What Are the Information Security Requirements for Automotive Basic Software?

Information security cannot be achieved by a single, isolated security mechanism; it requires a defense-in-depth architecture. Defenses are layered across several dimensions: cloud, vehicle-to-cloud communication, in-vehicle controllers, application software, basic software and hardware, with matching security measures designed at each layer. The security requirements of basic software come mainly from two sources:

1. Security requirements handed down from a higher level, that is, from a function or the controller. For example, if a particular controller must implement encrypted communication, the basic software must provide secure communication protocols, key management, cryptographic authentication, encrypted storage and similar functions.

2. Security of the basic software itself. To ensure that the functions above cannot be bypassed, the basic software must also protect itself, for example by having no publicly known vulnerabilities and by supporting secure boot.

Secure boot

Secure boot (SecureBoot) is a basic MCU function implemented through a hardware cryptographic module; the mechanism must run independently of the user program and must not be subvertible. As the root of the entire secure-boot chain of trust, secure boot is used primarily to verify, after the MCU starts and before the user program executes, the integrity and authenticity of the user-defined critical program data in Flash, and so to determine whether it has been tampered with. If verification fails, the MCU is in an untrusted state, and some functions, or even the entire program, cannot be allowed to run.

Secure communication

In today's in-vehicle networks, most data is transmitted without any security measures. For example, CAN, the most widely used bus, was designed with no consideration for information security: its plaintext transmission, broadcast messaging and minimal network segmentation turn the vehicle network into a playground for an intruder who has gained access, who can easily forge messages to control the vehicle.

SecOC (Secure Onboard Communication) is the information security component added to the AUTOSAR software package (its position in the stack and the communication paths it can protect are shown in the figure below). This feature adds a series of functions and new requirements, including CMAC computation, key management, and freshness value management and distribution. The SecOC module provides an effective and practical authentication mechanism for critical data at the PDU level; the authentication mechanism integrates seamlessly with the existing AUTOSAR communication system while keeping the impact on resource consumption as small as possible, so that it can add protection to legacy systems.
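As an added illustration (not code from the article or from AUTOSAR), the following Python models how a SecOC secured I-PDU is built and checked: the sender appends a truncated freshness value and a truncated MAC computed over the data ID, payload and full freshness value; the receiver reconstructs the full freshness value, verifies the MAC, and thereby rejects both forged and replayed frames. HMAC-SHA256 stands in for AES-CMAC, and the key, data ID and truncation lengths are assumed values.

```python
import hashlib
import hmac
import struct

KEY = bytes(range(16))        # assumed shared 128-bit SecOC key (constructed)
DATA_ID = 0x0042              # assumed SecOC data identifier for this PDU
FV_TRUNC_BITS = 8             # truncated freshness value length on the wire (assumed)
MAC_TRUNC_BITS = 24           # truncated MAC length on the wire (assumed)


def secoc_mac(key: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 stands in for AES-CMAC, which real SecOC obtains from the crypto stack.
    return hmac.new(key, data, hashlib.sha256).digest()


def auth_input(payload: bytes, freshness: int) -> bytes:
    # The MAC covers the data ID, the payload and the FULL freshness value.
    return struct.pack(">H", DATA_ID) + payload + freshness.to_bytes(8, "big")


def build_secured_pdu(payload: bytes, freshness: int) -> bytes:
    """Secured I-PDU = payload || truncated freshness value || truncated MAC."""
    tag = secoc_mac(KEY, auth_input(payload, freshness))[: MAC_TRUNC_BITS // 8]
    fv_trunc = freshness.to_bytes(8, "big")[-(FV_TRUNC_BITS // 8):]
    return payload + fv_trunc + tag


def verify_secured_pdu(pdu: bytes, last_freshness: int) -> tuple:
    """Return (accepted, new_last_freshness) for a received secured I-PDU."""
    mac_len, fv_len = MAC_TRUNC_BITS // 8, FV_TRUNC_BITS // 8
    payload = pdu[: -(fv_len + mac_len)]
    fv_trunc = pdu[-(fv_len + mac_len): -mac_len]
    tag = pdu[-mac_len:]
    # Reconstruct the full freshness value: the receiver's high bits plus the
    # transmitted low bits; if that is not newer than the last accepted value,
    # assume the low bits wrapped around.
    mask = (1 << FV_TRUNC_BITS) - 1
    candidate = (last_freshness & ~mask) | int.from_bytes(fv_trunc, "big")
    if candidate <= last_freshness:
        candidate += 1 << FV_TRUNC_BITS
    expected = secoc_mac(KEY, auth_input(payload, candidate))[:mac_len]
    # A replayed frame carries an old freshness value, so the MAC computed over
    # the reconstructed (newer) value does not match and the frame is dropped.
    if not hmac.compare_digest(expected, tag):
        return False, last_freshness
    return True, candidate
```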



In addition, the security of vehicle-to-cloud communication relies mainly on the TLS/SSL protocol. TLS uses a client-server model to establish a secure connection between two applications over a network, preventing eavesdropping and tampering while data is exchanged.



Secure diagnostics

Some diagnostic services, such as those that download or upload routines or data to the server or read specific memory locations from it (in diagnostic terminology the server is the ECU and the client is the tester), may require authentication. Incorrect programs or data downloaded to the server could damage electronic components or other vehicle parts, or could violate vehicle emissions or safety standards. Conversely, retrieving data from the server may violate data confidentiality. Therefore, before these services are executed, the client must prove its identity; only after its identity has been confirmed as legitimate is it granted access to data and diagnostic services.

Secure diagnostics therefore uses an authentication algorithm to confirm the client's identity and to decide whether the client is allowed access. The identity can be verified either by checking an asymmetric signature over a randomly generated seed or by checking a message authentication code based on a symmetric cipher.



Secure debugging

Most controllers today come with hardware-based debug functionality for on-chip debugging. Secure JTAG mode restricts JTAG access through a challenge/response authentication mechanism: every access to the JTAG port is checked, only an authorized debug device (one that produces the correct response) is allowed to access the port, and unauthorized JTAG access attempts are rejected. At production or end-of-line, the debug and diagnostic interfaces must be disabled or locked. Disabled means that no connection to the hardware debug interface can be established at all; locked means that the hardware debug interface is protected and can only be accessed after a secure debug unlock.
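The seed/key exchange described in the secure diagnostics section and the challenge/response unlock described here for JTAG are the same mechanism, modelled below in Python as an added example (not code from the article or from any vendor): the ECU issues a fresh random seed, the client answers with a keyed response over the seed and requested level, and the ECU checks it in constant time, consumes the seed whether or not the answer is right, and locks after repeated failures. HMAC-SHA256 stands in for the vendor MAC or signature algorithm; the key, response length and attempt limit are assumptions.

```python
import hashlib
import hmac
import secrets

DIAG_KEY = b"constructed-example-ecu-secret"   # assumed per-ECU secret shared with authorized testers
MAX_FAILED_ATTEMPTS = 3                         # assumed lockout threshold


def compute_response(key: bytes, seed: bytes, level: int) -> bytes:
    """Client (tester or debug probe) side: keyed response over the seed and requested level.
    HMAC-SHA256 stands in for the vendor MAC or signature algorithm."""
    return hmac.new(key, seed + bytes([level]), hashlib.sha256).digest()[:16]


class SecurityAccess:
    """Server (ECU) side of a seed/key exchange, as in UDS SecurityAccess or a secure JTAG unlock."""

    def __init__(self, key: bytes):
        self._key = key
        self._pending = None       # (seed, level) waiting for a response
        self._failed = 0
        self.unlocked_level = None

    def is_locked(self) -> bool:
        return self._failed >= MAX_FAILED_ATTEMPTS

    def request_seed(self, level: int) -> bytes:
        if self.is_locked():
            raise PermissionError("locked after repeated failed attempts")
        seed = secrets.token_bytes(16)   # fresh, unpredictable challenge every time
        self._pending = (seed, level)
        return seed

    def send_key(self, response: bytes) -> bool:
        if self._pending is None:
            return False                 # no outstanding seed: nothing to verify
        seed, level = self._pending
        self._pending = None             # a seed is single-use, right or wrong response
        expected = compute_response(self._key, seed, level)
        if hmac.compare_digest(expected, response):   # constant-time comparison
            self._failed = 0
            self.unlocked_level = level
            return True
        self._failed += 1
        return False
```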

Secure update

As the network environment grows more complex, it becomes ever more important during a software update to ensure that the update package comes from a valid source, has not been tampered with, suffers no data loss, and that its contents cannot be obtained by an unauthorized party.

In the traditional update process, the update package is transmitted essentially in plaintext, and data verification relies on hash algorithms that offer little security. Secure update builds on the traditional process in two ways. First, the firmware is signed and an additional signature check is performed during firmware verification, strengthening integrity verification and ensuring that the data comes from a trusted source and has not been tampered with. Second, a decryption step is added for firmware that the server has encrypted, so that data is transmitted as ciphertext, effectively reducing the risk of data exposure during OTA wireless updates.
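The verification step that the secure boot section and this secure update section share, modelled in Python as an added example (not code from the article): a legacy package protected only by an unkeyed hash still passes after the image is modified and the hash recomputed, whereas a keyed authenticity tag over the header and image cannot be produced without the key. HMAC-SHA256 stands in for the firmware signature that a real bootloader verifies with a public key; firmware encryption is omitted, and the package layout, key and marker are assumptions.

```python
import hashlib
import hmac
import struct

MAGIC = b"FWIM"                                                   # assumed package marker (constructed)
BOOT_KEY = hashlib.sha256(b"example-provisioned-key").digest()    # assumed key in protected storage


def package_legacy(image: bytes) -> bytes:
    """Legacy update package: header with length and an unkeyed SHA-256 of the image."""
    return MAGIC + struct.pack(">I", len(image)) + hashlib.sha256(image).digest() + image


def verify_legacy(pkg: bytes) -> bool:
    """Legacy check: whoever can alter the image can also recompute this digest."""
    if len(pkg) < 40 or pkg[:4] != MAGIC:
        return False
    (length,) = struct.unpack(">I", pkg[4:8])
    digest, image = pkg[8:40], pkg[40:40 + length]
    return len(image) == length and hashlib.sha256(image).digest() == digest


def package_secure(image: bytes, key: bytes) -> bytes:
    """Secure package: header with length and a keyed tag over header and image.
    HMAC-SHA256 stands in for the signature a release server would apply."""
    header = MAGIC + struct.pack(">I", len(image))
    tag = hmac.new(key, header + image, hashlib.sha256).digest()
    return header + tag + image


def verify_secure(pkg: bytes, key: bytes) -> tuple:
    """Secure boot / secure update check run before the image is executed or installed."""
    if len(pkg) < 40 or pkg[:4] != MAGIC:
        return False, "bad header"
    (length,) = struct.unpack(">I", pkg[4:8])
    header, tag, image = pkg[:8], pkg[8:40], pkg[40:40 + length]
    if len(image) != length:
        return False, "truncated"
    expected = hmac.new(key, header + image, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return False, "authenticity check failed"   # MCU must stay in the untrusted state
    return True, "ok"


def modified(image: bytes) -> bytes:
    """Constructed: the same image with its first byte changed, as after tampering."""
    return bytes([image[0] ^ 0xFF]) + image[1:]
```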



Secure storage

One-time programmable memory, OTP (On-Chip One Time Programmable ROM, on-chip OTP ROM), also known as eFuse, is a special storage module in the chip. Any eFuse bit in a field can only be programmed from 0 to 1 (blown) and can be written only once, but there is no restriction on reads. Secure storage can also be achieved by setting certain Flash regions to read-only or write-only, preventing unauthorized access and tampering. The number and size of the Flash protection regions vary with the Flash type and the size of the Flash blocks.

This is a popular-science article and is not intended as selection advice or investment advice.

If you would like more information-security news, explainers, knowledge, solutions, reports, materials, case studies and so on, search Baidu for China Digital Transformation Network (中国数字化转型网). If you are interested in digital transformation, do take a look.




2024-09-18
