JP2014236248A - Electronic control device and electronic control system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To prevent an electronic control device connected with a network from operating erroneously due to unauthorized data at relatively low cost.SOLUTION: An electronic control device according to the invention comprises an I/O control unit connected with a communication bus in parallel with a communication control unit, and the I/O control unit outputs a signal invalidating unauthorized data to the communication bus before an ACK field of the unauthorized data is received.

Description

  The present invention relates to an electronic control device.

  Conventionally, as a technology related to this technical field, the problem is “provide an in-vehicle gateway that can eliminate unnecessary data transfer.” On the other hand, it is connected to the open bus 105 and has a function of converting a protocol, etc. When necessary data or regular data is sent to the gateway 100b, the data is transferred to another bus. In this case, a technique is proposed in which “when incomplete data or illegal data is sent to the gateway 100b, the data is not transferred in the gateway 100b” (Patent Document 1: Abstract).

  Another object of the present invention is to reduce the time required for key exchange in a communication system that performs cryptographic communication using a common cryptographic key via a local area network. When the system is activated, the gateway ECU (GW) generates an encryption key, and the encrypted data obtained by encrypting the encryption key using the seed key is distributed to all the ECUs (ECU1 to ECUN) in a broadcast format. The received encrypted data is decrypted using a seed key, and the decryption result is used as an encryption key for subsequent communication data encryption and decryption, and the ECU that has set the encryption key sends a response (key confirmation) ) And the encrypted data encrypted using the encryption key is returned to the gateway ECU, which determines the legitimacy of each ECU based on the response. . To "have been proposed technology and solutions that (Patent Document 2: Summary).

JP 2002-016614 A JP 2005-341528 A

  In the above-mentioned patent document 1, it is described that a GW having a firewall function is installed at the entrance of an in-vehicle network as a technique for preventing intrusion of illegal data. However, for example, an attack that causes unauthorized data to enter the in-vehicle network without going through the GW, such as mounting a device that transmits unauthorized data inside the GW, cannot be prevented, and the range that can be protected is limited. The problem remains.

  Patent Document 2 describes that the entire network is encrypted so that the in-vehicle electronic control device does not recognize unauthorized data, thereby preventing malfunction of the in-vehicle electronic control device due to unauthorized data. However, in order to realize this, it is necessary to make all of the vehicle-mounted electronic control devices connected to the network compatible with encryption, and the man-hours for ensuring quality are large. In addition, there is a possibility that defects may occur in the work process for ensuring quality.

  The present invention has been made in view of the above problems, and an object thereof is to prevent an electronic control device connected to a network from malfunctioning due to unauthorized data at a relatively low cost.

  The electronic control device according to the present invention includes an I / O control unit connected in parallel to the communication control unit with respect to the communication bus, and the I / O control unit receives the illegal data before receiving the ACK field of the illegal data. A signal for invalidating is output to the communication bus.

  According to the electronic control device of the present invention, malfunction due to unauthorized data can be prevented with a simple configuration. Further, by invalidating illegal data, even if an illegal device enters the network, the electronic control device can be protected from the attack.

1 is a configuration diagram of a vehicle 1 equipped with an electronic control system 2 according to Embodiment 1. FIG. It is a figure which shows the example of a connection of the electronic control system 2 and the electronic control system 4. FIG. 2 is a diagram illustrating an internal configuration example of an electronic control system 2. FIG. 2 is an internal configuration diagram of an ECU 302. FIG. 3 is a diagram illustrating an example of a frame structure of data flowing on a network bus 301. FIG. 6 is a time chart showing the operation timing of the ECU 302 and the state of the network bus 301 when unauthorized data is received. It is a flowchart explaining the process which ECU302 detects and invalidates illegal data. It is a flowchart which shows the detail of step S701. It is a flowchart which shows the detail of step S703. It is a flowchart which shows the detail of step S704. The internal structure of ECU302 in Embodiment 3 is shown. It is a flowchart explaining the procedure in which CPU control part 405 performs the fraud prevention program 4071-4074. It is a figure which shows the internal structure of ECU302 and monitoring ECU131 in Embodiment 4. FIG.

<Embodiment 1: Configuration of electronic control system>
FIG. 1 is a configuration diagram of a vehicle 1 equipped with an electronic control system 2 according to Embodiment 1 of the present invention. The vehicle 1 has an electronic control system 2. The electronic control system 2 is an in-vehicle network system in which electronic control devices are connected using a protocol such as CAN, FlexRay (registered trademark), Ethernet, or the like. The wireless communication unit 3 performs wireless communication with the outside of the electronic control system 2 (for example, communication using a mobile phone, a wireless LAN, a WAN, or the like). The electronic control system 4 is an in-vehicle network system different from the electronic control system 2. The wired communication unit 5 accesses the electronic control system 2 through a wired connection such as a diagnostic terminal (OBD), an Ethernet terminal, or an external recording medium (for example, USB memory, SD card, etc.) terminal. The display device 6 is a device such as a liquid crystal display that receives data from the electronic control system 2 and displays necessary information such as a message.

  FIG. 2 is a diagram illustrating an example of connection between the electronic control system 2 and the electronic control system 4. The gateway (GW) 7 relays data between the network buses of each electronic control system. Also, the communication protocol is converted as necessary.

  FIG. 3 is a diagram illustrating an internal configuration example of the electronic control system 2. A network bus 301 is a communication bus such as a CAN bus for connecting the electronic control device 302 on the network. An ECU (Electronic Control Unit) 302 is connected to the network bus 301 and transmits / receives data to / from another ECU 302 via the network bus 301. The ECU 302 is connected to an H / W (not shown) via the network bus 301 and controls the H / W. For example, the display device 6 can be configured to be controlled by the ECU 302.

  The GW 7 and the ECU 302 may have both functions or only one of the functions. The electronic control device according to the present invention assumes the ECU 302, but the GW 7 can be similarly configured.

  FIG. 4 is an internal configuration diagram of the ECU 302. Main CPU401 is a processor which controls H / W with which vehicles 1, such as an engine and a transmission, are provided, for example. The SubCPU 402 is a processor that executes control such as runaway monitoring of the Main CPU. The communication I / F 403 transmits / receives data to / from the network bus 301. The internal bus 404 is a communication bus for communication within the ECU 302.

  The Main CPU 401 includes a CPU control unit 405, an I / O control unit 406, a storage element 407, and a communication control unit 408.

  The CPU control unit 405 generates a function for reading the information stored in the storage element 407 and performing an operation, a function for storing the operation result in the storage element 407, and an instruction for the I / O control unit 406 and the communication control unit 408. It has the function to do. The I / O control unit 406 is connected to the network bus 301 in parallel with the communication control unit 408 and the communication I / F 403, and has a function of storing data received from the network bus 301 in the storage element 407, a CPU control unit A function of outputting an electrical signal to the network bus 301 in accordance with a command from 405 is provided. The storage element 407 is a storage element such as a ROM, a RAM, or a register. The communication control unit 408 has a function of instructing the communication I / F 403 to transmit / receive communication data in accordance with a command from the CPU control unit 405 and a function of storing the received value in the storage element 407.

  The SubCPU 402 includes a CPU control unit 409, an I / O control unit 410, and a storage element 411. These functions are the same as those of the CPU control unit 405, the I / O control unit 406, and the storage element 407.

  The communication I / F 403 monitors an electrical signal flowing on the network bus 301, converts the electrical signal into data at a timing when reception of data transmitted from another electronic device to the network bus 301 is completed, and a communication control unit Output to 408. The communication control unit 408 filters data to be received by the ECU 302 from the received data and stores the data in the storage element 407. Data to be received by the ECU 302 can be filtered by the CPU control unit 405 specifying the ID of the data to the communication control unit 408.

  The CPU control unit 405 stores the data to be transmitted in the storage element 407 and outputs a transmission instruction to the communication control unit 408. When the communication control unit 408 receives a transmission instruction from the CPU control unit 405, the communication control unit 408 reads data to be transmitted from the storage element 407, converts the data to a data format conforming to a communication protocol to be compliant, and combines the communication I / O with the transmission instruction. Output to F403. When receiving the transmission data and the transmission instruction from the communication control unit 408, the communication I / F 403 converts the transmission data into an electric signal and outputs it to the network bus 301.

  The I / O control unit 406 is directly connected to the network bus 301, and the CPU control unit 405 monitors the electric signal level flowing on the network bus 301 via the I / O control unit 406 in real time. Thereby, the data flowing on the network bus 301 can be monitored in real time without waiting until the communication I / F 403 completes reception of the data flowing on the network bus 301. The I / O control unit 406 takes in the electric signal level flowing on the network bus 301 and stores it in the storage element 407. The CPU control unit 405 monitors the electrical signal level of the network bus 301 in real time by reading the current electrical signal level of the network bus 301 stored in the storage element 407.

  The I / O control unit 406 can directly output an electrical signal to the network bus 301 without passing through the communication control unit 408 and the communication I / F 403. When the I / O control unit 406 receives a command from the CPU control unit 405 so as to output an electrical signal to the network bus 301, the network bus does not pass through the communication control unit 408 and the communication I / F 403 according to the command. An electrical signal is output to 301.

<Embodiment 1: Example of network protocol>
FIG. 5 is a diagram illustrating a frame structure example of data flowing on the network bus 301. Here, the data structure of a data frame when CAN is used as a communication protocol is shown. The numerical value of each field represents the number of bits.

  In CAN, when a network device transmits data, the bus signal is set to a dominant level (0), and when a network device connected on the same bus transmits or receives data, the bus signal is set to a dominant level (0). Alternatively, data communication is arbitrated by detecting which of the recessive level (1). Since the dominant level has a higher priority than the recessive level, when any network device is transmitting the dominant level, the network bus 301 is set to the dominant level even if another network device transmits the recessive level. Is done.

  SOF (Start Of Frame) indicates the start position of the data frame, and is used to synchronize the data frame. SOF is always transmitted as a dominant.

  The identifier (ID) indicates an ID of data (hereinafter referred to as a data ID), and each network device can identify the type of the data by this data ID.

  An ID and an RTR (Remote Transmission Request) bit are called an arbitration field, and arbitration of the network bus 301 is performed by this field. The RTR is always set to a dominant level in the example shown in FIG. When the value of RTR is a recessive level, it indicates that an extended format as shown in FIG. 5B is used. In this case, the ID can be expressed by 29 bits. The structure after the data field of the extended format is the same as that shown in FIG.

RB1 and RB0 are reserved bits, and a dominant level is always set.
DLC represents the data length (number of bytes) of the data field.

  The data field indicates the content of data to be transmitted, and N bytes of data are transmitted with a variable length.

  In the CRC field, the CRC of the data frame is input. The CRC boundary represents the boundary between the acknowledge and the CRC field and is always transmitted at a recessive level. If the CRC boundary is set to the dominant level, the data frame is considered invalid.

  The acknowledge is a field for setting and transmitting the dominant level as a confirmation response when the receiving node (ECU 302 or GW 7) correctly receives data. The acknowledge boundary represents the boundary between the acknowledge and the EOF, and is always transmitted at a recessive level.

  EOF (End Of Frame) indicates the end of the data frame, and a 7-bit recessive level is transmitted.

  In an in-vehicle network, a specific network device periodically transmits a value (for example, a sensor value) observed by the own network device to the network, and notifies the status to another network device. In the CAN, data in the format described with reference to FIG. 5 is transmitted / received. When the network device receiving the data detects that the transmitted data is transmitted in a format different from the predetermined format, it detects it as a form error. The network device that has detected the form error immediately outputs an error frame and invalidates subsequent data transmission on the bus.

<Embodiment 1: Example of impersonation attack>
In the present invention, an attack that is mainly targeted for defense and causes malfunction of a network device by intruding illegal data is called a spoofing attack. A spoofing attack in CAN impersonates a data ID with an existing data ID. In addition, if the data to be spoofed has a check code such as a checksum, that code is also impersonated. This prevents the network device that has received the illegal data from determining whether the data is illegal data.

<Embodiment 1: Example of method for detecting illegal data>
A method for detecting illegal data employed in the first embodiment will be described. Data to be detected is data transmitted at a predetermined cycle. The storage element 407 stores a database called illegal data determination database (DB) for determining illegal data. The illegal data determination DB stores a data ID and a transmission cycle for each data transmitted at a predetermined cycle.

  For the data transmitted to the network bus 301, the CPU control unit 405 transmits the transmission cycle calculated from the difference between the previous transmission timing and the current transmission timing, and the transmission registered in the unauthorized data determination DB. Compare periods. As a result of the comparison, when the calculated transmission cycle is shorter than the transmission cycle registered in the unauthorized data determination DB, the CPU control unit 405 determines that the data is unauthorized data that has entered the transmission timing of the predetermined cycle. . The unauthorized data determination DB stores a transmission cycle for each ID of data flowing through the network bus 301.

  In the following description, description will be made on the assumption that a method of detecting illegal data based on a transmission cycle is used. However, as will be described below, other methods may be used to detect illegal data as long as it is possible to determine whether the received data is illegal data by the CRC boundary and invalidate it.

<Embodiment 1: Example of a method for defending against an impersonation attack>
FIG. 6 is a time chart showing the operation timing of the ECU 302 (I / O control unit 406 and CPU control unit 405) and the state of the network bus 301 when illegal data is received. The procedure for invalidating illegal data by the ECU 302 will be described below with reference to FIG.

  The I / O control unit 406 outputs a recessive level so as not to interfere with the network bus 301 except when invalid data is invalidated. The operation when invalid data is invalidated is described below.

  The I / O control unit 406 monitors the electric signal level flowing through the network bus 301 in real time. The CPU control unit 405 detects that data transmission to the network bus 301 is started (SOF) by detecting that the signal level changes from the bus free state.

  The CPU control unit 405 reads out the transmission cycle corresponding to the received ID from the illegal data detection DB at the time 601 when the I / O control unit 406 has completed receiving the ID field, and is the data transmitted at a predetermined cycle? Determine whether or not. If it is determined that the received data is not illegal data, the I / O control unit 406 continues to output a recessive level so as not to interfere with data flowing on the network bus 301. When it is determined that the received data is illegal data, the I / O control unit 406 performs processing for invalidating illegal data described below.

  The I / O control unit 406 outputs a dominant level in order to invalidate illegal data at the timing (time 602) when the CRC boundary of illegal data is transmitted on the network bus 301. As a result, the recessive level signal that is the CRC boundary of illegal data and the dominant level signal output from the I / O control unit 406 coexist on the network bus 301. However, the dominant level and the recessive level are present. The electrical signal level of the network bus 301 becomes dominant according to the priority order. When the electrical signal level at the CRC boundary is dominant, the network device that has received the illegal data detects a form error and transmits an error frame. This invalidates invalid data.

  The signal for invalidating the illegal data needs to be transmitted before other network devices confirm the reception of the illegal data. That is, it is necessary to transmit a signal for invalidating invalid data before the I / O control unit 406 receives an acknowledge of illegal data (for example, as described above, at a CRC boundary). Therefore, the CPU control unit 405 considers the processing time of the CPU control unit 405 and the I / O control unit 406, and the CRC boundary with respect to the I / O control unit 406 at a time before the CRC boundary (for example, time 603). To set to the dominant level.

  FIG. 7 is a flowchart illustrating a process in which the ECU 302 detects invalid data and invalidates it. Hereinafter, each step of FIG. 7 will be described.

(FIG. 7: Step S701)
The I / O control unit 406 receives data from the network bus 301. Details of this step will be described later with reference to FIG.

(FIG. 7: Steps S702 to S704)
The CPU control unit 405 performs step S704 when the reception of the ID field of the data received in step S701 is completed (time 601 in FIG. 6), and before the reception of the CRC boundary (time 603 in FIG. 6). ), Step S703 is performed. Details of steps S703 and S704 will be described later with reference to FIGS. After step S703, this flowchart is ended, and after step S704, the process proceeds to step S705.

(FIG. 7: Step S705)
The I / O control unit 406 returns the output to the recessive level in order to invalidate only illegal data and prevent interference with other data.

  FIG. 8 is a flowchart showing details of step S701. In S801, the I / O control unit 406 specifies each field of the received data. In S <b> 802, the I / O control unit 406 reads each field value (dominant / recessive) of the received data, and stores the data content from the start of transmission (SOF) to the present in the storage element 407.

  FIG. 9 is a flowchart showing details of step S703. Step S703 is processing to output a signal for invalidating illegal data. Hereinafter, each step of FIG. 9 will be described.

(FIG. 9: Step S901)
The CPU control unit 405 determines whether there is a request to output the dominant level. The presence / absence of the request is determined based on, for example, the value of the dominant output request flag described in FIG. If the flag is set, the process proceeds to steps S902 and S903, and if not, this flowchart ends.

(FIG. 9: Step S902)
The CPU control unit 405 transmits an instruction to output a dominant level signal to the network bus 301 to the I / O control unit 406. Upon receiving the instruction, the I / O control unit 406 outputs a dominant level signal for invalidating invalid data to the network bus 301.

(FIG. 9: Step S903)
The CPU control unit 405 clears the set dominant output request flag in order to invalidate only illegal data and prevent interference with other data.

  FIG. 10 is a flowchart showing details of step S704. Step S704 is processing for detecting illegal data. Hereinafter, each step of FIG. 10 will be described.

(FIG. 10: Step S1001)
The CPU control unit 405 identifies the ID of the received data based on the data content captured in step S701 in FIG.

(FIG. 10: Step S1002)
The CPU control unit 405 calculates the transmission cycle of the data based on the difference between the current reception time and the previous reception time of the data received in step S701. For example, the time difference can be calculated using an internal timer mounted on the Main CPU 401.

(FIG. 10: Step S1003)
The CPU control unit 405 compares the transmission cycle calculated in step S1002 with the transmission cycle registered in the unauthorized data determination DB. If the calculated transmission cycle is shorter than the transmission cycle registered in the unauthorized data determination DB, it is determined that the received data is unauthorized data. If it is illegal data, the process proceeds to step S1004; otherwise, the process skips to step S1005. The operation of the CPU control unit 405 in this step corresponds to a “fraud determination unit”.

(FIG. 10: Steps S1004 to S1005)
The CPU control unit 405 sets a dominant output request flag (S1004). The CPU control unit 405 stores the time when data is received from the network bus 301 in the storage element 407. As the previous reception time in step S1002, the time stored in the storage element 407 in this step is used.

<Embodiment 1: Summary>
As described above, according to the ECU 302 according to the first embodiment, the I / O control unit 406 monitors the network bus 301 and detects this before other ECUs complete receiving (acknowledgement) illegal data. Can be disabled. Thereby, all the electronic control apparatuses connected to the in-vehicle network can be protected from the spoofing attack. Further, if at least one ECU 302 is connected to the in-vehicle network, the entire range of the in-vehicle network can be protected, so that an in-vehicle network with ensured reliability can be provided. Further, since the ECU 302 invalidates the illegal data, it is not necessary for all the electronic control devices to have an equivalent anti-fraud function, and the above function can be realized with a relatively small man-hour for ensuring quality. As a result, since the possibility of defects entering the work process for ensuring quality is reduced, the in-vehicle network can be protected from a spoofing attack at a relatively low cost.

  In the first embodiment, the invalid data is invalidated by setting the CRC boundary of the CAN to the dominant level. However, the method for invalidating the invalid data is not limited to this, and depends on the communication protocol. Other suitable techniques can be used. For example, in CAN, if a predetermined number of dominant levels continue, the data frame is regarded as invalid. Therefore, when illegal data is detected, the I / O control unit 406 continuously transmits a dominant level signal to the network bus 301 over that number. It is possible to invalidate invalid data by outputting.

  In the first embodiment, it is sufficient that invalid data is invalidated before another ECU outputs an acknowledge. Therefore, if the same effect as that of setting the CRC boundary to the dominant level can be exhibited, Invalid data may be invalidated by setting the field to the dominant level. However, it is necessary to use the dominant level in view of the priority order of the recessive level and the dominant level. A plurality of methods for invalidating illegal data may be used in combination.

  In the first embodiment, it has been described that the I / O control unit 406 monitors data flowing on the network bus 301 in real time, but the same processing is performed by, for example, the I / O control unit 410 and the I / O control of the SubCPU 402. It can also be realized by using a dedicated IC in which the same function as that of the unit 406 is mounted. Alternatively, a similar function can be realized by allowing the CPU control unit 405 to refer to data being received by the communication I / F 403. Similarly, when the I / O control unit 406 outputs a signal to the network bus 301, other functional units may realize the same function. The data captured by the I / O control unit 406 may be stored in the storage element 411 of the SubCPU 402, for example, or may be stored in a storage element of a dedicated IC added separately.

<Embodiment 2>
In the first embodiment, a function equivalent to that of the ECU 302 for invalidating illegal data can be implemented in another ECU, and the anti-fraud function can be made a redundant system. Thereby, even when the ECU 302 cannot perform the fraud prevention function of the first embodiment due to the influence of a failure or the like, the reliability against the spoofing attack can be maintained.

<Embodiment 3>
In the first and second embodiments, when a function for invalidating illegal data is implemented by a program, if the storage element 407 storing the program is subjected to an attack that is tampered with, the function is operating effectively. Cannot be determined. Therefore, in a third embodiment of the present invention, a configuration example for detecting falsification of a program in which a fraud prevention function is implemented will be described. Other configurations are the same as those in the first and second embodiments. For convenience of description, some components are omitted.

  FIG. 11 shows an internal configuration of the ECU 302 in the third embodiment. In the third embodiment, the storage element 407 stores a fraud prevention program that implements the fraud prevention function described in the first embodiment, and the program is divided into a plurality of (four in the example of FIG. 11) storage areas. Stored. The Main CPU 401 executes the fraud prevention program while jumping the storage area in the storage element 407. The fraud prevention program can be configured such that a single program is divided and stored in a plurality of storage areas, or can be configured such that a plurality of programs call the next program. In the following, it is assumed that the four programs 4071 to 4074 are configured to call the next program in this order.

  The I / O control unit 406 of the Main CPU 401 and the I / O control unit 410 of the SubCPU 402 are connected via an internal bus. The CPU control unit 405 causes the I / O control unit 406 to output a monitoring signal for monitoring whether or not the fraud prevention program has been tampered with in accordance with a flowchart described later with reference to FIG. The I / O control unit 406 outputs a monitoring signal to the I / O control unit 410 in accordance with a command from the CPU control unit 405.

  The fraud prevention program is configured to switch the signal level (Hi / Lo) of the monitoring signal when the processing stored in all the storage areas is completed. If any storage area before the processing is completed is falsified, the jump between the storage areas does not operate normally and is interrupted in the middle, and the fraud prevention program ends without switching the signal level of the monitoring signal. The CPU control 409 detects that the fraud prevention program in the storage element 407 has been tampered with by monitoring whether the signal level (Hi / Lo) of the monitoring signal is switched at every execution period of the fraud prevention program. To do.

  The CPU control unit 405 activates the program 4071 at a predetermined cycle. The programs 4072 to 4074 call the next program in this order. The program 4074 is configured to output a command for inverting the signal level of the monitoring signal. The CPU control unit 405 outputs a command for inverting the signal level of the monitoring signal to the I / O control unit 406 in accordance with the description of the program 4074.

  The CPU control unit 409 activates a program for monitoring the monitoring signal at the same cycle as the fraud prevention program 4071. If the signal level of the monitoring signal has not been reversed since the previous execution, it is determined that all or part of the storage element 407 has been tampered with, and an error signal indicating that fact is output.

  FIG. 12 is a flowchart for explaining a procedure for the CPU control unit 405 to execute the fraud prevention programs 4071 to 4074. The fraud prevention programs 4071 to 4074 are configured to start subsequent programs in the order shown in FIG. The fraud prevention program 4074 inverts the monitoring signal.

  In the above description, it has been described that the Sub CPU 402 monitors the Main CPU 401. However, the same function as that of the Sub CPU 402 can be implemented on a dedicated IC having a CPU control unit and an I / O control unit.

<Embodiment 4>
In the third embodiment, it has been described that the SubCPU 402 mounted on the ECU 302 detects falsification of the fraud prevention program in the storage element 407. In the fourth embodiment of the present invention, a configuration example in which another ECU detects falsification of the fraud prevention program will be described. Other configurations are the same as those of the third embodiment.

  FIG. 13 is a diagram illustrating an internal configuration of the ECU 302 and the monitoring ECU 131 according to the fourth embodiment. In the fourth embodiment, the SubCPU 402 in the ECU 302 does not have a function of monitoring the alteration of the storage element 407. The monitoring ECU 131 is not connected to the network bus 301 and includes a Main CPU 132 and a Sub CPU 133.

  The Main CPU 132 includes a CPU control unit 134 and an I / O control unit 135. The I / O control unit 135 receives a monitoring signal from the I / O control unit 406. The CPU control unit 134 detects an attack in which all or a part of the storage element 407 is falsified based on the monitoring signal by the same method as the SubCPU 402 in the third embodiment.

  In the above description, it has been described that the CPU control unit 134 and the I / O control unit 135 of the monitoring ECU 131 monitor the tampering of the storage element 407, but the SubCPU 133 can also have the same function. Further, a dedicated IC having the same functions as those of the CPU control unit 134 and the I / O control unit 135 can be added to the monitoring ECU 131 to monitor the alteration of the storage element 407.

  Although it has been described in FIG. 13 that the monitoring ECU 131 is not connected to the network bus 301, this is to prevent the monitoring ECU 131 from being attacked via the network bus 301. Therefore, it is desirable that the monitoring ECU 131 is not connected to the network bus, but the storage element 407 can be monitored even in a configuration in which the monitoring ECU 131 is connected to the network bus 301.

  The present invention is not limited to the embodiments described above, and includes various modifications. The above embodiment has been described in detail for easy understanding of the present invention, and is not necessarily limited to the one having all the configurations described. A part of the configuration of one embodiment can be replaced with the configuration of another embodiment. The configuration of another embodiment can be added to the configuration of a certain embodiment. Further, with respect to a part of the configuration of each embodiment, another configuration can be added, deleted, or replaced.

  For example, in each embodiment, a network in which the CPU control unit 405 cannot refer to the data until the ECU 302 completes reception of data from the network bus 301, such as an in-vehicle network, is assumed. This does not prevent the present invention from being applied to the control device.

  Each of the above-described configurations, functions, processing units, processing means, and the like may be realized in hardware by designing a part or all of them, for example, with an integrated circuit. Each of the above-described configurations, functions, and the like may be realized by software by interpreting and executing a program that realizes each function by the processor. Information such as programs, tables, and files for realizing each function can be stored in a recording device such as a memory, a hard disk, an SSD (Solid State Drive), or a recording medium such as an IC card, an SD card, or a DVD.

  301: Network bus, 302: ECU, 401: Main CPU, 402: SubCPU, 403: Communication I / F, 405: CPU control unit, 406: I / O control unit, 407: Storage element, 408: Communication control unit.

Claims (8)

An apparatus for controlling the operation of an electronic device,
A communication control unit that transmits and receives data to and from other electronic devices via a communication bus;
An I / O control unit that transmits and receives data to and from the communication bus in parallel with the communication control unit;
A fraud determination unit for determining whether the data received from the communication bus by the I / O control unit is fraudulent data;
With
The I / O control unit sends a signal for invalidating the illegal data to the communication bus before receiving the reception confirmation field of the data determined by the fraud determination unit as illegal data from the communication bus. An electronic control device characterized by output. The electronic control device includes a processor configured to receive data from the other electronic device at predetermined intervals via the communication control unit,
The fraud determination unit determines that the data is fraudulent data when the I / O control unit receives data from the communication bus at a time interval shorter than the predetermined period. The electronic control device according to 1. The communication control unit is configured to transmit / receive data to / from the other electronic device using a CAN protocol,
The I / O control unit invalidates the illegal data by outputting to the communication bus a signal for changing a CRC boundary field of data determined to be illegal data by the fraud determination unit to a dominant level. The electronic control device according to claim 2, wherein: The communication control unit is configured to transmit / receive data to / from the other electronic device using a CAN protocol,
The I / O control unit regards the invalid data as invalid data on the CAN protocol before receiving from the communication bus the reception confirmation field of the data determined by the fraud determination unit as the illegal data. The electronic control device according to claim 2, wherein the illegal data is invalidated by continuously outputting a dominant level signal equal to or greater than the number to the communication bus. The I / O control unit outputs the signal for invalidating the illegal data to the communication bus and before the communication control unit starts receiving the next data from the communication bus. The electronic control device according to claim 1, wherein a signal for invalidating the signal is stopped. The electronic control device includes a monitoring unit that receives a monitoring signal indicating whether or not the fraud determination unit is operating normally and determines an operation state of the fraud determination unit based on the monitoring signal,
The fraud determination unit is configured as a fraud determination program stored in a memory device,
The fraud determination program is configured to be executed while jumping an address in the memory device,
The fraud determination program, after completing the last jump, inverts the signal level of the monitoring signal and outputs it to the monitoring unit,
The monitoring unit outputs an alert to the effect that the fraud determination unit is not operating normally when the signal level of the monitoring signal is not reversed every execution period of the fraud determination program. Item 2. The electronic control device according to Item 1. A plurality of electronic control devices according to claim 1,
When the fraud determination unit or the I / O control unit included in any one of the electronic control devices fails, the fraud determination unit and the I / O control unit included in the other electronic control device fail. An electronic control system that operates on behalf of an electronic control device. An electronic control device according to claim 1,
A second electronic control unit comprising a monitoring unit that receives a monitoring signal indicating whether or not the fraud determination unit is operating normally and determines an operation state of the fraud determination unit based on the monitoring signal;
Have
The fraud determination unit is configured as a fraud determination program stored in a memory device,
The fraud determination program is configured to be executed while jumping an address in the memory device,
The fraud determination program, after completing the last jump, inverts the signal level of the monitoring signal and outputs it to the monitoring unit,
The monitoring unit outputs an alert indicating that the fraud determination unit is not operating normally when the signal level of the monitoring signal is not reversed every execution period of the fraud determination program. Control system.

Images