Heterogeneous Cores Cyber-Exploit & Fault Tolerant Architecture (Hecocefta)

Abstract

Approved for Public Release

With the increasing prevalence of "drive by wire", electronic systems like advanced driver-assistance systems (ADAS) and electronic control units (ECUs) are taking over more and more critical roles in the functionality and safety of modern day vehicles. Unfortunately, as highlighted in many real life events (e.g. NHTSA recall 23v337 related to defects in a Footwell Control Module [1], or NHTSA recall 22v648 related to a climate control front blower [2]), this trend also means increased safety risk from any malfunction in these components. In response, ISO 26262 was proposed as a systematic approach for managing functional safety throughout the development lifecycle of automotive electrical and electronic systems. In particular, ISO 26262 defines the Automotive Safety Integrity Levels (ASIL) to combine the probability of exposure to hazard, the extent to which it is controllable by a driver, and the severity of failure to control such hazard. ASIL-D is the highest level of integrity defined under ISO 26262. In order to attain ASIL-D, a system needs to satisfy a system requirement of having fewer than 1% single point of failure.

A standard approach for achieving ASIL-D is to have redundant hardware components operating on the same inputs and flag any discrepancy in their output as an error condition. A popular implementation of this idea is the dual-core lockstep configuration (DCLS), as shown in Fig. 1. Unfortunately, since ISO 26262 (and thus ASIL) only focuses on random, unintentional faults, existing ASIL-D compliant systems are unlikely to provide any defense against the much more dire threat from cyberattacks. This is because in the face of a cyberattack, all the redundant components will be processing the same malicious input, and thus reaching the same compromised state, which will be passed as normal by any fault tolerance mechanism.
In order to extend ASIL-D compliant systems to achieve any safety guarantee against cyberattacks, we need an approach that is i) scalable in both the class of attacks and the size of software that can be covered, ii) cheap to deploy in both hardware and performance cost, and iii) provides high safety, security and compatibility guarantees. The scalability requirement precludes fault avoidance methods that use formal methods to identify and remove all security problems in software. The stringent performance requirement precludes many software based security monitoring solutions (which can have > 5% performance overhead). The third requirement precludes the use of many software based diversification techniques, which provide little security guarantee and tend to have compatibility issues with the other software components (e.g. library, OS) in the system.

Seeking a practical solution that satisfies the aforementioned requirements, this work proposes to extend existing fault tolerant design by introducing diversification at the hardware level; we call this the Heterogeneous Cores Cyber-Exploit & Fault Tolerant Architecture (Hecocefta) design. By extending existing fault tolerant systems, our approach allows us to bootstrap from the scalability, performance, safety guarantee and deployability of current solutions. By introducing diversity at the hardware level, we can avoid the compatibility problems of existing software-level diversification; the diversified systems will appear the same at the software level, and thus allow software components to work without modifications. However, the realization of this idea requires us to overcome the following open research challenges: i) the introduction of hardware level diversification means the redundant components will behave differently with or without cyberattacks; on the other hand, the fault tolerance mechanism will consider any such discrepancy as a sign of faults. How can we reconcile the conflicting need of security
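As an added illustration (not part of the award abstract and not the project's own design or code), the toy model below simulates the lockstep comparison the abstract describes: a random fault in one core is caught, the same malicious input fed to two identical cores is not, and giving the second core a different memory layout (a stand-in for hardware-level diversification, which this page does not detail) turns the shared input into a detectable discrepancy. It also shows the reconciliation problem the abstract raises: comparing raw memory images of diversified cores flags benign divergence, while comparing their software-visible output does not. The "core", its memory layout, the control program with its unchecked copy, the fault model and every input are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

BUF_LEN = 4      # words in the control program's input buffer (constructed)
MEM_WORDS = 12   # words of memory per toy core (constructed)


@dataclass
class Core:
    """A minimal 'core': a word memory plus a layout mapping variable names to
    addresses. Two cores running the same program with different layouts are
    the toy stand-in for hardware-level diversification: the software sees the
    same variables, the physical placement differs."""
    name: str
    layout: Dict[str, int]            # "buf" -> base address, "limit" -> address
    mem: List[int] = field(default_factory=lambda: [0] * MEM_WORDS)

    def reset(self, limit: int) -> None:
        self.mem = [0] * MEM_WORDS
        self.mem[self.layout["limit"]] = limit

    def run(self, inputs: List[int]) -> int:
        """The control program: copy the input into a 4-word buffer with no
        length check (the constructed bug), then return the sum clipped to
        'limit'. A fifth input word lands on whatever sits after the buffer."""
        base = self.layout["buf"]
        for i, v in enumerate(inputs):       # i may run past BUF_LEN - 1
            self.mem[base + i] = v & 0xFF
        total = sum(self.mem[base:base + BUF_LEN])
        return min(total, self.mem[self.layout["limit"]])


# Identical cores, as in a dual-core lockstep (DCLS) pair.
HOMOGENEOUS = (Core("A", {"buf": 0, "limit": 4}), Core("A'", {"buf": 0, "limit": 4}))
# Diversified pair: same program, different placement of 'buf' and 'limit'.
HETEROGENEOUS = (Core("A", {"buf": 0, "limit": 4}), Core("B", {"buf": 4, "limit": 0}))

Fault = Tuple[str, str, int]   # (which core: "a"/"b", variable name, bit to flip)


def lockstep(pair: Tuple[Core, Core], limit: int, inputs: List[int],
             fault: Optional[Fault] = None) -> Tuple[str, int, int]:
    """Run both cores on the same input and compare their outputs, the way a
    lockstep comparator does. 'fault' optionally flips one bit of one variable
    in one core before the run (the random-fault model ISO 26262 targets)."""
    a, b = pair
    for core in pair:
        core.reset(limit)
    if fault is not None:
        which, var, bit = fault
        victim = a if which == "a" else b
        victim.mem[victim.layout[var]] ^= (1 << bit)
    out_a, out_b = a.run(list(inputs)), b.run(list(inputs))
    verdict = "OK" if out_a == out_b else "MISMATCH"
    return verdict, out_a, out_b


def memory_images_equal(pair: Tuple[Core, Core]) -> bool:
    """A naive comparator that compares raw memory images after a run."""
    return pair[0].mem == pair[1].mem


if __name__ == "__main__":
    LIMIT = 100
    benign = [10, 20, 30, 40]              # constructed: in-bounds input
    malicious = [60, 60, 60, 60, 255]      # constructed: one word too long
    print("homogeneous, benign:        ", lockstep(HOMOGENEOUS, LIMIT, benign))
    print("homogeneous, random fault:  ", lockstep(HOMOGENEOUS, LIMIT, benign, ("b", "limit", 6)))
    print("homogeneous, malicious:     ", lockstep(HOMOGENEOUS, LIMIT, malicious))
    print("heterogeneous, malicious:   ", lockstep(HETEROGENEOUS, LIMIT, malicious))
    print("heterogeneous, benign:      ", lockstep(HETEROGENEOUS, LIMIT, benign))
    print("heterogeneous raw-state match after benign run:", memory_images_equal(HETEROGENEOUS))
```

In the homogeneous run the oversized input overwrites `limit` in both cores, both return 240 against an intended ceiling of 100, and the comparator reports OK: the compromised state is identical on both sides, exactly the blind spot the abstract describes. In the diversified pair the stray word lands on an unused location in core B, the outputs diverge (240 versus 100) and the mismatch is raised. The last line shows the other half of the problem: after a perfectly benign run the two diversified cores have different memory images, so a comparator working below the software-visible interface would flag a fault that is not there; the comparison has to happen at a level the diversification leaves unchanged.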

Document Details

Document Type
DoD Grant Award
Publication Date
Nov 09, 2024
Source ID
N000142412719

Entities

People

  • Sukarno Mertoguno

Organizations

  • Georgia Tech Research Corporation
  • Office of Naval Research
  • United States Navy

Tags

Fields of Study

  • Computer science

Readers

  • Aviation Safety Risk Assessment
  • Cybersecurity
  • Distributed Systems and Data Platform Development

Technology Areas

  • Cyber
  • Microelectronics
  • Microelectronics - Microelectromechanical Systems