Computer aided design of a firmware flashing protocol for vehicular on-board networks

Vehicular On-Board Networks consist of up to 70 electronic control units (ECUs) interconnected by buses and gateways and organized within domains with different trust levels. This paper describes how the design of a protocol for deploying a new firmware onto various vehicular ECUs might be automated. In particular, such a protocol should prevent attacks to the firmware update process and make sure that no malicious firmware is actually installed in place of a regular firmware update, despite the fact that it may be sent through insecure domains. Designing security protocols for ECU communication in such architectures can become quite complex and error-prone, especially given the computational and deployment constraints that apply in the domain. This paper discusses how the protocol designer might receive some help in exploring fundamental design decisions based on the systematic review of alternative security architectures and potential threats.