A new security architecture for networked embedded devices
To establish an effective mitigation against such attacks, Imec has devised a new security architecture for networked embedded devices, called Sancus. It was carefully laid out to fit the usual automotive electronics environments, and is intended as a general solution to secure not just vehicles, be they smart or autonomous, but also for other critical infrastructures, such as medical equipment, smart buildings or power grids.
CAN: island of smart electronics
Complex industrial equipment is monitored and steered by networks of sensors, actuators and control processors that continuously exchange essential up-to-date messages. In automobiles this real-time interaction usually is organized via the CAN bus (Controller Area Network). The problem here is: CAN was laid out about 30 years ago as a closed network with no consideration of obvious access points for intruders. The CAN bus specs offer a convenient way to integrate the growing number of heterogeneous sensors and control processors, which send and receive reliable and timely messages without any central computer. Most important: CAN connects the rotation sensors in the wheels with the anti-lock braking system (ABS) and the drivetrain.
Traffic infrastructure: opening up to the world
In high-end cars the infotainment and navigation systems are hooked up to both, the CAN network and to external public networks. The infotainment components communicate via the driver’s mobile phone or headset and they receive software updates from their vendors. With information provided by the CAN network, it is possible to turn up the music volume when driving faster or upon entering rough terrain. Autonomous vehicles take this a step further: they will communicate with the traffic infrastructure to steer and protect the car.
So suddenly a car’s CAN network provides a number of potential entry points for malicious intruders. Communication with the outside is done via Bluetooth or IP networks, some of which may connect to the Internet. And the Internet, if anything, is a highly non-trusted network. The CAN bus and it’s hardware and software components were not designed to operate in such an unsafe environment. CAN offers no actual form of authentication or authorization. If a syntactically correct CAN message arrives at the car’s brake system, it just assumes that the message is legitimate and stems from a trusted source.
Moreover, car network processors are designed to be very small and inexpensive, just good enough for their task, and consuming as little power as possible. They usually run tiny operating systems and some communication and control applications. They don’t feature memory protection or an isolated sandbox to run processes in. Every application, also an application that shouldn’t be there, is able to access and rewrite the complete processor memory.
All in all, this is a considerable risk and – an untenable situation. Reportedly, researchers were able to remotely control a car by hacking its Wifi or Bluetooth gateways. Also, in a high-stakes case in Ukraine, it was demonstrated that electricity grids could be taken over and manipulated by attackers. Researchers at imec were able to hack pacemakers, eavesdropping on the devices and injecting potentially harmful commands.
This is not to say that such attacks are easy: They require a high level of sophistication, ingenuity and patience. But in the case of highly sensitive road traffic environments, because of the sheer number of electronically identical cars involved, an attacker who manages to find a way into one system, poses a real threat to the security of a great number of other systems.
Establishing safe processing harbors
For all these incidents and scenarios there is no commercial mitigation available today. In contrast to higher-end processors in laptop computers and smartphones, the automotive control chips are small and resource-constrained. They lack the security features that are standard on other processors, such as various privilege levels and memory segmentations. Yet, replacing all embedded processors in cars with high-end systems is not an option, due to cost, complexity and power consumption.
Therefore, at Imec, we have initiated a research endeavor to design a new secure architecture that is suitable to secure today’s embedded systems. It covers the CAN networks in cars, and also industrial control systems in manufacturing, or even very small IoT devices. Such security systems have to be low on complexity and cost – a definite requirement in regard to the envisioned applications.
We started out with a lightweight microcontroller and extended its design, adding a secure memory management and a crypto unit optimized for low-power consumption. The result is a processor that is not much larger and doesn’t consume much more energy (about 6 percent). But it is able to isolate the critical network software and it creates a kind of a safe harbor for it. With this isolation concept, the software cannot be compromised. Its trusted computing base is restricted to the hardware on which it runs. Barring vulnerabilities in a protected application itself, no software, be it an application or operating system, running on the same processor or on an outside process, can override the security checks and read or overwrite the protected runtime state.
Knowing whom to trust
But even if the processor that controls the brakes of a car can no longer be hacked, it will still obey any brake command, even if issued by an illegitimate source. Therefore, we have limited the range of trusted message sources to those that can authenticate themselves as legitimate. Thus a brake command should only come from a trusted processor, which itself cannot be hacked, and from an authenticated software component. So the CAN network is now made up of small unbreakable applications that mutually authenticate and trust each other.
In an automobile, such an embedded system must be able to be contacted from the outside, for instance by a software provider that wants to install updates, or, in a more general way, for communicating with the surrounding traffic infrastructure. Therefore, Imec’s Sancus provides secure communication and remote attestation. Any outside party can send or receive messages to and from a specific software module on a specific node, while making sure that this is the correct module (authenticity), it has not been changed (integrity), and its status is correct (freshness).
Demo at ITF and future work
Thus, Sancus is conceived as novel security architecture for resource-constrained, extensible embedded network systems. It provides remote attestation and strong integrity, as well as authenticity guarantees within a minimal layout of a trusted computing base. Sancus consists of the specially extended microprocessor, the dedicated software running in the safe harbors, and a C compiler that generates the Sancus-secured code.
To be precise, Sancus still is an ongoing project, and the researchers in Imec’s research groups at DistriNet and COSIC at KU Leuven must still resolve a number of issues to be included in Sancus. One of these issues is to ensure the availability and real-time function of the network. We can now guarantee that any messages that arrive in a module are legitimate. But we cannot yet ensure that they will arrive at their intended destination nodes. It would still be possible for an attacker to drop malicious messages – which our solution of course would detect. And in most cases this would probably not lead to dangerous situations, as the receiving node would raise an error flag and halt the system in a safe way. But this is of course inconvenient.
A second issue is safe operation of the secure software modules. Without formal design methodologies and inherently safe programming languages, these modules show vulnerabilities that may lead to unsafe operating situations. But due to the small isolated modules of trusted code, it should be possible to design these in a more formal, fault-free way.
Collaborating on Sancus
At this point, we are looking for collaboration partners to develop suitable hardware/software solutions, which are best adapted to the envisioned environments. At the upcoming Imec Technology Forum in Antwerp (ITF Belgium, May 16-17), Sancus is to be demonstrated, either in an automotive scenario or as a smart metering solution, which is another use case where embedded processors need additional security measures. At ITF, there is an excellent opportunity to discuss in technical detail how to add tight security to these embedded networks – an issue that will become more pressing when autonomous cars will start to communicate with their surroundings.
Availability and acknowledgements
To ensure that the results of the Sancus initiative can be verified and reproduced, the hardware design and software of our prototype have been made publicly available. Hardware designs, source files, as well as binary packages and documentations can be found at https//distrinet.cs.kuleuven.be/software/sancus.
Sancus has been designed and implemented by Imec’s DistriNet and COSIC (both located at KU Leuven) – two research groups well known for their work on security matters. The development is supported in part by the Intel Lab’s University Research Office. It was also partially funded by the Research Fund KU Leuven, by the EU FP7 Project NESSoS, and by the Belgian Cybercrime Centre of Excellence (B-CCENTRE).
The Sancus project (Sancus: Low-cost trustworthy extensible networked devices with a zero-software Trusted Computing Base) was first presented by Job Noorman, Pieter Agten, Wilfried Daniels, Raoul Strackx, Anthony Van Herrewege, Christophe Huygens, Bart Preneel, Ingrid Verbauwhede, and Frank Piessens at the 22nd USENIX Conference on Security 2013 in Berkeley, CA, USA. https//distrinet.cs.kuleuven.be/software/Sancus
About the author
Jan Tobias Mühlberg is Research Manager at Imec (DistriNet, KU Leuven). Prior, until 2011, he did research at University Bamberg, Germany. He obtained his Ph.D. in 2010 from York University, UK. Until 2005, he has worked as a researcher at the University of Applied Sciences in Brandenburg, Germany, where he obtained his M.Sc. Tobias focuses on software security, formal verification and validation of software systems, specifically for embedded systems and low-level operating system components. He is particularly interested in security architectures for safety-critical embedded systems and for the Internet of Things.