Hitchhiker's Guide to Automotive Container Security using eBPF

The trend of virtualization and containerization, known from cloud technologies, is now being introduced into vehicles. The need for complex and feature-rich software, as well as the mandatory requirement for over-the-air updates, promotes the development of cloud trends in the embedded sector. The Software Defined Vehicle (SDV) aims to simplify the internal electrical and electronic architecture: several dedicated ECUs are consolidated into central high-performance computers (HPC), hosting different functions in software. Major players from the cloud sector, such as RedHat, Canonical, or SUSE, have entered the field of Linux and containers within the vehicle (Device Edge).

Will the Jeep Hack repeat - but this time using containers? How can it be prevented that the next generation of seat-heating apps don’t manipulate the safety critical self-driving features? What are the attack scenarios in software-defined networks and on-board interfaces such as a SPI bus? This talk explores the internals of container security on embedded platforms and how eBPF can contribute to security.

This talk presents the internals of embedded containers in the automotive domain and introduces the most prevalent engineering challenges in terms of security. The focus lies on automotive protocols, such as the CAN bus, and on-board interfaces such as SPI. Emphasis is put on attack scenarios and how eBPF programs can be employed for defense. The technology details are explained hands-on and include background theory of container security.