An air-gapped log drive is used for storing logs generated by an “originator” device (e.g., an automotive electronic control unit (ECU)). The term “air-gapped” means the log storage device is “offline” and thus cannot be accessed through a wired or wireless network connection. Because the log drive is “offline,” the log data stored on it cannot be infected or corrupted by a remote actor. The air gap does not, however, protect the data from whoever physically holds the drive, so to assure confidentiality of the log data the log drive is encrypted. Periodically, or after critical events, the log drive can be accessed by an authorized “data processor” (e.g., a log ingestion system) for long-term storage or analysis. The originator(s) and data processor(s) therefore need to share access to the encrypted log drive to allow use of the log data. Typical approaches either share the same access credentials across all originator(s) and data processor(s), or use passwords, which are best suited for use by humans. In the former case, compromising the access credentials of any one data processor or originator exposes the log data on every other data processor and originator that uses the same access credentials for the log drive.
In the following description numerous specific details are set forth in order to provide a thorough understanding of the present disclosure for the purposes of explanation. It will be apparent, however, that the embodiments described by the present disclosure can be practiced without these specific details. In some instances, well-known structures and devices are illustrated in block diagram form in order to avoid unnecessarily obscuring aspects of the present disclosure.
Specific arrangements or orderings of schematic elements, such as those representing systems, devices, modules, instruction blocks, data elements, and/or the like are illustrated in the drawings for ease of description. However, it will be understood by those skilled in the art that the specific ordering or arrangement of the schematic elements in the drawings is not meant to imply that a particular order or sequence of processing, or separation of processes, is required unless explicitly described as such. Further, the inclusion of a schematic element in a drawing is not meant to imply that such element is required in all embodiments or that the features represented by such element may not be included in or combined with other elements in some embodiments unless explicitly described as such.
Further, where connecting elements such as solid or dashed lines or arrows are used in the drawings to illustrate a connection, relationship, or association between or among two or more other schematic elements, the absence of any such connecting elements is not meant to imply that no connection, relationship, or association can exist. In other words, some connections, relationships, or associations between elements are not illustrated in the drawings so as not to obscure the disclosure. In addition, for ease of illustration, a single connecting element can be used to represent multiple connections, relationships or associations between elements. For example, where a connecting element represents communication of signals, data, or instructions (e.g., “software instructions”), it should be understood by those skilled in the art that such element can represent one or multiple signal paths (e.g., a bus), as may be needed, to affect the communication.
Although the terms first, second, third, and/or the like are used to describe various elements, these elements should not be limited by these terms. The terms first, second, third, and/or the like are used only to distinguish one element from another. For example, a first contact could be termed a second contact and, similarly, a second contact could be termed a first contact without departing from the scope of the described embodiments. The first contact and the second contact are both contacts, but they are not the same contact.
The terminology used in the description of the various described embodiments herein is included for the purpose of describing particular embodiments only and is not intended to be limiting. As used in the description of the various described embodiments and the appended claims, the singular forms “a,” “an” and “the” are intended to include the plural forms as well and can be used interchangeably with “one or more” or “at least one,” unless the context clearly indicates otherwise. It will also be understood that the term “and/or” as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items. It will be further understood that the terms “includes,” “including,” “comprises,” and/or “comprising,” when used in this description specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
As used herein, the terms “communication” and “communicate” refer to at least one of the reception, receipt, transmission, transfer, provision, and/or the like of information (or information represented by, for example, data, signals, messages, instructions, commands, and/or the like). For one unit (e.g., a device, a system, a component of a device or system, combinations thereof, and/or the like) to be in communication with another unit means that the one unit is able to directly or indirectly receive information from and/or send (e.g., transmit) information to the other unit. This may refer to a direct or indirect connection that is wired and/or wireless in nature. Additionally, two units may be in communication with each other even though the information transmitted may be modified, processed, relayed, and/or routed between the first and second unit. For example, a first unit may be in communication with a second unit even though the first unit passively receives information and does not actively transmit information to the second unit. As another example, a first unit may be in communication with a second unit if at least one intermediary unit (e.g., a third unit located between the first unit and the second unit) processes information received from the first unit and transmits the processed information to the second unit. In some embodiments, a message may refer to a network packet (e.g., a data packet and/or the like) that includes data.
As used herein, the term “if” is, optionally, construed to mean “when”, “upon”, “in response to determining,” “in response to detecting,” and/or the like, depending on the context. Similarly, the phrase “if it is determined” or “if [a stated condition or event] is detected” is, optionally, construed to mean “upon determining,” “in response to determining,” “upon detecting [the stated condition or event],” “in response to detecting [the stated condition or event],” and/or the like, depending on the context. Also, as used herein, the terms “has”, “have”, “having”, or the like are intended to be open-ended terms. Further, the phrase “based on” is intended to mean “based at least partially on” unless explicitly stated otherwise.
Reference will now be made in detail to embodiments, examples of which are illustrated in the accompanying drawings. In the following detailed description, numerous specific details are set forth in order to provide a thorough understanding of the various described embodiments. However, it will be apparent to one of ordinary skill in the art that the various described embodiments can be practiced without these specific details. In other instances, well-known methods, procedures, components, circuits, and networks have not been described in detail so as not to unnecessarily obscure aspects of the embodiments.
General Overview
In some aspects and/or embodiments, systems, methods, and computer program products described herein include and/or implement technology that protects confidentiality of air-gapped logs during drive initialization, log collection, and processing.
In an embodiment, during a first log processing cycle of a log ingestion system, a data processor key and a drive encryption key are obtained from storage or generated by secure hardware. In other embodiments, the data processor key is also stored in secure hardware, or is wrapped by secure hardware and stored on a non-secured storage device or database. The data processor key and the drive encryption key are unique to a log drive (e.g., a hard disk) mounted to at least one computer processor (e.g., a log drive added to the OS file system running on the computer processor). The drive encryption key is wrapped with the data processor key (i.e., the key material is encrypted under a key held by secure hardware) and stored in a database record that is mapped to data uniquely identifying the log drive. The drive encryption key is also wrapped with a default key that is known to at least one originator device (e.g., an automotive ECU), the log drive is wiped (e.g., its contents erased), and this default-wrapped drive encryption key is written to the log drive.
In an embodiment, the drive encryption key and the data processor key are changed each time the log drive is reinitialized.
In an embodiment, during a second log processing cycle following the first log processing cycle, the data processor key and the drive encryption key are replaced by a new data processor key and a new drive encryption key, and the database is updated with the new drive encryption key wrapped by the new data processor key.
In an embodiment, the data processor key and the drive encryption key are generated in secure hardware.
In an embodiment, the identifier is a unique identifier (ID) or serial number of the log drive.
In an embodiment, there are two or more originator devices and a unique default key is known to each originator device.
In an embodiment, a method comprises: obtaining, with at least one computer processor, a wrapped drive encryption key; loading, with the at least one computer processor, the wrapped drive encryption key into secure hardware; unwrapping, with the at least one computer processor, the drive encryption key with a default key; generating, with the at least one computer processor, an originator key; wrapping, with the at least one computer processor, the drive encryption key with the originator key; erasing, with the at least one computer processor, a partition of the log drive with the drive encryption key; encrypting, with the at least one computer processor, the partition of the log drive with the drive encryption key; and appending, with the at least one computer processor, data to at least one log in the partition on the encrypted log drive.
In an embodiment, the method further comprises: periodically or upon a predefined event, mounting the log drive on the computer processor; fetching, with the at least one computer processor, the wrapped drive encryption key from a database; unwrapping, with the at least one computer processor, the drive encryption key; decrypting, with the at least one computer processor, the partition on the log drive using the drive encryption key; and retrieving, with the at least one computer processor, log data from the partition.
In an embodiment, the computer processor re-initializes the log drive.
In an embodiment, the mounting of the log drive to the computer processor is performed by a trusted operator in a controlled environment.
In an embodiment, the originator key is generated in secure hardware.
In an embodiment, the partition is erased and encrypted with a second drive encryption key derived from the drive encryption key.
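The initialization, first-mount, append, collection and re-initialization steps described above, carried through end to end as an added example; this is illustrative code, not code from the disclosure. The authenticated wrap is a standard-library stand-in (SHA-256 keystream plus HMAC-SHA256, encrypt-then-MAC) for the AES key wrap that real secure hardware would perform, and `SecureHardware`, `LogDrive`, the handle names, the serial number and the log records are all constructed for illustration. Every wrapped blob carries the drive serial as associated data, so a blob copied to a different drive fails to unwrap.

```python
"""Key-wrapping lifecycle for an air-gapped log drive (illustrative, stdlib only)."""
from __future__ import annotations
import hashlib
import hmac
import secrets

# Toy authenticated encryption: stand-in for a hardware AES key wrap (AES-KW/AES-GCM).
# Keystream is SHA-256 in counter mode; tag is HMAC-SHA256 over nonce||aad||ct.
def _subkeys(key: bytes) -> tuple[bytes, bytes]:
    return (hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest())

def _keystream(enc_key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hashlib.sha256(enc_key + nonce + i.to_bytes(4, "big")).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + aad + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes, aad: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(mac_key, nonce + aad + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("wrong key, wrong drive id, or tampered blob")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

class SecureHardware:
    """Model of an HSM/TPM: key material never leaves; callers use string handles."""
    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}

    def install(self, handle: str, key: bytes) -> str:   # e.g. the provisioned default key
        self._keys[handle] = key
        return handle

    def generate(self, handle: str) -> str:              # fresh key created inside the HSM
        return self.install(handle, secrets.token_bytes(32))

    def wrap(self, handle: str, key: bytes, aad: bytes) -> bytes:
        return seal(self._keys[handle], key, aad)

    def unwrap(self, handle: str, blob: bytes, aad: bytes) -> bytes:
        return unseal(self._keys[handle], blob, aad)

class LogDrive:
    """Removable drive: a header holding the wrapped DEK plus an encrypted partition."""
    def __init__(self, serial: str) -> None:
        self.serial, self.header, self.partition = serial, b"", []

# Data processor: first (and every later) initialization cycle.
def initialize_drive(hw: SecureHardware, db: dict, drive: LogDrive) -> None:
    aad = drive.serial.encode()                      # binds every blob to this drive's id
    dpk = hw.generate(f"dpk:{drive.serial}")         # per-drive data processor key, stays in HSM
    dek = secrets.token_bytes(32)                    # drive encryption key (HSM-generated in practice)
    db[drive.serial] = hw.wrap(dpk, dek, aad)        # database row keyed by the drive serial
    drive.header, drive.partition = hw.wrap("default", dek, aad), []   # wipe, write default-wrapped DEK

# Originator (ECU): first mount replaces the default-wrapped copy, later mounts append.
def originator_first_mount(hw: SecureHardware, drive: LogDrive) -> None:
    aad = drive.serial.encode()
    dek = hw.unwrap("default", drive.header, aad)    # only succeeds on a freshly initialized drive
    ok = hw.generate(f"ok:{drive.serial}")           # originator key
    drive.header = hw.wrap(ok, dek, aad)             # default-wrapped copy is gone from the drive
    drive.partition = []                             # erase partition before the first write

def originator_append(hw: SecureHardware, drive: LogDrive, record: bytes) -> None:
    aad = drive.serial.encode()
    dek = hw.unwrap(f"ok:{drive.serial}", drive.header, aad)
    drive.partition.append(seal(dek, record, aad))   # one encrypted log record

# Data processor: collection cycle, using only its own DB row and HSM-held key.
def data_processor_collect(hw: SecureHardware, db: dict, drive: LogDrive) -> list[bytes]:
    aad = drive.serial.encode()
    dek = hw.unwrap(f"dpk:{drive.serial}", db[drive.serial], aad)
    return [unseal(dek, blob, aad) for blob in drive.partition]

def demo() -> dict:
    default_key = secrets.token_bytes(32)            # provisioned to both parties out of band
    hw_dp, hw_ecu = SecureHardware(), SecureHardware()
    hw_dp.install("default", default_key)
    hw_ecu.install("default", default_key)
    db, drive = {}, LogDrive("SN-0001")              # constructed serial number
    initialize_drive(hw_dp, db, drive)
    originator_first_mount(hw_ecu, drive)
    for rec in (b"ecu boot", b"brake fault 0x17"):  # constructed log records
        originator_append(hw_ecu, drive, rec)
    try:                                             # default key is useless after first mount
        hw_ecu.unwrap("default", drive.header, drive.serial.encode())
        default_still_works = True
    except ValueError:
        default_still_works = False
    collected = data_processor_collect(hw_dp, db, drive)
    old_row = db[drive.serial]
    initialize_drive(hw_dp, db, drive)               # second cycle: new DPK and DEK, DB row updated
    return {"collected": collected,
            "default_key_after_first_mount": default_still_works,
            "rotated": db[drive.serial] != old_row and drive.partition == []}
```

Calling `demo()` runs one full cycle: the data processor recovers the two records with its own HSM-held key, the default key no longer unwraps the drive header once the originator has re-wrapped it, and re-initialization rotates both keys and empties the partition. Compromising one data processor's HSM slot exposes only the drives that slot holds a `dpk:` handle for, which is the per-drive uniqueness the text relies on.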
By virtue of the implementation of systems, methods, and computer program products described herein, techniques for protecting confidentiality of air-gapped logs provide at least the following advantages. The techniques allow multiple entities to share access to log data across an air gap while maintaining confidentiality. The techniques are useful, for example, to centralize storage and processing of “black box” logs collected across a fleet of vehicles, and they also allow for scalable management of logs across the fleet. Thus, the disclosed techniques provide advantages over conventional techniques of protecting air-gapped logs that share the same credentials across multiple entities, or that use passwords better suited for use by humans. If credentials are shared, then compromising the credentials on one entity (e.g., a vehicle) exposes the log data on every other entity using the same credentials.
The log drive can be used on any originator that supports the same encryption sharing mechanism, reducing logistical complexity. Each data processing entity involved in the log processing can use its own access credentials to seal the log drive encryption key, without exposing the shared secret (i.e., the drive encryption key). Only a default key (described below) is shared between the entities. After an originator mounts the log drive for the first time and re-wraps the drive encryption key under its own originator key, only that originator and the data processor can access the log data, which reduces the attack surface. Until that first mount, the drive still carries the drive encryption key wrapped under the shared default key, so the interval between initialization and first mount is the window in which a leaked default key matters, and it is why that mount is performed by a trusted operator in a controlled environment.
The disclosed techniques can be used in most embedded applications that require confidentiality while sharing persistent data across an air gap, such as between automotive ECUs and a log ingestion station.
Referring now to
Vehicles 102a-104n (referred to individually as vehicle 102 and collectively as vehicles 102) include at least one device configured to transport goods and/or people. In some embodiments, vehicles 102 are configured to be in communication with V2I device 110, remote AV system 114, fleet management system 116, and/or V2I system 118 via network 112. In some embodiments, vehicles 102 include cars, buses, trucks, trains, and/or the like. In some embodiments, vehicles 102 are the same as, or similar to, vehicles 200, described herein (see
Objects 104a-104n (referred to individually as object 104 and collectively as objects 104) include, for example, at least one vehicle, at least one pedestrian, at least one cyclist, at least one structure (e.g., a building, a sign, a fire hydrant, etc.), and/or the like. Each object 104 is stationary (e.g., located at a fixed location for a period of time) or mobile (e.g., having a velocity and associated with at least one trajectory). In some embodiments, objects 104 are associated with corresponding locations in area 108.
Routes 106a-106n (referred to individually as route 106 and collectively as routes 106) are each associated with (e.g., prescribe) a sequence of actions (also known as a trajectory) connecting states along which an AV can navigate. Each route 106 starts at an initial state (e.g., a state that corresponds to a first spatiotemporal location, velocity, and/or the like) and a final goal state (e.g., a state that corresponds to a second spatiotemporal location that is different from the first spatiotemporal location) or goal region (e.g. a subspace of acceptable states (e.g., terminal states)). In some embodiments, the first state includes a location at which an individual or individuals are to be picked-up by the AV and the second state or region includes a location or locations at which the individual or individuals picked-up by the AV are to be dropped-off. In some embodiments, routes 106 include a plurality of acceptable state sequences (e.g., a plurality of spatiotemporal location sequences), the plurality of state sequences associated with (e.g., defining) a plurality of trajectories. In an example, routes 106 include only high level actions or imprecise state locations, such as a series of connected roads dictating turning directions at roadway intersections. Additionally, or alternatively, routes 106 may include more precise actions or states such as, for example, specific target lanes or precise locations within the lane areas and targeted speed at those positions. In an example, routes 106 include a plurality of precise state sequences along the at least one high level action sequence with a limited lookahead horizon to reach intermediate goals, where the combination of successive iterations of limited horizon state sequences cumulatively correspond to a plurality of trajectories that collectively form the high level route to terminate at the final goal state or region.
Area 108 includes a physical area (e.g., a geographic region) within which vehicles 102 can navigate. In an example, area 108 includes at least one state (e.g., a country, a province, an individual state of a plurality of states included in a country, etc.), at least one portion of a state, at least one city, at least one portion of a city, etc. In some embodiments, area 108 includes at least one named thoroughfare (referred to herein as a “road”) such as a highway, an interstate highway, a parkway, a city street, etc. Additionally, or alternatively, in some examples area 108 includes at least one unnamed road such as a driveway, a section of a parking lot, a section of a vacant and/or undeveloped lot, a dirt path, etc. In some embodiments, a road includes at least one lane (e.g., a portion of the road that can be traversed by vehicles 102). In an example, a road includes at least one lane associated with (e.g., identified based on) at least one lane marking.
Vehicle-to-Infrastructure (V2I) device 110 (sometimes referred to as a Vehicle-to-Infrastructure (V2X) device) includes at least one device configured to be in communication with vehicles 102 and/or V2I infrastructure system 118. In some embodiments, V2I device 110 is configured to be in communication with vehicles 102, remote AV system 114, fleet management system 116, and/or V2I system 118 via network 112. In some embodiments, V2I device 110 includes a radio frequency identification (RFID) device, signage, cameras (e.g., two-dimensional (2D) and/or three-dimensional (3D) cameras), lane markers, streetlights, parking meters, etc. In some embodiments, V2I device 110 is configured to communicate directly with vehicles 102. Additionally, or alternatively, in some embodiments V2I device 110 is configured to communicate with vehicles 102, remote AV system 114, and/or fleet management system 116 via V2I system 118. In some embodiments, V2I device 110 is configured to communicate with V2I system 118 via network 112.
Network 112 includes one or more wired and/or wireless networks. In an example, network 112 includes a cellular network (e.g., a long term evolution (LTE) network, a third generation (3G) network, a fourth generation (4G) network, a fifth generation (5G) network, a code division multiple access (CDMA) network, etc.), a public land mobile network (PLMN), a local area network (LAN), a wide area network (WAN), a metropolitan area network (MAN), a telephone network (e.g., the public switched telephone network (PSTN)), a private network, an ad hoc network, an intranet, the Internet, a fiber optic-based network, a cloud computing network, etc., a combination of some or all of these networks, and/or the like.
Remote AV system 114 includes at least one device configured to be in communication with vehicles 102, V2I device 110, fleet management system 116, and/or V2I system 118 via network 112. In an example, remote AV system 114 includes a server, a group of servers, and/or other like devices. In some embodiments, remote AV system 114 is co-located with the fleet management system 116. In some embodiments, remote AV system 114 is involved in the installation of some or all of the components of a vehicle, including an autonomous system, an autonomous vehicle compute, software implemented by an autonomous vehicle compute, and/or the like. In some embodiments, remote AV system 114 maintains (e.g., updates and/or replaces) such components and/or software during the lifetime of the vehicle.
Fleet management system 116 includes at least one device configured to be in communication with vehicles 102, V2I device 110, remote AV system 114, and/or V2I infrastructure system 118. In an example, fleet management system 116 includes a server, a group of servers, and/or other like devices. In some embodiments, fleet management system 116 is associated with a ridesharing company (e.g., an organization that controls operation of multiple vehicles (e.g., vehicles that include autonomous systems and/or vehicles that do not include autonomous systems) and/or the like).
In some embodiments, V2I system 118 includes at least one device configured to be in communication with vehicles 102, V2I device 110, remote AV system 114, and/or fleet management system 116 via network 112. In some examples, V2I system 118 is configured to be in communication with V2I device 110 via a connection different from network 112. In some embodiments, V2I system 118 includes a server, a group of servers, and/or other like devices. In some embodiments, V2I system 118 is associated with a municipality or a private institution (e.g., a private institution that maintains V2I device 110 and/or the like).
The number and arrangement of elements illustrated in
Referring now to
Autonomous system 202 includes a sensor suite that includes one or more devices such as cameras 202a, LiDAR sensors 202b, radar sensors 202c, and microphones 202d. In some embodiments, autonomous system 202 can include more or fewer devices and/or different devices (e.g., ultrasonic sensors, inertial sensors, GPS receivers (discussed below), odometry sensors that generate data associated with an indication of a distance that vehicle 200 has traveled, and/or the like). In some embodiments, autonomous system 202 uses the one or more devices included in autonomous system 202 to generate data associated with environment 100, described herein. The data generated by the one or more devices of autonomous system 202 can be used by one or more systems described herein to observe the environment (e.g., environment 100) in which vehicle 200 is located. In some embodiments, autonomous system 202 includes communication device 202e, autonomous vehicle compute 202f, and drive-by-wire (DBW) system 202h.
Cameras 202a include at least one device configured to be in communication with communication device 202e, autonomous vehicle compute 202f, and/or safety controller 202g via a bus (e.g., a bus that is the same as or similar to bus 302 of
In an embodiment, camera 202a includes at least one camera configured to capture one or more images associated with one or more traffic lights, street signs and/or other physical objects that provide visual navigation information. In some embodiments, camera 202a generates traffic light detection (TLD) data associated with one or more images. In some examples, camera 202a generates TLD data associated with one or more images that include a format (e.g., RAW, JPEG, PNG, and/or the like). In some embodiments, camera 202a that generates TLD data differs from other systems described herein incorporating cameras in that camera 202a can include one or more cameras with a wide field of view (e.g., a wide-angle lens, a fish-eye lens, a lens having a viewing angle of approximately 120 degrees or more, and/or the like) to generate images about as many physical objects as possible.
Laser Detection and Ranging (LiDAR) sensors 202b include at least one device configured to be in communication with communication device 202e, autonomous vehicle compute 202f, and/or safety controller 202g via a bus (e.g., a bus that is the same as or similar to bus 302 of
Radio Detection and Ranging (radar) sensors 202c include at least one device configured to be in communication with communication device 202e, autonomous vehicle compute 202f, and/or safety controller 202g via a bus (e.g., a bus that is the same as or similar to bus 302 of
Microphones 202d includes at least one device configured to be in communication with communication device 202e, autonomous vehicle compute 202f, and/or safety controller 202g via a bus (e.g., a bus that is the same as or similar to bus 302 of
Communication device 202e include at least one device configured to be in communication with cameras 202a, LiDAR sensors 202b, radar sensors 202c, microphones 202d, autonomous vehicle compute 202f, safety controller 202g, and/or DBW system 202h. For example, communication device 202e may include a device that is the same as or similar to communication interface 314 of
Autonomous vehicle compute 202f include at least one device configured to be in communication with cameras 202a, LiDAR sensors 202b, radar sensors 202c, microphones 202d, communication device 202e, safety controller 202g, and/or DBW system 202h. In some examples, autonomous vehicle compute 202f includes a device such as a client device, a mobile device (e.g., a cellular telephone, a tablet, and/or the like) a server (e.g., a computing device including one or more central processing units, graphical processing units, and/or the like), and/or the like. In some embodiments, autonomous vehicle compute 202f is the same as or similar to autonomous vehicle compute 400, described herein. Additionally, or alternatively, in some embodiments autonomous vehicle compute 202f is configured to be in communication with an autonomous vehicle system (e.g., an autonomous vehicle system that is the same as or similar to remote AV system 114 of
Safety controller 202g includes at least one device configured to be in communication with cameras 202a, LiDAR sensors 202b, radar sensors 202c, microphones 202d, communication device 202e, autonomous vehicle compute 202f, and/or DBW system 202h. In some examples, safety controller 202g includes one or more controllers (electrical controllers, electromechanical controllers, and/or the like) that are configured to generate and/or transmit control signals to operate one or more devices of vehicle 200 (e.g., powertrain control system 204, steering control system 206, brake system 208, and/or the like). In some embodiments, safety controller 202g is configured to generate control signals that take precedence over (e.g., override) control signals generated and/or transmitted by autonomous vehicle compute 202f.
DBW system 202h includes at least one device configured to be in communication with communication device 202e and/or autonomous vehicle compute 202f. In some examples, DBW system 202h includes one or more controllers (e.g., electrical controllers, electromechanical controllers, and/or the like) that are configured to generate and/or transmit control signals to operate one or more devices of vehicle 200 (e.g., powertrain control system 204, steering control system 206, brake system 208, and/or the like). Additionally, or alternatively, the one or more controllers of DBW system 202h are configured to generate and/or transmit control signals to operate at least one different device (e.g., a turn signal, headlights, door locks, windshield wipers, and/or the like) of vehicle 200.
Powertrain control system 204 includes at least one device configured to be in communication with DBW system 202h. In some examples, powertrain control system 204 includes at least one controller, actuator, and/or the like. In some embodiments, powertrain control system 204 receives control signals from DBW system 202h and powertrain control system 204 causes vehicle 200 to start moving forward, stop moving forward, start moving backward, stop moving backward, accelerate in a direction, decelerate in a direction, perform a left turn, perform a right turn, and/or the like. In an example, powertrain control system 204 causes the energy (e.g., fuel, electricity, and/or the like) provided to a motor of the vehicle to increase, remain the same, or decrease, thereby causing at least one wheel of vehicle 200 to rotate or not rotate.
Steering control system 206 includes at least one device configured to rotate one or more wheels of vehicle 200. In some examples, steering control system 206 includes at least one controller, actuator, and/or the like. In some embodiments, steering control system 206 causes the front two wheels and/or the rear two wheels of vehicle 200 to rotate to the left or right to cause vehicle 200 to turn to the left or right.
Brake system 208 includes at least one device configured to actuate one or more brakes to cause vehicle 200 to reduce speed and/or remain stationary. In some examples, brake system 208 includes at least one controller and/or actuator that is configured to cause one or more calipers associated with one or more wheels of vehicle 200 to close on a corresponding rotor of vehicle 200. Additionally, or alternatively, in some examples brake system 208 includes an automatic emergency braking (AEB) system, a regenerative braking system, and/or the like.
In some embodiments, vehicle 200 includes at least one platform sensor (not explicitly illustrated) that measures or infers properties of a state or a condition of vehicle 200. In some examples, vehicle 200 includes platform sensors such as a global positioning system (GPS) receiver, an inertial measurement unit (IMU), a wheel speed sensor, a wheel brake pressure sensor, a wheel torque sensor, an engine torque sensor, a steering angle sensor, and/or the like.
Referring now to
Bus 302 includes a component that permits communication among the components of device 300. In some embodiments, computer processor 304 is implemented in hardware, software, or a combination of hardware and software. In some examples, computer processor 304 includes a computer processor (e.g., a central processing unit (CPU), a graphics processing unit (GPU), an accelerated processing unit (APU), and/or the like), a microprocessor, a digital signal processor (DSP), and/or any processing component (e.g., a field-programmable gate array (FPGA), an application specific integrated circuit (ASIC), and/or the like) that can be programmed to perform at least one function. Memory 306 includes random access memory (RAM), read-only memory (ROM), and/or another type of dynamic and/or static storage device (e.g., flash memory, magnetic memory, optical memory, and/or the like) that stores data and/or instructions for use by computer processor 304.
Storage component 308 stores data and/or software related to the operation and use of device 300. In some examples, storage component 308 includes a hard disk (e.g., a magnetic disk, an optical disk, a magneto-optic disk, a solid state disk, and/or the like), a compact disc (CD), a digital versatile disc (DVD), a floppy disk, a cartridge, a magnetic tape, a CD-ROM, RAM, PROM, EPROM, FLASH-EPROM, NV-RAM, and/or another type of computer readable medium, along with a corresponding drive.
Input interface 310 includes a component that permits device 300 to receive information, such as via user input (e.g., a touchscreen display, a keyboard, a keypad, a mouse, a button, a switch, a microphone, a camera, and/or the like). Additionally or alternatively, in some embodiments input interface 310 includes a sensor that senses information (e.g., a global positioning system (GPS) receiver, an accelerometer, a gyroscope, an actuator, and/or the like). Output interface 312 includes a component that provides output information from device 300 (e.g., a display, a speaker, one or more light-emitting diodes (LEDs), and/or the like).
In some embodiments, communication interface 314 includes a transceiver-like component (e.g., a transceiver, a separate receiver and transmitter, and/or the like) that permits device 300 to communicate with other devices via a wired connection, a wireless connection, or a combination of wired and wireless connections. In some examples, communication interface 314 permits device 300 to receive information from another device and/or provide information to another device. In some examples, communication interface 314 includes an Ethernet interface, an optical interface, a coaxial interface, an infrared interface, a radio frequency (RF) interface, a universal serial bus (USB) interface, a Wi-Fi® interface, a cellular network interface, and/or the like.
In some embodiments, device 300 performs one or more processes described herein. Device 300 performs these processes based on computer processor 304 executing software instructions stored by a computer-readable medium, such as memory 306 and/or storage component 308. A computer-readable medium (e.g., a non-transitory computer readable medium) is defined herein as a non-transitory memory device. A non-transitory memory device includes memory space located inside a single physical storage device or memory space spread across multiple physical storage devices.
In some embodiments, software instructions are read into memory 306 and/or storage component 308 from another computer-readable medium or from another device via communication interface 314. When executed, software instructions stored in memory 306 and/or storage component 308 cause computer processor 304 to perform one or more processes described herein. Additionally or alternatively, hardwired circuitry is used in place of or in combination with software instructions to perform one or more processes described herein. Thus, embodiments described herein are not limited to any specific combination of hardware circuitry and software unless explicitly stated otherwise.
Memory 306 and/or storage component 308 includes data storage or at least one data structure (e.g., a database and/or the like). Device 300 is capable of receiving information from, storing information in, communicating information to, or searching information stored in the data storage or the at least one data structure in memory 306 or storage component 308. In some examples, the information includes network data, input data, output data, or any combination thereof.
In some embodiments, device 300 is configured to execute software instructions that are stored in memory 306 and/or in the memory of another device (e.g., another device that is the same as or similar to device 300). As used herein, the term “module” refers to at least one instruction stored in memory 306 and/or in the memory of another device that, when executed by computer processor 304 and/or by a computer processor of another device (e.g., another device that is the same as or similar to device 300), causes device 300 (e.g., at least one component of device 300) to perform one or more processes described herein. In some embodiments, a module is implemented in software, firmware, hardware, and/or the like.
The number and arrangement of components illustrated in
Referring now to
In some embodiments, perception system 402 receives data associated with at least one physical object (e.g., data that is used by perception system 402 to detect the at least one physical object) in an environment and classifies the at least one physical object. In some examples, perception system 402 receives image data captured by at least one camera (e.g., cameras 202a), the image associated with (e.g., representing) one or more physical objects within a field of view of the at least one camera. In such an example, perception system 402 classifies at least one physical object based on one or more groupings of physical objects (e.g., bicycles, vehicles, traffic signs, pedestrians, and/or the like). In some embodiments, perception system 402 transmits data associated with the classification of the physical objects to planning system 404 based on perception system 402 classifying the physical objects.
In some embodiments, planning system 404 receives data associated with a destination and generates data associated with at least one route (e.g., routes 106) along which a vehicle (e.g., vehicles 102) can travel toward a destination. In some embodiments, planning system 404 periodically or continuously receives data from perception system 402 (e.g., data associated with the classification of physical objects, described above) and planning system 404 updates the at least one trajectory or generates at least one different trajectory based on the data generated by perception system 402. In some embodiments, planning system 404 receives data associated with an updated position of a vehicle (e.g., vehicles 102) from localization system 406 and planning system 404 updates the at least one trajectory or generates at least one different trajectory based on the data generated by localization system 406.
In some embodiments, localization system 406 receives data associated with (e.g., representing) a location of a vehicle (e.g., vehicles 102) in an area. In some examples, localization system 406 receives LiDAR data associated with at least one point cloud generated by at least one LiDAR sensor (e.g., LiDAR sensors 202b). In certain examples, localization system 406 receives data associated with at least one point cloud from multiple LiDAR sensors and localization system 406 generates a combined point cloud based on each of the point clouds. In these examples, localization system 406 compares the at least one point cloud or the combined point cloud to a two-dimensional (2D) and/or three-dimensional (3D) map of the area stored in database 410. Localization system 406 then determines the position of the vehicle in the area based on localization system 406 comparing the at least one point cloud or the combined point cloud to the map. In some embodiments, the map includes a combined point cloud of the area generated prior to navigation of the vehicle. In some embodiments, maps include, without limitation, high-precision maps of the roadway geometric properties, maps describing road network connectivity properties, maps describing roadway physical properties (such as traffic speed, traffic volume, the number of vehicular and cyclist traffic lanes, lane width, lane traffic directions, or lane marker types and locations, or combinations thereof), and maps describing the spatial locations of road features such as crosswalks, traffic signs or other travel signals of various types. In some embodiments, the map is generated in real-time based on the data received by the perception system.
In another example, localization system 406 receives Global Navigation Satellite System (GNSS) data generated by a global positioning system (GPS) receiver. In some examples, localization system 406 receives GNSS data associated with the location of the vehicle in the area and localization system 406 determines a latitude and longitude of the vehicle in the area. In such an example, localization system 406 determines the position of the vehicle in the area based on the latitude and longitude of the vehicle. In some embodiments, localization system 406 generates data associated with the position of the vehicle. In some examples, localization system 406 generates data associated with the position of the vehicle based on localization system 406 determining the position of the vehicle. In such an example, the data associated with the position of the vehicle includes data associated with one or more semantic properties corresponding to the position of the vehicle.
In some embodiments, control system 408 receives data associated with at least one trajectory from planning system 404 and control system 408 controls operation of the vehicle. In some examples, control system 408 receives data associated with at least one trajectory from planning system 404 and control system 408 controls operation of the vehicle by generating and transmitting control signals to cause a powertrain control system (e.g., DBW system 202h, powertrain control system 204, and/or the like), a steering control system (e.g., steering control system 206), and/or a brake system (e.g., brake system 208) to operate. In an example, where a trajectory includes a left turn, control system 408 transmits a control signal to cause steering control system 206 to adjust a steering angle of vehicle 200, thereby causing vehicle 200 to turn left. Additionally, or alternatively, control system 408 generates and transmits control signals to cause other devices (e.g., headlights, turn signal, door locks, windshield wipers, and/or the like) of vehicle 200 to change states.
In some embodiments, perception system 402, planning system 404, localization system 406, and/or control system 408 implement at least one machine learning model (e.g., at least one multilayer perceptron (MLP), at least one convolutional neural network (CNN), at least one recurrent neural network (RNN), at least one autoencoder, at least one transformer, and/or the like). In some examples, perception system 402, planning system 404, localization system 406, and/or control system 408 implement at least one machine learning model alone or in combination with one or more of the above-noted systems. In some examples, perception system 402, planning system 404, localization system 406, and/or control system 408 implement at least one machine learning model as part of a pipeline (e.g., a pipeline for identifying one or more objects located in an environment and/or the like).
Database 410 stores data that is transmitted to, received from, and/or updated by perception system 402, planning system 404, localization system 406 and/or control system 408. In some examples, database 410 includes a storage component (e.g., a storage component that is the same as or similar to storage component 308 of
In some embodiments, database 410 can be implemented across a plurality of devices. In some examples, database 410 is included in a vehicle (e.g., a vehicle that is the same as or similar to vehicles 102 and/or vehicle 200), an autonomous vehicle system (e.g., an autonomous vehicle system that is the same as or similar to remote AV system 114, a fleet management system (e.g., a fleet management system that is the same as or similar to fleet management system 116 of
The data processor is responsible for log drive device initialization, and may be the same as, or similar to, one or more devices included in environment 100 and/or vehicle 200 (e.g., one or more computer processors 304 included in one or more devices included in environment 100 and/or vehicle 200).
After mounting the log drive (ld) (501), data processor secure process (dpsp) generates a data processor key (dpk) (502) and a drive encryption key (dek) (503) and writes the data processor key to data processor secure storage (dpss) (504). The data processor key and drive encryption key are generated in secure hardware. Depending on the application, the data processor key and drive encryption key can also be changed each time the log drive is reinitialized, so that any compromise of the drive encryption key does not affect the same log drive during a different logging cycle.
Data processor secure process wraps the drive encryption key with the data processor key (505) and writes the wrapped drive encryption key in a database (e.g., database 410) configured in data processor storage (dps) (506), which is mapped to a unique ID or serial number of the log drive. When the data processor key and drive encryption key are replaced on every cycle, the database is also updated with the new wrapped drive encryption key.
Data processor secure process reads the default key (dk) from data processor secure storage (507) and wraps the drive encryption key with a default key (dk) (508), which is known to all relevant originators. In other embodiments, the default key can be wrapped with another key and stored on data processor storage. Although the default key could also be configured uniquely for each originator, such a configuration would increase the complexity of the overall system without making the system more secure against insider attacks. Data processor process (dps) wipes (i.e., erases) the log drive, reads the wrapped drive encryption key from the data processor secure process (509) and writes the drive encryption key wrapped by default key on the log drive (510). The log drive is unmounted (511) from the data processor's computer processor (e.g., unmounted by a file management system and/or operating system) and transferred/mounted to the originator's computer processor by a trusted operator (e.g., a person expected to transfer the log drive without tampering with the log drive) in a controlled environment.
When the log drive is deployed to the originator, an originator process (op) (e.g., a process implemented by an originator computer) reads the wrapped drive encryption key from the log drive (602) and an originator secure process (osp) reads the wrapped drive encryption key into secure hardware (603), reads the default key from originator secure process (604), and unwraps the drive encryption key with the default key (605). In other embodiments, the default key can be wrapped with another key and stored on originator storage (os). The originator secure process wipes (606) and encrypts (607) the entire log drive partition with the drive encryption key or an encryption key derived from the drive encryption key. The originator secure process generates an originator key (ok) in secure hardware (608), writes the originator key to originator secure storage (oss) (609), wraps the drive encryption key with the originator key (610) and writes the drive encryption key wrapped with the originator key onto originator storage (611). The originator process writes data to the originator secure process (612) which writes the data (e.g., appends the data) to the log on the now encrypted log drive (613). Periodically or upon a predefined event, the log drive is unmounted from the originator's computer (614) and mounted on the processor's computer, by a trusted operator in a controlled/secure environment.
Note that in
The read( )/write( ) operations are implemented according to the particular file management system and/or operating system used to read and write data from/to hard drives. Any other suitable key wrapping and cryptographic algorithms are also applicable to the disclosed embodiments.
The above description also references secure hardware. Examples of secure hardware include but are not limited to: a trusted execution environment (TEE), trusted platform module (TPM), or hardware security module (HSM).
In an embodiment, processor 801 includes data processor secure world 804. Data processor secure world 804 is a secure area of a main computer processor (e.g., for TEE) or secure hardware within the processing system (e.g., for TPM/HSM) that ensures code and data loaded inside the data processor secure world 804 is protected with respect to confidentiality and integrity. In this embodiment, the data processor secure process 805 reads (813) encrypted log data from log drive 803 and writes (814) the encrypted log data to data processor storage 806. Data processor storage 806 also stores a default key. The main processor (or a separate hardware processor or processor core) runs data processor secure process 805 to read/write (815A, 815B) a device encryption key and data processor key from/to data processor secure storage 807, wraps the device encryption key with the default key, and writes (816) the wrapped key to data processor process 808, which writes (817) the wrapped key to log drive 803. The same or another data processor secure process 805 wraps the device encryption key with a data processor key read from data processor secure storage 807, and writes (818) the wrapped device encryption key to a database in data processor storage 806.
In an embodiment, the drive encryption key and the data processor key are changed each time the log drive is initialized.
In an embodiment, during a second log processing cycle following a first log ingestion cycle, the data processor key and the drive encryption key are replaced by a new data processor key and a new drive encryption key, and the database in data processor storage 806 is updated with the new drive encryption key wrapped by the new data processor key.
In an embodiment, the data processor key and the drive encryption key are generated by a secure process and stored in data processor secure storage 807.
In an embodiment, originator 802 includes originator secure world 809. Originator secure world 809 is a secure area of a main computer processor (not shown) that ensures code and data loaded inside the originator secure world 809 is protected with respect to confidentiality, authenticity and integrity. In this embodiment, secure process 812 writes (820A) encrypted log data to log drive 803, reads (820B) the device encryption key wrapped by the default key stored in log drive 803 and writes (821) the device encryption key wrapped by the default key to originator secure process 812. Originator storage 811 stores the default key. The main processor also runs an originator secure process 812 to read/write (824) an originator key from/to originator secure storage 819, write (822) the device encryption key wrapped by the originator key to originator storage 811 and read (823) the default key from originator storage 819.
As can be observed from
In an embodiment, the originator key is generated in secure hardware by a secure process.
In an embodiment, there are two or more originator devices and a unique default key is known to each originator device.
Process 900 includes obtaining, during a first log processing cycle, a data processor key and a drive encryption key (901). The data processor key and the drive encryption key are unique to a log drive mounted to the at least one computer processor, as described in reference to
Process 900 continues by wrapping the drive encryption key with the data processor key (902) and storing the drive encryption key wrapped by the data processor key in a database (903). In an embodiment, the database is mapped to data uniquely identifying the log drive, such as a unique identifier or serial number.
Process 900 continues by wrapping the drive encryption key with a default key that is known to at least one originator device (904), wiping the log drive (905), and writing the drive encryption key wrapped by the default key to the log drive (906).
Process 1000 includes obtaining a wrapped drive encryption key (1001), loading the wrapped drive encryption key into secure hardware (1002) and unwrapping the drive encryption key with a default key (1003).
Process 1000 further includes obtaining an originator key (1004), wrapping the drive encryption key with the originator key (1005), erasing a partition of the log drive with the drive encryption key (1006), encrypting the partition of the log drive with the drive encryption key (1007) and appending data to at least one log in the partition on the encrypted log drive (1008).
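The following is an added example, not code from the disclosure or any product, that walks through the key hierarchy described above: the data processor initialization steps (501 to 511, process 900) and the originator deployment and logging steps (602 to 614, process 1000), followed by ingestion and a second cycle in which the data processor key and drive encryption key are rotated. It assumes a standard-library-only stand-in for AES key wrap (an HMAC-SHA256 keystream plus HMAC tag, labelled in the code; a real system would use AES-KW or an AEAD inside the TEE/TPM/HSM), stores one data processor key per drive serial number because the disclosure says those keys are unique to a log drive, and uses a constructed serial number "LD-0001" and constructed log records. Encrypting the partition is modelled as wrapping each appended record with the drive encryption key.

```python
import hashlib
import hmac
import secrets

# --- Key-wrapping primitive (stand-in, not AES-KW) ---------------------------
# RFC 3394 AES key wrap needs a third-party library, so this example uses a
# standard-library substitute: HMAC-SHA256 keystream for confidentiality plus an
# HMAC-SHA256 tag for integrity. The key hierarchy below does not depend on it.

def _keystream(kek: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(kek, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def wrap(kek: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag under the key-encryption key `kek`."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(kek, nonce, len(plaintext))))
    tag = hmac.new(kek, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unwrap(kek: bytes, blob: bytes) -> bytes:
    """Inverse of wrap(); raises ValueError on a wrong key or a tampered blob."""
    if len(blob) < 48:
        raise ValueError("unwrap failed: blob too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(kek, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("unwrap failed: wrong key or tampered blob")
    return bytes(c ^ k for c, k in zip(ct, _keystream(kek, nonce, len(ct))))

# --- Parties -------------------------------------------------------------------

class LogDrive:
    """Removable air-gapped medium: carries dek wrapped by dk, later only ciphertext."""
    def __init__(self, serial: str):
        self.serial, self.wrapped_dek, self.partition = serial, None, []
    def wipe(self):
        self.wrapped_dek, self.partition = None, []

class DataProcessor:
    def __init__(self, default_key: bytes):
        self.dk = default_key   # dpss: default key shared with the originators
        self.dpk = {}           # dpss: data processor key, one per drive serial (assumption)
        self.db = {}            # dps database: serial -> dek wrapped by dpk

    def initialize(self, drive: LogDrive):
        dpk, dek = secrets.token_bytes(32), secrets.token_bytes(32)   # 502, 503
        self.dpk[drive.serial] = dpk                                  # 504
        self.db[drive.serial] = wrap(dpk, dek)                        # 505, 506
        drive.wipe()                                                  # wipe before hand-off
        drive.wrapped_dek = wrap(self.dk, dek)                        # 507-510

    def current_dek(self, serial: str) -> bytes:
        return unwrap(self.dpk[serial], self.db[serial])

    def ingest(self, drive: LogDrive) -> list:
        dek = self.current_dek(drive.serial)   # dek comes from the db, never from the drive
        return [unwrap(dek, record) for record in drive.partition]

class Originator:
    def __init__(self, default_key: bytes):
        self.os = {"dk": default_key}   # originator storage
        self.oss = {}                   # originator secure storage
        self.drive = None

    def deploy(self, drive: LogDrive):
        dek = unwrap(self.os["dk"], drive.wrapped_dek)   # 602-605; wrong dk fails here
        drive.wipe()                                     # 606; dk-wrapped dek leaves the drive
        ok = secrets.token_bytes(32)                     # 608
        self.oss["ok"] = ok                              # 609
        self.os["wrapped_dek"] = wrap(ok, dek)           # 610-611
        self.drive = drive

    def append_log(self, record: bytes):
        dek = unwrap(self.oss["ok"], self.os["wrapped_dek"])
        self.drive.partition.append(wrap(dek, record))   # 612-613, record encrypted under dek

# --- Two logging cycles ----------------------------------------------------------

def run_demo() -> dict:
    dk = secrets.token_bytes(32)
    drive, dp, ecu = LogDrive("LD-0001"), DataProcessor(dk), Originator(dk)  # constructed serial

    dp.initialize(drive)                                  # cycle 1
    cycle1_dek = dp.current_dek(drive.serial)
    ecu.deploy(drive)
    ecu.append_log(b"brake event t=1")
    ecu.append_log(b"brake event t=2")
    ingested = dp.ingest(drive)

    dp.initialize(drive)                                  # cycle 2: fresh dpk and dek
    try:
        Originator(secrets.token_bytes(32)).deploy(drive)  # originator without the right dk
        wrong_dk_rejected = False
    except ValueError:
        wrong_dk_rejected = True
    ecu.deploy(drive)
    ecu.append_log(b"brake event t=3")
    try:
        unwrap(cycle1_dek, drive.partition[0])            # leaked cycle-1 dek vs cycle-2 log
        old_dek_rejected = False
    except ValueError:
        old_dek_rejected = True
    return {"ingested": ingested, "cycle2_ingested": dp.ingest(drive),
            "dek_rotated": dp.current_dek(drive.serial) != cycle1_dek,
            "wrong_dk_rejected": wrong_dk_rejected, "old_dek_rejected": old_dek_rejected}

if __name__ == "__main__":
    print(run_demo())
```

Two properties of the disclosure are visible in the demo: after step 606 the drive carries no key material at all, only ciphertext, so a lost drive exposes nothing to anyone without the database entry and the data processor key; and because each initialization rotates dpk and dek, a drive encryption key recovered from one cycle does not unwrap records from the next.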
In the foregoing description, aspects and embodiments of the present disclosure have been described with reference to numerous specific details that can vary from implementation to implementation. Accordingly, the description and drawings are to be regarded in an illustrative rather than a restrictive sense. The sole and exclusive indicator of the scope of the invention, and what is intended by the applicants to be the scope of the invention, is the literal and equivalent scope of the set of claims that issue from this application, in the specific form in which such claims issue, including any subsequent correction. Any definitions expressly set forth herein for terms contained in such claims shall govern the meaning of such terms as used in the claims. In addition, when we use the term “further comprising,” in the foregoing description or following claims, what follows this phrase can be an additional step or entity, or a sub-step/sub-entity of a previously-recited step or entity.