X-Git-Url: https://gerrit.automotivelinux.org/gerrit/gitweb?a=blobdiff_plain;ds=sidebyside;f=docs%2F03_Architecture_Guides%2F02_Security_Blueprint%2F09_Update_%28Over_The_Air%29.md;fp=docs%2F03_Architecture_Guides%2F02_Security_Blueprint%2F09_Update_%28Over_The_Air%29.md;h=0476b7ad182581e607be73e9441772cdd6f815d2;hb=120a2677992ea299eea5fb5cb0ed1081f76bb92c;hp=0000000000000000000000000000000000000000;hpb=33727f4e9619f9da65fdfc608a10a92887c7257c;p=AGL%2Fdocumentation.git diff --git a/docs/03_Architecture_Guides/02_Security_Blueprint/09_Update_(Over_The_Air).md b/docs/03_Architecture_Guides/02_Security_Blueprint/09_Update_(Over_The_Air).md new file mode 100644 index 0000000..0476b7a --- /dev/null +++ b/docs/03_Architecture_Guides/02_Security_Blueprint/09_Update_(Over_The_Air).md @@ -0,0 +1,154 @@ +--- +title: Update (Over The Air) +--- + +Updating applications and firmware is essential for the development of new +features and even more to fix security bugs. However, if a malicious third party +manages to alter the content during transport, it could alter the functioning of +the system and/or applications. The security of the updates is therefore a +critical point to evaluate in order to guarantee the integrity, the +confidentiality and the legitimacy of the transmitted data. + +## Attack Vectors + +Updates Over The Air (OTA) are one of the most common points where an attacker will +penetrate. An OTA update mechanism is one of the highest threats in the system. +If an attacker is able to install his own application or firmware on the system, +he can get the same level of access that the original application or firmware +had. From that point, the intruder can get unfettered access to the rest of the +system, which might include making modifications, downloading other pieces of +software, and stealing assets. + +### Man In The Middle (MITM) + +The man-in-the-middle attack is the most classic example of an attack, where an +adversary inserts himself between two communicating entities and grabs whatever +is being communicated. In the case of OTA attacks, the connection in the network +may be intercepted: + +* On the internet, before the cloud back-end. +* At the base station, 3G,4G,5G connection to the internet. +* At the receiving antenna, connection to the car. +* Between the receiving antenna and the gateway router (if present), connection + within the car. +* Between the gateway router and the target component (IVI, In-Vehicle + Infotainment unit). + +There are many ways to mount a MITM attack. For example, proxy tools like Burp +Proxy can be used to intercept web traffic as a man-in-the-middle. Under the +guise of being a testing tool, the proxy server is often used in attack +scenarios. It runs on a variety of platforms. + +As another example, false base station attacks are known to be fairly easy to +set-up. The problem is apparently fairly prevalent in countries like China and +in the UK. These fake base stations are sometimes just eavesdropping on the +communication, but others have the potential to do serious harm. + +Defenses against MITM attacks include encrypted and signed data pipes. +Furthermore, architects and developers are also recommended to encrypt and sign +the payloads that are being passed over these pipes, to defend against perusal +of the data. + +### Man At The End (MATE) + +The man-at-the-end attack is when an intruder analyzes the end-point of the +communication when software is accessing the data communication. This is a more +severe attack type where the attacker can: + +* Steal keys. + * For example, a simple debugging session in running software could reveal a + key used in memory. +* Tamper software. + * For example, replacing just one function call in software with a NOP (i.e. + no operation) can drastically change the behavior of the program. +* Jam branches of control. + * For example, making a program take one branch of control rather than the + intended branch can mean the difference between an authorized and a + non-authorized installation. +* Modify important data. + * For example, if the data changed is a key or data leading to a control path, + then this attack can be severe. + * In the case of OTA updates, MATE attacks are particularly problematic for + the system. One of the consequences of MATE attacks can be installed + software that allows installation of any other software. For example, an + attacker might install remote access software to control any part of the + system. + +-------------------------------------------------------------------------------- + +## Acronyms and Abbreviations + +The following table lists the terms utilized within this part of the document. + +Acronyms or Abbreviations | Description +------------------------- | ------------------------------------------------------------------------- +_FOTA_ | **F**irmware **O**ver **T**he **A**ir +_MATE_ | **M**an **A**t **T**he **E**nd +_MITM_ | **M**an **I**n **T**he **M**iddle +_OTA_ | **O**ver **T**he **A**ir +_SOTA_ | **S**oftware **O**ver **T**he **A**ir +_TUF_ | **T**he **U**pdate **F**ramework + +# Firmware Over The Air + +The firmware update is critical since its alteration back to compromise the +entire system. It is therefore necessary to take appropriate protective +measures. + +AGL includes the _meta-updater_ Yocto layer that enables OTA software updates +via [Uptane](https://uptane.github.io), an automotive-specific extension to [The +Update Framework](https://theupdateframework.github.io/). Uptane and TUF are +open standards that define a secure protocol for delivering and verifying +updates even when the servers and network--internet and car-internal--aren't +fully trusted. + +_meta-updater_ includes the application +[`aktualizr`](https://github.com/advancedtelematic/aktualizr), developed +Advanced Telematic Systems (now part of HERE Technologies) that enables OTA for +an ECU. `aktualizr` combined with Uptane is suitable for updating the firmware, +software, and other packages on even functionally critical ECUs. `aktualizr` can +be enabled with the free, open souce backend +[`ota-community-edition`](https://github.com/advancedtelematic/ota-community-edition). + +This FOTA update mechanism can be enabled through the `agl-sota` feature. + +## Building + +To build an AGL image that uses `aktualizr`, the following can be used. + +``` +source meta-agl/scripts/aglsetup.sh -m agl-sota +``` + +During the build, _meta-updater_ will use credentials downloaded from +`ota-community-edition` to sign metadata verifying the build as authentic. These +signatures are part of the Uptane framework and are used to verify FOTA updates. + +## Atomic Upgrades with Rollbacks + +`aktualizr`'s primary method of updating firmware is to use `libostree` with +binary diffs. The binary diffs use the least amout of bandwidth, and by it's +nature `libostree` stores current and previous firmware versions on disk or in +flash memory to allow for rollbacks. + +`libostree` is a content addressable object store much like `git`. Versions are +specified via SHA2-256. These hashes are signed in the Uptane metadata and are +robust against cryptographic compromise. + +# Software Over The Air + +Software updates in connected vehicles are a very useful feature, which can +deliver significant benefits. If not implemented with security in mind, software +updates can incur serious vulnerabilities. Any software update system must +ensure that not only are the software updates to devices done in a secure way, +but also that the repositories and servers hosting these updates are adequately +protected. As the process of updating software migrates from a Dealership update +model towards an **OTA** update model, securing these processes becomes a high +priority. + +**SOTA** is made possible by **AppFw** (See Platform part). It will be possible +to manage in a simple way the packets (i.g. Android like). + +Domain | Improvement +------------- | ----------------- +Update-SOTA-1 | Part to complete.