Impact of end-to-end communication on safety and security
Author: Karsten Schmidt, AUDI AG
Contribution – Embedded Software Engineering Congress 2017
Many modern embedded systems are distributed systems, which places additional demands on them regarding safety, security, and real-time performance. The current shift to Ethernet-based communication systems, in particular, necessitates a critical examination of the communication paradigms used to enable efficient communication. This publication discusses design criteria from an end-to-end perspective. It demonstrates why an end-to-end analysis of communication relationships, considering cross-cutting aspects, is crucial for a sound system architecture. Using examples from the automotive sector, end-to-end properties are discussed, and the extent to which these properties significantly influence system and software architecture is examined. The necessary software abstraction is also addressed.
Introduction
Many modern embedded systems are distributed systems, and these systems are frequently subject to additional requirements regarding safety, security, and real-time performance. The rapidly increasing level of vehicle connectivity and the emerging trend toward highly automated and autonomous vehicles demonstrate the need to consider cross-cutting aspects together. Furthermore, it is necessary to critically examine the communication paradigms used to enable efficient communication.
The following section critically discusses and compares common end-to-end paradigms, examining their effects on the software architecture and, through it, on the technical implementation. Designing distributed systems ultimately revolves around determining the placement of components and their roles within the overall distributed embedded system. In such a communication system, the communication infrastructure and the application that uses it are typically separated. However, this approach presents the challenge that certain communication subtasks can be solved in different ways and at different places. This point will be explored in more detail below.
Problem definition
We assume the following scenario (see Figure 1, PDF). There are two applications that exchange data bidirectionally. The applications use a communication stack and transmit the application data over a network.
The interesting question is: "What assumptions can the actual application make about the communication stack and the network?" Furthermore, one can discuss how the actual application can place requirements on the lower layers. Interestingly, this also includes requirements on the communication partner. Among the questions that now need to be considered for the actual end-to-end application communication are:
- Ensuring temporal determinism
- Ensuring data transmission from a safety perspective
- Ensuring data transmission from a security perspective
- General QoS considerations
State of the art
This consideration is not new. It was already addressed in [3] and discussed in more detail in [4]. However, the focus there was on the classic IT domain. In [1] and [2], these ideas were applied to the purely temporal analysis of end-to-end communication within a vehicle's communication network. In [13], a security analysis was conducted for a vehicle-backend-backend communication chain. For PDU-based communication, the AUTOSAR standard [7] provides a way to protect the transmitted data against random errors. In addition to purely technical topics, [10] also considered the necessary paradigm shifts regarding timing issues. References to these considerations can also be found in the RFCs [5] and [6].
Systems analysis
Let us consider a typical simplified example from the field of highly automated driving (see Figure 2, PDF).
For a function of highly automated driving, the following scenario is considered: Starting with sensors, through the sensor data to be processed in the control units, and up to the actuators, data is fused and aggregated to make complex decisions that ultimately actively influence driving behavior. These processes create particular challenges for holistic system modeling.
Considering this scenario raises several interesting questions. First, it's necessary to clarify where the actual endpoints of the communication are located. Within the sensor, this seems relatively straightforward. However, even here, a wide variety of technical implementations exist, and the differences in the chosen communication interface increase the system complexity.
The endpoint of this communication is the central control unit, which in turn is part of another communication relationship. From a purely application-oriented perspective, there is also the logical or functional relationship between sensor and actuator. For example, when an obstacle is detected, the actuator must trigger a corresponding reaction.
Typical challenges
Based on the systems analysis, some interesting questions arise for which solutions exist in the automotive context, but which also exist in a similar form for other industries.
Ensuring data transmission from a safety perspective
This concerns the aspect that the sender and receiver can be certain that the data was not accidentally altered during transmission, i.e., by interference. Established standards exist in the automotive industry to ensure this (see [7]). As already discussed in the original publication [3], the entire system design and software development must address where the necessary components for ASIL-D functionalities will be implemented. A discussion of this for ASIL-D control units can be found in [11].
Secure communication for sensitive data between ECUs
Security is an abstract term that describes a system's resilience against deliberate attacks. Accordingly, the key difference from the previous section is that it focuses on the effects of malicious interference with data communication. These include:
- Injection of malicious control commands
- Inserting, deleting, manipulating, repeating, and delaying messages
- Eavesdropping on sensitive information
For security considerations, an attack is directed at a specific part of the system, such as interfaces, applications, or communication channels. Typical targets in the automotive sector include electronic control units (ECUs), anti-theft systems, networking systems, and payment systems. Typical attacks attempt to remove security checks, intercept or modify communication data, or alter the original firmware [13]. During system design, the necessary system components are identified based on a risk analysis to implement appropriate countermeasures. However, the question of where to locate the necessary software components also plays a crucial role here.
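The difference between the safety view (protection against random errors, as in the E2E library of [7]) and the security view (protection against deliberate insertion, manipulation and repetition) can be made concrete in code. The following is an added illustration, not code from the paper or from AUTOSAR: a simplified counter-plus-CRC frame in the style of end-to-end protection, beside a simplified keyed-MAC-plus-freshness frame in the style of secure onboard communication. The CRC polynomial, tag length and key are arbitrary choices for the example.

```python
import hmac
import hashlib

# Illustrative CRC-8 (polynomial 0x1D); not an AUTOSAR E2E profile implementation.
def crc8(data: bytes) -> int:
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1D) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc

# Safety-style end-to-end protection: 4-bit alive counter plus CRC over counter and payload.
# It detects random corruption and lost or repeated frames, but anyone can recompute the CRC.
def e2e_protect(payload: bytes, counter: int) -> bytes:
    body = bytes([counter & 0x0F]) + payload
    return body + bytes([crc8(body)])

def e2e_check(frame: bytes, last_counter: int) -> str:
    body, crc = frame[:-1], frame[-1]
    if crc8(body) != crc:
        return "CRC_ERROR"          # random corruption on the wire
    if body[0] == last_counter:
        return "REPEATED"           # same frame delivered twice
    if body[0] != (last_counter + 1) & 0x0F:
        return "WRONG_SEQUENCE"     # lost or reordered frames
    return "OK"

# Security-style protection: keyed MAC over a freshness value and the payload.
# Without the key a modified frame cannot carry a valid tag, and old frames are rejected.
def secoc_protect(payload: bytes, freshness: int, key: bytes) -> bytes:
    body = freshness.to_bytes(4, "big") + payload
    tag = hmac.new(key, body, hashlib.sha256).digest()[:8]   # truncated MAC, 8 bytes
    return body + tag

def secoc_check(frame: bytes, last_freshness: int, key: bytes) -> str:
    body, tag = frame[:-8], frame[-8:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(expected, tag):
        return "MAC_ERROR"          # manipulated, forged or wrongly keyed frame
    if int.from_bytes(body[:4], "big") <= last_freshness:
        return "REPLAY"             # repeated or delayed old frame
    return "OK"
```

The receiver state (last counter, last freshness value) is what ties the checks to the end-to-end relationship; it has to live at the true endpoint of the communication, which is exactly the placement question the paper raises.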
Quality of Service
Quality of Service [12] describes the quality of a service in a communication network. Within a network, various communication processes take place using a wide variety of protocols. For each of these communication processes, various aspects must be considered. One example is the timing behavior, expressed as latency (the transit time of a message) and jitter (the maximum variation in that transit time).
At the network nodes, buffer sizes and the prioritization of the message or data packet are relevant. Within an electronic control unit (ECU), this necessitates an estimation of the required resources. These include the necessary memory for the required buffers for various types of user data and the resulting processing time for this data. Furthermore, the load on a single ECU also depends on how the overall communication within the vehicle is organized. Therefore, it is important to examine the entire communication chain, as, for example, the latency accumulates across all nodes (see Figure 2, PDF).
Software development
Another interesting aspect within these considerations is the software. This applies to both application software and the software for the communication stack. In the future, the question of where to place the necessary function that ensures security, safety, or quality of service will become increasingly important.
The use of standard software often appears attractive because it avoids having to address the issues mentioned above ("the basic software will take care of it"). However, this approach typically only covers part of the system requirements [14]. By carefully selecting the necessary software and sensibly dividing it into the communication stack or application software, efficient systems can be developed that also possess a high degree of reliability.
System development, function development, and the actual software development are complicated by the division of tasks within the organization. Additionally, the necessary protection of know-how is required when different companies collaborate. This fact is described in detail in [10]. This effect is amplified by the integration of different software components into a single control unit. Due to collaboration across company boundaries and the integration of software from diverse parties, it is difficult for the actual integrator to approach troubleshooting with a comprehensive understanding of the entire system. This becomes even more challenging when dealing with security or safety issues.
Summary
The complexity of the development process for highly integrated control units necessitates consideration of cross-cutting design aspects. These include not only security and safety, but also real-time capability and resource consumption. It is important to understand that this is no easy task, but rather requires a paradigm shift. AUDI AG is currently working on establishing a security process, incorporating and adapting experiences from its safety processes.
Simple, standard architectural solutions exist only for very few special cases. The ability to model and analyze complex architectures is crucial, as is the development of system architects' expertise in addressing emerging challenges.
Bibliography
[1] K. Reif, K. Schmidt, F. Gesele, S. Reichelt, M. Saeger, N. Seidler, "Networked control systems in motor vehicles", ATZelektronik worldwide, 04/2008, pp. 18-23, Springer Fachmedien Wiesbaden GmbH (2008)
[2] K. Schmidt, M. Buhlmann, C. Ficek, K. Richter, "Design Patterns for Highly Integrated ECUs with various ASIL Levels", ATZ elektronik worldwide Edition, 2012-01
[3] J. H. Saltzer, D. P. Reed and D. D. Clark, "End-to-End Arguments in System Design", MIT Laboratory for Computer Science
[4] T. Moors, "A critical review of 'End-to-end arguments in system design'"
[5] RFC 3117, "On the Design of Application Protocols"
[6] RFC 3439, "Some Internet Architectural Guidelines and Philosophy"
[7] AUTOSAR 4.3, "Specification of SW-C End-to-End Communication Protection Library"
[8] AUTOSAR 4.3, "Specification of Module Secure Onboard Communication"
[9] K. Schmidt, "Ethernet and IP network stacks in cars", ESE Congress 2016
[10] K. Schmidt, D. Marx, K. Richter, K. Reif, A. Schulze, T. Flämig, "On Timing Requirements and a Critical Gap between Function Development and ECU Integration", SAE World Congress, April 2015, Detroit, USA
[11] J. Wolf, P. Müller, "Safety and performance through ASIL-D AUTOSAR basic software", Hanser automotive 7-8/2016
[12] F. Netter, F. Reimann, "Quality of Service (QoS) in switched vehicle networks", International Congress Electronics in Vehicles, 2015, VDI Reports Volume 2249 (2015), pp. 561-572
[13] A. Weimerskirch, "Do Vehicles Need Data Security?", SAE International, December 2011
[14] C. Jakobs, P. Tröger, "Quo vadis, AUTOSAR?", INFORMATIK 2017