HOTLINE: 0086-021 52710299
Partners Partners & Customers
News Delegates’Testimonials

AliOS Internet Car Operating System Security Thinking and Practice

日期: 2019-10-09
浏览次数: 2

The entire automotive industry is undergoing an unprecedented process of industrial upgrading, which is in fact very similar to the industrial upgrade process of smart terminals. The car has become more and more intelligent, and networked, intelligent, and shared has become a big trend in the technological evolution of major OEMs and suppliers.

 

At ”The 4th Annual China Automotive Cyber Security Summit” organized by GRCC, Mr. Wei Zhong, the Senior Security Expert from AliOS explained Internet Car Operating System Security Thinking and Practice

 AliOS Internet Car Operating System Security Thinking and Practice

AliOS Internet Car Operating System Security Thinking and Practice

In such a large background, the car itself is undergoing a very big change. From a hardware point of view, the structure of the car from the traditional electronic circuit to the current intelligent network has become more and more complicated. An Internet car will have hundreds of ECUs, more complex interior components and more external interfaces. These external interfaces include Bluetooth, WiFi, NFC and other process communication interfaces, as well as information passing through the T-BOX. Group and remote services to implement interconnected data services. In the software dimension, like the car machine, T-BOX, gateway and some other ECUs, the operating systems on them are different, and the whole presents a heterogeneous computing feature. At the same time, the more intelligent the software on the ECU is, the more complicated it is. In general, the function of the car is rapidly upgrading, and the complexity of the system is continuously improving. Complexity and security are contradictory in terms of security. The complexity of the system has also brought about a continuous improvement in the risk of information security.

 

In the context of such a large industry, the safety of vehicles has become more and more concerned by the entire industry, and more manufacturers have invested in safety experiments. At present, the problem-driven approach is mainly used to promote the improvement of the vehicle's information security protection capabilities. Then Mr. Zhong showed us some cases related to the safety practice of the car. An important aspect of the security industry is the acquisition of commercial benefits through technical attacks. For example: by brushing the low-cost opening function that only has a high-end model. Change the number of car kilometers and so on by brushing the ECU. As the car's capabilities change (such as sharing), such attacks will quickly evolve as core interests migrate.

 

First, Mr. Zong demonstrated the common vulnerability discovery and utilization process and the distribution of network attack attacks。

AliOS Internet Car Operating System Security Thinking and Practice

AliOS Internet Car Operating System Security Thinking and Practice

Internet car safety capability elements: In terms of comprehensive coverage: 1. Intelligence and vehicle network are inseparable. 2. The intelligent nodes of the car, TBOX, APP and TSP need to be covered separately. 3. From the design and development to the production and operation, the whole process needs to be covered. In terms of defense fundamentals: 1. The scale of the 100-level code completely eliminates the engineering unreachability of the vulnerability. 2. The difference in mitigation mechanism determines the strength of the system's protection. 3, defense capabilities need to face the device characteristics

Targeted deployment. In terms of perceived criticality: 1. Does the ability to deploy achieve the expected results on actual vehicles? 2. Which users' vehicles may be insecure and need to be repaired as soon as possible? 3. Perceived threats are the basis of safe operation and maintenance.

AliOS Internet Car Operating System Security Thinking and Practice

Then Mr. Zhong gave us an explanation of the operating system and support service security requirements and operating system and support service vulnerability detection. Operating system and support service security requirements: 1. Technical requirements for defense capabilities: integrity protection capability requirements, system and user data protection capability requirements, application sandbox and access control capability requirements, vulnerability mitigation mechanism capability requirements, intrusion detection and Proactive defense technical requirements, timeliness for bug fixes. 2. In terms of security operation capability requirements: security log format, security event rating, threat perception visualization capability requirements, risk disposal capability technical requirements, vehicle application security detection requirements, and vehicle application market security protection requirements. 3. Interface and communication security requirements: key algorithm and strength requirements, key storage security requirements, key access environment security requirements, key and data transmission security requirements, key generation and distribution security requirements, PKI system coverage Claim. 4. In the system cloud service security requirements: infrastructure isolation technical requirements, host security protection capability requirements, application security protection capability requirements, DDOS security protection capability requirements, host security access capability requirements, and abnormal detection capability requirements.

 AliOS Internet Car Operating System Security Thinking and Practice


Operating system and support service vulnerability detection: 1, in the system based vulnerability detection: system firmware and configuration tampering vulnerability detection, firmware update vulnerability detection, debugable vulnerability detection, key leak vulnerability detection, privilege runaway vulnerability detection, known inventory vulnerability Detection. 2, in the interface and communication vulnerability detection: interface access authentication class vulnerability detection, key hard coding vulnerability detection, link hijacking vulnerability detection, communication credential leak vulnerability detection, communication link transmission vulnerability detection, replay attack detection. 3, in the application environment vulnerability detection: sensitive data leakage detection, sensitive log leakage detection, functional and service unauthorized vulnerability detection, core algorithm and logical leakage detection, file download replacement vulnerability detection, logical vulnerability detection. 4. In the system cloud service vulnerability detection: identity and access control vulnerability detection, border security vulnerability detection, XSS detection, file related vulnerability detection, Web injection vulnerability detection, service information leakage vulnerability detection.AliOS Internet Car Operating System Security Thinking and Practice

Finally, Mr.Zhong introduced us to Ali's AliOS network car security defense system and intelligent network car security capabilities: 1, in the system software reinforcement: control loopholes through the system's original defense and mitigation mechanisms can affect the scope. 2, in the end-to-end security protection: IVI, T-Box, Gateway, App secure and trusted interconnection. 3. In the TSP security protection: prevent the TSP from being broken and cause the whole vehicle to be controlled. 4. In the supply chain security protection: Automated detection of vulnerabilities and malicious code from different vendors, channels, and application markets. 5. In the sense of threat: real-time perception of vehicle risk in the whole network. 6, on the OTA: quickly fix security vulnerabilities, reduce the attack time window. 7 On continuous safe penetration: continuous penetration with the goal of remote non-contact vehicle control.

 

AliOS Internet Car Operating System Security Thinking and Practice 


Copyright ©2010 - 2016 

GENESIS RESOURCING CONSULTING CHINA

犀牛云提供企业云服务