Catalogue data as of 15 November 2024
ISBN 978-3-8439-4044-3, Informatik series
Pierre Schnarz Security Patterns for AMP-based Embedded Systems
261 pages, dissertation, Technische Universität Clausthal (2018), softcover, A4
The consolidation of diverse functionalities onto a single platform is an ongoing and still emerging trend in the development of automotive electronic control units. Increasingly, these software-intensive functions have different requirements concerning their system quality. In the future, such so-called mixed-criticality systems will emerge and consolidate even more functions towards large computational platforms. With the advent of hardware virtualization features in automotive-grade microcontrollers, software partitioning at the hardware level has become possible. In particular, asynchronous multiprocessing (AMP) is suitable for hosting several domains "bare-metal" by utilising these hardware virtualization capabilities. The AMP paradigm statically assigns a group of hardware elements to a single software partition; this composition is referred to as an asynchronous domain. AMP is considered very efficient in terms of performance, while the effort of realising hypervisors is kept to a minimum. This work elaborates security patterns that take into account the specific construction paradigm of AMP-based systems. The patterns comprise security problems and solutions describing the offensive and defensive aspects of the given context. A tailored security assessment methodology combines methods and tools to analyse, quantify and evaluate the particular artefacts. The vulnerability assessment conducted in this work revealed an attack surface for denial of service against shared last-level caches (LLC), and for elevation-of-privilege and tampering threats through misuse of co-processors. The exploitability of these threats is demonstrated by penetration tests. As a strategy to solve these issues, a reordering of the system memory map is proposed. A domain-block based mapping is shown to partition the LLC, thereby limiting the interference of adjacent domains.
Furthermore, memory-map shuffling is proposed to limit the exploitability of elevation-of-privilege threats by obfuscating the target memory structure. The findings on the security problems are transferred into rules for detecting the issues in system architecture models. In addition, it is proposed to implement primary and secondary security countermeasures on each system layer. For systems utilizing hardware protection capabilities in particular, this leads to an extensive defence-in-depth security architecture. The concepts thus contribute to the deterrence and prevention of adverse actions against physical memory.
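To make the LLC interference argument from the abstract concrete, here is an added example (not code from the thesis or its author) that simulates which cache sets two AMP domains can reach under a plain adjacent memory map versus a domain-block mapping that hands each domain its own range of page colours. It assumes a physically indexed 1 MiB, 16-way, 64-byte-line LLC, 4 KiB pages, a colour-aligned RAM base of 0x80000000, and that the domain-block mapping works on the page-colouring principle; all of these parameters, and every function name, are assumptions for illustration, and the thesis's own scheme may differ in detail.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed LLC geometry (constructed for the example, not taken from the thesis):
 * 1 MiB, 16-way set-associative, 64-byte lines, physically indexed, no index hashing. */
#define LINE_BYTES  64u
#define LLC_WAYS    16u
#define LLC_BYTES   (1u << 20)
#define LLC_SETS    (LLC_BYTES / (LLC_WAYS * LINE_BYTES))      /* 1024 sets  */
#define PAGE_BYTES  4096u
#define COLOURS     (LLC_SETS * LINE_BYTES / PAGE_BYTES)       /* 16 colours */
#define MASK_WORDS  (LLC_SETS / 64)
#define RAM_BASE    0x80000000ull   /* assumed domain RAM base, a multiple of COLOURS*PAGE_BYTES */

/* One bit per LLC set that a domain's memory can occupy. */
typedef struct { uint64_t w[MASK_WORDS]; } setmask_t;

/* Physically indexed cache: the set is selected by the address bits above the line offset. */
static unsigned set_index(uint64_t paddr) { return (unsigned)((paddr / LINE_BYTES) % LLC_SETS); }

/* The set-index bits that lie above the page offset are the page's "colour". */
static unsigned page_colour(uint64_t paddr) { return (unsigned)((paddr / PAGE_BYTES) % COLOURS); }

static void mark_region(setmask_t *m, uint64_t base, uint64_t len)
{
    for (uint64_t a = base; a < base + len; a += LINE_BYTES) {
        unsigned s = set_index(a);
        m->w[s / 64] |= 1ull << (s % 64);
    }
}

unsigned covered_sets(const setmask_t *m)
{
    unsigned n = 0;
    for (unsigned i = 0; i < MASK_WORDS; i++) n += (unsigned)__builtin_popcountll(m->w[i]);
    return n;
}

/* Sets reachable by both domains: only through these can one domain evict the other's lines. */
unsigned shared_sets(const setmask_t *a, const setmask_t *b)
{
    unsigned n = 0;
    for (unsigned i = 0; i < MASK_WORDS; i++) n += (unsigned)__builtin_popcountll(a->w[i] & b->w[i]);
    return n;
}

/* Adjacent mapping: each domain simply gets the next contiguous block of `pages` pages. */
void adjacent_mapping(setmask_t *m, unsigned domain, unsigned pages)
{
    memset(m, 0, sizeof *m);
    mark_region(m, RAM_BASE + (uint64_t)domain * pages * PAGE_BYTES, (uint64_t)pages * PAGE_BYTES);
}

/* Domain-block mapping: domain d owns colours [d*k, (d+1)*k) with k = COLOURS / ndomains and is
 * handed only pages of those colours (here the first `pages` such pages above RAM_BASE). */
void domain_block_mapping(setmask_t *m, unsigned domain, unsigned ndomains, unsigned pages)
{
    unsigned k = COLOURS / ndomains, got = 0;
    memset(m, 0, sizeof *m);
    for (uint64_t pg = 0; got < pages; pg++) {
        uint64_t pa = RAM_BASE + pg * PAGE_BYTES;
        if (page_colour(pa) / k == domain) { mark_region(m, pa, PAGE_BYTES); got++; }
    }
}

/* Worked comparison: two domains of 16 pages (64 KiB) each under either mapping. */
unsigned shared_sets_adjacent(void)
{
    setmask_t a, b;
    adjacent_mapping(&a, 0, 16);
    adjacent_mapping(&b, 1, 16);
    return shared_sets(&a, &b);
}

unsigned shared_sets_domain_block(void)
{
    setmask_t a, b;
    domain_block_mapping(&a, 0, 2, 16);
    domain_block_mapping(&b, 1, 2, 16);
    return shared_sets(&a, &b);
}

unsigned covered_sets_domain_block(unsigned domain)
{
    setmask_t m;
    domain_block_mapping(&m, domain, 2, 16);
    return covered_sets(&m);
}

int main(void)
{
    printf("LLC sets=%u colours=%u\n", LLC_SETS, COLOURS);
    printf("adjacent mapping:     %u sets shared between the two domains\n", shared_sets_adjacent());
    printf("domain-block mapping: %u sets shared between the two domains\n", shared_sets_domain_block());
    return 0;
}
```

Under the adjacent map each 64 KiB domain touches all 1024 sets, so a hostile domain can evict every line its neighbour holds in the LLC, which is the denial-of-service surface the abstract describes. Under the domain-block map the two domains' sets are disjoint (512 each, none shared), so eviction across the domain boundary is no longer possible. The price is that each domain can only use the share of the LLC its colours cover, and the whole scheme rests on the cache being physically indexed without hashing of the index bits; on a controller that hashes the set index, colour boundaries in the physical map no longer correspond to set boundaries.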