Table of Content
- Secure Boot
- Software Integrity
- Secure Update/Upgrade
- Layered Security
- Read-Only File Systems
- Mandatory Access Control
- Secured Applications
This document addresses the following security concepts that help make connected vehicles less vulnerable to security threats.
Secure boot refers to preventing malicious software applications and “unauthorized” operating systems from loading during the system start-up process. The goal is to protect users from rootkits and other low-level malware attacks. Modern bootloaders come with features that can be used to enable secure boot in the system.
The goal of software integrity is to ensure that all software running on a system has not been altered in any way, either accidentally or maliciously. This is typically achieved by checking a file’s hash or signature against a protected, “good” value that exists in the system. Maintaining software integrity ensures that your system behaves as intended. In principle, it protects the system against any malicious code trying to tamper your system.
Software updates in connected vehicles are a very useful feature, which
can deliver significant benefits. If not implemented with security in
mind, software updates can incur serious vulnerabilities. Any software
update system must ensure that not only are the software updates to
devices done in a secure way, but also that the repositories and servers
hosting these updates are adequately protected. As the process of updating
software migrates from a
Dealership update model towards an
update model, securing these processes becomes a high priority.
It has been well established amongst software security researchers, that a layered approach to security ensures a stronger protection against attackers. A multi-layered approach to security should be included when designing the architecture of a connected car. The goal is to ensure that even if one layer of security is compromised, the other layers will protect the platform, while at the same time making it harder for attackers to breach the security of the system.
Read-Only File Systems
When following a layered security design, one simple yet effective way to protect the platform is to make the file system read-only. It is important to note that making the filesystem read-only is not a foolproof security mechanism. It does, however, make life more complex for an attacker.
Mandatory Access Control
Mandatory Access Control (MAC) refers to a type of access control in a Linux system that constrains the ability of a “subject” to access a “resource”. The Linux kernel makes these decisions based on a pre-existing policy. User are not allowed to override or modify this policy, either accidentally or intentionally. MAC uses the underlying kernel framework of Linux Security Modules (LSM). There are multiple LSMs available including SELinux, Simplified Mandatory Access Control Kernel (SMACK), AppArmor and others. AGL uses SMACK as the MAC.
Applications in the modern car are steadily improving the dashboard and control of the car. Applications have also proven to be frequent point of attack for hackers. In AGL, The term of Application (App) has a very wide definition. Almost anything which is not in the core OS is considered an Application. At the same time, when talking about the security of applications, any mobile applications that have been designed to interact with the car must also be considered. Secured applications are mission-critical for OEMs who want to meet customer expectations for innovative software features, while ensuring the safety and proper functioning of their vehicles.