Other application security
RUN-TIME TUNING PROTECTION (RTP)
Run-time Tuning Protection (RTP) is a very important feature in a vehicle’s controller security system. Unlike Secure Boot, which performs integrity verification only once at system boot, RTP periodically verifies the integrity of firmware during runtime to ensure the ongoing security of a running system. This function prevents the controller’s firmware from being changed without permission during operation, ensuring the safety and reliability of vehicle systems.
How RTP works
1. Initialization and continuous verification:
- When the system boots, the HSM’s Secure Boot feature is activated and initially verifies the integrity of the boot area. After booting, RTP is activated and runs as a background task of the HSM, sequentially verifying the host’s firmware blocks.
2. Tamper detection and logging:
- When RTP detects an unauthorized change to a host firmware block that is in operation, it records a log entry in Secure Storage. The log is written only on the first detection of tampering; further detections before the next system reset are not stored again.
3. Secure log access:
- The host can request the logs stored in Secure Storage through the secure interface provided by the HSM. This prevents unauthorized access through external interfaces and allows review of security events that occurred during system operation.
Importance of RTP
- Continuous security monitoring:
- RTP continuously checks the integrity of the firmware even during vehicle operation, allowing it to detect and respond to potential security threats in real time. This significantly improves the safety of vehicle systems.
- Firmware Protection:
- RTP effectively detects and blocks unauthorized changes or manipulation of firmware, safely protecting the controller’s functions and data.
Implementation considerations
- Disable RTP:
- To prevent RTP from malfunctioning while the host firmware is being reprogrammed, RTP must be temporarily disabled. This is essential whenever the host firmware area is erased or updated.
- Security Infrastructure:
- A strong security infrastructure is required for RTP to work effectively. The HSM plays the key role here, providing secure key management and data encryption.
RTP is an essential feature for maintaining the security of vehicle control systems, and vehicle manufacturers must implement and manage it effectively. This increases the overall security level of the vehicle and ensures user trust.
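The verification loop, the once-only tamper log, the secure log read-out and the reprogramming window described under "How RTP works" and "Implementation considerations" above, as an added C simulation (this is not code from the original article or from any HSM vendor). Everything is modelled in RAM: the firmware image and its block layout are constructed, 32-bit FNV-1a stands in for the HSM's real digest, `rtp_init` plays the role of Secure Boot followed by a system reset that clears the log, and all function names are the example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RTP_BLOCKS   4     /* constructed: host firmware modelled as 4 blocks */
#define RTP_BLOCK_SZ 16    /* constructed block size in bytes */

/* Model of the host firmware image in flash (constructed data). */
static uint8_t host_fw[RTP_BLOCKS][RTP_BLOCK_SZ];

/* Reference digests kept by the HSM; assumption: taken from the image Secure Boot trusted. */
static uint32_t rtp_ref[RTP_BLOCKS];

/* Secure Storage model: one tamper log entry plus a latch so it is written only once. */
struct rtp_log { bool written; int block; uint32_t expected; uint32_t actual; };
static struct rtp_log secure_log;

static bool rtp_enabled;
static int  rtp_cursor;   /* next block the background task will verify */

/* Stand-in for the HSM's hash function: 32-bit FNV-1a (not a secure digest). */
static uint32_t digest(const uint8_t *p, size_t n)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

/* Load a constructed firmware image into the flash model. */
void rtp_load_image(uint8_t fill) { memset(host_fw, fill, sizeof host_fw); }

/* Simulate an unauthorized modification (or a flash fault) in one byte of a block. */
void rtp_sim_fault(int block, int offset) { host_fw[block][offset] ^= 0x01; }

/* After Secure Boot has verified the image: record references, clear the log, arm RTP. */
void rtp_init(void)
{
    for (int b = 0; b < RTP_BLOCKS; b++)
        rtp_ref[b] = digest(host_fw[b], RTP_BLOCK_SZ);
    memset(&secure_log, 0, sizeof secure_log);
    rtp_cursor = 0;
    rtp_enabled = true;
}

/* One background-task step: verify the next block in sequence.
   Returns the block index if it was found tampered, otherwise -1. */
int rtp_tick(void)
{
    if (!rtp_enabled) return -1;
    int b = rtp_cursor;
    rtp_cursor = (rtp_cursor + 1) % RTP_BLOCKS;
    uint32_t d = digest(host_fw[b], RTP_BLOCK_SZ);
    if (d == rtp_ref[b]) return -1;
    if (!secure_log.written) {   /* first detection only; later ones are not stored */
        secure_log.written  = true;
        secure_log.block    = b;
        secure_log.expected = rtp_ref[b];
        secure_log.actual   = d;
    }
    return b;
}

/* Run the background task across every block once; returns the first tampered block or -1. */
int rtp_full_scan(void)
{
    int hit = -1;
    for (int i = 0; i < RTP_BLOCKS; i++) {
        int r = rtp_tick();
        if (r >= 0 && hit < 0) hit = r;
    }
    return hit;
}

/* Secure interface: the host asks the HSM for the log; returns the logged block or -1. */
int rtp_logged_block(void) { return secure_log.written ? secure_log.block : -1; }

/* Reprogramming window: RTP is disabled while the block is erased and rewritten,
   the reference digest is refreshed, and RTP is re-enabled. */
void rtp_reprogram_block(int block, const uint8_t *image)
{
    rtp_enabled = false;
    memset(host_fw[block], 0xFF, RTP_BLOCK_SZ);      /* erase */
    memcpy(host_fw[block], image, RTP_BLOCK_SZ);     /* program */
    rtp_ref[block] = digest(host_fw[block], RTP_BLOCK_SZ);
    rtp_enabled = true;
}

int main(void)
{
    rtp_load_image(0xA5);
    rtp_init();
    rtp_sim_fault(2, 3);
    printf("tampered block: %d, logged block: %d\n", rtp_full_scan(), rtp_logged_block());
    return 0;
}
```

The point to notice is the latch in `rtp_tick`: a second tampered block is still reported by the scan, but the Secure Storage entry keeps the first event until `rtp_init` (the reset) clears it, and `rtp_reprogram_block` refreshes the reference digest while RTP is off so a legitimate update is not logged as tampering.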
MEMORY PROTECTION
Memory Protection is an important function that strengthens the memory security of the controller and protects against cybersecurity threats such as unauthorized extraction or manipulation of software firmware, or execution of malicious software. This feature strictly manages access rights to the controller’s non-volatile and volatile memory and adds further hardening measures, especially for production-released controllers.
Importance of Memory Protection
1. Prevention of unauthorized reverse engineering:
- Prevents unauthorized extraction and reverse engineering of software firmware from memory. This prevents the controller’s core technology or protected assets from being exposed to the outside world.
2. Unauthorized Tamper Protection:
- Blocks tampering with controller functions by arbitrarily manipulating software firmware or calibration data stored in memory.
3. Prevent malicious software from running:
- Prevents attackers from inserting attack code into controller memory and executing it as malicious software.
Implementation of Memory Protection
1. Access Permission Control:
- Access rights such as reading, writing, deleting, and execution to the memory area of the controller are strictly controlled. These controls are essential to prevent unauthorized access and manipulation of memory.
2. Release of privileges under certain conditions:
- The execution blocking function is applied by default in the volatile memory area, but can be temporarily disabled when executing the bootloader RAM code.
- A write blocking function is generally applied to the non-volatile memory area, and can be temporarily lifted through an authorized procedure during reprogramming.
- Controllers released to production must apply the read blocking function to the code area; instruction fetch from the code area remains allowed for the Host/HSM core.
3. Differences in protection measures by chip type:
- Since the Memory Protection function may differ depending on the type of chip used, a Memory Protection concept suited to the chip must be proposed to the OEM and approved by them. This is important to meet the characteristics of the chip and the requirements of the controller.
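The access-permission rules listed under "Implementation of Memory Protection" above, written out as an added C policy checker (not code from the original article and not any chip vendor's MPU or flash-protection API). The regions, actors and state flags are the example's own simplification: execution from RAM is blocked unless bootloader RAM code is running, writes and erases to non-volatile memory need the authorized reprogramming procedure, and on a production controller data reads of the code area are blocked for every actor while instruction fetch stays open to the host/HSM core. How a real chip enforces each rule is chip-specific, as the article notes.

```c
#include <stdbool.h>
#include <stdio.h>

/* Memory regions of the constructed controller model. */
enum mp_region { MP_RAM, MP_CODE_FLASH, MP_DATA_FLASH };

/* Kinds of access: data read, write, erase, and instruction fetch. */
enum mp_access { MP_READ, MP_WRITE, MP_ERASE, MP_FETCH };

/* Who is accessing: a firmware core, or an external path such as debug or diagnostics. */
enum mp_actor { MP_HOST_CORE, MP_HSM_CORE, MP_EXTERNAL };

/* Conditions under which a default block is temporarily released. */
struct mp_state {
    bool production;         /* controller released to production */
    bool bootloader_ram;     /* bootloader RAM code is currently executing */
    bool reprog_authorized;  /* authorized reprogramming procedure is active */
};
static struct mp_state mp;

void mp_init(bool production)
{
    mp.production = production;
    mp.bootloader_ram = false;
    mp.reprog_authorized = false;
}
void mp_set_bootloader_ram(bool on)    { mp.bootloader_ram = on; }
void mp_set_reprog_authorized(bool on) { mp.reprog_authorized = on; }

/* Policy decision: true if the access is permitted under the current state. */
bool mp_check(enum mp_region region, enum mp_access access, enum mp_actor who)
{
    bool core = (who == MP_HOST_CORE || who == MP_HSM_CORE);

    switch (region) {
    case MP_RAM:
        /* Execution from RAM is blocked by default, released only for bootloader RAM code. */
        if (access == MP_FETCH) return core && mp.bootloader_ram;
        return core;                       /* data read/write/erase by the cores */

    case MP_CODE_FLASH:
        switch (access) {
        case MP_FETCH: return core;        /* host/HSM core may always fetch instructions */
        case MP_READ:  return !mp.production;  /* production: data reads of code blocked */
        case MP_WRITE:
        case MP_ERASE: return core && mp.reprog_authorized;
        }
        return false;

    case MP_DATA_FLASH:
        switch (access) {
        case MP_FETCH: return false;       /* calibration data is never executed */
        case MP_READ:  return core;
        case MP_WRITE:
        case MP_ERASE: return core && mp.reprog_authorized;
        }
        return false;
    }
    return false;
}

int main(void)
{
    static const char *region_name[] = { "RAM", "CODE_FLASH", "DATA_FLASH" };
    static const char *access_name[] = { "read", "write", "erase", "fetch" };
    static const char *actor_name[]  = { "host", "hsm", "external" };
    mp_init(true);   /* print the default production policy */
    for (int r = 0; r < 3; r++)
        for (int a = 0; a < 4; a++)
            for (int w = 0; w < 3; w++)
                printf("%-10s %-5s %-8s %s\n", region_name[r], access_name[a], actor_name[w],
                       mp_check((enum mp_region)r, (enum mp_access)a, (enum mp_actor)w) ? "allow" : "deny");
    return 0;
}
```

Running `main` prints the full allow/deny matrix for a production controller with no release conditions active; the two setter functions model the temporary releases, and toggling them back off returns the policy to its default, which is the behaviour a reviewer should check on real hardware after bootloader execution or reprogramming ends.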
SECURE MODULE SELF UPDATE
The Secure Module Self Update function is designed to safely update the software firmware of the Hardware Security Module (HSM), a core security element of the vehicle control system. This function is important when it is necessary to strengthen existing security functions or algorithms or add new security technologies as hacking technology advances. Here we will explain in detail how Secure Module Self Update works, its necessity, and special considerations.
Necessity of Secure Module Self Update
1. Enhanced Security:
- Security threats are constantly evolving, and it may be difficult to effectively respond to new threats with existing security functions alone. Secure Module Self Update keeps the HSM’s security features up to date and allows continuous security enhancements.
2. Maintain stability:
- Safely updates HSM firmware while protecting important bootloader areas to maintain system stability. This protects your system from problems that may occur during updates.
How Secure Module Self Update works
1. Authentication and Integrity Assurance:
- The update process must use firmware provided from an authorized source, and the update file must pass integrity verification. This ensures that the update file has not been tampered with.
2. Bootloader and application area updates:
- HSM firmware is divided into a bootloader area and an application area, and each area can be updated independently. This improves efficiency and minimizes risk by updating only specific areas to suit your purposes.
3. Protection measures during updates:
- HSM firmware updates require protective measures to be applied in case the system terminates abnormally during the update process. In particular, it must be ensured that the HSM bootloader can run normally under any circumstances.
Implementation considerations
- Update Protocol Safety:
- The communication environment for HSM firmware updates must maintain the same level of security as for host firmware updates. This protects the data during transmission and prevents unauthorized access.
- Differences depending on chip type:
- The supported Memory Protection functions may vary depending on the type of HSM chip used. It is important to develop an update strategy and protocol tailored to the chip and to obtain the necessary approvals.
Secure Module Self Update plays an important role in strengthening the security of the controller and maintaining system stability. This function allows vehicle manufacturers to keep the controller’s firmware secure and effectively respond to security threats. This feature is an important part of enhancing your vehicle’s overall security.
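The three steps under "How Secure Module Self Update works" above (authenticated, integrity-checked input; independent bootloader and application areas; protection against abnormal termination), as an added C simulation that is not code from the original article or from any HSM vendor. The flash layout, the two-slot-per-area scheme and the fault-injection hook are the example's own assumptions, and `toy_tag` is a placeholder keyed checksum standing in for the real signature or MAC verification the HSM would perform with a protected key. The design choice being demonstrated is ordering: the slot that is currently booting is never touched, and the `active` selector is the last single write, so a power loss at any earlier point leaves the old bootloader image valid.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SLOT_SZ 32   /* constructed image size per area, in bytes */

/* HSM firmware is split into a bootloader area and an application area. */
enum hsm_area { HSM_BOOTLOADER, HSM_APP, HSM_AREA_COUNT };

/* Each area keeps two slots; 'active' selects the one that boots and is written last. */
struct slot { uint8_t img[SLOT_SZ]; uint32_t version; bool valid; };
struct area { struct slot slot[2]; int active; };
static struct area hsm_flash[HSM_AREA_COUNT];

/* Constructed update package as delivered by the authorized source. */
struct update_pkg { enum hsm_area area; uint32_t version; uint8_t payload[SLOT_SZ]; uint32_t tag; };

/* Placeholder for the real signature/MAC check: a keyed 32-bit mix over the package.
   OEM_KEY is a constructed value; in a real HSM the verification key never leaves the HSM. */
static const uint32_t OEM_KEY = 0x5A17C3E9u;
static uint32_t toy_tag(const struct update_pkg *p)
{
    uint32_t t = OEM_KEY ^ (uint32_t)p->area ^ (p->version * 0x9E3779B1u);
    for (size_t i = 0; i < SLOT_SZ; i++) t = (t ^ p->payload[i]) * 0x01000193u;
    return t;
}

/* Flash write with fault injection: after 'writes_left' successful writes the
   simulated power is lost and every further write fails without changing flash. */
static int writes_left = -1;   /* -1: no fault injected */
void hsm_inject_power_loss(int after_writes) { writes_left = after_writes; }
static bool flash_write(void *dst, const void *src, size_t n)
{
    if (writes_left == 0) return false;
    if (writes_left > 0) writes_left--;
    memcpy(dst, src, n);
    return true;
}

enum update_rc { UPD_OK, UPD_BAD_AUTH, UPD_ABORTED };

/* Update one area: authenticate, program the inactive slot, verify it,
   and only then switch 'active' in a single final write. */
enum update_rc hsm_self_update(const struct update_pkg *pkg)
{
    if (pkg->area >= HSM_AREA_COUNT || toy_tag(pkg) != pkg->tag) return UPD_BAD_AUTH;
    struct area *a = &hsm_flash[pkg->area];
    int target = 1 - a->active;        /* never touch the slot that is booting */
    bool invalid = false, valid = true;
    if (!flash_write(&a->slot[target].valid, &invalid, sizeof invalid))             return UPD_ABORTED;
    if (!flash_write(a->slot[target].img, pkg->payload, SLOT_SZ))                   return UPD_ABORTED;
    if (memcmp(a->slot[target].img, pkg->payload, SLOT_SZ) != 0)                    return UPD_ABORTED;
    if (!flash_write(&a->slot[target].version, &pkg->version, sizeof pkg->version)) return UPD_ABORTED;
    if (!flash_write(&a->slot[target].valid, &valid, sizeof valid))                 return UPD_ABORTED;
    if (!flash_write(&a->active, &target, sizeof target))                           return UPD_ABORTED;
    return UPD_OK;
}

/* What the HSM boot ROM would check: the active slot of an area must be valid. */
bool hsm_area_bootable(enum hsm_area ar) { return hsm_flash[ar].slot[hsm_flash[ar].active].valid; }
uint32_t hsm_area_version(enum hsm_area ar) { return hsm_flash[ar].slot[hsm_flash[ar].active].version; }

/* Provision constructed version-1 images into slot 0 of both areas. */
void hsm_provision(void)
{
    memset(hsm_flash, 0, sizeof hsm_flash);
    for (int i = 0; i < HSM_AREA_COUNT; i++) {
        memset(hsm_flash[i].slot[0].img, 0x10 + i, SLOT_SZ);
        hsm_flash[i].slot[0].version = 1;
        hsm_flash[i].slot[0].valid = true;
        hsm_flash[i].active = 0;
    }
    writes_left = -1;
}

/* Build an authentic package; in the model only the authorized source holds OEM_KEY. */
struct update_pkg hsm_make_pkg(enum hsm_area ar, uint32_t version, uint8_t fill)
{
    struct update_pkg p;
    p.area = ar;
    p.version = version;
    memset(p.payload, fill, SLOT_SZ);
    p.tag = toy_tag(&p);
    return p;
}

int main(void)
{
    hsm_provision();
    struct update_pkg b = hsm_make_pkg(HSM_BOOTLOADER, 2, 0x33);
    hsm_inject_power_loss(2);   /* power fails while the new image is being programmed */
    int rc = hsm_self_update(&b);
    printf("update rc=%d, bootloader bootable=%d, version=%u\n",
           rc, hsm_area_bootable(HSM_BOOTLOADER), hsm_area_version(HSM_BOOTLOADER));
    return 0;
}
```

Updating the application area leaves the bootloader version untouched, a package whose tag does not verify is rejected before any flash write, and an interrupted bootloader update returns `UPD_ABORTED` with the old image still bootable; retrying the same package after power returns completes normally.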
If you are interested in the other articles in the Cyber Security Series, please refer to the links below!
[Cyber Security] 1. ISO/SAE 21434 Basic
[Cyber Security] 3. cyber security cryptography technology
[Cyber Security] 4. External, internal communication security and GATEWAY security
[Cyber Security] 5. Security Controls : Diagnostic Security Features
[Cyber Security] 6. Access Control : Diagnostic Security Features
[Cyber Security] 7. Security Updates : Diagnostic Security Features
[Cyber Security] 8. Secure Boot, Secure Debug, Secure Storage