Protecting Automotive SoCs Starts With Secure IP

The automotive industry is undergoing a significant transformation. Cars are becoming more sophisticated and valuable with increased connectivity and capabilities to provide a better user experience. They are also collecting and transmitting more and more sensitive data and thus are becoming very attractive targets for attacks. Cybercrime in the automotive industry is growing rapidly. How bad is it? According to the AV-TEST Institute, the number of malicious programs targeting automobiles has increased to roughly 1.1 billion at the end of 2020, from ~65 million in 2011. Upstream Security reported in a 2019 cyber hack security study that there was a 94% year-over-year growth in automotive hacks since 2016.

Cybersecurity is a critical and urgent need that OEMs must address, and it’s important that they do so starting early in the design cycle. While the automotive sector has not been as regulated as other industries, the environment is changing rapidly with more regulations, standards and guidelines, such as:

• 29 regulations released by UNECE (United Nations Economic Commission for Europe) mandate cybersecurity management systems for new vehicles. The regulations require OEMs to manage cyber risks, secure vehicles by design, detect and respond to security incidents, and provide safe and secure over-the-air software updates.
• ISO/SAE 21434, a new standard scheduled for release in 2021, specifies the process requirements for cybersecurity risk management of road vehicle systems. Covered processes include the complete life cycle from concept, development, production, operations and maintenance, to decommissioning.
• SAE J3101 specifies hardware-protected security requirements for ground vehicle applications. SAE J3101 includes a comprehensive view of security functions and corresponding use cases as well as applications that need to be supported to address the security needs in a vehicle.
• NHSTA (National Highway Traffic Safety Administration) cybersecurity best practices report recommends a multilayered automotive cybersecurity approach. NHSTA focuses on vehicle entry points that could be vulnerable to cyberattacks, such as wired and wireless connections designed for human or machine interfaces.

While automotive security is critical and must be addressed from the ground up starting with the system-on-chips (SoCs), it also needs to be approached together with safety in a holistic manner. In addition to the systematic and random faults addressed by the ISO 26262 functional safety standard, secure automotive systems must be able to handle malicious attacks that can occur unpredictability. Designing security into automotive SoCs from the hardware level with safe and secure Hardware Secure Module (HSM) IP with root of trust will help ensure that connected cars behave as expected, prevent random and systematic faults, and are able to fend off malicious attacks.

Automotive HSM IP solutions

The foundation of security is an in-depth defensive strategy for securing a vehicle. At the heart of every software program is the hardware on which it runs. To ensure that an SoC has not been compromised, the hardware should be capable of assessing its own integrity as it comes out of reset. Then, when it is deemed secure, it can bring up the network that ultimately forms the intelligence inside the car that will eventually connect to the outside world. In addition to ensuring the SoC boots safely and is protected, the SoC needs to be able to prevent random and systematic faults and meet stringent safety requirements.

ASIL B compliant HSM IP for automotive (figure 1) includes comprehensive root of trust security and automotive documentation (safety manual, DFMEA/FMEDA/DFA analysis reports, quality manual, development interface and safety case reports) along with hardware safety mechanisms that protect the SoC against malicious security attacks while preventing random and systematic safety faults. Safe and secure IP can include a broad range of safety mechanisms such as dual-core lockstep, memory ECC, register EDC, parity, watchdog, self-checking comparators, bus and MPU protection, and dual rail logic. The HSM IP can also incorporate an ASIL D compliant processor, such as the low-power ARC Processor IP, for running secure applications and cryptographic processing. SoC designers look for the IP to include features such as:

• Fully programmable solution that provides the hardware root of trust for a system and safeguards against evolving threats with high-grade security
• Safety mechanisms for ASIL B compliance for random faults and ASIL D compliance for systematics
• Scalable symmetric/asymmetric/hash/MAC cryptography acceleration from CPU custom instructions, to cryptographic cores with side channel protection
• Processor that includes an MPU for memory access permission control
• Secure external memory controllers with side channel (DPA protection) to provide confidentiality and integrity protection for untrusted external memory, as well as runtime tamper detection
• NIST SP800-90c compliant random number generator
• Multiple secure key servers for secure key distribution within the SoC
• Compliance with EVITA Full/Medium/Light hardware requirements
• Power, clock, and reset management
• Software that includes secure applications such as SDK, NIST-validated cryptography library, runtime library, device drivers, and reference designs
• Development and manufacturing tools

Fig. 1: Key features for safe and secure SoCs.

HSM IP for automotive must provide a trusted execution environment (TEE) to protect sensitive information and processing at the SoC level. The HSMs should implement security-critical functions required throughout the device life cycle, such as:

• Secure boot that validates software and data integrity of the host CPU and is used to ensure that it executes only trusted firmware. Besides integrity and authenticity, the secure boot service supports confidentiality as well via optional decryption of firmware images.
• Secure update enables in-the-field firmware updates based on secure identification and authentication, with optional encryption.
• Secure authentication is essential to ensure that one or more of the upstream and/or downstream devices communicating with the target device can be trusted. To ensure this trust, a mutually agreed upon authentication scheme is required. The HSM can ensure the integrity of various authentication protocols as well as the confidentiality of shared secrets between devices.
• Secure debug permits authentication with an external host using a secure protocol to enable local debugging on a device. Only trusted, authenticated developers are allowed debug access to the system.
• Secure storage provides protection for the device’s application data. The HSM provides a secure path to encrypt and decrypt the application data for storage in non-trusted locations, preventing attackers from reading or modifying it.
• Key management keeps the secret key material inside the hardware root of trust. Use of keys is allowed and managed by permissions and policies at the application layer. In addition, key generation, import and export are controlled by the HSM trusted application software without access to the keys from application or other less-trusted processors in the system.

Conclusion

Connected cars are evolving rapidly with more innovation and new applications for ADAS / autonomous driving, V2X, and infotainment. With the amount of hardware and software content enabling greater automation, cars have many potential points of security vulnerability and are targets to an increasing number of cyberattacks. To avoid weaknesses in security, OEMs are demanding both data protection and safety in the chip level. Automotive systems must address high-grade security and also must meet functional safety standards, which means implementing security functions to ensure that functional safety cannot be tampered with. Without security, there is no safety, and vice versa. Secure systems must be able to handle unpredictable inputs that would create unacceptable behaviors. Designing the security into automotive SoCs from the hardware level will help ensure that connected cars behave as expected, are able to protect against malicious security attacks, and are capable of preventing random and systematic safety faults.

Synopsys is uniquely positioned in the market with standards-compliant safe and secure tRoot HSM IP for Automotive that aligns with the latest technology demands and cybersecurity guidelines and enables SoC designers to quickly implement the required security in their chips with low risk and fast time to market. In addition to tRoot HSMs with Root of Trust, Synopsys provides a broad portfolio of highly integrated security IP solutions that use a common set of standards-based building blocks and security concepts to enable the most efficient silicon design and highest levels of security for a range of products in the cloud computing, automotive, digital home, IoT and mobile markets.