Upload
others
View
2
Download
0
Embed Size (px)
Citation preview
University of LuxembourgSnT - CritiX
Towards sustainable safety and security in autonomous vehicles
Marcus Völp
Autonomous driving – the next complexity milestone
Marcus Völp - Towards sustainable safety and security in autonomous vehicles - 75th IFIP WG 10.4 on Dependable Computing and Fault Tolerance - 2019 2
Source: http://paleofuture.com/blog/2010/12/9/driverless-car-of-the-future-1957.html
Level 4 autonomy => Level 5
Source: Wiki SelKet (CC-BY-SA-3.0)
Brain areas involved in human visual perception
Recognition not only of regular traffic
Ethics
Source: Autobild
Acceptance and Reputation
Implicit Communication
1957
Complexity of autonomous driving:
• Level 3: 300 MLOC (human supervision)
• Level 5: 1 BLOC+ ?
Autonomous driving – the next complexity milestone
Current Cars:
• ~ 100 MLOC (30 MLOC multimedia)
• ~ 100 ECUs
Marcus Völp - Towards sustainable safety and security in autonomous vehicles - 75th IFIP WG 10.4 on Dependable Computing and Fault Tolerance - 2019 3
Components associated with physical control of the vehicle
Components associated with safety
Components associated with entertainment and convenience
Image credit: Mercedes-Benz Museum (as cited in Computer
History Museum, 2011)Slide from Intel ADG
Functionality vs. Complexity
Complexity of autonomous driving:
• Level 3: 300 MLOC (human supervision)
• Level 5: 1 BLOC+ ?
Autonomous driving – the next complexity milestone
Current Cars:
• ~ 100 MLOC (30 MLOC multimedia)
• ~ 100 ECUs with 25 – 200 microprocessors
Marcus Völp - Towards sustainable safety and security in autonomous vehicles - 75th IFIP WG 10.4 on Dependable Computing and Fault Tolerance - 2019 4
Components associated with physical control of the vehicle
Components associated with safety
Components associated with entertainment and convenience
Image credit: Mercedes-Benz Museum (as cited in Computer
History Museum, 2011)Slide from Intel ADG
Functionality vs. Complexity
Over the air updates
https://arstechnica.com/cars/2017/07/gm-to-offer-ota-software-updates-before-2020-but-only-for-a-new-infotainment-platform/
Safety Certification?
Complexity of autonomous driving:
• Level 3: 300 MLOC (human supervision)
• Level 5: 1 BLOC+ ?
Autonomous driving – the next complexity milestone
Current Cars:
• ~ 100 MLOC (30 MLOC multimedia)
• ~ 100 ECUs with 25 – 200 microprocessors
Marcus Völp - Towards sustainable safety and security in autonomous vehicles - 75th IFIP WG 10.4 on Dependable Computing and Fault Tolerance - 2019 5
Components associated with physical control of the vehicle
Components associated with safety
Components associated with entertainment and convenience
Image credit: Mercedes-Benz Museum (as cited in Computer
History Museum, 2011)Slide from Intel ADG
Functionality vs. Complexity
Over the air updates
https://arstechnica.com/cars/2017/07/gm-to-offer-ota-software-updates-before-2020-but-only-for-a-new-infotainment-platform/
Safety Certification?
We need: 1. fault and intrusion tolerance for safety critical / real-time systems2. safety and security for the entire lifetime of the car
(avg. 11.6 year on US roads [IHS Markit Report ‘18])3. automatic resilience
Threat Vectors on autonomous and cooperativevehicle ecosystems
Marcus Völp - Towards sustainable safety and security in autonomous vehicles - 75th IFIP WG 10.4 on Dependable Computing and Fault Tolerance - 2019 6
I2I
V2V
Internet
I2I
ECUV2I
I2I
I2I
1
5
1
2 3
48
7
6
T.A.
RSU System Provider
Threat Vectors:1. Attacks on global V2I/I2I
communication infrastructure2. Attacks on local V2V
communication infrastructure3. Attacks on in-vehicle
communication infrastructure4. Attacks on vehicle computing
nodes' software5. Attacks on road-side
units'software6. Attacks on sensors and
control-sensitive data7. Attacks on authentication
mechanisms8. Physical-level attacks
[Lima et al. “Towards Safe and Secure Autonomous and Cooperative Vehicle Ecosystems”, CPS-SPC 2016]
Outline
Motivation
What we all know: FIT / Resilience
Full compromise of swarm individuals is intolerable
Intra Vehicular Systems
Towards Sustainable Safety and Security Surviving perception / maneuver planning unavailabilities Lifecycle for safeguarding safety and security
ConclusionsMarcus Völp - Towards sustainable safety and security in autonomous vehicles - 75th IFIP WG 10.4 on Dependable Computing and Fault Tolerance - 2019 7
Fault and Intrusion Tolerance
Marcus Völp - Towards sustainable safety and security in autonomous vehicles - 75th IFIP WG 10.4 on Dependable Computing and Fault Tolerance - 2019 8
NodeIncomingTraffic
Client
Fault and Intrusion Tolerance
Marcus Völp - Towards sustainable safety and security in autonomous vehicles - 75th IFIP WG 10.4 on Dependable Computing and Fault Tolerance - 2019 9
NodeIncomingTraffic
Node
Node
Consensus(in fault-threshold exceeding quorum)
Clientf+1
Fault and Intrusion Tolerance
Marcus Völp - Towards sustainable safety and security in autonomous vehicles - 75th IFIP WG 10.4 on Dependable Computing and Fault Tolerance - 2019 10
NodeIncomingTraffic
Node
Node
Consensus(in fault-threshold exceeding quorum)
Clientf+1
Fault and Intrusion Tolerance
Marcus Völp - Towards sustainable safety and security in autonomous vehicles - 75th IFIP WG 10.4 on Dependable Computing and Fault Tolerance - 2019 11
NodeIncomingTraffic
Intrusion Prevention
Node
Node
Consensus(in fault-threshold exceeding quorum)
Clientf+1
Fault and Intrusion Tolerance
Marcus Völp - Towards sustainable safety and security in autonomous vehicles - 75th IFIP WG 10.4 on Dependable Computing and Fault Tolerance - 2019 12
NodeIncomingTraffic
Intrusion Prevention
Node
Node
Consensus(in fault-threshold exceeding quorum)
Clientf+1
P. Sousa et al. – Exhaustion Failure
Fault and Intrusion Tolerance
Marcus Völp - Towards sustainable safety and security in autonomous vehicles - 75th IFIP WG 10.4 on Dependable Computing and Fault Tolerance - 2019 13
NodeIncomingTraffic
Intrusion Prevention
Node
Node
Consensus(in fault-threshold exceeding quorum)
Clientf+1
P. Sousa et al. – Exhaustion Failure
Fault and Intrusion Tolerance
Marcus Völp - Towards sustainable safety and security in autonomous vehicles - 75th IFIP WG 10.4 on Dependable Computing and Fault Tolerance - 2019 14
NodeIncomingTraffic
Intrusion Prevention
Node
Node
Consensus(in fault-threshold exceeding quorum)
Clientf+1
P. Sousa et al. – Exhaustion Failure
Full compromise of swarm individuals is intolerable
Platoon of Cars
Marcus Völp - Towards sustainable safety and security in autonomous vehicles - 75th IFIP WG 10.4 on Dependable Computing and Fault Tolerance - 2019 15
distance keeping
driving
Platoon votes on common operation (e.g., maneuver to follow)
leader
Full compromise of swarm individuals is intolerable
Platoon of Cars
Marcus Völp - Towards sustainable safety and security in autonomous vehicles - 75th IFIP WG 10.4 on Dependable Computing and Fault Tolerance - 2019 16
distance keeping
driving
Platoon votes on common operation (e.g., maneuver to follow)
leader
Full compromise of swarm individuals is intolerable
Marcus Völp - Towards sustainable safety and security in autonomous vehicles - 75th IFIP WG 10.4 on Dependable Computing and Fault Tolerance - 2019 17
Towards Sustainable Safety and Security
Safeguard safety through trusted trustworthy components
Marcus Völp - Towards sustainable safety and security in autonomous vehicles - 75th IFIP WG 10.4 on Dependable Computing and Fault Tolerance - 2019 18
distance keeping
driving
Platoon votes on common operation (e.g., maneuver to follow)
leader
A
Towards Sustainable Safety and Security
Known Strategies for TCB Reduction
Marcus Völp - Towards sustainable safety and security in autonomous vehicles - 75th IFIP WG 10.4 on Dependable Computing and Fault Tolerance - 2019 19
B
C
B
C
D
e.g., C. Weinhold: JVPFS(also Inktag, SGX)
D
qed.
B1
C
DD
B2B3
split applications: trusted / untrusted reuse untrusted replication (trust majority; not individual)
Towards Sustainable Safety and Security
Reusing potentially unavailable maneuver planning
Marcus Völp - Towards sustainable safety and security in autonomous vehicles - 75th IFIP WG 10.4 on Dependable Computing and Fault Tolerance - 2019 20
fail save (A)
point of no return
A
Towards Sustainable Safety and Security
Reusing potentially unavailable maneuver planning
Marcus Völp - Towards sustainable safety and security in autonomous vehicles - 75th IFIP WG 10.4 on Dependable Computing and Fault Tolerance - 2019 21
fail save (A)
point of no return
A
Towards Sustainable Safety and Security
Reusing potentially unavailable maneuver planning
Marcus Völp - Towards sustainable safety and security in autonomous vehicles - 75th IFIP WG 10.4 on Dependable Computing and Fault Tolerance - 2019 22
fail save (A)
point of no return
A B
fail save (B)
Towards Sustainable Safety and Security
Lifecycle for safeguarding safety and security
Marcus Völp - Towards sustainable safety and security in autonomous vehicles - 75th IFIP WG 10.4 on Dependable Computing and Fault Tolerance - 2019 23
timeend of lifeout of maintenanceout of productionin productiondesign
vulnerability
accidentalfault
fault
attack
maliciousfault
error failure
subsystem
Reactive andproactive recoveryand diversification
vulnerability removal(testing, verification,
…) fault diagnosis / removal
intrusion detection
S3-aware design
fault tolerance; error masking(e.g., through replication);
error detection andinitiation of recovery
replacement offaulty hardwarein new systems
patches / update of SW components
(active supply of div. pool)
criticalupdates
only
refill of diversification pool onlythrough on-board mechanisms
/ cross fleet fertilization
…secret cleaning
beforedecommissioning