preroll music Camille Gay: Hello, everyone. My name is Camille. I am a researcher at Toyota Motor Corporation, and this is a presentation about RAMN, a platform that we developed to make education and research in the automotive systems more accessible. The automotive industry can be inaccessible to many people because automotive projects involve prohibitive costs and be tied to NDAs that everybody is going to sign. What we want to propose with this project is an inexpensive test bed to study and research automotive systems, which is both open source and developed with open source tools so that at least anyone can get access to a good alternative for education and research. The main focus of this test bed is security, but you will see that the usage of the test bed is not limited to security, and I will keep the security talk mostly for the end of the presentation. I will start by giving a short introduction about automotive systems. Then I will present the design details of the test bed besides demonstrations and concrete details about its hardware and software. As an example of how the test bed can be used, I will spend some time experimenting with cruise control and by that I mean I will go through the whole development process, starting from evaluating the differential equations of a simple mechanical model. I will experiment with various control strategies, implement them in C and make measurements in a driving simulator using only data from the CAN bus. And I will do all that using only open source tools. This is to demonstrate how the test bed can be used, but also to have a concrete project that I can use as a reference to explain after what concretely would have been different if we were experimenting with a real electronic control unit. I will also explain how we can get close to automotive hardware and software without signing NDAs. So the second part of the talk is mainly here to give you more information about the automotive industry in case you are not familiar with it. Before I start, let me just clarify that this is not an advertisement. We are not selling anything we present here and do not profit financially from it. We're simply showing design files whithout permising licenses and without royalties. OK, so first, let me give you a very quick introduction about automotive systems. You can see your car as a collection of systems divided in four different domains, the powertrain domain, which includes the engine and the transmission. The chassis domain, which includes the steering column and suspensions. The body domain, which includes the lights, the doors and heating, and the infotainment domain, which includes navigation and connectivity. Many of the different systems that can be found in the car are controlled by electronic control units or ECUs for short. There are many kinds of ECUs in the car. Sometimes hundreds of them. And usually it's a lot hard to understand. They have a limited number of inputs, generally data from sensors and actuators. And they have a limited number of outputs generally to control actuators. So, for example, an airbag ECU may use an accelerometer as its input and an airbag trigger as its output. The role of the ECU would be to use data from the accelerometer to detect a shock and output a signal as actuator to detonate an airbag when the shock is detected. It is very common for ECUs to read data from other ECUs. Most of the time ECUs will need to share data with other ECUs on the same domain. In the case of [unclear], for example the transmission control unit gets input from the engine ECU to determine the correct gear. If the data is critical that connection may even be redundant. ECUs may also need to communicate with ECUs on a different domain. For example the brake system, usually in the chassis domain, willl need to communicate its data to store them, usually in the body domain. Most of the time the technology that is used for communication is CAN. And CAN technology uses a bus topology, which means a CAN message will be received by all ECUs on the same CAN bus, there is no authentication or encryption at the link layer. So any message can be sent by any ECU. And security features need to be implemented at higher layers. A standard CAN frame consist mainly of an arbitration ID of 11 bits and a payload of 8 bytes. CAN-FD is a recent evolution of CAN where the payload size may be extended up to 64 bytes. For an ECU network manufacturers will assign a meaning to each arbitration ID and each bit in the payload, so the file that determines the traffic on the CAN bus is often referred to as a DBC file. For example, assuming a lamp controller and two lamps on the CAN bus. The manufacturer may decide that ID 123 is used by the lamp controller to communicate the command of both lamps, that ID 124 is used by the left lamp to give feedback about the status and that ID 125 is used by the right lamp to give feedback about its status. Each of those messages will be broadcasted periodically by the assigned ECU on the CAN bus and will serve as a basis for most data exchange between ECUs. So that's it for the introduction, there are many reasons why people would be interested in automotive systems and ECU networks. The opportunity that gets by far most attention from the media is vulnerability research. But there are also other reasons. For example, owners: They want to check their car's compliance with regulations such as emissions regulations and privacy regulations. For example, GDPR. Other owners may want to exercise their rights to repair as they are guaranteed by the country they live in. And finally, some owners may want to experiment and innovative DIY features or simply satisfy their curiosity and educate others. And while those may be valid reasons to experiment with the car, manufacturers are typically against people tinkering with a car because they may be worried about their intellectual property being stolen, about vulnerabilities being exploited or people hurting themselves and others while tinkering. And what probably suffers the most from this delicate situation is education and research in automotive security, because people can not easily get access to safe equipment or access the information that they would need. In the long term, this may mean that manufacturers will have less security technologies to choose from to secure their cars and that less talents would be available to develop and evaluate them. As the development, of course, involves many people from many companies, so it is important to make sure that everyone involved is competent in automotive security. And some people are pushing for more open sourcing cars and who knows, maybe one day the car will be 100% open source, but if it happens, it is going to take a long time. And manufacturers themselves do not have access to a hundred percent of the source code of the cars they make because ECUs contain intellectual property from other companies. So this is mostly a political topic. So there is not much we can contribute to as researchers. However what we can contribute technically right now is to try the other way around and use what is publicly available to make it accessible, to learn and research automotive systems. And this is what we try to do with RAMN, which is the topic of this presentation. The objective is to provide a platform for research that is: Open, and by that we mean it should be easy to modify the source code, and reprogram the ECUs; Accessible, and by that we mean inexpensive, small and requiring no prior skills in automotive systems; Safe - with no risk of accidents or legal repercussions; and motivating, something that you can interact with so that you get the same kind of experience as you do when you experiment with a real car. So already some solutions are available if you want to experiment with an ECU network. Besides, of course, a real car, the first one is making your own test bed from real ECUs so we can see many hackers sharing the test bed at security conferences. And usually if you see something like this, you stop and you immediately get interested. So it is a nice way to motivate people to learn. Unfortunately, those are not easy to reprogram because manufacturers do not share information about the ECUs and they require a lot of skills to build. So it's not accessible to everyone. Another option is to use development boards such as Arduino, and that is what you can see mostly on academic papers. They have the advantage of being reproducible and you can modify the source code as you want. So they can be used in many cases for research. But they lack many safety features offered on an actual ECU hardware and software. Even if you are able to simulate a CAN bus, you don't get the same level of interaction as you do with a real car. So it's not something that motivates people and makes them want to learn more. And the third option is to use a professional test bed such as Pasta - another work from our team. This is a good option because you get access to the source code and you can reprogram the ECUs and the CAN bus network is already simulating a full car. So the groundwork is already done. So major drawback are that it is very expensive. So it is not accessible to everyone. So there are some options to study and research automotive systems, but none of them seem to be both accessible and motivating at the same time. So many people don't even think of running automotive systems because it never occurred to them that they could like it. And in comparison with other industries, you have so many ways to get started, if you want to learn about Linux, you can start with a Raspberry Pi. If you want to learn about electronics you can start with an Arduino and so on. So we wanted something that would give a similar experience, but for automotive systems. So we noticed that most of the test beds that people are using to experiment with ECUs are made of 4 ECUs. So the ECUs are often communicating with each other using a CAN bus. So we tried to fit all that in a PCB the size of a credit card. And we named that PCB RAMN. It features four ECUs connected over a common CAN bus or CAN-FD bus, which is accessible from outside by a terminal block. One of the ECUs is also connected to USB, which is also the power supply. PIN-sockets can be used to connect sensors, actuators and additional hardware and the board features many probes to easily access important electric signals. The 4 ECUs simulate a CAN network with messages identical to Pasta. The name RAMN is obviously a reference to Pasta as this is a cheap alternative, mostly aimed at students. In real cars CAN messages typically have different payload sizes, but by default we operate with maximum payload size, to demonstrate heavy traffic, so the basic format is like this: Arbitration ID, 2 bytes for the data, 2 bytes for a counter and 4 bytes of additional data, random data used as a placeholder for additional data such as checksum or MAC. You can easily modify the CAN bus's arbitration ID end format. And here we are assuming a full by-wire vehicle, which means all physical functions of a car are accessible to the CAN bus, which is usually not the case on current cars. The block diagram of RAMN looks like this. And as I explained earlier, all ECUs are periodically exchanging messages on the CAN bus. If you connect a CAN adapter and have a look at the traffic, it will typically look like this. So the board itself is enough to simulate an ECU network, but it does not look very motivating. What we wanted on top of this was some sensors and actuators to make it more interactive. So we created 4 expansion boards for sensors and actuators. To simulate the infotainment domain, we simply use a screen. For the body domain, we use an engine key and some LEDs. For the chassis domain we mainly use a slide switch to simulate a side brake and a rotating potentiometer to simulate the steering wheel. And for the power train domain we use slide potentiometers for the brake and accelerator and a joystick for the shift lever. The EC connected to USB implements a standard CAN or CAN-FD interface, either of a standard serial port using Slcan or over a native interface on Linux thanks to the counterlight firmware projects. If you connect the board to a USB port on the computer, it should be recognized as a USB to CAN adapter. So it is not necessary to own an external CAN adapter to get started. This is a demo of what it looks like to use RAMN. Just connect it over USB, if you use Linux, you can get it to be recognized as a standard CAN network interface. So it will show up in ifconfig. Then you can use various tools available on Linux to observe the traffic, for example CAN sniffer. Here you can see the traffic explained earlier, the CAN IDs on the left and the payload on the right. So with this, we can simulate a ECU network with sensors and actuators, which is enough for basic interactions. But it still doesn't feel like you are actually experimenting with a car. Ideally the ECUs should be performing realistic ECU functions, not just lighting up LEDs based on some switches and potentiometers. And for this we thought of a connection in a closed loop with an open source driving simulator which is an affordable and safe solution. To feel like you are driving the ECU network. Fortunately, there is a great open source driving simulator for autonomous driving research. It is called CARLA. It features a Python API. So it is very easy to interact with it and it also comes with an example self-driving algorithm. So you can immediately start experimenting with your virtual self-driving car. So we wrote some scripts so that most sensors values for example speed and altitude would be simulated on the computer running CARLA. Then broadcasted on the CAN bus. On the other side we made it so that all controls of CARLA such as throttle, steering and brakes will be decided by the ECU network. And this is what you could refer to as HILs or Hardware-In-The-Loop simulation in the automotive industry, RAMN is not as advanced as professional tools, but at least it is accessible. So to achieve manual control, it is not complicated with CARLA. On the manual control example provided with the API there is a while true game loop that with events of the keyboard, applies controls, then updates the physics simulation. So CARLA does not simulate the CAN bus by default so we created a Python class to easily interact with the CAN bus using the CAN message specifications of RAMN. To integrate it with CARLA we just need to replace keyboard controls with actuator control data read from the CAN bus. To close the loop we broadcast sensor data using CAN messages based on data retrieved from the Python API of the physics simulator. And with this we are able to control the car manually, the potentiometers on the board. Here I gently press accelerator, release the handbrake, and I can control the car using the steering wheel on the expansion board. Video stops So manual control is nice, but automatic control is better because ultimately we want to focus on working on the CAN bus. So on the original CARLA project, there was also an example script for automatic control. Again there is a while true loop where the code basically simulates the physics, lets the self- driving AI make a decision, then applies the controls to the physics simulation. To integrate RAMN in this certain algorithm, again, we need to replace the apply control part with the controls from the ECU network. We also need to send CAN messages with sensor data retrieved from the Python API of the physics simulation. That is identical to having manual control. What we need to do more is also send a message to broadcast the status of the AI to the ECU Network, so that the ECU network knows what controls the AI algorithm is requesting. So periodically the AI would broadcast its status by sending messages over USB, which are converted into CAN messages by the ECU input to USB. All ECUs on the network will receive those messages and will decide the actual controls of the car based on their own algorithm. For example, the power train ECU may decide to apply brakes depending on the highest value between the AI brakes and the brake potentiometer. All ECUs will receive the CAN message and apply the control, some ECUs may filter that message if they do not need it. Some ECUs like the body ECU may process it and take action. For example, if the brakes are engaged, the body ECU will light up the stop lamp on the expansion board. Finally, the ECU connected to USB will forward the brake controls to the simulator that will apply the brakes in the physics simulation. So this is what it actually looks like, all I need to do again is release the handbrake and the car will drive itself. The car is controlled by the ECU network, so when the car stops in the simulation, it is because the controls were applied by the power train ECU. You can see that the stop lamp lights up because the body ECU also received and processed the break CAN message. Since the ECU is in charge of the controls, I can force the car to stop any time by forcing brakes on the power train ECU potentiometer. So if you connect an external CAN adapter to the CAN bus, you'll be able to send and receive messages. So using RAMN you can experiment with the CAN bus of the self-driving virtual car. When you want to reprogram an ECU in the real world, you have two options. Either you interact with the hardware bootloader of the ECUs microcontroller, which depends on the microcontrollers model and manufacturer, or you interact with diagnostics and calibration software, which depends on the car model and manufacturer. Diagnostic and calibration are often done on the CAN bus, but other options may be available. Protocols are defined by standard documents. You often hear about UDS and OBD-II which both rely on the same transport layer ISO-TP. But there are also other protocols, such as Keyword Protocol 2000 or XCP. All those protocols can often also be implemented over other layers. For the hardware bootloaders it depends on the microcontroller manufacturer. For example for an STM 32 microcontroller you can reprogram the firmware by interacting over CAN according to the application note 3154, over USB according to the application note 3156. Or using other protocols defined in other application notes. In the case of RAMN, we use the hardware bootloader to reprogram the ECUs and you can also use a UDS protocol over CAN. And in the future we may consider adding XCP and KWD 2000. How to reprogram an ECU using calibration and diagnostic software is a topic that is already heavily discussed at automotive security talks, I will not spend time on this topic. You can find the definition of the standards online. Usually you need to pay for them. But you can also find summaries for free on some websites. For example, Wikipedia. What is more interesting to discuss here is the hardware bootloader. The various ways to force a microcontroller into bootloader mode are described in the application note 2606. The format of CAN messages we need to send to interact with the bootloader is defined in the application note 3154. And it's not complicated. The format is simply common byte plus argument. All that within the same CAN message payload. So we wrote some script to make it easier to interact with the bootloader. So here I am showing the script that we use to interact with the bootloader. First thing I do is retrieve all information from the bootloader, including the version, the supported commands and the Chip ID. I then use a read memory command to dump all known sections of memories. This includes the ECU firmware. So it can be a good start to start experimenting with reverse engineering. We can also activate memory without protection and see what happens when you try to dump the memory again. And in this case is not allowing memory dumps anymore. You can remove the memory protection, which will wipe out the memory, and after you do that, you can use the bootloader to reprogram the ECUs. For the hardware we also designed additional expansion boards with various features. First one is an expansion to connect a JTAG debugger. Second one is about to add extra QuadSPI Memories, which is why you see packages such as EEPROM, FRAM, NAND, SRAM and so on. The third one is a board to add a trusted platform module. And the last one is an interface to easily connect a chip whisperer. All those expansions are compatible with each other, so you can stack them and create a very advanced ECU network with all ECUs between a TPM and one gigabit of memory. And it looks better when the expansions are stacked on top of each other. Since we would like to use RAMN for education, we try to vary the type of electrical signals using the expansions. And we added many external probes to easily connect external tools. You can use one of the many excellent probes to connect an oscilloscope and have a look at analog signals. For example, here's the brake potentiometer. Or connect a logic analyzer and have a look at digital signals, for example, to analyze SPI communication between the ECU and the screen. For the hardware design we kept it simple using only two layers and keeping all components on the same side. We designed the hardware with flash tolerances which should be easy to produce with most PCB fabrication services. We use components with large size. So if you have some skills in soldering, you should be able to solder one yourself. We designed the hardware using KiCAD, which is an open source tool for designing hardware. You can easily modify the schematics, layout and even generate nice 3D views. So firmware is designed using STM32CubeIDE, it is accessible to beginners, and you can easily reconfigure peripherals and clocks from the graphical interface. You will even get some statistics, such as the estimated power consumption. But of course, you do not need to use the graphical interface and libraries if you would rather program everything yourself by interacting directly with registers. We use free RTOS as a Real-Time operating system. The basic software of ECUs has several tasks running in parallel, one for receiving CAN messages, one for sending CAN messages and several periodic tasks to take care of the ECU control loops. Those tasks receive data from different interrupt services within, using queues and DMA memory overwrites. The tasks can also exchange data between each other using queues or memory overwrites. Again, to keep the project accessible to beginners, we did the OS configuration using the graphical interface where you can see all tasks and their configuration, for example the priority. You can add or remove interrupts. And you can also configure the various queues in memory. There is still a lot of memory left even though the memory controller is less performant. So you can easily add your own application on top of this. That's all for the hardware and software section, you can find more details on GitHub. I would like to move to the next section and show you a usage example. There are usually two budgets for people working in automotive security Either they are automotive engineers who learn about security or they are security engineers who wrote about automotive systems. Since this is a security conference and I assume most people do not need me to explain how the platform can be used to study and research basic security topics, I will focus on the automotive side. So diagnostics and calibration topic is already covered by many security talks. I will not spend time on this. So I will spend time on something that is not often mentioned at security conferences: Control algorithms and safety critical hardware and software. And for this, I would like to demonstrate the design of a PID controller for cruise control as an example. I will show you how being knowledgeable in control systems may be relevant to security engineers, and how many of the activities that are done by engineers in the automotive industry can also be simulated using open source tools, including RAMN. Once we have an implementation in C that works, I would then use it as a reference to talk about safety critical systems and the differences with real ECU hardware and software. So let's get started. Cruise control is very simple: When a human is controlling the throttle with the accelerator pedal depending on the skill the car may have an uneven speed. What we want is an ECU that optimizes the control of the throttle so that we can maintain a steady speed. An automatic car can be very easy to model. If you press the accelerator pedal, which opens the throttle, you will get speed out of your car. But the relationship between speed and throttle is not as simple as a multiplication. No, we have to follow the laws of dynamics. In this case that's the sum of forces on the car is equal to its mass times its acceleration. We can consider that there is a force pushing the car that is proportional to the throttle, and that there is an opposing force proportional to the speed due to friction. When we solve this diversal equation, what we expect to see is that the speed follows an exponential curve. And a simple way to control the speed that may come to your mind is open loop control. You make some measurements on the flat road of the relationship between throttle and maximum speed, and you keep in a lookup table. When the user asks the ECU to reach a certain speed, the ECU can use the lookup table to find what throttle controls should be applied based on past measurements. And this may work in some situations, but according to the laws of dynamics, as soon as we reach an upward slope, the car will lose speed because of gravity. So at least that is what we expect, but we should verify that on the CAN bus. This is something we can use RAMN for. Here again, using an external CAN adapter connected to a second PC. On that PC I simply receive data from the physical CAN bus. For the rest of the section I will only be modifying the firmware on the power train ECU. I will not change the simulator, I will not even reboot it. So in the simulator, I drove around the city to try to find a nice place to experiment. More precisely, I looked for a place with flat road followed by an upward slope. Then I programmed the power train ECU to a apply a constant throttle, which is only one line of code. And after reprogramming the ECU I let the car drive straight and I recorded data from the CAN bus. I used an open source tool for CAN bus analysis called Bus Master. Bus Master allows you to load DBC files or to input manually the format of your CAN frames. Here I simply told Bus Master what were the CAN arbitration IDs of the throttle control message and the speed sensor message. And what was the format of the payload. Once I do that, I can plot the evolution of the throttle and speed over time. And the results we get are exactly what we expected from our differential equations. The speed of the vehicle is following an exponential curve and as soon as we reach the upward slope, we start loosing speed because the throttle is constant. There are some noise and non-linearities at low speed but overall it seems our model of the car is correct. We are approaching the problem correctly. What we can see here is that it takes about 40 seconds for one test-drive. And 40 seconds is already too long. So before testing the ECU in the driving simulator, we want to use the software that can simulate differential equations so that we can see the impact of the cruise control algorithm directly, without having to wait for 40 seconds. Most of the time this is done using a professional tool such as Matlab and Simulink. But here we will use open source tool Scilab. It has a graphical interface where we can connect inputs and outputs from a block diagram. Differential equations are a bit hard to deal with because the relationship between inputs and outputs is complicated. What you typically do in control theory is use a Laplace transform, which will change the variable called t to a complex number called s. This may be complicated with a contradictory background, but you just need to know that a differentiation is equivalent to a multiplication by s and that integration is equivalent to division by s. In our system it is easier to model the Laplace transform because we now have a simple relationship between throttle and speed. Speed equals transfer function of car times throttle. And based on the measurements from the CAN bus, we can evaluate the transfer function of the car to be equal to approximately 1 / (1 + 4s). We can simulate the car in Scilab by using a block function which has the exact same transfer function. Using Scilab, we can now test various scenarios and get the results immediately. Here I am testing the scenario in which we start from zero speed, apply a constant throttle and after 20 seconds, we add a new force - gravity - which corresponds to the slope. And this is what we call here the disturbance. And with Scilab simulation we can verify we get waveforms similar to our measurements on the CAN bus. With a constant throttle, the speed follows an exponential curve that is close to maximum speed after around 14 seconds. And as soon as there is a disturbance: the gravity here, showing green, we can check that the car looses speed because there is no reaction from the throttle. So to fix that the solution is obvious: The ECUs need to have feedback. We need the ECU to make use of the speed sensor data that it can find on the CAN bus so that it can adapt the throttle to the actual speed of the vehicle. So first solution that may come to mind to software engineers is Bang-Bang Control. Bang-Bang Control is quite simple. You measure the speed and if it is above a certain threshold, you stop applying the throttle. If it goes below a certain threshold, you apply the throttle again. This is extremely easy to implement in C on the ECU. And once we reprogram the ECU on RAMN, we can make measurements on the CAN bus and verify that this time we are not loosing speed anymore when we reach a slope. But as you can see, there are some oscillations. And as you can imagine, the oscillations are not something very nice for passengers. Apparently people driving like this is the reason cruise control was invented. I do not know if that story is true, but I can believe it. So Bang-Bang Control made a good start, but it is not good enough for cruise control. And the most famous algorithm used in control theory is the PID controller. You can find a lot of resources online. The PID controller is one of the control mechanism used in software of the self-driving AI of CARLA. In the PID controller you measure the difference between the target speed and the current speed. You call that different error and you can control the throttle using the sum of 3 control blocks. The error multiplied by Kₚ. The integral of the error multiplied by Kᵢ and the derivative of the error multiplied by Kd. Kₚ, Kᵢ and Kd are constant called gains. And you need to have a very fine tuning of those gains to achieve optimal control. Here I can simulate the PID controller using Scilab with different blocks. Remember that the division by s is an integration, and the multiplication by s is a derivation. Thanks to the simulation I am able to try many values without having to actually drive the car. And when we are able to find correct values for the PID controller, we get this. The ECU is able to reach a target quite quickly without oscillations and without overshooting the maximum speed. And when there is a disturbance so gravity, it will dynamically adapt the controls of the throttle so that the target speed is maintained. So this is good, because this is what we want for cruise control. But is a gain of only one control block is correct, the speed of the vehicle may look like something totally different, potentially dangerous. And this is why the integrity of calibration data is important not only from a safety point of view, but also from a security point of view. Because an attacker should not be able to make an ECU have a dangerous behavior with only one small change. The last thing I need to explain is how to implement these algorithms in C, and this is not obvious because we're dealing with integration and derivations, which are not possible for digital functions. So there are many ways to implement this in a digital PID controller in C. I will just explain two approaches. The first approach is to stay in the time domain and approximate the derivation by the difference between two successive errors divided by the sampling time. And we can approximate the integral operation with a Riemann sum which is a running sum of errors so far multiplied by the sampling time. This may look a bit intimidating, but when you look at it closely, you can see it is just a combination of constants and values that can be computed from current and past sensor values from the CAN bus. The actual implementation in C looks like this. We need to define 2 variables. One to store the running sum of errors and one to store the error of the previous control loop execution. In the control loop, we define constant gains for each stage. We compute the current error. We add the error to the sum of all errors. We compute the difference between current errors and previous error. We then add all those values with the respective gain to the output variable and then we clamp that output in case it goes out of bound. We then apply the throttle control and save the current error in the previous error variable for use in the next iteration. The second approach is to use a Laplace transform of the PID controller. We first need to convert it to a Z transform, the equivalent of Laplace transform but for digital signals. It looks a bit complicated, but there are many tools to do the conversion for you. If you want to do the conversion by hand, one way is to use the bilinear transformation in which you replace s by this, to approximate the Z transform of your ECU. And again, this may all look a bit intimidating, but you can actually compute the throttle output by using the throttle output from 2 iterations ago, the current error, the previous error and the error before that which can all be computed from sensor values on the CAN bus. And while this control algorithm is equivalent to our previous implementation, it looks totally different. And what I would like to stress here that identical control algorithms may have very different software implementations, which may be relevant for reverse engineers. I only show the first implementation not waste time, but you can see now that the ECU in RAMN is able to make the car maintain a constant speed and for dynamic control of the throttle. So that's it for the example. I just wanted to show that RAMN can be used for realistic activities of the CAN bus and that the ECUs are not just doing some random easy work. The control theory part may be complicated and if that was going too fast for you at least I hope it proves there is a lot of things to discover and experiment with. And that all that learning can be done with open source tools. Now I would like to discuss what would have been different with real ECUs because, as you can imagine, actual ECU software is not as simple as this. I will also show you what alternatives we have. Technologies hidden behind NDAs, so that we can get as close as we can to real ECUs. We showed in RAMN that this cruise control ECU worked, but we only tried it on a single scenario, namely a flat road followed by an upward slope. But what about this scenario in which a car in front is driving slowly? Or what about a scenario in which we are in a downward slope? In this case the ECU will not be able to prevent a car from going too fast because it does not have access to the brakes, which could lead to an accident. And the difficult problem here is not whether you can think of one more scenario. The difficult problem is can you think of them all are you sure? And thinking of all potential scenarios, quantifying the risk and implementing countermeasures is what makes automotive systems really different. And to prove that an ECU is reasonably safe, you actually need to follow ISO 26262 standard, which is a standard for functional safety. The standard defines different requirements at many levels. Not all ECUs are equally critical, so safety relevant issues are assigned and automotive safety integrity level or ASIL for short. And ASIL A is a less critical level and ASIL D is the most critical level. So if you were to design a real cruise control ECU for use in a real car, you could not just connect some random ECU to the CAN bus and try it on the highway. You will need to go through a lot of analysis, such as HAZOP, HARA, FMEA, STPA and so on. Usually there are so many requirements that they cannot be tracked with only a human and a sheet of paper. They are managed using dedicated tools such as Rational Doors. Now let's discuss how the software would be different. The main contribution of automotive software is to realize control algorithms safely. But without countermeasures, many things could go wrong. For example there could be bugs in the ECU application code. And then without any bug the software will be robust enough when there are transient errors in the hardware. There could also be problems with the toolchains that compile the firmware and problems with the libraries and RTOS. And when we have a close look at the PID controller implementation which seemed good enough in our testing, you can see it is actually a terrible implementation. We are mixing integers and unsigned integers and floats without proper checks and type casting. We are not checking for overflows and also random software issues. And this is not acceptable, both for safety and security. And in this case, the problems were obvious on purpose, but sometimes it can be very hard to spot because they stem from very subtle computing issues. And those issues may lead to system failures. So to avoid such scenarios, the automotive industry usually mandates the use of a language subset which restricts what developers can do, but makes sure that numerical errors are less likely to happen. So usually in the automotive industry, the standard that is used is MISRA-C and it is very similar to CERT-C, which is popular in the security industry. Using a language subset is only one of the requirements that are dictated by ISO 26262. There are many other requirements. At a high level they try to enforce a low complexity of the software. For example, by restricting the size of components, restricting the copying between software components and making sure the scheduling is appropriate. And that there are not too many interrupts. But we also have more concrete requirements, such as restricting functions to 1 entry and 1 exit point, forbid dynamic memory, avoid global variables, limit the use of pointers and so on. The other issues we have to deal with, which is riddled with bugs is transient errors. In the harsh environment, data is not always reliable. There may be a bit flip occurring outside of memory, for example, because of noise and communication lines, but also may be bit flips occurring inside a microcontrollers memory. For example, because of cosmic rays. Those issues do not originate from software, they originate from hardware, but they do need to be addressed by software because remember, in the case of the example cruise control ECU, just one bit flip could lead to unwanted behavior of the ECU and the car. So to address those issues, automotive controllers need special countermeasures. For example having redundant memory or having redundant CPUs. In ECUs, you will typically find microcontrollers that have been designed specially for automotive use. All those microcontrollers require you to sign an NDA so you can not just buy them and start programming them. So that makes it a bit hard to study an actual ECU microcontroller and real automotive software. ISO 26262 is not the only standard for safety critical systems. ISO 26262 is actually derived from IEC 61508, so they are both similar in their concepts. And IEC61508 microcontrollers they do not require NDAs for most other activities you may be interested in. And more completely RAMN can be used with STM32L4 or STM32L5 microcontrollers. And for those microcontrollers, you do not need an NDA to download guidelines on how to implement safe software. For example, you can find a list of features that are required for safety applications, and you can request more data that you would need to actually achieve compliance with IEC 61508, such as the FMEA and FMEDA. But to obtain those data, you would need to sign an NDA. No, I personally do not think that those data are essential for education and research. So using such microcontrollers is a good alternative. But again, let me stress that this is an alternative for learning and researching, not for actual use in a car. I don't have time to detail all the safety features, let me just talk about memory redundancy, since this one impacts the code of the application of the example cruise control ECU. So in the example, we wrote the gain of each stage in code memory defining them as constants. For safer applications, this would not be here. They belong to another section, the data flash where ECC protection can be activated. If possible, calibration data should be stored twice with checksums and preferably MACs. If you're not familiar with ECC memory, it is a kind of memory that can detect bit flips and sometimes automatically corrects them. Another memory is also available for the RAM, but not at all addresses. So in the application, we have to ensure that safety critical variables are placed in a section of RAM in which bit flips can be detected, in this case in section SRAM2. For data in RAM that are actually constants such the gains you may also want to activate write protection, a feature that is only available in SRAM2. Last slide about software. In the example cruise control, we are using GCC toolchain in ISO 26262 it is a requirement to have what is called a tool confidence lever to ensure that poor chains will not introduce errors as it could be the case with some optimizations. So normally you cannot use GCC. Realtime operating systems and libraries may also have problems. That is why they need to be certified. Both STM32-HAL and FreeRTOS are compliant with MISRA-C which is nice, but they are not compliant with ISO 26262. However, it looks like ST is bringing Azure RTOS into the ecosystem and that one is actually precertified ISO 26262. Maybe in the future it would be an option to experiment with with an actual ISO 26262 operating system. So now let's talk a bit about hardware. In case it was not clear to you, you cannot use commercial electronics to implement an ECU. Smartphone vendors will often warn you not to let a device in your car because a parked car can reach extreme temperatures that commercial electronics are not designed to resist. And if you think that the life inside the cabin is hard, you should think about an ECU which has to stay in the engine compartment and operate without failures. And you would not think of putting a smartphone or an Arduino here and trust your life with it. And extreme temperatures are just one of the many environmental factors that make it difficult for an ECU to stay reliable. The ECU also need to resist high humidity, corrosive gases, vibrations, micro cuts, load dumps, electrostatic discharges, electromagnetic noise and so on. And when subjected to such a harsh environment, many things could go wrong with electronics. You probably know about corrosion, but many other physical phenomena are at risk of happening to the components. Solder cracs, intermetallic growth, whiskers, dendrites, electromigration, etc. For example, whiskers are metal growing out of electrical components and dendrites are metals leaving the plus side towards the minus side. And many other phenomena may result in a dangerous failure. So obviously, ECUs need to be designed to resist harsh environments and have countermeasures against all those potential failures. ECUs need to pass various tests that simulate harsh environments. Those tests are usually defined by manufacturers and the test specifications are not made public. What is made public, however, is the test specifications for individual electronic components. And those tests are usually defined by AEC. So the Automotive Electronic Council, and you can have a look at them online. For RAMN, we tried to follow design guidelines similar to those of real ECUs. But of course, we cannot follow actual rules as it to be much less accessible. Completely, we selected AEC-Q100 grade zero components for everything except connectors and microcontrollers, because those may require NDAs or not be easily accessible. Depending on the part reference, ECU microcontrollers may be usable from -40 to 125°C. RAMN tried to stay close to automotive grade, but it is still not automotive grade, especially in the reliability department, so it can not be used as a real ECU. As a result, we try to stay close to automotive hardware is to help researchers evaluate the impact of manufacturing tolerances and environments because remember, manufacturers are making millions of cars that need to operate on a large temperature range. So if you are developing, for example, a security technology that relies on hardware characteristics such as the clocks of the ECUs, you will need to prove that the technology works despite manufacturing tolerances and harsh environments. And with RAMN it is easy to have a large sample of ECU networks and since they are small they can easily fit in various testing equipment. And now let's move on to the last section, security. In the automotive industry, we just can not apply the same reasoning as you do in many other industries. For example, a credit card, if you detect the temperature is too cold, it may think that it is a tampering attack and decides to shut down because it is not safety critical. On the other hand, the car needs to start quickly because the user should not be left out in the cold and also credit cards have an expiration date. So they do not need to guarantee security for more than a few years. But cars do not have an expiration date. If they are well maintained they may be used for several decades and the security technologies should keep on working. So in the end, automotive security technologies have different requirements. Unfortunately, according to past research, a security technology is often less reliable when you extend its operating temperature range and its lifetime. For example, at low temperatures, they may be liable to cold boot attacks. At high temperatures, it has also been shown that electronics tend to be less reliable concerning glitching attacks and in those papers high-temperature means something like 60 or 100°C, far from the maximum temperature required for some ECUs. Also, it has been shown that the higher age for electronics usually results in different security properties. And you may think that the safety features of automotive microcontrollers would prevent some attacks such as glitching attacks, but it has been shown that ECC memories are also susceptible to glitching attacks. And that even ISO 26262 ASIL-D microcontrollers, which is the highest level of safety may be susceptible to glitching. So safety features often help, but there aren't really enough to ensure security. What is also different with automotive is that you need to rethink the strategy in case of security problems, for example, with credit cards, it is not uncommon for authentication to fail randomly. When the credit card fails to work usually you just need to try it once more and it will probably work and everything stays again. No life is at risk. But the car cannot have the same strategy. If you add authentication to the brake CAN message and you start receiving break request that fail authentication what should the car really do. Because it may be a cyber attacks, which you want to avoid, but you should not relay out the possibility of a random malfunction or a false positive for an intrusion detection system. And by adding complexity into the system, you always increase the odds of a problem. And which one would be worse between breaking because of a cyber attack or not breaking because of a malfunction? And there is no easy way to answer that question. But what I want to stress here is that many security countermeasures that people suggest for cars such as encrypting the CAN bus, permanently disabling debug ports or obfuscating the firmware, they may not necessarily be the best ideas, because if you suspect a malfunction with an ECU, you need to investigate the problem seriously because it may harm people. You cannot just replace a car as you would with a credit card or a smartphone. So technologies that can truly take into account both automotive requirements and security requirements are better. And we should make sure that education and research in these areas are accessible to many researchers without NDAs or prohibitive costs. Now, of course, you can use RAMN to try out different attacks. The first obvious one is to inject CAN messages to alter the behavior of the car. Here for example the breaks. Another kind of security that I did not mention in this presentation is physical security for sensors and actuators. Here I am demonstrating what happens when it overtake the control of the steering wheel actuator. A human will probably break in this situation. The self driving algorithm in CARLA here does not realize it has lost control of the steering wheel and is still trying to correct the trajectory when a better decision would be to stop the car. So this is the end of the presentation. We developed an inexpensive, safe and interactive platform to study and research automotive systems. The platform is accessible to beginners. It is not automotive grade, but is close enough for research and educational purposes. The project is open source and with permissive licenses. If you have questions or ideas, do not hesitate to contact us, especially if you are involved with education, research, training, CTF, etc. And thank you for watching. Herald: Camille, thanks for this comprehensive talk, this was amazing. We unfortunately don't have much time for the questions or answers, but there is one question that popped up, which is about the hardware and your PCB. How did you design it? How much does it cost actually, how can you get hold of that thing? Camille: So I designed everything with KiCAD. And I mean, I think a few years ago it was very hard to design hardware, but now you have footprint libraries available online. It has become very easy. The board was between 50 to 100€ for a quantity of one. So microcontrollers are obviously the expensive parts and the PCB assembling parts - it is up to the PCB Fabrication Service. If you have questions just ask me on GitHub, I would be happy to answer. rC3 postroll music Subtitles created by c3subtitles.de in the year 2021. Join, and help us!