing software libraries in the areas of high-performance computing, embedded vision, or machine learning. (Figure 1)
Signal-based communication in Classic AUTOSAR on the CAN bus, for instance, has been replaced with service-oriented communication in Adaptive AUTOSAR. With this system architecture, new applications can be integrated into the entire system more easily.
Modern and sometimes automated developer tools, such as Elektrobit’s EB tresos, support software development for Adaptive AUTOSAR. They offer functions designed specifically for the new, more modern system architecture, such as compiler-based static and dynamic data flow analyses, automatic run-time estimates, and automatic software and hardware optimization.
Responsibility for standardizing and further developing Adaptive AUTOSAR lies with the AUTOSAR consortium, which has over 250 subscribers from more than 70 different companies. New versions of Adaptive AUTOSAR will be published by the AUTOSAR consor-tium twice a year – at the end of March and the end of October. This will ensure that specifications and functionalities are maintained and updated continuously. Detailed information is available at www.AUTOSAR.org/standards/adaptive-platform.
Standardized functions for OTA updates
In connection with OTA updates, Adaptive AUTOSAR provides key functions as standard for purposefully updating functions and components. While Classic AUTOSAR always required a full update of the appli-cation software, Adaptive AUTOSAR supports differential updates. The background to this is a modular architecture in which only individual appli-cation blocks are updated and also delta updates where the target application is patched to the new software version.
What actually happens is that an update master receives from the connectivity client the update data sent over the air and then purposefully updates the individual software components in collaboration with the Update Configuration Manager (UCM) and the Diagnostic Manager (DM). (Figure 2)
To make the entire update process as simple and uncomplicated as possible for OEMs or suppliers of services, Elektrobit offers a scalable and flexible full-service solution in the form of EB’s Update OTA. Depending on the OEM’s specifications, it contains the cloud or backend environment required to prepare, manage, and implement the update throughout the life of the vehicle. Within an update rollout, several performance ECUs and/or the infotainment system belonging to the vehicle can also be updated at the same time. For this to work, the ECUs concerned must support standardized diagnostic protocols.
End-to-end security architecture to protect the entire vehicle
The connectivity of networked vehicles enables numer-ous meaningful functions, offering clear advantages to drivers and vehicle manufacturers alike. At the same time, however, it also increases the number of potential points of attack. Communication channels such as Car2X, WiFi, Bluetooth, remote control via apps, OBD-II, radio transmitter keys, and so on essentially represent potential gateways for hacker attacks. Alongside the obvious risks like data loss or malfunctions, these scenarios pose potential threats to OEMs, which include damage to their reputation with customers and business partners, cost risks for recalls or countermeasures, and customer dissatisfaction, all the way through to liability risks and potential legal consequences.
With this in mind, OTA software updates place special demands on the security architecture both inside and outside the vehicle. Obviously, the other points of attack listed are also purposefully protected. However, the focus below lies on the security functions of Adaptive AUTOSAR, most notably within the context of OTA updates.
The underlying security architecture takes account of the vehicle components and their connections and interfaces as well as the backend and, if applicable, any end devices connected as well. The concept there-fore covers all the layers affected inside and outside the vehicle environment: individual components and ECUs, bus systems inside the vehicle, external interfaces and protocols (including WLAN, for example) as well as the end-to-end encryption and protection of all relevant services. This not only ensures system integrity and prevents attempted misuse, but also meets the ever-increasing legal requirements for data protection and information security. (Figure 3)
High level of protection in Adaptive AUTOSAR
To achieve these goals, solutions and approaches are used from the area of automotive security, such as SecOC (Secure Onboard Communication) and HSM (Hardware Security Modules). What is more, the security architecture is also based on Classic AUTOSAR solutions and processes from the client-server com-munication, such as TLS (Transport Layer Security), certificate-based authentication, and encryption.
The Secure Onboard Communication (SecOC) concept ensures that data transmitted within the onboard communication are authentic. SecOC thereby prevents any manipulation of data packets, man-in-the-middle attacks, or other attack scenarios. To prevent any unauthorized access by hackers to the CAN bus, the SecOC module adds a Message Authentication Code (MAC) to every block of data transmitted on the internal bus. To prevent any manipulation due to inter-cepted blocks of data, the cryptographic calculation takes account of a time-dependent component which documents the up-to-dateness of the message. However, due to limitations with the classic CAN bus (the protocol used there provides for a frame size of just 8 bytes), only part of the up-to-dateness certificate and of the MAC can be transmitted with the user data. For its part, the recipient module calculates the complete MAC and the up-to-dateness value and then compares them with the values (partially) received. If they do not match, the data packet received is rejected.
SecOC is supplemented with hardware-based encryp-tion as well as internal trust safeguards and security mechanisms in the components and ECUs. These include authentication, anti-theft protection, and the identification of anomalies or unauthorized access attempts. These security elements too profit from the architecture-related advantages of Adaptive AUTOSAR, due to the parallelized execution and therefore acceleration of complex cryptographic calculations, for example.
Comprehensive protection of OTA update processes
On the basis of the security architecture and concepts described, Adaptive AUTOSAR protects the entire update process, from starting the system to receiving the OTA update data and through to installing the update. The integrity of the system environment in the vehicle is assured thanks to a secure boot mechanism. This loads and executes only authenticated software components. The verification process runs at the same time as the software in order to minimize loading and startup times. OEM-specific requirements are integrated seamlessly.
An end-to-end encrypted communication connection between the backend and onboard components as well as encrypted storage of the data in both the backend and the vehicle make sure that the update data are securely transmitted and stored. The bootloader, which is independent from the program code of the applications, creates a secure environment in the vehicle for installing the update.
The safeguards already described are also used for authenticating update packets and for actually importing the updated software. As Adaptive AUTOSAR has a stand-alone crypto library, the authentication and verification of software and hardware components run parallel to the update process. At the same time, the Secure Diagnostics system module monitors the communication between the diagnostic client and the ECUs concerned. The OEM has a choice between different authentication methods, such as seed-and-key or token-based authentication.
Elektrobit works on all security matters in close collaboration with Continental’s security software experts Argus Cyber Security. Founded in 2013, the company is headquartered in Tel Aviv, Israel, and has offices in Michigan, Silicon Valley, Stuttgart, and Tokyo. It is the world’s largest independent supplier of cyber security solutions in the automotive market. This means that OEMs profit from the design advantages of Adaptive AUTOSAR and can rely on the highest possible level of protection and security.