The set of requirements available here describes security needs for an IVI product (system level). It is recommended to apply them to a product based on the "GENIVI software platform".

Data categories are based on persistency definitions:

  • User: User specific data
  • Application: Application specific data (neither shared within a group nor public)
  • Shared: Shared data within a group or public


Each entry below gives the Reference, the Requirement (title, then text) and the Priority; the Comments column of the original table is empty for every row.

VH-SEC-001  Data classification  (P2)
Data stored in, received or sent by a GENIVI product shall be classified in categories:
- Node: collection of data needed by a GENIVI node to support all functional requirements (not user related); coding parameters (downloaded by a diagnosis tool) are included in this category
- User: data attached to a user (e.g. settings, last address, last user context, ...)
- Application: specific data attached to an application (e.g. configuration)

VH-SEC-002  Connected units classification  (P2)
External electronic units connected to the system (wired or not) shall be classified in categories:
- Automotive ECU: units linked through an automotive network and integrated in the car
- Devices: CE devices like phones, USB sticks, ...
- Servers: back office

VH-SEC-003  Services definition  (P2)
A functionality offered to applications through a GENIVI platform (whether embedded or provided by servers) is named a service (e.g. radio, media playback, ...).

VH-SEC-004  Confidential data  (P1)
All data strictly attached to a user or a company and related to payment, commercial services, privacy or system assets. This kind of data includes authentication secrets.

VH-SEC-024  Security strategy  (P2)
Least privilege strategy shall be applied to the system. Access to services, data and connections shall be granted on a strict need basis at design or installation time.

VH-SEC-005  Node data access control  (P1)
Stored node data shall be accessed/modified/deleted only by authorized software components, users and units.

VH-SEC-006  User data access control  (P2)
User data stored in the system shall be accessed/modified/deleted only by authorized users, applications and software components.

VH-SEC-007  Confidential user data access control  (P1)
Confidential user data shall be accessed/modified only by its owner.

VH-SEC-008  Application data access control  (P2)
Application data stored in the system shall be accessed/modified/deleted only by authorized applications or users.

VH-SEC-009  Node data integrity  (P2)
Node data shall be protected against intentional corruption (e.g. configuration, clock).

VH-SEC-010  User data integrity  (P2)
User data shall be protected against intentional corruption.

VH-SEC-011  Application data integrity  (P2)
Application data shall be protected against intentional corruption.

VH-SEC-012  Protection of confidential data in the system  (P1)
Confidential data (e.g. connection credentials) shall be stored in a secure way in the system. The minimum level of protection shall be software encryption without secured storage.

VH-SEC-013  Temporary data deletion  (P2)
All data stored temporarily shall be erased from the system when they are no longer valid (user change, application stopped or removed, ...).

VH-SEC-014  Temporary external device data deletion  (P2)
All user and node device data stored temporarily in the system shall be erased at disconnection.

VH-SEC-015  Device connection authorizations  (P2)
Connection of an external device shall be monitored/authenticated and rights shall be granted according to its authorizations. The user could validate a device before a connection to increase its rights.

VH-SEC-016  Integrity and origin of data exchanged with an external device  (P2)
Integrity and origin of data exchanged with an external device should be verified to prevent tampering and replay. When the verification fails, the data shall not be processed.

VH-SEC-017  Confidentiality of data exchanged with an external device  (P2)
Confidential data exchanged with an external device should be protected from reading.

VH-SEC-017  Server connection authorizations  (P2)
Connections to/from external servers shall be monitored/authenticated and rights shall be granted according to their authorizations.

VH-SEC-018  Integrity and source of data exchanges with servers  (P2)
The system shall implement and use protocols to protect external exchanges with servers from spoofing, tampering or replay.

VH-SEC-019  Confidentiality of exchanges with servers  (P2)
The system shall implement and use protocols to protect external exchanges of confidential data with servers from reading by third parties.

VH-SEC-020  Services discovery and access authorizations  (P2)
Only authorized users and applications shall be able to discover and access services.

VH-SEC-021  Diagnosis services access policy  (P2)
Access to diagnosis functionalities shall be restricted to authorized users, applications and devices.

VH-SEC-022  Exchanges filtering  (P2)
The system shall filter incoming and outgoing data traffic according to a policy.

VH-SEC-023  Inputs and outputs confidentiality  (P2)
The user shall be notified when an input or output is used without any request from him (e.g. microphone, ...).

VH-SEC-024  Security strategy  (P2)
Least privilege strategy shall be applied to the system. By default, software components shall have no access to services offered by the platform. Access rights are given during installation.

VH-SEC-025  Update security  (P1)
Integrity and authenticity of an update shall be verified before installation.

VH-SEC-026  Update confidentiality  (P2)
Content of an update should not be readable by third parties.

VH-SEC-027  Component downgrade  (P2)
The system shall not allow version downgrade after a successful installation.
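
Added example (not part of the GENIVI requirements or of any GENIVI code) showing one way to implement VH-SEC-025 and VH-SEC-027 together: the manifest is authenticated first, the payload hash is then checked against it, and only a version newer than the installed one is applied. The manifest layout and key are assumptions of this example, and an HMAC over the manifest stands in for the asymmetric signature a production update path would use.

```python
import hashlib
import hmac
import json

# Constructed key and manifest format, assumptions of this example (not a
# GENIVI format). The HMAC tag stands in for a real asymmetric signature.
SIGNING_KEY = b"example-update-signing-key"


def sign_manifest(key: bytes, manifest: dict) -> bytes:
    """Tag a manifest; canonical JSON so signer and verifier hash the same bytes."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).digest()


def verify_update(key: bytes, manifest: dict, tag: bytes, payload: bytes,
                  installed: dict) -> str:
    """Return 'accept' or a 'reject: ...' reason. Order of checks:
    authenticity of the manifest (VH-SEC-025), integrity of the payload
    against the manifest (VH-SEC-025), then version monotonicity (VH-SEC-027)."""
    if not hmac.compare_digest(sign_manifest(key, manifest), tag):
        return "reject: manifest not authentic"
    if hashlib.sha256(payload).hexdigest() != manifest["sha256"]:
        return "reject: payload does not match manifest"
    current = installed.get(manifest["component"], 0)
    if manifest["version"] <= current:
        # Refuses downgrades and also a re-install of the current version, so an
        # older but validly signed package cannot be replayed onto the unit.
        return "reject: version %d not newer than installed %d" % (manifest["version"], current)
    return "accept"


def install(key: bytes, manifest: dict, tag: bytes, payload: bytes, installed: dict) -> str:
    """Apply the update (record the new version) only after verify_update accepts it."""
    verdict = verify_update(key, manifest, tag, payload, installed)
    if verdict == "accept":
        installed[manifest["component"]] = manifest["version"]
    return verdict


def make_package(key: bytes, component: str, version: int, payload: bytes):
    """Build a signed (manifest, tag, payload) triple; constructed test data."""
    manifest = {"component": component, "version": version,
                "sha256": hashlib.sha256(payload).hexdigest()}
    return manifest, sign_manifest(key, manifest), payload
```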

VH-SEC-028  Authorization to launch applications or services  (P2)
The system shall start applications and services.

VH-SEC-029  Network access security  (P2)
Only authorized applications, users and components shall be able to send or receive data on networks (CAN, Ethernet, ...).

VH-SEC-030  Integrity and source of data exchanges on automotive networks  (P2)
The system should implement and use protocols to protect external exchanges on automotive networks from spoofing, tampering or replay.

VH-SEC-031  Confidentiality of exchanges on automotive networks  (P2)
The system should implement and use protocols to protect external exchanges of confidential data on automotive networks from reading by third parties.

VH-SEC-032  Third-party add-ons integrity at runtime  (P2)
Components not included in a system upgrade shall be launched in a protected context (segregation) to preserve system integrity in case of a crash and global performance.

VH-SEC-033  Data freshness  (P2)
Each component shall verify data freshness (no processing if data are not up to date, and notification required).
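
Added example (not GENIVI code) of a receiver-side check that serves VH-SEC-016, VH-SEC-018, VH-SEC-030 and VH-SEC-033 at once: every frame carries the sender id, a per-sender counter and a timestamp under a keyed MAC, and the receiver rejects a frame with a bad tag (tampering or unknown origin), a non-increasing counter (replay) or a timestamp outside the freshness window, handing no body to processing in any of those cases. The frame layout, the shared key and the 5-second window are assumptions of this example.

```python
import hashlib
import hmac
import struct

# Constructed frame layout, an assumption of this example (not a GENIVI or
# automotive-network protocol): sender id (16 bytes, NUL padded) | counter (u32)
# | timestamp in seconds (u32) | body | 16-byte truncated HMAC-SHA256.
HEADER_LEN = 24
TAG_LEN = 16
MAX_AGE_S = 5  # freshness window for VH-SEC-033, also an assumption


def build_frame(key: bytes, sender: str, counter: int, timestamp: int, body: bytes) -> bytes:
    """Sender side: the MAC covers header and body so neither can be altered."""
    header = sender.encode().ljust(16, b"\0") + struct.pack(">II", counter, timestamp)
    tag = hmac.new(key, header + body, hashlib.sha256).digest()[:TAG_LEN]
    return header + body + tag


class Receiver:
    def __init__(self, key: bytes, now):
        self.key = key
        self.now = now              # callable returning the current time in seconds
        self.last_counter = {}      # highest accepted counter per sender

    def accept(self, frame: bytes):
        """Return (ok, reason, body); body is None whenever the frame is rejected,
        so a rejected frame can never reach processing (VH-SEC-016)."""
        if len(frame) < HEADER_LEN + TAG_LEN:
            return False, "malformed", None
        header, body, tag = frame[:HEADER_LEN], frame[HEADER_LEN:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, header + body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(expected, tag):         # origin and integrity
            return False, "bad tag: tampered or unknown origin", None
        sender = header[:16].rstrip(b"\0").decode()
        counter, timestamp = struct.unpack(">II", header[16:HEADER_LEN])
        if counter <= self.last_counter.get(sender, 0):    # replay of an old frame
            return False, "replay: counter not increasing", None
        if abs(self.now() - timestamp) > MAX_AGE_S:        # data freshness
            return False, "stale: outside freshness window", None
        self.last_counter[sender] = counter                # advance only after all checks
        return True, "ok", body
```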

VH-SEC-034  Debug ports  (P2)
Debug ports shall be removed or protected during each phase of the product lifecycle.

VH-SEC-035  Communication denial of service  (P2)
Exchanges between the system and an external party shall not be disturbed by malicious activities inside the system.

VH-SEC-036  Resource performance denial of service  (P1)
Feature performance should not be impacted by malicious activities inside the system.

VH-SEC-037  Non-repudiation of services  (P2)
Services provided by the system should not be repudiable (non-repudiation).

VH-SEC-038  Content copyrights  (P1)
The system shall respect applicable copyright laws and not allow illegal duplication.
 