- Conference paper: Performing a More Realistic Safety Analysis by Means of the Six-Variable Model (Automotive - Safety & Security 2017 - Sicherheit und Zuverlässigkeit für automobile Informationstechnik, 2017). Ulfat-Bunyadi, Nelufar; Hatebur, Denis; Heisel, Maritta; Dencker, Peter; Klenk, Herbert; Keller, Hubert B.; Plödererder, Erhard. Abstract: Safety analysis typically consists of hazard analysis and risk assessment (HARA) as well as fault tree analysis (FTA). During the first, possible hazardous events are identified. During the latter, failure events that can lead to a hazardous event are identified. Usually, the focus of FTA is on identifying failure events within the system. However, a hazardous event may also occur due to invalid assumptions about the system’s environment. If the possibility that environmental assumptions turn invalid is considered during safety analysis, a more realistic and complete safety analysis is performed than without considering them. Yet, a major challenge consists in first eliciting the ‘real’ environmental assumptions. Developers do not always document assumptions, and often they are not aware of the assumptions they make. In previous work, we defined the Six-Variable Model, which provides support in making the ‘real’ environmental assumptions explicit. In this paper, we define a safety analysis method based on the Six-Variable Model. The benefit of our method is that we make the environmental assumptions explicit and consider them in safety analysis. In this way, assumptions that are too strong and too risky can be identified and weakened or abandoned if necessary.
- Conference paper: Ontologiebasierte Abhängigkeitsanalyse im Projektlastenheft (Ontology-Based Dependency Analysis in the Project Requirements Specification) (Automotive - Safety & Security 2017 - Sicherheit und Zuverlässigkeit für automobile Informationstechnik, 2017). Zichler, Konstantin; Helke, Steffen; Dencker, Peter; Klenk, Herbert; Keller, Hubert B.; Plödererder, Erhard. Abstract: At the beginning of a project, interdisciplinary domain experts document the requirements for all life-cycle phases of a commercial vehicle, together with the corresponding realisation concepts, in the project requirements specification (Projektlastenheft). Knowing the dependencies between requirements offers the advantage of avoiding faulty product concepts already in the early project phase. When performing dependency analyses, the difficulty for the experts of the individual departments lies in inferring cross-domain dependencies between requirements from the documented individual contributions. Until now, these analyses have usually been carried out manually, since there is hardly any tool support for them. We present a novel method in which the domain-specific knowledge required for dependency analysis is aggregated into a shared knowledge base in the form of an ontology. Together with axioms, a reasoner and tools from natural language processing, an automated dependency analysis of the project requirements specification is realised, which makes it possible to identify previously unconsidered dependencies between requirements.
- Conference paper: Extending a Compiler Backend for Complete Memory Error Detection (Automotive - Safety & Security 2017 - Sicherheit und Zuverlässigkeit für automobile Informationstechnik, 2017). Rink, Norman; Castrillon, Jeronimo; Dencker, Peter; Klenk, Herbert; Keller, Hubert B.; Plödererder, Erhard. Abstract: Technological advances drive hardware to ever smaller feature sizes, causing devices to become more vulnerable to faults. Applications can be protected against errors resulting from faults by adding error detection and recovery measures in software. This is popularly achieved by applying automatic program transformations. However, transformations applied to intermediate program representations are fundamentally incapable of protecting against vulnerabilities that are introduced during compilation. In particular, the compiler backend may introduce additional memory accesses. This report presents an extended compiler backend that protects these accesses against faults in the memory system. It is demonstrated that this enables the detection of all single bit flips in memory. On a subset of SPEC CINT2006 the runtime overhead caused by the extended backend amounts to 1.50x for the 32-bit processor architecture i386, and 1.13x for the 64-bit architecture x86_64.
- Conference paper: A Testing Framework Architecture for Automotive Intrusion Detection Systems (Automotive - Safety & Security 2017 - Sicherheit und Zuverlässigkeit für automobile Informationstechnik, 2017). Corbett, Christopher; Basic, Tobias; Lukaseder, Thomas; Kargl, Frank; Dencker, Peter; Klenk, Herbert; Keller, Hubert B.; Plödererder, Erhard. Abstract: Vehicles are the target of a rising number of hacking attacks. The integration of in-vehicle intrusion detection systems is a common approach to increase the overall system security. However, testing and evaluating these systems is difficult due to the lack of tools to generate realistic benign and malicious workloads as well as sharing these workloads with other researchers. Currently, testing tools are predominantly intended for Network Intrusion Detection Systems (NIDS) in company or industrial networks, where their usefulness became apparent. Yet, in the automotive domain, development of testing tools is still in the early stages. Existing non-commercial automotive tools only focus on one specific bus technology each. However, in-vehicle communication exceeds bus technology boundaries and a testing tool must cover multiple technologies. We propose a framework architecture concept for in-vehicle NIDS testing and evaluation to enable the creation of realistic network traffic and attacks in consideration of automotive-specific challenges. Our concept provides the opportunity to share data without additional anonymization effort, therefore improving cooperation and reproducibility of testing results.
- Conference paper: Exploring and Understanding Multicore Interference from Observable Factors (Automotive - Safety & Security 2017 - Sicherheit und Zuverlässigkeit für automobile Informationstechnik, 2017). Lesage, Benjamin; Griffin, David; Bate, Iain; Soboczenski, Frank; Dencker, Peter; Klenk, Herbert; Keller, Hubert B.; Plödererder, Erhard. Abstract: Multi-core processors bring a wide variety of challenges to the development, maintenance and certification of safety-critical systems. One of the key challenges is to understand how tasks sharing the processing resource affect one another, and to build an understanding of existing or new platforms. Industry reports that interference can lead to large variations in execution times, which can lead to a wide variety of problems including timing overruns. To support performance improvements, debugging and timing analysis, a framework is presented in this paper for reliably establishing the interference patterns of tasks using simple contenders. These contenders systematically manipulate the shared resources so the effect on interferences can be understood and analysed. The approach relies on guided exploration of the interference space and existing performance monitoring infrastructure. It has been implemented on a Tricore AURIX platform to analyse the behaviour of multiple real and kernel applications.
- Edited book: Automotive - Safety & Security 2017 - Sicherheit und Zuverlässigkeit für automobile Informationstechnik (2017). Dencker, Peter; Klenk, Herbert; Keller, Hubert B.; Plödererder, Erhard.
- Conference paper: Hacking Trucks - Cybersecurity Risks and Effective Cybersecurity Protection for Heavy Duty Vehicles (Automotive - Safety & Security 2017 - Sicherheit und Zuverlässigkeit für automobile Informationstechnik, 2017). Wolf, Marko; Lambert, Robert; Dencker, Peter; Klenk, Herbert; Keller, Hubert B.; Plödererder, Erhard. Abstract: Similar to passenger cars, heavy-duty vehicles, such as commercial trucks and buses, are becoming increasingly software-driven, interconnected and semi-automated, and hence are also becoming increasingly susceptible to cybersecurity attacks. This article will identify and evaluate these cybersecurity threats and risks affecting the monetary business operation, reliability, and safety of heavy-duty vehicles, comparing them with similar cybersecurity risks for typical passenger vehicles. Based on this overall cybersecurity threat and risk analysis, the article will then present and explain our holistic and multi-layer protection approach to reduce such cybersecurity risks for heavy-duty vehicles.
- Conference paper: Risk-Oriented Security Engineering (Automotive - Safety & Security 2017 - Sicherheit und Zuverlässigkeit für automobile Informationstechnik, 2017). Ebert, Christof; Dencker, Peter; Klenk, Herbert; Keller, Hubert B.; Plödererder, Erhard. Abstract: Virtually every connected system will be attacked sooner or later. A 100% secure solution is not feasible. Therefore, advanced risk assessment and mitigation is the order of the day. Risk-oriented security engineering for automotive systems helps in both designing robust systems and mitigating effectively upon attacks or exploits of vulnerabilities. Security must be integrated early in the design phase of a vehicle to understand the threats and risks to car functions. The security analysis provides requirements and test vectors, and adequate measures can be derived for balanced costs and efforts. The results are useful in the partitioning phase, when functionality is distributed to ECUs and networks. We will show with concrete examples how risk-oriented cyber security can be successfully achieved in automotive systems. Three levers for automotive security are addressed: (1) Product, i.e., designing for security for components and the system, (2) Process, i.e., implementing cyber security concepts in the development process and (3) Field, i.e., ensuring security concepts are applied during service activities and effective during regular operations.
- Journal article: Adapting Organic Computing Architectures to an Automotive Environment to Increase Safety & Security (Automotive - Safety & Security 2017 - Sicherheit und Zuverlässigkeit für automobile Informationstechnik, 2017). Lamshöft, Kevin; Altschaffel, Robert; Dittmann, Jana; Dencker, Peter; Klenk, Herbert; Keller, Hubert B.; Plödererder, Erhard. Abstract: Modern cars are very complex systems operating in a diverse environment. Today they incorporate an internal network connecting an array of actuators and sensors to ECUs (Electronic Control Units), which implement basic functions and advanced driver assistance systems. By opening these networks to outside communication channels (like Car-to-X communication), new possibilities but also new attack vectors arise. Recent work has shown that it is possible for an attacker to infiltrate the ECU network inside a vehicle using these external communication channels. Any attack on the security of a vehicle implies an impact on the safety of road traffic. This paper discusses the possibilities of using architectures suggested by Organic Computing to reduce these arising security risks and therefore improve safety. A proposed architecture is implemented in a demonstrator and evaluated using different attack scenarios.
- Conference paper: Using STPA in Compliance with ISO 26262 for Developing a Safe Architecture for Fully Automated Vehicles (Automotive - Safety & Security 2017 - Sicherheit und Zuverlässigkeit für automobile Informationstechnik, 2017). Abdulkhaleq, Asim; Wagner, Stefan; Lammering, Daniel; Boehmert, Hagen; Blueher, Pierre; Dencker, Peter; Klenk, Herbert; Keller, Hubert B.; Plödererder, Erhard. Abstract: Safety has become of paramount importance in the development lifecycle of modern automobile systems. However, the current automotive safety standard ISO 26262 does not clearly specify the methods for safety analysis. Different methods are recommended for this purpose. FTA (Fault Tree Analysis) and FMEA (Failure Mode and Effects Analysis) are used in the most recent ISO 26262 applications to identify component failures, errors and faults that lead to specific hazards (in the presence of faults). However, these methods are based on reliability theory, and they are not adequate to address new hazards caused by dysfunctional component interactions, software failure or human error. A holistic approach called STPA (Systems-Theoretic Process Analysis) was developed, which addresses more types of hazards and treats safety as a dynamic control problem rather than an individual component failure. STPA also addresses types of hazardous causes in the absence of failure. Accordingly, there is a need for investigating hazard analysis techniques like STPA. In this paper, we present a concept on how to use STPA to extend the safety scope of ISO 26262 and support the Hazard Analysis and Risk Assessment (HARA) process. We applied the proposed concept to a current project of a fully automated vehicle at Continental. As a result, we identified 24 system-level accidents, 176 hazards, 27 unsafe control actions, and 129 unsafe scenarios. We conclude that STPA is an effective and efficient approach to derive detailed safety constraints. STPA can support the functional safety engineers to evaluate the architectural design of fully automated vehicles and build the functional safety concept.