Firmware Security Module
Control units – but safe! More Cybersecurity in the car: In cooperation with the University of Lübeck, IAV has developed a software framework that compensates for performance bottlenecks in security-related functionality. The so-called Firmware Security Module (FSM) can be used wherever critical infrastructures need to be protected.
FSM has more power!
In order to protect control units, IAV has now developed a framework based on the HSM – the Firmware Security Module (FSM). It protects control units in a similar way, but its cryptographic algorithms can be updated by software update, and it is flexible and scalable. This makes the FSM exciting for all companies, from the automotive industry to wind power, that want cyber security for their critical infrastructures.
How safe are control units?
It all started with security vulnerabilities like “Spectre” and “Meltdown” found in processors of computers and mobile phones in 2018. At the time, the team of Philipp Jungklass, Technical Consultant at IAV, wondered whether there were any corresponding weaknesses in control units for automotive applications. They teamed up with Thomas Eisenbarth, professor of IT security and specialist in security hardware analysis, from the University of Lübeck. The aim was to conduct a security analysis for a hardware platform.
Use of Micro-Controllers
For the analysis, they used a micro-controller that has six normal processor cores and a seventh, the HSM. They made an interesting discovery: “We found that some security mechanisms of the HSM are also used for other functions in the processor,” explains Jungklass. While the HSM is rather weakly dimensioned in terms of computing power and therefore requires hardware accelerators, the processor cores have significantly more memory capacity and computing power. “The idea arose to secure one of the six processor cores with HSM-equivalent security,” the expert said. The Firmware Security Module (FSM) was born.
From idea to prototype
For this purpose, they first defined the requirements for an HSM, which should also apply to the FSM. Examples include verification of the system and updates, management of cryptographic material, and clear identifiability of the control units. “The basic functions that an HSM is supposed to offer can be summarized in three areas: Secure boot & update, cryptographic services and auxiliary functions,” explains Philipp Jungklass. These core functions were carried over into the design of the FSM, so that it fulfils the tasks assigned to each area.
“Secure Boot & Update”
For example, “Secure Boot & Update” verifies software, while the cryptographic services (Cryptographic Manager) include all symmetric and asymmetric cryptographic functions. In the auxiliary functions, for example, security-related incidents are logged for subsequent analysis. In addition, two-stage security gives the key material extra protection. This means that even the FSM operating system does not have access to it – which provides additional security.
Prototype with great potential
One of the six processor cores provides security-relevant functionality for the other five processor cores, which can make requests to the FSM. These requests are handled by the Bridge Module, which connects the FSM operating system and the host system. Requests are validated there and placed in a kind of queue, the request queue, according to their evaluation. The operating system’s Activity Manager then processes the requests and assigns them to the respective subsystem.
IAV expert Jungklass on the concept
“We implemented this concept on a control unit platform, made measurements and tested it,” said Jungklass. The expert emphasizes another advantage of the FSM: “There is only one HSM in the micro-controller, but with the FSM there is the possibility of using further processor cores. So the system is scalable.” This makes the prototype a framework with a lot of potential.