METHOD AND DEVICE FOR AVERTING A MANIPULATION ON A CAN BUS USING A NODE CONNECTED TO THE BUS BY A CAN CONTROLLER
20180302431 · 2018-10-18
Inventors
- Andreas Soenkens (Remseck Am Neckar, DE)
- Arthur Mutter (Neuhausen, DE)
- Florian Hartwich (Reutlingen, DE)
- Thomas Keller (Rottweil, DE)
- Timo Lothspeich (Weissach, DE)
Abstract
A method for averting a manipulation on a CAN bus using a first node connected to the bus by a CAN controller includes a secured transmit module of the first node monitoring the bus; the transmit module recognizing transmission processes of the CAN controller in a normal operation of the first node; the transmit module recognizing a message transmitted impermissibly on the bus in a manner deviating from the normal operation; and, in the event the transmit module recognizes the message, the transmit module initiating countermeasures provided against the manipulation.
Claims
1-10. (canceled)
11. A method comprising: monitoring a CAN bus by a secured transmit module of a first node; identifying, by the transmit module, transmission processes of a CAN controller, by which the first node is connected to the bus, in a normal operation of the first node; identifying, by the transmit module, a message transmitted impermissibly on the bus in a manner deviating from the normal operation; and responsive to the identifying of the message transmitted impermissibly, initiating, by the transmit module, countermeasures against a manipulation by the transmitted message.
12. The method of claim 11, wherein the countermeasures include generation of an error frame on the bus while the message is being transmitted.
13. The method of claim 11, wherein the countermeasures include reporting of the message via a communication channel.
14. The method of claim 11, wherein the countermeasures include transfer of the bus into an error state.
15. The method of claim 11, wherein: in the normal operation, the transmit module is initialized with permissible object identifiers of the first node; the first node transmits the message; the identification of the message is based on the object identifiers; and the countermeasures include that further transmission processes are prevented by a hardware intervention in the CAN controller.
16. The method of claim 11, further comprising: receiving, by the CAN controller, rules for the transmission processes predefined by a hardware security module; and a second node connected to the bus transmitting the message, wherein the identifying of the message is based on the rules.
17. The method of claim 11, further comprising: in the normal operation, initializing the transmit module with permissible object identifiers of the first node; and a second node connected to the bus transmitting the message, wherein the identifying of the message is based on the rules.
18. A non-transitory computer-readable medium on which are stored instructions that are executable by a processor of a node connected to a CAN bus by a CAN controller and that, when executed by the processor, cause the processor to perform a method, the method comprising: monitoring the CAN bus by a secured transmit module of the node; identifying, by the transmit module, transmission processes of the CAN controller in a normal operation of the node; identifying, by the transmit module, a message transmitted impermissibly on the bus in a manner deviating from the normal operation; and responsive to the identifying of the message transmitted impermissibly, initiating, by the transmit module, countermeasures against a manipulation by the transmitted message.
19. A device comprising: a node connected to a CAN bus by a CAN controller, wherein the node includes a secured transmit module that is configured to: monitor the CAN bus; identify transmission processes of the CAN controller in a normal operation of the node; identify a message transmitted impermissibly on the bus in a manner deviating from the normal operation; and responsive to the identification of the message transmitted impermissibly, initiate countermeasures against a manipulation by the transmitted message.
Description
BRIEF DESCRIPTION OF THE DRAWINGS
DETAILED DESCRIPTION
[0018] According to an example embodiment, a method provides that bus nodes are equipped with a suitably secured hardware module (HW module), also referred to as a transmit module, capable of observing the bus communication. The transmit module can be linked to and managed by an HSM or other control unit. In normal operation, the module is initialized with the object identifiers that are to be transmitted by the bus node. In an alternative, the CAN-HW module can be developed so that it receives rules from a trustworthy control unit, e.g., the HSM, with regard to the bus node's own intended communication, for example, the periodicity of messages or maximum number of a certain message per unit of time.
[0019] The CAN-HW module recognizes the normal transmission processes of the standard CAN controller, and consequently, if necessary, is able to monitor the cyclical activity of the bus node. The transmission processes of its own bus node are recognized as valid and further measures are not necessary.
[0020] In the event that a bus node, e.g., a gateway, becomes compromised or assumes an error state so that the node transmits illegal messages that do not match with the messages configured in the HW module, or in the event it does not honor the defined communication rules for the messages to be transmitted by the bus node, this is able to be recognized by the HW module of the respective node, and, according to example embodiments of the present invention, at least one of the following countermeasures is responsively initiated: 1. during ongoing transmission of the illegal message, the transmit module generates an error frame and thereby makes the illegal message invalid; 2. the transmit module reports the illegal message to the message consumers via other communication channels, for example, other CAN messages; 3. the control unit (CU) generates a bus-off error state and transfers the remaining bus nodes into a safer state, e.g., a controlled emergency operation; and 4. for example, with the aid of a hardware intervention, the transmit module prevents further CAN messages from being able to be sent, e.g., by disconnecting the transmit line (Tx) between CAN controller and CAN transceiver.
[0021] In the event that a node, for example, a compromised node C or perhaps a node additionally integrated into the network, transmits messages, in the present case, message 11 made up of arbitration field 13, data 14, and end of frame (EOF) 15, which are actually assigned exclusively to another node (e.g., node A), they are able to be recognized by the original sender (node A) and suitable alternate or error reactions can be triggered (see
[0022] If the transmit module of a node A is designed to monitor communication rules (e.g., the periodicity of messages or maximum number of a certain message per unit of time) of other communication nodes, the transmit module of node A is then able to determine that another communication node (e.g., node B) is violating these rules and can trigger suitable alternate or error reactions, such as, for example, at least one of the following: 1. during ongoing transmission of the illegal message, the transmit module generates an error frame and thereby makes the illegal message invalid; 2. the transmit module reports the illegal message to the message consumers via other communication channels, for example, other CAN messages; and 3. the control unit (CU) generates a bus-off error state and transfers the remaining bus nodes into a safer state, e.g., a controlled emergency operation.
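As an added illustration of the decision logic described in paragraphs [0018] to [0022] (not code from the patent or its applicant), the following Python model of the transmit module checks the three cases the text distinguishes: a transmission of the own controller that does not match the configured object identifiers, a foreign node using an identifier assigned exclusively to this node, and another node violating a "maximum number of a certain message per unit of time" rule. The rule format, the countermeasure names and the bus trace are assumptions constructed for the example.

```python
from collections import deque

# Constructed model of the secured transmit module (example, not the patent's code).
ERROR_FRAME, REPORT, BUS_OFF, DISCONNECT_TX = "error_frame", "report", "bus_off", "disconnect_tx"


class TransmitModule:
    def __init__(self, own_ids, rate_rules):
        # own_ids: object identifiers the HSM initialised as permissible for this node
        # rate_rules: can_id -> (window_ms, max_count), assumed rule format for other nodes
        self.own_ids = frozenset(own_ids)
        self.rate_rules = dict(rate_rules)
        self._seen = {}  # can_id -> deque of timestamps inside the current window

    def observe(self, t_ms, can_id, own_tx):
        """One bus frame in; returns the countermeasures to initiate ([] = normal operation)."""
        if own_tx:  # recognised as a transmission process of the own CAN controller
            if can_id in self.own_ids:
                return []
            # own controller sends an unconfigured ID: node compromised or faulty, cut Tx too
            return [ERROR_FRAME, REPORT, DISCONNECT_TX]
        if can_id in self.own_ids:  # foreign node uses an ID assigned exclusively to this node
            return [ERROR_FRAME, REPORT]
        rule = self.rate_rules.get(can_id)
        if rule is None:
            return []
        window_ms, max_count = rule
        seen = self._seen.setdefault(can_id, deque())
        seen.append(t_ms)
        while t_ms - seen[0] >= window_ms:  # expire timestamps that left the window
            seen.popleft()
        if len(seen) > max_count:  # communication rule violated by another node
            return [ERROR_FRAME, REPORT, BUS_OFF]
        return []


def scan_trace(module, trace):
    """Feed (t_ms, can_id, own_tx) frames in order; return the flagged ones."""
    flagged = []
    for t, cid, own in trace:
        actions = module.observe(t, cid, own)
        if actions:
            flagged.append((t, cid, actions))
    return flagged


# Constructed trace: node A owns 0x100; node B may send 0x200 at most twice per 100 ms.
TRACE = [(0, 0x100, True), (10, 0x200, False), (20, 0x100, False),
         (30, 0x200, False), (40, 0x200, False), (50, 0x7FF, True)]


def demo():
    return scan_trace(TransmitModule(own_ids={0x100}, rate_rules={0x200: (100, 2)}), TRACE)
```

Running `demo()` flags the spoofed 0x100 at 20 ms, the third 0x200 inside one 100 ms window at 40 ms, and the own controller's unconfigured 0x7FF at 50 ms, each with the countermeasures the text lists for that case.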
[0023] If a plurality of CAN modules (e.g., of the M_CAN type), but only one transmit module are integrated on a controller, the transmit module can be switched over cyclically by hardware multiplexer to one CAN module at a time, and the associated CAN bus may be scanned.