Vehicle system isolation

To ensure car system integrity, Android Automotive protects incoming data at these levels:

EVS System components

Figure 1. System Service Architecture

  • Apps. System verifies an app has permission to talk to Car subsystems.
  • Well-defined APIs. Generic APIs do not accept arbitrary data blobs (APIs must be well defined).
  • Car Service. Updates allowed only through OTA (or USB), with full-disk encryption and verified boot. Can't be sideloaded.
  • Vehicle HAL. Verifies specific messages are allowed.

Apps and APIs

Android Automotive is built on Android and interacts directly with numerous safety-critical subsystems. In addition, different vehicles may have different interfaces with different functionalities exposed to Android. To make these functionalities safe and streamlined, they are isolated in an abstraction layer, separate from the rest of Android. Only well-defined APIs with strict formatting on messages sent through in-vehicle networks can communicate with the Vehicle HAL. This provides a predictable interface for Android developers and provides a secure interaction with the rest of the vehicle.

Vehicle HAL messages are filtered at two levels:

  • App level. Non-system apps can access vehicle HAL through car service with proper permissions.
  • Vehicle HAL level. Allows for an additional layer of protection and assurance that messages sent to vehicle subsystems originate from a legitimate source. Can also be used to rate limit messages, preventing malicious apps from flooding the CAN bus and potentially interfering with vehicle subsystems.

Vehicle HAL

Vehicle HAL is a lower layer that interacts with the vehicle, communicating with in-vehicle networks and other vehicular hardware through driver input/output control (ioctl) calls.

The vehicle HAL is the only component in Android Automotive connected to the IVI system, either through direct app processor/MicroController connection or gated through a VMCU. Access to the Vehicle HAL should be restricted to system apps using SELinux rules and proper permissions on kernel interfaces.

SELinux policies

Android Automotive extends SELinux to filter driver access including open, close, read, write, and ioctl calls. Using ioctl filtering (along with other SELinux functionality) limits the type of CAN messages allowed and accepted by the Vehicle HAL, drastically reducing the attack surface. For details on SELinux, see  Security-Enhanced Linux in Android.

Additionally, automotive use cases include new types of sensitive data that should be isolated and controlled. Sensitive data has separate permissions; other capabilities such as HVAC controls and window adjustment should be given only to system apps. Example of an Automotive-specific SELinux policy:

<permission-group
 android:name=”android.support.car.permission.CAR_MONITORING />

<permission
 android:name=”android.support.car.permission.CAR_MILEAGE”
 android:protectionLevel=”signature|privileged” />
<permission
 android:name=”android.support.car.permission.CAR_SPEED”
 android:permissionGroup=”android.permission-group.LOCATION”
 android:protectionLevel=”dangerous” />
<permission
 android:name=”android.support.car.permission.CAR_VENDOR_EXTENSION”
 android:permissionGroup=”android.support.car.permission.CAR_INFORMATION”
 android:protectionLevel=”signature|privileged” />

The CAR_MONITORING permission group was created for automotive-related permissions. Current speed can be regarded as sensitive information. Therefore, CAR_SPEED permissions were created with a protection level of dangerous. This level means the information is private and sensitive. The permission CAR_VENDOR_EXTENSION was created with the system- or signature-level permission, which is used for system apps or signed apps that are explicitly granted this permission.

App and activity blocking

To reduce distracted driving, Android Automotive provides additional controls (a allowlist) to ensure sideloaded apps can't be used when the vehicle is in motion. These apps can still run when a vehicle is parked or stopped.

The allowlist specifies apps that can be used when the vehicle is moving. Only trusted system apps can update the allowlist. While updates can occur over the network, updates should not be considered reliable.