Today’s cars are so complex electronically that they’re perhaps best thought of as mobile computer networks. The cars of tomorrow—which are already starting to appear today—will be increasingly connected—to the Internet, to each other, and to roadside wireless infrastructure.

The U.S. Department of Transportation (DOT) has designated IEEE 802.11p as the basis for Dedicated Short Range Communications (DS_RC), by which a vehicle can communicate with other vehicles and roadside infrastructure. DSRC enables cooperative cruise control—cruising as part of a pack on the freeway—as well as collision avoidance, electronic road pricing and toll collection, electronic parking payment, and even braking for a red light that you may not have noticed. Beyond paying for tolls and parking DSRC could turn your car into a 4-wheeled wallet, enabling you to drive through your favorite fast-food or coffee outlet without having to dig out your credit card.


In order to provide all the functionality in your car of your smart phone—including navigation, communication, multimedia, gaming, and location-based services (“Where’s the nearest Italian restaurant?”)—the average new car may have as much as a mile of wiring inside and contain over a hundred separate electronic control units (ECUs) that communicate over a variety of networks and buses. Add to that all the cool functionality that DSRC can enable and the system gets exceedingly complex.


The very complexity of in-vehicle infotainment (IVI) systems raises serious security issues, since you’re connecting systems with consumer-grade security with mission-critical systems that control the operation of the vehicle.


Getting on the bus
One weak point is the CAN bus (Figure 1), over which the various ECUs communicate. While devices on the bus may be secure, the bus is not—which means the system as a whole is not. CAN is a message-based protocol with no built-in security features.


Figure 1: The CAN bus ties together most automotive electronic control units (ECUs).


A couple of years ago the Center for Automotive Embedded Systems Security (CAESS) demonstrated the fragility of the underlying system structure. They connected a packet sniffer to the On-Board Diagnostics II (OBD-II) port to analyze CAN bus traffic. Using a wireless link they were then able to use that information to start and stop the car, race the engine, lock individual brakes, unlock the doors, and pretty much control the entire car.


Taking their hacking to the next level the CAESS team was then able to take over control of a vehicle remotely through its telematics system. They demonstrated that it’s possible to hack a car with malware inserted into an MP3 player or transmitted over a Wi-Fi connection. Devices relying on an 802.11p wireless connection may be particularly vulnerable.


Virtual IVI
While standards bodies are working on protocol vulnerability, auto makers are moving to reduce complexity by having a single ECU handle multiple functions. In these mixed-criticality systems real-time, safety-critical components must coexist with consumer infotainment applications. Developers can meet this goal with Intel® Atom™ processor-based platforms featuring Intel® Virtualization Technology (Intel® VT) and the INTEGRITY Multivisor from Green Hills Software.

“When you’re mixing consumer-grade applications and you want security, you’re always going to have maliciousness or just software that doesn’t work the way it’s supposed to,” explains Robert Redfield, Green Hills’ Director of Business Development . “That’s why you have to start at the very lowest level of software. If you’re going to have virtualization, it has to be at the microkernel level.”


Figure 2: INTEGRITY Multivisor securely partitions off guest operating systems from mission-critical applications.


INTEGRITY Multivisor is both a secure Type-1 hypervisor and an RTOS. At the heart of INTEGRITY Multivisor is a certified microkernel that provides trusted partitioning of guest operating systems, applications, and peripheral driver software (Figure 2). Multivisor supplies only a minimal set of critical services, such as process management, exception handling, and interprocess communications. Multivisor is the only code that runs in supervisor mode, while the overlying operating systems and applications run in user mode, accessing only those resources deemed appropriate by the system engineer. For example, Multivisor will prevent a guest operating system from accessing physical memory beyond what was originally allocated to the guest’s virtual machine. This prevents a stack overflow, which malware can use to take over control of a system.


To address the security issues mentioned earlier, “You would put the drivers for the CAN bus and the Wi-Fi and the cellular radio in the mission-critical part of the operating system,” continued Redfield, “where they’re under the control of Multivisor. Multivisor is built on the most highly certified real-time operating system on the planet, that is INTEGRITY. So if you put one of those communication drivers in its own partition, if something goes wrong it’s contained.”


Complete IVI platform
Mission-critical applications need to operate in near real time, which is made possible by Intel’s AtomTM processor. Intel AtomTM N2000 and D2000 processors (codename Cedar Trail) provide hardware-accelerated virtualization. Intel® Virtualization Technology (Intel® VT) speeds up the transfer of control between the hypervisor and the guest operating systems; it assists in trapping and executing certain instructions for the guest operating system, thereby accelerating performance. Intel VT is optimized for maximum virtualization performance, and its on-chip GPU accelerates 3D graphics to one or more screens while making minimal demands on the CPU.


The combination of INTEGRITY Multivisor and an Intel Atom processor provides a secure IVI platform that can run multiple guest operating systems and protected real-time applications simultaneously, using secure partitions to ensure real-time responsiveness and fault tolerance (Figure 3).


Figure 3: The combination of INTEGRITY Multivisor and an Intel Atom processor provides a secure IVI platform.



Solutions in this blog:

Related topics:


Green Hills Software is an Affiliate Member of the Intel® Intelligent Systems Alliance and plays a critical role in developing and delivering robust operating systems with virtualization and advanced development tools and embedded solutions for embedded markets such as automotive, industrial, medical, military/government, and telecommunications.

John Donovan
Roving Reporter (Intel® contractor), Intel® Intelligent Systems Alliance
Low-Power Design
Follow me on twitter: @jdonovan43