Skip to Main Content
The expected high complexity in future automotive applications will require to frequently update electronic devices supporting those applications. Even if in-car devices are trusted, potential attacks on over the air exchanges impose stringent requirements on both safety and security. To address the formal verification of safety properties, we have previously introduced the AVATAR UML profile whose methodology covers requirement, analysis, design, and formal verification stages . We now propose to extend AVATAR to support both safety and security during all methodological stages, and in the same models. The paper applies the extended AVATAR to an over the-air protocol for trusted firmware updates of in-car control units, with a special focus on design and formal verification stages.