

AUTOSAR Safety and Security
02-11-2023

<p class="MsoNormal" align="center" style="text-align:center"><font color="#ffffff"><br></font></p><p class="MsoNormal"><b><span style="font-family:"Segoe UI",sans-serif"><font color="#ffffff">OVERVIEW
OF AUTOSAR SAFETY AND SECURITY<o:p></o:p></font></span></b></p><p class="MsoNormal"><span style="font-family:"Segoe UI",sans-serif"><font color="#ffffff">Connectivity
and collaboration with various external sources are crucial for future
automotive applications. This involves communicating with sensors and
applications within the vehicle, as well as external sources such as mobile
devices, roadside infrastructure, and cloud computing systems provided by
backend IT systems. <o:p></o:p></font></span></p><p class="MsoNormal" align="center" style="text-align: justify;">
</p><p class="MsoNormal"><span style="font-family:"Segoe UI",sans-serif"><font color="#ffffff">AUTOSAR
paves the way to a standardized set of safety and security means to support
developers in achieving the Automotive Safety Integrity Level (ASIL) according
to ISO DIS 26262.</font></span></p><p class="MsoNormal"><span style="font-family:"Segoe UI",sans-serif"><o:p><font color="#ffffff"><br></font></o:p></span></p><p class="MsoNormal" style="line-height:150%"><b><span style="font-family:"Segoe UI",sans-serif"><font color="#ffffff">AUTOSAR
Safety Standard and Concepts<o:p></o:p></font></span></b></p><p class="MsoListParagraph" style="margin-left:.5in;mso-para-margin-left:0gd;
text-indent:-.25in;mso-list:l1 level1 lfo2"><!--[if !supportLists]--><font color="#ffffff"><span style="font-family:Wingdings;mso-fareast-font-family:Wingdings;mso-bidi-font-family:
Wingdings;mso-bidi-font-weight:bold">Ø<span style="font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-kerning: auto; font-optical-sizing: auto; font-feature-settings: normal; font-variation-settings: normal; font-variant-position: normal; font-stretch: normal; font-size: 7pt; line-height: normal; font-family: "Times New Roman";"> </span></span><!--[endif]--><b><span style="font-family:"Segoe UI",sans-serif">Safety Standard<o:p></o:p></span></b></font></p><p class="MsoNormal" style="margin-left:.25in"><span style="font-family:"Segoe UI",sans-serif"><font color="#ffffff">Before
mentioning AUTOSAR Safety Concepts, we will go through the introductory
requirements of ISO 26262 for functional safety of vehicles on the road.</font></span></p><p class="MsoNormal" style="margin-left:.25in"><i><span style="font-family:"Segoe UI",sans-serif"><font color="#ffffff">•
ISO 26262 provides an automotive safety lifecycle (management, development,
production, operation, service, and decommissioning) and supports tailoring the
necessary activities during these lifecycle phases.<o:p></o:p></font></span></i></p><p class="MsoNormal" style="margin-left:.25in"><i><span style="font-family:"Segoe UI",sans-serif"><font color="#ffffff">•
ISO 26262 provides an automotive specific risk-based approach for determining
Automotive Safety Integrity Levels (ASILs).<o:p></o:p></font></span></i></p><p class="MsoNormal" style="margin-left:.25in"><i><span style="font-family:"Segoe UI",sans-serif"><font color="#ffffff">•
ISO 26262 uses ASILs for specifying the item’s necessary safety requirements
for achieving an acceptable residual risk.<o:p></o:p></font></span></i></p><p class="MsoNormal" style="margin-left:.25in"><i><span style="font-family:"Segoe UI",sans-serif"><font color="#ffffff">•
ISO 26262 provides requirements for validation and confirmation measures to
ensure a sufficient and acceptable level of safety being achieved.<o:p></o:p></font></span></i></p><p class="MsoNormal" style="margin-left:.25in"><i><span style="font-family:"Segoe UI",sans-serif"><font color="#ffffff">•
ISO 26262 provides requirements for the relation with suppliers.<o:p></o:p></font></span></i></p><p class="MsoNormal" style="margin-left:.25in"><font color="#ffffff"><br></font></p><p class="MsoListParagraph" style="margin-left:.5in;mso-para-margin-left:0gd;
text-indent:-.25in;mso-list:l1 level1 lfo2"><!--[if !supportLists]--><font color="#ffffff"><span style="font-family:Wingdings;mso-fareast-font-family:Wingdings;mso-bidi-font-family:
Wingdings;mso-bidi-font-weight:bold">Ø<span style="font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-kerning: auto; font-optical-sizing: auto; font-feature-settings: normal; font-variation-settings: normal; font-variant-position: normal; font-stretch: normal; font-size: 7pt; line-height: normal; font-family: "Times New Roman";"> </span></span><!--[endif]--><b><span style="font-family:"Segoe UI",sans-serif">AUTOSAR Safety Concepts<o:p></o:p></span></b></font></p><p class="MsoNormal" style="margin-left:.25in"><font color="#ffffff"><b><span lang="JA">・</span></b><b><span lang="JA" style="font-family:"Segoe UI",sans-serif"> </span></b><b><span style="font-family:"Segoe UI",sans-serif">Concept 1: Fault Detection,
Isolation, and Recovery (FDIR)<o:p></o:p></span></b></font></p><p class="MsoNormal" style="margin-left:.25in"><span style="font-family:"Segoe UI",sans-serif"><font color="#ffffff">Fault
Detection, Isolation, and Recovery (FDIR) concept is a primary safety concept
provided by AUTOSAR, which helps detect, isolate, and recover from faults to
ensure the safety and dependability of the system.</font></span></p><p class="MsoNormal" style="margin-left:.25in"><span style="font-family:"Segoe UI",sans-serif"><font color="#ffffff">There
are many definitions of FDIR mechanism to be found in the literature. The
following tasks are typical part of a FDIR System:<o:p></o:p></font></span></p><p class="MsoListParagraph" style="margin-left:.5in;mso-para-margin-left:0gd;
text-indent:-.25in;mso-list:l0 level1 lfo1"><!--[if !supportLists]--><font color="#ffffff"><span style="font-family:"Times New Roman",serif;mso-fareast-font-family:"Times New Roman"">–<span style="font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-kerning: auto; font-optical-sizing: auto; font-feature-settings: normal; font-variation-settings: normal; font-variant-position: normal; font-stretch: normal; font-size: 7pt; line-height: normal; font-family: "Times New Roman";">
</span></span><!--[endif]--><span style="font-family:"Segoe UI",sans-serif">Fault
detection is the identification of faults in a system and of their occurrence
times. <o:p></o:p></span></font></p><p class="MsoListParagraph" style="margin-left:.5in;mso-para-margin-left:0gd;
text-indent:-.25in;mso-list:l0 level1 lfo1"><!--[if !supportLists]--><font color="#ffffff"><span style="font-family:"Times New Roman",serif;mso-fareast-font-family:"Times New Roman"">–<span style="font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-kerning: auto; font-optical-sizing: auto; font-feature-settings: normal; font-variation-settings: normal; font-variant-position: normal; font-stretch: normal; font-size: 7pt; line-height: normal; font-family: "Times New Roman";">
</span></span><!--[endif]--><span style="font-family:"Segoe UI",sans-serif">Fault
isolation to determine the type and position of faults.<o:p></o:p></span></font></p><p class="MsoListParagraph" style="margin-left:.5in;mso-para-margin-left:0gd;
text-indent:-.25in;mso-list:l0 level1 lfo1"><!--[if !supportLists]--><font color="#ffffff"><span style="font-family:"Times New Roman",serif;mso-fareast-font-family:"Times New Roman"">–<span style="font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-kerning: auto; font-optical-sizing: auto; font-feature-settings: normal; font-variation-settings: normal; font-variant-position: normal; font-stretch: normal; font-size: 7pt; line-height: normal; font-family: "Times New Roman";">
</span></span><!--[endif]--><span style="font-family:"Segoe UI",sans-serif">Fault
identification refers to determining the size and fault behaviors and estimating
the damage level and its possible impact on the system.<o:p></o:p></span></font></p><p class="MsoNormal">
</p><p class="MsoListParagraph" style="margin-left:.5in;mso-para-margin-left:0gd;
text-indent:-.25in;mso-list:l0 level1 lfo1"><!--[if !supportLists]--><font color="#ffffff"><span style="font-family:"Times New Roman",serif;mso-fareast-font-family:"Times New Roman"">–<span style="font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-kerning: auto; font-optical-sizing: auto; font-feature-settings: normal; font-variation-settings: normal; font-variant-position: normal; font-stretch: normal; font-size: 7pt; line-height: normal; font-family: "Times New Roman";">
</span></span><!--[endif]--><span style="font-family:"Segoe UI",sans-serif">System
reconfiguration compensates for the identified faults, for example by switching
to redundant systems.<o:p></o:p></span></font></p><p class="MsoListParagraph" style="margin-left:.5in;mso-para-margin-left:0gd;
text-indent:-.25in;mso-list:l0 level1 lfo2"><font color="#ffffff"><img src="https://imagemaaz2023.blob.core.windows.net/images/autosar-safety-and-security-1.png" style="width: 494px;"><span style="font-family:"Times New Roman",serif"><o:p></o:p></span></font></p><p class="MsoNormal"><span style="font-family:"Times New Roman",serif"><font color="#ffffff"><span style="font-family: "Segoe UI";">Figure 1:
Definition of Fault Dectection & Isolation (FDI), Fault Detection &
Diagnosis (FDD), Fault Detection, Isolation & Recovery (FDIR)</span><o:p></o:p></font></span></p><p class="MsoNormal"><span style="font-family:"Times New Roman",serif"><font color="#ffffff"> </font></span></p><p class="MsoNormal"><font color="#ffffff"><b><span lang="JA">・</span></b><span style="text-indent: -0.25in; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-kerning: auto; font-optical-sizing: auto; font-feature-settings: normal; font-variation-settings: normal; font-variant-position: normal; font-stretch: normal; font-size: 7pt; line-height: normal; font-family: "Times New Roman";"> </span><b style="text-indent: -0.25in; font-size: 1rem;"><span style="font-family:"Segoe UI",sans-serif">Concept
2: Safety Element out of Context (SEooC)</span></b></font></p><p class="MsoListParagraph" style="margin-left:.5in;mso-para-margin-left:0gd;
text-indent:-.25in;mso-list:l0 level1 lfo1"><b><span style="font-family:"Segoe UI",sans-serif"><font color="#ffffff"><o:p></o:p></font></span></b></p><p class="MsoNormal"><font color="#ffffff"><b><span style="font-family:"Times New Roman",serif;mso-fareast-language:EN-US;
mso-no-proof:yes"><!--[if gte vml 1]><v:shape id="_x0000_i1028" type="#_x0000_t75"
alt="Diagram Description automatically generated" style='width:425.25pt;
height:224.25pt;visibility:visible;mso-wrap-style:square'>
<v:imagedata src="file:///C:/Users/dangth12/AppData/Local/Temp/msohtmlclip1/01/clip_image002.png"
o:title="Diagram Description automatically generated"/>
</v:shape><![endif]--><!--[if !vml]--><!--[endif]--></span></b><b><span style="font-family:"Times New Roman",serif"><o:p></o:p></span></b></font></p><p class="MsoNormal"><font color="#ffffff"><img src="https://imagemaaz2023.blob.core.windows.net/images/autosar-safety-and-security-2.png" style="width: 1040px;"><span style="font-family:"Times New Roman",serif"><br></span></font></p><p class="MsoNormal"><span style="font-family:"Segoe UI",sans-serif"><font color="#ffffff">Figure 2:
SEooC development process<o:p></o:p></font></span></p><p class="MsoNormal"><span style="font-family:"Segoe UI",sans-serif"><font color="#ffffff"> </font></span></p><p class="MsoNormal"><span style="font-family:"Segoe UI",sans-serif"><font color="#ffffff">This concept
refers to the process of verifying the safety of a component or system in
isolation, without considering its interaction with other components or systems
in the vehicle, which helps to ensure that the component or system is safe and
reliable, even when it is integrated into a larger system. <o:p></o:p></font></span></p><p class="MsoNormal"><font color="#ffffff"><span style="font-family:"Segoe UI",sans-serif"> </span><span style="font-family: "Segoe UI", sans-serif; font-size: 1rem;">By way of
illustration, the operating system is responsible for ensuring safety by
providing guaranteed scheduling of safety-related tasks and protecting higher
ASIL processes from lower ASIL or QM processes in terms of memory, hardware,
and resources. This responsibility remains the same regardless of the ECU in
which it is used or the specific safety goals of the system.</span></font></p><p class="MsoNormal"><span style="font-family:"Segoe UI",sans-serif"><font color="#ffffff"> </font></span></p><p class="MsoListParagraph" style="margin-left:.5in;mso-para-margin-left:0gd;
text-indent:-.25in;mso-list:l0 level1 lfo1"><!--[if !supportLists]--><font color="#ffffff">・<span style="font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-kerning: auto; font-optical-sizing: auto; font-feature-settings: normal; font-variation-settings: normal; font-variant-position: normal; font-stretch: normal; font-size: 7pt; line-height: normal; font-family: "Times New Roman";">
</span><!--[endif]--><b><span style="font-family:"Segoe UI",sans-serif">Concept
3: Freedom From Interference (FFI)<o:p></o:p></span></b></font></p><p class="MsoNormal"><font color="#ffffff"><b><span style="font-family:"Segoe UI",sans-serif"> </span></b><span style="font-family:"Segoe UI",sans-serif">The
concept of Freedom From Interference (FFI) pertains to the absence of failure
propagation from a lower ASIL level element to a higher one. This implies
communication or dependency between two elements of different ASIL levels
should not have any impact on their respective safety requirements.<o:p></o:p></span></font></p><p class="MsoNormal"><font color="#ffffff"><span style="font-family:"Segoe UI",sans-serif"> </span><span style="font-family: "Segoe UI", sans-serif; font-size: 1rem;">The effects
that can prevent FFI include timing or execution failures, such as deadlocks,
execution blocking, and lack of phase synchronization between software
elements, as well as memory failures and information exchange issues.</span></font></p><p class="MsoNormal"><font color="#ffffff"><span style="font-family:"Segoe UI",sans-serif"> </span><span style="font-family: "Segoe UI", sans-serif; font-size: 1rem;">There are
various mechanisms that can be used together to achieve FFI and prevent the
above failure propagation as follows:</span></font></p><p class="MsoNormal"><font color="#ffffff"><span lang="JA">ー</span><span lang="JA" style="font-family:"Segoe UI",sans-serif"> </span><span style="font-family:"Segoe UI",sans-serif">Barriers are hardware-based (external
watchdogs and MPU) to prevent interference between elements. <o:p></o:p></span></font></p><p class="MsoNormal"><font color="#ffffff"><span lang="JA">ー</span><span lang="JA" style="font-family:"Segoe UI",sans-serif"> </span><span style="font-family:"Segoe UI",sans-serif">Defenses are programming techniques
that disable interruptions during critical sessions, pointer checking
mechanisms, etc. They are effective against memory corruption, but not dynamic
calling failures. <o:p></o:p></span></font></p><p class="MsoNormal"><font color="#ffffff"><span lang="JA">ー</span><span lang="JA" style="font-family:"Segoe UI",sans-serif"> </span><span style="font-family:"Segoe UI",sans-serif">Qualifiers are documents with
evidence that show an element has its own mechanisms to guarantee FFI. <o:p></o:p></span></font></p><p class="MsoNormal">
</p><p class="MsoNormal"><font color="#ffffff"><span lang="JA">ー</span><span lang="JA" style="font-family:"Segoe UI",sans-serif"> </span><span style="font-family:"Segoe UI",sans-serif">Well-trusted elements are also used
to ensure no ASIL level corruption occurs.</span></font></p><p class="MsoNormal"><span style="font-family:"Segoe UI",sans-serif"><o:p><font color="#ffffff"><br></font></o:p></span></p><p class="MsoNormal"><font color="#ffffff"><b style="font-size: 1rem;"><span style="font-family:"Segoe UI",sans-serif">AUTOSAR
SAFETY MECHANISM FEATURES</span></b><br></font></p><p class="MsoListParagraph" style="margin-left:.5in;mso-para-margin-left:0gd;
text-indent:-.25in;mso-list:l0 level1 lfo1"><!--[if !supportLists]--><font color="#ffffff">・<span style="font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-kerning: auto; font-optical-sizing: auto; font-feature-settings: normal; font-variation-settings: normal; font-variant-position: normal; font-stretch: normal; font-size: 7pt; line-height: normal; font-family: "Times New Roman";">
</span><!--[endif]--><b><span style="font-family:"Segoe UI",sans-serif"> Memory Partitioning<o:p></o:p></span></b></font></p><p class="MsoNormal"><span style="font-family:"Segoe UI",sans-serif"><font color="#ffffff">It separates
software applications from each other to avoid any data corruption, which allows
safety and non-safety applications to be implemented on the same ECU. <o:p></o:p></font></span></p><p class="MsoNormal"><font color="#ffffff"><span style="font-family:"Segoe UI",sans-serif"> </span><span style="font-family: "Segoe UI", sans-serif; font-size: 1rem;">Memory
partitioning is a protection mechanism that restricts access to memory and
memory-mapped hardware. It also prevents code running in one partition from modifying
memory of another partition.</span></font></p><p class="MsoNormal"><font color="#ffffff"><span style="font-family:"Segoe UI",sans-serif"> </span><span style="font-family: "Segoe UI", sans-serif; font-size: 1rem;">Figure 3 displays
a partitioning example that is utilized as the fault containment regions. If an
error is found in a specific partition, that partition can be terminated or
restarted while the system is running. Electronic Control Unit (ECU) configuration
files are used to configure these partitions. If a violation or error occurs in
Partition 1 as illustrated in Figure 1, the OS services terminate Partition 1
and stop any possible communication, then the partition is restarted.</span></font></p><p class="MsoNormal"><span style="font-family:"Times New Roman",serif;mso-fareast-language:
EN-US;mso-no-proof:yes"><font color="#ffffff"><!--[if gte vml 1]><v:shape id="_x0000_i1027" type="#_x0000_t75"
alt="Timeline Description automatically generated" style='width:309pt;
height:223.5pt;visibility:visible;mso-wrap-style:square'>
<v:imagedata src="file:///C:/Users/dangth12/AppData/Local/Temp/msohtmlclip1/01/clip_image004.png"
o:title="Timeline Description automatically generated"/>
</v:shape><![endif]--><!--[if !vml]--></font></span></p><p class="MsoNormal"><span style="font-family:"Times New Roman",serif;mso-fareast-language:
EN-US;mso-no-proof:yes"><font color="#ffffff"><!--[if !vml]--></font></span></p><p class="MsoNormal"><span style="font-family:"Times New Roman",serif;mso-fareast-language:
EN-US;mso-no-proof:yes"><font color="#ffffff"><!--[if !vml]--></font></span></p><p class="MsoNormal"><font color="#ffffff"><span style="font-family:"Times New Roman",serif;mso-fareast-language:
EN-US;mso-no-proof:yes"><!--[if !vml]--><!--[endif]--></span><span style="font-family:"Times New Roman",serif"><o:p></o:p></span></font></p><p class="MsoNormal"><font color="#ffffff"><img src="https://imagemaaz2023.blob.core.windows.net/images/autosar-safety-and-security-3.png" style="width: 757px;"><span style="font-family:"Times New Roman",serif"><br></span></font></p><p class="MsoNormal"><span style="font-family:"Segoe UI",sans-serif"><font color="#ffffff">Figure 3:
Example of Partitioning<o:p></o:p></font></span></p><p class="MsoListParagraph" style="margin-left:.5in;mso-para-margin-left:0gd;
text-indent:-.25in;mso-list:l0 level1 lfo1"><!--[if !supportLists]--><font color="#ffffff">・<span style="font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-kerning: auto; font-optical-sizing: auto; font-feature-settings: normal; font-variation-settings: normal; font-variant-position: normal; font-stretch: normal; font-size: 7pt; line-height: normal; font-family: "Times New Roman";">
</span><!--[endif]--><b><span style="font-family:"Segoe UI",sans-serif">Defensive
Behavior</span></b><span style="font-family:"Segoe UI",sans-serif"><o:p></o:p></span></font></p><p class="MsoNormal"><span style="font-family:"Segoe UI",sans-serif"><font color="#ffffff">The
defensive behavior of basic software modules in microcontrollers, which do not have
hardware support for memory partitioning, prevents data corruption and
incorrect service calls. This cost-efficient approach is suitable for
applications with low to medium levels of integrity to prevent the propagation
of faults.<o:p></o:p></font></span></p><p class="MsoNormal"><span style="font-family:"Segoe UI",sans-serif"><font color="#ffffff"> </font></span></p><p class="MsoListParagraph" style="margin-left:.5in;mso-para-margin-left:0gd;
text-indent:-.25in;mso-list:l0 level1 lfo1"><!--[if !supportLists]--><font color="#ffffff">・<span style="font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-kerning: auto; font-optical-sizing: auto; font-feature-settings: normal; font-variation-settings: normal; font-variant-position: normal; font-stretch: normal; font-size: 7pt; line-height: normal; font-family: "Times New Roman";">
</span><!--[endif]--><b><span style="font-family:"Segoe UI",sans-serif">End-to-End
(E2E) Communication Protection<o:p></o:p></span></b></font></p><p class="MsoNormal">
</p><p class="MsoNormal"><span style="font-family:"Segoe UI",sans-serif"><font color="#ffffff">In AUTOSAR
4.0, the End-to-End (E2E) communication protection features are included as a
standard library offering protection mechanisms. These mechanisms enable the
sender to protect the data, and the receiver(s) to identify and handle errors
in the communication link during runtime. This library offers E2E protection
mechanisms suitable for safety-critical communication with requirements up to
ASIL D.<o:p></o:p></font></span></p><p class="MsoNormal"><font color="#ffffff"><img src="https://imagemaaz2023.blob.core.windows.net/images/autosar-safety-and-security-4.png" style="width: 984px;"><br></font></p><p class="MsoNormal"><span style="font-family:"Times New Roman",serif"><font color="#ffffff">Figure 4:
Example of faults detected by E2E protection<o:p></o:p></font></span></p><p class="MsoNormal"><span style="font-family:"Times New Roman",serif"><font color="#ffffff"> </font></span></p><p class="MsoNormal"><font color="#ffffff"><b><span lang="JA">・</span></b><b><span style="font-family:"Times New Roman",serif">Program flow monitoring<o:p></o:p></span></b></font></p><p class="MsoNormal"><span style="font-family:"Times New Roman",serif"><font color="#ffffff">The
program flow monitoring is a mechanism used to ensure the accurate execution of
software. Its main purpose is to detect program flow errors, which happen when
the program sequence deviates from the correct path. This can occur if program
instructions are processed out of sequence, or not executed on time, or not
processed at all. Such errors can result in data inconsistencies, data
corruption or software failures.<o:p></o:p></font></span></p><p class="MsoNormal"><span style="font-family:"Times New Roman",serif"><font color="#ffffff"> </font></span></p><p class="MsoNormal"><font color="#ffffff"><b><span lang="JA">・</span></b><b><span style="font-family:"Times New Roman",serif">Time determinism and timing
constraint modeling:<o:p></o:p></span></b></font></p><p class="MsoNormal"><span style="font-family:"Times New Roman",serif"><font color="#ffffff">The
purpose of this mechanism is to create a consistent and predictable timing behavior.
This is achieved through several methods, including the use of synchronized
time bases, ensuring synchronized execution and deterministic timing of
software components, and controlling timing behavior and detecting timing
violations at runtime. The mechanism also includes setting timing constraints
such as end-to-end delays, minimum and maximum execution times of runnable
entities, and trigger rate constraints for events.<o:p></o:p></font></span></p><p class="MsoNormal"><b><span style="font-family:"Times New Roman",serif"><font color="#ffffff"> </font></span></b></p><p class="MsoNormal"><font color="#ffffff"><b><span style="font-family:"Segoe UI",sans-serif">AUTOSAR
SECURITY CONCEPTS </span></b><span class="MsoHyperlink"><span style="font-family:
"Segoe UI",sans-serif"><o:p></o:p></span></span></font></p><p class="MsoListParagraph" style="margin-left:.5in;mso-para-margin-left:0gd;
text-indent:-.25in;mso-list:l1 level1 lfo1"><!--[if !supportLists]--><font color="#ffffff"><span style="font-family:Wingdings;mso-fareast-font-family:Wingdings;mso-bidi-font-family:
Wingdings;mso-bidi-font-weight:bold">Ø<span style="font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-kerning: auto; font-optical-sizing: auto; font-feature-settings: normal; font-variation-settings: normal; font-variant-position: normal; font-stretch: normal; font-size: 7pt; line-height: normal; font-family: "Times New Roman";"> </span></span><!--[endif]--><b><span style="font-family:"Segoe UI",sans-serif">Security Concepts:<o:p></o:p></span></b></font></p><p class="MsoListParagraph" style="margin-left:.5in;mso-para-margin-left:0gd;
text-indent:-.25in;mso-list:l0 level1 lfo2"><!--[if !supportLists]--><font color="#ffffff">・<span style="font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-kerning: auto; font-optical-sizing: auto; font-feature-settings: normal; font-variation-settings: normal; font-variant-position: normal; font-stretch: normal; font-size: 7pt; line-height: normal; font-family: "Times New Roman";">
</span><!--[endif]--><b><span style="font-family:"Segoe UI",sans-serif">Security
and Cryptograph Architecture<o:p></o:p></span></b></font></p><p class="MsoNormal"><span style="font-family:"Segoe UI",sans-serif"><font color="#ffffff">Different
security applications require different cryptographic services, and the Crypto
Service Manager (CSM) enables various applications to utilize the same service
with different cryptographic primitives and routines.<o:p></o:p></font></span></p><p class="MsoListParagraph" style="margin-left:.25in;mso-para-margin-left:0gd;
text-indent:-.25in;mso-list:l1 level1 lfo1">
</p><p class="MsoNormal"><span style="font-family:"Segoe UI",sans-serif"><font color="#ffffff">The crypto
module is responsible for managing requests for cryptographic services made by
applications and dispatching them to a pool of basic cryptographic routines. To
facilitate this, the crypto module provides a standardized interface for
security applications to access cryptographic routines and another interface
for cryptographic routines to be integrated into the module and used by
security applications. <o:p></o:p></font></span></p><p class="MsoNormal"><font color="#ffffff"><img src="https://imagemaaz2023.blob.core.windows.net/images/autosar-safety-and-security-5.png" style="width: 815px;"><br></font></p><p class="MsoNormal"><span style="font-family:"Segoe UI",sans-serif"><font color="#ffffff">Figure 5:
Cryptographic Architecture<o:p></o:p></font></span></p><p class="MsoNormal"><span style="font-family:"Segoe UI",sans-serif"><font color="#ffffff"> </font></span></p><p class="MsoListParagraph" style="margin-left:.5in;mso-para-margin-left:0gd;
text-indent:-.25in;mso-list:l0 level1 lfo1"><!--[if !supportLists]--><font color="#ffffff">・<span style="font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-kerning: auto; font-optical-sizing: auto; font-feature-settings: normal; font-variation-settings: normal; font-variant-position: normal; font-stretch: normal; font-size: 7pt; line-height: normal; font-family: "Times New Roman";">
</span><!--[endif]--><b><span style="font-family:"Segoe UI",sans-serif">DCM
Manages Security Access Level Handling</span></b><span style="font-family:"Segoe UI",sans-serif"><o:p></o:p></span></font></p><p class="MsoNormal"><span style="font-family:"Segoe UI",sans-serif"><font color="#ffffff">The
Diagnostic Communication Manager (DCM) is a basic software module offering a common
API for diagnostic services. It is utilized by diagnostic tools from external sources
during the development, manufacturing, and service phases. The primary purpose
of this module is to guarantee diagnostic data transmission and to manage
diagnostic states, such as diagnostic sessions and security states. <o:p></o:p></font></span></p><p class="MsoNormal"><span style="font-family:"Segoe UI",sans-serif"><font color="#ffffff"> </font></span></p><p class="MsoListParagraph" style="margin-left:.5in;mso-para-margin-left:0gd;
text-indent:-.25in;mso-list:l0 level1 lfo1"><!--[if !supportLists]--><font color="#ffffff">・<span style="font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-kerning: auto; font-optical-sizing: auto; font-feature-settings: normal; font-variation-settings: normal; font-variant-position: normal; font-stretch: normal; font-size: 7pt; line-height: normal; font-family: "Times New Roman";">
</span><!--[endif]--><b><span style="font-family:"Segoe UI",sans-serif"> Memory Read Access</span></b><span style="font-family:"Segoe UI",sans-serif"><o:p></o:p></span></font></p><p class="MsoNormal"><span style="font-family:"Segoe UI",sans-serif"><font color="#ffffff">The Operating
System (OS) can provide memory protection for OS-Application against read
access by other OS-Applications. When a task can read any memory, it can
operate on incorrect data, leading to failures during runtime. By preventing
read access, such faults can be detected immediately. Additionally, memory
protection can also address security concerns, though there are typically no
security implications between OS-Applications on the same processor.<o:p></o:p></font></span></p><p class="MsoNormal"><span style="font-family:"Segoe UI",sans-serif"><font color="#ffffff"> </font></span></p><p class="MsoNormal"><b><span style="font-family:"Segoe UI",sans-serif"><font color="#ffffff">AUTOSAR
CYBERSECURITY AND THREAT ANALYSIS<o:p></o:p></font></span></b></p><p class="MsoNormal"><span style="font-family:"Segoe UI",sans-serif"><font color="#ffffff">Cybersecurity
is a broad field about securing any digital information against cyberattacks. One
way to ensure cybersecurity solutions is to use threat modeling techniques,
such as STRIDE method which stands for Spoofing, Tampering, Repudiation,
Information disclosure, Denial of service, and Elevation of privilege. An
alternative approach is to identify the core assets of a specific domain and
collect threats targeting these assets, and this approach will be discussed in
more detail as follows. <o:p></o:p></font></span></p><p class="MsoNormal"><span style="font-family:"Segoe UI",sans-serif"><font color="#ffffff"> </font></span></p><p class="MsoListParagraph" style="margin-left:.5in;mso-para-margin-left:0gd;
text-indent:-.25in;mso-list:l0 level1 lfo1"><!--[if !supportLists]--><font color="#ffffff">・<span style="font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-kerning: auto; font-optical-sizing: auto; font-feature-settings: normal; font-variation-settings: normal; font-variant-position: normal; font-stretch: normal; font-size: 7pt; line-height: normal; font-family: "Times New Roman";">
</span><!--[endif]--><b><span style="font-family:"Segoe UI",sans-serif">Asset
1: ARA_</span></b><span style="font-family:"Segoe UI",sans-serif"> The Runtime
Environment between user applications and the lower layer functional cluster
may have the following attacks and attack steps.<o:p></o:p></span></font></p><p class="MsoNormal"><span style="font-family:"Segoe UI",sans-serif"><font color="#ffffff">A 1.1.
Access <o:p></o:p></font></span></p><p class="MsoNormal"><span style="font-family:"Segoe UI",sans-serif"><font color="#ffffff">A 1.2.
Compromise <o:p></o:p></font></span></p><p class="MsoNormal"><span style="font-family:"Segoe UI",sans-serif"><font color="#ffffff">A 1.3.
Information leak <o:p></o:p></font></span></p><p class="MsoNormal"><span style="font-family:"Segoe UI",sans-serif"><font color="#ffffff">A 1.4.
Message injection <o:p></o:p></font></span></p><p class="MsoNormal"><span style="font-family:"Segoe UI",sans-serif"><font color="#ffffff">A 1.5.
Denial of service<o:p></o:p></font></span></p><p class="MsoNormal"><span style="font-family:"Segoe UI",sans-serif"><font color="#ffffff">The access
attack step (A 1.1) is used by the upper layer user application to gain access
to at least one interface of the lower layer platform-level applications.
Attackers who have access to any functional cluster interface in the ARA can
use it to deny service (A 1.5) that the interface provides. Attackers can also
compromise (A 1.2) the runtime environment itself, which can lead to
information leakage (A 1.3), and messages injections (A 1.4) during
communication. As a result, attackers can read information by leaking
information (A 1.3), write data by injecting messages (A 1.4), and deny
services provided by the platform applications and user applications by making
a denial-of-service attack (A 1.5) on the public interfaces in the ARA.<o:p></o:p></font></span></p><p class="MsoNormal"><span style="font-family:"Segoe UI",sans-serif"><font color="#ffffff"> </font></span></p><p class="MsoListParagraph" style="margin-left:.5in;mso-para-margin-left:0gd;
text-indent:-.25in;mso-list:l0 level1 lfo1"><!--[if !supportLists]--><font color="#ffffff">・<span style="font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-kerning: auto; font-optical-sizing: auto; font-feature-settings: normal; font-variation-settings: normal; font-variant-position: normal; font-stretch: normal; font-size: 7pt; line-height: normal; font-family: "Times New Roman";">
</span><!--[endif]--><b><span style="font-family:"Segoe UI",sans-serif">Asset
2) Operating System (OS) </span></b><span style="font-family:"Segoe UI",sans-serif">may
have the following attacks and attack steps.<b><o:p></o:p></b></span></font></p><p class="MsoNormal"><span style="font-family:"Segoe UI",sans-serif"><font color="#ffffff">A 2.1.
Access <o:p></o:p></font></span></p><p class="MsoNormal"><span style="font-family:"Segoe UI",sans-serif"><font color="#ffffff">A 2.2.
Malware <o:p></o:p></font></span></p><p class="MsoNormal"><span style="font-family:"Segoe UI",sans-serif"><font color="#ffffff">A 2.3.
Denial of service<o:p></o:p></font></span></p><p class="MsoNormal"><span style="font-family:"Segoe UI",sans-serif"><font color="#ffffff">A 2.4. Data
injection <o:p></o:p></font></span></p><p class="MsoNormal"><span style="font-family:"Segoe UI",sans-serif"><font color="#ffffff">A 2.5.
Information leak <o:p></o:p></font></span></p><p class="MsoNormal"><span style="font-family:"Segoe UI",sans-serif"><font color="#ffffff">A 2.6.
Memory corruption<o:p></o:p></font></span></p><p class="MsoNormal"><span style="font-family:"Segoe UI",sans-serif"><font color="#ffffff">If attackers
gain access (A 2.1) to the OS, they can launch denial of service (A 2.3)
attacks, inject data (A 2.4) into running processes, and cause memory
corruption (A 2.6) in running programs. They can also install malware (A 2.2)
programs that can compromise accounts, read and write data, bypass access
control, and cause denial of services (A 2.3) in the OS. Malware can be
protected by antimalware programs, but attackers can still perform denial of
service (A 2.3) attacks by flooding services or exhausting resources. Such
attacks prevent legitimate processes from running, causing denial of services
in the platform and user application. <o:p></o:p></font></span></p><p class="MsoNormal"><span style="font-family:"Segoe UI",sans-serif"><font color="#ffffff">Additionally,
attackers can inject (A 2.4) processed data of one process into another
process's data or from one thread to another in the same process, resulting in
information leaks (A 2.5). Finally, unhandled codes can cause memory corruption
(A 2.6), leading to information leaks (A 2.5), denial of services (A 2.3), data
injection (A 2.4), and account compromises. Protected runtime environments can safeguard
against memory corruption.<o:p></o:p></font></span></p><p class="MsoNormal"><span style="font-family:"Segoe UI",sans-serif"><font color="#ffffff"> </font></span></p><p class="MsoListParagraph" style="margin-left:.5in;mso-para-margin-left:0gd;
text-indent:-.25in;mso-list:l0 level1 lfo1"><!--[if !supportLists]--><font color="#ffffff">・<span style="font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-kerning: auto; font-optical-sizing: auto; font-feature-settings: normal; font-variation-settings: normal; font-variant-position: normal; font-stretch: normal; font-size: 7pt; line-height: normal; font-family: "Times New Roman";">
</span><!--[endif]--><b><span style="font-family:"Segoe UI",sans-serif">Asset
3) Bus Network</span></b><span style="font-family:"Segoe UI",sans-serif"><o:p></o:p></span></font></p><p class="MsoNormal"><span style="font-family:"Segoe UI",sans-serif"><font color="#ffffff">It is
important to note the potential attacks and attack steps that can occur on the
bus network<o:p></o:p></font></span></p><p class="MsoNormal" style="text-indent:5.25pt;mso-char-indent-count:.5"><span style="font-family:"Segoe UI",sans-serif"><font color="#ffffff">A 3.1. Traffic injection<o:p></o:p></font></span></p><p class="MsoNormal"><span style="font-family:"Segoe UI",sans-serif"><font color="#ffffff"> A 3.2. Wakeup message injection<o:p></o:p></font></span></p><p class="MsoNormal"><span style="font-family:"Segoe UI",sans-serif"><font color="#ffffff"> A 3.3. Impersonation<o:p></o:p></font></span></p><p class="MsoNormal"><span style="font-family:"Segoe UI",sans-serif"><font color="#ffffff"> A 3.4. Man-in-the-middle<o:p></o:p></font></span></p><p class="MsoNormal"><span style="font-family:"Segoe UI",sans-serif"><font color="#ffffff">An attacker
could inject wakeup messages (A 3.2) or exceed the maximum transmit error
counter threshold to initiate a bus-off attack on connected ECUs. Wakeup
message injection on networked ECUs can lead to battery drain attacks. Since the
bus network allows everyone to send traffic without verification, an
impersonation attack (A 3.3) can occur easily, enabling adversaries in the
middle (A 3.4). The impersonation threat can be prevented with a message
authentication mechanism.<o:p></o:p></font></span></p><p class="MsoNormal"><span style="font-family:"Segoe UI",sans-serif"><font color="#ffffff"> </font></span></p><p class="MsoNormal"><font color="#ffffff"><b><span lang="JA" style="font-family:"MS Gothic";mso-bidi-font-family:
"MS Gothic"">※</span></b><b><span style="font-family:"Segoe UI",sans-serif">Reference
Links:<o:p></o:p></span></b></font></p><p class="MsoNormal"><span style="font-family:"Segoe UI",sans-serif"><font color="#ffffff"><a href="https://www.autosar.org/fileadmin/standards/R22-11/FO/AUTOSAR_EXP_SecurityOverview.pdf">https://www.autosar.org/fileadmin/standards/R22-11/FO/AUTOSAR_EXP_SecurityOverview.pdf</a><o:p></o:p></font></span></p><p class="MsoNormal"><span style="font-family:"Segoe UI",sans-serif"><font color="#ffffff"><a href="https://www.autosar.org/fileadmin/standards/R20-11/FO/AUTOSAR_RS_Safety.pdf">https://www.autosar.org/fileadmin/standards/R20-11/FO/AUTOSAR_RS_Safety.pdf</a><o:p></o:p></font></span></p><p class="MsoNormal"><span style="font-family:"Segoe UI",sans-serif"><font color="#ffffff"><a href="https://www.autosar.org/fileadmin/standards/R22-11/AP/AUTOSAR_RS_CommunicationManagement.pdf">https://www.autosar.org/fileadmin/standards/R22-11/AP/AUTOSAR_RS_CommunicationManagement.pdf</a><o:p></o:p></font></span></p><p class="MsoNormal"><span style="font-family:"Segoe UI",sans-serif"><font color="#ffffff"><a href="https://www.autosar.org/fileadmin/standards/R22-11/AP/AUTOSAR_SWS_Cryptography.pdf">https://www.autosar.org/fileadmin/standards/R22-11/AP/AUTOSAR_SWS_Cryptography.pdf</a><o:p></o:p></font></span></p><p class="MsoNormal">
</p><p class="MsoNormal"><span style="font-family:"Segoe UI",sans-serif"><a href="https://fscdn.rohm.com/en/products/databook/white_paper/iso26262_wp-e.pdf"><font color="#ffffff">https://fscdn.rohm.com/en/products/databook/white_paper/iso26262_wp-e.pdf</font></a><o:p></o:p></span></p>