NCU Institutional Repository (中大機構典藏): Item 987654321/98510
    Please use this identifier to cite or link to this item: https://ir.lib.ncu.edu.tw/handle/987654321/98510


    Title: CASTR-OTA: A Secure Over-the-Air Update Architecture with State Analysis, Slot-based Rollback and a Hardware Trust Anchor; CASTR-OTA: A Context-Aware, Slot-based, Trust-anchored Resilient Over-The-Air Update
    Authors: Li, Che-Kai (黎哲愷)
    Contributors: Department of Computer Science and Information Engineering
    Keywords: Over-The-Air (OTA) Update; Uptane; Trusted Platform Module (TPM); Trusted Execution Environment (TEE); Software-defined Vehicle (SDV); Automotive Security
    Date: 2025-08-05
    Issue Date: 2025-10-17 12:52:06 (UTC+8)
    Publisher: National Central University (國立中央大學)
    Abstract: In software-defined vehicles (SDVs), firmware and applications routinely exceed 200 million lines of code, and ensuring road safety by means of over-the-air (OTA) updates has become industry practice. Modern vehicles consist of dozens of ECUs (Electronic Control Units), each responsible for specific functions such as braking, infotainment, or telematics. The prevailing standard, Uptane, provides signature and version-management mechanisms, yet assumes that the operating system and storage inside each ECU are trustworthy. If an infotainment or telematics ECU is compromised, an attacker can still tamper with images or replay stale metadata, endangering critical controls such as braking, powertrain, and driver assistance.

    We present CASTR-OTA, which fuses an on-chip (f)TPM 2.0 with Arm TrustZone to form a hardware root of trust, and adds a context-aware update gate together with an A/B/Q tri-slot isolation scheme. CASTR-OTA evaluates vehicle state at four checkpoints (download, decryption, slot switch, and early runtime) to block unsafe installations. Every new image is first sandboxed in an isolated Quarantine slot; only after it passes testing there is it promoted to the active slot, ensuring that unverified code can never seize control of any ECU.

    Experiments show that the system meets stringent security goals even against an adversary who controls the rich OS and the in-vehicle network. Moreover, should a subset of supply-chain keys be leaked, hardware measurements and a monotonic counter still preserve integrity and trigger a safe rollback to the last known-good version.
    Appears in Collections:[Graduate Institute of Computer Science and Information Engineering] Electronic Thesis & Dissertation
