Secure Software Over-the-air Updates in Automotive Modern Software Architecture

Abstract

The automotive industry has seen a dynamic transformation from traditional hardware-defined to software-defined architecture enabling higher levels of autonomy and connectivity, better safety and security features, as well as new in-vehicle experiences and richer functions through software and ongoing updates of both functional and safety-critical features. Such architecture evolution demands new development paradigms to address the increasing com¬plexity of software. This is crucial to guarantee seamless software development, integration, and deploymentâall the way from cloud or backend repositories to the vehicle. Additionally, it calls for enhanced collaboration between OEMs and suppliers. Simultaneously, it intro¬duces challenges associated with the necessity for ongoing updates and support ensuring vehicles remain safe and up to date. Current approaches to software updates have primar¬ily been implemented for traditional vehicle architectures, which mostly comprise specialized electronic control units (ECUs) designed for specific functions. These ECUs are programmed with a single comprehensive executable that is then flashed onto the ECU all at once. Dif¬ferent approaches should be considered for new software-based modular vehicle architectures and specifically for ECUs with multiple independent software modules and support multiple variants. These modules should be updated independently and selectively for each ECU.In this study, the objective is to identify the most effective approach for implementing software over-the-air updates (SOTA) in modern modular automotive software architectures. Specifically, this research focuses on the critical challenges and requirements associated with software updates for automotive systems, with a particular emphasis on software-defined vehicles (SDVs). Given the complexity of vehicular software updates, particularly when dealing with highly distributed embedded ECUs, a software-centric approach is more effi¬cient and suitable to cover different architectures and configurations, ensuring consistency across all platforms. Therefore, we propose a variability-rich scheme for software updates based on a Merkle tree approach that can cope with the complexity of the new software architecture while addressing the safety and security requirements of real-time and resource-constrained embedded systems in the vehicle. The Merkle tree-based Software Over-The-Air update (MT-SOTA) proposal enables secure updates for individual software modules. These modules are developed and integrated by diverse entities with varying release timelines. The technical analysis and experiments conducted in this research demonstrate how the proposed scheme, which combines a digital signature and a Merkle hash tree, achieves synergistic authentication and verification of multiple software modules. The MT-SOTA scheme can enhance the speed of software update execution without significantly increasing the process overhead within the ECU. In parallel, this approach offers OEMs the ability to sign a software module once and verify it across multiple ECU variants, providing a more efficient alternative to the traditional method of creating a software update package for each variant. This approach not only adds flexibility to software updates and reduces the complexity of software variant management, but also maintains the security of the vehicle, ensuring that there is no compromise in the safety of the passengers.