Delivering secure V2V communications

13th January 2015
Nat Bowers
Secure hypervisors are key to delivering safe and intelligent vehicles. By Will Keegan, Technical Director, Software Security, Lynx Software Technologies.

In February a new acronym, V2V (Vehicle-to-Vehicle) communications, burst onto the embedded world when the US government threw its weight behind it. The idea is to create a wireless network in which cars send each other messages about what they are doing, in order to improve traffic flow, reduce fuel consumption and, most of all, reduce accidents. Initially, V2V systems would simply warn drivers, but the vision is partially or fully self-driving cars that identify and avoid hazards and respond to traffic signals. Whilst the potential benefits are unarguable, the potential risks are also great should a V2V system be hacked or fail in some way.

On February 3rd, the U.S. Department of Transportation's (DOT) National Highway Traffic Safety Administration (NHTSA) announced that it will begin taking steps to enable V2V communication technology for light vehicles. The dawn of the ‘intelligent’ car is here. Vehicle manufacturers already provide on-demand entertainment, smart sensor safety applications and autonomous driving. Intelligent vehicles are filled with a variety of sensors, processors, software and displays that are increasingly being connected to the Internet. The addition of V2V communications, which could become mandatory, takes this to a new level. With these innovations, vehicles will be connected in several different ways: to the internet, to infrastructure and to each other. Each of these new connections also opens a point of attack on the internal computing platforms, platforms which might in the future directly control the car.

V2V security

Most attacks on information systems originate from external sources through system inputs. When vehicles are allowed access to the global internet, anyone can launch an attack against the internal electronic systems. The only way to prevent these complex systems from being compromised is to provide secure separation between information domains or applications. Using techniques similar to those found in critical avionics and military systems, intelligent vehicle platforms can partition the computing domain according to system criticality level and provide narrow communication paths between partitions on a need-to-know basis.

Pair these new communication capabilities with technologies such as GPS, cameras, proximity sensors, machine actuators and touch screen displays, and manufacturers will struggle to manage the cost and integration of the overwhelming choice of processors, operating systems, applications, devices and drivers. A single monolithic operating system used as the vehicle host platform runs into the traditional OS problems of limited application and device driver support, and exposes major safety and security problems because kernel and application separation is insufficient.

The role of hypervisors

These challenges are similar to those faced by the aerospace industry, and hypervisors developed for those applications hold much promise as a solution. Appropriately re-engineered for the vehicle environment, they allow vehicle platforms to run best-in-breed application and device support, with a mixture of different OSes and applications running concurrently on a consolidated platform. However, selecting a hypervisor is an arduous task where security is concerned, as not all hypervisors separate safety-critical data from general applications any better than a monolithic operating system does.

A well-designed Separation Kernel Hypervisor solves these complex issues with its full virtualisation guest OS support and least privilege design. It guarantees that a configuration of segregated applications or hardware can be verified to match the original specification. In addition, the very small Trusted Computing Base (TCB) prevents unprivileged applications or malicious agents from accessing private information or compromising the safety-critical applications. With the increasing number of emerging vehicle-hosted applications such as collision avoidance and toll payments, this separation becomes vital. Traditional software mechanisms can only provide assurance down to the operating system level and remain at the mercy of the operating system’s kernel or the device drivers that control the hardware. With a kernel like LynxSecure, designers are guaranteed that hardware memory resources have been segregated according to the configuration specification, because the hardware has been programmed to match it.
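To make concrete what "partitioning by criticality with narrow communication paths" and "verifying the configuration against the specification" mean in practice, here is an added example written for this article (not LynxSecure's configuration format or tooling). It models a vehicle as a constructed set of partitions with exclusive memory and devices plus one-way channels, and checks a build against the spec: no shared RAM or devices, exactly the declared channels, and isolation goals that hold transitively rather than only hop by hop.

```python
# Constructed model written for this article; not LynxSecure's own configuration format or tooling.
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple
Chan = Tuple[str, str]  # one-way (source, destination) communication path

@dataclass
class Partition:
    memory: List[Tuple[int, int]]  # (base, size) RAM regions owned exclusively by this partition
    devices: Set[str]              # devices this partition alone may drive

def reachable_from(channels: Set[Chan], start: str) -> Set[str]:
    seen, todo = set(), [start]    # walk the one-way channel graph transitively
    while todo:
        cur = todo.pop()
        for s, d in channels:
            if s == cur and d not in seen:
                seen.add(d)
                todo.append(d)
    return seen

def check_config(parts: Dict[str, Partition], channels: Set[Chan],
                 spec_channels: Set[Chan], must_not_reach: Set[Chan]) -> List[str]:
    """Return violations; an empty list means the build matches its specification."""
    errs, names = [], sorted(parts)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            for ba, sa in parts[a].memory:             # 1. no RAM shared between partitions
                for bb, sb in parts[b].memory:
                    if ba < bb + sb and bb < ba + sa:
                        errs.append(f"memory overlap: {a}/{b} at {hex(max(ba, bb))}")
            for dev in sorted(parts[a].devices & parts[b].devices):  # 2. one owner per device
                errs.append(f"device {dev} shared by {a}/{b}")
    errs += [f"undeclared channel {s}->{d}" for s, d in sorted(channels - spec_channels)]  # 3. exact match
    errs += [f"missing channel {s}->{d}" for s, d in sorted(spec_channels - channels)]
    for s, d in sorted(must_not_reach):                # 4. isolation must hold across hops
        if d in reachable_from(channels, s):
            errs.append(f"isolation broken: {s} can reach {d}")
    return errs

# Constructed layout: internet-facing infotainment, V2V radio stack, collision avoidance, drive control.
PARTS = {
    "infotainment":    Partition([(0x1000_0000, 0x1000_0000)], {"cellular", "display"}),
    "v2v_stack":       Partition([(0x2000_0000, 0x0800_0000)], {"dsrc_radio", "gps"}),
    "collision_avoid": Partition([(0x2800_0000, 0x0800_0000)], {"radar"}),
    "drive_control":   Partition([(0x3000_0000, 0x0400_0000)], {"brake_bus"}),
}
SPEC_CHANNELS = {("v2v_stack", "collision_avoid"), ("collision_avoid", "drive_control"),
                 ("collision_avoid", "infotainment")}  # hazard warnings to the display only
MUST_NOT_REACH = {("infotainment", "collision_avoid"), ("infotainment", "drive_control")}
```

A build that adds a single undeclared channel from infotainment into collision avoidance fails on both the channel check and, transitively, the isolation goal for drive control, which is the kind of error a hop-by-hop review misses.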

V2V communication is a subset of the much-discussed IoT, and a special case of M2M communication. With the huge volumes involved, the safety implications and the potential for the US and other governments to mandate its introduction, it could become a massive market in its own right. Clearly it is essential that manufacturers get the technology right, and that early implementations in particular are proof against failure and hacking. Addressing safety and security from the ground up is paramount. Separation Kernel Hypervisors provide a robust foundation for protecting critical applications and allow vehicle capabilities to be expanded in future without re-tooling vehicle equipment, while maintaining a high level of assurance.