APPARATUS AND METHOD FOR PROTECTION OF CRITICAL EMBEDDED SYSTEM COMPONENTS VIA HARDWARE-ISOLATED SECURE ELEMENT-BASED MONITOR

US 20170098070A1
Filed: 02/19/2016
Published: 04/06/2017
Est. Priority Date: 10/01/2015
Status: Active Grant

First Claim

Patent Images

1. A secure element for providing hardware isolation of a mission critical subsystem, the secure element comprising:

a memory; and

a processor coupled to the memory and an unsecure path, the processor configured to;

perform actuation operation received across the unsecure path that modifies the state of the mission critical subsystem;

perform a diagnostic operation received across the unsecure path that request state information of the mission critical subsystem;

store information used to determine which of the diagnostic operation and the actuation operation received across the unsecure path are performed; and

flash an execution image of an electronic control unit when the execution image of the electronic control unit is received across the unsecure path,wherein the secure element is coupled to the electronic control unit.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An apparatus and method of a hardware isolated secure element protecting a plurality of mission critical subsystems are provided. The method includes performing an actuation operation received across an unsecure path that modifies the state of a mission critical subsystem, performing a diagnostic operation received across the unsecure path that requests state information of the mission critical subsystem, storing information used to determine which of the diagnostic operation and the actuation operation received across the unsecure path are performed, and flashing an execution image of an electronic control unit when the execution image of the electronic control unit is received across the unsecure path.

Citations

18 Claims

1. A secure element for providing hardware isolation of a mission critical subsystem, the secure element comprising:
- a memory; and
  
  a processor coupled to the memory and an unsecure path, the processor configured to;
  
  perform actuation operation received across the unsecure path that modifies the state of the mission critical subsystem;
  
  perform a diagnostic operation received across the unsecure path that request state information of the mission critical subsystem;
  
  store information used to determine which of the diagnostic operation and the actuation operation received across the unsecure path are performed; and
  
  flash an execution image of an electronic control unit when the execution image of the electronic control unit is received across the unsecure path,wherein the secure element is coupled to the electronic control unit.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The secure element of claim 1, wherein performance of the actuation operation comprises:
    - cryptographically verify that the actuation operation was not tampered with during transmission or transmitted from an untrusted device,allowing performance of the actuation operation via the electronic control unit and the mission critical subsystem upon the cryptographic verification the actuation operation was not tampered with during transmission and not transmitted by the untrusted device, andfilter out the actuation operation and return an error code upon the cryptographic verification the actuation operation was tampered with during transmission or transmitted by the untrusted device.
  - 3. The secure element of claim 2, wherein the cryptographic verification is performed using a public key/private key pair.
  - 4. The secure element of claim 1, wherein the performance of the diagnostic operation further comprises:
    - determine if the diagnostic operation is a trusted operation in the mission critical subsystem,perform the diagnostic operation via the electronic control unit and mission critical subsystem upon determination the diagnostic operation is trusted, andfilter out the diagnostic operation and return an error code upon determination the diagnostic operation is not trusted.
  - 5. The secure element of claim 4, wherein the determination that the diagnostic operation is a trusted is made by comparing the diagnostic operation to at least one of a whitelist or a blacklist.
  - 6. The secure element of claim 1, wherein the storing information further comprises:
    - receive at least one of a whitelist, a black list or secure element logic across the unsecure path,cryptographically verify the at least one of the whitelist, the black list or the secure element logic was not tampered with during transmission or transmitted from an untrusted device,store the at least one of the whitelist, the black list or the secure element logic for use by the secure element upon determination the at least one of the whitelist, the black list or the secure element logic was not tampered with during transmission or not transmitted from the untrusted device, andtransmit an error code back across the unsecure path upon determination the at least one of the whitelist, the black list or the secure element logic was tampered with during transmission or transmitted from the untrusted device.
  - 7. The secure element of claim 6, wherein the cryptographic verification is performed using a public key of a trusted device.
  - 8. The secure element of claim 1, wherein the flashing of the execution image comprises:
    - cryptographically verify that the execution image was not tampered with during transmission or transmitted from an untrusted device,transmit the execution image to the electronic control unit for flashing upon determination the execution image was not tampered with during transmission or not transmitted from the untrusted device, andtransmit an error code back across the unsecure path upon determination the execution image was tampered with during transmission or transmitted from the untrusted device.
  - 9. The secure element of claim 8, wherein the cryptographic verification is performed using a public key of a trusted device.

10. A method in a hardware isolated secure element for protecting a mission critical subsystem, the method comprising:
- performing an actuation operation received across an unsecure path that modifies the state of mission critical subsystem;
  
  performing a diagnostic operation received across the unsecure path that request state information of the mission critical subsystem;
  
  storing information used to determine which of the diagnostic operation and the actuation operation received across the unsecure path are performed; and
  
  flashing an execution image of an electronic control unit when the execution image of the electronic control unit is received across the unsecure path.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The method of claim 10, wherein, the performing of the actuation operation further comprises:
    - cryptographically verifying that the actuation operation was not tampered with during transmission or transmitted from an untrusted device;
      
      performing the actuation operation via the electronic control unit and the mission critical subsystem upon determination the actuation operation was not tampered with during transmission and not transmitted by the untrusted device; and
      
      filtering out the actuation operation and returning an error code upon determination the actuation operation was tampered with during transmission or transmitted by the untrusted device.
  - 12. The method of claim 11, wherein the cryptographic verification is performed using a public key/private key pair.
  - 13. The method of claim 10, wherein the performing of the diagnostic operation further comprises:
    - determining that the diagnostic operation is a trusted operation in the mission critical subsystem;
      
      performing the diagnostic operation via the electronic control unit and the mission critical subsystem upon determination the diagnostic operation is trusted; and
      
      filtering out the diagnostic operation and returning an error code upon determination that the diagnostic operation is not trusted.
  - 14. The method of claim 13, wherein the determination that the diagnostic operation is a trusted is made by comparing the diagnostic operation to at least one of a whitelist or a blacklist.
  - 15. The method of claim 10, wherein the storing of the information further comprises:
    - receiving at least one of a whitelist, a black list or secure element logic across the unsecure path;
      
      cryptographically verifying that the at least one of the whitelist, the black list or the secure element logic was not tampered with during transmission or transmitted from an untrusted device;
      
      storing the at least one of the whitelist, the black list or the secure element logic for use by the secure element upon determination the at least one of the whitelist, the black list or the secure element logic was not tampered with during transmission or not transmitted from the untrusted device; and
      
      transmitting an error code back across the unsecure path upon determination the at least one of the whitelist, the black list or the secure element logic was tampered with during transmission or transmitted from the untrusted device.
  - 16. The method of claim 15, wherein the cryptographic verification is performed using a public key of a trusted device.
  - 17. The method of claim 10, wherein the flashing of the execution image of the electronic control unit, further comprises:
    - cryptographically verifying that the execution image was not tampered with during transmission or transmitted from an untrusted device;
      
      transmitting the execution image to the electronic control unit for flashing upon determination the execution image was not tampered with during transmission or not transmitted from the untrusted device; and
      
      transmitting an error code back across the unsecure path upon determination the execution image was tampered with during transmission or transmitted from the untrusted device.
  - 18. The secure element of claim 17, wherein the cryptographic verification is performed using a public key of a trusted device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Samsung Electronics Co. Ltd.
Original Assignee
Samsung Electronics Co. Ltd.
Inventors
NING, Peng, MCLAUGHLIN, Stephen E., GRACE, Michael C., AZAB, Ahmed M., BHUTKAR, Rohan, SHEN, Wenbo, CHEN, Xun, CHOI, Yong, CHEN, Ken

Granted Patent

US 10,402,561 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/51   at application loading time...

G06F 21/57   Certifying or maintaining t...

G06F 21/602   Providing cryptographic fac...

G06F 21/64   Protecting data integrity, ...

G06F 21/85   interconnection devices, e....

G06F 2221/034   Test or assess a computer o...

G07C 5/0808   Diagnosing performance data...

APPARATUS AND METHOD FOR PROTECTION OF CRITICAL EMBEDDED SYSTEM COMPONENTS VIA HARDWARE-ISOLATED SECURE ELEMENT-BASED MONITOR

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

APPARATUS AND METHOD FOR PROTECTION OF CRITICAL EMBEDDED SYSTEM COMPONENTS VIA HARDWARE-ISOLATED SECURE ELEMENT-BASED MONITOR

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links