Preventing Unauthorized Network Access With Automotive Firewalls

V0.1 | 2024-04-15
u Intro
Automotive Firewall
Summary

Introduction
Intro
Zonal E/E Architecture

u Zonal Architecture
u Definition of spatial vehicle zones (E.g., “Front Left”, “Rear”)
u ECUs as generic execution platforms for different functions (Lane assist, interior light, window lifter…)
> Hard Realtime: Gateways
> ADAS/Infotainment: High Performance Computers (HPC)
u Ethernet as backbone between zones (→ saves wiring cost and weight)

u Challenges
u Mixed traffic on Ethernet links between zones (Comfort, ADAS…)
u High communication load between zones
u Separation and flow control of different types of traffic needed
u Cybersecurity requirements on traffic

3
Intro
Security Gateway

u Security Gateways
u Are often a combination of a Smart Ethernet Switch implementing a firewall and a Host Microcontroller
u Represent themselves as a single ECU on the network
u Are the central connecting nodes between zones

u Smart Ethernet Switches


u Have a CPU with one or multiple cores for high-level tasks:
> Global time
> Firewall filtering
u Switch fabric for low-level tasks:
> Packet routing
> Traffic modification (VLAN tagging…)
> Traffic shaping
> Firewall filtering
u Run their own software stack (MICROSAR Switch)

u Host Microcontroller
u Has an internal connection to the Ethernet switch
u Takes over some of the switch's tasks (update, diagnostics…)
u Executes other vehicle functions

4
Intro
Automotive Ethernet Traffic

u The network architecture and the traffic within a vehicle are well known
u Protocols
u Addresses

u Common protocols and their ISO/OSI layer are:

OSI layer | Protocols
5-7       | SOME/IP, SOME/IP-SD, DoIP, DHCP
4         | TCP, UDP, DoIP
3         | IP, ICMP, IEEE 1722 (AVB)
2         | Ethernet MAC, VLAN, ARP
1         | Ethernet PHY

5
Intro
Threats and Attack Paths

u Modern vehicles are facing various cyber security threats
[Figure: attacker motivations shown on the slide: Tuning, Theft, Manipulation, Blackmailing]

u Cyber security attacks usually focus on getting control over an ECU
> That runs the targeted function
> That can reach the ECU with the targeted function via the network

u Modern vehicles have multiple attack paths


u Vehicle-external
> Bluetooth
> Wifi
> Backend
> Wiring
u Vehicle-internal
> Diagnostics-port
> USB interfaces
> Media interfaces (SD/CD/DVD…)

u Attacks almost always use communication over the internal networks

Securing the vehicle-internal networks is essential

6
Agenda

Intro
u Automotive Firewall
Summary

7
Automotive Firewall
Types of Firewalls

u An Ethernet automotive firewall can be realized either:


u Host-based: On the Host microcontroller/microprocessor of an ECU
u Network-based: By the Ethernet switch

u Host-Based firewalls fall into two categories

u Dedicated firewall software: iptables, packet filter (pf)…
u Stack-based firewalling: Components of the MICROSAR communication stack

[Figure: filtering points in the MICROSAR communication stack and the fields each layer filters on: SoAd → SoAd ID; TcpIp → IP, protocol, port; Eth Driver / Interface → VLAN; Ethernet Controller → MAC]

u Network-based (→ Security Gateway)

u Realization of the firewall on Ethernet smart switches
u Filtering of the traffic by the switch in hardware (fabric) and software (CPU)

[Figure: MICROSAR Switch with option Firewall]

8
Automotive Firewall
Hardware-Based Filtering

u Automotive firewalls have


u …high requirements for bandwidth and latency
u …very limited computation and memory resources
→ Filtering of the complete traffic by a software-based firewall in the switch CPU is not possible

u Hardware-Based Filtering: Usage of Ternary Content-Addressable Memory (TCAM)


u TCAMs operate at line speed
u TCAM entries are bitmasks (with "don't care" bits) that are applied to network packets
u A TCAM match can trigger a configurable action
> Forward packet to egress port(s)
> Drop packet
> Forward packet to switch CPU for further inspection
> Forward packet to switch CPU for reporting
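The slide lists what a TCAM does but not how a ternary match works. The following toy model is an added example, not Vector or MICROSAR code: each entry is a value/mask pair over a fixed lookup key, a packet matches when `(key & mask) == (value & mask)` so masked-out bits are "don't care", entries are searched in priority order, and the first hit selects one of the four actions named above. The 15-byte key layout (dst MAC, VLAN ID, IPv4 dst, L4 protocol, dst port), the helper names and all addresses, VLAN IDs and ports in the sample table are assumptions constructed for the demo.

```python
"""Toy model of TCAM-style ternary matching (added example, not MICROSAR code).

Key layout, helper names and sample values are assumptions of this demo."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class Action(Enum):
    FORWARD = "forward to egress port(s)"
    DROP = "drop"
    TO_CPU_INSPECT = "forward to switch CPU for further inspection"
    TO_CPU_REPORT = "forward to switch CPU for reporting"


# Field order and width (bytes) of the assumed lookup key the switch extracts per frame.
KEY_FIELDS: Tuple[Tuple[str, int], ...] = (
    ("dst_mac", 6), ("vlan", 2), ("dst_ip", 4), ("proto", 1), ("dport", 2))
KEY_LEN = sum(width for _, width in KEY_FIELDS)


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def ipv4(text: str) -> bytes:
    return bytes(int(octet) for octet in text.split("."))


def build_key(dst_mac: str, vlan: int, dst_ip: str, proto: int, dport: int) -> bytes:
    """Assemble the lookup key from already parsed header fields."""
    key = (mac(dst_mac) + vlan.to_bytes(2, "big") + ipv4(dst_ip)
           + bytes([proto]) + dport.to_bytes(2, "big"))
    assert len(key) == KEY_LEN
    return key


@dataclass(frozen=True)
class TcamEntry:
    name: str
    value: bytes
    mask: bytes
    action: Action

    def matches(self, key: bytes) -> bool:
        # Ternary compare: only bits set in the mask are compared.
        return all((k & m) == (v & m) for k, v, m in zip(key, self.value, self.mask))


# A field spec is (value bytes, mask bytes); None means the whole field is "don't care".
FieldSpec = Optional[Tuple[bytes, bytes]]


def exact(value: bytes) -> FieldSpec:
    return value, b"\xff" * len(value)


def prefix(cidr: str) -> FieldSpec:
    """IPv4 network in CIDR notation -> value/mask that compares only the prefix bits."""
    net, bits = cidr.split("/")
    mask_int = (0xFFFFFFFF << (32 - int(bits))) & 0xFFFFFFFF
    return ipv4(net), mask_int.to_bytes(4, "big")


def make_entry(name: str, action: Action, **fields: FieldSpec) -> TcamEntry:
    value, mask = bytearray(), bytearray()
    for field_name, width in KEY_FIELDS:
        spec = fields.get(field_name)
        if spec is None:
            value += bytes(width)
            mask += bytes(width)          # wildcard: no bit of this field is compared
        else:
            assert len(spec[0]) == width == len(spec[1]), field_name
            value += spec[0]
            mask += spec[1]
    return TcamEntry(name, bytes(value), bytes(mask), action)


def lookup(table: List[TcamEntry], key: bytes) -> Tuple[str, Action]:
    """First matching entry wins; unmatched frames go to the CPU firewall for inspection."""
    for entry in table:
        if entry.matches(key):
            return entry.name, entry.action
    return "no-match", Action.TO_CPU_INSPECT


# Constructed sample table: allow SOME/IP-SD into the front-left zone subnet,
# report ICMP to the CPU, and drop DoIP headed for the comfort VLAN.
SAMPLE_TABLE = [
    make_entry("allow-someip-sd-front-left", Action.FORWARD,
               vlan=exact((10).to_bytes(2, "big")), dst_ip=prefix("10.0.1.0/24"),
               proto=exact(b"\x11"), dport=exact((30490).to_bytes(2, "big"))),
    make_entry("report-icmp", Action.TO_CPU_REPORT, proto=exact(b"\x01")),
    make_entry("drop-doip-to-comfort", Action.DROP,
               vlan=exact((20).to_bytes(2, "big")), proto=exact(b"\x06"),
               dport=exact((13400).to_bytes(2, "big"))),
]
```

The `prefix` helper shows why ternary matching matters for the automotive case: one entry covers a whole zone subnet, so the table stays small enough for the limited TCAM, while anything the entries do not cover falls through to the software firewall rather than being silently forwarded.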

9
Automotive Firewall
Deep Packet Inspection (DPI)

u Deep Packet Inspection (DPI): Allows filtering on OSI layer 5 and higher
u DPI means parsing of the frame content
u DPI must be done by the switch CPU¹ (→ TCAM are unsuitable for dynamic frame content)
u MICROSAR Firewall supports DPI for SoAd PDU IDs
> Filtering of Socket Adaptor (SoAd) IDs allows filtering of SOME/IP services
> Firewall parses layer 4 PDUs for contained layer 5 PDUs
> Beginning of the next PDU is calculated from the length in the PCI

[Figure: PDU nesting. The layer 4 (UDP) PDU consists of PCI and SDU; the UDP SDU carries PduR PDUs; each PduR PDU starts with a SoAd PDU header (ID, Length) followed by the layer 5 (SoAd) SDU]

1) Applies to standard smart switches without specialized HW
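The DPI step above is a parsing loop: read a PDU header, jump ahead by the length field, check the ID, repeat. The following is an added example of that loop and is not Vector or MICROSAR code. It assumes a PDU header of a 32-bit PDU ID followed by a 32-bit SDU length, both big-endian (the shape of the AUTOSAR SoAd PDU header option; treat the layout as an assumption here), checks every ID against an allowlist, and refuses to trust a length that points past the end of the frame, which is the edge case a software filter must handle before the length drives any further parsing. The function names, PDU IDs and payloads are constructed.

```python
"""Software DPI of SoAd PDUs inside a UDP payload (added example, not MICROSAR code).

Assumed header: 32-bit PDU ID, 32-bit SDU length, big-endian. IDs/payloads constructed."""
import struct
from dataclasses import dataclass, field
from typing import Iterable, List, Set, Tuple

PDU_HEADER = struct.Struct(">II")   # (pdu_id, sdu_length)


@dataclass
class DpiResult:
    verdict: str                                       # "accept" or "drop"
    pdu_ids: List[int] = field(default_factory=list)   # IDs seen in the frame
    events: List[str] = field(default_factory=list)    # would become SEv reports to the IdsM


def build_udp_sdu(pdus: Iterable[Tuple[int, bytes]]) -> bytes:
    """Pack (pdu_id, sdu) pairs the way a sender would place them in one UDP payload."""
    return b"".join(PDU_HEADER.pack(pdu_id, len(sdu)) + sdu for pdu_id, sdu in pdus)


def inspect_soad(udp_sdu: bytes, allowed_ids: Set[int]) -> DpiResult:
    """Walk the layer 4 SDU PDU by PDU; accept only if every PDU ID is allowlisted."""
    result = DpiResult("accept")
    offset = 0
    while offset < len(udp_sdu):
        if len(udp_sdu) - offset < PDU_HEADER.size:
            result.events.append(f"truncated PDU header at offset {offset}")
            result.verdict = "drop"
            break
        pdu_id, length = PDU_HEADER.unpack_from(udp_sdu, offset)
        offset += PDU_HEADER.size
        remaining = len(udp_sdu) - offset
        if length > remaining:
            # A bogus length must never move the parser past the frame: report and stop.
            result.events.append(
                f"PDU 0x{pdu_id:08x}: length {length} exceeds remaining {remaining} bytes")
            result.verdict = "drop"
            break
        result.pdu_ids.append(pdu_id)
        if pdu_id not in allowed_ids:
            # Keep parsing so the report lists every ID in the frame; the frame is still dropped.
            result.events.append(f"PDU 0x{pdu_id:08x} not in allowlist")
            result.verdict = "drop"
        offset += length                  # beginning of the next PDU, per the PCI length
    return result


# Constructed allowlist: SoAd PDU IDs of the SOME/IP services permitted on this link.
ALLOWED_IDS = {0x00001001, 0x00001002}
```

A frame with several PDUs is accepted only as a whole; a single disallowed or malformed PDU drops the frame, and the collected events are what the vFwF would hand to the IdsM.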

10
Automotive Firewall
Security Gateway: Overview

u A Security Gateway is an ECU consisting of¹:

u Host microcontroller/processor running MICROSAR


u Ethernet smart switch running MICROSAR Switch

u Work-split
u Switch:
> Firewalling

u Host:
> Intrusion detection (IDS) reporting
> Diagnostic communication to vehicle
> Software update
> …

1) The Host is required because of resource constraints of most switches; Security Gateways without a Host are not feasible

11
Automotive Firewall
Security Gateway: The Components

u The firewall related components are:


u vFwM – Firewall Manager
u Provides Interfaces to the Application for firewall
management like:
> Loading of rulesets (policies)
> Getting the ID of the currently loaded ruleset

u vTCam – TCAM driver


u Configures TCAM for packet filtering according to
the currently loaded firewall ruleset.

u vFwF – Firewall Filter


u Implementation of the software firewall filter
u Checks incoming Ethernet frames against the active
ruleset.
u Drops, passes and/or reports Security Events (SEv) to the IdsM

u IdsM (Satellite) - Intrusion Detection System Manager
u Forwards security events (SEv) raised by the
firewall to the IdsM Master

u IdsM (Master)
u Forwards security events (SEv) raised by the firewall to the IdsR or persists them in the SEM

12
Automotive Firewall
AFL Language: Overview

u The MICROSAR Automotive Firewall Language (AFL):


u …is an external domain-specific language (DSL)
u …is a file format for the AFB tooling
u …is used by automotive cyber-security experts to specify vehicle
network firewall policies

u The AFL abstracts from the underlying hardware and software of the firewall
→ Firewall policy development can start even before the concrete switch has been selected or is available

13
Automotive Firewall
AFL Language: Elements

u Ruleset
u An AFL-based firewall policy structure consists of at least one ruleset

u Chain
u A chain groups multiple rules together
u The rules in a chain are evaluated in sequential order (first to last)
u The first rule to match will dictate what action to take

u Rule
u A rule is an instruction to filter (drop) or allow (accept) the network
packet under inspection

u Filter
u A filter expression applies to a protocol field
u A filter expression can be an atomic filter expression or a so-called compound filter expression, which combines multiple atomic filter expressions by a logical operator

u Action
u The action is executed by the rule when all filter expressions are
fulfilled
u Actions can be
> Accept
> Drop
> Report

14
Automotive Firewall
AFB Tooling

u The Automotive Firewall Builder (AFB) tooling comprises the following individual elements
u AFB ARXML: Allowlist firewall policy creation from AUTOSAR System Descriptions
> Analyzes the Ethernet communication in the AUTOSAR Classic Platform System Description
> Creates allowlist firewall rules in Automotive Firewall Language (AFL) for the switches in the vehicle network

u AFB Editor: AFL language support for Visual Studio Code


> Is the frontend for developing firewall rulesets.
> The AFB-Editor is a Microsoft Visual Studio Code plugin that provides:
> Syntax highlighting and completion
> Workflow support for the AFB ARXML
> Workflow Support for the AFB-Compiler
> Allows unit testing of firewall rules with simulated or recorded traffic

15
Automotive Firewall
AFB Tooling
u The Automotive Firewall Builder (AFB) tooling comprises the following individual elements
u AFB Compiler: Allowlist firewall policy creation
> Compiles the AFL Firewall rules into a hardware independent, data-oriented representation format (Filter Intermediate Representation (FIRE))
> Performs various optimization steps that eliminate redundant rules and combine similar rules
> Prioritizes rules for hardware-based filtering based on traffic captures
u Rule Separator / Generator: Software firewall and hardware filter configuration generation
> Is the switch-hardware dependent part of the tooling
> Generates the filter instructions for the SW firewall
> Generates the configuration of the TCAM
> Deploys the rules to TCAM or the CPU depending on:
> The hardware features of the switch
> The filter conditions
> The filtered Ethernet protocol
> The prioritization done by the AFB Compiler

16
Automotive Firewall
Unit Tests

u Thorough firewall policy evaluation is critical


u The options are
u System level test (board set-up / vehicle)
u Unit tests (AFB-Tooling)

u Unit Tests
u The AFB Tooling is used to define and execute individual test cases and test specifications
u A test case consists of
> One or multiple input packets
> An expected result of the test

u Input packets can be


> Recorded traffic (*.pcapng)
> Synthetic packets defined in AFL

u Automatic HTML test report generation

17
Automotive Firewall
Unit Tests

u Code coverage
u Unit tests also perform coverage analysis that tells
> Which filter condition was hit/not hit
> Which rules have been hit/not hit

u Allows firewall policy tweaking
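The AFL elements slide (ruleset, chain, rule, filter, action with first-match evaluation) and the unit-test slides (test cases of packets plus an expected result, coverage of which rules and filter conditions were hit) describe one mechanism from two sides. The following added example models both in one piece; it is not Vector code and not AFL syntax. A chain is evaluated first to last, the first rule whose filter expressions are all fulfilled dictates the action, atomic filters apply to one protocol field and compound filters combine them with a logical operator; every filter and rule counts its hits so a test run can show what was never exercised. Packets are plain dicts of protocol fields, and the field names, operators, test-case format and sample traffic are assumptions constructed for the demo.

```python
"""Ruleset/chain/rule/filter/action model with first-match semantics and hit coverage
(added example, not Vector code or AFL syntax). Field names and sample data are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union

Packet = Dict[str, object]


@dataclass
class Atomic:
    field_name: str              # protocol field the filter applies to
    op: str                      # "eq" or "in"
    operand: object
    hits: int = 0

    def evaluate(self, pkt: Packet) -> bool:
        value = pkt.get(self.field_name)
        if self.op == "eq":
            ok = value == self.operand
        elif self.op == "in":
            ok = value in self.operand
        else:
            raise ValueError(f"unknown operator {self.op!r}")
        if ok:
            self.hits += 1
        return ok


@dataclass
class Compound:
    op: str                      # "and" / "or"
    parts: List["Filter"]
    hits: int = 0

    def evaluate(self, pkt: Packet) -> bool:
        # Evaluate every part (no short-circuit) so coverage sees each atomic condition.
        results = [part.evaluate(pkt) for part in self.parts]
        ok = all(results) if self.op == "and" else any(results)
        if ok:
            self.hits += 1
        return ok


Filter = Union[Atomic, Compound]


@dataclass
class Rule:
    name: str
    filters: List[Filter]        # all must be fulfilled for the action to fire
    action: str                  # "accept", "drop" or "report"
    hits: int = 0


@dataclass
class Chain:
    name: str
    rules: List[Rule]
    default_action: str = "drop"   # allowlist policy: unmatched traffic is dropped

    def evaluate(self, pkt: Packet) -> Tuple[str, str]:
        for rule in self.rules:          # sequential order, first match wins
            if all(f.evaluate(pkt) for f in rule.filters):
                rule.hits += 1
                return rule.action, rule.name
        return self.default_action, "default"


@dataclass
class TestCase:
    name: str
    packets: List[Packet]        # synthetic packets; a pcapng reader could supply these instead
    expected: str                # expected action for every packet of the case


def run_tests(chain: Chain, cases: List[TestCase]) -> Dict[str, bool]:
    """Map test-case name -> passed. Evaluation also accumulates hit counters for coverage."""
    return {tc.name: all(chain.evaluate(p)[0] == tc.expected for p in tc.packets) for tc in cases}


def coverage(chain: Chain) -> Tuple[List[str], List[str]]:
    """Names of rules and of atomic filter conditions that were never hit by the tests."""
    unhit_rules = [r.name for r in chain.rules if r.hits == 0]
    unhit_filters: List[str] = []

    def walk(flt: Filter, path: str) -> None:
        if isinstance(flt, Compound):
            for i, part in enumerate(flt.parts):
                walk(part, f"{path}.{flt.op}[{i}]")
        elif flt.hits == 0:
            unhit_filters.append(f"{path}:{flt.field_name}")

    for rule in chain.rules:
        for i, flt in enumerate(rule.filters):
            walk(flt, f"{rule.name}[{i}]")
    return unhit_rules, unhit_filters


def sample_chain() -> Chain:
    """Constructed inter-zone allowlist: SOME/IP-SD on VLAN 10 and AVB accepted, DoIP reported."""
    return Chain("zone-front-left-ingress", [
        Rule("allow-someip-sd", [Atomic("proto", "eq", "udp"), Atomic("dport", "eq", 30490),
                                 Atomic("vlan", "eq", 10)], "accept"),
        Rule("allow-avb-stream", [Atomic("ethertype", "eq", 0x22F0)], "accept"),
        Rule("report-doip", [Compound("or", [Atomic("dport", "eq", 13400),
                                             Atomic("sport", "eq", 13400)])], "report"),
    ])


SAMPLE_TESTS = [
    TestCase("sd-accepted", [{"vlan": 10, "proto": "udp", "dport": 30490}], "accept"),
    TestCase("avb-accepted", [{"ethertype": 0x22F0}], "accept"),
    TestCase("doip-reported", [{"vlan": 20, "proto": "tcp", "dport": 13400}], "report"),
    TestCase("unknown-dropped", [{"vlan": 10, "proto": "udp", "dport": 5555}], "drop"),
]
```

Running `run_tests(sample_chain(), SAMPLE_TESTS)` passes all four cases, yet `coverage` reports that the `sport` condition of the compound filter was never hit: the test set only ever exercised DoIP by destination port. That is exactly the kind of finding the slides' coverage analysis exists for, and it is what drives the policy tweaking they mention.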

18
Automotive Firewall
Stakeholders and involved Tools

u The Automotive Firewall Toolchain supports the following stakeholders during the specification, development and testing of Automotive Ethernet firewalls

u Security Engineers at the OEM (System Perspective)


u Define and validate firewall policies (Independent of Target HW), using the Automotive Firewall Builder (AFB)
> Define policies via AFL
> Validate policies via unit tests
> (Optional: Generate policies from System Descriptions)

u Security Engineers at the Tier1 (ECU Perspective)


u Analyze and refine firewall rules (For the concrete target HW)
> Refine Rules via AFL

u Developers and Integrators at the Tier1 (ECU Perspective)


u Configure and verify firewall rules (For target HW), using DaVinci
> Configure components with DaVinci tooling

u Testers at the Tier1 and OEM


u Test firewall behavior (On ECU Level and on System Level), using CANoe
> Test with CANoe / vTestStudio

19
Agenda

Intro
Automotive Firewall
u Summary

20
Summary
Option Firewall

u MICROSAR Switch Option Firewall


u …extends MICROSAR Switch by a network firewall for smart switches
u …provides powerful tooling for firewall policy creation and validation
u …makes optimal use of the switch's resources
> Hardware-based (TCAM) filtering for high throughput
> Software-based filtering for advanced filtering, Deep Packet Inspection and reporting
u …allows an independent flash-update of firewall policies
u …provides an easily accessible, yet extensive language for firewall policy definition
u …is seamlessly integrated with the MICROSAR Intrusion Detection System (IDS)

21
For more information about Vector and our products please visit

www.vector.com

Author:
Zeeb, Alexander
Vector Germany

22 © 2024. Vector Informatik GmbH. All rights reserved. Any distribution or copying is subject to prior written approval by Vector. V0.1 | 2024-04-15
