Security Engineering for Vehicular IT Systems - Improving the Trustworthiness and Dependability of Automotive IT Applications
7 Vehicular Security Technologies (pp. 107-108)
This chapter provides an overview of general vehicular security technologies such as physical security measures, vehicular security modules, and vehicular security architectures. These technologies serve as a basis for implementing identified security requirements using the security mechanisms described in the next chapter. Parts of this chapter are based on published research in [BEPW07, BEWW07, HSW06, SSW06].
7.1 Physical Security
In contrast to most other IT-related attack scenarios, attackers in the automotive domain usually have full physical access to breach the security of a particular vehicular IT system. As described in detail in Section 5.2.2 about physical attacks, an internal attacker in the automotive domain can manipulate or replace almost every built-in component and can manipulate its actual physical environment and (physical) inputs. He further holds the respective attack target in his possession for as long as he likes, and may eventually even receive more samples for testing and practice. Hence, the attacker can mount almost any feasible attack undisturbed, without having to fear being detected, traced back, or locked out. Nevertheless, there exist several measures to make physical attacks at least more difficult, even though it is practically impossible to fend off a sufficiently motivated (and sufficiently funded) attacker completely.
Thus, a security-critical IT system cannot solely rely on its physical protection measures and hence has to ensure that the successful compromise of a single hardware component does not compromise the overall IT system. This means that the cost of compromising a single hardware component should generally outweigh the potential rewards (economic security). Physical security or tamper protection measures usually either aim to prevent any kind of disclosure and modification (tamper-resistance), or aim to at least enable a subsequent detection of potential disclosures or modifications by a regular and unpredictable examining control entity (tamper-evidence).
Physical security measures can be further distinguished into active (tamper-responsive) and passive (tamper-evident, tamper-resistant) protection measures. This results in the following three definitions. Being tamper-evident refers to a passive physical security characteristic, which provides detection of whether a hardware component has been illicitly modified or compromised. Optionally, tamper-evidence also provides detection of unsuccessful tampering attempts. However, tamper-evidence itself cannot prevent any potential modifications or disclosures. Being tamper-resistant or tamper-proof refers to a passive physical security characteristic, which prevents an attacker from illicitly modifying or compromising a hardware component by passive, non-responsive physical protection measures.
Lastly, being tamper-responsive refers to an active physical security characteristic, which actively prevents an attacker from tampering with a hardware component by triggering appropriate counteractive measures up to automatic self-destruction. Tamper-response, in turn, is based on tamper-detection measures, which have to detect an ongoing attack in order to trigger proper response measures. However, deploying physical security measures at the same time means that the maintainability of such a protected hardware component usually will become clearly limited. This holds because a tamper-protection measure normally cannot distinguish between an authorized access and an unauthorized access.