The set of requirements listed here describes the security needs of an IVI product at system level. They are intended to be applied to a product based on the "GENIVI software platform".
Data categories are based on the persistency definitions:
- User: user-specific data
- Application: application-specific data (neither shared within a group nor public)
- Shared: data shared within a group, or public data
Data stored in, received by or sent by a GENIVI product shall be classified into the following categories:
- Node: data needed by a GENIVI node to support its functional requirements (not user related); coding parameters (downloaded by a diagnosis tool) are included in this category
- User: data attached to a user (e.g. settings, last address, last user context, ...)
- Application: data specific to an application (e.g. configuration)
Connected units classification
External electronic units connected to the system (wired or wireless) shall be classified into the following categories:
- Automotive ECU: units linked through an automotive network and integrated in the car
- Devices: consumer electronics (CE) devices such as phones, USB sticks, ...
- Servers: back-office servers
A functionality offered to applications through a GENIVI platform, whether embedded or provided by servers, is called a service (e.g. radio, media playback, ...).
Confidential data are all data strictly attached to a user or a company and related to payment, commercial services, privacy or system assets. This kind of data includes authentication secrets.
A least-privilege strategy shall be applied to the system. Access to services, data and connections shall be granted strictly as needed, at design or installation time.
Node data access control
Stored node data shall be accessed, modified or deleted only by authorized software components, users and units.
User data access control
User data stored in the system shall be accessed, modified or deleted only by authorized users, applications and software components.
Confidential user data access control
Confidential user data shall be accessed or modified only by its owner.
Application data access control
Application data stored in the system shall be accessed, modified or deleted only by authorized applications or users.
Node data integrity
Node data shall be protected against intentional corruption (e.g. of the configuration or the clock).
User data integrity
User data shall be protected against intentional corruption.
Application data integrity
Application data shall be protected against intentional corruption.
Protection of confidential data in the system
Confidential data (e.g. connection credentials) shall be stored in the system in a secure way. The minimum level of protection shall be software encryption, even where no secured storage is available. Software encryption alone only raises the bar, since the decryption key then resides on the same device; hardware-backed secured storage should be used wherever the platform provides it.
Temporary data deletion
All temporarily stored data shall be erased from the system once it is no longer valid (user change, application stopped or removed, ...).
Temporary external device data deletion
All user and node data from an external device that is stored temporarily in the system shall be erased when the device is disconnected.
Device connection authorizations
Connection of an external device shall be monitored and authenticated, and rights shall be granted according to its authorizations. A user may validate a device before connection in order to grant it additional rights.
Integrity and origin of data exchanged with an external device
The integrity and origin of data exchanged with an external device should be verified to prevent tampering and replay. When verification fails, the data shall not be processed.
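As an added example (not part of the GENIVI requirements or any GENIVI code), the receiver-side check described above, written in Go with only the standard library. It assumes a constructed frame format (an 8-byte counter, the payload, then an HMAC-SHA256 tag over both) and a per-device key established at pairing, which is outside the example; the key, payloads and frame layout are all made up for illustration. The tag covers the counter, so a frame whose counter is not strictly newer than the last accepted one is rejected as a replay, and a frame that fails the tag check is rejected as tampered or of unknown origin. In both cases nothing is processed and the session state is left untouched.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Frame layout (constructed for this example): 8-byte big-endian counter,
// payload, then a 32-byte HMAC-SHA256 tag over counter||payload.
const (
	frameHdrLen = 8
	frameTagLen = sha256.Size
)

var (
	ErrFrameMalformed = errors.New("frame too short")
	ErrFrameBadTag    = errors.New("tag mismatch: tampered or unknown origin")
	ErrFrameReplay    = errors.New("counter not fresh: replay or reordering")
)

// BuildFrame is the sender side. Counters start at 1 and must never be reused
// under the same key.
func BuildFrame(key []byte, counter uint64, payload []byte) []byte {
	frame := make([]byte, frameHdrLen, frameHdrLen+len(payload)+frameTagLen)
	binary.BigEndian.PutUint64(frame, counter)
	frame = append(frame, payload...)
	mac := hmac.New(sha256.New, key)
	mac.Write(frame)
	return mac.Sum(frame) // appends the tag to the frame
}

// DeviceSession is the receiver-side state kept per paired device: the shared
// key (assumed to be established at pairing, outside this example) and the
// highest counter accepted so far.
type DeviceSession struct {
	key         []byte
	lastCounter uint64
}

func NewDeviceSession(key []byte) *DeviceSession {
	return &DeviceSession{key: key}
}

// Accept returns the payload only if the tag verifies under the session key and
// the counter is strictly greater than the last accepted one. On any failure the
// frame is dropped and no state changes, as the requirement demands.
func (s *DeviceSession) Accept(frame []byte) ([]byte, error) {
	if len(frame) < frameHdrLen+frameTagLen {
		return nil, ErrFrameMalformed
	}
	signed, tag := frame[:len(frame)-frameTagLen], frame[len(frame)-frameTagLen:]
	mac := hmac.New(sha256.New, s.key)
	mac.Write(signed)
	// hmac.Equal is constant-time, so a forger learns nothing from timing.
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, ErrFrameBadTag
	}
	counter := binary.BigEndian.Uint64(signed[:frameHdrLen])
	if counter <= s.lastCounter {
		return nil, ErrFrameReplay
	}
	s.lastCounter = counter
	return append([]byte(nil), signed[frameHdrLen:]...), nil
}

func main() {
	key := []byte("example-pairing-key-32-bytes-long!") // constructed, not a real key
	session := NewDeviceSession(key)
	first := BuildFrame(key, 1, []byte("PLAY track=3"))

	report := func(name string, frame []byte) {
		payload, err := session.Accept(frame)
		fmt.Printf("%-9s payload=%q err=%v\n", name, payload, err)
	}
	report("genuine", first)
	report("replayed", first)
	tampered := append([]byte(nil), first...)
	tampered[frameHdrLen] ^= 0x01 // flip one bit of the payload
	report("tampered", tampered)
	report("next", BuildFrame(key, 2, []byte("STOP")))
}
```

A strictly increasing counter is enough for a single ordered link; for a device that can reconnect, the receiver must persist the last counter (or renegotiate a fresh key at each connection), otherwise frames captured during the previous session become valid again.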
Confidentiality of data exchanged with an external device
Confidential data exchanged with an external device should be protected from being read by third parties.
Server connection authorizations
Connections to and from external servers shall be monitored and authenticated, and rights shall be granted according to the server's authorizations.
Integrity and source of data exchanges with servers
The system shall implement and use protocols that protect external exchanges with servers from spoofing, tampering and replay.
Confidentiality of exchanges with servers
The system shall implement and use protocols that protect external exchanges of confidential data with servers from being read by third parties.
Services discovery and access authorizations
Only authorized users and applications shall be able to discover and access services.
Diagnosis services access policy
Access to diagnosis functionalities shall be restricted to authorized users, applications and devices.
The system shall filter incoming and outgoing data traffic according to a policy.
Input and output confidentiality
The user shall be notified when an input or output (e.g. the microphone) is used without any request from them.
A least-privilege strategy shall be applied to the system: by default, software components shall have no access to the services offered by the platform. Access rights are granted at installation.
Integrity and authenticity of an update shall be verified before installation.
Content of an update should not be readable by third parties.
The system shall not allow a version downgrade after a successful installation.
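As an added example (not part of the GENIVI requirements or any GENIVI code), an update verifier in Go, standard library only, that applies the three requirements above in order: the manifest signature must verify under the vendor's pinned public key (authenticity), the image hash must match the signed manifest (integrity), and the version must be strictly newer than the installed one (no downgrade). The manifest format (a version number plus a SHA-256 image digest), the Ed25519 key pair, the images and the installer API are all constructed for this illustration; a real product would pin the vendor key in the boot chain and keep the installed version in tamper-resistant storage. Reinstalling the same version is also refused here, which is a design choice rather than something the requirement states.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

var (
	ErrUpdateSignature = errors.New("update rejected: manifest signature does not verify")
	ErrUpdateDigest    = errors.New("update rejected: image digest does not match manifest")
	ErrUpdateDowngrade = errors.New("update rejected: version is not newer than the installed one")
)

// Manifest is the signed description of an update package (constructed format:
// a monotonically increasing version and the SHA-256 of the image).
type Manifest struct {
	Version     uint32
	ImageDigest [sha256.Size]byte
}

func NewManifest(version uint32, image []byte) Manifest {
	return Manifest{Version: version, ImageDigest: sha256.Sum256(image)}
}

func (m Manifest) encode() []byte {
	buf := make([]byte, 4, 4+sha256.Size)
	binary.BigEndian.PutUint32(buf, m.Version)
	return append(buf, m.ImageDigest[:]...)
}

// GenerateVendorKey stands in for the vendor's signing key; in production the
// private half stays in the build infrastructure and never reaches the vehicle.
func GenerateVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.encode())
}

// Installer holds the pinned vendor public key and the installed version,
// which in production lives in tamper-resistant storage.
type Installer struct {
	vendorPub        ed25519.PublicKey
	installedVersion uint32
}

func NewInstaller(vendorPub ed25519.PublicKey, installedVersion uint32) *Installer {
	return &Installer{vendorPub: vendorPub, installedVersion: installedVersion}
}

// VerifyUpdate checks, in this order, authenticity of the manifest, integrity of
// the image against the manifest, and that the version is strictly newer.
func (in *Installer) VerifyUpdate(m Manifest, sig, image []byte) error {
	if !ed25519.Verify(in.vendorPub, m.encode(), sig) {
		return ErrUpdateSignature
	}
	if sha256.Sum256(image) != m.ImageDigest {
		return ErrUpdateDigest
	}
	if m.Version <= in.installedVersion {
		return ErrUpdateDowngrade
	}
	return nil
}

// Install verifies and, only on success, advances the installed version so a
// later attempt to reinstall an older (possibly vulnerable) image is refused.
func (in *Installer) Install(m Manifest, sig, image []byte) error {
	if err := in.VerifyUpdate(m, sig, image); err != nil {
		return err
	}
	in.installedVersion = m.Version
	return nil
}

func (in *Installer) InstalledVersion() uint32 { return in.installedVersion }

func main() {
	pub, priv := GenerateVendorKey()
	installer := NewInstaller(pub, 1)
	image := []byte("constructed update image v2")
	m := NewManifest(2, image)
	sig := SignManifest(priv, m)
	fmt.Println("v2 genuine:", installer.Install(m, sig, image))
	fmt.Println("v2 again:  ", installer.Install(m, sig, image))
	old := NewManifest(1, []byte("old image"))
	fmt.Println("downgrade: ", installer.Install(old, SignManifest(priv, old), []byte("old image")))
	fmt.Println("tampered:  ", installer.Install(m, sig, []byte("constructed update image v2!")))
	_, rogue := GenerateVendorKey()
	fmt.Println("rogue key: ", installer.Install(m, SignManifest(rogue, m), image))
}
```

The order of the checks matters: the version is read from the manifest only after the signature has verified, so an attacker cannot drive the anti-rollback logic with an unsigned manifest, and the installed version is advanced only after every check has passed.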
Authorization to launch applications or services
Applications and services shall be started by the system.
Network access security
Only authorized applications, users and components shall be able to send or receive data on networks (CAN, Ethernet, ...).
Integrity and source of data exchanges on automotive network
The system should implement and use protocols that protect exchanges on automotive networks from spoofing, tampering and replay.
Confidentiality of exchanges on automotive network
The system should implement and use protocols that protect exchanges of confidential data on automotive networks from being read by third parties.
Third-party add-on integrity at runtime
Components not delivered as part of a system upgrade shall be launched in a protected context (segregation), so that a crash in such a component does not compromise system integrity or overall performance.
Each component shall verify data freshness: data that is not up to date shall not be processed, and a notification shall be raised.
Debug ports shall be removed or protected during each phase of the product lifecycle.
Communication denial of service
Exchanges between the system and an external party shall not be disrupted by malicious activity inside the system.
Resource and performance denial of service
Feature performance should not be impacted by malicious activity inside the system.
Non-repudiation of services
Use of the services provided by the system should not be repudiable by the parties involved (non-repudiation).
The system shall respect applicable copyright laws and not allow illegal duplication.