
Secure Software Flashing


More and more devices in our modern world come with a multitude and variety of embedded systems. An obvious example of this trend is today’s vehicles, which have dozens of electronic control units (ECUs) that control everything from the air conditioning and electric windows to the engine and brake system. Several ECUs allow downloading of updated program and data code via a boot loader. Such software might be a control unit firmware update for fixing bugs, for improving features, or for downloading data such as additional multimedia files. The first case is also called a software download or simply flashing (since flash memory is updated). The download might be performed directly over a diagnostic channel or another available communication channel such as Bluetooth and GSM.

Figure 1. The generation of digital signatures at the embedded systems manufacturer.

Once such vehicle communication channels are opened to the outside world for downloading software, their integrity must be ensured. An example of a malicious software download is the replacement of firmware by an unauthorized party, e.g., as done for chip tuning in the automotive context. The main security objectives are as follows:

  1. Only original software must be accepted by the embedded system. No manipulated or malicious software may be downloaded to the embedded system. In particular, the embedded system must not accept any software download that alters its defined behavior.
  2. Only authenticated parties may alter data, e.g., parameters, stored in the embedded system.

Furthermore, a practical security design should ensure that the compromise of a single embedded system does not affect the security of other embedded systems of the same product line (i.e., a successful attack does not scale).

The required computational performance on the embedded system side shall be minimal.

Digital Signatures

The secure software flashing scheme we present is based on digital signatures. A digital signature provides the security objectives of integrity and authenticity: digitally signed data cannot be altered by a malicious third party without the receiver detecting it, and the receiver can verify that the data was indeed signed by the claimed signer. Moreover, the signer is not able to deny being the legitimate creator of the signature (non-repudiation). Digital signatures are generated and verified with asymmetric cryptographic algorithms, such as the Rivest Shamir Adleman (RSA) algorithm or Elliptic Curve Cryptography (ECC).
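The two halves of the scheme described above, as an added example that is not code from the original article: the manufacturer signs the SHA-256 digest of a firmware image with its ECDSA private key (Figure 1), and the boot loader verifies that signature with the public key it holds before it accepts the image. The download container (a 2-byte length, the DER signature, then the image) and the sample image are assumptions constructed for this example; only a verifying image is handed on for flashing.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// BuildPackage runs at the manufacturer: hash the image, sign the digest with the
// private key the ECU never holds, and wrap both in the assumed container format.
func BuildPackage(priv *ecdsa.PrivateKey, image []byte) ([]byte, error) {
	digest := sha256.Sum256(image)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return nil, err
	}
	pkg := make([]byte, 2, 2+len(sig)+len(image))
	binary.BigEndian.PutUint16(pkg, uint16(len(sig)))
	return append(append(pkg, sig...), image...), nil
}

// AcceptPackage is the boot loader's decision: parse the container, recompute the
// digest and verify it with the ECU's public key; the image is returned only if valid.
func AcceptPackage(pub *ecdsa.PublicKey, pkg []byte) ([]byte, error) {
	if len(pkg) < 2 || len(pkg)-2 < int(binary.BigEndian.Uint16(pkg)) {
		return nil, errors.New("malformed package")
	}
	sigLen := int(binary.BigEndian.Uint16(pkg))
	sig, image := pkg[2:2+sigLen], pkg[2+sigLen:]
	digest := sha256.Sum256(image)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return nil, errors.New("signature invalid: image rejected")
	}
	return image, nil
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	pkg, _ := BuildPackage(priv, []byte("constructed ECU firmware image v1.2"))
	_, err := AcceptPackage(&priv.PublicKey, pkg)
	fmt.Println("genuine image accepted:", err == nil) // true
	pkg[len(pkg)-1] ^= 0x01 // one byte of the image changed in transit
	_, err = AcceptPackage(&priv.PublicKey, pkg)
	fmt.Println("modified image accepted:", err == nil) // false
}
```

Because the ECU stores only the public key, extracting it from one compromised unit yields nothing that lets an attacker sign images for the rest of the product line, which is the "attack does not scale" property above.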

