Mastering the Future: The Power of Connected Cars
Chris Barlow from Lynx Software Technologies explains a practical approach to making self-driving cars safe and secure.
In the automotive world, keeping costs low is crucial, which makes it hard to integrate advanced tech like lidar, computer vision, and machine learning into self-driving cars at an affordable price. These complex systems require a move from using microcontrollers to pricier multicore microprocessors and graphics processors. To cut costs, it’s best to combine what were once separate systems into fewer, consolidated devices known as vehicle domain controllers.
These domain controllers must preserve the safety features of the separate systems while boosting security. You can’t just lump all functions into one big software environment because it would expose all software to wireless attacks and mess up the timing of safety-critical parts. A smarter solution is using a hypervisor to run multiple virtual machines on one processor. This way, you save on costs and weight, and you gain the ability to strictly control communications between different sub-systems.
The ideal hypervisor would let software originally designed for microcontrollers run on their own virtual machines alongside more complex operating systems. It should be lightweight to avoid affecting the timing of safety-critical operations while ensuring the virtual machines don’t interfere with each other.
Security and Safety
Security and functional safety in cars are closely related but need different design methods. ISO 26262 is a way to analyze and score functional safety hazards based on severity, controllability, and exposure. You can mitigate expected failures and prove that your strategies address these specific hazards.
With cybersecurity, it’s a bit different. We know current risks, but new vulnerabilities pop up constantly. Machines connected to wireless networks should be considered untrusted. Autonomous cars need to handle wireless signals from other vehicles and even from street infrastructure.
A malicious wireless signal might say the traffic lights are green when they’re actually red. To protect the system, the safety-critical software must be isolated from untrusted environments, and communication between the two must be tightly controlled so that functional safety cases can be designed around detecting well-formed but unauthorized signals.
Locking Down
Traditional car systems use separate boxes communicating via serial connections, usually on the CAN bus. CAN uses a bus topology in which every broadcast message is visible to every node, and each node decides for itself whether a message is relevant to it.
This setup has a major vulnerability, as shown by the 2015 Jeep hack by Charlie Miller and Chris Valasek. Anyone can read or send messages on a CAN bus, and it’s tough for receiving nodes to verify the source of a message. A more secure system would give each node private connections to those it needs to talk to, but this increases the weight and complexity of the wiring, making it impractical.
With a hypervisor, you can implement any topology between virtual nodes with minimal impact on the car’s Bill of Materials (BoM). You can establish private channels through shared memory regions and enforce read-write, read-only, or write-only permissions, enhancing security without significantly adding to the car’s weight or complexity.
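To make the contrast concrete, here is an added Python model (not code from the article or from Lynx Software Technologies) of the two topologies: a broadcast bus where receivers filter by ID only and never learn who sent a frame, beside a hypervisor channel where the shared region's read/write permissions fix who may talk to the brake controller. The VM, node and channel names are assumptions.

```python
# Constructed model of the two topologies in the text; not LynxSecure or
# any real hypervisor API. VM and channel names here are assumptions.
class CanBus:
    """Broadcast bus: every node sees every frame and filters by ID only."""
    def __init__(self):
        self.nodes = {}       # node name -> set of accepted arbitration IDs
        self.delivered = []   # (receiver, can_id, data)
    def attach(self, name, accepted_ids):
        self.nodes[name] = set(accepted_ids)
    def send(self, sender, can_id, data):
        # A CAN frame carries no sender field, so receivers cannot check it.
        for name, ids in self.nodes.items():
            if name != sender and can_id in ids:
                self.delivered.append((name, can_id, data))

class Hypervisor:
    """Shared-memory channels with per-VM read/write permissions."""
    def __init__(self):
        self.channels = {}    # channel -> {vm: "r" | "w" | "rw"}
        self.memory = {}      # channel -> last bytes written
    def create_channel(self, name, perms):
        self.channels[name] = dict(perms)
    def write(self, vm, channel, data):
        if "w" not in self.channels[channel].get(vm, ""):
            raise PermissionError(f"{vm} may not write {channel}")
        self.memory[channel] = data
    def read(self, vm, channel):
        if "r" not in self.channels[channel].get(vm, ""):
            raise PermissionError(f"{vm} may not read {channel}")
        return self.memory.get(channel)

def demo_can():
    # A frame with the brake ECU's ID is accepted whoever put it on the bus.
    bus = CanBus()
    bus.attach("brake_ecu", {0x100})
    bus.attach("infotainment", {0x300})
    bus.send("infotainment", 0x100, b"\x01")   # constructed frame
    return [name for name, _, _ in bus.delivered]

def demo_hypervisor():
    # Only the VM granted "w" on the channel can reach the brake VM.
    hv = Hypervisor()
    hv.create_channel("brake_cmd", {"adas_vm": "w", "brake_vm": "r"})
    hv.write("adas_vm", "brake_cmd", b"\x01")
    try:
        hv.write("infotainment_vm", "brake_cmd", b"\x02")
    except PermissionError:
        pass
    return hv.read("brake_vm", "brake_cmd")
```

The bus model delivers the spoofed-ID frame to the brake ECU because nothing on the wire identifies the sender, while the hypervisor model rejects the same write from the infotainment VM and the brake VM still reads only what the ADAS VM wrote.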