Using Software-based Attestation for Verifying Embedded Systems in Cars

With advances in automobile electronics, we find a rapid proliferation of embedded systems in cars, both in safety-critical applications and for passenger comfort. These embedded systems are increasingly networked for their operation and enhanced functionality. However, the increased connectivity of embedded systems also greatly complicates design, increases the number of failure modes, and introduces the risk of remote malicious attacks, such as worms and viruses. Moreover, car owners may alter the code on their car to access features they did not pay for or achieve higher motor performance. Such owner-initiated changes are likely to deteriorate the car’s safety. We propose SWATT, a SoftWare-based ATTestation mechanism to detect and defend against these threats. SWATT enables an external verifier to verify the code of a running system to detect maliciously inserted or altered code. So far, code attestation has been proposed as a mechanism to verify the code running on a system, and special hardware mechanisms have been designed to achieve this property, e.g., TCG (formerly known as TCPA) [15] and NGSCB (formerly known as Palladium) [6]. However, special hardware to provide attestation may not be available in legacy systems or due to cost reasons. Therefore, we design SWATT to be software-based. Code attestation is instrumental to many applications, such as remote detection of malicious code (such as Trojan horses and viruses) in embedded systems and gives an assurance that critical embedded systems are running the correct code. If we use SWATT to verify code running on embedded systems in a car, an attacker is forced to perform a hardware change to hide the presence of altered code; greatly increasing the effort required by an attacker and preventing entire classes of remote attacks.