Implementation of a SOME/IP Firewall with Deep Packet Inspection for automotive use-cases
Zorman, Eva (2024-06-09)
The publication is subject to copyright regulations. The work may be read and printed for personal use. Use for commercial purposes is prohibited.
open
The permanent address of the publication is:
https://urn.fi/URN:NBN:fi-fe2024062056010
Abstract
As in-vehicle networks steadily move towards replacing the traditional and still dominant Controller Area Network (CAN) protocol, the Scalable service-Oriented MiddlewarE over IP (SOME/IP) comes into focus with its speed and reliability for transferring control-level messages. The SOME/IP protocol must be adequately protected, otherwise the safety of the whole system can be endangered. However, SOME/IP still has known vulnerabilities, such as the lack of built-in authentication or encryption. This thesis aims to improve the security of the SOME/IP protocol by developing, implementing, and evaluating a SOME/IP firewall tailored for embedded automotive communication systems. The study involves implementing rule-based security measures that use SOME/IP header values to control and restrict access, alongside the development of a deep packet inspection mechanism for basic payload validation. Performance and resource requirements are evaluated on a Raspberry Pi 4 Model B, used to emulate the smaller ECUs found in a vehicular environment. This work bridges a gap in the literature by introducing an alternative approach to securing SOME/IP data transmission without the full CommonAPI framework: it proposes a novel SOME/IP firewall solution and provides insights into its performance and effectiveness for embedded use. The basic packet-parsing results, which introduce a delay in the range of 0.03 ms to 0.15 ms, demonstrate the feasibility and potential of the proposed firewall for enhancing security in automotive communication systems. Further research is suggested to validate and analyse the resource constraints of a fully functional SOME/IP firewall with support for deep packet inspection of any data type in an actual production environment.
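To make the two mechanisms the abstract describes concrete, the following is an added example of the same idea: a parser for the 16-byte SOME/IP header, an allowlist keyed on header fields (service ID, method ID, message type), and per-method payload validators as a minimal form of deep packet inspection. This is illustrative code written for this page, not the thesis's firewall implementation. The header layout, protocol version and message-type values follow the SOME/IP protocol specification; the service and method IDs, the payload formats, the limits in the validators and the sample datagrams are hypothetical and constructed here.

```python
import struct
from dataclasses import dataclass
from typing import Callable

# Header layout and message-type values follow the SOME/IP protocol specification.
# Everything under "rules" and "validators" (service/method IDs, payload formats,
# limits) is a hypothetical configuration for this example, not the thesis's.
HEADER_FMT = ">HHIHHBBBB"            # service, method, length, client, session,
HEADER_LEN = struct.calcsize(HEADER_FMT)  # proto, iface, msg type, return code = 16 B
PROTOCOL_VERSION = 0x01

MSG_REQUEST = 0x00
MSG_REQUEST_NO_RETURN = 0x01
MSG_NOTIFICATION = 0x02
MSG_RESPONSE = 0x80
MSG_ERROR = 0x81
TP_FLAG = 0x20                       # set on SOME/IP-TP segments


@dataclass(frozen=True)
class SomeIpHeader:
    service_id: int
    method_id: int
    length: int        # bytes after the Length field: 8 header bytes + payload
    client_id: int
    session_id: int
    protocol_version: int
    interface_version: int
    message_type: int
    return_code: int


class ParseError(ValueError):
    """Header is malformed or inconsistent with the datagram it arrived in."""


def parse_header(packet: bytes) -> tuple[SomeIpHeader, bytes]:
    if len(packet) < HEADER_LEN:
        raise ParseError("datagram shorter than SOME/IP header")
    hdr = SomeIpHeader(*struct.unpack(HEADER_FMT, packet[:HEADER_LEN]))
    if hdr.protocol_version != PROTOCOL_VERSION:
        raise ParseError(f"unsupported protocol version 0x{hdr.protocol_version:02x}")
    # Length must equal the bytes actually on the wire after the Length field;
    # trusting the field alone lets a crafted value desynchronise the parser.
    if hdr.length != len(packet) - 8:
        raise ParseError(f"length field {hdr.length} != {len(packet) - 8} bytes on the wire")
    return hdr, packet[HEADER_LEN:]


# Rule set (hypothetical): which (service, method, message type) triples may pass.
ALLOW_RULES: frozenset[tuple[int, int, int]] = frozenset({
    (0x1234, 0x0421, MSG_REQUEST),        # SetTargetSpeed request
    (0x1234, 0x0421, MSG_RESPONSE),       # ... and its response
    (0x1234, 0x8005, MSG_NOTIFICATION),   # SpeedChanged event
})


def _validate_set_speed(payload: bytes) -> bool:
    # Hypothetical format: uint16 target speed (km/h); reject implausible values.
    if len(payload) != 2:
        return False
    (speed,) = struct.unpack(">H", payload)
    return speed <= 250


def _validate_speed_event(payload: bytes) -> bool:
    # Hypothetical format: uint16 speed followed by uint8 gear (0..8).
    if len(payload) != 3:
        return False
    speed, gear = struct.unpack(">HB", payload)
    return speed <= 250 and gear <= 8


# Deep packet inspection: payload validators for request/notification payloads.
PAYLOAD_VALIDATORS: dict[tuple[int, int], Callable[[bytes], bool]] = {
    (0x1234, 0x0421): _validate_set_speed,
    (0x1234, 0x8005): _validate_speed_event,
}


def inspect(packet: bytes, rules=ALLOW_RULES, validators=PAYLOAD_VALIDATORS) -> tuple[str, str]:
    """Return ("ACCEPT", reason) or ("DROP", reason) for one datagram."""
    try:
        hdr, payload = parse_header(packet)
    except ParseError as exc:
        return "DROP", f"malformed header: {exc}"
    if hdr.message_type & TP_FLAG:
        # A segmented payload cannot be validated without reassembly; refuse it.
        return "DROP", "SOME/IP-TP segment not supported"
    if (hdr.service_id, hdr.method_id, hdr.message_type) not in rules:
        return "DROP", (f"no rule for service 0x{hdr.service_id:04x} "
                        f"method 0x{hdr.method_id:04x} type 0x{hdr.message_type:02x}")
    validator = validators.get((hdr.service_id, hdr.method_id))
    if validator and hdr.message_type in (MSG_REQUEST, MSG_REQUEST_NO_RETURN, MSG_NOTIFICATION):
        if not validator(payload):
            return "DROP", "payload failed deep inspection"
    return "ACCEPT", "header rule and payload check passed"


def build_packet(service: int, method: int, msg_type: int, payload: bytes,
                 client: int = 1, session: int = 1, iface: int = 1, ret: int = 0) -> bytes:
    """Assemble a datagram with a consistent Length field (for the constructed samples)."""
    return struct.pack(HEADER_FMT, service, method, 8 + len(payload), client, session,
                       PROTOCOL_VERSION, iface, msg_type, ret) + payload


# Constructed sample traffic for this example, not captured from a vehicle.
SAMPLES = {
    "valid_request": build_packet(0x1234, 0x0421, MSG_REQUEST, struct.pack(">H", 120)),
    "overspeed_request": build_packet(0x1234, 0x0421, MSG_REQUEST, struct.pack(">H", 900)),
    "unknown_method": build_packet(0x1234, 0x0999, MSG_REQUEST, b""),
    "valid_event": build_packet(0x1234, 0x8005, MSG_NOTIFICATION, struct.pack(">HB", 60, 3)),
    "bad_length": build_packet(0x1234, 0x0421, MSG_REQUEST, struct.pack(">H", 120))[:-1],
    "tp_segment": build_packet(0x1234, 0x0421, MSG_REQUEST | TP_FLAG, b"\x00" * 4),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        verdict, reason = inspect(pkt)
        print(f"{name:18} {verdict:6} {reason}")
```

The ordering matters for an embedded deployment: the header consistency checks and the allowlist lookup are cheap and run first, so only traffic that is already permitted by its header fields pays for payload inspection. Responses are deliberately left to the header rule alone here; validating them would need a separate per-method format table.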