Increasingly complex automotive systems pose serious development and security challenges. Today’s vehicle system engineers are faced with millions of lines of code – many times more than the average passenger aircraft. At the same time, a growing number of features and functions are being placed on a single electronic control unit (ECU). The resulting complexity of consolidation and mix of critical and non-critical functions makes for a demanding environment.
It’s an environment that Green Hills Software has been navigating for the past 30 years. Software created with the Green Hills Platforms for Automotive is found in millions of vehicles on the road today, and the company claims to be the largest independent vendor for embedded software solutions. During its three decades, the core objectives have remained relatively steady – cut manufacturing and development costs, speed up time-to-market, maximise product reliability and optimise product lifetime in the market. However, the specifics of its approach have been refined and reshaped by emerging trends.
One of the biggest trends in the current automotive industry is the consolidation of functionality from multiple ECUs to fewer, more powerful ECUs. “Pursuing hardware-based separation is often a non-starter for new automotive designs because manufacturers want fewer central processing units (CPUs) in the car, not more,” explained Joe Fabbre, Director of Platform Solutions at Green Hills Software. “The Integrity Real Time Operating System (RTOS) forms the foundation for providing provable software-based separation.”
Integrity is the flagship of Green Hills Software’s operating systems. Designed around a partitioning architecture, it promises reliable, secure and real-time performance for embedded systems. “It has been evaluated against the most rigorous safety and security standards in the world,” added Fabbre. He describes it as “the key enabling component” for any project looking to build a safe and secure software architecture based on the idea of separation. “We can build security with an ‘inside out’ approach because we have a proven, stable foundation, as opposed to a soft underbelly,” he noted.
The ‘soft underbelly’ in this case refers to vulnerable operating systems, which can undermine an otherwise multi-layered defence strategy. “Most people involved in creating a security architecture will leverage multiple layers of security to build defence in depth. More often than not, security architects think about building defence in depth from the outside, working in,” Fabbre explained. For example, a system designer may deploy a firewall to limit network access as an outer layer of defence, and then add an intrusion detection system in case an attacker gets past that first layer.
“Adding more layers makes it more difficult for a hacker to penetrate the system, and allows more time for detection and recovery in the event of a system compromise,” he pointed out. One of the big factors driving this approach is the enormous, complex software stack that runs in these systems. Notably, it frequently runs on operating systems such as Android, Linux or Windows that were simply not designed for high levels of security. “Vulnerable operating systems are the soft underbelly of this multi-layered defence in depth strategy. They get hacked all the time, and once an attacker gains access, it is usually fairly easy to perform a privilege escalation and completely take control of the system,” cautioned Fabbre. “Therefore, security architects build layer after layer to protect this vulnerable foundation.”
An inside-out approach
Green Hills Software applies a fresh approach to building security architectures for automotive systems. “We build them from the inside out. We start by identifying the security critical and safety critical components that are present in the system. We build those components with great care and scrutiny. We keep them small and simple so that they can be evaluated to make sure they perform reliably and do not have any vulnerabilities,” Fabbre outlined.
The code for those components is reviewed by experts and exhaustively tested. Importantly, critical components are kept separated from the larger, more complex pieces of code in the system. This can be achieved through either hardware-based or software-based separation of those components.
Several other industry trends are playing directly into the Green Hills corporate strategy, including the rapid rise in connected cars and advanced driver assistance systems (ADAS). This will only increase with the move towards eventual autonomy. BI Intelligence expects 381 million connected cars on the road by 2020 – just two years away. Gartner puts it at 250 million. The exact predictions vary, but the trend is clear. Vulnerabilities in the secure communication between cars and the Internet, other cars and infrastructure pose real risks.
“We’ve seen many high-profile exploits of automotive systems in the last several years,” noted Fabbre. While it was Charlie Miller and Chris Valasek’s white hat Jeep Cherokee hack that made headlines nearly three years ago, plenty more have followed. Even the Tesla Model S is not immune, as Chinese hacking firm Keen Security Lab demonstrated in September 2016.
“The combination of all of these trends is making cyber security a top priority for OEMs,” Fabbre pointed out. Green Hills offers products to address cyber security concerns with the added bonus of its expertise in building safety and security architectures. Its Integrity Security Services (ISS) is a wholly-owned subsidiary focused on providing embedded security products and services for the protection of smart devices from cyber security attacks.
Not only do software developers need to ensure their technology is automotive grade, but they also need to fit into the automotive clockspeed. That means the systems developed today must work seamlessly with the vehicles that roll off the production line six or seven years down the line. Predicting the challenges that far ahead is difficult at best, but Green Hills has a few tricks up its sleeve.
“One of the benefits of the separation architecture is that OEMs can use it to future proof system designs,” Fabbre told Megatrends. “The software that provides the user experience needs to be agile. It should be able to be updated to keep a modern look and feel, leverage the latest mapping technology, and so on. In contrast, the software that interacts with critical components in the car should be very stable and should not change much, if at all, over time.”
The company leverages its separation architecture in combination with virtualisation to consolidate those two worlds on the same ECU. Additionally, the ISS subsidiary provides firmware over-the-air update systems as well as key and certificate management.
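The two ideas above, keeping critical components small and isolated (the inside-out approach) and consolidating an agile user-experience partition with stable critical partitions on one ECU, both rest on the same mechanism: every partition is isolated by default, and communication between partitions happens only over channels granted explicitly at configuration time. The following is an added illustrative model of that policy written for this article; it is not Green Hills Integrity code and does not reproduce its API. The partition names (`infotainment`, `ota_agent`, `can_gateway`, `brake_ctrl`), the channel grants and the payload limits are constructed for the example.

```python
# Added illustrative model (not Green Hills Integrity code or its API): a tiny
# "separation kernel" policy in which partitions are isolated by default and may
# only exchange messages over explicitly granted channels. All names and limits
# below are constructed for this example.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Partition:
    name: str
    critical: bool  # safety/security-critical components are kept small and isolated


@dataclass
class SeparationKernel:
    partitions: dict = field(default_factory=dict)  # name -> Partition
    channels: dict = field(default_factory=dict)    # (src, dst) -> max payload bytes
    audit: list = field(default_factory=list)       # every allow/deny decision

    def add_partition(self, name: str, critical: bool) -> None:
        self.partitions[name] = Partition(name, critical)

    def allow_channel(self, src: str, dst: str, max_len: int) -> None:
        # Grants are static and only between partitions that exist.
        if src not in self.partitions or dst not in self.partitions:
            raise KeyError(f"unknown partition in channel {src}->{dst}")
        self.channels[(src, dst)] = max_len

    def send(self, src: str, dst: str, payload: bytes) -> bool:
        """Mediate one inter-partition message. Default deny: anything not
        covered by an explicit channel grant is refused and recorded."""
        limit = self.channels.get((src, dst))
        if limit is None:
            self.audit.append(("deny", src, dst, "no channel"))
            return False
        if len(payload) > limit:
            self.audit.append(("deny", src, dst, "payload too large"))
            return False
        self.audit.append(("allow", src, dst, len(payload)))
        return True

    def senders_reaching(self, dst: str) -> set:
        """Partitions that can talk directly to `dst`. For a critical partition
        this set is its exposed attack surface inside the ECU and should be tiny."""
        return {s for (s, d) in self.channels if d == dst}


def build_consolidated_ecu() -> SeparationKernel:
    """Constructed layout: a large, frequently updated infotainment guest shares
    the ECU with small critical components, but reaches them only via a gateway."""
    k = SeparationKernel()
    k.add_partition("infotainment", critical=False)  # large Linux/Android guest, agile
    k.add_partition("ota_agent", critical=True)      # verifies and stages updates
    k.add_partition("can_gateway", critical=True)    # validates requests before the bus
    k.add_partition("brake_ctrl", critical=True)     # stable, rarely changed
    # Infotainment may only send short, well-defined requests to the gateway.
    k.allow_channel("infotainment", "can_gateway", max_len=8)
    # Only the gateway may reach the brake controller.
    k.allow_channel("can_gateway", "brake_ctrl", max_len=8)
    # The OTA agent hands verified images to infotainment; nothing flows back.
    k.allow_channel("ota_agent", "infotainment", max_len=1 << 20)
    return k


if __name__ == "__main__":
    k = build_consolidated_ecu()
    # A compromised infotainment partition cannot reach brake_ctrl directly.
    print(k.send("infotainment", "brake_ctrl", b"\x01"))       # False
    print(k.send("infotainment", "can_gateway", b"\x00" * 8))   # True
    print(k.send("infotainment", "can_gateway", b"\x00" * 64))  # False
    print(sorted(k.senders_reaching("brake_ctrl")))             # ['can_gateway']
    for entry in k.audit:
        print(entry)
```

The point of `senders_reaching` is the review question a separation architecture lets you ask: which partitions can touch this critical component at all? In the constructed layout the answer for `brake_ctrl` is a single small gateway, so that gateway and the brake controller are the code that needs expert review and exhaustive testing, while the infotainment image can be updated as often as the user experience requires without enlarging that surface.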
“Automotive software now has a life beyond just a one-time deployment,” he emphasised. “As software lives on after start of production, OEMs need an end-to-end solution for secure distribution of new features and security updates. The combination of our device lifecycle management systems with our cryptography, operating systems, and virtualisation technology provides all of the foundational components to build future-proof, secure automotive systems.”
This article appeared in the Q1 2018 issue of Automotive Megatrends Magazine.