Security enhancing CAN transceivers Bernd Elend Principal Engineer - - PowerPoint PPT Presentation
Security enhancing CAN transceivers Bernd Elend Principal Engineer March 8 th , 2017 Introduction: SECURITY REQUIRES A LAYERED APPROACH NXPs 4 + 1 Layer approach for vehicle cyber security: Multiple security techniques, at different
1 2 3 4
levels (“defense-in-depth”)
defense being compromised or circumvented NXP’s “4 + 1 Layer approach” for vehicle cyber security:
4.
Node A Node B
Node A Node B Node E Node C Node D Node F Node G Node H
5.
Node A Node B Node E
6.
Node A Node B Node E
USB
7.
Node A Node B Node E
USB
8.
Node A Node B Node E
9.
Node A Node B Node E
10. ID = 0x123 ID = 0x123
11.
12.
1st Solution: Transmission whitelist The transceiver of Node E allows to send only CAN or CAN FD messages with an ID that is stored in a whitelist in the transceiver. Implications: The message occurs once the bus, and is invalidated in the end-of-frame
the transceiver from any further communication. Benefits: Only one error flag on the bus. This method can also be used to protect against flooding attacks that would lead to a denial of service, by limiting the transmitted bus load. Drawback: Does not help in case node E is not under control of the OEM; e.g. after market device.
13.
2nd Solution: Spoofing protection The transceiver of Node A sends an active error flag, when it receives an identifier that it usually would sent. Error flag Implications: The error flag send by node A causes 16 repetitions before node E enters “error passive” (with suspend trans- mission) and further 16 repetitions prior to entering “bus off” state. Benefits: Helps to protect in case of foreign node attachment; i.e. in case E is not under control of the OEM like aftermarket devices. Drawbacks: Does not work, if A is not present
(e.g. like an off-board tester) or node A
is in Sleep mode or un-powered. Node E can be re-started by the hacker at any time. This method also helps in case Node E starts tampering the message data, after A has sent the identifier and when node A is in “error passive” state. 32 error frames and peak busload do occur.
Features in transmit path: Transmission whitelisting Flooding prevention
14.
Features in receive path: Spoofing protection Tamper protection Error flag
15.
Features in receive path: Spoofing protection Tamper protection Error flag Features in transmit path: Transmission whitelisting Flooding prevention List of IDs for spoofing protection and transmission whitelist can be the same ! does not need configuration needs limit, e.g. 6% bus load needs list of identifiers needs list of identifiers
No update in the field possible attack
FULL 5 MBps PORTFOLIO
Ultra-low Emission, Ultra-low Power, 5 Mbps CAN cell
Spoofing & Tampering protection TX control & Flooding protection Basic access prevention CAN/ CAN FD NETWORK SECURITY
Set of policies stored in memory
CAN FD BUS MONITOR FD SHIELD RE-USE CAN ECUs IN CAN FD NETWORKS
CAN FD controller
CAN BUS MONITOR PARTIAL NETWORKING
ENERGY SAVING, FAST ECU FLASHING
CAN decoder
16.
ECU and Network Security
HW Crypto Accelerators Programmable Core Secure Storage
Ultra-low Emission, Ultra-low Power, 5 Mbps CAN cell
CAN FD BUS MONITOR FD SHIELD RE-USE CAN ECUs IN CAN FD NETWORKS
CAN FD controller
CAN BUS MONITOR PARTIAL NETWORKING
ENERGY SAVING, FAST ECU FLASHING
CAN decoder
17.
Security In built CAN PHY ECU and Network Security CAN/ CAN FD NETWORK SECURITY FULL 5 MBps PORTFOLIO
18.
Feature summary:
transceiver may issue an active error flag on reception of a CAN ID that is included in its transmission whitelist
the sending transceiver has a transmission whitelist of CAN IDs that are allowed to be sent
If the node starts a transmission and a compromised node tampers the message, while the sender is error passive, then the transceiver is preventing message take over by sending an active error flag
The transceiver ensures that the contribution to the bus load is limited Advantages to realize these features in a transceiver: