[go: up one dir, main page]
More Web Proxy on the site http://driver.im/

CN111385286A - Method and corresponding device for protecting vehicles from cyberattacks - Google Patents

Method and corresponding device for protecting vehicles from cyberattacks Download PDF

Info

Publication number
CN111385286A
CN111385286A CN201911409023.7A CN201911409023A CN111385286A CN 111385286 A CN111385286 A CN 111385286A CN 201911409023 A CN201911409023 A CN 201911409023A CN 111385286 A CN111385286 A CN 111385286A
Authority
CN
China
Prior art keywords
message
illegal
messages
node
protection device
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201911409023.7A
Other languages
Chinese (zh)
Other versions
CN111385286B (en
Inventor
C·罗萨迪尼
W·内希
L·巴尔丹齐
L·克罗切蒂
L·法努奇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Marilyn Europe
Universita di Pisa
Original Assignee
Marilyn Europe
Universita di Pisa
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Marilyn Europe, Universita di Pisa filed Critical Marilyn Europe
Publication of CN111385286A publication Critical patent/CN111385286A/en
Application granted granted Critical
Publication of CN111385286B publication Critical patent/CN111385286B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L1/00Arrangements for detecting or preventing errors in the information received
    • H04L1/004Arrangements for detecting or preventing errors in the information received by using forward error control
    • H04L1/0056Systems characterized by the type of code used
    • H04L1/0061Error detection codes
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/554Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/606Protecting data by securing the transmission between two devices or processes
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00Data switching networks
    • H04L12/28Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/40Bus networks
    • H04L12/40052High-speed IEEE 1394 serial bus
    • H04L12/40104Security; Encryption; Content protection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227Filtering policies
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227Filtering policies
    • H04L63/0263Rule management
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/12Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L1/00Arrangements for detecting or preventing errors in the information received
    • H04L1/004Arrangements for detecting or preventing errors in the information received by using forward error control
    • H04L1/0041Arrangements at the transmitter end
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L1/00Arrangements for detecting or preventing errors in the information received
    • H04L1/004Arrangements for detecting or preventing errors in the information received by using forward error control
    • H04L1/0045Arrangements at the receiver end
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00Data switching networks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00Data switching networks
    • H04L12/28Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/40Bus networks
    • H04L2012/40208Bus networks characterized by the use of a particular bus standard
    • H04L2012/40215Controller Area Network CAN

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Software Systems (AREA)
  • Health & Medical Sciences (AREA)
  • Physics & Mathematics (AREA)
  • General Health & Medical Sciences (AREA)
  • General Physics & Mathematics (AREA)
  • Bioethics (AREA)
  • Medical Informatics (AREA)
  • Business, Economics & Management (AREA)
  • General Business, Economics & Management (AREA)
  • Small-Scale Networks (AREA)
  • Steering Control In Accordance With Driving Conditions (AREA)
  • Hardware Redundancy (AREA)

Abstract

Described herein is a method for protecting a vehicle CAN communication network from network attacks, the CAN communication network comprising a CAN bus and a plurality of nodes, the nodes being associated in a signal exchange relationship with the CAN bus and at least partially with a unit for controlling a vehicle function; the method comprises the following operations: analyzing contents of the CAN messages transmitted between the nodes to identify illegal CAN messages; and blocking illegal messages; the blocking operation comprises rendering the illegal message invalid for an integrity check performed by the CAN controller of the node by inserting a corrupt bit sequence identified as erroneous by the CAN controller to obtain a corrupted message; wherein a sequence of corrupt bits is inserted into an integrity check field, in particular a CRC field, of an illegal CAN message at a bit time, the value of the bit time being such that the illegal message separator field is aligned in time with the corresponding separator of an error message generated by a network node receiving the illegal message comprising the corrupt sequence.

Description

用于保护车辆免受网络攻击的方法和相应的设备Method and corresponding device for protecting vehicles from cyberattacks

技术领域technical field

本发明涉及用于保护车辆CAN(控制器局域网(Controller Area Network))通信网络免受网络攻击的技术,该车辆CAN通信网络包括CAN总线和多个节点,这些节点以信号交换关系与所述CAN总线相关联并且至少部分地与用于控制车辆功能的单元相关联;The present invention relates to a technique for protecting a vehicle CAN (Controller Area Network) communication network from network attacks, the vehicle CAN communication network comprising a CAN bus and a plurality of nodes in a signal exchange relationship with the CAN a bus associated and at least partially associated with a unit for controlling vehicle functions;

上述技术包括以下操作:The above techniques include the following operations:

分析在所述多个节点的节点之间传输的CAN消息的内容,以便识别非法的CAN消息;以及analyzing the content of CAN messages transmitted between nodes of the plurality of nodes in order to identify illegal CAN messages; and

阻断所述非法消息,blocking said illegal messages,

所述阻断操作包括通过插入被所述CAN控制器识别为错误的破坏位序列,特别是通过用破坏的序列替换原始位序列的一部分,来致使所述非法消息对于由所述节点的CAN控制器执行的完整性检查而言无效,以获得破坏的消息。Said blocking operation comprises causing said illegal message to be relevant to the CAN control by said node by inserting a corrupted bit sequence which is identified as erroneous by said CAN controller, in particular by replacing part of the original bit sequence with a corrupted sequence. Invalid in terms of integrity checks performed by the server to obtain corrupted messages.

CAN总线(在机动车辆中用作通信总线)是串行和多主线类型的通信方式,其中连接到该总线的每个主线(也称为“节点”)都能够发送和接收消息并解决由于多个传输节点同时访问而引起的任何冲突。The CAN bus (used as a communication bus in motor vehicles) is a serial and multi-bus type of communication, where each bus (also called a "node") connected to the bus is able to send and receive messages and resolve issues due to multiple Any conflict caused by simultaneous access of two transport nodes.

如图1A中所示,能够在CAN总线10上进行通信的节点11通常包括:As shown in Figure 1A, the nodes 11 capable of communicating on the CAN bus 10 typically include:

-CAN收发器12,其通过传输线TT和接收线TR与CAN总线10相关联,并且配置成用于管理CAN总线的适当电平(OSI模型的物理层);a CAN transceiver 12, which is associated with the CAN bus 10 via the transmission line TT and the reception line TR and is configured to manage the appropriate levels of the CAN bus (physical layer of the OSI model);

-CAN控制器13,其通过相应的传输线CT和接收线CR连接到CAN收发器12,并且配置成用于管理CAN总线10的逻辑水平和序列化(serialization)(OSI模型的数据链路层);以及- a CAN controller 13, which is connected to the CAN transceiver 12 via respective transmission lines CT and receive lines CR and is configured to manage the logic level and serialization of the CAN bus 10 (data link layer of the OSI model) ;as well as

-微控制器14,其包含关于发送和接收消息的逻辑(数据链路层上方的OSI层的管理)。- A microcontroller 14, which contains the logic for sending and receiving messages (management of the OSI layer above the data link layer).

图1A示出可能的实施方案之一,该实施方案设想将CAN控制器13和微控制器14设置在同一个片上系统(System-on-Chip)15中,而CAN收发器处在单独的芯片上。Figure 1A shows one of the possible implementations which envisages having the CAN controller 13 and the microcontroller 14 in the same System-on-Chip 15, with the CAN transceiver on a separate chip superior.

如图1中所示,已知在CAN控制器13和CAN收发器12之间安装用于保护免受网络攻击的设备16。保护设备16处理(特别是分析)CAN控制器13和CAN收发器12之间传输的消息,识别非法或恶意消息,并实施用于阻断在不同使用情况下将这些恶意消息注入到CAN总线上的操作,所述操作在图2、3、4和5中描述。As shown in FIG. 1 , it is known to install a device 16 between the CAN controller 13 and the CAN transceiver 12 for protection from network attacks. The protection device 16 processes (especially analyzes) the messages transmitted between the CAN controller 13 and the CAN transceiver 12, identifies illegal or malicious messages, and implements a method for blocking the injection of these malicious messages on the CAN bus in different use cases , described in Figures 2, 3, 4 and 5.

特别地,在图1B中,保护设备16在从CAN控制器13到保护设备16的传输线CT上接收CAN消息,并经由前述的阻断操作对所述消息进行分析和过滤,从而在保护设备16和CAN收发器12之间的线路是滤过的传输线DT,由保护设备16处理过的CAN消息在该传输线DT上传输。在相反的方向上,来自收发器12的CAN消息在连接这些模块的接收线CR上到达保护设备,并在保护设备16处进行处理,并在滤过的接收线DR上由保护设备16传输给CAN控制器13。In particular, in FIG. 1B , the protection device 16 receives CAN messages on the transmission line CT from the CAN controller 13 to the protection device 16 , and analyzes and filters the messages via the aforementioned blocking operation, so that the protection device 16 The line between the CAN transceiver 12 is the filtered transmission line DT on which the CAN messages processed by the protection device 16 are transmitted. In the opposite direction, CAN messages from the transceiver 12 arrive at the protection device on the receive line CR connecting these modules and are processed at the protection device 16 and transmitted by the protection device 16 on the filtered receive line DR to CAN controller 13 .

特别地,图2示出了一种情况,其中给出包括多个节点111,……,11n的车辆网络20,例如所述节点表示车辆控制单元,诸如ECU(电子控制单元),例如发动机控制单元和用于照明、空调、变速器、ABS、悬架和其他专门用于其他车辆服务的处理器模块的控制单元。在这些多个节点111,……,11n中,节点111是受保护节点,即配备有保护设备16的节点,并且在图中表示的是受保护节点111是恶意的并且将恶意的即非法的CAN消息或CAN帧MF注入到车辆网络20中的情况。这种使用情况例如是这种情况,即例如微控制器14已被其他通信通道(诸如无线通道)侵犯,如对于对应于信息娱乐/远程信息处理单元的节点而言可能发生的那样。在这种情况下,保护设备16的存在阻止这些消息MF到达车辆网络20,即阻止这些消息MF到达其他非保护节点112,……,11nIn particular, FIG. 2 shows a situation where a vehicle network 20 is given comprising a plurality of nodes 11 1 , . . . , 11 n representing, for example, a vehicle control unit, such as an ECU (Electronic Control Unit), eg Engine control units and control units for lighting, air conditioning, transmission, ABS, suspension and other processor modules dedicated to other vehicle services. Of these multiple nodes 11 1 , . . . , 11 n , the node 11 1 is a protected node, ie a node equipped with a protection device 16, and it is represented in the figure that the protected node 11 1 is malicious and will be malicious ie the situation in which an illegal CAN message or CAN frame MF is injected into the vehicle network 20 . Such a use case is, for example, the case where, for example, the microcontroller 14 has been violated by other communication channels, such as wireless channels, as can happen for nodes corresponding to infotainment/telematics units. In this case, the presence of the protection device 16 prevents these messages MF from reaching the vehicle network 20 , ie preventing these messages MF from reaching the other non-protected nodes 11 2 , . . . , 11 n .

图3示出恶意CAN消息MF由车辆网络20注入的情况,即由未设置有保护设备的节点之一、即未受保护的节点112,……,11n之一、特别是节点112注入的情况。图3表示车辆网络20的任何节点被侵犯的情况。在这种情况下,保护设备16的存在防止无关于相应受保护的CAN节点111的消息被微控制器14处理,其中保护设备16本身安装在相应受保护的CAN节点111上。FIG. 3 shows the situation in which a malicious CAN message MF is injected by the vehicle network 20 , ie by one of the nodes not provided with a protection device, ie by one of the unprotected nodes 11 2 , . . . , 11 n , in particular by the node 11 2 injection situation. FIG. 3 represents a situation where any node of the vehicle network 20 is violated. In this case, the presence of the protection device 16 prevents messages not related to the respective protected CAN node 111 from being processed by the microcontroller 14, where the protection device 16 itself is installed on the respective protected CAN node 111 .

图4示出在CAN网关18内使用保护设备16的情况。该配置使得可以隔离两个不同的CAN网络20A和20B,两个不同的CAN网络20A和20B具有各自的节点11A1,……,11An和11B1,……,11Bn,这些节点通常是不受保护的,并且该配置使得可以保证过滤在一个网络与另一个网络之间输送的CAN帧。在图4的特定情况下,保护设备16阻断由网络20A传输的非法消息MF,并防止它们在网络20B上扩散。显然,保护设备16还可以阻断由网络20B的节点通过网关18向网络20A传输的非法CAN消息MF。FIG. 4 shows the use of the protection device 16 within the CAN gateway 18 . This configuration makes it possible to isolate two different CAN networks 20A and 20B having respective nodes 11A 1 , . . . , 11A n and 11B 1 , . Unprotected, and this configuration makes it possible to guarantee filtering of CAN frames transported between one network and the other. In the particular case of FIG. 4 , the protection device 16 blocks illegal messages MF transmitted by the network 20A and prevents them from spreading over the network 20B. Obviously, the protection device 16 can also block illegal CAN messages MF transmitted by the nodes of the network 20B through the gateway 18 to the network 20A.

背景技术Background technique

美国专利申请第US2015/191136A1号描述了一种在机动车辆CAN总线上运行的保护设备,该设备设想在输送中阻断其参数符合非法消息标准的消息。阻断是通过下列方式执行的,即通过致使非法消息对于由CAN控制器执行的有效性检查而言无效,即通过在CAN收发器和CAN控制器之间的非法消息传输期间,经过由CAN控制器识别为错误的位序列(即填充位)的插入特别是经由通过不遵守由CAN协议设想的位填充规则的序列插入填充错误来破坏非法消息从而导致CAN控制器忽略这些非法消息而不通过CAN网络传送它们。但是,填充位数量的处理可能会在破坏的消息(通过总线发送)和由接收到破坏的消息的CAN节点生成的帧错误消息之间产生时间上的未对准。US Patent Application No. US 2015/191136 A1 describes a protection device operating on the CAN bus of a motor vehicle, which envisages blocking messages in transit whose parameters meet the criteria for illegal messages. Blocking is performed by rendering the illegal message invalid for the validity check performed by the CAN controller, i.e. by The insertion of bit sequences (i.e. stuffing bits) that the controller recognizes as erroneous, in particular, corrupts illegal messages by inserting stuffing errors through sequences that do not obey the bit stuffing rules envisaged by the CAN protocol, causing the CAN controller to ignore these illegal messages without passing the CAN network to deliver them. However, the handling of the number of padding bits may create a time misalignment between the corrupted message (sent over the bus) and the framing error message generated by the CAN node that received the corrupted message.

发明内容SUMMARY OF THE INVENTION

本发明的目的是提供一种监测方法,该监测方法将使非法消息能够变得无效,同时确保适当的对准。It is an object of the present invention to provide a monitoring method that will enable invalidation of illegal messages while ensuring proper alignment.

根据本发明,上述目的由于保护方法以及相应的保护设备而得以实现,该保护方法以及相应的保护设备具有在所附权利要求中特别提到的特征。According to the invention, the above-mentioned objects are achieved thanks to a protection method and a corresponding protection device having the features particularly mentioned in the appended claims.

附图说明Description of drawings

将参考附图来描述本发明,这些附图仅通过非限制性示例的方式提供,其中:The present invention will be described with reference to the accompanying drawings, provided by way of non-limiting example only, in which:

-前面已经描述了图1A和图1B,图2,图3,图4;- Figures 1A and 1B, Figure 2, Figure 3, Figure 4 have been described previously;

-图5示出实施本文所述方法的保护设备的原理框图;- Figure 5 shows a functional block diagram of a protection device implementing the method described herein;

-图6是示意性地表示由保护设备处理的CAN消息的图;- Figure 6 is a diagram schematically representing the CAN messages processed by the protection device;

-图7A,图7B和图7C是本文所述保护设备在方法的三个操作步骤中的示意图;以及- Figures 7A, 7B and 7C are schematic representations of the protection device described herein in three operational steps of the method; and

-图8是说明本文所述方法的操作的流程图。- Figure 8 is a flow chart illustrating the operation of the method described herein.

具体实施方式Detailed ways

图5示出根据本发明的保护设备26的原理框图。该保护设备26表示为在CAN网络10的受保护节点中设置在CAN控制器13和CAN收发器12之间,如例如以节点111的图3的配置设置。这里描述的解决方案无关于其上所应用的CAN版本(CAN2.0或CAN-FD),并且为了便于说明,仅描述与CAN2.0版本相对应的方案。Figure 5 shows a functional block diagram of the protection device 26 according to the invention. The protection device 26 is represented as being arranged between the CAN controller 13 and the CAN transceiver 12 in a protected node of the CAN network 10 , as eg arranged in the configuration of FIG. 3 of the node 111 . The solutions described here have nothing to do with the CAN version (CAN2.0 or CAN-FD) applied on it, and for ease of illustration, only the solutions corresponding to the CAN2.0 version are described.

保护设备26包括防火墙模块261,防火墙模块261通常接收在接收线CR上和在传输线CT上发送的CAN消息M的序列,并在滤过的接收线DR上和在滤过的传输线DT上发送CAN消息的滤过的序列。如上所述,消息M可以是非法消息MF。如以下更充分描述的那样,滤过的序列可能包含CAN消息M它们本身,可能包含从非法消息MF获取的破坏消息MF',或者可能通过合法消息M和非法消息MF的破坏(以下描述的模式B2)应用完全阻断。The protection device 26 comprises a firewall module 261 which normally receives the sequence of CAN messages M sent on the receive line CR and on the transmission line CT and sends CAN messages on the filtered receive line DR and on the filtered transmission line DT A filtered sequence of messages. As mentioned above, the message M may be an illegal message MF. As described more fully below, the filtered sequence may contain CAN messages M themselves, may contain corrupt messages MF' obtained from illegal messages MF, or may be corrupted by both legal messages M and illegal messages MF (schema described below). B2) The application is completely blocked.

因此,上述防火墙模块261配置成用于:Therefore, the firewall module 261 described above is configured to:

-提取在传输线CT或接收线CR上输送的CAN消息M的信息内容;- extracting the information content of the CAN message M conveyed on the transmission line CT or the receiving line CR;

-分析上述信息内容;例如,这包括将输送中的CAN消息M的字段的值与存储在规则存储模块262中的防火墙规则R集进行比较,该规则存储模块262代表规则数据库,防火墙模块261至少可以访问该规则数据库以便进行读取;- analysis of the above-mentioned information content; for example, this includes comparing the values of the fields of the CAN messages M in transit with the set of firewall rules R stored in the rules storage module 262, which represents a database of rules, the firewall module 261 at least The rules database can be accessed for reading;

-在基于其内容被识别为非法CAN消息MF的情况下,致使输送中的CAN消息M无效;在被分析的消息M被识别为非法消息MF而非法消息MF仍在CAN总线上输送的情况下,致使输送中的CAN消息M无效是通过在由保护设备26的传输期间根据阻断模式(例如,B1和B2,在下文将更详细地描述)执行其破坏而获得的。- invalidation of the CAN message M in transit if it is identified as an illegal CAN message MF on the basis of its content; in case the analyzed message M is identified as an illegal message MF while the illegal message MF is still being transmitted on the CAN bus , invalidating the CAN message M in transit is obtained by performing its destruction according to blocking modes (eg, B1 and B2, described in more detail below) during transmission by the protection device 26 .

如上所述,保护设备26还包括规则数据库262,该数据库包含由防火墙261应用于被分析的CAN消息(即在输送中)以识别非法消息MF的规则R。来自传输线CT和来自接收线CR的输送中的CAN消息M可服从于规则数据库262中的同一个规则R集,或者规则数据库262可以包含在接收CR和传输CT独立应用的两个规则集。As mentioned above, the protection device 26 also includes a rules database 262 containing rules R applied by the firewall 261 to the analyzed CAN messages (ie in transit) to identify illegal messages MF. CAN messages M in transit from transmit line CT and from receive line CR may be subject to the same set of rules R in rules database 262, or rules database 262 may contain two sets of rules applied independently on receive CR and transmit CT.

保护设备26还包括操作存储模块263,即,用于在CAN总线10上存储由保护设备26执行的操作B的日志的专用存储区域。保护设备26访问上述模块263以写入由保护设备在CAN总线10上执行的操作B。日志B包含有关防火墙261活动的统计信息(诸如,传输线CT上破坏的非法帧MF的数量,接收线CR上破坏的非法帧的数量),所述统计信息可以通过配置接口264进行查询,该接口264能够访问操作存储模块263以便进行读取,如图5中所示。The protection device 26 also includes an operation storage module 263 , ie a dedicated storage area for storing a log of operations B performed by the protection device 26 on the CAN bus 10 . The protection device 26 accesses the aforementioned module 263 to write operation B performed by the protection device on the CAN bus 10 . Log B contains statistics about firewall 261 activity (such as the number of illegal frames MF corrupted on the transmission line CT, the number of illegal frames corrupted on the receive line CR), which can be queried through the configuration interface 264, which 264 can access the operational storage module 263 for reading, as shown in FIG. 5 .

如上所述,保护设备26包括配置接口264,用于定义由防火墙261应用并存储在模块262中的过滤规则R。特别地,该配置接口可从外部通信接口(图中未示出)接收保护设备26的过滤配置,即规则R。该配置接口264与规则数据库262处于数据交换关系,其中它例如写入用于通过防火墙进行过滤的规则R集,并且如上所述,该配置接口264与操作存储模块263处于数据交换关系,例如用于读取防火墙261的操作日志中的数据。As mentioned above, the protection device 26 includes a configuration interface 264 for defining filtering rules R applied by the firewall 261 and stored in the module 262 . In particular, the configuration interface may receive the filtering configuration of the protection device 26, ie the rules R, from an external communication interface (not shown in the figure). The configuration interface 264 is in a data exchange relationship with the rules database 262, in which it writes, for example, a set of rules R for filtering through firewalls, and as described above, the configuration interface 264 is in a data exchange relationship with the operation storage module 263, for example with It is used to read the data in the operation log of the firewall 261 .

与配置接口264相关联的是认证模块265,认证模块265配置为例如经由数字签名和数据加密机制来检查从外部通信接口接收的过滤配置的真实性。Associated with the configuration interface 264 is an authentication module 265 configured to check the authenticity of the filtering configuration received from the external communication interface, eg, via digital signature and data encryption mechanisms.

保护设备26通常配置成用于实现过滤器,该过滤器阻断恶意的和不相关的CAN消息,仅允许合法数据通过。The protection device 26 is typically configured to implement a filter that blocks malicious and irrelevant CAN messages, allowing only legitimate data to pass through.

合法消息与非法消息之间的区别可以基于保护设备26的使用目的地来配置,并且可以通过以下区别参数C来定义:The distinction between legitimate and illegal messages can be configured based on the use destination of the protection device 26 and can be defined by the following distinction parameter C:

C1:CAN消息标识符;C1: CAN message identifier;

C2:CAN消息长度;C2: CAN message length;

C3:传输时间,例如在周期性消息情况下的频率;C3: transmission time, eg frequency in case of periodic messages;

C4:消息内容;此参数仅用于诊断类型的消息;C4: message content; this parameter is only used for diagnostic type messages;

C5:车辆状态;此参数仅用于诊断类型的消息;以及C5: Vehicle Status; this parameter is only used for diagnostic type messages; and

C6:每单位时间使用总线的百分比。C6: Percentage of bus used per unit time.

保护设备26配置为通常将规则R集应用于非诊断和诊断消息,在输送中的帧被识别为诊断类型的情况下,在该集上应用进一步的并且特定的过滤规则。The protection device 26 is configured to generally apply a set of rules R to non-diagnostic and diagnostic messages, on which further and specific filtering rules are applied in case a frame in transit is identified as a diagnostic type.

此外,特别是通过防火墙模块261配置保护设备26,以用于实现以下两种消息阻断模式之一:Furthermore, the protection device 26 is configured in particular by the firewall module 261 for implementing one of the following two message blocking modes:

选择性阻断模式B1,由此所有且仅有非法CAN消息MF被阻断;以及selective blocking mode B1 whereby all and only illegal CAN messages MF are blocked; and

完全阻断模式B2,由此所有CAN消息(合法消息M和非法消息MF两者)都被阻断。Mode B2 is completely blocked, whereby all CAN messages (both legitimate messages M and illegal messages MF) are blocked.

完全阻断模式B2可配置为以下使用模式:Complete blocking mode B2 can be configured for the following usage modes:

第一使用模式BC1,其中完全阻断模式B2被启用或禁用;a first usage mode BC1 in which the full blocking mode B2 is enabled or disabled;

第二使用模式BC2,如果启用完全阻断模式B2,则其可以在保护设备26中定义违规类型和违规数量以及阻断模式保持激活状态期间的时间,对于每种指定的违规类型,一旦达到其,必须激活完全阻断模式B2;在第二使用模式B2中,因此在包括违规类型、违规数量和停用时间的列表中定义一个或多个停用参数。The second usage mode BC2, if full blocking mode B2 is enabled, can define in the protection device 26 the type of violation and the number of violations and the time during which the blocking mode remains active, for each specified violation type, once its , the full blocking mode B2 must be activated; in the second usage mode B2, one or more deactivation parameters are therefore defined in a list including the type of violation, the number of violations and the deactivation time.

完全阻断模式B2使第i个节点11i或网络(例如图4中的20B)能够从CAN总线10实际断开任意时间段,根据配置,该时间段甚至可以实际上是无限的,因此在经过设置的时间段后节点11i或网络完全隔离,或者节点11i恢复通信能力。Complete blocking mode B2 enables the i-th node 11 i or the network (eg 20B in Fig. 4) to be disconnected from the CAN bus 10 for virtually any period of time, which may even be virtually infinite depending on the configuration, so in After a set period of time, the node 11 i or the network is completely isolated, or the node 11 i recovers the communication capability.

保护设备26阻断非法CAN消息的机制实现了零延迟模式。这在所有应用中都有利地使用了保护设备26,在这些应用中,由附加过滤元件(如实际上是保护设备26)引入的传送延迟将被最小化。The mechanism by which the protection device 26 blocks illegal CAN messages enables a zero-delay mode. This advantageously uses the protection device 26 in all applications where the propagation delay introduced by the additional filter element (eg actually the protection device 26) will be minimized.

如上所述,由保护设备26实现的零延迟消息过滤模式设想的是通过这种方式来利用已经存在于CAN总线中的完整性检查机制:通过在CAN总线上传输期间使非法CAN消息MF无效(即破坏非法CAN消息),使得接收节点将忽略已经在CAN控制器13的数字级别(即数据链路层)处的上述非法消息MF,其中在CAN控制器13的数字级别(即数据链路层)处执行消息完整性检查,而无需将该消息传送到微控制器14(以及传送到OSI堆栈的上层)。因此,甚至在零分析时间的理想条件下,上述零延迟模式与过滤元件接收-分析-重新传输的方式完全不同,如过滤元件接收-分析-重新传输的方式是网关的典型行为,过滤元件在任何情况下都必须在分析消息之前等待消息以便终止,并且在该消息合法且必须重新传输的情况下,再次参与总线争用和仲裁(在分析之后),从而引入等于至少是消息本身的重传持续时间的附加延迟。此外,由于过滤元件必须能够赢得CAN总线争用,以便其能够重新传输先前被分析的消息,因此该附加延迟可能会明显更长,其上限是由CAN协议的特性而引起的,因此其上限在理论上是无限的,这是在更高优先级的消息要由其他网络节点传输的情况下便是如此。As mentioned above, the zero-delay message filtering mode implemented by the protection device 26 envisages taking advantage of the integrity checking mechanisms already present in the CAN bus in this way: by invalidating illegal CAN messages MF during transmission on the CAN bus ( i.e. destroy the illegal CAN message), so that the receiving node will ignore the above illegal message MF already at the digital level of the CAN controller 13 (i.e. the data link layer), where the digital level of the CAN controller 13 (i.e. the data link layer) ) performs a message integrity check without passing the message to the microcontroller 14 (and to the upper layers of the OSI stack). Therefore, even under ideal conditions of zero analysis time, the zero-delay mode described above is completely different from the way the filter element receives-analyze-retransmits, as the filter element receives-analyze-retransmits the typical behavior of a gateway, where the filter element is in In any case, the message must be waited for termination before analyzing the message, and if the message is legitimate and must be retransmitted, again engage in bus contention and arbitration (after analysis), thereby introducing a retransmission equal to at least the message itself Additional delay for duration. Furthermore, since the filtering element must be able to win the CAN bus contention so that it can retransmit previously analyzed messages, this additional delay may be significantly longer, and its upper limit is due to the nature of the CAN protocol, so its upper limit is In theory infinite, this is the case if higher priority messages are to be transmitted by other network nodes.

相反,由保护设备26实施的零延迟模式使得能够检验传输中(即在由设备26安装在其上的节点发送过程中或接收过程中)的CAN消息,因此使其可以:Conversely, the zero-delay mode implemented by the protection device 26 enables the inspection of CAN messages in transit (ie during transmission or reception by the node on which the device 26 is installed), thus making it possible to:

-即使在消息传输或接收终止之前,如果消息是非法的,立即通过破坏消息而采取行动;以及- take immediate action by destroying the message if the message is unlawful, even before the transmission or reception of the message is terminated; and

-如果消息是合法的,则使其保持不变,从而不影响其传送时间。- If the message is legitimate, leave it unchanged so that it doesn't affect its delivery time.

由保护设备26实施的通过第一选择性的阻断模式B1或第二完全阻断模式B2对CAN帧进行零延迟过滤的过程具体包括两个操作,所述两个操作是如此的以便不改变CAN消息的传送时间,并且不导致表现为非法消息已被成功发送的恶意节点。The process of zero-delay filtering of CAN frames by the first selective blocking mode B1 or the second full blocking mode B2 carried out by the protection device 26 specifically includes two operations, which are so as not to change The transmission time of CAN messages and does not lead to malicious nodes appearing as illegal messages have been successfully sent.

第一操作是操作F1,其通过破坏CAN消息本身的位序列来由保护设备26执行来阻断输送中的消息。The first operation is operation Fl, which is performed by the protection device 26 to block the message in transit by corrupting the bit sequence of the CAN message itself.

第二操作是操作F2,其包括从恶意CAN节点(恶意CAN节点传输由保护设备26拦截的非法CAN消息MF)隐藏由恶意CAN节点传输的非法CAN消息的破坏,并因此通过在其他CAN节点的CAN控制器中实施的完整性检查而阻断CAN消息。The second operation is operation F2, which consists of concealing the corruption of the illegal CAN message transmitted by the malicious CAN node from the malicious CAN node (the malicious CAN node transmitting the illegal CAN message MF intercepted by the protection device 26), and therefore by The integrity check implemented in the CAN controller blocks CAN messages.

由于分别通过破坏F1和隐藏F2的上述阻断模式B1或B2,保护设备26和由设备26实现的保护方法保证在非法CAN消息的输送结束与错误消息的传输结束之间的同时性,该非法CAN消息通过由保护设备26执行的操作F1破坏,而错误消息响应于上述破坏的非法CAN消息(即作为检测到由保护设备26引入到恶意CAN消息中以便破坏它的错误条件的结果)而由一个或多个接收CAN节点111,……,11n(除了包括将阻断操作F1应用到非法消息MF的保护设备26的节点和除了注入非法消息MF的CAN节点)发送。Since the protection device 26 and the protection method implemented by the device 26 guarantee the simultaneity between the end of the transmission of the illegal CAN message and the end of the transmission of the error message, the illegal CAN messages are corrupted by operation F1 performed by protection device 26, while error messages are corrupted by the above-mentioned corrupted illegal CAN message (ie as a result of detecting an error condition introduced by protection device 26 into a malicious CAN message in order to corrupt it) by One or more receiving CAN nodes 11 1 , . . . , 11 n (other than the node comprising the protection device 26 applying the blocking operation F1 to the illegal message MF and the CAN node other than the CAN node injecting the illegal message MF) send.

该同时性表示一个方面,该方面是防止触发已发送消息的不对准叠加的基础,因为不对准叠加将导致CAN总线10上的数据不断破坏,并经常地占用总线,并最终导致通信中断。This simultaneity represents an aspect that is the basis for preventing triggering of misaligned superpositions of sent messages, as misaligned superpositions would result in constant corruption of data on the CAN bus 10, frequently occupying the bus, and eventually leading to communication interruptions.

由保护设备通过破坏F1和隐藏F2的操作实现的保护方法利用CAN协议的数据和错误类型的消息的特定结构。The protection method implemented by the protection device by destroying the operation of F1 and hiding F2 makes use of the specific structure of the data and error type messages of the CAN protocol.

特别地,数据类型的消息由下表1中列出的连续位的部分S构成。In particular, a message of data type consists of a portion S of consecutive bits listed in Table 1 below.

Figure BDA0002349464570000081
Figure BDA0002349464570000081

Figure BDA0002349464570000091
Figure BDA0002349464570000091

表1Table 1

在CAN总线标准中,数据类型的消息的部分S的结构本身就是已知的。In the CAN bus standard, the structure of the part S of the message of the data type is known per se.

错误类型的消息包括主动类型的消息和被动类型的消息。对于主动错误(activeerror),消息的结构如下表2中所示。Error-type messages include active-type messages and passive-type messages. For active errors, the structure of the message is shown in Table 2 below.

Figure BDA0002349464570000092
Figure BDA0002349464570000092

表2Table 2

相反,对于被动错误,消息的结构如下表3中所示。Conversely, for passive errors, the structure of the message is shown in Table 3 below.

Figure BDA0002349464570000093
Figure BDA0002349464570000093

表3table 3

在图6中通过示例的方式示出了涉及主动错误的情况。由MF表示的是正在传输的非法CAN消息,而由MF'表示的是破坏的消息,该破坏的消息在其结尾处具有错误消息EM,该错误消息EM是响应错误类型的CAN消息,该错误消息EM由接收节点之一在由其CAN控制器实施的完整性检查检测到破坏之后发送。A situation involving active errors is shown by way of example in FIG. 6 . Denoted by MF is an illegal CAN message being transmitted, and denoted by MF' is a corrupted message which has at its end an error message EM which is a CAN message of the response error type, the error The message EM is sent by one of the receiving nodes after a corruption has been detected by an integrity check implemented by its CAN controller.

此外,由bt表示的是位-时间轴,以及由NV表示的是在非法CAN消息MF中由保护设备26写入的信号。由Si表示的是由保护设备产生的内部信号。特别地,信号Si在正在传输消息的情况下是保护设备26中的信号DT,或者替代性地在正在接收消息的情况下是保护设备26的信号DR。Furthermore, denoted by bt is the bit-time axis, and denoted by NV is the signal written by the protection device 26 in the illegal CAN message MF. Denoted by Si is the internal signal generated by the protection device. In particular, the signal Si is the signal DT in the protection device 26 if a message is being transmitted, or alternatively the signal DR of the protection device 26 if a message is being received.

在此为了确保在由保护设备26破坏的数据类型的非法CAN消息MF的传输结束和由接收节点11的任何一个进行的响应错误类型的相应消息EM的传输结束之间的同时性,即,对于要对准和叠加的上述消息的ITM(间歇)字段(用于非法消息MF的字段S8和用于错误消息EM的字段SE3)而言,有必要在准确的插入点即在非法消息MF的位时间bt的特定值处插入一个错误条件。特别地,这通过用破坏序列替换原始位序列的一部分以获得破坏的消息来执行。In order here to ensure simultaneity between the end of the transmission of the illegal CAN message MF of the data type corrupted by the protection device 26 and the end of the transmission of the corresponding message EM of the response error type by any of the receiving nodes 11, ie for For the ITM (intermittent) fields of the above-mentioned messages to be aligned and superimposed (field S8 for the illegal message MF and field SE3 for the error message EM), it is necessary to be at the exact insertion point, ie at the bit of the illegal message MF Inserts an error condition at a specific value of time bt. In particular, this is performed by replacing part of the original bit sequence with a corrupted sequence to obtain a corrupted message.

要插入由六个连续位(NV)组成的破坏序列的确切插入点是由数据包的格式和由CAN协议的规则唯一确定的,并且需要使用逻辑资源/模块,所述逻辑资源/模块专用于插入点的计算以及构成上述破坏序列NV的位的极性的计算。The exact insertion point at which a corrupt sequence consisting of six consecutive bits (NV) is to be inserted is uniquely determined by the format of the data packet and by the rules of the CAN protocol and requires the use of logical resources/modules dedicated to The calculation of the insertion point and the calculation of the polarity of the bits constituting the above-mentioned destruction sequence NV.

特别地,为了计算CRC(循环冗余校验(Cyclic Redundancy Check))字段内的六个连续位的序列的开始点以及组成它的位的(显性或隐性)极性,保护设备26特别是防火墙模块261设置有一个或多个逻辑模块/元件,其设计或配置成用于:In particular, in order to calculate the starting point of a sequence of six consecutive bits within a CRC (Cyclic Redundancy Check) field and the (dominant or recessive) polarity of the bits that make up it, the protection device 26 particularly The firewall module 261 is provided with one or more logical modules/elements designed or configured to:

-动态地(在运行时)计算CRC字段S5的值,以便预测将出现在CRC字段内的填充位的数量;- Calculate the value of the CRC field S5 dynamically (at runtime) in order to predict the number of padding bits that will appear in the CRC field;

-分析在上一步中重建的CRC字段的内容,还考虑到CRC之前的位,以便评估在CRC字段(即消息M,MF的字段S5)中将出现的填充位的数量;由于CRC字段是数据相关的(并且因此在运行时也会像数据一样变化),因此也以动态方式确定破坏序列的确切插入点。- analyze the content of the CRC field reconstructed in the previous step, also taking into account the bits before the CRC, in order to evaluate the number of padding bits that will be present in the CRC field (ie message M, field S5 of MF); since the CRC field is the data Correlated (and thus also changes at runtime like data), so the exact insertion point of the breaking sequence is also dynamically determined.

参考图6,破坏序列的确切插入点是瞬间btj-5,而接收节点检测到填充错误条件(SPE)时的瞬间是瞬间btj。在图中,紧接在破坏序列第一位之前的最后一位用btj-6表示,以便强调以下事实,即破坏序列必须具有与该位相反的极性。Referring to Figure 6, the exact insertion point of the corrupt sequence is instant bt j -5, and the instant bt j is the instant when the receiving node detects a stuffing error condition (SPE). In the figure, the last bit immediately before the first bit of the corruption sequence is denoted by bt j -6 in order to emphasize the fact that the corruption sequence must have the opposite polarity to this bit.

因此:therefore:

-接收破坏消息MF的CAN节点11会以错误消息EM(至于在示例中显示为主动错误的字段SE1,SE2,SE3;否则,对于被动错误,使用字段SP1,SP2,SP3)进行响应,错误消息EM在发生填充错误条件SPE的点处从紧接在位时间btj之后的位时间btj+1开始;更具体地,如图6中所示,从位时间btj+1开始,写入错误消息EM;在多个接收节点的情况下,每个接收节点11i传输错误类型的CAN消息EM,其错误帧精确地叠加在由任何其他接收节点发送的任何其他的错误类型CAN消息EM的错误帧上;- the CAN node 11 receiving the corrupt message MF will respond with an error message EM (as for the fields SE1, SE2, SE3 shown in the example as active errors; otherwise, for passive errors, use the fields SP1, SP2, SP3), the error message EM starts at bit time bt j +1 immediately after bit time bt j at the point where the stuffing error condition SPE occurs; more specifically, as shown in FIG . Error message EM; in the case of multiple receiving nodes, each receiving node 11i transmits an error-type CAN message EM whose error frame is superimposed exactly on the error frame;

-错误消息(或叠加的错误消息)的结束即部分SE3 ITM与非法消息MF的相应ITM字段S8在时间上对准,部分SE3 ITM包含隐性位(特别是三位)的字段,该字段用作消息之间的分隔符,即用作中断字段,该非法消息MF同时未经更改地重新传输到发送恶意节点。- the end of the error message (or superimposed error message) i.e. the partial SE3 ITM is time aligned with the corresponding ITM field S8 of the illegal message MF, the partial SE3 ITM contains a field of recessive bits (in particular three bits) which is used with As a separator between messages, ie as a break field, the illegal message MF is simultaneously retransmitted unaltered to the sending malicious node.

即使假定CAN消息的数据类型的帧的各个字段的长度相同,由于可能插入填充位,CAN消息的长度也可以基于上述字段的内容而变化。因此,保护设备26配置为针对每个CAN消息动态地计算CRC字段的点btj-5,在帧MF必须被破坏的情况下在该点处必须插入具有相同极性的六个连续位的序列NV。保护设备26配置为针对每个CAN消息动态地计算需要插入具有相同极性的六个连续位的序列NV的CRC字段的点btj-5和上述序列NV的位的极性,在帧MF必须被破坏的情况下,上述序列NV的位的极性必须与位btj-6的极性相反。Even if it is assumed that the length of each field of the frame of the data type of the CAN message is the same, the length of the CAN message may vary based on the contents of the above-mentioned fields due to possible insertion of padding bits. Therefore, the protection device 26 is configured to dynamically calculate for each CAN message the point bt j -5 of the CRC field at which a sequence of six consecutive bits of the same polarity must be inserted if the frame MF must be corrupted nv. The protection device 26 is configured to dynamically calculate for each CAN message the point bt j -5 of the CRC field that needs to insert a sequence NV of six consecutive bits with the same polarity and the polarity of the bits of the sequence NV, which must be inserted in the frame MF. In the case of destruction, the polarity of the bits of the above sequence NV must be opposite to the polarity of bits bt j -6.

如上所述,由保护设备26执行的另一基本操作包括从恶意CAN节点(恶意CAN节点传输由保护设备26拦截的非法CAN消息)隐藏F2上述非法CAN消息的破坏,以及因此通过在其他CAN节点的CAN控制器中实现的完整性检查对其的阻断。As mentioned above, another basic operation performed by the protection device 26 consists of concealing F2 the destruction of the above-mentioned illegal CAN messages from malicious CAN nodes (the malicious CAN nodes transmitting illegal CAN messages intercepted by the protection device 26), and thus by It is blocked by the integrity check implemented in the CAN controller.

在保护设备26破坏非法帧MF的情况下,如果保护设备26不隐藏该破坏,即序列NV在非法帧MF的CRC字段S5的插入点btj-5处被插入并在点btj处确定填充错误条件SPE,已经发送恶意帧MF的CAN节点将检测到该填充错误条件SPE,结果将中断恶意帧MF的传输,将传输错误类型EM的帧(不与由所有其他接收节点发送的错误类型的所有其他的帧对准),然后将尝试重新传输相同的恶意帧。In the case where the protection device 26 corrupts an illegal frame MF, if the protection device 26 does not conceal the corruption, the sequence NV is inserted at the insertion point bt j -5 of the CRC field S5 of the illegal frame MF and the padding is determined at point bt j Error condition SPE, the filling error condition SPE will be detected by the CAN node that has sent the malicious frame MF, as a result, the transmission of the malicious frame MF will be interrupted, and the frame of the error type EM will be transmitted (not with the error type sent by all other receiving nodes. All other frames are aligned) and will then attempt to retransmit the same malicious frame.

将隐藏传输中的消息破坏过程的操作F2如图7中所示进行处理,其中所表示的CAN控制器元件13和CAN收发器元件12例如是属于保护设备26安装在其上的受保护的CAN节点111的那些元件,并且受保护的CAN节点发送恶意消息MF(这是侵犯了保护设备26安装在其上的CAN节点的主机的情况)。特别地,因为也在接收线CR上重新读取在传输线CT上传输的CAN消息MF的每个位,所以保护设备26如下所述进行操作,在传输线CT上已经识别出到达设备26处的恶意帧MF(参见图7A)之后,上述恶意帧MF的破坏操作分两步进行。The operation F2 of concealing the message corruption process in transmission is processed as shown in FIG. 7 , wherein the CAN controller element 13 and the CAN transceiver element 12 represented are, for example, protected CAN belonging to the protection device 26 on which the protection device 26 is mounted. those elements of node 111, and the protected CAN node sends a malicious message MF (this is the case for a violation of the host of the CAN node on which the protection device 26 is installed). In particular, since every bit of the CAN message MF transmitted on the transmission line CT is also reread on the receive line CR, the protection device 26 operates as described below, on the transmission line CT having identified a malicious arrival at the device 26 After the frame MF (see FIG. 7A ), the above-mentioned destruction operation of the malicious frame MF is performed in two steps.

在图7B中所示的第一步中,在主机侧,即朝向恶意节点(传输线CT和滤后的接收线DR),复制非法CAN消息MF,而无需改变滤过的接收线DR上的位流,而在收发器12下游的CAN总线侧,即朝向非恶意接收节点,即在滤过的传输线DT和在未经过滤的接收线CR上,通过修改其位流以适当方式破坏非法消息MF,以获得破坏的消息MF'。In the first step shown in Figure 7B, on the host side, i.e. towards the malicious node (transmission line CT and filtered receive line DR), the illegal CAN message MF is replicated without changing the bits on the filtered receive line DR stream, while on the CAN bus side downstream of the transceiver 12, i.e. towards the non-malicious receiving node, i.e. on the filtered transmission line DT and on the unfiltered receive line CR, the illegal message MF is corrupted in an appropriate way by modifying its bit stream , to obtain the corrupted message MF'.

在第二步骤(如图7C所示)中,在主机侧,即朝向恶意节点,保护设备26,经由在线路DR(图7C)上正确接收OR的消息、通过通知由网络20的其他节点112,……,11n正确接收消息来模拟CAN总线,特别是经由在位时间ACK位置期间发送显性位(dominant bit);同时,在CAN总线侧,保护设备26经由由CAN协议设想的错误帧EM、通过已经接收破坏消息MF'的网络的其他节点11来阻断在线路CR上发出的错误警告。In a second step (shown in FIG. 7C ), on the host side, ie towards the malicious node, the protection device 26 , via a message that correctly receives the OR on the line DR ( FIG. 7C ), is notified by the other nodes 11 of the network 20 . 2 , . . . , 11 n correctly receive the message to simulate the CAN bus, in particular via sending the dominant bit during the bit time ACK position; meanwhile, on the CAN bus side, the protection device 26 via the error envisaged by the CAN protocol Frame EM, the false warning issued on line CR is blocked by the other nodes 11 of the network that have received the destruction message MF'.

隐藏传输中的消息的破坏过程的操作F2也适用于接收非法消息的情况,即由除保护设备26安装其上的受保护CAN节点111以外的CAN节点111以与在消息接收的情况下根据CAN协议的特征在上面已经表示的以及与图7A,图7B和图7C所示的方式类似的方式发送的消息的情况。特别地,在这种情况下,要发送、复制到恶意节点、通过二元性(duality)应在线路DT上进行传输的消息MF是不必要的;即,不执行复制动作,但是正确接收OR的消息足以提供正确接收恶意消息(这次其是在CAN总线10上)的证据。The operation F2 of concealing the destruction process of the message in transit is also applicable in the case of receiving an illegal message, i.e. by a CAN node 111 other than the protected CAN node 111 on which the protection device 26 is installed to be different from the situation in which the message is received In the case of messages sent in a manner similar to that shown in Figures 7A, 7B and 7C, the features of the CAN protocol have been represented above and in Figures 7C. In particular, in this case, the message MF to be sent, copied to the malicious node, which should be transmitted on the wire DT by duality, is unnecessary; i.e., no copy action is performed, but the OR is correctly received The message is sufficient to provide evidence of correct reception of the malicious message (this time on the CAN bus 10).

因此,用于防止车辆CAN通信网络20中的网络攻击的方法包括以下操作,其中车辆CAN通信网络20包括CAN总线10和多个节点11,节点11以信号交换关系与所述CAN总线10相关联并且至少部分地与用于控制车辆功能的单元相关联,所述方法包括以下操作:分析在所述多个节点11的节点之间的传输中的CAN消息M的内容,以识别非法CAN消息MF,并通过阻断模式B1,B2阻断所述非法消息MF,其中所述通过阻断模式B1,B2进行阻断的操作包括致使非法消息MF对于由所述节点11的CAN控制器13进行的完整性检查而言无效,即通过插入F1由所述CAN控制器13识别为错误的破坏位序列NV来破坏它,以获得破坏的消息MF',具体地设想在位时间btj-5处在非法CAN消息MF的完整性检查字段S5、特别是CRC字段中插入F1所述破坏位序列NV,位时间btj-5的值是如此的以便使得将非法消息的分隔符字段(即ITM,尤其是由三个隐性位组成的中断字段)与错误消息EM的对应的分隔符字段在时间上对准,错误消息EM由接收到所述非法消息MF的网络20的节点生成,其包括所述破坏序列NV。应当指出的是,上述插入操作是通过用破坏位序列即位序列NV来替换原始位序列的一部分、特别是完整性检查字段S5的一部分来执行的,特别是该位序列NV具有的极性与时间btj-6时的位的极性相反,时间btj-6时的位在插入点btj-5处的位之前,以获得破坏或非法消息MF'。Accordingly, a method for preventing cyber attacks in a vehicular CAN communication network 20 includes the following operations, wherein the vehicular CAN communication network 20 includes a CAN bus 10 and a plurality of nodes 11 associated with the CAN bus 10 in a handshake relationship with the CAN bus 10 and associated at least in part with a unit for controlling vehicle functions, said method comprising the operation of analyzing the content of CAN messages M in transmissions between nodes of said plurality of nodes 11 to identify illegal CAN messages MF , and block the illegal message MF through the blocking mode B1, B2, wherein the blocking operation through the blocking mode B1, B2 includes causing the illegal message MF to be processed by the CAN controller 13 of the node 11. Invalid for integrity checking, i.e. corrupting it by inserting F1 which is identified as wrong by said CAN controller 13 as a corrupted bit sequence NV to obtain corrupted message MF', specifically envisaged at bit time bt j -5 The corrupted bit sequence NV described by F1 is inserted in the integrity check field S5 of the illegal CAN message MF, in particular the CRC field, the value of the bit time bt j -5 is such that the delimiter field of the illegal message (i.e. the ITM, especially the is an interrupt field consisting of three recessive bits) is aligned in time with the corresponding separator field of the error message EM, which is generated by the node of the network 20 that receives the illegal message MF, which includes the Destroy sequence NV. It should be noted that the above insertion operation is performed by replacing a part of the original bit sequence, in particular a part of the integrity check field S5, with a corrupted bit sequence, i.e. bit sequence NV, in particular the polarity and time of this bit sequence NV. The bits at time bt j -6 are of opposite polarity, and the bit at time bt j -6 precedes the bit at time bt j -5 to obtain the corrupted or illegal message MF'.

所述方法然后包括:The method then includes:

-在传输过程中提取传输中的消息M的信息内容;- extracting the information content of the message M in transit during transmission;

-根据防火墙规则R集对所述信息内容进行分析;以及- an analysis of the information content according to the firewall rule R set; and

-在信息内容的所述分析识别出被分析为非法消息MF的消息M的情况下,致使消息M无效,以获得破坏的消息MF'。- In case said analysis of the information content identifies a message M that is analyzed as an illegal message MF, invalidating the message M to obtain a corrupted message MF'.

所描述的方法然后包括:选择是否至少根据选择性地阻断所有并且仅非法CAN消息MF的模式B1来应用致使F1非法消息MF无效的操作,还是选择根据完全阻断所有CAN消息的模式B2来应用致使F1非法消息MF无效的操作,而无论这些CAN消息是合法消息M还是非法消息MF。The described method then includes selecting whether to apply the operation that renders the F1 illegal message MF invalid at least according to mode B1 which selectively blocks all and only illegal CAN messages MF, or whether to apply the operation according to mode B2 which completely blocks all CAN messages. The operation that renders F1 illegal messages MF invalid is applied, regardless of whether these CAN messages are legal messages M or illegal messages MF.

然后,所描述的方法设想以下可能性:致使非法消息MF无效的所述操作将包括通过以下步骤从发送非法CAN消息MF的CAN节点或CAN网络隐藏F2插入破坏位NV的所述操作的操作,所述步骤为:The described method then envisages the possibility that said operation to invalidate the illegal message MF would comprise an operation to hide the operation of F2 inserting said operation of the corrupt bit NV from the CAN node or CAN network sending the illegal CAN message MF by the following steps, The steps are:

将没有任何改变、特别是没有序列NV的复制的所述非法CAN消息MF发送到传输所述非法消息MF的CAN节点11,或者对于传输所述非法消息MF的CAN网络10不采取任何复制动作;以及Send the illegal CAN message MF without any change, especially without the copying of the sequence NV, to the CAN node 11 transmitting the illegal message MF, or do not take any copying action for the CAN network 10 transmitting the illegal message MF; as well as

对于分别由CAN节点11或CAN总线10传输非法消息的情况下,模拟CAN总线10或CAN节点11,通知由一个或多个接收节点正确接收非法消息MF,同时关于传输所述非法消息的所述CAN节点或CAN网络来阻断与所述非法消息MF相关联的错误消息EM。For the case of illegal messages being transmitted by CAN node 11 or CAN bus 10, respectively, simulate CAN bus 10 or CAN node 11, notify one or more receiving nodes to correctly receive illegal messages MF, A CAN node or CAN network to block the error message EM associated with the illegal message MF.

基于存储在存储模块262中的规则R,上述操作由保护设备26、特别是由其防火墙模块261实施。Based on the rules R stored in the storage module 262 , the above-mentioned operations are carried out by the protection device 26 , in particular by its firewall module 261 .

为此目的,在变型实施例中,保护设备26可以设置在CAN节点的CAN控制器13和CAN收发器12之间,CAN节点因此是受保护的节点,即使其本身就是恶意节点。For this purpose, in a variant embodiment, the protection device 26 can be arranged between the CAN controller 13 and the CAN transceiver 12 of the CAN node, which is thus a protected node, even if it is itself a malicious node.

在另外的变型实施例中,保护设备26可以与网关18相关联地设置在两个CAN网络20A,20B之间。In a further variant embodiment, the protection device 26 may be arranged between the two CAN networks 20A, 20B in association with the gateway 18 .

如前所述,保护设备26具有一个配置接口,即接口264,它可以经由以下列表和参数来定义防火墙规则R:As previously mentioned, protection device 26 has a configuration interface, interface 264, which can define firewall rules R via the following lists and parameters:

-白名单,即授权或允许的元素列表,用于在给定的车辆条件下应用的允许消息(以任何方向);该列表的每个项目均包含以下字段:- A whitelist, i.e. a list of authorized or permitted elements for permitted messages (in any direction) applied under the given vehicle conditions; each item of this list contains the following fields:

a)标识符;a) an identifier;

b)长度;b) length;

c)传输和违规阈值参数;c) transmission and violation threshold parameters;

d)消息类型(诊断/非诊断)d) message type (diagnostic/non-diagnostic)

-允许的诊断服务白名单(此列表仅适用于诊断类型的消息);- Whitelist of allowed diagnostic services (this list only applies to diagnostic type messages);

-黑名单,即诊断服务未经授权或不允许的元素列表,其不允许在给定的车辆状况下使用(此列表仅适用于诊断类型的消息);- blacklist, i.e. a list of unauthorized or disallowed elements of the diagnostic service, which are not allowed in a given vehicle condition (this list only applies to diagnostic type messages);

-用于激活完全阻断模式的“白名单/黑名单违规阈值”;- "Whitelist/Blacklist Violation Threshold" for activating full blocking mode;

-用于激活完全阻断模式的“总线占用阈值”;以及- a "bus occupancy threshold" for activating full blocking mode; and

-用于确定状态是什么(例如,当前速度高于5km/h)的“关于检测车辆状况的信息”,将与“诊断服务的黑名单”和允许消息的“白名单”一起使用。- "Information on detected vehicle condition" for determining what the status is (eg current speed above 5km/h), to be used together with "Blacklist for diagnostic services" and "Whitelist" for allowed messages.

通过上述参数和列表设置的防火墙规则R存储在存储模块262的表中,并且可以通过添加新的防火墙规则R或者通过覆盖和/或消除现有的防火墙规则R来更新。保护设备26将与防火墙的活动相对应的所有统计信息B(在线路DT上破坏的非法帧的数量,在线路DR上破坏的非法帧的数量等)存储于存储模块263中,并且如图5中所示,其可以经由能够访问模块263的配置接口264进行咨询。The firewall rules R set by the above parameters and lists are stored in the table of the storage module 262 and can be updated by adding new firewall rules R or by overwriting and/or eliminating existing firewall rules R. The protection device 26 stores all the statistical information B corresponding to the activity of the firewall (the number of illegal frames destroyed on the line DT, the number of illegal frames destroyed on the line DR, etc.) in the storage module 263, and as shown in Fig. 5 As shown, it can be consulted via a configuration interface 264 that can access the module 263 .

对于数据帧或远程帧类型的每个CAN消息M,实施在存储模块262中定义和包含的防火墙规则R的应用。过滤过程的示意图如图8中所示。For each CAN message M of the data frame or remote frame type, the application of the firewall rules R defined and contained in the storage module 262 is implemented. A schematic diagram of the filtering process is shown in FIG. 8 .

根据图8的流程图,描述由保护设备26执行的以保护程序100为例的实施例。According to the flowchart of FIG. 8 , an embodiment of the protection program 100 executed by the protection device 26 is described as an example.

在该过程的开始105之后,在步骤110中,防火墙261从传输中的CAN消息M的仲裁字段S2中提取消息标识符(ID,11/29位),将该消息标识符与“白名单”的相应字段进行比较用于车辆的状况集。如果消息标识符存在,则执行下一步骤120;否则,消息M被认为是非法消息MF,并且控制转到步骤180。After the start 105 of the process, in step 110, the firewall 261 extracts the message identifier (ID, 11/29 bits) from the arbitration field S2 of the CAN message M in transit, associates the message identifier with the "white list" The corresponding fields are compared for the vehicle's condition set. If the message identifier is present, the next step 120 is performed; otherwise, the message M is considered an illegal message MF and control passes to step 180.

在步骤120中,防火墙261从传输中的CAN消息M的控制字段S3中提取消息长度(DLC,4位),将该消息长度与“白名单”的相应字段进行比较。如果长度正确,则执行下一步骤130;否则,CAN消息M被认为是非法消息MF,并且控制转到步骤180。In step 120, the firewall 261 extracts the message length (DLC, 4 bits) from the control field S3 of the CAN message M in transmission, and compares the message length with the corresponding field of the "white list". If the length is correct, the next step 130 is performed; otherwise, the CAN message M is considered an illegal message MF and control passes to step 180 .

在步骤130中,基于标识符来测量自从最后一次接收到相同消息以来经过的时间,并将其与配置的时间阈值进行比较,例如,在最大时间Tmax和最小时间Tmin之间定义的时间间隔,或经过一个阶段等,也与违反计时规则的顺序有关。如果自最后一次接收到相同消息以来经过的时间落入允许的间隔内,或者未落入允许的间隔内、但检测到的违规次数低于给定的阈值(所有这些参数均从“白名单”提取,像时间间隔的参数),则执行下一步骤135;否则,CAN消息M被认为是非法消息MF,并且控制转到步骤180。In step 130, the time elapsed since the last time the same message was received is measured based on the identifier and compared to a configured time threshold, e.g. a time interval defined between a maximum time Tmax and a minimum time Tmin, Or go through a stage, etc., also related to the order in which the timing rules are violated. If the elapsed time since the last reception of the same message falls within the allowed interval, or does not fall within the allowed interval but the number of detected violations is below a given threshold (all these parameters are removed from the "whitelist" extraction, parameters like the time interval), then the next step 135 is performed;

在步骤135中,进行检查以验证消息M是否为诊断类型。如果不是,则控制转到步骤160,在此更新车辆的状态。如果是,则在步骤140中从“数据”字段中提取诊断服务的值,并进行检查以查看其是否存在于模块262中存储的“诊断服务白名单”中。如果其存在,则执行下一步骤150;否则,CAN消息M被认为是非法消息MF,并且控制转到步骤180。In step 135, a check is made to verify that the message M is of the diagnostic type. If not, control passes to step 160 where the state of the vehicle is updated. If so, the value of the diagnostic service is extracted from the "data" field in step 140 and checked to see if it exists in the "diagnostic service whitelist" stored in module 262. If it exists, the next step 150 is performed; otherwise, the CAN message M is considered an illegal message MF, and control passes to step 180 .

在步骤150中,从数据字段S4中提取诊断服务的值,并进行检查以查看其是否存在于针对车辆的状态设置的“诊断服务黑名单”中(参见步骤160)。如果其存在,则将消息M视为非法消息MF,并且控制转到步骤180;否则,将其视为合法消息,并且执行更新车辆状态的下一步骤160。In step 150, the value of the diagnostic service is extracted from the data field S4 and checked to see if it exists in the "diagnostic service blacklist" set for the state of the vehicle (see step 160). If it exists, the message M is treated as an illegal message MF, and control passes to step 180; otherwise, it is treated as a legitimate message, and the next step 160 of updating the vehicle state is performed.

在步骤160中,将“关于车辆状况的检测的信息”与消息M的仲裁字段和数据字段一起使用,来更新表示车辆状况的内部信息。具体地,在步骤160中,进行检查以核实是否有必要进行车辆状态的更新。用于评估是否要更新车辆状态的鉴别因素包含在规则R集中。检查是基于传输中的帧的仲裁字段和数据字段。In step 160, the "information on detection of vehicle condition" is used with the arbitration field and data field of message M to update the internal information representing the vehicle condition. Specifically, in step 160, a check is made to verify whether an update of the vehicle status is necessary. The discriminator for evaluating whether to update the vehicle state is included in the set of rules R. The check is based on the arbitration field and the data field of the frame in transit.

接下来,在步骤170中,从消息的总长度中更新占用总线的值,并将其与“总线占用阈值”进行比较。如果该消息不遵守这些阈值,则将CAN消息M视为非法消息MF,并且控制转到步骤180。否则,过程100在步骤195中终止。Next, in step 170, the value of the occupied bus is updated from the total length of the message and compared with the "bus occupancy threshold". If the message does not comply with these thresholds, the CAN message M is considered an illegal message MF and control passes to step 180 . Otherwise, process 100 terminates in step 195 .

因此,通常,由防火墙261执行的提取在传输线CT上或在接收线CR上的传输中的CAN消息M的信息内容以及对该信息内容进行的分析的操作包括一个或多个操作110、120、130、135、140、150、170。Thus, generally, the operations performed by the firewall 261 to extract the information content of a CAN message M in transit on the transmission line CT or on the receive line CR and the analysis of the information content include one or more of operations 110, 120, 130, 135, 140, 150, 170.

在步骤180中,由于CAN消息M被认为是非法消息MF,因此通过将检测到的违规类型与“白名单/黑名单违规的阈值”相结合,来决定是激活阻断模式B1还是阻断模式B2。In step 180, since the CAN message M is considered to be an illegal message MF, it is decided whether to activate blocking mode B1 or blocking mode by combining the detected violation type with the "threshold for whitelist/blacklist violation" B2.

在步骤190中,将与消息的有效性和将要实施的阻断模式(无论是B1还是B2)有关的信息发送到防火墙模块261,防火墙模块261通过破坏F1和隐藏F2执行由阻断模式(即完全阻断(B1)或阻断(B2))所需的操作。In step 190, information about the validity of the message and the blocking mode to be implemented (whether B1 or B2) is sent to the firewall module 261, which performs the blocking mode by destroying F1 and hiding F2 (i.e. Action required to completely block (B1) or block (B2)).

保护设备26设想既可以使用单帧诊断消息也可以使用多帧诊断消息来进行操作的可能性。在多帧诊断消息的情况下,如果消息链的第一帧被识别为恶意的,则保护设备26能够通过步骤135阻断该消息以及构成多帧消息的所有后续消息。因此,保护设备26中存在计数器,以跟踪在CAN总线上经过了多少CAN帧,并确定何时终止特定诊断服务的破坏过程。The protection device 26 envisages the possibility of operating using both single-frame diagnostic messages and multi-frame diagnostic messages. In the case of a multi-frame diagnostic message, if the first frame of the message chain is identified as malicious, the protection device 26 can block this message and all subsequent messages that make up the multi-frame message via step 135 . Therefore, a counter exists in the protection device 26 to keep track of how many CAN frames have passed on the CAN bus and to determine when to terminate the sabotage process for a particular diagnostic service.

因此,从上面的描述中,所提出的解决方案的优点清楚地显现出来。Thus, from the above description, the advantages of the proposed solution appear clearly.

所描述的设备和方法防止破坏的消息(在总线上发送)和由接收破坏消息的CAN节点生成的错误帧消息之间的任何时间上的未对准。The described apparatus and method prevent any temporal misalignment between the corrupted message (sent on the bus) and the erroneous frame message generated by the CAN node receiving the corrupted message.

此外,所描述的设备和方法使得可以通过适当的隐藏过程来掩盖来自已经发送非法帧的CAN节点的破坏操作。这样可以防止由恶意CAN节点自动重新传输,由恶意CAN节点自动重新传输导致占用CAN总线。Furthermore, the described apparatus and method make it possible to conceal, by appropriate concealment procedures, corrupt operations from CAN nodes that have sent illegal frames. This can prevent automatic retransmission by malicious CAN nodes, which would result in occupation of the CAN bus.

所描述的设备和方法使得不引入CAN消息的传从的任何延迟成为可能,从而保证由所涉及的CAN节点以透明的方式使用它。The described apparatus and method make it possible not to introduce any delay in the transmission of the CAN message, thus ensuring that it is used in a transparent manner by the CAN nodes involved.

本文所述的设备和方法使得也可以利用诊断类型的CAN消息进行操作。由于专用的控制逻辑,如果诊断服务被识别为恶意的,则可以识别多帧类型的诊断消息序列并使整个消息链无效。The apparatus and methods described herein make it possible to also operate with diagnostic type CAN messages. Thanks to dedicated control logic, if the diagnostic service is identified as malicious, it is possible to identify a multi-frame type of diagnostic message sequence and invalidate the entire message chain.

Claims (11)

1.一种用于保护车辆CAN(控制器局域网)通信网络(20)免受网络攻击的方法,所述车辆CAN通信网络(20)包括CAN总线(10)和多个节点(11),所述节点(11)以信号交换关系与所述CAN总线(10)相关联,并且至少部分地与用于控制车辆功能的单元相关联;1. A method for protecting a vehicle CAN (Controller Area Network) communication network (20) from network attacks, the vehicle CAN communication network (20) comprising a CAN bus (10) and a plurality of nodes (11), so said node (11) is associated with said CAN bus (10) in a handshake relationship and is at least partially associated with a unit for controlling vehicle functions; 所述方法包括以下操作:The method includes the following operations: 分析在所述多个节点(11)的节点之间传输的CAN消息(M)的内容,以识别非法的CAN消息(MF);以及analyzing the content of CAN messages (M) transmitted between nodes of the plurality of nodes (11) to identify illegal CAN messages (MF); and 阻断(B1,B2)所述非法消息(MF);Block (B1, B2) the illegal message (MF); 所述阻断操作(B1,B2)包括:通过插入(F1)由所述CAN控制器(13)识别为错误的破坏位序列(NV),致使(F1,F2)所述非法消息(MF)对于由所述节点(11)的CAN控制器(13)执行的完整性检查而言无效,以获得破坏的消息(MF'),The blocking operation (B1, B2) comprises: causing (F1, F2) the illegal message (MF) by inserting (F1) a corrupt bit sequence (NV) identified by the CAN controller (13) as an error invalid for the integrity check performed by the CAN controller (13) of said node (11) to obtain a corrupted message (MF'), 所述方法的特征在于:The method is characterized by: 将所述破坏位序列(NV)在位时间(btj-5)处插入(F1)到非法CAN消息(MF)的完整性检查字段(S5)、特别是CRC字段中,所述位时间(btj-5)的值是如此的以便使得非法消息的分隔符字段(ITM)与由接收包括所述破坏序列(NV)的所述非法消息(MF)的网络(20)的节点生成的错误消息(EM)的对应分隔符在时间上对准。Inserting (F1) the corrupted bit sequence (NV) into the integrity check field (S5), in particular the CRC field, of the illegal CAN message (MF) at the bit time (bt j -5), the bit time ( The value of bt j -5) is such that the delimiter field (ITM) of the illegal message is related to the error generated by the node of the network (20) receiving the illegal message (MF) including the destruction sequence (NV). The corresponding delimiters of the message (EM) are aligned in time. 2.根据权利要求1所述的方法,其特征在于所述方法包括:2. The method according to claim 1, characterized in that the method comprises: -在传输过程中提取传输中的消息(M)的信息内容;- extracting the information content of the message (M) in transit during transmission; -根据防火墙规则(R)集来分析上述信息内容;以及- analysis of the above information content against the set of firewall rules (R); and -在信息内容的所述分析将分析的消息(M)识别为非法消息(MF)的情况下,致使该消息(M)无效(F1,F2、190),以获得破坏的消息(MF')。- invalidating (F1, F2, 190) the analysed message (M) in case said analysis of the information content identifies the analysed message (M) as an illegal message (MF) to obtain a corrupted message (MF') . 3.根据权利要求1所述的方法,其特征在于至少根据选择性地阻断所有且仅非法CAN消息(MF)的模式(B1)或者根据完全阻断所有CAN消息(M,MF)的模式(B2),进行是否应用所述致使非法消息(MF)无效(F1,F2、190)的操作的选择(180)。3. The method according to claim 1, characterized in that at least according to a mode (B1) of selectively blocking all and only illegal CAN messages (MF) or according to a mode of completely blocking all CAN messages (M, MF) (B2), a selection (180) of whether or not to apply the operation of invalidating the illegal message (MF) (F1, F2, 190) is performed. 4.根据权利要求1至3中任一项所述的方法,其特征在于所述致使所述非法消息(MF)无效(F1,F2、190)的操作包括通过以下步骤从传输非法CAN消息(MF)的CAN节点(11)或CAN网络(10)隐藏(F2)所述插入破坏位序列(NV)的操作的操作,所述步骤为:4. The method according to any one of claims 1 to 3, characterized in that the operation of rendering the illegal message (MF) invalid (F1, F2, 190) comprises the following steps from transmitting an illegal CAN message ( The CAN node (11) or CAN network (10) of MF) hides (F2) the operation of the operation of inserting the destruction bit sequence (NV), and the steps are: 将复制而没有任何改变的所述非法CAN消息(MF)发送到传输所述非法消息(MF)的CAN节点(11),或者不对传输所述非法消息(MF)的CAN网络(10)采取任何复制动作;以及Send the illegal CAN message (MF) copied without any change to the CAN node (11) transmitting the illegal message (MF), or take no action on the CAN network (10) transmitting the illegal message (MF) copy actions; and 在通过CAN节点(11)或CAN网络(10)传输非法消息的情况下,分别模拟CAN总线(10)或CAN节点(11),通知由一个接收节点或多个接收节点正确接收非法消息(MF),并且同时对于传输所述非法消息(MF)的所述CAN节点(11)或CAN网络(10)阻断与所述非法消息(MF)相关联的错误消息(EM)。In the case of transmission of illegal messages through CAN node (11) or CAN network (10), simulate the CAN bus (10) or CAN node (11), respectively, and notify a receiving node or multiple receiving nodes that the illegal message is correctly received (MF ) and at the same time block the error message (EM) associated with the illegal message (MF) for the CAN node (11) or CAN network (10) transmitting the illegal message (MF). 5.根据权利要求2至4中任一项所述的方法,其特征在于所述防火墙规则(R)集包括以下列表和参数中的一个或多个:5. The method according to any one of claims 2 to 4, characterized in that the set of firewall rules (R) comprises one or more of the following lists and parameters: -在给定的车辆条件下应用的用于允许消息的白名单;- Whitelist for allowed messages applied under given vehicle conditions; -允许的诊断服务的白名单;- Whitelist of allowed diagnostic services; -在给定的车辆条件下应用的不允许的诊断服务的黑名单;- a blacklist of disallowed diagnostic services applied under the given vehicle conditions; -用于激活完全阻断模式(B2)的白名单和黑名单违规阈值;- whitelist and blacklist violation thresholds for activating full block mode (B2); -用于激活完全阻断模式(B2)的CAN总线(10)的占用阈值;以及- the occupancy threshold of the CAN bus (10) for activating the full blocking mode (B2); and -关于车辆状况检测的信息,所述信息指示用于评估所述诊断服务的黑名单和用于允许消息的所述白名单的车辆状况。- Information on vehicle condition detection indicating the vehicle condition for evaluating the blacklist for the diagnostic service and for the whitelist for allowing messages. 6.根据权利要求5所述的保护方法,其特征在于所述保护方法包括分析CAN消息(M)的信息内容的以下操作的一个或多个:6. The protection method according to claim 5, characterized in that the protection method comprises one or more of the following operations of analyzing the information content of the CAN message (M): -提取(110)消息标识符并将消息标识符与给定车辆状况的白名单的相应字段进行比较;- extracting (110) the message identifier and comparing the message identifier with the corresponding fields of the whitelist for the given vehicle condition; -提取(120)消息长度,将消息长度与白名单的相应字段进行比较;- extracting (120) the message length, comparing the message length with the corresponding field of the whitelist; -测量(130)自最后一次接收相同消息以来已经经过的时间,并将已经经过的时间与时间阈值进行比较,以便:- measure (130) the time that has elapsed since the last reception of the same message and compare the elapsed time to a time threshold in order to: a)如果消息属于诊断类型,检查消息是否存在于诊断服务的白名单中;以及a) if the message is of the diagnostic type, check if the message exists in the whitelist of the diagnostic service; and b)如果该消息属于诊断类型,提取诊断服务的值并针对给定的车辆状况检查消息是否存在于诊断服务的黑名单中;b) if the message is of the diagnostic type, extract the value of the diagnostic service and check whether the message exists in the blacklist of the diagnostic service for the given vehicle condition; -更新总线占用值并将更新的总线占用值与总线占用阈值进行比较。- Update the bus occupancy value and compare the updated bus occupancy value with the bus occupancy threshold. 7.根据前述权利要求中的任一项所述的保护方法,其特征在于紧接在所述破坏序列(NV)的第一位(btj-5)之前的最后位(btj-6)具有的极性与破坏序列(NV)的所述第一位(btj-5)的极性相反。7. The protection method according to any one of the preceding claims, characterized by the last bit (bt j -6) immediately preceding the first bit (bt j -5) of the destruction sequence (NV) Has a polarity opposite to that of the first bit (bt j -5) of the destruction sequence (NV). 8.一种用于防止车辆CAN(控制器局域网)通信网络(20)中的网络攻击的设备,车辆CAN通信网络(20)包括CAN总线(10)和多个节点(11),所述节点(11)以信号交换关系与所述CAN总线(10)相关联,并且至少部分地与用于控制车辆功能的单元相关联,其特征在于所述设备配置成根据权利要求1至7中的一项或多项所述的方法进行操作。8. A device for preventing network attacks in a vehicle CAN (Controller Area Network) communication network (20), the vehicle CAN communication network (20) comprising a CAN bus (10) and a plurality of nodes (11), the nodes (11) Associated in a handshake relationship with the CAN bus (10) and at least partly associated with a unit for controlling vehicle functions, characterized in that the device is configured according to one of claims 1 to 7 one or more of the methods described. 9.根据权利要求8所述的保护设备,其特征在于所述保护设备包括:9. The protection device according to claim 8, characterized in that the protection device comprises: 防火墙模块(261),所述防火墙模块(261)配置为至少执行以下操作:分析CAN消息(M)的内容,以及致使非法消息(MF)对于由所述节点(11)的CAN控制器(13)执行的完整性检查而言无效(F1,F2);和A firewall module (261) configured to perform at least the following operations: analyzing the content of CAN messages (M), and causing illegal messages (MF) to be detected by the CAN controller (13) of the node (11) ) is invalid for the integrity checks performed (F1, F2); and 存储模块,所述存储模块用于存储防火墙的所述规则(R)集。A storage module, the storage module is used for storing the rule (R) set of the firewall. 10.根据权利要求8或9所述的保护设备,其特征在于所述保护设备(26)设置在CAN节点的CAN控制器(13)与CAN收发器(12)之间。10. The protection device according to claim 8 or 9, characterized in that the protection device (26) is arranged between the CAN controller (13) of the CAN node and the CAN transceiver (12). 11.根据权利要求8或9所述的保护设备,其特征在于所述保护设备(26)与网关(18)相关联地设置在两个CAN网络(20A,20B)之间。11. The protection device according to claim 8 or 9, characterized in that the protection device (26) is arranged between two CAN networks (20A, 20B) in association with a gateway (18).
CN201911409023.7A 2018-12-31 2019-12-31 Methods and corresponding equipment for protecting vehicles against cyberattacks Active CN111385286B (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
IT102018000021550A IT201800021550A1 (en) 2018-12-31 2018-12-31 "Procedure for protecting against computer attacks on the vehicle and corresponding device"
IT102018000021550 2018-12-31

Publications (2)

Publication Number Publication Date
CN111385286A true CN111385286A (en) 2020-07-07
CN111385286B CN111385286B (en) 2023-09-26

Family

ID=66589619

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911409023.7A Active CN111385286B (en) 2018-12-31 2019-12-31 Methods and corresponding equipment for protecting vehicles against cyberattacks

Country Status (3)

Country Link
JP (1) JP7528402B2 (en)
CN (1) CN111385286B (en)
IT (1) IT201800021550A1 (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113228594B (en) * 2021-03-31 2022-07-29 华为技术有限公司 Method, apparatus, device and computer-readable storage medium for determining protection scheme
JP2023112712A (en) * 2022-02-02 2023-08-15 株式会社オートネットワーク技術研究所 On-vehicle relay device, on-vehicle relay method and on-vehicle relay program
DE102023001972B4 (en) * 2023-05-15 2024-11-28 Mercedes-Benz Group AG communication system and vehicle

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060168273A1 (en) * 2004-11-03 2006-07-27 Ofir Michael Mechanism for removing data frames or packets from data communication links
US20080186870A1 (en) * 2007-02-01 2008-08-07 Nicholas Lloyd Butts Controller Area Network Condition Monitoring and Bus Health on In-Vehicle Communications Networks
CN101494519A (en) * 2008-06-10 2009-07-29 杨福宇 Method and apparatus for implementing passive error frame in CAN protocol
JP2012165257A (en) * 2011-02-08 2012-08-30 Nippon Soken Inc Communication system, transceiver, and node
CN103078836A (en) * 2011-10-25 2013-05-01 通用汽车环球科技运作有限责任公司 Cyber security in an automotive network
CN106170953A (en) * 2014-04-17 2016-11-30 松下电器(美国)知识产权公司 Vehicle-mounted network system, abnormal detection electronic control unit, and abnormal detection method
US20170013006A1 (en) * 2014-04-03 2017-01-12 Panasonic Intellectual Property Corporation Of America Method for preventing electronic control unit from executing process based on malicious frame transmitted to bus
US20180025156A1 (en) * 2016-07-21 2018-01-25 Ramot At Tel-Aviv University Ltd. Anti-Spoofing Defense System for a Can Bus
CN107710657A (en) * 2015-07-22 2018-02-16 阿瑞路资讯安全科技股份有限公司 Vehicle communication bus data safety
EP3316524A1 (en) * 2016-10-28 2018-05-02 Magneti Marelli S.p.A. Protection device from cyber attacks to a vehicle through a diagnostic connector and related method
US20180152472A1 (en) * 2015-09-29 2018-05-31 Panasonic Intellectual Property Corporation Of America Invalidity detection electronic control unit, in-vehicle network system, and communication method

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8788731B2 (en) * 2012-07-30 2014-07-22 GM Global Technology Operations LLC Vehicle message filter
EP2800316A1 (en) 2013-05-01 2014-11-05 Renesas Electronics Europe GmbH Can fd
US10369942B2 (en) 2014-01-06 2019-08-06 Argus Cyber Security Ltd. Hosted watchman

Patent Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060168273A1 (en) * 2004-11-03 2006-07-27 Ofir Michael Mechanism for removing data frames or packets from data communication links
US20080186870A1 (en) * 2007-02-01 2008-08-07 Nicholas Lloyd Butts Controller Area Network Condition Monitoring and Bus Health on In-Vehicle Communications Networks
CN101494519A (en) * 2008-06-10 2009-07-29 杨福宇 Method and apparatus for implementing passive error frame in CAN protocol
JP2012165257A (en) * 2011-02-08 2012-08-30 Nippon Soken Inc Communication system, transceiver, and node
CN103078836A (en) * 2011-10-25 2013-05-01 通用汽车环球科技运作有限责任公司 Cyber security in an automotive network
US20170013006A1 (en) * 2014-04-03 2017-01-12 Panasonic Intellectual Property Corporation Of America Method for preventing electronic control unit from executing process based on malicious frame transmitted to bus
CN106170953A (en) * 2014-04-17 2016-11-30 松下电器(美国)知识产权公司 Vehicle-mounted network system, abnormal detection electronic control unit, and abnormal detection method
CN107710657A (en) * 2015-07-22 2018-02-16 阿瑞路资讯安全科技股份有限公司 Vehicle communication bus data safety
US20180189483A1 (en) * 2015-07-22 2018-07-05 Arilou Information Security Technologies Ltd. Vehicle communications bus data security
US20180152472A1 (en) * 2015-09-29 2018-05-31 Panasonic Intellectual Property Corporation Of America Invalidity detection electronic control unit, in-vehicle network system, and communication method
US20180025156A1 (en) * 2016-07-21 2018-01-25 Ramot At Tel-Aviv University Ltd. Anti-Spoofing Defense System for a Can Bus
EP3316524A1 (en) * 2016-10-28 2018-05-02 Magneti Marelli S.p.A. Protection device from cyber attacks to a vehicle through a diagnostic connector and related method

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
VISAL CHEA: "《Hamming Distance as a Metric for the Detection of CRC-Based Side-Channel Communications in 802.11 Wireless Networks》", 《2015 IEEE CONFERENCE ON COMMUNICATIONS AND NETWORK SECURITY (CNS)》 *

Also Published As

Publication number Publication date
IT201800021550A1 (en) 2020-07-01
JP2020109953A (en) 2020-07-16
JP7528402B2 (en) 2024-08-06
CN111385286B (en) 2023-09-26

Similar Documents

Publication Publication Date Title
CN109076001B (en) Frame transfer preventing device, frame transfer preventing method, and in-vehicle network system
Cho et al. Error handling of in-vehicle networks makes them vulnerable
US20200213351A1 (en) Exploiting safe mode of in-vehicle networks to make them unsafe
CN111448787B (en) Systems and methods for providing secure in-vehicle networks
US11522872B2 (en) CAN transceiver
CN107710657B (en) Method and apparatus for real-time data security of a communication bus
CN111385286B (en) Methods and corresponding equipment for protecting vehicles against cyberattacks
CN109104352B (en) Vehicle network operation protocol and method
JP2017069941A (en) Fraud-detection electronic control unit, in-vehicle network system, and communication method
US11665021B2 (en) Can transceiver
CN112347021B (en) Security module for serial communication device
US11218501B2 (en) Detector, detection method, and detection program
CN113226858B (en) Information processing apparatus
US10922264B1 (en) CAN transceiver
JP2014236248A (en) Electronic control device and electronic control system
CN112583786B (en) Method, sender device and receiver device for alerting
KR20180127222A (en) Method for protecting a network against a cyber attack
Talebi A Security Evaluation and Internal Penetration Testing Of the CAN-bus
Cho From attack to defense: toward secure in-vehicle networks
Longari et al. CANter: data-link layer detection of drop-and-spoof attacks on CAN and CAN FD
US11431439B1 (en) Controller area network transceiver
EP4304135A1 (en) Controller area network (can) transceiver, can node, can system and method for the can transceiver
CN113783958A (en) Gateway device, method and in-vehicle network system
EP4099642A2 (en) Can transceiver
US20230013980A1 (en) Frame invalidation in bus system via receive line

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant