Craton Shield

Craton Shield — ISO 26262 ASIL-B Safety Case

Craton Shield — ISO 26262 ASIL-B Safety Case

Version: 1.2.0 | Date: 2026-03-13 | Classification: ASIL-B (QM decomposition where applicable)

1 Executive Summary

Craton Shield is a #![no_std] automotive intrusion detection and prevention platform designed as a Safety Element out of Context (SEooC) per ISO 26262-10. This safety case covers the security-relevant functions that execute on vehicle ECUs and whose failure could propagate to safety-critical domains (powertrain, chassis, ADAS) via the CAN, Ethernet, or diagnostic interfaces.

Scope of ASIL-B qualification:

FunctionSubsystem CratesASIL
CAN frame anomaly detectionvs-can-monitor, vs-anomalyASIL-B
Ethernet / SOME/IP firewallvs-eth-monitor, vs-netfwASIL-B
OTA integrity verificationvs-ota-validator, vs-cryptoASIL-B
Runtime orchestrationvs-runtimeASIL-B
Event logging / telemetryvs-event-logger, vs-storageQM

Note: Additional automotive-specific crates are available in the auto/ repository.

2 Safety Concept — SEooC Assumptions

Craton Shield is integrated by an OEM into an ECU whose system-level safety concept assigns the cybersecurity monitoring function an ASIL rating. The following assumptions of use apply:

  1. A-01: The integrator provides a monotonic time source with ≤1 ms jitter to Craton Shield::tick().
  2. A-02: The integrator invokes tick() at the configured period (default 10 ms) without unbounded delay.
  3. A-03: CAN frames are delivered to Craton Shield in reception order with no silent drops.
  4. A-04: The hardware watchdog is configured externally; Craton Shield reports health via PlatformHealth.
  5. A-05: Cryptographic key material is provisioned before init() returns and is protected by an HSM or TEE.
  6. A-06: The stack memory budget advertised in PlatformHealth::peak_stack_bytes is allocated by the integrator.
  7. A-07: The integrator routes SecurityAlert events to a downstream VSOC or DTC handler within the vehicle's fault management strategy.

3 Hazard Analysis and Risk Assessment (HARA)

Per ISO 26262-3 Clause 7, the following hazardous events are identified:

IDHazardous EventSECASIL
HE-01Malicious CAN injection to braking ECU undetected → unintended decelerationS3E4C3D
HE-02Firewall bypass allows unauthorized SOME/IP service control → actuator command injectionS3E3C3C
HE-03Diagnostic session hijack enables ECU reflash → loss of safety functionS3E2C3B
HE-04OTA update with tampered firmware installed → arbitrary code executionS3E2C3B
HE-05V2X spoofed BSM accepted as genuine → incorrect collision avoidanceS3E3C2B
HE-06False-positive CAN alert suppresses legitimate braking commandS3E3C2B
HE-07Runtime crash (panic/stack overflow) disables all security monitoringS2E4C3C
HE-08Crypto key compromise enables authenticated attacker accessS3E1C3A

Safety Goals

SGDerived FromDescriptionASIL
SG-01HE-01, HE-06Detect malicious CAN frames within 50 µs WCETB
SG-02HE-02Enforce network firewall default-deny policyB
SG-03HE-08Protect cryptographic key material with zeroizationB
SG-04HE-04Validate OTA update signatures before installationB
SG-05HE-03, HE-08Maintain tamper-evident audit trailB
SG-06HE-04Detect boot chain integrity violationsB
SG-07HE-07Runtime shall remain operational under all input conditions (no panic)B

4 FMEA — Software Component Failure Modes

4.1 CAN Monitor (vs-can-monitor, vs-anomaly)

Failure ModeEffectSeverityDetectionMitigation
FM-CAN-01: Missed detection (threshold too high)Malicious frame reaches target ECUHighIntegration test with known-attack datasetConfigurable thresholds, dual-detector ensemble
FM-CAN-02: False positive (threshold too low)Legitimate frame blockedHighStatistical validation in CIEWMA warm-up period, z-score calibration
FM-CAN-03: Frame counter overflowIncorrect frequency calculationMediumCompile-time overflow checks (wrapping_add)Explicit wrapping arithmetic, tick reset
FM-CAN-04: Signal extraction out-of-bounds readUndefined behaviorCritical#![deny(unsafe_code)], bounds checksAll bit extraction uses checked indexing

4.2 Ethernet Firewall (vs-eth-monitor, vs-netfw)

Failure ModeEffectSeverityDetectionMitigation
FM-ETH-01: Rule table corruptionFirewall bypassCriticalCRC32 integrity check on rule tablecheck_integrity() on every tick()
FM-ETH-02: Default-deny not enforcedUnconfigured traffic passesHighTest: empty rule table rejects allDefaultPolicy::Deny is compile-time default
FM-ETH-03: SOME/IP-SD flood not detectedDoS on service discoveryMediumRate threshold testSD_FLOOD_THRESHOLD constant, per-tick counter

4.3 Cryptographic Provider (vs-crypto)

Failure ModeEffectSeverityDetectionMitigation
FM-CRY-01: Key material leak via memoryKey compromiseCriticalZeroize-on-drop testzeroize crate, Drop impl on KeyEntry
FM-CRY-02: ECDSA verification accepts invalid signatureAuthentication bypassCriticalKnown-answer tests (KAT)RustCrypto p256 crate (audited)
FM-CRY-03: AES-GCM authentication tag not checkedCiphertext tampering undetectedCriticalModified-ciphertext testaes-gcm crate AEAD API enforces tag check
FM-CRY-04: RNG returns predictable output (e.g., all zeros)Predictable keys/noncesCriticalRNG output validation testdefault_rng() rejects zero-entropy output (S1 fix)
FM-CRY-05: Timing side-channel in comparisonKey/signature leak via timingHighConstant-time verification testsubtle::ConstantTimeEq (S9 fix)

4.4 Runtime (vs-runtime)

Failure ModeEffectSeverityDetectionMitigation
FM-RT-01: Init failure not reportedSubsystem silently disabledHighPlatformHealth test for NotInitialized statesAll 18 subsystem statuses checked
FM-RT-02: Tick exceeds WCET budgetWatchdog timeoutHighWCET measurement on targetBounded-loop design, no heap allocation
FM-RT-03: Stack overflowUndefined behaviorCriticalStack watermark analysisFixed-size arrays, no recursion

5 Software Safety Requirements (SSR)

IDRequirementASILTraces ToVerified By
SSR-01CAN frame processing shall complete within 50 µs WCETBSG-01, SG-07WCET analysis on target
SSR-02CAN allowlist shall reject unknown arbitration IDsBSG-01test_allowlist_rejects_unknown_id
SSR-03Ethernet firewall shall enforce default-deny policyBSG-02test_empty_rules_reject_all
SSR-04OTA signature verification shall support ECDSA P-256BSG-04test_ota_signature_verification
SSR-05Cryptographic operations shall use SoftwareCryptoProvider or HSMBSG-03test_crypto_provider_operations
SSR-06Key material shall be zeroized on dropBSG-03test_key_zeroize_on_drop
SSR-07Event log shall maintain HMAC chain integrityBSG-05test_event_log_hmac_chain
SSR-08Anomaly detection shall use EWMA and entropy methodsBSG-01test_anomaly_detection_ewma_entropy
SSR-09Secure boot shall verify firmware hash chainBSG-06test_secure_boot_hash_chain
SSR-10Runtime integrity shall detect memory corruptionBSG-06test_runtime_integrity_corruption
SSR-11Policy engine shall evaluate without allocationBSG-07test_policy_engine_no_alloc
SSR-12IDS engine shall coordinate all monitorsBSG-01, SG-02test_ids_engine_coordination
SSR-13Security alerts shall include monotonic timestampsBSG-05test_alert_monotonic_timestamps
SSR-14Rate limiting shall prevent log floodingBSG-05test_rate_limiting
SSR-15OTA rollback protection shall use monotonic counterBSG-04test_ota_rollback_protection
SSR-16FFI shall catch panics and return error codesBSG-07test_ffi_panic_catch

6 ASIL Decomposition

Per ISO 26262-9 Clause 5, the following decomposition is applied:

ComponentASILRationale
vs-runtimeASIL-BOrchestrates all safety-relevant subsystems
vs-can-monitorASIL-BDirectly protects CAN bus safety functions
vs-anomalyASIL-BCore detection algorithm for CAN IDS
vs-eth-monitorASIL-BEthernet/SOME/IP firewall enforcement
vs-netfwASIL-BNetwork firewall rule engine
vs-cryptoASIL-BAuthentication for OTA and key operations
vs-ota-validatorASIL-BOTA integrity verification
vs-key-managerASIL-BKey storage, rotation, and zeroization
vs-secure-bootASIL-BBoot chain integrity verification
vs-integrityASIL-BRuntime memory integrity checks
vs-ids-engineASIL-BCentral IDS coordination
vs-policy-engineASIL-BRule-based policy evaluation
vs-typesASIL-BShared types used by all ASIL components
vs-hal / vs-hal-linuxQMHardware abstraction layer
vs-event-loggerQMLogging/telemetry, no safety function
vs-storageQMPersistent storage, no safety function
vs-ffiQMForeign function interface layer
vs-report-iec62443QMIEC 62443 compliance report generation
vs-report-iso21434QMISO/SAE 21434 TARA report generation
vs-report-iec62304QMIEC 62304 traceability matrix generation

Note: The workspace contains 21 crates in total (17 listed above plus the 3 report crates and vs-hal-linux). Additional automotive-specific crates (signal-ids, diag-gateway, v2x, autosar) are available in the auto/ repository.

6.1 SG-06 ASIL Retention and Independence Argument

Safety Goal SG-06 ("Detect boot chain integrity violations") is retained at ASIL-B without further decomposition. Per ISO 26262-9 Clause 5.4.3, ASIL decomposition may be omitted when an independent safety mechanism provides sufficient diagnostic coverage for the safety goal.

In the Craton Shield integration architecture, the external hardware watchdog (configured by the integrator per assumption A-04) serves as an independent safety mechanism that is:

  1. Independent of Craton Shield software — the watchdog runs on dedicated hardware outside the monitored ECU's application core, with its own clock domain and power supply.
  2. Capable of detecting SG-06 failures — if the secure boot verification in vs-secure-boot fails or hangs (i.e., verify_chain() does not complete within the configured watchdog timeout), the watchdog triggers a reset, preventing execution of unverified firmware.
  3. Not subject to common-cause failure — the watchdog is not implemented in Rust, does not share memory with Craton Shield, and is not affected by software faults in the boot chain verification logic.

Because the external hardware watchdog provides an independent detection path for boot chain integrity failures, the conditions of ISO 26262-9 Clause 5.4.3 are satisfied, and SG-06 is retained at ASIL-B for the vs-secure-boot and vs-integrity crates without decomposition to lower ASIL sub-elements.

Integrator obligation: The integrator shall configure the hardware watchdog timeout to be no greater than the secure boot WCET budget documented in Section 9.4, ensuring that a stalled or failed boot verification is detected before control is passed to application software.

7 Traceability Matrix

SSRTest Case(s)Source Location
SSR-01WCET measurement (target)crates/can-monitor/src/lib.rsprocess_frame()
SSR-02allowlist_rejects_unknown_idcrates/can-monitor/src/lib.rscheck_allowlist()
SSR-03empty_rule_table_rejectscrates/netfw/src/lib.rsevaluate()
SSR-04ota_signature_verificationcrates/ota-validator/src/lib.rsverify_signature()
SSR-05crypto_provider_operationscrates/crypto/src/software.rsSoftwareCryptoProvider
SSR-06key_zeroize_on_dropcrates/key-manager/src/lib.rsDrop for KeyEntry
SSR-07event_log_hmac_chaincrates/event-logger/src/lib.rsappend()
SSR-08anomaly_detection_ewma_entropycrates/anomaly/src/lib.rsdetect()
SSR-09secure_boot_hash_chaincrates/secure-boot/src/lib.rsverify_chain()
SSR-10runtime_integrity_corruptioncrates/integrity/src/lib.rsverify_region()
SSR-11policy_engine_no_alloccrates/policy-engine/src/lib.rsevaluate()
SSR-12ids_engine_coordinationcrates/ids-engine/src/lib.rscoordinate()
SSR-13alert_monotonic_timestampscrates/types/src/lib.rsSecurityAlert
SSR-14rate_limitingcrates/event-logger/src/lib.rsrate_limit()
SSR-15ota_rollback_protectioncrates/ota-validator/src/lib.rscheck_rollback()
SSR-16ffi_panic_catchcrates/ffi/src/lib.rscatch_unwind()

8 Tool Qualification (ISO 26262-8 Clause 11)

ToolVersionTCLQualification Method
Rust compiler (rustc)1.82+TCL2Validation suite (Rust test suite), community audit

Note on compiler qualification: The community rustc compiler is not formally qualified under ISO 26262. For series-production ASIL-B deployment, integrators should use the Ferrocene qualified Rust compiler, which provides ISO 26262 TCL2 and IEC 61508 T3 qualification evidence. Craton Shield is compatible with Ferrocene; no source changes are required. | Clippy | Latest | TCL1 | Static analysis tool, advisory only | | cargo-llvm-cov | 0.6+ | TCL1 | Coverage measurement, no code generation | | cargo-audit | Latest | TCL1 | Dependency vulnerability scanner | | GitHub Actions CI | N/A | TCL1 | Build automation, no code transformation |

TI 1 (Tool Impact): Tools generate or transform code → TCL2 (rustc only) TD 1 (Tool Detection): Output verified by test suite → high confidence

9 Verification and Validation Plan

9.1 Unit Tests

  • Coverage target: ≥80% line coverage (measured by cargo-llvm-cov)
  • Current: 1,589 tests (1,248 unit + 341 integration) across 21 crates, zero clippy warnings
  • Framework: #[cfg(test)] in-crate tests, tests/ integration tests

9.2 Integration Tests

  • Full-stack tests in tests/full_stack.rs exercising runtime init → tick → alert flow
  • OTA attack simulation in tests/ota_attack.rs
  • 25 integration test files with 341 tests total (see test plan for full breakdown)

Note: Diagnostic session tests are maintained in the auto/ repository.

9.3 Static Analysis

  • cargo clippy --workspace --all-targets -- -D warnings (zero warnings enforced)
  • #![deny(unsafe_code)] on all crates except vs-ffi, vs-hal-linux, and vs-storage, which require unsafe for C-ABI, libc FFI, and memory-locking respectively and use #![allow(unsafe_code)] with per-block safety comments — 37 unsafe items in production code (6 in vs-ffi, 29 in vs-hal-linux, 2 in vs-storage)
  • #![no_std] verified via --target thumbv7em-none-eabihf cross-compilation

9.4 WCET Analysis

  • To be measured on target hardware (Cortex-M4 @ 150 MHz or Cortex-A53 @ 1.2 GHz)
  • Budget: tick() ≤ 1 ms, process_frame() ≤ 50 µs, inspect_packet() ≤ 100 µs

9.5 Penetration Testing

  • Third-party pentest before series production release
  • Scope: CAN injection, SOME/IP fuzzing, OTA MITM, secure boot bypass, key extraction
  • Acceptance: no critical or high findings

9.6 Formal Review

  • Architecture review per ISO 26262-6 Table 1 (ASIL-B methods)
  • Code review: all changes reviewed before merge (enforced by CI branch protection)

10 Configuration Management

  • Version control: Git with signed commits
  • Branch protection: main requires CI pass + code review
  • Release tagging: Semantic versioning (e.g., v1.1.0)
  • SBOM: Generated via cargo-cyclonedx for each release
  • Artifact hashes: SHA-256 of release binaries stored in release notes

Appendix A — Glossary

TermDefinition
SEooCSafety Element out of Context (ISO 26262-10)
ASILAutomotive Safety Integrity Level (A–D)
HARAHazard Analysis and Risk Assessment
FMEAFailure Mode and Effects Analysis
SSRSoftware Safety Requirement
WCETWorst-Case Execution Time
TCLTool Confidence Level
PSIDProvider Service Identifier (IEEE 1609.2)
SPDUSecured Protocol Data Unit (IEEE 1609.2)
BSMBasic Safety Message (SAE J2735)