RUB » Bibliotheksportal

Karina Dorozhkina

• Today’s cars are deservedly called smart because they are no longer merely vehicles but complex devices communicating with each other and the outside world. With integrated infotainment (head unit ECU or HU) and communication (telematics ECU or TCU) control domains, they offer numerous ways to make the driver's life more comfortable. HUs and TCUs are powered by Linux or Android OS, similar to your mobile phone or tablet, and their hardware performance is more on a par with PCs than embedded systems. But as well as greater convenience, these enhanced vehicle capabilities bring greater responsibilities as the attack surface grows. For instance, it has been shown by several research groups that unauthorised remote access can result in CAN bus injection. Countering complex cyberattack scenarios requires security event monitoring inside the vehicle’s ECUs and the ability to deliver this information to vehicle operators (e.g., OEM or fleet owner) for incident discovery and response. Continuous asset monitoring in Security Operations Centers became the standard in enterprise-grade security with Endpoint Detection & Response solutions (EDR). Upcoming automotive cybersecurity regulations (UNECE WP.29/GRVA and ISO/SAE 21434) also cover this process. This paper gives a detailed description of security events from HU and TCU critical for malicious activity analysis as well as key mechanisms for their extraction. The target platforms are automotive embedded Linux distributions such as Automotive Grade Linux (AGL) and GENIVI. Mature systems such as udev and Linux Auditing will be reviewed along with the relatively new extended Berkeley Packet Filter (eBPF).