CYBERSECURITY IN AUTOMOTIVE

DPI and Firewalls in AUTOSAR Architecture: A Modern Approach to Vehicle Network Security

This article is part of a series dedicated to the topic of cybersecurity in the automotive industry, prepared by Krzysztof Labuda. 



What is DPI and how does it work in vehicles?

In this final part of the series, to stay consistent with the previous entries and refer back to them, I will describe the system-level approach to firewalls used in vehicles, along with one of the most advanced technologies that can be integrated with them, Deep Packet Inspection (DPI), and other related solutions.

AUTOSAR Architecture and Network Security

The AUTOSAR proposal for firewall support is presented as follows:

AUTOSAR firewall support diagram – shows firewall types and use cases.

Source: https://www.autosar.org/fileadmin/standards/R22-11/FO/AUTOSAR_RS_Firewall.pdf, p. 5

Use Cases for DPI and Firewalls in Automotive Systems

Proposed use cases by AUTOSAR:

  1. Stateless filtering.
  2. Stateful filtering.
  3. Deep Packet Inspection (DPI).
  4. Standardization of filtering rules.
  5. Configuration updates (via manifest file or runtime control through coupled/dedicated API) as part of the IPS system.
  6. Reporting of security events.

Modern implementations may include:

Unified Threat Management (UTM): UTM devices integrate multiple security features—including firewall, DPI, antivirus, and intrusion detection/prevention—on a single platform. DPI enhances the ability of UTM solutions to detect and block sophisticated threats.

Next Generation Firewalls (NGFWs): These combine traditional firewall functionalities with DPI, intrusion prevention systems (IPS), and other advanced security mechanisms. They provide granular control and enhanced protection against modern threats by analyzing network traffic content.

Stateful Packet Inspection (SPI)

Stateful Packet Inspection is a multi-layered and dynamic approach. Stateless packet filters can only inspect headers, while stateful filters track connection states using a state table. For example, with the TCP protocol, packets are analyzed based on TCP flags, which makes it possible to tell whether a packet is part of an existing connection or the start of a new one. This approach effectively detects DoS attacks such as SYN flooding or ACK storms, which involve sending spoofed TCP segments.
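The state-table logic described above, as an added example (not code from AUTOSAR or from this article's author): a minimal Python filter that follows the TCP handshake per flow and caps half-open connections per destination. Assumptions: the class name, the limit, the addresses and the port are made up for illustration, and state entries do not expire.

```python
# Added example: names, limit and sample values are assumptions for illustration.
SYN, ACK, FIN, RST = 0x02, 0x10, 0x01, 0x04      # TCP header flag bits

class StatefulFilter:
    def __init__(self, max_half_open=3):
        self.max_half_open = max_half_open       # assumed per-destination limit
        self.table = {}                          # initiator flow -> state

    def _half_open(self, dst, dport):
        # Count handshakes toward dst:dport that have not completed yet.
        return sum(1 for (_, _, d, p), st in self.table.items()
                   if (d, p) == (dst, dport) and st != "ESTABLISHED")

    def inspect(self, src, sport, dst, dport, flags):
        flow, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        key = flow if flow in self.table else rev if rev in self.table else None
        if key is None:
            # No state yet: only a bare SYN may open a connection.
            if (flags & (SYN | ACK | FIN | RST)) != SYN:
                return "DROP", "no matching connection"
            if self._half_open(dst, dport) >= self.max_half_open:
                return "DROP", "half-open limit reached (possible SYN flood)"
            self.table[flow] = "SYN_SENT"
            return "ACCEPT", "new connection"
        state, from_initiator = self.table[key], key == flow
        if flags & RST:
            del self.table[key]
            return "ACCEPT", "reset, state removed"
        if state == "SYN_SENT" and not from_initiator and flags & SYN and flags & ACK:
            self.table[key] = "SYN_RCVD"
            return "ACCEPT", "SYN+ACK from responder"
        if state == "SYN_RCVD" and from_initiator and flags & ACK and not flags & SYN:
            self.table[key] = "ESTABLISHED"
            return "ACCEPT", "handshake complete"
        if state == "ESTABLISHED" and not flags & SYN:
            if flags & FIN:
                del self.table[key]              # simplified teardown
            return "ACCEPT", "established"
        return "DROP", "flags invalid in state " + state

def run_constructed_trace():
    fw = StatefulFilter(max_half_open=2)
    tester, ecu = ("10.0.0.1", 40000), ("10.0.0.20", 5000)   # constructed endpoints
    trace = [(*tester, *ecu, SYN), (*ecu, *tester, SYN | ACK), (*tester, *ecu, ACK),
             ("10.0.0.99", 5555, *ecu, ACK)]                 # last one has no state
    trace += [(f"10.0.9.{i}", 1024, *ecu, SYN) for i in (1, 2, 3)]  # spoofed SYNs
    return [fw.inspect(*pkt)[0] for pkt in trace]
```

A stateless header filter would pass the stray ACK and the third spoofed SYN, since both carry valid headers; only the state table shows that neither belongs to an acceptable connection.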

Deep Packet Inspection (DPI)

DPI can be used in automotive networks to enhance security by analyzing packets exchanged between electronic control units (ECUs) and external networks. This helps identify and mitigate potential threats such as malware, unauthorized access, and data manipulation.

Intrusion Detection and Prevention Systems (IDPS)

DPI can be integrated with IDPS (covered in the third part of this series) to monitor network traffic for signs of malicious activity. By analyzing packet content, DPI can detect and prevent attacks.

Although DPI is not yet widely adopted in the automotive sector, efforts are underway to integrate it more broadly. The AUTOSAR (AUTomotive Open System ARchitecture) standard provides a unified software architecture for ECUs. While AUTOSAR does not explicitly require DPI, it supports it as a use case at the architectural level. For instance, the Secure Onboard Communication (SecOC) module—discussed in the fourth part of this series—can be complemented by DPI to enhance security.

Example Applications of DPI:

  • Vehicle Network Edge Security: In-vehicle gateways can use DPI to filter inbound and outbound traffic, ensuring that only secure and approved data passes through.
  • Telematics and Infotainment Security: DPI can detect malicious content in data packets sent to and from these systems, protecting them from potential attacks.
  • Over-the-Air (OTA) Updates: DPI can verify the integrity and authenticity of OTA update packages before they are applied to the vehicle’s ECUs.
  • Vehicle-to-Everything (V2X) Communication: DPI can analyze data exchanged between vehicles, infrastructure, and other entities to detect and prevent security threats.

It is worth noting that one of the proposed firewall use cases is the reporting of security events (SEv). A firewall can generate alerts for incidents, which are forwarded to the IdsM module and then to the Security Operations Center (SOC). Based on this data, firewall rules can be dynamically updated via FOTA, and preventive actions can be taken against intrusions. This demonstrates the interoperability and system-level approach promoted by AUTOSAR.

To further illustrate the use case of configuration updates, the diagram below shows the range of firewall rules that can be configured.

Configurable firewall rules chart – illustrates the scope of configurable firewall rules in automotive systems.

Source: https://www.autosar.org/fileadmin/standards/R22-11/FO/AUTOSAR_RS_Firewall.pdf, p. 11

Challenges of DPI in Automotive Networks:

AUTOSAR documentation (e.g., Utilization of Crypto Services AUTOSAR CP R20-11) specifies how cryptographic functions should be used. The Crypto Stack consists of three primary components:

Crypto Service Manager (CSM)
Acts as an intermediary between the application software and the cryptographic hardware or software modules. It provides APIs for operations such as encryption, decryption, digital signatures, and hashing. It’s important to note that without low-level cryptographic methods (cryptographic primitives), it’s impossible to build systems supporting, for example, PKI (Public Key Infrastructure).

Hashing large datasets can be challenging, which is why incremental hashing is employed. This allows data to be hashed “in chunks,” eliminating the need to store the entire data stream in memory—an efficient and standard-compliant solution when using secure algorithms like SHA-2 or SHA-3.

Crypto Interfaces (CRYIF)
Provide standardized interfaces for applications and middleware. They facilitate integration and support common security mechanisms for communication (e.g., MAC, encryption), secure boot, and firmware updates.

Crypto Driver (CRYPTO)
Handles communication with cryptographic hardware, such as HSMs (Hardware Security Modules) or other dedicated chips. It introduces an abstraction layer that ensures a consistent interface for higher layers, regardless of the underlying hardware implementation.
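Incremental hashing as described under the Crypto Service Manager above, shown as an added example with Python's hashlib rather than the AUTOSAR Csm API (it is not code from AUTOSAR or from this article's author). The function names, the declared-length check and the sample data are assumptions.

```python
import hashlib
import hmac

def verify_stream(chunks, expected_hex, expected_len):
    """Hash data chunk by chunk; only the current chunk is held in memory."""
    h = hashlib.sha256()                 # SHA-2 family, as named in the text
    total = 0
    for chunk in chunks:
        total += len(chunk)
        if total > expected_len:         # more data than declared: reject early
            return False
        h.update(chunk)                  # incremental step
    # Truncated input fails the length check; modified input fails the digest.
    return total == expected_len and hmac.compare_digest(h.hexdigest(), expected_hex)

def chunked(data, size):
    """Yield successive blocks, standing in for data arriving in pieces."""
    for i in range(0, len(data), size):
        yield data[i:i + size]

# Constructed sample: 16 KiB of patterned bytes standing in for a large payload.
IMAGE = bytes(range(256)) * 64
EXPECTED = hashlib.sha256(IMAGE).hexdigest()
```

The digest does not depend on where the chunk boundaries fall, so the receiver can pick a chunk size that fits its buffer.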

Secure key storage and resistance to physical attacks

  • Performance Impact: DPI may introduce latency and processing overhead, which can negatively affect real-time automotive systems.
  • Scalability: Automotive networks can be complex, with numerous ECUs and communication channels. Ensuring DPI scales without compromising performance is critical.
  • Privacy Concerns: DPI involves inspecting packet content (at the upper OSI layers), raising potential legal and privacy issues. A balanced approach is necessary to ensure compliance with data protection regulations.

DPI holds significant potential to enhance the security of automotive networks by offering deep visibility into traffic and detecting malicious activity. Although not yet widely implemented, evolving standards like AUTOSAR pave the way for broader DPI adoption.

Is AUTOSAR Facilitating Firewall Integration?

In conclusion, it’s important to emphasize a fundamental truth about AUTOSAR proposals: while the described architecture may seem accessible, its implementation is a complex endeavor. Integrating the many layers and components specified by AUTOSAR is a major challenge for automotive engineers—both during development and especially during integration. Dozens, if not hundreds, of PDF documents and thousands of pages of technical specifications speak for themselves.



Author: Krzysztof Labuda,
Security Testing Consultant

A participant in the Certified Ethical Hacker CEH v11 program, which teaches the latest commercial-grade hacking tools, techniques, and methodologies used by hackers and information security professionals.