SecMonQ: An HSM based security monitoring approach for protecting AUTOSAR safety-critical systems

Many attacks on vehicle systems that result in a safety hazard follow a general pattern in which ECU firmware is modified, or code is injected in order to send spoofed CAN messages to safety-critical components causing an unsafe driving situation. There is a general consensus that protecting vehicles requires a defense in depth approach where protections are added at each layer of the vehicle data architecture. At the vehicle CAN bus layer, two powerful countermeasures exist: message authentication/encryption and network intrusion detection systems. The two approaches assume that an attacker has already managed to reach the CAN bus and therefore attempt to limit his impact. To defend against CAN injection attacks, we propose an alternative approach which aims at stopping a CAN injection attack before it reaches the vehicle bus. The proposed approach, working at the ECU level, leverages the embedded hardware security module (HSM), available in modern automotive ECUs, to implement four security monitors (SecMonQ) that run within the HSM firmware. SecMonQ performs continuous monitoring activities of the ECU firmware integrity, communication peripherals, periodic task timing, and flow sequence of certain critical functions. It is designed to detect an active attack and bring the system back to a safe state within the safety defined fault tolerant time. We implement SecMonQ on an automotive development environment which consists of an Elektrobit AUTOSAR stack and a Renesas RH850 F1KM micro-controller. We evaluate SecMonQ against the CAN masquerading attack to demonstrate efficacy while maintaining compatibility with AUTOSAR. (C) 2019 Elsevier Inc. All rights reserved.