Security Is the Core of Automotive Systems
- Source: 汽车观察
- Keywords: automotive systems, automobiles
- Published: 2015-07-01 14:47
In the past, access to the CAN bus required physical access to the car: if you couldn't get to the car, you couldn't get at the CAN bus. With connected cars, however, we are already seeing examples where the CAN bus can be attacked remotely. The security threat for cars has moved to a new level, and it is only going to get worse.
Car manufacturers are adding more software to cars: mechanical meters and gauges are being replaced by LCD panels and software, and information is being integrated across the information cluster and the infotainment units. All this software placed between the car and the driver creates new vulnerabilities, whereby a security breach could be used to deceive and trick drivers. External parties such as governments, service providers and insurance companies want to create applications for cars, and this will create new security concerns. Adding more functionality makes systems more complex and more vulnerable.
On the desktop we are already very familiar with malware and attacks on our information, privacy and infrastructure. As cars are getting more connected and software driven, the same can be expected to happen in the automotive world. Malicious attacks are inevitable and must be anticipated and taken into account as part of the system design.
How to design reliable and secure computing for connected cars
Software security is not a feature. It cannot be added or plugged into a system after the system has been designed; security has to be built in at the very core of a system. The key concepts in software security are the architecture and the design process. One approach to security is to physically isolate separate systems, but as the demand for computing in the car increases it becomes very expensive to keep adding separate devices and maintaining the different systems. When implemented as part of the core security architecture, on the other hand, virtualization is a cost-efficient way of isolating separate systems. An example of this is the ARM platform's TrustZone, which provides hardware-level security with software flexibility. TrustZone is a small operating system that is built onto the processor and is completely isolated from attack. By running virtualization on top of TrustZone you can isolate the different software systems from one another.
Understanding connectivity in cars
Cars will have two types of connections: the Internet and V2X. The Internet is too unreliable and too slow for mission-critical vehicle-to-vehicle and vehicle-to-infrastructure communication. Vehicle-to-Vehicle (V2V) and Vehicle-to-Infrastructure (V2I) connectivity is being introduced to cars to enhance safety by sharing information between cars and the surrounding infrastructure. Beyond increased safety, V2X connectivity paves the way for autonomous vehicles. The U.S. Department of Transportation (DoT) and the U.S. National Highway Traffic Safety Administration (NHTSA) have set out a timeline mandating the introduction of V2X connectivity in vehicles in the US. The European Union is also working on its plan to mandate V2I applications.
At the same time, connected consumer applications such as music and video streaming are becoming more and more common in car infotainment systems, and cars are being designed with pre-installed Internet connectivity options. While attractive to consumers, this trend opens up new security risks, especially as the embedded systems offering these functions are consolidated onto shared hardware. Therefore, an important requirement in the design of any comprehensive information system for cars is to ensure isolation between Internet-connected applications and V2X connectivity. A vulnerability in an Internet-connected application must not compromise the security of the V2X connections.
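The two design points above, isolating software systems from one another (the virtualization section) and keeping Internet-connected applications away from the V2X stack (this section), can be illustrated with a toy inter-partition reference monitor. The following Python is an added example written for this article, not code from the article or from any hypervisor or TrustZone product; the partition names, the allow-list of flows, the topics and the payload limit are all constructed assumptions. It models a hypervisor-style message router that delivers only explicitly allowed flows, so a compromised infotainment partition cannot reach the V2X or vehicle partitions at all, and even allowed flows are refused when they break the interface contract.

```python
"""Added illustration of partition isolation for a connected-car design.

Constructed assumptions: four partitions, an allow-list of (source, destination,
topic) flows, and a maximum payload size for cross-partition messages.
"""
from dataclasses import dataclass, field
from enum import Enum


class Domain(Enum):
    INTERNET = "internet"  # infotainment apps with Internet access (least trusted)
    V2X = "v2x"            # vehicle-to-vehicle / vehicle-to-infrastructure stack
    VEHICLE = "vehicle"    # gateway towards the in-vehicle network
    SECURE = "secure"      # isolated secure world holding the V2X signing keys


@dataclass
class Message:
    src: Domain
    dst: Domain
    topic: str
    payload: bytes


# Allow-list of (source, destination, topic). Anything not listed is denied.
# Flows run from the more trusted side towards the less trusted side (the V2X
# stack may publish a display-only hazard notice to infotainment); nothing
# from the Internet-facing partition is allowed to enter V2X or the vehicle.
ALLOWED_FLOWS = {
    (Domain.V2X, Domain.INTERNET, "hazard_notice"),
    (Domain.V2X, Domain.VEHICLE, "collision_warning"),
    (Domain.V2X, Domain.SECURE, "sign_request"),
    (Domain.SECURE, Domain.V2X, "signature"),
}

MAX_PAYLOAD = 256  # bytes; constructed limit for the inter-partition channel


@dataclass
class Monitor:
    """Routes messages between partitions and records every decision."""
    audit: list = field(default_factory=list)

    def route(self, msg: Message) -> bool:
        """Return True if the message is delivered, False if it is blocked."""
        flow = f"{msg.src.value}->{msg.dst.value} {msg.topic}"
        if (msg.src, msg.dst, msg.topic) not in ALLOWED_FLOWS:
            self.audit.append(f"DENY {flow}: no policy for this flow")
            return False
        if len(msg.payload) > MAX_PAYLOAD:
            self.audit.append(f"DENY {flow}: oversize payload ({len(msg.payload)} bytes)")
            return False
        self.audit.append(f"ALLOW {flow}: {len(msg.payload)} bytes")
        return True


def simulate():
    """Run a few constructed messages through the monitor and return the outcomes."""
    monitor = Monitor()
    results = {}
    # Legitimate flow: the V2X stack asks the secure world to sign a beacon.
    results["sign_request"] = monitor.route(
        Message(Domain.V2X, Domain.SECURE, "sign_request", b"beacon-to-sign"))
    # Infotainment partition (assume it has been compromised) tries to push
    # its own beacon into the V2X stack: no such flow exists, so it is denied.
    results["injection"] = monitor.route(
        Message(Domain.INTERNET, Domain.V2X, "beacon", b"forged"))
    # The same partition tries the vehicle gateway with an otherwise valid topic.
    results["can_write"] = monitor.route(
        Message(Domain.INTERNET, Domain.VEHICLE, "collision_warning", b"stop"))
    # Even an allowed flow is refused when it violates the interface contract.
    results["oversize"] = monitor.route(
        Message(Domain.V2X, Domain.INTERNET, "hazard_notice", b"x" * 1000))
    return results, monitor.audit


if __name__ == "__main__":
    outcomes, log = simulate()
    for line in log:
        print(line)
```

The point of the allow-list is that isolation is the default: the infotainment partition is never granted a path into V2X, so a vulnerability there ends at the partition boundary, and the audit trail records every attempted crossing for detection.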
Car manufacturer and software cultures clash
The car manufacturers' business is very different from the consumer-driven smartphone world. In the car manufacturers' world the focus is on cost-efficiency, liability and long product cycles. Most software companies have no experience of the automotive industry. Traditionally, car manufacturers sourced their IVI (in-vehicle infotainment) systems, like any other part, from their regular tier-1 suppliers. However, tier-1 suppliers do not have the computer hardware and software know-how to design and maintain these complex systems. Car manufacturers, tier-1 suppliers and software companies all face a challenge in meeting next-generation car computing requirements. Maybe now is the time to re-think the car computing value chain.
