University of LuxembourgSnT - CritiX

Towards sustainable safety and security in autonomous vehicles

Marcus Völp

marcus.voelp@uni.lu

Autonomous driving – the next complexity milestone

Marcus Völp - Towards sustainable safety and security in autonomous vehicles - 75th IFIP WG 10.4 on Dependable Computing and Fault Tolerance - 2019 2

Source: http://paleofuture.com/blog/2010/12/9/driverless-car-of-the-future-1957.html

Level 4 autonomy => Level 5

Source: Wiki SelKet (CC-BY-SA-3.0)

Brain areas involved in human visual perception

Recognition not only of regular traffic

Ethics

Source: Autobild

Acceptance and Reputation

Implicit Communication

1957

Complexity of autonomous driving:

• Level 3: 300 MLOC (human supervision)

• Level 5: 1 BLOC+ ?

Autonomous driving – the next complexity milestone

Current Cars:

• ~ 100 MLOC (30 MLOC multimedia)

• ~ 100 ECUs

Marcus Völp - Towards sustainable safety and security in autonomous vehicles - 75th IFIP WG 10.4 on Dependable Computing and Fault Tolerance - 2019 3

Components associated with physical control of the vehicle

Components associated with safety

Components associated with entertainment and convenience

Image credit: Mercedes-Benz Museum (as cited in Computer

History Museum, 2011)Slide from Intel ADG

Functionality vs. Complexity

Complexity of autonomous driving:

• Level 3: 300 MLOC (human supervision)

• Level 5: 1 BLOC+ ?

Autonomous driving – the next complexity milestone

Current Cars:

• ~ 100 MLOC (30 MLOC multimedia)

• ~ 100 ECUs with 25 – 200 microprocessors

Marcus Völp - Towards sustainable safety and security in autonomous vehicles - 75th IFIP WG 10.4 on Dependable Computing and Fault Tolerance - 2019 4

Components associated with physical control of the vehicle

Components associated with safety

Components associated with entertainment and convenience

Image credit: Mercedes-Benz Museum (as cited in Computer

History Museum, 2011)Slide from Intel ADG

Functionality vs. Complexity

Over the air updates

https://arstechnica.com/cars/2017/07/gm-to-offer-ota-software-updates-before-2020-but-only-for-a-new-infotainment-platform/

Safety Certification?

Complexity of autonomous driving:

• Level 3: 300 MLOC (human supervision)

• Level 5: 1 BLOC+ ?

Autonomous driving – the next complexity milestone

Current Cars:

• ~ 100 MLOC (30 MLOC multimedia)

• ~ 100 ECUs with 25 – 200 microprocessors

Marcus Völp - Towards sustainable safety and security in autonomous vehicles - 75th IFIP WG 10.4 on Dependable Computing and Fault Tolerance - 2019 5

Components associated with physical control of the vehicle

Components associated with safety

Components associated with entertainment and convenience

Image credit: Mercedes-Benz Museum (as cited in Computer

History Museum, 2011)Slide from Intel ADG

Functionality vs. Complexity

Over the air updates

https://arstechnica.com/cars/2017/07/gm-to-offer-ota-software-updates-before-2020-but-only-for-a-new-infotainment-platform/

Safety Certification?

We need: 1. fault and intrusion tolerance for safety critical / real-time systems2. safety and security for the entire lifetime of the car

(avg. 11.6 year on US roads [IHS Markit Report ‘18])3. automatic resilience

Threat Vectors on autonomous and cooperativevehicle ecosystems

Marcus Völp - Towards sustainable safety and security in autonomous vehicles - 75th IFIP WG 10.4 on Dependable Computing and Fault Tolerance - 2019 6

I2I

V2V

Internet

I2I

ECUV2I

I2I

I2I

1

5

1

2 3

48

7

6

T.A.

RSU System Provider

Threat Vectors:1. Attacks on global V2I/I2I

communication infrastructure2. Attacks on local V2V

communication infrastructure3. Attacks on in-vehicle

communication infrastructure4. Attacks on vehicle computing

nodes' software5. Attacks on road-side

units'software6. Attacks on sensors and

control-sensitive data7. Attacks on authentication

mechanisms8. Physical-level attacks

[Lima et al. “Towards Safe and Secure Autonomous and Cooperative Vehicle Ecosystems”, CPS-SPC 2016]

Outline

Motivation

What we all know: FIT / Resilience

Full compromise of swarm individuals is intolerable

Intra Vehicular Systems

Towards Sustainable Safety and Security Surviving perception / maneuver planning unavailabilities Lifecycle for safeguarding safety and security

ConclusionsMarcus Völp - Towards sustainable safety and security in autonomous vehicles - 75th IFIP WG 10.4 on Dependable Computing and Fault Tolerance - 2019 7

Fault and Intrusion Tolerance

Marcus Völp - Towards sustainable safety and security in autonomous vehicles - 75th IFIP WG 10.4 on Dependable Computing and Fault Tolerance - 2019 8

NodeIncomingTraffic

Client

Fault and Intrusion Tolerance

Marcus Völp - Towards sustainable safety and security in autonomous vehicles - 75th IFIP WG 10.4 on Dependable Computing and Fault Tolerance - 2019 9

NodeIncomingTraffic

Node

Node

Consensus(in fault-threshold exceeding quorum)

Clientf+1

Fault and Intrusion Tolerance

Marcus Völp - Towards sustainable safety and security in autonomous vehicles - 75th IFIP WG 10.4 on Dependable Computing and Fault Tolerance - 2019 10

NodeIncomingTraffic

Node

Node

Consensus(in fault-threshold exceeding quorum)

Clientf+1

Fault and Intrusion Tolerance

Marcus Völp - Towards sustainable safety and security in autonomous vehicles - 75th IFIP WG 10.4 on Dependable Computing and Fault Tolerance - 2019 11

NodeIncomingTraffic

Intrusion Prevention

Node

Node

Consensus(in fault-threshold exceeding quorum)

Clientf+1

Fault and Intrusion Tolerance

Marcus Völp - Towards sustainable safety and security in autonomous vehicles - 75th IFIP WG 10.4 on Dependable Computing and Fault Tolerance - 2019 12

NodeIncomingTraffic

Intrusion Prevention

Node

Node

Consensus(in fault-threshold exceeding quorum)

Clientf+1

P. Sousa et al. – Exhaustion Failure

Fault and Intrusion Tolerance

Marcus Völp - Towards sustainable safety and security in autonomous vehicles - 75th IFIP WG 10.4 on Dependable Computing and Fault Tolerance - 2019 13

NodeIncomingTraffic

Intrusion Prevention

Node

Node

Consensus(in fault-threshold exceeding quorum)

Clientf+1

P. Sousa et al. – Exhaustion Failure

Fault and Intrusion Tolerance

Marcus Völp - Towards sustainable safety and security in autonomous vehicles - 75th IFIP WG 10.4 on Dependable Computing and Fault Tolerance - 2019 14

NodeIncomingTraffic

Intrusion Prevention

Node

Node

Consensus(in fault-threshold exceeding quorum)

Clientf+1

P. Sousa et al. – Exhaustion Failure

Full compromise of swarm individuals is intolerable

Platoon of Cars

Marcus Völp - Towards sustainable safety and security in autonomous vehicles - 75th IFIP WG 10.4 on Dependable Computing and Fault Tolerance - 2019 15

distance keeping

driving

Platoon votes on common operation (e.g., maneuver to follow)

leader

Full compromise of swarm individuals is intolerable

Platoon of Cars

Marcus Völp - Towards sustainable safety and security in autonomous vehicles - 75th IFIP WG 10.4 on Dependable Computing and Fault Tolerance - 2019 16

distance keeping

driving

Platoon votes on common operation (e.g., maneuver to follow)

leader

Full compromise of swarm individuals is intolerable

Marcus Völp - Towards sustainable safety and security in autonomous vehicles - 75th IFIP WG 10.4 on Dependable Computing and Fault Tolerance - 2019 17

Towards Sustainable Safety and Security

Safeguard safety through trusted trustworthy components

Marcus Völp - Towards sustainable safety and security in autonomous vehicles - 75th IFIP WG 10.4 on Dependable Computing and Fault Tolerance - 2019 18

distance keeping

driving

Platoon votes on common operation (e.g., maneuver to follow)

leader

A

Towards Sustainable Safety and Security

Known Strategies for TCB Reduction

Marcus Völp - Towards sustainable safety and security in autonomous vehicles - 75th IFIP WG 10.4 on Dependable Computing and Fault Tolerance - 2019 19

B

C

B

C

D

e.g., C. Weinhold: JVPFS(also Inktag, SGX)

D

qed.

B1

C

DD

B2B3

split applications: trusted / untrusted reuse untrusted replication (trust majority; not individual)

Towards Sustainable Safety and Security

Reusing potentially unavailable maneuver planning

Marcus Völp - Towards sustainable safety and security in autonomous vehicles - 75th IFIP WG 10.4 on Dependable Computing and Fault Tolerance - 2019 20

fail save (A)

point of no return

A

Towards Sustainable Safety and Security

Reusing potentially unavailable maneuver planning

Marcus Völp - Towards sustainable safety and security in autonomous vehicles - 75th IFIP WG 10.4 on Dependable Computing and Fault Tolerance - 2019 21

fail save (A)

point of no return

A

Towards Sustainable Safety and Security

Reusing potentially unavailable maneuver planning

Marcus Völp - Towards sustainable safety and security in autonomous vehicles - 75th IFIP WG 10.4 on Dependable Computing and Fault Tolerance - 2019 22

fail save (A)

point of no return

A B

fail save (B)

Towards Sustainable Safety and Security

Lifecycle for safeguarding safety and security

Marcus Völp - Towards sustainable safety and security in autonomous vehicles - 75th IFIP WG 10.4 on Dependable Computing and Fault Tolerance - 2019 23

timeend of lifeout of maintenanceout of productionin productiondesign

vulnerability

accidentalfault

fault

attack

maliciousfault

error failure

subsystem

Reactive andproactive recoveryand diversification

vulnerability removal(testing, verification,

…) fault diagnosis / removal

intrusion detection

S3-aware design

fault tolerance; error masking(e.g., through replication);

error detection andinitiation of recovery

replacement offaulty hardwarein new systems

patches / update of SW components

(active supply of div. pool)

criticalupdates

only

refill of diversification pool onlythrough on-board mechanisms

/ cross fleet fertilization

…secret cleaning

beforedecommissioning

This Talk in one Slide

Marcus Völp - Towards sustainable safety and security in autonomous vehicles - 75th IFIP WG 10.4 on Dependable Computing and Fault Tolerance - 2019 24

We are hiring bright PhD students and postdocs!