CycurHSM An Automotive-qualified Software Stack for Hardware Security Modules Dr. Frederic Stumpf, ESCRYPT GmbH – Embedded Security, Stuttgart, Germany 1 Introduction Electronic Control Units (ECU) are embedded systems that process information from different vehicle sub-systems, such as sensors or other ECUs, and control actuators to react on system events accordingly. One prominent example for ECUs is the engine control unit which is responsible for controlling a series of actuators on a combustion engine to ensure optimal engine performance. The engine's actuators are controlled based on complex system parameters, such as ignition timing, and are configured and adapted to the specific motor characteristic during vehicle production. Manipulation of these critical system parameters is an interesting attack target since manipulations may yield in modified motor characteristics which may give an attacker the ability to improve the performance of the engine. These attacks are commonly referred to as Chiptuning and are offered by an industry-wide tuning sector. The motor control unit is only one out of many ECUs which is susceptible to attacks. Other attacks on ECUs may cover the unauthorized activation of vehicle features or circumventions of the immobilizer system of a vehicle [HS11]. Due to the increased networking of ECUs and the fact that ECUs carry out more and more sensitive tasks, the attack surface and the resulting financial loss caused by a successful attack on an ECU will grow significantly in the near future. In addition, successful attacks on one ECU endanger the whole vehicle board network and can have an impact to the whole vehicle safety system, which at worst, may cause the safety-characteristics no longer being satisfied. In order to harden ECUs against attacks, security mechanisms which prevent reading out sensitive keying material and also prevent successful manipulation of the software of an ECU must be used. To provide the necessary trust primitives and resistance to physical attacks, the security mechanisms must be rooted in hardware. This approach prevents that sensitive information, e.g., cryptographic keys, are vulnerable to software attacks. Hardware Security Modules (HSM) are a promising technology to answer the requirements for such a secure hardware extensions for ECUs. 2 Automotive-qualified Hardware Security Modules Hardware Security Modules are dedicated hardware security components that encapsulate security functions and provide the necessary trust primitives. HSMs are integrated chips specifically developed and designed for security use-cases. Typically, implementations range from smart cards used for identification and authentication purposes, such as, national identification cards, to Trusted Platform Modules [Tru07] which are Hardware Security Modules for personal computers. HSMs typically consist of a CPU core, different types of data storages (e.g., RAM, ROM, Flash), a memory protection unit, a memory encryption unit, sensors, cryptographic accelerators, and further peripheral components. Most HSMs employ sophisticated countermeasures against physical attacks, such as active sensors to detect fault and glitching attacks, and also employ cryptographic implementations which are hardened against side channel attacks. However, typical Hardware Security Modules do not satisfy automotive requirements. Problematic characteristics that render integrating existing Hardware Security Modules as additional component inside of an ECU non-usable are especially: 1. High costs caused by integrating an external, additional chip inside an ECU 2. Sensitivity to attacks on the communication interface between ECU application core and HSM 3. The non-existence of debug/testing interfaces if a malfunctioned device needs to be analyzed 4. The high temperature range an automotive qualified product needs to satisfy The lack of existing technology has caused Bosch to develop an own HSM specification that satisfies automotive requirements [BGI+11]. In order to ensure a high market penetration, Bosch cooperated with the most important silicon manufacturers to ensure that the technology will be supported and implemented by a broad set of silicon manufacturers. 3 The Bosch HSM The basic architecture of the Bosch HSM is shown in Figure 1. Core of the HSM is a secure CPU where security critical tasks are executed. The HSM also possesses its own RAM, Boot ROM, AES engine as well as a True Random Number Generator (TRNG) as cryptographic peripheries. Parts of the HSM are also debug interfaces and an On-Chip Interconnect Interface which is used for communication with the host core and to access the flash. The host core is a typical automotive qualified application processor providing an execution environment for safety-critical tasks, achieved for example using additional lockstep cores. The flash is shared between host core and HSM, and the firmware both of the HSM and the host core is stored in shared flash. A memory protection unit (not shown in the figure) ensures that only the HSM is allowed to access its own HSM allocated data located in the flash. When the HSM is powered up, the local boot code is loaded from the boot ROM and the HSM is initialized with the code stored in the shared flash. The HSM provides a method to enable debugging the HSM including read out of all data stored in the flash and the internal data of the HSM (besides internal AES keys). The debug interface can only be activated internally by the HSM after a secure authentication protocol (e.g., challenge-response authentication) between the HSM and one external debugger has been performed. Figure 1: Main Components of the BOSCH HSM While the detailed realization and implementation of the HSM varies between the different silicon manufacturers, the basic concepts of providing a secure execution environment based on an additional secure core, are the same for all silicon manufacturers that provide an implementation which is compliant to the Bosch HSM. 4 HSM Security Functions The HSM implements a set of security functions which can be used to realize complex automotive security use-cases. For this purpose, the HSM offers the following primitives: • AES-128 bit engine in Hardware • A True Random Number Generator for secure generation of cryptographic keys • Hardware-shielded protected storage for cryptographic keys or secure logging • A secure system timer to realize a secure, replay protected logging • Secure debug under control of the HSM 5 CycurHSM - A Secure Software Stack for Automotive HSMs The new CycurHSM product from ESCRYPT is a security firmware specifically designed for the Bosch HSM and its derivates. CycurHSM will support all available HSM implementations from the different silicon manufacturers and provides a standardized API to access the HSM. Besides making the existing HW security peripherals of the HSM available to software executed inside the HSM and applications on the host core, CycurHSM also implements a full cryptographic library with asymmetric cryptography support. CycurHSM provides all necessary interface to integrate the HSM inside of a typical automotive ECU, i.e., it consists of an AUTOSAR interfaces, required device drivers, and a PKCS#11 interface for non-AUTOSAR applications. As a result, CycurHSM fully encapsulates all required security functions needed to satisfy a broad set of automotive security requirements. The innovative design of CycurHSM is based on a real-time operating system to also ensure real-time characteristics of the HSM that will be required in future use-cases, e.g., for secure real-time critical on-board communication with the involvement of HSM technology. 5.1 Software Architecture The software architecture of CycurHSM is shown in Figure 2. Core component of CycurHSM is RTA-OS from ETAS. RTA-OS is a real-time operating system specifically designed to meet all requirements of automotive ECUs. Further, RTA-OS provides minimal runtime overheads, a very small footprint, and a MISRA C compliant implementation. RTA-OS provides a two-layer protection level to isolate trustworthy kernel tasks from non-trustworthy user tasks, thus providing an additional protection concept for the software of the HSM. Each task on the HSM is executed with the least privilege level required, as a result, potential security vulnerabilities in one task, do not cause the whole system to become insecure. The CycurLIB security library from ESCRYPT provides additional cryptographic primitives (ECC, RSA) and directly uses the cryptographic accelerators available in hardware on the HSM. CycurLIB encapsulates all cryptographic algorithms and functions and provides an interface to applications executed on top of the HSM. The software of the HSM implements customer specific security applications that directly use the provided security functions available on the HSM made available using the CycurLIB. In addition to the CycurLIB, a SHE emulation module is executed on the HSM. This module uses the CycurLIB security library as underlying primitive and implements the SHE specification [Sof09] with additional extensions to SHE to satisfy extended automotive requirements (denoted as SHE+). The functionality is made available to applications executed on the host core using the HSM driver. The functionality of security applications can be fully implemented on top of the HSM but can also be distributed between host core and HSM if required. CycurLIB and all additional customer specific software applications are executed in user-mode on the HSM. The HSM is communicating with the host core using a specific HSM device driver which ensures secure communication between HSM and host core. The HSM driver on the host is fully compatible to AUTOSAR and provides an interface based on the AUTOSAR crypto abstraction layer (CAL). In addition, it provides a PKCS#11 compliant interface. Figure 2: Main SW Components of CycurHSM 5.2 Security Functions and Use-Cases Based on the HSM, a broad set of use-cases can be implemented. Since the HSM provides a standardized interface to security functions based on strong cryptography, security applications can be either realized on the HSM, the host core, or using a combination of both. Supported uses-cases include, but are not limited, to the following: 5.2.1 Secure Boot Secure boot ensures that the integrity of code stored in the flash has not been compromised and is in a trustworthy state. This is achieved by checking the integrity of code before being executed during the initialization of the ECU. To this end, each component in the boot chain, validates the integrity of the following component in the boot chain before handing over control to the next component in the chain. The initial component is integrated as Core Root of Trust for Measurement inside the boot ROM which is initially responsible for initiating the boot process and for triggering the boot loader. The integrity is validated by computing a cryptographic hash value of the code and comparing it with a pre-configured hash value stored in secure storage of the HSM. If the computed result does not match the pre-configured value, the HSM prevents further execution of the code on the ECU. Figure 3: Secure Boot The secure boot is initiated and completely performed involvement of the HSM by the HSM itself, i.e., without any explicit call by the host CPU. process with 5.2.2 Runtime Tuning Detection Runtime tuning detection verifies the code integrity of the flash content during the regular operation of the ECU. The goal is to detect manipulations on the original ECU flash. Runtime tuning detection takes advantage that the HSM is realized as one additional core with full access to the flash of the ECU. As a result, the HSM can independently validate the code integrity of the flash without causing any impact or delays on the safety-critical applications executed on the host core. Typically, the runtime tuning detection is a low-prioritized task implemented on top of the HSM that walks through the flash storage in regular intervals and compares the integrity of the flash code with pre-configured measurements. If the runtime tuning detection tasks detects an anomaly, a secure log entry is created that gives information about the detected anomaly. As an alternative, the runtime tuning detection may cause a specific reaction to an event, e.g., causing the ECU to go into fail-safe mode. 5.2.3 Secure Flashing Secure flashing is the process of updating the software of the ECU in a secure manner. Secure flashing supported by an HSM is typically divided into three phases. First, the authenticity of the flashing request of an external diagnosis tester is verified by the HSM. For this purpose, a challenge-response authentication protocol using symmetric or asymmetric keys is performed. After the HSM grants access, the download of the software can be initiated (step 2). Alongside to the software, a cryptographic signature is transmitted which was created by a trustworthy entity, e.g., the manufacturer of the ECU, that vouches for the trust level of the code. After the code has been transmitted, the HSM checks the signature of the code. If the signature verification succeeds and the code fits to the ECU, the internal flash structure is updated with the new code (step three). 6 Conclusion Hardware Security Modules are a necessary building block to harden embedded systems against attacks. HSMs are dedicated hardware security components that encapsulate security functions and provide the necessary trust primitives. This article gives a high-level overview of the CycurHSM product currently under development by ESCRYPT. CycurHSM is a complete software stack adapted to the available implementations of the Bosch HSM by different silicon manufacturers. In addition, it provides an own SHE(+) emulation module on a secure core. The innovative design of CycurHSM is based on a real-time operating system to satisfy future upcoming requests to also meet safety requirements. Based on CycurHSM, a broad set of security applications can be supported. CycurHSM provides the technology for fulfilling the requirements regarding a flexible HSM firmware that provides open and standardized interfaces to HSM-enhanced security applications. The full comparability of CycurHSM to AUTOSAR ensures a broad applicability and the usage of the technology in different types of ECUs. Contact & Further Information Email Web info@escrypt.com www.escrypt.com ESCRYPT GmbH – Embedded Security Lise-Meitner-Allee 4 44801 Bochum, Germany Phone: +49 234 43870-219 ESCRYPT Inc. – Embedded Security 315 E Eisenhower Parkway, Suite 214 Ann Arbor, MI 48108, USA Phone: +1 734 418-2797 References [BGI+11] Oliver Bubeck, Jens Gramm, Markus Ihle, Jamshid Shokrollahi, Robert Szerwinski, and Martin Emele. A hardware security module for engine control units. In Proceedings of the 10th ESCAR Conference, 2011. [HS11] Johann Heyszl and Frederic Stumpf. Asymmetric cryptography in automotive access and immobilizer systems. In Proceedings of the 10th ESCAR Conference, 2011. [Sof09] HIS Herstellerinitiative Software. She - secure hardware extension version 1.1. Technical report, http://portal.automotive-his.de/, 2009. [Tru07] Trusted Computing Group. TCG TPM Specification, Architecture Overview. Technical report, TCG, 2007.