10 - P4 - Safety & Security - 07072022
This slide is a part of BGSV Embedded Academy (BEA) program and only used for
BEA training purposes.
This slide is Bosch Global Software Technology Company Limited’s internal property.
All rights reserved, also regarding any disposal, exploitation, reproduction, editing,
distribution as well as in the event of applications for industrial property rights.
This slide has some copyright images and text, which belong to the respective
organizations.
P4
SAFETY & SECURITY
Agenda
Functional Safety
Cyber Security
Functional Safety Introduction
Agenda (content and timeline)
Examples: 15 mins
✓ Boeing 737 MAX grounded
✓ Tesla Model 3 crashes into overturned truck on highway
Functional Safety Awareness: 60 mins
✓ Challenges and Motivations of Safety
✓ Introduction to Functional Safety and ISO 26262 Standard
✓ Approaches to ISO 26262
Groupwork: 15 mins
✓ Create safety requirements for AEB function
Safety Culture: 10 mins
Conclusion and Q&A: 5 mins
Training Post-Test: 15 mins
Functional Safety Introduction
An Example: Boeing 737 MAX grounded
The Boeing 737 MAX passenger airliner was grounded – 346 people died in two crashes
▪ Lion Air Flight 610 on October 29, 2018
▪ Ethiopian Airlines Flight 302 on March 10, 2019
Functional Safety Introduction
An Example: Tesla Model 3 crashes into overturned truck on highway
FUNCTIONAL SAFETY
AND
ISO 26262 STANDARD
Functional Safety Introduction
Challenges with Automotive Industry
Challenges to meet:
Safety
Security
Comfort
Automation
Efficiency
Performance
Less Pollution & etc.
Functional Safety Introduction
Motivations: Malfunction and its impacts
▪ Systems and processes must NOT harm human beings
▪ The OEM has to ensure that design, production and related faults are adequately detected and mitigated in an effective way
Possible impacts (figure): rework, schedule, brand and reputation, and the adverse effects on them
Functional Safety Introduction
Motivations: Malfunction and its impacts
We do not want to be in the media with comparable headlines
Functional Safety Introduction
Motivations: Why Product Safety?
Market Trends
The increasing complexity of devices has increased the inherent risks of using them.
Legal Regulations
Governments worldwide have defined laws and regulations to monitor and implement the safety of products and processes.
❖ §1 Liability (main clause)
If somebody is killed by the failure of a product, his body or his health is injured or a thing is damaged, the manufacturer of the product is obliged to compensate the injured person for the damage.
Consumer Awareness
Increasing consumer awareness of expected safety standards can adversely affect companies that ignore Product Safety.
Functional Safety Introduction
Product Safety
A product should be designed and manufactured so that it does not harm the consumer or damage the consumer's property.
Product Safety is the freedom from unacceptable risk of harm; this means the level of safety that the general public can legitimately expect.
Functional Safety Introduction
Functional Safety
Functional Safety *
absence of unreasonable risk due to hazards caused by malfunctioning behavior of E/E systems
*definition according to ISO 26262-1:2018, 3.67
Functional Safety Introduction
The Standard ISO 26262
ISO 26262:2011 (first edition) is an International Standard for the automotive industry, based on the generic Functional Safety Standard IEC 61508
ISO 26262:2011 is the first edition, for passenger cars, published November 2011
ISO 26262:2018 is the second edition, extended to trucks, buses and motorcycles, published December 2018
ISO 26262 is NOT a law, but it can help to avoid product liability issues
Deals with the functional safety topic to minimize the occurrence and consequences of road accidents due to E/E systems and software
Provides a systematic development process and has high demands on technical requirements, process documentation and analysis
Functional Safety Introduction
Scope of the Standard ISO 26262 & Product Life-Cycle
ISO 26262 includes requirements for
▪ development processes and organization, i.e. Functional Safety Management
▪ technical requirements for the system, HW and SW levels
The complete product life cycle is addressed (figure: Functional Safety Management Activities span the Concept Phase, the Development Phase and Production and Operation):
▪ concept phase: system description, hazard analysis
▪ system development phase: system development, HW and SW development
▪ HW- and SW-development phase
▪ production and operation: production, operation, service, decommissioning
Functional Safety Introduction
Structure of the ISO 26262:2018 (figure)
Part 2: Functional Safety Management Activities
Part 3: Concept Phase
Development Phase: Part 4: System level, Part 5: Hardware level, Part 6: Software level
Part 7: Production and Operation
Part 12: Adaptation for Motorcycles
Figures: 12 parts, > 800 pages, > 600 requirements; ~70% are addressed by CMMI level 3 (or similar, like SPICE)
Functional Safety Introduction
Approaches to ISO 26262
Functional Safety Introduction
Approaches to ISO 26262: Definitions
Item: system or combination of systems that implements a function or part of a function at the vehicle level
Element: either a system or a component (consisting of hardware parts and/or software units)
System: set of components or subsystems that relates at least a sensor, a controller and an actuator with one another
Example (car engine, engine control unit): Fault → Error → Failure → Hazard → Harm / Accident
Fault: too high accelerator pedal value request to the engine (code mistake)
Error: engine control unit provides too high torque
Failure: excessive engine torque output
Hazard: too high drive torque (vehicle acceleration)
Functional Safety Introduction
Approaches to ISO 26262: Hazard Overview
Hazards (figure), listed per relevant vehicle effect:
headlights control: missing activation
wheel torques: brake torque too low / high; drive torque too low / high; hold force missing / unintended; asymmetrical wheel torques → yaw torque too low / high
steering angle / torque: faulty
driver information supply (INFO): missing or wrong
airbag firing: unintended firing, missing firing
Functional Safety Introduction
Approaches to ISO 26262: Malfunction of E/E system
Figure: an E/E system malfunction has its failure cause either in hardware (systematic or random) or in software (systematic).
Systematic Failure
Failure, related in a deterministic way to a certain cause, that can only be eliminated by a change of the design or of the manufacturing process, operational procedures, documentation or other relevant factors
Example: wrong messages from an ECU on the CAN bus because an obsolete message format has been used
An appropriate development process (e.g., review method, test method) is defined for each ASIL level by the ISO
Random Hardware Failure
Failure that can occur unpredictably during the lifetime of a hardware element and that follows a probability distribution
Example: in ECU RAM memory, a stored bit permanently stuck at the same value (0 or 1)
A target value of the failure rate is defined for each ASIL level by the ISO
NOTE: Random hardware failure rates can be predicted with reasonable accuracy
Functional Safety Introduction
Approaches to ISO 26262: Risk and Reasonable Risk Level
risk = (frequency of system failure causing injuries of a severity level) × (severity weighting factor) < reasonable risk level for system failure causing injuries of that severity level
λ: failure rate
ASIL is determined to specify the item's necessary (functional) safety requirements for achieving an unavoidable residual risk
Systematic failure: risk = ASIL f(S, E, C) × failure rate
Functional Safety Introduction
Approaches to ISO 26262: Risk and Reasonable Risk Level
Figure: risk diagram (axis labels "always", "combined with", "remote", "easy"). Finally, we must be on this side of the diagram (i.e. absence of unreasonable risk)!
ASIL Classification
A, B, C, D: lowest to highest
For the further implementation of ISO 26262 the ASIL classification must be known. The following classifications are possible:
QM → no safety relevance according to ISO 26262; processes according to the usual QM system (ISO/TS 16949 or ISO 9001 certification) are sufficient
ASIL A … ASIL D → processes according to ISO 26262
Functional Safety Introduction
Approaches to ISO 26262: ASIL (Automotive Safety Integrity Level)
ASIL requires the identification and categorization of hazards caused by a malfunction of the system. This is done by the method "Hazard Analysis and Risk Assessment (HARA)" using the following risk parameters:
Exposure: How often do the driving situations occur in which a driver or other road users can be exposed to the hazard?
Controllability: How well can the driver or other road users control the hazard in this driving situation so that damage can be avoided?
Severity: When damage occurs, what is its severity?
The outcome of this Hazard Analysis and Risk Assessment helps us in deriving the corresponding ASIL
Functional Safety Introduction
Approaches to ISO 26262: Risk Parameters
Severity (S)
S0: No injuries
S1: Light and moderate injuries
S2: Severe and life-threatening injuries (survival probable)
S3: Life-threatening injuries (survival uncertain), fatal injuries
Exposure (E)
E1: Very low probability
E2: Low probability
E3: Medium probability
E4: High probability
Controllability (C)
C1: Simply controllable
C2: Normally controllable
C3: Difficult to control or uncontrollable
Functional Safety Introduction
Approaches to ISO 26262: ASIL Determination (figure)
Functional Safety Introduction
Approaches to ISO 26262: Hazard Analysis and Risk Assessment
Hazard Analysis helps to determine the automotive safety integrity level (ASIL) by characterizing the effects of the item's failures on the traffic participants.
Functional Safety Introduction
Approaches to ISO 26262: HARA with Concept of ASIL
ASIL: Automotive Safety Integrity Level (i.e. necessary risk reduction)
Frequency (probability of exposure to the driving situation, E*C, from "always" down to "remote") against Severity (S0 negligible … S3 catastrophic):
E*C = 1        S0: QM*  S1: B   S2: C   S3: D
E*C = 0,1      S0: QM*  S1: A   S2: B   S3: C
E*C = 0,01     S0: QM*  S1: QM  S2: A   S3: B
E*C = 0,001    S0: QM*  S1: QM  S2: QM  S3: A
E*C = 0,0001   S0: QM*  S1: QM  S2: QM  S3: QM
E*C = 0,00001  S0: QM*  S1: QM  S2: QM  S3: QM
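As an added worked example (not part of the slides), the following C code turns the risk parameters S, E and C from the "Risk Parameters" slide into an ASIL the way ISO 26262-3 does it. It goes beyond the slide's E*C-versus-severity table to the standard's full S/E/C determination table, which for S1..S3 reduces to summing the class indices (10 → D, 9 → C, 8 → B, 7 → A, below that QM; S0 is always QM). The function names `asil_from_sec` and `hara_row_consistent` are chosen here; the second one is the check a reviewer runs over a HARA sheet to see whether the stated ASIL matches the recorded parameters.

```c
#include <stdio.h>
#include <string.h>

/* ISO 26262-3 ASIL determination as a lookup over the three HARA parameters:
 * S0..S3 severity, E1..E4 exposure, C1..C3 controllability (classes as on
 * the slides). S0 ("no injuries") is always QM. For S1..S3 the standard's
 * table is equivalent to the sum of the class indices. Returns NULL when a
 * class is out of range, so a typo in the HARA sheet cannot silently become QM. */
const char *asil_from_sec(int s, int e, int c) {
    if (s < 0 || s > 3 || e < 1 || e > 4 || c < 1 || c > 3) return NULL;
    if (s == 0) return "QM";
    switch (s + e + c) {
        case 10: return "D";   /* S3 E4 C3 */
        case 9:  return "C";
        case 8:  return "B";
        case 7:  return "A";
        default: return "QM";  /* sum of 6 or less */
    }
}

/* Review check: does the "maximum ASIL rating" written in a HARA row match
 * the S/E/C parameters recorded in the same row? */
int hara_row_consistent(int s, int e, int c, const char *stated_asil) {
    const char *computed = asil_from_sec(s, e, c);
    return computed != NULL && strcmp(computed, stated_asil) == 0;
}

int main(void) {
    /* Vehicle Hold slides: steep-slope analogue with S3, E2, C1 is rated QM;
     * the worst case S3, E4, C3 is ASIL D */
    printf("S3 E2 C1 -> ASIL %s\n", asil_from_sec(3, 2, 1));
    printf("S3 E3 C3 -> ASIL %s\n", asil_from_sec(3, 3, 3));
    printf("S3 E4 C3 -> ASIL %s\n", asil_from_sec(3, 4, 3));
    printf("row (S3,E2,C1,'QM') consistent: %d\n", hara_row_consistent(3, 2, 1, "QM"));
    return 0;
}
```

The order of the checks matters: range validation comes first so that an impossible class such as E5 is reported as an error rather than being folded into the sum and producing a plausible-looking ASIL.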
Functional Safety Introduction
Example: Vehicle Hold
Driving situation: vehicle is parked on a slope, driver outside the car
Failure on vehicle level: unintended vehicle movement (due to too low holding force at the wheels)
Failure on ESP system level: no or too low brake pressure at the wheel brakes
Severity S3: if an impact speed higher than 30 km/h is possible *)
Maximum ASIL rating: ASIL C
Functional Safety Introduction
Example: Vehicle Hold
Driving situation: vehicle held on a slope, driver inside the car
Failure on vehicle level: unintended vehicle movement (due to too low holding force at the wheels)
Failure on ESP system level: no or too low brake pressure at the wheel brakes
Exposure E3: situation "hill hold", the vehicle is stopped on a slope with threshold > 5% **); velocity can increase considerably, up to 30 km/h, before hitting an obstacle in the environment. Analogous is the case of a steep slope (E2) with higher severity (S3)
Controllability C1: the driver is simply controlling the vehicle
Maximum ASIL rating: ASIL QM
Functional Safety Introduction
Safety Concept / Requirements Flow
Vehicle level (responsibility: OEM): Hazard Analysis and Risk Assessment (HA&RA) → Specification of Safety Goals
System level (responsibility: e.g. RB): Technical Safety Concept → Specification of Technical Safety Requirements
Functional Safety Introduction
Groupwork: Create safety requirements for AEB function
Automatic Emergency Brake (AEB)
Functional Safety Introduction
Groupwork: Hazard Overview
Same hazard overview figure as under "Approaches to ISO 26262: Hazard Overview" above (headlights control, wheel torques, steering angle / torque, driver information supply, airbag firing).
Functional Safety Introduction
Groupwork: Create safety requirements for AEB function
Vehicle Function
Functional Safety Introduction
Approaches to ISO 26262: Principles
The combination of probability and severity of dangerous system
failures must not exceed the reasonable risk level
Functional Safety Introduction
Approaches to ISO 26262: Recommended Process & Requirements
(Effort increases from QM to ASIL D.)
QM
  Requirements to avoid and control systematic failures: ISO/TS 16949
ASIL B
  Requirements to avoid and control systematic failures: ISO 26262 conform development process
  Requirements to detect and control random hardware failures: low demand for safety mechanisms, quantitative or qualitative analysis. As a result, limited requirements to hardware reliability and monitoring concepts
ASIL C
  Systematic failures: ISO 26262 conform development process, assessment required, stricter processes compared to ASIL A, B with respect to, for example, design assurance and verification
  Random hardware failures: quantitative and qualitative analysis required, effectiveness of implemented safety mechanisms (e.g. monitoring concepts) must be evaluated
ASIL D
  Systematic failures: ISO 26262 conform development process, assessment required, most comprehensive requirements with respect to development processes, design assurance, and verification
  Random hardware failures: category with lowest residual risk. In addition to ASIL C, stricter requirements for hardware reliability and comprehensive diagnosis and monitoring concepts
SAFETY CULTURE
Functional Safety Introduction
What is the problem?
Traditional safety engineering approaches were developed for relatively simple electro-mechanical systems
New technology (especially software) is allowing almost unlimited complexity in the systems we are building
Complexity is creating new causes of accidents
We should build the simplest systems possible, but are usually unwilling to make the compromises necessary
‒ Complexity related to the problem itself
‒ Complexity introduced in the design of the solution to the problem
We need new, more powerful safety engineering approaches to deal with complexity and new causes of accidents
One aspect: increase Safety Culture!
Source: "The Role of Complexity in System Safety and How to Manage It", Nancy Leveson, MIT,
https://www.google.de/search?q=safety+culture+nancy+leveson&ie=utf-8&oe=utf-8&gws_rd=cr&ei=5wgJVs-0Icb5ygPjtaj4Aw
Functional Safety Introduction
Real examples of a “bad safety culture”
Functional Safety Introduction
Safety Culture: Problem Summary
Most accidents in all industrial areas are also caused by human factors
Gaps in process development (e.g., bad coding style and insufficient testing)
Suppression of facts (e.g., no awareness of problem solving)
Missing awareness of malfunctions which are not covered by given standards (e.g., unwanted AEB activations caused by functional insufficiencies)
Very often there exists the mindset "safety is done by one person" and is covered in parallel to the standard development process
Functional Safety Introduction
Safety Culture for new engineers
Commitment from Top Management
▪ Takes the Safety Policy seriously
▪ Resources are allocated for safety to the whole organization
▪ Knows the significance and importance of safety standards
Commitment from Project Management
▪ Takes accountability for safety in the project
▪ Resources are allocated for safety to all project members
▪ Safety experts are named for all relevant system functions
Commitment from Developer
▪ Keeps a questioning attitude
▪ Development conforms to the process landscape
▪ Takes accountability not only for the function but also for malfunction
▪ Takes accountability for safety in their scope and fixes/communicates all recognized gaps, even outside their scope
CYBER SECURITY
Introduction
Challenge
You are a new hacker. Your first assignment is hacking a new
electric car with many modern features.
Introduction
Car Hacking Demo
Hackers Remotely Kill a Jeep on a Highway | WIRED
Introduction
Threats & Motivation – Automotive World
Jeep Cherokee
Introduction
What is Cyber Security
Technologies, processes, and practices designed to protect networks, devices, programs, and data from attack, damage, or unauthorized access.
Introduction
Why Cyber Security was not mandatory in the past
The car was a single entity without connectivity
Car hacking requirements:
Physical access
Very expensive technical equipment
High skill set required
Car hacking benefits:
Engine tuning
More functions
…
Introduction
Why do we need Cyber Security today
Source: www.microcontrollertips.com
Introduction
Why do we need Cyber Security from today
Timeline (figure): increasing communication & complexity, open interfaces → known weaknesses, attack potential demonstrated → attacks, viruses, Trojans, accidents → high consequential costs, image damage
Introduction
Why do we need Cyber Security from today
Country or global standard
UNECE WP.29 timeline: 7/2022, 7/2024 and 5/2026
Source: www.electronicdesign.com
Terminology & Definition
Symmetric cryptography
Each party knows one identical secret key
Use cases:
UC1: Each party can encrypt & decrypt data (figure: encryption with Key A, decryption with Key A)
UC2: Each party can generate & verify authentication tags (figure: MAC generation with Key A, MAC verification with Key A → OK / NG)
Terminology & Definition
Asymmetric cryptography
Each party has two keys
One private key (or secret key), which is kept strictly secret
One public key, which is distributed openly and everywhere
Use cases:
UC1: Encrypt data with the public key & decrypt data with the private key (figure: encryption → decryption)
UC2: Generate a signature with the private key & verify the signature with the public key (figure: signature generation → signature verification → OK / NG)
One-way cryptography
Terminology & Definition
Symmetric cryptography vs Asymmetric cryptography (figure)
Source: www.thesslstore.com
Terminology & Definition
Security State-of-the-Art
The state-of-the-art requires measures to avoid known or reasonably foreseeable risks based upon generally available, not necessarily new, technical findings and solutions that recognized experts use. These measures become state-of-the-art as soon as they are a) scientifically proven (i.e., in theory), b) available for series production, and c) practically usable.
Terminology & Definition
HSM – Hardware Security Module
Figure: "VS" comparison image (source: https://en.wikiarquitectura.com)
Hardware-based Roots of Trust
Terminology & Definition
TARA (Threat and Risk Analysis)
Figure (built up over four slides): the ECU is the target of evaluation (TOE); around it the TARA steps Security Goals, Threat Modeling, Risk Assessment and Risk Handling are added one by one.
Security Features
Overview
1) Secure Access: secure access for diagnosis and re-programming
2) Secure Lifecycle: enhance work efficiency during development, production…
3) Secure Flashing: firmware authentication via software signatures
4) Hardware Interface Protection: protect the JTAG port from unauthorized usage
5) Secure In-Vehicle Communication: authenticity and integrity for internal communication
6) Trusted Boot: secure/authentic hybrid boot sequence
7) Runtime Manipulation Detection: cyclic verification of code-flash authenticity
8) Secure Data Storage: ensure authenticity and confidentiality of stored data
9) Secure Logging: store and protect security related events
10) Secure Feature Activation: activate features only after authorization
Security Features
Secure Access
Ensures that only authorized parties can gain access to ECU diagnosis services
Applies symmetric or asymmetric cryptography
May support several authorization levels to increase access control
Security Features
Secure Access (Symmetric Crypto.)
Sequence between the Tester / FOTA master and the ECU (figure, built up over four slides); both sides hold Key A:
1. Tester → ECU: Security access request
2. ECU: random value generation → Seed
3. ECU → Tester: Respond with Seed / Challenge
4. Tester: computes Key from Seed and Key A
5. Tester → ECU: Send Key / Response
6. ECU: computes Key from Seed and Key A, comparison → Unlock feature
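The seed/key exchange above, and the symmetric "MAC generation / MAC verification → OK / NG" use case from the Terminology section it is built on, as an added C example that is not part of the slides. The slides do not say which algorithm turns Seed and Key A into the Key; this example assumes SipHash-2-4 (a keyed 64-bit PRF) for that step so the MAC is a real primitive and the block runs stand-alone. Key A, the seed bytes, and the names `ecu_security_access_request`, `derive_key`, `ecu_send_key` and `run_secure_access` are constructed here. Two behaviours the sequence diagram leaves implicit are made explicit: the comparison is constant-time, and a seed is consumed by the first response so a captured Key cannot be replayed against the same challenge.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* SipHash-2-4 (Aumasson & Bernstein): 128-bit key, 64-bit tag keyed PRF.
 * Assumption: stands in for the unnamed "Key A" algorithm of the slides. */
#define ROTL64(x, b) ((uint64_t)(((x) << (b)) | ((x) >> (64 - (b)))))
#define SIPROUND                                                          \
    do {                                                                  \
        v0 += v1; v1 = ROTL64(v1, 13); v1 ^= v0; v0 = ROTL64(v0, 32);    \
        v2 += v3; v3 = ROTL64(v3, 16); v3 ^= v2;                          \
        v0 += v3; v3 = ROTL64(v3, 21); v3 ^= v0;                          \
        v2 += v1; v1 = ROTL64(v1, 17); v1 ^= v2; v2 = ROTL64(v2, 32);    \
    } while (0)

static uint64_t u8to64_le(const uint8_t *p) {
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}

uint64_t siphash24(const uint8_t key[16], const uint8_t *msg, size_t len) {
    uint64_t k0 = u8to64_le(key), k1 = u8to64_le(key + 8);
    uint64_t v0 = 0x736f6d6570736575ULL ^ k0, v1 = 0x646f72616e646f6dULL ^ k1;
    uint64_t v2 = 0x6c7967656e657261ULL ^ k0, v3 = 0x7465646279746573ULL ^ k1;
    uint64_t b = (uint64_t)len << 56;            /* length byte of the final block */
    size_t i = 0;
    for (; i + 8 <= len; i += 8) {               /* full 8-byte blocks */
        uint64_t m = u8to64_le(msg + i);
        v3 ^= m; SIPROUND; SIPROUND; v0 ^= m;
    }
    for (size_t j = 0; i + j < len; j++)         /* remaining tail bytes */
        b |= (uint64_t)msg[i + j] << (8 * j);
    v3 ^= b; SIPROUND; SIPROUND; v0 ^= b;
    v2 ^= 0xff;                                  /* finalization: 4 rounds */
    SIPROUND; SIPROUND; SIPROUND; SIPROUND;
    return v0 ^ v1 ^ v2 ^ v3;
}

/* Shared secret Key A (constructed value; on the ECU it would live in the HSM) */
static const uint8_t KEY_A[16] = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15};

typedef struct {
    uint8_t seed[8];
    int seed_valid;   /* assumption: one seed answers exactly one response, then expires */
    int unlocked;
} ecu_t;

/* "Security access request" -> ECU generates a random seed and returns it.
 * The seed bytes are injected to keep the example deterministic; a real ECU
 * draws them from its RNG/HSM. */
void ecu_security_access_request(ecu_t *ecu, const uint8_t fresh_seed[8]) {
    memcpy(ecu->seed, fresh_seed, 8);
    ecu->seed_valid = 1;
    ecu->unlocked = 0;
}

/* Both sides: Key = MAC(Key A, Seed) */
uint64_t derive_key(const uint8_t key_a[16], const uint8_t seed[8]) {
    return siphash24(key_a, seed, 8);
}

/* Constant-time 64-bit equality: no early exit, so timing does not reveal
 * how much of a wrong response matched */
static int ct_equal64(uint64_t a, uint64_t b) {
    uint64_t d = a ^ b;
    d |= d >> 32; d |= d >> 16; d |= d >> 8; d |= d >> 4; d |= d >> 2; d |= d >> 1;
    return (int)(1 - (d & 1));
}

/* "Send Key / Response" -> comparison -> unlock feature (1 = OK) or NG (0) */
int ecu_send_key(ecu_t *ecu, uint64_t response) {
    if (!ecu->seed_valid) return 0;              /* no open challenge: NG */
    ecu->seed_valid = 0;                          /* consume the seed before comparing */
    ecu->unlocked = ct_equal64(derive_key(KEY_A, ecu->seed), response);
    return ecu->unlocked;
}

/* Whole exchange with the key the tester holds; replay_once re-sends the
 * accepted response a second time against the same ECU */
int run_secure_access(const uint8_t tester_key[16], int replay_once) {
    static const uint8_t seed[8] = {0x5a, 0x11, 0xc3, 0x07, 0x9e, 0x42, 0xf0, 0x6d}; /* constructed */
    ecu_t ecu = {{0}, 0, 0};
    ecu_security_access_request(&ecu, seed);           /* request -> seed / challenge */
    uint64_t response = derive_key(tester_key, seed);  /* tester computes the key */
    int ok = ecu_send_key(&ecu, response);             /* ECU compares, unlocks */
    return replay_once ? ecu_send_key(&ecu, response) : ok;
}

int wrong_key_is_rejected(void) {
    uint8_t wrong_key[16];
    memset(wrong_key, 0xA5, sizeof wrong_key);
    return run_secure_access(wrong_key, 0) == 0;
}

int main(void) {
    printf("correct Key A    : %s\n", run_secure_access(KEY_A, 0) ? "OK, feature unlocked" : "NG");
    printf("wrong key        : %s\n", wrong_key_is_rejected() ? "NG (rejected)" : "OK?!");
    printf("replayed response: %s\n", run_secure_access(KEY_A, 1) ? "OK?!" : "NG (seed already used)");
    return 0;
}
```

The same MAC-then-compare structure is what the "Secure Communication" figure later in the deck shows for in-vehicle messages: the sender computes the tag with Key A, the receiver recomputes it and the comparison yields OK or NG.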
Security Features
Figure (built up over five slides): key pair generation → private key / public key; verification result OK / NG
Security Feature
Secure Life Cycle
Specifies a roles and authorizations model for usage in Secure Access
Ensures an access boundary for each life cycle state (figure):
Development: access to almost all features (needed by developers)
Verification: access to features required for ECU test
Plant Production: access to all features required during production
Series (mounted on vehicle): access to only basic features
Return Analysis
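The roles and authorizations model of the Secure Life Cycle slide, written out as an added C example (not from the slides). The life-cycle states are the ones on the slide; the feature bitmask, the exact feature set allowed per state and the rule that a state may only move forward (a series ECU cannot be put back into Development to regain debug access) are assumptions made here, since the slide names the states but not the transition rules. The names `lifecycle_authorizes` and `lifecycle_advance` are chosen for this example.

```c
#include <stdio.h>

/* Life-cycle states from the slide, in the order an ECU passes through them.
 * Assumption: transitions only move forward. */
typedef enum {
    LC_DEVELOPMENT, LC_VERIFICATION, LC_PRODUCTION, LC_SERIES, LC_RETURN_ANALYSIS, LC_COUNT
} lifecycle_t;

/* Features behind Secure Access as a bitmask (constructed set; the slide only
 * speaks of "all", "almost all", "required for ECU test" and "basic" features) */
#define F_DIAG_BASIC    (1u << 0)   /* basic diagnostics, needed in the field */
#define F_REPROGRAM     (1u << 1)   /* flash re-programming */
#define F_ECU_TEST      (1u << 2)   /* verification / end-of-line test routines */
#define F_KEY_INJECTION (1u << 3)   /* writing production secrets */
#define F_DEBUG_TRACE   (1u << 4)   /* developer-only tracing */
#define F_ALL (F_DIAG_BASIC | F_REPROGRAM | F_ECU_TEST | F_KEY_INJECTION | F_DEBUG_TRACE)

/* The roles and authorizations model: access boundary per life-cycle state */
static const unsigned ALLOWED[LC_COUNT] = {
    [LC_DEVELOPMENT]     = F_ALL & ~F_KEY_INJECTION,                  /* almost all (needed by developers) */
    [LC_VERIFICATION]    = F_DIAG_BASIC | F_ECU_TEST,                 /* required for ECU test */
    [LC_PRODUCTION]      = F_ALL,                                     /* all features required during production */
    [LC_SERIES]          = F_DIAG_BASIC,                              /* only basic features on the vehicle */
    [LC_RETURN_ANALYSIS] = F_DIAG_BASIC | F_ECU_TEST | F_DEBUG_TRACE, /* assumption for field returns */
};

/* 1 if every requested feature bit is allowed in this state, else 0.
 * Called after Secure Access succeeded: the state bounds what may be unlocked. */
int lifecycle_authorizes(lifecycle_t state, unsigned features) {
    if ((int)state < 0 || state >= LC_COUNT || features == 0) return 0;
    return (ALLOWED[state] & features) == features;
}

/* Move to the next state; only forward transitions are accepted */
int lifecycle_advance(lifecycle_t *state, lifecycle_t next) {
    if (next >= LC_COUNT || next <= *state) return 0;
    *state = next;
    return 1;
}

/* A series ECU must not be moved back into Development to regain debug access */
int series_ecu_cannot_reenter_development(void) {
    lifecycle_t s = LC_SERIES;
    return lifecycle_advance(&s, LC_DEVELOPMENT) == 0 && s == LC_SERIES;
}

/* Walk the nominal path and return the number of accepted transitions (3) */
int nominal_path_transitions(void) {
    lifecycle_t s = LC_DEVELOPMENT;
    int n = 0;
    n += lifecycle_advance(&s, LC_VERIFICATION);
    n += lifecycle_advance(&s, LC_PRODUCTION);
    n += lifecycle_advance(&s, LC_SERIES);
    return n;
}

int main(void) {
    printf("series ECU, basic diag   : %d\n", lifecycle_authorizes(LC_SERIES, F_DIAG_BASIC));
    printf("series ECU, reprogram    : %d\n", lifecycle_authorizes(LC_SERIES, F_REPROGRAM));
    printf("dev ECU, key injection   : %d\n", lifecycle_authorizes(LC_DEVELOPMENT, F_KEY_INJECTION));
    printf("series -> development    : blocked=%d\n", series_ecu_cannot_reenter_development());
    printf("nominal path transitions : %d\n", nominal_path_transitions());
    return 0;
}
```

Keeping the table as data rather than as `if` chains is what makes the access boundary reviewable: the per-state mask is the artefact a security reviewer signs off on, and the check itself has no special cases.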
Security Feature
Secure Flashing (figure): key pair generation → private key / public key; the digital signature is created with the private key and the public key is delivered in a certificate; verification result passed / NG
Security Features
Hardware Interface Protection
Disable or protect hardware interfaces (HW-I) providing privileged access.
The used µC must offer adequate protection mechanisms
Figure: the secret is generated and exchanged between the Production Key Server, the Tester (with its database) and the ECU's HSM; the data flow between tester and HSM runs in a secure channel
Security Features
Secure Communication
Figure: MAC generation with Key A on the sender side, MAC verification with Key A on the receiver side → OK / NG
Secure Coding
Example – Heartbleed Bug
Figure: the user sends a request (REQ, Length, SrcData) and the server mirrors it back (RES, Length, DstData) with memcpy(pD, pS, Length), where pS points to the request data and pD to the response buffer.
With the bug: the request carries a 1-byte payload but declares Length = 65535; the server copies 65535 bytes from pS, so the mirrored response contains the 1 byte that was sent plus 65534 bytes of adjacent server memory (DstData).
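The memcpy(pD, pS, Length) over-read from the two Heartbleed slides, as an added C example that is not part of the deck: the vulnerable server beside the fixed one, run on one constructed request. The record layout (1-byte type, 2-byte big-endian length, payload), the "server memory" buffer with an unrelated marker string behind the request, and the names `heartbeat_vulnerable`, `heartbeat_fixed` and `response_leaks_memory` are all constructed here; the memory is a plain array so the over-read stays inside it and the example runs without undefined behaviour. The fix is the one the slides imply: the declared Length must fit inside the bytes that actually arrived, otherwise the record is discarded.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Heartbeat record as drawn on the slide: 1-byte type, 2-byte length, then the
 * payload the server has to mirror back. Constructed layout. */
#define HB_HEADER 3u

/* A slice of "server memory" (constructed): the received request sits at the
 * start, followed by bytes that belong to something else entirely. */
static const uint8_t SERVER_MEMORY[] = {
    0x01, 0x00, 0x20,                              /* REQ, Length field claims 32 bytes */
    'p', 'i', 'n', 'g',                            /* ... but only 4 payload bytes arrived */
    'S', 'E', 'C', 'R', 'E', 'T', '=', '4', '2',   /* unrelated data lying behind it */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};
static const size_t RECORD_LEN = 7;                /* bytes actually received */

/* Vulnerable server: trusts Length -> memcpy(pD, pS, Length) as on the slide */
size_t heartbeat_vulnerable(const uint8_t *req, uint8_t *out, size_t out_cap) {
    size_t length = ((size_t)req[1] << 8) | req[2];
    if (length > out_cap) length = out_cap;        /* guards pD only; pS still over-reads */
    memcpy(out, req + HB_HEADER, length);
    return length;
}

/* Fixed server: the declared Length must fit inside the bytes actually received */
size_t heartbeat_fixed(const uint8_t *req, size_t record_len, uint8_t *out, size_t out_cap) {
    if (record_len < HB_HEADER) return 0;          /* no room for a header: discard */
    size_t length = ((size_t)req[1] << 8) | req[2];
    if (HB_HEADER + length > record_len) return 0; /* Length > payload present: discard */
    if (length > out_cap) return 0;                /* response buffer too small: discard */
    memcpy(out, req + HB_HEADER, length);
    return length;
}

/* 1 if the mirrored response carries bytes that were never in the request */
int response_leaks_memory(const uint8_t *resp, size_t n) {
    static const char marker[] = "SECRET";
    const size_t k = sizeof marker - 1;
    for (size_t i = 0; i + k <= n; i++)
        if (memcmp(resp + i, marker, k) == 0) return 1;
    return 0;
}

size_t run_vulnerable(void) {
    uint8_t out[64];
    return heartbeat_vulnerable(SERVER_MEMORY, out, sizeof out);
}

int vulnerable_leaks(void) {
    uint8_t out[64];
    size_t n = heartbeat_vulnerable(SERVER_MEMORY, out, sizeof out);
    return response_leaks_memory(out, n);
}

size_t run_fixed_bad_request(void) {
    uint8_t out[64];
    return heartbeat_fixed(SERVER_MEMORY, RECORD_LEN, out, sizeof out);
}

size_t run_fixed_good_request(void) {
    static const uint8_t good[] = {0x01, 0x00, 0x04, 'p', 'i', 'n', 'g'};  /* Length matches payload */
    uint8_t out[64];
    return heartbeat_fixed(good, sizeof good, out, sizeof out);
}

int main(void) {
    printf("vulnerable        : copied %zu bytes, leaks memory: %s\n",
           run_vulnerable(), vulnerable_leaks() ? "yes" : "no");
    printf("fixed, bad request: copied %zu bytes (discarded)\n", run_fixed_bad_request());
    printf("fixed, good request: copied %zu bytes\n", run_fixed_good_request());
    return 0;
}
```

Note that clamping Length to the size of the destination buffer, which the vulnerable version does, is not a fix: it protects pD from overflow but says nothing about how much data sits behind pS. The check has to be against the received record length, which is the one quantity the sender cannot lie about.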
Secure Coding
Principle
Easy to read
Counter-example:
int func(int x)
{
    if (x++<x*++x);
    return 1;
    return 0;
}
Secure Coding
Principle
Easy to read
Easy to understand
Counter-example:
#include <stdio.h>
void func(void)
{
    int a=14, b=sizeof(a++);
    printf("%d, %d\n", a, b);
}
Secure Coding
Principle
Easy to read
Easy to understand
Validate expectations towards input data
Counter-example:
void Execute(Runnable action, int count)
{
    for (int i=0; i<count; i++)
        action.run();
}
Secure Coding
Principle
Easy to read
Easy to understand
Validate expectations towards input data
Checks for and handles errors
Expects exceptional conditions
Counter-example:
void func(char* in_string)
{
    char *str = (char*)malloc(strlen(in_string));
    strcpy(str, in_string);
}
Secure Coding
Principle
Easy to read
Easy to understand
Validate expectations towards input data
Checks for and handles errors
Expects exceptional conditions
Relies on specification guarantees and tests
Do not rely on unspecified behavior
Consider doing peer reviews
Automate as much as possible
Evaluate code analysis tools for your code base
Secure Coding
Principle
Example: Is there anything wrong in the following code? Expected output: 0x1234
#include <string.h>
short int func(void)
{
    short int target;
    char source[] = {0x12, 0x34};
    memcpy((char*)&target, &source[0], 2);
    return target;
}
Summary
Group Activities
You are a new security engineer. Your first assignment is
designing the security features to protect a new electric car
with many modern features.
Appendix
Functional Safety vs Security
Safety: focuses on risk resulting from random failures, accidents and systematic failures during item development. The goal is to prevent the system from causing unintended harm to people.
Security: focuses on risk resulting from deliberate attacks carried out by intelligent attackers. The goal is to prevent people from causing intentional harm to the system.
Note: A security issue or solution may compromise safety. E.g.: RAM test, CRC vs CMAC.
Thank you!