H04L12/40026

System and method to detect malicious CAN controller behavior from adversarial clock control

A system comprising a microcontroller located on a communication bus, a power consumption circuit configured to determine power consumption of the microcontroller, wherein a processor is programmed to determine if a clock associated with the microcontroller is paused and whether an average operational power has exceeded a power threshold, and in response to the average operational power exceeding the power threshold and in response to identifying an attacked message or attacked electronics control unit, in response to determining the microcontroller is under the suspected attack, output an alert associated with an event causing change in the bit patterns of messages on the communication bus.

Controller area network module and method for the module
12028184 · 2024-07-02

A CAN module that can be integrated between a CAN controller and a CAN transceiver includes a receive data (RXD) input interface for receiving a first bit sequence through an RXD stream and an RXD output interface for sending a manipulated receive data (MRXD) stream including a second bit sequence. A processing logic of the CAN module is configured to manipulate the first bit sequence to generate a second bit sequence comprising a second stuff bit at a second position in the second bit sequence corresponding to a first position of a first stuff bit in the first bit sequence such that the second stuff bit is complementary to a preceding bit of the second stuff bit in the second bit sequence. The present disclosure also relates to a method for the CAN module.

Secure communication between vehicle components via bus guardians

In particular embodiments, a computing system may receive, by a processor in communication with an actuator of a vehicle, an instruction associated with an environment external to the vehicle and configured for controlling the actuator of the vehicle. The system may receive, by the processor, sensor data associated with the environment and generated by one or more sensors associated with the vehicle. The system may determine, by the processor, a state associated with an operation mode of the vehicle based on the received sensor data. The system may evaluate, by the processor, whether the instruction is invalid based on the state associated with the operating mode of the vehicle. The system may, subsequent to determining that the instruction is invalid, based on the evaluation, prevent transmission of the instruction to the actuator of the vehicle.

Secure Serial Peripheral Interface Communication
20240184735 · 2024-06-06

This document discloses aspects of secure serial peripheral interface (SPI) communication. In some aspects, a secure SPI communication module monitors communications transmitted by a host to a peripheral block that is coupled to the host via a SPI interconnect. The module compares respective commands of the communications sent by the host to information indicating commands that the peripheral block is not authorized to execute. Based on the comparing, the module determines that one of the respective commands is one of the commands that the peripheral block is not authorized to execute. The module then prevents the peripheral block from receiving at least a portion of the respective command of the communication. By so doing, the module can prevent the peripheral block from executing unauthorized commands, which may compromise security of the peripheral block.

Method for detecting and dealing with unauthorized frames in vehicle network system

A method for dealing with unauthorized frames that makes it possible to take appropriate measures when an unauthorized data frame is detected in a vehicle network system is provided. A plurality of ECUs in the vehicle network system are connected to a bus used for communicating frames. In the method for dealing with unauthorized frames, if a misuse detection ECU that checks a frame appearing in the bus detects an unauthorized frame that does not comply with a certain rule and a certain prevention condition is satisfied, a process for preventing the plurality of ECUs from performing a process corresponding to the unauthorized frame is performed (an error frame is transmitted) or, if the certain prevention condition is not satisfied, the process is not performed.

Method and Apparatus for Determination of Slot-Duration in Time-Triggered Control System
20190102217 · 2019-04-04

A method for a determination of the optimal duration of a time slot for computational actions in a time-triggered controller. The controller includes a sensor subsystem, a computational subsystem, an actuator subsystem, and a time-triggered communication system. The time-triggered communication system is placed between the sensor subsystem, the computational subsystem, the actuator subsystem, and a monitor subsystem. An anytime algorithm is executed in the computational subsystem. A plurality of execution slot durations of the anytime algorithm is probed during the development phase, starting from the minimum execution slot duration, increasing this slot duration by the execution slot granularity until the maximum execution slot duration is reached. In each of the execution slot durations, a multitude of frames is executed in a destined application environment. In each frame the computational subsystem calculates imprecise anticipated values of observable state variables by interrupting execution of the anytime algorithm at the end of the provided execution slot duration, using data received from the sensor subsystems at the beginning of the frame.

HARDWARE MODULE-BASED AUTHENTICATION IN INTRA-VEHICLE NETWORKS
20190104149 · 2019-04-04

A secure hardware-based module or Security Electronic Control Unit (SECU) for a Controller Area Network (CAN) prevents an attacker from sending malicious messages through the CAN bus to take over control of a vehicle. The SECU shares a unique key and counter with each ECU on the CAN bus. When a legitimate ECU sends a message, it first compresses the message and then generates a MAC of the counter and a secret key. The counter is increased by one for each transmitted message. The ECU then fits the compressed message and the MAC into one CAN frame and sends it onto the CAN bus. The SECU performs the message verification on behalf of the intended receiver(s) of the message. If the verification passes, the receiver(s) simply decompress the message and use it as a normal CAN message. If the verification fails, the SECU will corrupt the CAN frame before it is fully received by the intended receiver(s). The corrupted CAN frame will be ignored by the intended receiver(s) as if it was never received. Therefore, a malicious message generated by an attacker will inflict no damage on the system.

Apparatus and method for filtering transactions
10243758 · 2019-03-26

An apparatus and method are provided for filtering transactions performed between a master device and a slave device, where each transaction comprises one or more transfers. The apparatus has a first interface for coupling to the master device and a second interface for coupling to the slave device. Routing circuitry is used to route, between the first interface and the second interface, signals representing each transfer. Filtering decision generation circuitry is arranged to perform a combinatorial operation to generate a filtering decision dependent on current values of one or more received input variables. The routing circuitry is then responsive to the filtering decision indicating a block condition for a current transfer, to block the current transfer by preventing one or more of the signals representing that current transfer from being passed between the first interface and the second interface in either direction. The filtering decision generation circuitry is responsive to assertion of the current transfer within the apparatus to generate the filtering decision, and thereafter to maintain that filtering decision for a duration of time that the current transfer is asserted, irrespective of a change in the values of the input variables. Such an approach provides a high performance solution while also enabling certain bus protocol violation scenarios to be avoided.

Transmission device, reception device, transmission method, and reception method

A transmission device has a detector, a generator, and a transmitter. When the detector has detected that a communication rule of a message that has been broadcasted to a network by another transmission device coincides with a communication rule of a message that is broadcasted to the network by the present transmission device, the generator generates an abnormality notification message. Then, the transmitter broadcasts an abnormality notification message to the network.

METHOD AND SENSOR BUS SYSTEM

A method for transmitting data in a sensor bus system and a sensor bus system. The sensor bus system includes an electronic controller, a plurality of sensors, and a twisted two-wire line between the electronic controller and the sensors, wherein the electronic controller is designed to supply electrical energy to the sensors via the twisted two-wire line, and the sensors are designed to transmit received information to the electronic controller in an I/Q-modulated manner via the twisted two-wire line.