Specification Of Intrusion Detection System Manager - AUTOSAR

Specification of Intrusion Detection SystemManagerAUTOSAR CP R20-11Terms:IdsM block stateIntrusionManagerIdsRDetectionSystemQualified Security Event (QSEv)Security Event (SEv)Security Event TypeSemSensorSinkTimestamp Provider9 of 104Description:State reported by the BswM via IdsM BswM StateChanged.The states are used to suspend the collection of security events.The Intrusion Detection System Manager handles security eventsreported by security sensors.The IdsR is an OEM specific adaptive application that can beused to further propagate the QSEvs to the SOC.Events that have passed their corresponding filter chain and aresent to the configured sink.On-board Security Events are instances of security event typeswhich are reported by BSW or SW-C to the IdsM. They are structured data originating from a sensor which serve as fundamentalinput and output data format for filters. These reported events tothe IdsM that are indicative of an ongoing attack or are somehowsuited to assess the security state of the vehicle. This meansthat events can occur during the normal operation without anyongoing attack.A security event type can be identified by its security event typeID. Instances of security event types are called security eventsand share the same security event type ID.Security event memory is a Dem Module user defined memorywhich is separated from the Dem’s primary memory.Reporting identity that informs the IdsM module about SEvs. Itcan be a BSW Module, a proprietary CDD or an SW-C Application.Destination of a QSEv. Depending on the configuration the QSEvcan be persisted, propagated or both.Service or SW-Component which provides a TimeStamp. e.g. inCP Stbm.Document ID 977: AUTOSAR SWS IntrusionDetectionSystemManager

Specification of Intrusion Detection SystemManagerAUTOSAR CP R20-113Related documentation3.1Related SpecificationAUTOSAR provides a General Specification on Basic Software modules [3], which isalso valid for the Intrusion Detection Manager.Thus, the specification SWS BSW General shall be considered as additional and required specification for the Intrusion Detection Manager.This document is part of the AUTOSAR IDS specification and covers aspects specificto Classic Platform only. For other aspects of the IDS specification, please referto the following documents: AUTOSAR RS Intrusion Detection System [1]: Specifies IDS system requirements. AUTOSAR PRS IntrusionDetectionSystem [4]: Specifies the communicationprotocol for the transmission of security events. AUTOSAR MOD GeneralDefinitions [5]: Standardized Security Events reported by AUTOSAR BSW AUTOSAR TPS SecurityExtractTemplate [6]: Specifies the Security Extract.3.2Input Documents & Related Standards and Norms[1] Requirements on Intrusion Detection SystemAUTOSAR RS IntrusionDetectionSystem[2] GlossaryAUTOSAR TR Glossary[3] General Specification of Basic Software ModulesAUTOSAR SWS BSWGeneral[4] Specification of Intrusion Detection System ProtocolAUTOSAR PRS IntrusionDetectionSystem[5] Standardized M1 Models used for the Definition of AUTOSARAUTOSAR MOD GeneralDefinitions[6] Security Extract TemplateAUTOSAR TPS SecurityExtractTemplate[7] General Requirements on Basic Software ModulesAUTOSAR SRS BSWGeneral10 of 104Document ID 977: AUTOSAR SWS IntrusionDetectionSystemManager

Specification of Intrusion Detection SystemManagerAUTOSAR CP R20-114Constraints and assumptions[SWS IdsM CONSTR 00001] dThe Intrusion Detection Manager has no knowledgeof the meaning of the Context Data reported within a SEv; thus, it can not determineindependently if a system has being compromised or not. Identification and threatresponse is realized outside of the scope of IdsM, e.g., in a SOC.c()4.1AssumptionsThe following assumptions have been made in the design of the IdsM concept: Precision of timestamps: The timestamps of events received by the backendmay be inaccurate to some degree. However, it shall be possible in most casesto extract the order of events from the events received by the backend. In somecases, this might not be possible, e.g., because of events occurring in parallel ondifferent ECUs or because of inherent tolerances in time synchronization. Uniqueness of QSEv: Events do not need to be uniquely identifiable. Two eventsmay contain the same data. Dropping of events: It is acceptable that SEvs are dropped depending on theirreporting frequency and criticality, e.g., a general overload of the system. Semantics of events: Security-related events are indicative of a potential ongoing attack or are somehow suited to assess the security state of the vehicle.Meaning that events can occur during the normal operation without any attackhappening.4.2Applicability to Car DomainsThe AUTOSAR Intrusion Detection System Manager is generic and provides flexibleconfiguration. It is independent of the underlying communication system and can beapplied to any automotive domain under limitations and assumptions provided above.11 of 104Document ID 977: AUTOSAR SWS IntrusionDetectionSystemManager

Specification of Intrusion Detection SystemManagerAUTOSAR CP R20-115Dependencies to other modules5.1Interfaces to ModulesThe AUTOSAR Intrusion Detection System Manager includes header files ofthe modules BswM, Dcm, DET, Dem, NvM, PduR, and the RTE. Furthermore, it providesgeneric interfaces to Basic Software Modules and Software Components (Sensors) forreporting their SEvs.Figure 5.1 shows the interfaces provided to and required from other modules in theAUTOSAR BSW.StbMRteStbM GetCurrentTime()DcmSensorBswMRte Call CustomTimestamp m InterfaceuseIdsM Dcm GetReportingMode Start()IdsM Dcm GetReportingMode RequestResults()IdsM Dcm SetReportingMode Start()Det ReportError()usePduRPduR IdsMTransmit()«EmbeddedInterface»Sensor InterfaceIdsM SetSecurityEvent()IdsM SetSecurityEventWithContextData()IdsM SetSecurityEventWithCount()IdsM SetSecurityEventWithCountContextData()IdsM SetSecurityEventWithTimestampCount()IdsM mbeddedInterface»BswM InterfaceIdsM BswM StateChanged()use«EmbeddedInterface»PduR InterfaceuseIdsM TxConfirmation()IdsM CopyTxData()IdsM rnal Submodules and APIs«EmbeddedInterface»Csm Interfaceuse«EmbeddedInterface»NvM InterfaceuseIdsM NvMRamBlockDataIdsM NvMRomBlockDataFigure 5.1: IdsM’s interfaces to other modules5.1.1Sensor ModulesThe IdsM provides generic IdsM interfaces that notify Security Events (SEvs) withadditional information depending on the configuration.Standard API Used by the Basic Software Modules and by Software Components. Notification of a SEv Notification of a SEv with context dataSmart Sensor API Used by software components in cases in which it is necessaryto transmit an event count and a timestamp. These additional parameters are alreadycalculated by a smart sensor. They are located either in a SW-C or a Cdd. Notification of a SEv with a counter12 of 104CsmCsm SignatureGenerate()IdsM CsmNotification()Document ID 977: AUTOSAR SWS IntrusionDetectionSystemManagerNvMNvM WriteBlock()NvM GetErrorStatus()

Specification of Intrusion Detection SystemManagerAUTOSAR CP R20-11 Notification of a SEv with a counter and context data Notification of a SEv with a timestamp and a counter Notification of a SEv with a timestamp, a counter and context data5.1.2Error Handling ModulesIdsM reports development errors to the Default Error Tracer.5.1.3Diagnostic AccessThe Dcm module is able to modify the configuration of the events’ reporting level.5.1.4Persistence of Reporting LevelThe NvM module persists the configuration values of the events’ reporting level.5.1.5IdsR SinkThe PduR is used in case the events are configured to be sent to the IdsR sink; Thesending of the events is bus independent.5.1.6Dem / Sem SinkThe Dem module is used in case the events are configured to be logged in the Dem /Sem sink.5.1.7BSW SchedulerThe IdsM needs cyclic invocation of its main scheduling function in order to evaluateand handle the reported SEvs.5.2File StructureThis section explains the file structure of the IdsM.13 of 104Document ID 977: AUTOSAR SWS IntrusionDetectionSystemManager

Specification of Intrusion Detection SystemManagerAUTOSAR CP R20-115.2.1Code File StructureFor details, refer to the section 5.1.6 “Code file structure” in [3, SWS BSW General].5.2.2Header File StructureBesides the files defined in section 5.1.7 “Header file structure” in [3, SWS BSW General], the Intrusion Detection System Manager module needs to include the files defined below.[SWS IdsM 00101] dThe IdsM module shall include the header file Det.h if the parameter IdsMDevErrorDetect is enabled.c()[SWS IdsM 00102] dThe IdsM module shall include the header file Dem.h if the parameter IdsMSinkDem is enabled.c()[SWS IdsM 00103] dThe IdsM module shall include the header file Dcm.h if the parameter IdsMDiagnosticSupport is enabled.c()[SWS IdsM 00104] dThe IdsM module shall include the header file NvM.h if the parameter IdsMNvmBlockDescriptor is configured.c()[SWS IdsM 00105] dThe IdsM module shall include the header file PduR.h if theparameter IdsMSinkIdsR is enabled.c()14 of 104Document ID 977: AUTOSAR SWS IntrusionDetectionSystemManager

Specification of Intrusion Detection SystemManagerAUTOSAR CP R20-116Requirements TracingThe following tables reference the requirements specified in the IDS requirement specification [1], the Specification of Intrusion Detection System Protocol [4, Specificationof Intrusion Detection System Protocol] and BSW General system requirement specification [7] and links to the fulfillment of these. Please note that if column “Satisfied by”is empty for a specific requirement this means that this requirement is not fulfilled bythis document.Requirement[DRAFT]DescriptionNo description[RS IDS 00300]Provide configurable filter chainsfor qualifying SEv[RS IDS 00301][RS IDS 00310][RS IDS 00320][RS IDS 00330]Provide multiple filter chainsConfigure reporting mode perSecurity Event Type and IdsMinstanceSupport machine state filterSupport sampling filter[RS IDS 00340]Support Aggregation filter[RS IDS 00350]Support Threshold filter[RS IDS 00502][RS IDS 00503]Event TimestampsTimestamp Sources[RS IDS 00505][RS IDS 00510]Authenticity of QSEvsThe IdsM shall allow to transmitQSEv to the IdsRLimit event rate and traffic[RS IDS 00511][RS IDS 00610]15 of 104Configuration of qualificationfilters for SEvSatisfied by[SWS IdsM 01600][SWS IdsM 01601][SWS IdsM 01602][SWS IdsM 01001][SWS IdsM 01003][SWS IdsM 01004][SWS IdsM 01005][SWS IdsM 01001][SWS IdsM 01012][SWS IdsM 01013][SWS IdsM 01023][SWS IdsM 01031][SWS IdsM 01032][SWS IdsM 01041][SWS IdsM 01043][SWS IdsM 01044][SWS IdsM 01045][SWS IdsM 01046][SWS IdsM 01047][SWS IdsM 01048][SWS IdsM 01049][SWS IdsM 01061][SWS IdsM 01062][SWS IdsM 01106][SWS IdsM 01107][SWS IdsM 01108][SWS IdsM 01109][SWS IdsM 01110][SWS IdsM 01112][SWS IdsM 01204][SWS IdsM 01203][SWS IdsM 01070][SWS IdsM 01081][SWS IdsM 01091][SWS IdsM 01002]Document ID 977: AUTOSAR SWS IntrusionDetectionSystemManager

Specification of Intrusion Detection SystemManagerAUTOSAR CP R20-117Functional specification7.1OverviewThe Intrusion Detection functionality consists of collecting possible security events,handle them with filter rules and forward them towards configured sinks.This chapter specifies the functional behavior of the IdsM for the Classic Platform.Figure 7.1 shows how the IdsM is integrated in the AUTOSAR BSW security stack:Application LayerRTECryptoServicesCryptoHW Abstr.CryptoDriversMicrocontroller (µC)Crypto ServicesKey ManagerCrypto e 7.1: AUTOSAR BSW architecture showing the IdsM moduleThe modules that act as sensors and report SEvs towards the IdsM are: AUTOSAR Basic Software Modules (BSW) Proprietary Complex Device Drivers (CDD) Application Software Components (SW-C)The collected On-board Security Event SEvs are processed by a series of configuredrules called "Filter Chains" into QSEvs, which can be sent to the following sinks: Intrusion Detection System Reporter (IdsR), using the PduR for transmission ofthe QSEvs. Dem / Sem Module, for local persistence of the QSEv records.It is possible to reconfigure specific event parameters and filter qualifiers via diagnosticsusing the Dcm module. 7.10.1Optionally integrity and confidentiality of the QSEv records can be enforced via cryptoalgorithms.16 of 104Document ID 977: AUTOSAR SWS IntrusionDetectionSystemManager

Specification of Intrusion Detection SystemManagerAUTOSAR CP R20-11Figure 7.2 shows the interaction with the modules mentioned above. The modulesCanIf, LinIf, EthIf, KeyM and SecOC are illustrated as BSW sensor examples.AppRTEMEMORY SERVICESSYSTEM SERVICESCRYPTO SERVICESCOMMUNICATION YPTO HARDWARE ABSTRACTIONEthIfCanIfCryIfCOMMUNICATION DRIVERSCRYPTO DRIVERSCrypto ( HSM )CanDrvEthDrvMicrocontrollerHSMFigure 7.2: Interaction of the IdsM with other stack modules7.2Module HandlingThe functionality of the IdsM is divided into the following functional sub-modules: Reception of Events Buffering of Events IdsM Internal SEvs Qualification of Events Reporting of QSEvs Persistence of specific parameter of events in NvM Read and Write specific parameters of events via diagnostics with DcmFigure 7.3 shows the allocation in the stack of the functional sub-modules listed above,these are described in detail throughout this chapter 7.17 of 104Document ID 977: AUTOSAR SWS IntrusionDetectionSystemManager

Specification of Intrusion Detection SystemManagerAUTOSAR CP R20-11SW-CApplicationReport SEvRTERTEMEMORY SERVICESCOMMUNICATION SERVICESDcmCRYPTO SERVICESAccess QSEvrecordsReconfiguratespecificparameters ofCOMMUNICATION SERVICESSecOCIdsMBuffer SEv(Sensor example)Report SEvQualify SEvSEvPrepare QSEv forpersistenceNvmSYSTEM SERVICESPersistspecificparametersof SEvsPrepare QSEv fortransmissionPduRPropagate QSEvto IdsRDemSemPersist QSEVCsmPreparesignatureCRYPTO HARDWARE ABSTRACTIONCryIfCRYPTO DRIVERSMCALCrypto ( HSM)COMMUNICATION DRIVERSEthDrv(Sensor example)Report SEvHSMMicrocontrollerFigure 7.3: Functional modules of the IdsM.7.2.1InitializationThe IdsM module is initialized via IdsM Init. Except for IdsM GetVersionInfoand IdsM Init, the API functions of the IdsM module may only be called after themodule has been properly initialized.[SWS IdsM 00202] dA call to IdsM Init initializes all internal variables and sets theIdsM module to the initialized state.c()[SWS IdsM 00203] dIf development error reporting is enabled via IdsMDevErrorDetect, the IdsM module shall call Det ReportError with the error codeIDSM E PARAM UNINIT when any API other than IdsM Init or IdsM GetVersionInfo is called in uninitialized state.c()[SWS IdsM 00204] dWhen IdsM Init is called in initialized state, the IdsM module shall not re-initialize its internal variables. It shall instead call Det ReportErrorwith the error code IDSM E ALREADY INITIALIZED if development error reporting isenabled (see IdsMDevErrorDetect).c()18 of 104Document ID 977: AUTOSAR SWS IntrusionDetectionSystemManager

Specification of Intrusion Detection SystemManagerAUTOSAR CP R20-117.2.2Timing Related FunctionalityTo be able to handle the security events and their filters asynchronously, theIdsM module is triggered cyclically via the IdsM MainFunction.7.3Reception and Buffering of Events7.3.1Reception of EventsIf a sensor reports a security event via the IdsM services IdsM SetSecurityEvent or IdsM SetSecurityEventWithContextData, without and with context data respectively, an event buffer from the IdsM event buffer pool is used andprocessed asynchronously in the IdsM MainFunction function.If context data exists, a context data buffer with the adequate size will be used. If thereare currently no context buffers available, the event is processed without context data.The service IdsM SetSecurityEvent and IdsM SetSecurityEventWithContextData can be used by any sensor, independently of its source.[SWS IdsM 00300] dThe IdsM shall be able to receive SEvs with the service IdsM SetSecurityEvent when there no context data is reported.c()[SWS IdsM 00301] dThe IdsM shall be able to receive SEvs with the service IdsM SetSecurityEventWithContextData when the optional context data is reported.c()7.3.1.1Smart SensorsSmart sensors provide additional information to the standard sensors. The smart sensors can be a SW-C or a CDD which previously records a timestamp a

The IdsM is part of the AUTOSAR Intrusion Detection System (IDS). An overview and description of the elements of a distributed IDS according to AUTOSAR is available in the IDS requirement specification [1]. The software component IdsM provides a standardized interface for receiving notifica-