
CN110460573B - ECU security upgrade management system and method applied to automobile - Google Patents

ECU security upgrade management system and method applied to automobile

Info

Publication number
CN110460573B
Authority
CN
China
Prior art keywords
file
ecu
module
patch package
package
Prior art date
Legal status
Active
Application number
CN201910610375.2A
Other languages
Chinese (zh)
Other versions
CN110460573A (en)
Inventor
肖文平
何敖东
王学栋
陈斌
张航
Current Assignee
Shanghai Hinge Electronic Technologies Co Ltd
Original Assignee
Shanghai Hinge Electronic Technologies Co Ltd
Priority date
Filing date
Publication date
Application filed by Shanghai Hinge Electronic Technologies Co Ltd
Priority to CN201910610375.2A
Publication of CN110460573A
Application granted
Publication of CN110460573B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00 Arrangements for software engineering
    • G06F8/60 Software deployment
    • G06F8/65 Updates
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/40 Bus networks
    • H04L12/40006 Architecture of a communication node
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/12 Applying verification of the received information
    • H04L63/123 Applying verification of the received information received data contents, e.g. message integrity
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/40 Bus networks
    • H04L2012/40208 Bus networks characterized by the use of a particular bus standard
    • H04L2012/40215 Controller Area Network CAN
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/40 Bus networks
    • H04L2012/40267 Bus for use in transportation systems
    • H04L2012/40273 Bus for use in transportation systems the transportation system being a vehicle

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Small-Scale Networks (AREA)
  • Stored Programmes (AREA)

Abstract

The invention provides a security upgrade management system and method applied to an automobile ECU (electronic control unit). The system comprises a security management module, an intrusion detection module, a central gateway, a protection ECU and a vulnerability (loophole) ECU. The intrusion detection module monitors the in-vehicle network in real time; when the in-vehicle network is attacked, the attack information is fed back to the security management module in a timely manner, the security management module issues a control instruction to the protection ECU, and the protection ECU sends a resistance strategy to the ECU that is under attack or may be attacked so that it can resist the attack. During upgrading, a small compensation package is introduced into the upgrade file; the introduced compensation packages replace the patch packages of the different historical versions, which greatly reduces the size of the data package required for the upgrade and saves transmission time for the ECU upgrade patch package.

Description

ECU security upgrade management system and method applied to automobile
Technical Field
The invention relates to the field of automobile ECUs, and in particular to a security upgrade management system and method applied to automobile ECUs.
Background
With the popularity of automobiles, more and more automobiles enter ordinary households, but safety and security issues are brought about as a result. Recently, many automobile manufacturers and research institutions have been promoting intelligent automobiles, so that automobiles tend to become intelligent and user-oriented. In the automobile industry, the development of unmanned automobiles, Advanced Driver Assistance Systems (ADAS), ABS (anti-lock braking systems) and the like has become the direction of future technology. When these functions are installed in a vehicle, the number of Electronic Control Units (ECUs) in the automobile increases, and 100 ECUs may be required to control the vehicle system, which increases software size and logic complexity. Furthermore, the software installed in the vehicle is becoming larger and more complex. If a software bug is not repaired in time, great danger can occur. The number of recalls caused by software is increasing, and it is important to repair errors quickly once they are detected; bug fixes and the addition of new features mean that application upgrades are becoming very frequent. Currently, vehicle ECUs are connected through a vehicle network, which is used to update the ECU software. In the future, as networked vehicles become more prevalent, vehicles will add new functionality to provide various services, such as smartphone application downloads. However, by connecting the vehicle to the internet, it may become a target of cyber attack. In fact, it is possible to remotely operate a vehicle by exploiting a vulnerability through a wireless interface, and there has been a case that developed into a large-scale recall.
The frequency and importance of ECU software updates will increase due to the addition of new functions, the correction of defects and the need to cope with security risks. Conventionally, ECU software bugs are fixed by the user bringing the vehicle to a dealer, where an engineer performs the fix over a wired connection using a dedicated diagnostic device. However, the conventional method has two disadvantages. First, the user must take the automobile to a dealer to install new software; if the frequency of software updates increases in the future, this becomes a burden on the user. Second, the number of vehicles that can be updated at one time is limited, because software updates require specialized equipment and a place where the vehicles are parked. Such restrictions become an obstacle immediately after an update is released or when vehicles are updated on the production line. As a result, the time required to perform the update increases significantly. Over-the-air (OTA) methods for updating on-board software have therefore been developed. If wireless communication (mobile network, Wi-Fi, etc.) is available, the update can be done through OTA, which reduces the burden of software updates because the user can perform the update without going to the dealer. In addition, with wireless communication a plurality of vehicles can be updated simultaneously, so the update is not limited by the number of devices or the number of parked vehicles. During an ECU software update, if the transmission speed is too slow and the data packets are too large, the time taken for the ECU software upgrade increases, and during that time the user cannot use the vehicle; using the vehicle during an update would be dangerous. Thus, the ECU software update is performed while the vehicle is parked. Because the user cannot use the car during the software update, it is necessary to shorten the software update time.
In the prior art, even if the new package differs only slightly from the old package, the complete new installation package is downloaded and installed as a replacement at each version upgrade. This full-update mode not only wastes client network traffic but also increases the time consumed by the upgrade process. The user cannot use the vehicle during the ECU repair time, which inevitably inconveniences the user, so compressing the ECU repair time is a technical problem that urgently needs to be solved. At the same time, the repair time of the vehicle's ECU software must be made known, so that the user can choose a suitable period for the upgrade according to their own schedule; the challenge in compressing the upgrade time comes from reducing the size of the upgrade package as much as possible. On the other hand, the system should be protected against hacker attacks as much as possible, and when the in-vehicle network is attacked by hackers this should be discovered as early as possible and a countermeasure taken, so that the damage caused by the attack is reduced to a minimum.
Disclosure of Invention
Based on the defects in the prior art, and in order to achieve the above purpose, the invention provides a method for upgrading a file of an automobile ECU, which solves the technical problems that the existing upgrade data packet is large and the upgrade process is easily attacked by hackers. Specifically, the method comprises the following steps:
A security upgrade management method applied to an automobile ECU comprises at least the following steps:
a central gateway in the vehicle receives an upgrade file from a server, and the upgrade file is transmitted through the central gateway to the ECU (electronic control unit) to be upgraded;
the intrusion detection module monitors the in-vehicle network in real time, and when it finds a data packet containing attack code in the upgrade file, or when the in-vehicle network is attacked, it feeds back the detected attack information to the security management module;
when the security management module receives attack information fed back by the intrusion detection module, it sends a control instruction to the protection module to prevent the target ECU from being intruded;
the protection module is configured to correspond to the security management module; it adopts a corresponding attack resisting strategy according to the control instruction sent by the security management module and sends the strategy to the target ECU;
the ECU comprises a resisting module, which is configured with a function matching the attack resisting strategy; when the target ECU is attacked, the resisting module in the ECU calls the matching application program to resist the intrusion according to the attack resisting strategy sent by the protection module;
the attack resisting strategy comprises a target ECU security reset strategy, a security reset strategy of a target node gateway, and a strategy for discarding data packets containing attack code;
the data packet containing the attack code comprises at least data conforming to the CAN message format;
the protection module is configured as a protection ECU, and the strategy of discarding the data packet containing the attack code specifically includes: the security management module sends the data containing the attack code to a protection ECU installed in a specific domain; the protection ECU broadcasts the information of the attack data packet, containing its CAN message identifier, to all ECUs in the same domain; and the ECUs call an application program through the resisting module to discard data packets carrying the corresponding CAN message identifier.
The ECU security upgrade management method applied to the automobile further comprises the following steps:
when the target ECU receives a security reset strategy, the target ECU enters a safe mode after being automatically restarted, and the safe mode comprises at least the following:
the ECU is configured to allow basic driving operations so as to keep the vehicle safe, to allow only the processing of security-verified CAN messages, or to require integrity checking and data encryption of received data.
In the security upgrade management method applied to an automobile ECU, further,
when the attack is over, the protection ECU again broadcasts a data packet containing the normal form of the corresponding CAN message identifier.
In the security upgrade management method applied to an automobile ECU (electronic control unit), further, when the in-vehicle network uses automotive Ethernet for transmission and node gateways are provided to connect the various domains, and an attack occurs, the security management module sends a control instruction to the attacked target node gateway instructing it to adopt an attack resisting strategy;
the attack resisting strategy comprises a security reset strategy for the target node gateway, under which the node gateway enters a safe mode after being automatically restarted; the safe mode of the node gateway comprises at least the following: the node gateway is configured to allow basic driving operations so as to keep the vehicle safe, to allow only the processing of security-verified CAN messages, or to require integrity checking and data encryption of received data.
In the security upgrade management method applied to an automobile ECU, further, the CAN message format includes at least a CAN message address and a remote request bit;
the remote request bit is the field that distinguishes a remote frame from a data frame: a data frame is used for data transmission on the CAN bus, its remote request bit must be dominant (explicit), and the bit is represented by 0;
a remote frame is used to send requests and carries no payload data; its remote request bit must be recessive (implicit), and the bit is represented by 1.
The security upgrade management method of the automobile ECU further comprises the following steps:
the security management module issues a data-packet discard instruction to the protection ECU; the protection ECU changes the remote request bit of the data packet that conforms to the CAN message format and contains the attack code for that CAN message address from dominant (explicit) 0 to recessive (implicit) 1, and then sends the changed data packet to all ECUs by broadcast;
an ECU responds only when the received CAN message address is a CAN message address associated with it, and directly discards the data packet when the address is not associated;
the conversion between dominant and recessive is realized by changing the value of the remote request bit through voltage control of the CAN_H high level and the CAN_L low level on the CAN bus.
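The following Python is an added illustration, not code from the patent or its assignee. It models the standard-frame header of Fig. 3 with the remote request bit semantics above, and the discard strategy in the preceding steps: the protection ECU rebroadcasts the flagged identifier with the remote request bit flipped to recessive 1, and each ECU's resisting module discards frames whose identifier is not associated with it or has been flagged, until the normal data-frame form is broadcast again. The class and method names, the separate notice channel and the omission of bit stuffing, CRC and ACK are assumptions made here.

```python
from dataclasses import dataclass

# Remote request (RTR) bit values as described in the text: dominant ("explicit") 0
# marks a data frame, recessive ("implicit") 1 marks a remote frame.
RTR_DATA, RTR_REMOTE = 0, 1


@dataclass
class CanFrame:
    can_id: int              # 11-bit standard identifier (the "CAN message address")
    rtr: int = RTR_DATA      # remote request bit
    data: bytes = b""        # payload; a remote frame carries none


def encode_frame(frame: CanFrame) -> str:
    """Bit string for SOF, arbitration field (ID, RTR), control field (IDE, r0, DLC)
    and the data bytes of a standard frame. Bit stuffing, CRC, ACK and EOF are omitted."""
    if not 0 <= frame.can_id < 2 ** 11 or len(frame.data) > 8:
        raise ValueError("not a valid standard CAN frame")
    if frame.rtr == RTR_REMOTE and frame.data:
        raise ValueError("remote frames carry no payload")
    bits = "0"                                  # SOF is always dominant
    bits += format(frame.can_id, "011b")        # 11-bit identifier
    bits += str(frame.rtr)                      # RTR: 0 data frame, 1 remote frame
    bits += "00"                                # IDE (standard frame) and r0, dominant
    bits += format(len(frame.data), "04b")      # DLC
    bits += "".join(format(b, "08b") for b in frame.data)
    return bits


def decode_frame(bits: str) -> CanFrame:
    """Inverse of encode_frame for the fields the discard strategy needs."""
    can_id, rtr, dlc = int(bits[1:12], 2), int(bits[12]), int(bits[15:19], 2)
    data = bytes(int(bits[19 + 8 * i:27 + 8 * i], 2) for i in range(dlc))
    return CanFrame(can_id, rtr, data)


class ProtectionEcu:
    """Receives the attack packet from the security management module and produces the
    broadcast for every ECU in its domain: same identifier, RTR flipped to recessive 1."""

    def discard_notice(self, attack: CanFrame) -> CanFrame:
        return CanFrame(attack.can_id, RTR_REMOTE)

    def release_notice(self, can_id: int) -> CanFrame:
        # Attack over: broadcast the identifier in its normal data-frame form again.
        return CanFrame(can_id, RTR_DATA)


class Ecu:
    """Resisting module of an ordinary ECU: keeps the identifiers flagged by the
    protection ECU and filters every incoming frame against them."""

    def __init__(self, associated_ids):
        self.associated = set(associated_ids)   # CAN addresses this ECU responds to
        self.blocked = set()

    def on_protection_notice(self, notice: CanFrame) -> None:
        if notice.rtr == RTR_REMOTE:
            self.blocked.add(notice.can_id)      # discard this identifier from now on
        else:
            self.blocked.discard(notice.can_id)  # normal form rebroadcast: lift the block

    def on_frame(self, frame: CanFrame) -> str:
        if frame.can_id not in self.associated:
            return "discard:not-associated"
        if frame.can_id in self.blocked:
            return "discard:flagged"
        return "accept"
```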
The security upgrade management method applied to the automobile ECU further comprises a vulnerability ECU that is monitored when the intrusion detection module monitors the in-vehicle network; the vulnerability ECU makes a data packet containing attack code easier for the intrusion detection module to detect.
In the security upgrade management method of the automobile ECU, further, the upgrade file comprises at least a patch package, where the patch package is synthesized by matching a reference patch package to the ECU to be upgraded;
the method for forming the reference patch package and the compensation packages comprises the following steps:
step 1: perform a difference analysis between the new file and an old file, find the differences between them, obtain the difference data packet of the new file and the old file, and extract and package the difference data packet to form a patch package; repeat step 1 until patch packages corresponding to the new file and all old files of different historical versions have been obtained;
step 2: select one of the plurality of patch packages as the reference patch package;
step 3: compare the selected reference patch package with a selected patch package, find the differences between them, obtain the difference data packet of the reference patch package and the patch package, and extract, package and compress the difference data packet to form a compensation package; repeat step 3 until the compensation packages corresponding to the reference patch package and all old files of different historical versions have been obtained.
The security upgrade management method of the automobile ECU further comprises the following steps:
step S200: sort the old file and the new file using a suffix array method to form a string group;
step S201: then compare the new file with the old file according to the formed string group;
step S202: search for the identical parts of the old file and the new file using binary search;
step S203: find the longest common subsequence of the new file and the old file and determine the difference part;
step S204: find the extra parts between the new file and the old file;
step S205: compress the difference part, the extra part and the control words;
step S206: form the patch package.
The storage addresses of data in the new file and the old file are 4 bytes, and a fixed 8 bytes of operation code are stored under each address.
The security upgrade management method of the automobile ECU further comprises the following steps:
step S300: decompress the reference patch package and the patch package to obtain their decompressed files respectively; each decompressed file comprises three parts, a control word file, a difference file and an extra file, i.e. the reference patch package and the patch package each comprise a control word file, a difference file and an extra file;
step S301: discard the control word file of the reference patch package, retain the control word file of the patch package, and perform a difference analysis between the difference file and extra file of the reference patch package and the difference file and extra file of the patch package using the BSDIFF algorithm;
step S302: form the corresponding sub difference file, sub extra file and sub control word file with the BSDIFF algorithm;
step S303: package the formed sub difference file, sub extra file and sub control word file together with the retained control word file of the patch package, and then compress them to form the compensation package.
The security upgrade management method of the automobile ECU further comprises the following steps:
step S400: decompress the compensation package and the reference patch package to obtain their decompressed files respectively; the decompressed files of the compensation package comprise the sub difference file, the sub extra file, the sub control word file and the retained control word file of the patch package, and the files obtained after decompressing the reference patch package comprise the difference file, the extra file and the control word file;
step S401: discard the control word file of the reference patch package, retain the control word file of the patch package, and restore the sub difference file and sub extra file into the difference file and extra file of the patch package by adding to and inserting into the difference file and extra file of the reference patch package according to the guide information in the sub control word file;
step S402: pack the formed difference file and extra file together with the retained control word file of the patch package to form the patch package.
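The following Python is an added worked example, not the patent's own code, of steps 1 to 3, S200 to S206, S300 to S303 and S400 to S402 above: it builds one patch per historical version, selects a reference patch package, derives a compensation package for each other version by diffing only the extra files while retaining that patch's control words, and on the vehicle side synthesizes the patch back and applies it. difflib stands in for the suffix-array and BSDIFF difference analysis, the copy/extra control words, the JSON-plus-zlib packaging and the choice of the largest patch as reference are assumptions made here, and the firmware images are constructed sample input.

```python
import difflib
import json
import zlib

# Constructed sample firmware images (not from the patent): one new file and three
# historical versions that each differ from it in a different place.
BASE = bytes(range(256)) * 4
NEW_FILE = BASE[:300] + b"NEW-FEATURE" + BASE[300:900] + b"BUGFIX" + BASE[900:]
OLD_VERSIONS = {
    "v1.9": BASE[:100] + b"LEGACY" + BASE[100:],
    "v2.0": BASE,
    "v2.1": BASE[:300] + b"NEW-FEATURE" + BASE[300:],
}


def diff_parts(old: bytes, new: bytes):
    """Difference analysis (simplified BSDIFF): control words say how to rebuild `new`,
    either by copying a run from `old` or by taking bytes from the extra file, which
    collects the parts of `new` that have no counterpart in `old`."""
    ctrl, extra = [], bytearray()
    matcher = difflib.SequenceMatcher(None, old, new, autojunk=False)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag == "equal":
            ctrl.append(["copy", i1, i2 - i1])      # offset and length in old
        elif j2 > j1:                               # replace / insert
            ctrl.append(["extra", j2 - j1])         # length to take from the extra file
            extra += new[j1:j2]
    return ctrl, bytes(extra)


def apply_parts(old: bytes, ctrl, extra: bytes) -> bytes:
    """Replay the control words against `old` and the extra file to rebuild the target."""
    out, pos = bytearray(), 0
    for word in ctrl:
        if word[0] == "copy":
            out += old[word[1]:word[1] + word[2]]
        else:
            out += extra[pos:pos + word[1]]
            pos += word[1]
    return bytes(out)


def pack(parts: dict) -> bytes:
    """A package is the JSON of its parts (bytes stored as hex), zlib-compressed."""
    return zlib.compress(json.dumps(parts).encode())


def unpack(package: bytes) -> dict:
    return json.loads(zlib.decompress(package))


def make_patch(old: bytes, new: bytes) -> bytes:
    """Step 1 / S200-S206: patch package = control word file + extra file, compressed."""
    ctrl, extra = diff_parts(old, new)
    return pack({"ctrl": ctrl, "extra": extra.hex()})


def apply_patch(old: bytes, patch: bytes) -> bytes:
    p = unpack(patch)
    return apply_parts(old, p["ctrl"], bytes.fromhex(p["extra"]))


def make_compensation(ref_patch: bytes, patch: bytes) -> bytes:
    """S300-S303: decompress both packages, drop the reference's control words, keep the
    patch's own, and run the difference analysis on the extra files only."""
    ref, pat = unpack(ref_patch), unpack(patch)
    sub_ctrl, sub_extra = diff_parts(bytes.fromhex(ref["extra"]), bytes.fromhex(pat["extra"]))
    return pack({"ctrl": pat["ctrl"], "sub_ctrl": sub_ctrl, "sub_extra": sub_extra.hex()})


def synthesize_patch(ref_patch: bytes, compensation: bytes) -> bytes:
    """S400-S402: rebuild the patch's extra file from the reference's extra file, guided
    by the sub control words, and repack it with the retained control word file."""
    ref, comp = unpack(ref_patch), unpack(compensation)
    extra = apply_parts(bytes.fromhex(ref["extra"]), comp["sub_ctrl"],
                        bytes.fromhex(comp["sub_extra"]))
    return pack({"ctrl": comp["ctrl"], "extra": extra.hex()})


def build_release(new: bytes, old_versions: dict):
    """Steps 1-3 on the server: one patch per historical version, one reference patch
    package, and a compensation package for every other version. The patent leaves the
    choice of reference open; taking the largest patch is an assumption made here."""
    patches = {v: make_patch(old, new) for v, old in old_versions.items()}
    ref_version = max(patches, key=lambda v: len(patches[v]))
    ref_patch = patches[ref_version]
    comps = {v: make_compensation(ref_patch, p) for v, p in patches.items() if v != ref_version}
    return ref_version, ref_patch, comps


def upgrade(old: bytes, version: str, ref_version: str, ref_patch: bytes, comps: dict) -> bytes:
    """Vehicle side: synthesize the patch for this ECU's version, then apply it to the old file."""
    patch = ref_patch if version == ref_version else synthesize_patch(ref_patch, comps[version])
    return apply_patch(old, patch)
```

Because every copy word points at a run that is byte-for-byte equal in both files, reconstruction is exact regardless of how good the match search is; only the package size depends on it.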
The invention also provides a security upgrade management system applied to the automobile ECU, which comprises a central gateway, an intrusion detection module, a security management module and a plurality of ECUs, wherein the security management module and the intrusion detection module are each electrically connected through the central gateway;
the central gateway is used at least for communication between the interior and exterior of the vehicle, for data processing, or for in-vehicle network management;
the intrusion detection module is configured as a monitoring module or monitoring device used to monitor the security of the in-vehicle network in real time, and when it detects that the in-vehicle network is attacked it feeds the attack information back to the security management module; the security management module is a control device or control module that reduces the damage caused by a network attack when the intrusion detection module detects an attack on the automobile network;
the security management module is configured as a control device or control module that issues a control instruction and causes the target to adopt an attack resisting strategy when the intrusion detection module detects that the in-vehicle network is attacked;
the protection module is configured to adopt an attack resisting strategy according to the control instruction issued by the security management module and to send the strategy to the ECU, and the protection module is electrically connected with the central gateway through the CAN bus;
the ECU comprises a resisting module, which is configured with a function matching the attack resisting strategy; when the target ECU is attacked, the resisting module in the ECU calls the matching application program to resist the intrusion according to the attack resisting strategy sent by the protection module;
the security management module and the intrusion detection module may exist as independent hardware or may be integrated into the central gateway as software modules;
when there is no node gateway, each ECU is electrically connected with the central gateway through the CAN bus.
In the security upgrade management system applied to the automobile ECU, further, the protection module is configured as a protection ECU, and the protection ECU and the other ECUs are connected into a CAN network through the CAN bus.
The security upgrade management system applied to the automobile ECU further comprises node gateways, which are electrically connected with the central gateway through an automotive Ethernet bus, with each ECU electrically connected with a node gateway through a CAN network data bus.
The security upgrade management system applied to the automobile ECU further comprises a vulnerability ECU, which is configured as an ECU with more security vulnerabilities, so that a data packet containing attack code is easier for the intrusion detection module to detect;
the system further comprises a server and a communication module, wherein the server is electrically connected with the central gateway through the communication module; the server is used for storing the upgrade files required for the upgrade; the communication module is arranged in the vehicle and is electrically connected with the central gateway through the automotive Ethernet; and the communication module is electrically connected with the server in a wired or wireless manner.
The security upgrade management system applied to the automobile ECU is further used to carry out the security upgrade management method applied to the automobile ECU described above.
The beneficial effects of the invention are:
1. Using the security management module and the intrusion detection module, with the ECU comprising a resisting module and with a protection ECU, when the in-vehicle network is attacked by a hacker the intrusion detection module can feed the attack information back to the security management module in time, the security management module can send a control command to the protection ECU, and the protection ECU can promptly adopt a resisting strategy for the ECU that may be intruded, reducing the risk that the ECU is damaged by the attack. Each ECU is thus not attacked during the upgrade process, and the security of the system is monitored in time so that measures can be taken.
2. The introduction of the vulnerability (loophole) ECU means that when a hacker attacks, the vulnerability ECU is easily attacked first, which makes it easier for the intrusion detection module to detect that the system is under attack and to feed the information back to the security management module in time.
3. Compared with the prior art, by introducing the reference patch package and the compensation package, the method and system can serve ECU upgrades from different versions at the same time and reduce the size of the ECU upgrade package to the greatest extent.
4. Compared with the prior art, after the reference patch package and the compensation packages are introduced, they occupy far less storage space than a plurality of patch packages for the different versions, so the reference patch package and the compensation packages required for upgrading can be downloaded directly to the central gateway or the on-board host without increasing the load of the system; this saves transmission time for the ECU upgrade patch package, which no longer needs to be downloaded from the server every time.
5. Compared with the prior art, when the difference analysis is carried out on the new file and the old file, 4 bytes are used to represent the storage addresses and a fixed 8 bytes are used to store the operation codes at each storage address. This reduces the patch package size and improves operating efficiency in combination with the 8-, 16- and 32-bit CPUs of ECUs adopting the ARM platform.
Drawings
The following drawings are merely illustrative and explanatory of the invention and do not limit the scope of the invention.
FIG. 1 is a schematic diagram of a security upgrade management system according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of a security upgrade management system including a node gateway according to an embodiment of the present invention;
FIG. 3 is a diagram illustrating message formats of a data frame and a remote frame in a CAN message format according to the present invention;
fig. 4a to 4c are schematic diagrams of the formation and synthesis processes of a patch package, a compensation package and a new file in the embodiment of the present invention, where fig. 4a is a synthesis process of the patch package, fig. 4b is a synthesis process of the compensation package, and fig. 4c is a schematic diagram of a synthesis process of a new file according to the patch package, the compensation package and an old file;
FIG. 5 is a flowchart illustrating an embodiment of obtaining a difference data packet between a new file and an old file;
FIG. 6 is a schematic diagram of a patch package formation process in an embodiment of the invention;
FIG. 7 is a schematic diagram of an operation code of a non-fixed number of bits in accordance with an embodiment of the present invention;
FIG. 8 is a schematic diagram of operation codes for fixing a bit number according to an embodiment of the present invention;
FIG. 9 is a flowchart of a method for obtaining a difference data packet between a reference patch package and a patch package according to an embodiment of the present invention;
FIG. 10 is an example of a process for forming a compensation package according to an embodiment of the present invention;
FIG. 11 illustrates a method for synthesizing a patch package according to an embodiment of the present invention;
FIG. 12 is a diagram illustrating an example of a process for forming a patch package from a reference patch package and a compensation package according to an embodiment of the present invention;
FIG. 13 shows an example of a server storing a patch package, a reference patch package and a compensation package in an embodiment of the present invention.
Detailed Description
In order to more clearly understand the technical features, objects, and effects of the present invention, embodiments of the present invention will now be described with reference to the accompanying drawings, in which like reference numerals refer to like parts throughout. For the sake of simplicity, the drawings are only schematic representations of the parts relevant to the invention, and do not represent the actual structure of the product. In addition, in order to make the drawings concise and understandable, components having the same structure or function in some of the drawings are only schematically illustrated or only labeled.
As for the control system, it is well known to those skilled in the art that it may take any suitable form, either hardware or software, or a plurality of functional modules arranged discretely, or a plurality of functional units integrated into one piece of hardware. In its simplest form, the control system may be a controller, such as a combinational logic controller, a micro-programmed controller, or the like, so long as the operations described herein are enabled. Of course, the control system may also be integrated as a different module on one physical device without departing from the basic principle and the scope of protection of the present invention.
Example 1:
This embodiment provides a security management method applied to an automobile, which specifically comprises the following steps:
a central gateway in the vehicle receives an upgrade file from a server, and the upgrade file is transmitted through the central gateway to the ECU (electronic control unit) to be upgraded;
an intrusion detection module monitors the in-vehicle network in real time and feeds the detected attack information back to a security management module when it finds a data packet containing an attack code in the upgrade file or when the in-vehicle network is attacked;
when the security management module receives attack information fed back by the intrusion detection module, it sends a control instruction to a protection module to prevent the target ECU from being intruded;
the protection module is configured to correspond to the security management module; it adopts a corresponding attack resisting strategy according to the control instruction issued by the security management module and sends the strategy to the target ECU;
the ECU comprises a resisting module configured with functions matching the attack resisting strategy; when the target ECU is attacked, the resisting module in the ECU calls the matching application program to resist the intrusion according to the attack resisting strategy sent by the protection module;
the attack resisting strategy comprises a target ECU security reset strategy, a target node gateway security reset strategy and a strategy of discarding the data packet containing the attack code;
the data packet containing the attack code at least comprises data conforming to the CAN message format, and may also comprise the virus type, the attack mode and the like.
Specifically, when the target ECU receives the security reset strategy, the target ECU enters a secure mode after being automatically restarted, where the secure mode at least includes the following: the ECU is configured to allow only the basic driving operations needed to keep the vehicle safe, to process only CAN messages that have passed security verification, or to require integrity checking and data encryption of received data.
Specifically, the protection module may be configured as a protection ECU. Any one of the ECUs may be selected as the protection ECU, but for safety reasons an ECU that is not closely tied to safety responsibilities, such as the brake or engine-related ECUs, is generally selected. An ECU with no direct relation to vehicle body control may also be provided and used purely as the protection ECU. In this case, the strategy of discarding the data packet containing the attack code specifically includes: the security management module sends the data containing the attack code to the protection ECU installed in a specific domain, the protection ECU broadcasts the information of the attack data packet, including its CAN message identifier (CAN ID), to all ECUs in the same domain, and the ECUs call an application program through their resisting modules to discard the data packets containing the corresponding CAN message identifier;
when the attack is over, the protection ECU broadcasts again a data packet indicating that the corresponding CAN message identifier is normal.
Specifically, it should be noted that the present invention can divide the plurality of ECUs of an automobile into a power control section, a vehicle body section, a security section, an entertainment section and the like, and each section is provided with a protection ECU and a vulnerability ECU.
In another mode of this embodiment, the vehicle-mounted Ethernet is structured into domains according to vehicle functions; the vehicle-mounted Ethernet is used for transmission in the vehicle, node gateways are set up to connect the multiple domains, and when an attack occurs the security management module sends a control instruction to the attacked target node gateway, instructing it to adopt an attack resisting strategy. Where node gateways exist, each node gateway and the ECUs directly connected to it form a specific domain, such as a power control domain, a vehicle body domain, a security domain or an entertainment domain, and each domain is provided with a protection ECU and a vulnerability ECU. Each protection ECU and each vulnerability ECU corresponds to one domain.
The attack resisting strategy comprises a security reset strategy for the target node gateway, in which the node gateway enters a secure mode after being automatically restarted; the secure mode of the node gateway at least includes the following: it is configured to allow only the basic driving operations needed to keep the vehicle safe, to process only CAN messages that have passed security verification, or to require integrity checking and data encryption of received data.
Specifically, when the intrusion detection module monitors the in-vehicle network, it further monitors a vulnerability ECU. The vulnerability ECU is configured as an ECU with more security vulnerabilities, so that a data packet containing an attack code is easily detected by the intrusion detection module. The vulnerability ECU is deliberately provided and does not take part in controlling the vehicle; the purpose is to intentionally leave more vulnerabilities and backdoors in it when it is set up, so that it is attacked first, and once it is attacked the intrusion detection module can more easily detect the presence of malicious code, so that the security management module can respond in time.
Example 2:
This embodiment provides a method for causing an ECU to discard a data packet containing malicious code, which specifically comprises the following. See FIG. 3: FIG. 3a shows the format of a data frame in a CAN message, and FIG. 3b shows the format of a remote frame in a CAN message.
In FIG. 3a, the data frame in the CAN message is a standard frame, and the start of frame is represented by 1 bit;
the arbitration field contains an 11-bit ID (CAN message identifier) and the Remote Transmission Request (RTR) bit; the ID bits are assigned from ID28 to ID18, and it is prohibited for the high 7 bits to be all recessive. RTR: the remote request bit; dominant (0) indicates a data frame and recessive (1) indicates a remote frame.
Control field: consists of 6 bits and indicates the number of data bytes of the message to be transmitted; it comprises the reserved bits IDE/r1 and r0 (1 bit each) and the DLC (4 bits).
IDE: the Identifier Extension bit. In a standard frame it is located in the control field and is always dominant; in an extended frame it is located in the arbitration field and is always dominant. r0, r1: the reserved bits must be transmitted at the dominant level; however, the receiver accepts any combination of dominant and recessive levels. DLC: the number of data bytes must be 0-8, but a receiver does not treat DLC values of 9-15 as an error.
Data field: consists of 0 to 8 bytes of payload data to be transmitted.
Cyclic redundancy check field (CRC): consists of the 15-bit CRC Sequence and the 1-bit CRC Delimiter, and is used to check whether the frame has a transmission error. CRC Sequence: the CRC sequence, calculated over the SOF, the arbitration field, the control field and the data field. CRC Delimiter: the CRC delimiter, which is always a recessive bit.
Acknowledgement field (ACK): the ACK field is 2 bits long and comprises the ACK Slot and the ACK Delimiter. ACK Slot: the acknowledgement slot; when the sending node transmits, it sets both the ACK Slot and the ACK Delimiter to recessive, and a receiving node that has verified the CRC Sequence as correct sends a dominant bit during the ACK Slot to acknowledge. ACK Delimiter: the ACK delimiter, which is always a recessive bit.
If there are more than two receiving nodes on the bus, an ACK is returned as long as any one of them receives the message normally; if no node on the bus receives the message normally, no ACK is returned. The sending node itself does not send an ACK;
End of frame: indicates the end of the frame and consists of 7 recessive bits.
In FIG. 3b, the format of the remote frame in the CAN message differs from that of the data frame in that the remote frame contains no data field; the remaining fields are the same. Data frames and remote frames are distinguished by the remote request bit (RTR): when RTR is 0 the frame is a data frame and the bit is dominant; when RTR is 1 the frame is a remote frame and the bit is recessive.
In this embodiment, no requirement is placed on other message formats; it is only required that the CAN message format at least include a CAN message identifier (CAN ID) and a remote request bit (RTR);
the remote request bit is the field that distinguishes remote frames from data frames. Data frames are used for data transmission on the CAN bus, must carry a dominant remote request bit, and are represented by RTR = 0;
remote frames are used to send requests and contain no payload data; their remote request bit must be recessive, and they are represented by RTR = 1.
The security management module issues a packet discarding instruction to the protection ECU; the protection ECU changes the remote request bit of the data packet that conforms to the CAN message format and contains the CAN message identifier of the attack code from dominant 0 to recessive 1, and then sends the changed data packet to all ECUs by broadcast;
specifically, when the protection ECU receives a data packet containing a CAN message identifier, it determines, according to the instruction issued to it by the security management module, whether the CAN message identifier in the data packet is the same as the CAN message identifier of the packet containing the attack code. If it is the same, the protection ECU modifies the message format of that data packet and changes the RTR from 0 to 1, so that the data frame becomes a remote frame. After the remote frame is sent, an ECU responds only when the received CAN message identifier is one associated with it, and directly discards the data packet when the identifier is not associated with it. Although the data packet containing the attack still carries data, its RTR is 1, indicating a remote frame, so the associated ECU does not accept the data after receiving the remote frame and only sends a response to the request; in this way the ECUs are prevented from being attacked. Unassociated ECUs simply do not accept the data and discard it directly.
The change between dominant and recessive is realized by changing the value of the remote request bit through the voltage levels on the CAN bus, with CAN_H at the high level (3.5 V) and CAN_L at the low level (1.5 V).
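The protection ECU behaviour and the receiver rules described in this embodiment, as an added Python model that is not part of the patent or of any ECU product: it models the 11-bit identifier, the RTR bit and the DLC limit of a standard frame, the protection ECU's change of RTR from dominant 0 to recessive 1 for a CAN ID flagged by the security management module, and the receiving ECU's handling (unassociated ID dropped, remote frame answered without consuming the payload, data frame processed). The class and function names, the domain layout and the sample traffic (IDs 0x123 and 0x321) are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed model of the standard CAN frame fields used in Example 2
# (11-bit identifier, RTR bit, 0..8 data bytes). Hypothetical helper code,
# not taken from the patent or from any real ECU stack.
STD_ID_MAX = 0x7FF          # 11-bit CAN message identifier
DOMINANT, RECESSIVE = 0, 1  # RTR = 0 -> data frame, RTR = 1 -> remote frame


@dataclass(frozen=True)
class CanFrame:
    can_id: int
    rtr: int = DOMINANT
    data: bytes = b""

    def __post_init__(self):
        if not 0 <= self.can_id <= STD_ID_MAX:
            raise ValueError("standard frame identifier must fit in 11 bits")
        if self.can_id >> 4 == 0x7F:
            raise ValueError("highest 7 identifier bits may not all be recessive")
        if len(self.data) > 8:
            raise ValueError("DLC must be 0..8 bytes")

    def arbitration_field(self) -> int:
        """12-bit arbitration field: ID28..ID18 followed by the RTR bit."""
        return (self.can_id << 1) | self.rtr


def protection_ecu_rewrite(frame: CanFrame, blocked_ids: set) -> CanFrame:
    """Protection ECU step: for a data frame whose CAN ID was flagged by the
    security management module, set RTR from dominant (0) to recessive (1) so
    that receivers treat it as a remote frame. The payload bytes are left in
    place, as the embodiment describes."""
    if frame.can_id in blocked_ids and frame.rtr == DOMINANT:
        return CanFrame(frame.can_id, RECESSIVE, frame.data)
    return frame


def ecu_receive(frame: CanFrame, associated_ids: set):
    """Receiving ECU: unassociated IDs are dropped, remote frames are answered
    without consuming any payload, data frames are processed."""
    if frame.can_id not in associated_ids:
        return ("drop", None)
    if frame.rtr == RECESSIVE:
        return ("answer_remote_request", None)
    return ("process", frame.data)


def broadcast(frames, blocked_ids, ecu_ids):
    """Pass every frame through the protection ECU and then to each ECU of the
    domain; returns {ecu_name: [outcome per frame]}."""
    results = {name: [] for name in ecu_ids}
    for frame in frames:
        on_wire = protection_ecu_rewrite(frame, blocked_ids)
        for name, ids in ecu_ids.items():
            results[name].append(ecu_receive(on_wire, ids))
    return results


# Constructed sample traffic: 0x123 is a normal frame, 0x321 carries the
# payload that the intrusion detection module flagged.
SAMPLE_FRAMES = [
    CanFrame(0x123, DOMINANT, b"\x01\x02"),
    CanFrame(0x321, DOMINANT, b"\xde\xad\xbe\xef"),
]
DOMAIN_ECUS = {"body": {0x123}, "door": {0x321}}

if __name__ == "__main__":
    for ecu, outcomes in broadcast(SAMPLE_FRAMES, {0x321}, DOMAIN_ECUS).items():
        print(ecu, outcomes)
```

The identifier check in the constructor implements the prohibited all-recessive high 7 bits stated above; the constructed sample shows that after the rewrite no ECU in the domain acts on the flagged payload, while the unflagged frame is still processed by its associated ECU.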
Example 3:
With reference to FIG. 4a to FIG. 4c, this embodiment provides a method for obtaining the upgrade patch of embodiment 1. The upgrade file at least includes a patch package, and the patch package is synthesized by matching a reference patch package with the compensation package of the ECU to be upgraded.
The method for forming the reference patch package and the compensation packages comprises the following steps:
Step 1: perform difference analysis between the new file and an old file, find the differences between them, obtain the difference data packet of the new file and the old file, and extract and pack the difference data packet to form a patch package; repeat step 1 until patch packages corresponding to the new file and all old files of different historical versions are obtained;
In particular, fixing ECU vulnerabilities cannot be done once and for all; the fixes are continuously improved, so the old files of an ECU in different users' hands may exist in multiple versions. For example, the old file of a certain ECU may have been updated by the car factory step by step from version V0 to version V6, but owners choose differently and have not necessarily updated to the latest version V6. Some owners may still be using the V2 old file, some the V3 old file, and so on. Assuming that a new V7 file has just been developed and these owners need to be upgraded, the old file exists in multiple versions, and the version difference between each old file and the new file must be considered in the upgrade. Therefore there are several old files and correspondingly several patch packages. One difference analysis method is as follows: assuming that there are old files V0 to V6 and one new file V7, 7 patch packages B0 to B6 are formed, where B0 denotes the patch package formed from V7 and V0, and so on up to B6, the patch package formed from V7 and V6.
Step 2: select one of the plurality of patch packages as the reference patch package;
Step 3: perform difference analysis between the selected reference patch package and each of the plurality of patch packages, find the differences between them, and form a plurality of compensation packages;
Specifically, since there are several versions of the old file, there are also several versions of the formed patch package, and any one of them may be selected as the reference patch package. However, it is considered that most users will follow the car factory's prompts and upgrade to the current latest old file version (that is, the latest version before the upgrade: for example, versions V0 to V6 exist originally and the latest version V7 now needs to be installed; V6 is then defined as the latest old file and V7 as the new file). Therefore the patch package obtained by difference analysis between the new file and the latest old file is generally selected as the reference patch package, i.e. the patch package B6 formed from V7 and V6. Difference analysis is then performed between the reference patch package and each patch package to form the compensation packages. For example, B6 forms compensation packages with B0 to B5 respectively, labelled M0 to M5.
Specifically, the patch packages and compensation packages of the new file and the old files are produced at the server side. The server referred to in the invention is a broad concept: it may be a cloud server, a local PC or local server, or any device capable of performing operations on the patch packages and compensation packages.
The method for synthesizing the patch package for ECU upgrading comprises the following steps:
combine the data packet of the reference patch package with the corresponding compensation package to form the patch package corresponding to the ECU to be upgraded;
Specifically, for example, the reference patch package B6 and the compensation packages M0, M1, M2, M3, M4 and M5 are stored. If the ECU currently to be upgraded holds the latest old file, version V6, and the reference patch package is B6, then B6 is exactly the patch package for the latest version, no synthesis is needed, and the ECU is upgraded directly with the reference patch package. If the version in the ECU to be upgraded is not the latest old file, the compensation package of the corresponding version is found according to the version of the old file in the ECU, and the reference patch package and the compensation package are combined to generate the patch package corresponding to that old file. For example, when the current ECU file version is V4, the corresponding compensation package is M4, and M4 is combined with the reference patch package B6 to form the patch package B4.
Then combine the patch package corresponding to the ECU to be upgraded with the old file in the ECU to form the new file for upgrading.
Specifically, the formed patch package is combined with the old file in the current ECU into the latest upgrade file package, such as the V7 file package, and the ECU is then upgraded by starting the upgrade program.
The generation of the patch package and the restoration of the patch package into the new file may take place on different devices; in that case the data packets are transferred between the transfer stations by wired or wireless communication.
The formed compensation packages and the reference patch package are transmitted to a local transfer station through a network;
specifically, after the server side has produced the compensation packages and the reference patch package, they are transmitted to the transfer station through a wireless or wired network.
Example 4:
To obtain the difference data packet between the new file and the old file, the existing content of the old file is reused as much as possible and as little new content as possible is added in order to construct the new file. For example, substrings of the old file and the new file are matched, or the common part is extracted using a hashing technique, and the remaining part of the new file is packed into the patch package or compensation package. In the synthesis phase, the old file and the patch package are combined into the new file by two basic operations, ADD and INSERT.
The specific steps of obtaining the difference data packet between the new file and the old file comprise:
Step S200: sort the old file and the new file with a suffix array method to form a string array;
specifically, a string index is generated first, using a Faster Suffix Sorting algorithm based on the idea of binary division. The suffix array is a one-dimensional array storing a permutation I[1 … n] of 1 … n such that suffix(I[i]) < suffix(I[i+1]); that is, after the n suffixes of S are sorted in ascending order, the starting positions of the sorted suffixes are placed in I in order.
Step S201: compare the new file with the old file according to the formed string array;
Step S202: search for the identical parts of the old file and the new file by binary search;
Step S203: find the longest common subsequence of the new file and the old file and determine the difference part;
Step S204: find the extra part;
Step S205: compress the difference part, the extra part and the control words;
Step S206: form the patch package.
Specifically, see FIG. 6:
For example, assume that the new file is: abedeffaoiutkllklll
and the old file is: abcdefdfaouker
Comparing the new file with the old file, the "abcdefdfaoiu" in the new file differs from the "abrdefdfaoiu" in the old file only in the third position, giving the difference part [00200000000], which can be compressed efficiently because it contains a large number of zeros. The extra part is: tjkllkklll. Because the subsequent formation of the data packet is performed by copy and insert operations, and insert operations cause many pointer changes and modifications, these values are recorded so that the modified region can be relocated during the patch phase. Therefore the values of the pointer control words need to be recorded when forming the difference part and the extra part. BSDiff greatly reduces the number of pointer control words to be recorded by introducing the concept of the difference file, which makes the patch package smaller.
In the difference analysis stage and the data storage stage, the data packet is processed as follows. In the prior art, referring to FIG. 7, addresses in a data file are represented with 8 bits, each address stores data, and a storage method of non-fixed size is used. As in FIG. 7, at address 80484b4 the stored code is 8b 45f0, which is 6 bits long, and at address 80484ba the stored code is e8 a1 ff ff ff ff ff ff, which is 10 bytes long. However, the ECU is built around an ARM CPU; in this architecture processors have 8, 16 or 32 bits, and a 32-bit processor, for example, can process an operation code of at most 32 binary bits at a time. To reduce the size of the data packet further, and because the ECU upgrade package of an automobile is very small compared with that of a PC system or the like, the address is changed to 4 bytes and the original code is changed to a fixed-length code that stores 8 bytes. Referring to FIG. 8, for example, one address of the old file is 8400, which stores the code ebfffba; the next address is 8404, which stores the code e3a 03000. In the new file, address 8418 stores the code ebfffb 4, and address 841c stores the code e51b200 c. By storing codes at a fixed length, the number of bits used to represent the address is reduced, and since the fixed length is 8 bytes, space is saved and the data packet becomes smaller. On the other hand, because the fixed length of the stored code is 8 bytes, it is a multiple of the largest binary word the CPU handles, so processing efficiency is high.
On the other hand, many differences occur in the memory address portion and are caused by shifted reference addresses. Originally, BSDiff classified similar portions of the new and old files by memory address and classified new code by the percentage of differing codes. Furthermore, if consecutive differing operation codes exceed 8 bytes in length, the sections are defined as dissimilar.
For fixed-length code, this percentage is changed for optimization. In many cases only 8 bits of a 32-bit fixed operation code change. Therefore the threshold should be 75% instead of 50%.
Example 5:
The patch package formed in embodiment 3 and embodiment 4 comprises at least three parts. The first is a control word file containing ADD and INSERT instructions: an ADD instruction specifies an offset and a length in the old file, reads that number of bytes from the old file and adds them to the same number of bytes from the difference file; an INSERT instruction simply specifies a length, and that number of bytes is read from the extra file. The second is the difference file, which contains the differing byte contents within approximate matches. The third is the extra file, which contains content that does not belong to any approximate match. Each ADD instruction thus specifies an offset position and a length in the old file; the corresponding number of bytes is read from the old file, the same number of bytes is read from the difference file, and the two are added. An INSERT instruction specifies only a length, and that number of bytes is read from the extra file.
Following step 2 of embodiment 3, referring to FIG. 9 to FIG. 10, the compensation package is formed by obtaining the difference data packet between the reference patch package and a patch package, which includes the following steps:
Step S300: decompress the files of the reference patch package and the patch package to obtain their decompressed files, each of which comprises three parts: a control word file, a difference file and an extra file;
the reference patch package and the patch package each comprise a control word file, a difference file and an extra file; those of the reference patch package are denoted control word file 1, difference file 1 and extra file 1, and those of the patch package control word file 2, difference file 2 and extra file 2.
Step S301: remove control word file 1 of the reference patch package, retain control word file 2 of the patch package, and perform difference analysis with the BSDIFF algorithm between difference file 1 and extra file 1 of the reference patch package and difference file 2 and extra file 2 of the patch package;
specifically, when the ECU version to be upgraded corresponds to the reference patch package, it can be upgraded directly with the reference patch package. When the ECU version to be upgraded does not correspond to the reference patch package, the corresponding patch package is found for the upgrade. Therefore, if the ECU version to be upgraded does not correspond to the reference, the control word file of the reference version is of no use, and in order to save space, step S301 removes control word file 1 of the reference patch package and completely retains control word file 2 of the patch package corresponding to the ECU version being upgraded.
Step S302: form the corresponding sub difference file, sub extra file and sub control word file with the BSDIFF algorithm;
Step S303: pack the formed sub difference file, sub extra file and sub control word file together with the retained control word file 2 of the patch package, and then compress them to form the compensation package.
The compensation package has multiple versions, and steps S300 to S303 are repeated to form the compensation package of each corresponding version.
The method for forming the patch package required by the current ECU upgrade from the reference patch package and the corresponding compensation package at least comprises the following steps (see FIG. 11 to FIG. 12).
Step S400: decompress the compensation package and the reference patch package respectively to obtain the decompressed files; the decompressed files of the compensation package are the sub difference file, the sub extra file, the sub control word file and the retained control word file 2 of the patch package, and the files obtained by decompressing the reference patch package are difference file 1, extra file 1 and control word file 1;
specifically, the compensation package selected must be the one corresponding to the current ECU version being upgraded. Although the compensation package and the reference patch package are decompressed in this embodiment, if they were not compressed during transmission the data packet files are obtained directly without decompression; decompression is not a necessary step.
Step S401: remove control word file 1 of the reference patch package and retain control word file 2 of the patch package; according to the records in the sub control word file, apply the sub difference file and the sub extra file to difference file 1 and extra file 1 of the reference patch package by adding and inserting, so as to restore difference file 2 and extra file 2 of the patch package;
Step S402: pack the restored difference file 2 and extra file 2 together with the retained control word file 2 of the patch package to synthesize the patch package.
After the patch package corresponding to the current ECU version upgrade is formed, the patch package and the old file of the current version are combined to form the corresponding new file.
Specifically, using control word file 2 of the patch package and the positions recorded in that control word file, difference file 2 and extra file 2 are added and inserted into the current old file to form the corresponding updated new file.
Example 6:
the embodiment provides an on-vehicle ECU security upgrade system, see fig. 1 to 2.
The method specifically comprises the following steps: the system comprises a central gateway, an intrusion detection module, a security management module and a plurality of ECUs, wherein the security management module is electrically connected with the intrusion detection module through the central gateway respectively;
the central gateway is at least used for communication or data processing or in-vehicle network management between the interior and the exterior of the vehicle;
the intrusion detection module is configured as a monitoring module or monitoring equipment and used for monitoring the safety of the in-vehicle network in real time, and when the in-vehicle network is detected to be attacked, the attack information can be fed back to the safety management module; the security management module is control equipment or a control module, and can reduce damage caused by network attack when the intrusion detection module detects the automobile network attack;
the safety management module is configured as a control device or a control module and can issue a control instruction and enable a target to adopt an attack resisting strategy for resisting when the intrusion detection module detects that the network in the vehicle is attacked;
the protection module is configured to adopt an attack resisting strategy according to a control instruction issued by the safety pipe module and send the strategy to the ECU, and the protection module is electrically connected with the central gateway through the CAN bus;
the ECU comprises a resisting module, wherein the resisting module is configured to have a function matched with the attack resisting strategy, and when the target ECU is attacked, the resisting module in the ECU can call a matched application program to resist invasion according to the attack resisting strategy sent by the protecting module;
the security management module and the intrusion detection module can exist as independent hardware or are integrated into a central gateway in a software module mode;
when the node gateway does not exist, each ECU is electrically connected with the central gateway through the CAN bus.
The protection module is configured as a protection ECU, and the protection ECU is connected into the CAN network together with the other ECUs through the CAN bus. Specifically, any one of the ECUs may be selected as the protection ECU, but for safety reasons an ECU that is not closely tied to safety-critical responsibilities, such as the brake or engine-related ECUs, is generally chosen. An ECU that has no direct relation to vehicle body control may also be provided purely as the protection ECU. In this case, the strategy of discarding the data packet containing the attack code specifically includes: the security management module sends the data containing the attack code to the protection ECU installed in a specific domain, the protection ECU broadcasts the information of the attack data packet, including its CAN message identifier (CAN ID), to all ECUs in the same domain, and each ECU calls an application program through its resisting module to discard the data packets carrying the corresponding CAN message identifier;
In one implementation, the vehicle-mounted network comprises a node gateway, the node gateway is electrically connected with the central gateway through a vehicle-mounted Ethernet bus, and each ECU is electrically connected with the node gateway through a CAN network data bus.
The system comprises a vulnerability ECU, wherein the vulnerability ECU is configured as an ECU with more security vulnerabilities, so that a data packet containing an attack code is easier for the intrusion detection module to detect; specifically, when the intrusion detection module monitors the in-vehicle network, this monitoring also covers the vulnerability ECU, which is configured as an ECU with more security vulnerabilities and which makes a data packet containing an attack code easier for the intrusion detection module to detect. The vulnerability ECU is deliberately provided; it takes no part in the overall control of the vehicle, and it is intentionally left with more vulnerabilities and backdoors when deployed so that it is attacked first. Once it is attacked, the intrusion detection module can more easily detect the presence of malicious code, so that the security module can respond in time.
The system comprises a central gateway, a server and a communication module, wherein the server is electrically connected with the central gateway through the communication module, the server is used for storing upgrade files required by upgrade, the communication module is arranged in a vehicle and is electrically connected with the central gateway through a vehicle-mounted Ethernet, and the communication module is electrically connected with the server in a wired or wireless mode.
The communication module may be a T-box smart antenna.
Specifically, it should be noted that in the present invention the plurality of ECUs of an automobile can be classified into a power control section, a vehicle body section, a security section, an entertainment section, etc., and each section is provided with a protection ECU and a vulnerability ECU.
Specifically, the system further comprises a vehicle-mounted host, and the vehicle-mounted host is electrically connected with the central gateway through a vehicle-mounted Ethernet bus.
In another mode in this embodiment, the vehicle-mounted ethernet has a structure in which domains are formed according to functions of a vehicle, the vehicle-mounted ethernet is used for transmission in the vehicle, and the node gateways are set to connect with the multiple domains, and when an attack occurs, the security management module sends a control instruction to the attacked target node gateway to instruct the target node gateway to adopt an attack resisting strategy for resisting the attack. Under the condition that the node gateway exists, the ECU directly connected with the node gateway and the node gateway form specific domains, such as a power control domain, a vehicle body domain, a security domain and an entertainment domain, and each domain is provided with a protection ECU and a vulnerability ECU. Each protection ECU and each vulnerability ECU correspond to a domain.
If the patch package required for upgrading the ECU is not stored on the server, the server calls an application program to synthesize the corresponding compensation package and the reference patch package into a patch package matching the current ECU upgrade, or downloads the corresponding compensation package and the reference patch package into the central gateway or the vehicle-mounted host through the communication module, where they are synthesized into the patch package matching the current ECU upgrade.
Alternatively, the patch package and the compensation package of embodiment 3 may be formed by processing on a server, or may be transferred to the server after processing on a local PC, or may be transferred in a wired or wireless manner to an ECU, a sensor, a camera, or the like for upgrading after processing on the PC; in this case the PC also serves as the server. The transmission bandwidth of the vehicle-mounted Ethernet is 100Mbps/s, and the payload size is 46-1518 bytes. The transmission bandwidth of the CAN bus is 1Mbps/s, and the payload size is 0-8 bytes. The rate of the CAN network is therefore much lower than that of the vehicle-mounted Ethernet, and the CAN network is the largest factor limiting the ECU upgrade time. Moreover, even when the CAN-based protocol is running at its highest rate, the data cannot be transmitted in parallel without compromising reliability; it is transmitted frame by frame, so the CAN segment accounts for most of the time taken by the ECU upgrade stage.
Specifically, see the example in Fig. 13 of the server storing the patch packages, the reference patch package and the compensation packages.
Fig. 13a shows that when only patch packages exist, the server stores the patch package files of all historical versions, and Fig. 13b shows the case in which a reference patch package corresponds to the patch packages of all historical versions. When the reference patch package is selected, any one of the patch packages of the historical versions can be chosen; normally, the patch package corresponding to the latest ECU version before the upgrade is selected as the reference patch package. Compared with storing a full patch package for every ECU version, the storage space occupied by a patch package is far larger than that occupied by a compensation package. Therefore, with the compensation package method, the ECU update packages required for upgrading all historical versions consist of one reference patch package and a number of compensation packages, and the data packages are smaller. This reduces the storage load on the memory and favours data transmission, especially in the central gateway and the vehicle-mounted host where storage space is limited: the smaller data packets can be transmitted directly to the vehicle-mounted host or the central gateway, and synthesizing the patch package at the vehicle-mounted host or the central gateway further reduces the transmission time and the resources consumed by the system.

Claims (11)

1. A safety upgrading management method applied to an automobile ECU is characterized by at least comprising the following steps:
a central gateway in the vehicle receives an upgrade file from a server, and the upgrade file is transmitted to an ECU (electronic control unit) to be upgraded through the central gateway;
the intrusion detection module monitors the in-vehicle network in real time, and when finding a data packet containing an attack code in the upgrade file or when the in-vehicle network is attacked, the intrusion detection module feeds back the detected attack information to the security management module;
when the intrusion detection module monitors the in-vehicle network, this monitoring also covers the vulnerability ECU, which makes a data packet containing an attack code easier for the intrusion detection module to detect;
when the security management module receives attack information fed back by the intrusion detection module, the security management module sends a control instruction to the protection module to prevent the target ECU from being intruded;
the protection module is configured to correspond to the security module, and can adopt a corresponding attack resisting strategy according to a control instruction sent by the security module and send the strategy to the target ECU;
the target ECU comprises a resisting module, wherein the resisting module is configured to have a function matched with an attack resisting strategy, and when the target ECU is attacked, the resisting module in the target ECU can call a matched application program to resist invasion according to the attack resisting strategy sent by the protecting module;
the attack resisting strategy comprises a target ECU security reset strategy, a security reset strategy of a target node gateway and a strategy of discarding data packets containing attack codes;
when the target ECU receives the security reset strategy, the target ECU enters a safety mode after being automatically restarted, and the safety mode at least comprises:
being configured to allow basic driving operations to secure the safety of the vehicle, allowing only the processing of safety-verified CAN messages, or being configured to require integrity checking and data encryption of received data;
the data packet of the attack code at least comprises data conforming to a CAN message format;
the CAN message format at least comprises a CAN message identifier and a remote request bit;
the remote request bit is the field that distinguishes a remote frame from a data frame; the data frame is used for data transmission on the CAN bus, its remote request bit must be dominant (explicit) and is represented by 0;
the remote frame is used for sending requests and carries no payload data; its remote request bit must be recessive (implicit) and is represented by 1;
the switch between dominant and recessive is realized by changing the value of the remote request bit, i.e. by driving the CAN_H high voltage level and the CAN_L low voltage level on the CAN bus;
the protection module is configured to protect the ECU, and the strategy of discarding the data packet containing the attack code specifically includes: the security management module sends data containing the attack code to a protection ECU installed in a specific domain, the protection ECU broadcasts information of an attack data packet containing a CAN message identifier to all target ECUs in the same domain, and the target ECUs call an application program through a resisting module to discard the data packet containing the corresponding CAN message identifier;
the safety management module issues a data packet discarding instruction to the protection ECU, the protection ECU changes a remote request bit in a data packet which accords with a CAN message format and contains an attack code of a CAN message identifier from explicit 0 to implicit 1, and then sends the changed data packet to all target ECUs in a broadcasting mode;
the target ECU only responds when the CAN message identifier is the CAN message identifier associated with the target ECU, and the target ECU directly discards the data packet when the CAN message identifier is not associated with the target ECU.
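The discard strategy of claim 1 (and the description above), simulated on constructed frames as an added example that is not the patent's own code. A protection ECU re-broadcasts the attacking identifier with the RTR bit flipped from dominant 0 to recessive 1, and each target ECU's resist module then drops frames carrying that identifier or any identifier not associated with it; the assumption is that the resist module can tell a protection-ECU broadcast from ordinary bus traffic (modelled here as a separate on_guard_notice() input).

```python
"""CAN-identifier discard strategy (added example; names and trace are constructed)."""
from dataclasses import dataclass

DOMINANT, RECESSIVE = 0, 1   # bus levels: dominant 0 overrides recessive 1 on CAN_H/CAN_L


@dataclass(frozen=True)
class CanFrame:
    can_id: int        # 11-bit standard CAN message identifier
    rtr: int           # remote request bit: 0 = data frame, 1 = remote frame
    data: bytes = b""  # payload, 0..8 bytes; a remote frame carries none

    def __post_init__(self):
        if not 0 <= self.can_id < 2 ** 11:
            raise ValueError("standard identifier must fit in 11 bits")
        if self.rtr not in (DOMINANT, RECESSIVE) or len(self.data) > 8:
            raise ValueError("bad RTR bit or payload longer than 8 bytes")
        if self.rtr == RECESSIVE and self.data:
            raise ValueError("a remote frame carries no payload")

    def arbitration_field(self) -> int:
        """Identifier followed by the RTR bit, in the order they are sent on the bus."""
        return (self.can_id << 1) | self.rtr


def parse_arbitration(bits: int) -> tuple:
    """Split a 12-bit arbitration field back into (identifier, RTR bit)."""
    return bits >> 1, bits & 1


def mark_attack_frame(attack: CanFrame) -> CanFrame:
    """Protection ECU: same identifier, RTR changed to recessive 1, payload removed."""
    return CanFrame(attack.can_id, RECESSIVE)


def all_clear_frame(can_id: int) -> CanFrame:
    """Protection ECU after the attack (claim 2): the identifier in its normal data-frame form."""
    return CanFrame(can_id, DOMINANT)


class ResistModule:
    """Target-ECU resist module: filters frames before the application sees them."""

    def __init__(self, associated_ids):
        self.associated = set(associated_ids)  # identifiers this ECU normally processes
        self.blocked = set()                   # identifiers announced as under attack
        self.dropped = []

    def on_guard_notice(self, notice: CanFrame) -> None:
        """RTR=1 from the protection ECU blocks the identifier; RTR=0 restores it."""
        if notice.rtr == RECESSIVE:
            self.blocked.add(notice.can_id)
        else:
            self.blocked.discard(notice.can_id)

    def accept(self, frame: CanFrame) -> bool:
        """True when the application may process the frame, False when it is discarded."""
        if frame.can_id not in self.associated or frame.can_id in self.blocked:
            self.dropped.append(frame)
            return False
        return True


def run_trace(module: ResistModule, trace) -> list:
    """Feed a sequence of ('bus', frame) / ('guard', frame) events and return the
    identifiers of the frames the application was allowed to process."""
    accepted = []
    for source, frame in trace:
        if source == "guard":
            module.on_guard_notice(frame)
        elif module.accept(frame):
            accepted.append(frame.can_id)
    return accepted


# Constructed trace: 0x120 is a legitimate identifier, 0x1A0 is the one the
# intrusion detection module flagged, 0x7FF is not associated with this ECU at all.
SAMPLE_TRACE = [
    ("bus", CanFrame(0x120, DOMINANT, b"\x01\x02")),
    ("bus", CanFrame(0x1A0, DOMINANT, b"\xde\xad")),   # arrives before detection
    ("guard", mark_attack_frame(CanFrame(0x1A0, DOMINANT, b"\xde\xad"))),
    ("bus", CanFrame(0x1A0, DOMINANT, b"\xde\xad")),   # now discarded
    ("bus", CanFrame(0x7FF, DOMINANT, b"\x00")),       # never associated: discarded
    ("bus", CanFrame(0x120, DOMINANT, b"\x03")),
    ("guard", all_clear_frame(0x1A0)),
    ("bus", CanFrame(0x1A0, DOMINANT, b"\x10")),       # accepted again
]

if __name__ == "__main__":
    print(run_trace(ResistModule({0x120, 0x1A0}), SAMPLE_TRACE))
```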
2. The ECU security upgrade management method applied to the automobile according to claim 1,
when the attack is over, the protection ECU broadcasts again a data packet containing the normal corresponding CAN message identifier.
3. The automobile ECU security upgrade management method according to claim 1, wherein when the in-vehicle network transmits over a vehicle-mounted Ethernet and a node gateway is set to connect the various domains, and an attack occurs, the security management module sends a control instruction to the attacked target node gateway to instruct the target node gateway to adopt the security reset strategy of the target node gateway for resistance;
the security reset strategy of the node gateway comprises the node gateway entering a safety mode after being automatically restarted, and the safety mode of the node gateway at least comprises: being configured to allow basic driving operations to secure the vehicle, allowing only the processing of safety-verified CAN messages, or being configured to require integrity checking and data encryption of received data.
4. The automobile ECU security upgrading management method according to claim 1, wherein the upgrading file at least comprises a patch package, and the patch package is synthesized by matching a reference patch package with a compensation package of the ECU to be upgraded;
the method for forming the reference patch package and the compensation package comprises the following steps:
step 1: respectively carrying out difference analysis on the new file and the old file, respectively finding out the difference between the new file and the old file, obtaining a difference data packet of the new file and the old file, and extracting and packaging the difference data packet to form a patch packet; repeating the step 1 until patch packages corresponding to the new files and all old files with different historical versions are obtained;
step 2: selecting one of the plurality of patch packages as a reference patch package;
step 3: comparing the selected reference patch package with each patch package, finding out the difference between the reference patch package and the patch package, obtaining the difference data packet of the reference patch package and the patch package, and extracting, packaging and compressing the difference data packet to form a compensation package; and repeating step 3 until a compensation package of the reference patch package corresponding to every old file of a different historical version is obtained.
5. The automobile ECU security upgrade management method according to claim 4, wherein the obtaining of the difference data packet of the new file and the old file comprises the following steps:
step S200: sequencing the old file and the new file by using a suffix array method to form a character string group;
step S201: then, comparing the new file with the old file according to the formed character string group;
step S202: querying the same part between the old file and the new file by utilizing a dichotomy;
step S203: finding out the maximum public subsequence of the new file and the old file and determining a difference part;
step S204: finding out additional parts of the new file and the old file;
step S205: compressing the difference part, the extra part and the control word;
step S206: forming a patch package;
the addresses of data storage in the new file and the old file are 4 bytes, and the operation code stores fixed 8 bytes under each address.
6. The automobile ECU security upgrade management method according to claim 4, wherein the acquisition of the compensation package comprises the following steps:
step S300: decompressing the files of the reference patch package and the patch package to obtain decompressed files of the reference patch package and the patch package respectively, wherein the decompressed files respectively comprise three parts: the control word file, the difference file and the additional file, namely the reference patch package and the patch package respectively comprise: control word files, difference files, extra files;
step S301: removing the control word file of the reference patch package, reserving the control word file of the patch package, and performing differential analysis on the difference file and the extra file in the reference patch package and the difference file and the extra file in the patch package by using a BSDIFF algorithm;
step S302: forming corresponding sub difference files, sub extra files and sub control word files by a BSDIFF algorithm;
step S303: packaging the formed sub difference file, sub extra file and sub control word file together with the retained control word file of the patch package, and then compressing to form the compensation package.
7. The automobile ECU security upgrade management method according to claim 6, wherein forming the patch package from the reference patch package and the compensation package comprises the following steps:
step S400: respectively decompressing the compensation package and the reference patch package to obtain their decompressed files, wherein the decompressed files of the compensation package comprise: the sub difference file, the sub extra file, the sub control word file and the retained control word file of the patch package, and the files obtained by decompressing the reference patch package comprise: the difference file, the extra file and the control word file;
step S401: removing the control word file of the reference patch package, retaining the control word file of the patch package, and restoring the difference file and the extra file of the patch package by applying the sub difference file and the sub extra file to the difference file and the extra file of the reference patch package, adding and inserting data as directed by the guide information in the sub control word file;
step S402: and packaging the difference file, the additional file and the control word file in the reserved patch package to form the patch package.
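The two-level scheme of claims 4 to 7 (and the server-side discussion of reference patch packages and compensation packages in the description above) carried through on constructed firmware images, as an added example that is not the patent's own code. The greedy byte matcher is a stand-in for the suffix-array/BSDIFF search of claim 5; the package layout (control words, difference file, extra file), the compensation package built by diffing the reference's difference+extra files against the patch's while keeping the patch's own control words, and the rebuild steps follow the claims.

```python
"""Two-level differential patching (added example; firmware images are constructed)."""

MIN_MATCH = 4  # shortest exact match encoded as a difference block (assumed threshold)


def _longest_match(old: bytes, new: bytes, i: int):
    """(old offset, length) of the longest run of old matching new[i:], extended over
    isolated single-byte changes so they land in the difference file as non-zero bytes."""
    best_j, best_len = -1, 0
    for j in range(len(old)):
        n = 0
        while i + n < len(new) and j + n < len(old) and new[i + n] == old[j + n]:
            n += 1
        if n > best_len:
            best_j, best_len = j, n
    if best_len < MIN_MATCH:
        return -1, 0
    i2, j2 = i + best_len, best_j + best_len
    while i2 < len(new) and j2 < len(old) and (
        new[i2] == old[j2]
        or (i2 + 1 < len(new) and j2 + 1 < len(old) and new[i2 + 1] == old[j2 + 1])
    ):
        i2, j2 = i2 + 1, j2 + 1
    return best_j, i2 - i


def make_patch(old: bytes, new: bytes) -> dict:
    """Claim 4 step 1 / claim 5 (simplified): control word = (extra length, old offset,
    difference length); difference bytes are new minus old, extra bytes had no match."""
    ctrl, diff, extra, pending, i = [], bytearray(), bytearray(), bytearray(), 0
    while i < len(new):
        j, n = _longest_match(old, new, i)
        if n == 0:
            pending.append(new[i])   # no counterpart in old: goes to the extra file
            i += 1
            continue
        ctrl.append((len(pending), j, n))
        extra += pending
        pending = bytearray()
        diff += bytes((new[i + k] - old[j + k]) & 0xFF for k in range(n))
        i += n
    if pending:
        ctrl.append((len(pending), 0, 0))
        extra += pending
    return {"ctrl": ctrl, "diff": bytes(diff), "extra": bytes(extra)}


def apply_patch(old: bytes, patch: dict) -> bytes:
    """Rebuild the new file by replaying the control words over old, diff and extra."""
    out, d, e = bytearray(), 0, 0
    for extra_len, j, n in patch["ctrl"]:
        out += patch["extra"][e:e + extra_len]
        e += extra_len
        out += bytes((patch["diff"][d + k] + old[j + k]) & 0xFF for k in range(n))
        d += n
    return bytes(out)


def _payload(patch: dict) -> bytes:
    return patch["diff"] + patch["extra"]   # the two files the second-order diff covers


def make_compensation(ref: dict, patch: dict) -> dict:
    """Claim 6 (S300-S303): drop the reference's control words, keep the patch's, and
    diff the reference's difference+extra files against the patch's."""
    return {"ctrl": patch["ctrl"], "sub": make_patch(_payload(ref), _payload(patch))}


def rebuild_patch(ref: dict, comp: dict) -> dict:
    """Claim 7 (S400-S402): restore the patch's difference and extra files from the
    reference's using the sub control words, then re-attach the kept control words."""
    payload = apply_patch(_payload(ref), comp["sub"])
    diff_len = sum(n for _, _, n in comp["ctrl"])
    return {"ctrl": comp["ctrl"], "diff": payload[:diff_len], "extra": payload[diff_len:]}


# Constructed firmware images (not real ECU data): three historical versions, one new one.
OLD_VERSIONS = {
    "v1.0": b"ECU-FW v1.0|map:" + bytes(range(40)) + b"|limit:3500rpm",
    "v1.1": b"ECU-FW v1.1|map:" + bytes(range(40)) + b"|limit:3800rpm",
    "v1.2": b"ECU-FW v1.2|map:" + bytes(range(40)) + b"|limit:3800rpm|crc:on",
}
NEW_VERSION = b"ECU-FW v2.0|map(v2):" + bytes(range(0, 80, 2)) + b"|limit:3800rpm|crc:on"


def upgrade_all(reference: str = "v1.2") -> dict:
    """Server side: one patch per old version, reference = latest, compensation packages
    for the rest. Vehicle side: rebuild each patch and apply it to the old file."""
    patches = {v: make_patch(old, NEW_VERSION) for v, old in OLD_VERSIONS.items()}
    ref = patches[reference]
    comps = {v: make_compensation(ref, p) for v, p in patches.items() if v != reference}
    rebuilt = {}
    for v, old in OLD_VERSIONS.items():
        patch = ref if v == reference else rebuild_patch(ref, comps[v])
        rebuilt[v] = apply_patch(old, patch)
    return rebuilt
```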
8. A safety upgrading management system applied to automobile ECUs is characterized by comprising a central gateway, an intrusion detection module, a safety management module and a plurality of ECUs, wherein the safety management module is electrically connected with the intrusion detection module through the central gateway respectively;
the central gateway is at least used for communication or data processing or in-vehicle network management between the interior and the exterior of the vehicle;
the intrusion detection module is configured as a monitoring module or monitoring equipment and used for monitoring the safety of the in-vehicle network in real time, and when the in-vehicle network is detected to be attacked, the attack information can be fed back to the safety management module; the security management module is control equipment or a control module, and can reduce damage caused by network attack when the intrusion detection module detects the automobile network attack;
the safety management module is configured as a control device or a control module and can issue a control instruction and enable a target to adopt an attack resisting strategy for resisting when the intrusion detection module detects that the network in the vehicle is attacked;
the protection module is configured to adopt an attack resisting strategy according to a control instruction issued by the safety management module and send the strategy to the target ECU, and the protection module is electrically connected with the central gateway through the CAN bus;
the target ECU comprises a resisting module, wherein the resisting module is configured to have a function matched with an attack resisting strategy, and when the target ECU is attacked, the resisting module in the target ECU can call a matched application program to resist invasion according to the attack resisting strategy sent by the protecting module;
the security management module and the intrusion detection module can exist as independent hardware or are integrated into a central gateway in a software module mode;
when the node gateway does not exist, each ECU is electrically connected with the central gateway through the CAN bus;
the safety upgrading management system is applied to the automobile ECU safety upgrade management method according to any one of claims 1 to 7.
9. The system as claimed in claim 8, wherein the protection module is configured to protect the ECU, and the protection ECU is connected to the CAN network together with other ECUs through the CAN bus.
10. The ECU security upgrade management system for vehicles according to claim 8, further comprising: and the node gateways are electrically connected with the central gateway through a vehicle-mounted Ethernet bus, and each ECU is electrically connected with the node gateways through a CAN network data bus.
11. The system for managing the security upgrade of the automobile ECU according to claim 8, further comprising a vulnerability ECU, wherein the vulnerability ECU is configured as an ECU with more security vulnerabilities, so that a data packet containing an attack code is easy to be detected by the intrusion detection module;
the system comprises a vehicle-mounted Ethernet, a central gateway and a server, and is characterized by further comprising the server and a communication module, wherein the server is electrically connected with the central gateway through the communication module, the server is used for storing upgrade files required by upgrade, the communication module is arranged in the vehicle and is electrically connected with the central gateway through the vehicle-mounted Ethernet, and the communication module is electrically connected with the server in a wired or wireless mode.
CN201910610375.2A 2019-07-08 2019-07-08 ECU security upgrade management system and method applied to automobile Active CN110460573B (en)


Publications (2)

Publication Number Publication Date
CN110460573A CN110460573A (en) 2019-11-15
CN110460573B true CN110460573B (en) 2022-05-20


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant