OEM&Lieferant Issue 2/2021

Using TLS and IPSec, the established protocols within the world of IT, it is possible to set up secure channels for communication within the vehicle and with external entities that are impervious to manipulation or eavesdropping.

AUTOSAR Adaptive manages access to system resources such as persistent memory, communication channels, and cryptographic keys. The AUTOSAR Identity & Access Management module provides a gatekeeper that allows only explicitly authorized applications to access the respective resource. Access rights can be configured as required and updated at any time.

Secure update and trusted platform

The secure update function in AUTOSAR Adaptive helps to fix detected vulnerabilities, for instance those reported by an intrusion detection system (IDS). It receives and processes security updates for individual applications or even for the entire platform. The individual Update Blobs are signed by the back end, so that only updates from a trusted source are executed.

In addition to updates, ECU and VC applications must also be verified at regular intervals. This calls for either secure boot or the trusted platform function in AUTOSAR Adaptive, which, as a trust anchor, verifies all applications as well as the platform itself. By maintaining the trust chain from boot to platform to application, only trusted software is executed.

RTA-VRTE: platform software framework for AUTOSAR Adaptive

For future users of AUTOSAR Adaptive, it is crucial to become familiar with the new architecture today. The Vehicle Runtime Environment (RTA-VRTE) platform software framework is the ideal basis for integrating and implementing security functions as well as for all other AUTOSAR Adaptive-compliant processes. RTA-VRTE contains all the important middleware elements for microprocessor-based vehicle computers. The platform software framework enables the function of virtual ECUs to be simulated on conventional desktop PCs and networked via Ethernet.
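Returning to the secure update and trusted platform functions described above, the following is an added example (not code from the article, AUTOSAR, or RTA-VRTE) that shows the two checks in working form: an Update Blob is accepted only if its manifest is authenticated by the back end and the payload matches the digest the manifest commits to, and a boot-to-platform-to-application chain is measured stage by stage against a signed manifest, stopping at the first mismatch. The blob layout, manifest fields and sample images are constructed here, and HMAC-SHA256 with a shared key stands in for the back end's asymmetric signature so the example runs on the standard library alone.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the back end's signing key. A real deployment uses an
# asymmetric signature (only the back end holds the private key); HMAC is used
# here only so the example runs on the standard library alone.
BACKEND_KEY = b"constructed-demo-key"

def sign_manifest(manifest: dict, key: bytes = BACKEND_KEY) -> bytes:
    # Canonical JSON so signer and verifier authenticate identical bytes.
    data = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).digest()

def signature_valid(manifest: dict, sig: bytes, key: bytes = BACKEND_KEY) -> bool:
    return hmac.compare_digest(sign_manifest(manifest, key), sig)

def verify_update_blob(blob: dict, key: bytes = BACKEND_KEY) -> tuple:
    """Accept an Update Blob only if its manifest carries a valid back-end
    signature and the payload matches the digest the manifest commits to."""
    manifest, payload = blob["manifest"], blob["payload"]
    if not signature_valid(manifest, blob["signature"], key):
        return False, "manifest signature invalid: not from the trusted back end"
    if hashlib.sha256(payload).hexdigest() != manifest["payload_sha256"]:
        return False, "payload digest mismatch: blob altered after signing"
    return True, f"update for {manifest['target']} v{manifest['version']} accepted"

def verify_trust_chain(stages: list, manifest: dict, sig: bytes,
                       key: bytes = BACKEND_KEY) -> list:
    """Boot -> platform -> application: each stage's image is measured and
    compared with the signed manifest before it may run; the chain stops at
    the first mismatch, so nothing after an untrusted stage is executed."""
    if not signature_valid(manifest, sig, key):
        return []                      # untrusted manifest: run nothing
    trusted = []
    for name, image in stages:
        if hashlib.sha256(image).hexdigest() != manifest["digests"].get(name):
            break
        trusted.append(name)
    return trusted

# Constructed sample data: one application Update Blob and a three-stage chain.
APP_IMAGE = b"adaptive-app-v2"
UPDATE_MANIFEST = {"target": "app", "version": 2,
                   "payload_sha256": hashlib.sha256(APP_IMAGE).hexdigest()}
UPDATE_BLOB = {"manifest": UPDATE_MANIFEST, "payload": APP_IMAGE,
               "signature": sign_manifest(UPDATE_MANIFEST)}
STAGES = [("bootloader", b"boot-v1"), ("platform", b"platform-v1"), ("app", APP_IMAGE)]
CHAIN_MANIFEST = {"digests": {n: hashlib.sha256(i).hexdigest() for n, i in STAGES}}
CHAIN_SIG = sign_manifest(CHAIN_MANIFEST)
```

A payload swapped after signing fails the digest check, a manifest edited after signing fails the signature check, and a modified platform image stops the chain so the application stage is never reached.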
RTA-VRTE creates a virtual machine consisting of four layers of basic software architecture, with the fifth layer then containing the vehicle-specific platform services (Fig. 3).

Figure 2: Central security components in AUTOSAR Adaptive.
Security components in AUTOSAR Adaptive:
– Crypto stack for managing key material and access to crypto primitives
– Secure communication via the established protocols TLS and IPSec
– Access protection for sensitive resources (e.g., keys) through the Identity and Access Management module
– Secure updates for everything from individual applications to the complete platform
– Authentic software thanks to continuing the secure-boot trust chain as part of the "trusted platform"

Figure 3: The RTA-VRTE five-level model supports the important software functions and requirements for VCs.
[Diagram: application services on top; Level 5 vehicle-specific platform services; Level 4 ECU-specific platform services; Level 3 (service-oriented) communication middleware; Level 2 OS-specific infrastructure software; Level 1 hardware-specific infrastructure software; hardware (microcontroller, microprocessor, hardware acceleration) at the bottom. Labelled components include the OS, security driver, boot loader, hypervisor, security services, gateway/firewall, execution manager, E2E security, E2E safety, vehicle and ECU update clients, and communication stacks (CAN, LIN, FLX, ETH).]

Levels 1 and 2 contain the infrastructure software for the hardware used (e.g., device drivers) and a POSIX-compliant operating system.
Level 2 also provides platform-specific elements that derive from the AUTOSAR Adaptive specifications, first and foremost execution management. This manages the dynamically assigned applications, ensures that they are started and stopped correctly, and monitors adherence to the assigned resource and execution limits. Execution management is thus a key function in IT security, providing the trusted platform and verifying the integrity and authenticity of Adaptive applications. In this way, possible manipulation or damage is detected in advance.

In addition, the level 3 communication middleware ensures that the dynamic, flexible Adaptive applications and the other software applications can be integrated into the system. As a core component in RTA-VRTE, communication management controls and regulates the interaction between the levels and guarantees the smooth operation of the encapsulated software, including the ECU- and vehicle-dependent platform services on levels 4 and 5. In securing end-to-end communication between services offered by authenticated applications, this function is also highly relevant to cybersecurity.

RTA-VRTE communication management, together with the ECU-specific services on level 4, provides application developers with a versatile framework for automotive applications. To provide security, this level also features an update and configuration manager (UCM), which supports authenticated updates of individual applications and coordinates them across the entire platform. On level 5 of RTA-VRTE, the AUTOSAR++
