CN117728970A - Technique for mitigating on-board network maneuvers - Google Patents

Technique for mitigating on-board network maneuvers

Info

Publication number: CN117728970A
Authority: CN (China)
Application number: CN202311206175.3A
Other languages: Chinese (zh)
Inventors: M·科内布, L·哈拉切克, M·尧斯
Current assignee: Robert Bosch GmbH
Original assignee: Robert Bosch GmbH
Legal status: Pending
Prior art keywords: components, component, manipulation, board network, preventing

Classifications

    • G PHYSICS
        • G06 COMPUTING; CALCULATING OR COUNTING
            • G06F ELECTRIC DIGITAL DATA PROCESSING
                • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
                    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
                        • G06F21/55 Detecting local intrusion or implementing counter-measures
                            • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L63/00 Network architectures or network communication protocols for network security
                    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
                        • H04L63/1441 Countermeasures against malicious traffic
                • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication (H04L9/00)
                    • H04L2209/84 Vehicles
                • H04L67/00 Network arrangements or protocols for supporting network services or applications
                    • H04L67/01 Protocols
                        • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks

Abstract

One aspect of the present disclosure relates to an on-board network of a vehicle having means for mitigating and preventing software manipulation. The means for mitigating and preventing software manipulation is designed to mitigate and prevent manipulation in each of a plurality of distributed components in a plurality of areas of the on-board network. The means for mitigating and preventing software manipulation are distributed across multiple components of the on-board network. A first component of the plurality of components is disposed in a first region of a plurality of regions of the on-board network. A second component of the plurality of components is disposed in a second region of the plurality of regions of the on-board network.

Description

Technique for mitigating on-board network maneuvers
Background
Vehicles are increasingly being incorporated into open environments (e.g., vehicles communicate with other vehicles, infrastructure components, or a backend). At the same time, the complexity of vehicle software is increasing, and the software should also be updatable in the field (e.g., by over-the-air updates). These developments make vehicles more vulnerable to attacks that manipulate the vehicle software. Such attacks may limit the functionality of the vehicle and, in some cases, even jeopardize operational safety. It is therefore desirable to protect a vehicle from manipulation of its software.
Disclosure of Invention
A first general aspect of the present disclosure relates to an on-board network of a vehicle having means for mitigating and preventing software manipulation. The means for mitigating and preventing software manipulation is designed to mitigate and prevent manipulation in each of a plurality of distributed components in a plurality of areas of the on-board network. The means for mitigating and preventing software manipulation are distributed across multiple components of the on-board network. A first component of the plurality of components is disposed in a first region of a plurality of regions of the on-board network. A second component of the plurality of components is disposed in a second region of the plurality of regions of the on-board network.
A second general aspect of the present disclosure relates to a method for mitigating or preventing software manipulation in an on-board network of a vehicle. The on-board network includes a plurality of distributed components arranged in a plurality of regions. The method comprises the following step: the tasks for mitigating or preventing manipulation are performed by a first component of a plurality of components of the means for mitigating and preventing software manipulation. The means for mitigating and preventing software manipulation are designed to mitigate and prevent manipulation in each of the plurality of components of the on-board network. A first component of the plurality of components is disposed in a first region of a plurality of regions of the on-board network. A second component of the means for mitigating and preventing software manipulation is arranged in a second one of the plurality of regions of the on-board network.
In some examples, the techniques of the first and second general aspects may have one or more of the following advantages.
First, in the techniques of this disclosure, the various distributed components of the on-board network are covered by the means for mitigating and preventing software manipulation (e.g., the components of the on-board network in one area are each covered by a component of the means for mitigating and preventing software manipulation). Thus, one or more of the following advantages may be realized for each of these components. In some cases, the period of time until a manipulation is mitigated may be reduced (in some cases significantly) compared to the prior art. As part of the on-board network, the (central) means for mitigating and preventing manipulation may initiate the mitigation measure immediately (e.g., within five minutes or within one minute), substantially without the assistance of a system external to the vehicle. In some examples, the means for mitigating and preventing manipulation may not only initiate a measure but may also perform it. In other examples, other components of the on-board network may (also) participate in performing the measure. As a result, the mitigation measure may also be carried out immediately (e.g., within five minutes or within one minute), and the vehicle may enter a defined state (e.g., a safe state according to predetermined safety criteria). In addition, the techniques of this disclosure may save resources compared to other methods: the means for mitigating and preventing manipulation may replace a plurality of means that each cover only a part of the components or even only a single component. Additionally, in some cases, already existing components may be reused in the techniques of the present disclosure. For example, persistent memory that is (also) used to update the software of multiple components of the vehicle (e.g., to store large update packages) may be "reused" to reset the software of the components and thus eliminate a manipulation.
In some cases, no new memory need be provided for this purpose. Holding reset software in each of most of the components, by contrast, can add significantly to the design costs of these components (e.g., control devices). Moreover, the techniques of the present disclosure may be more easily extended and/or deployed in older vehicles (which are not designed according to the latest standards) than some techniques of the prior art. For example, the means for mitigating and preventing manipulation may be modified relatively easily to "look after" add-on components. In some cases, the components "looked after" need to be modified little or not at all, which makes deployment in older vehicles easier. In some cases, the central means for mitigating manipulation may itself be added by a software update. For example, existing components of the vehicle (e.g., the central communication interface of the vehicle or the central computer of the vehicle) may be equipped with the (additional) functions of the means for mitigating and preventing manipulation by means of a software update.
Second, the means for mitigating and preventing software manipulation may to some extent concentrate the task of mitigating and preventing manipulation (e.g., compared to providing means for mitigating and preventing manipulation in each component of the on-board network). At the same time, however, the components of the means for mitigating and preventing manipulation of the present disclosure are distributed in the on-board network. This distribution can be carried out from different points of view and thus yields different advantages. In some cases, the means for mitigating and preventing software manipulation may be arranged such that the tasks of mitigating and preventing manipulation are performed by different components in different areas. The components may be arranged in the respective areas they cover. In this way, the load on the on-board network can be reduced in some cases, since locally arranged components take over the tasks for mitigating and preventing manipulation (compared to the case of only centrally arranged components). In this case, the communication load between remote components can be reduced. Additionally or alternatively, the load on the communication paths of the on-board network may be reduced, as the messages of the means for mitigating and preventing manipulation are already processed at an earlier point without first being transmitted over a long distance of the on-board network (e.g., along a CAN or Ethernet bus). Further additionally or alternatively, a local component may reduce the response time of the means for mitigating and preventing software manipulation (e.g., compared to a central means for mitigating and preventing software manipulation that may be located relatively far from some area of the vehicle). Further additionally or alternatively, in some cases, the distributed components may provide greater security against attacks on the means for mitigating and preventing software manipulation itself.
The other distributed components of the means for mitigating and preventing software manipulation may remain operational even if one of the components in a particular area is affected. Further additionally or alternatively, each component in the respective region may be tailored to the needs of that region. This may increase the performance capabilities of the means for mitigating and preventing software manipulation without unduly increasing the complexity of the individual components. In other cases, the means for mitigating and preventing software manipulation may be distributed over different components that are remote from each other (e.g., in different areas of the vehicle) and that each assume different tasks for mitigating and preventing software manipulation. For example, a first component may be designed to recognize possible manipulation in remote components in multiple areas of the on-board network. A second component (remote from the first component) may be designed to provide software components for remote components in multiple areas of the on-board network. A third component (remote from the first and second components) may be designed to initiate measures for mitigating the manipulation and/or preventing repeated manipulation. By assigning the means for mitigating and preventing software manipulation according to tasks, said means may in some cases be integrated into an existing on-board network without overloading existing resources and thus without having to (excessively) add resources. For example, the computing operations that arise when operating the means for mitigating and preventing software manipulation may be taken over by a number of different components of the on-board network.
This may prevent individual components of the on-board network from being overloaded, which would otherwise require, for example, fairly powerful hardware to be provided in order to perform the tasks of the means for mitigating and preventing software manipulation. For example, providing a software container for the entire vehicle or a large portion of the vehicle may impose significant storage requirements that can only be met in specific components of the vehicle. These particular components may then lack sufficient computing power to perform the other tasks of the means for mitigating and preventing software manipulation. Additionally or alternatively, distributing the means for mitigating and preventing software manipulation over different components according to the tasks may also improve security against attacks, as other remote components may remain operational after a successful attack on one component of the means for mitigating and preventing software manipulation.
Some terms are used in this disclosure in the following manner:
An "area" of an on-board network may be any portion of the on-board network formed by a set of components of the on-board network according to functional, spatial, or other criteria. These areas of the on-board network are mapped in the hardware and/or software of the on-board network (i.e., the components of an area can be identified as belonging to that area by virtue of its design). For example, an area may include one or more zone coordinator components that coordinate or control traffic within the area. In some examples, the vehicle may be divided into different spatial regions. A spatial region may include various components of the vehicle that are physically located within a particular region of the vehicle (e.g., "rear right", "front left", "front interior", etc.). Additionally or alternatively, the vehicle may be divided into different functional areas. A functional area may include various components of the vehicle that participate in providing a specific function of the vehicle (e.g., engine control, drive train control, infotainment, air conditioning, communication, etc.). Additionally or alternatively, the vehicle may be divided into areas with different protective measures (e.g., the use of firewalls or specific encryption techniques). In this case, a first region may include components that (according to a predetermined metric) are protected against intrusion less strongly than the components of a second region.
A "component" in this disclosure (of an on-board network) has its own hardware resources including at least a processor for executing instructions and a memory for holding at least one software component. The term "processor" also includes a multi-core processor or a plurality of separate components that take on (and may share) the tasks of the central processing unit of the electronic device. The components may independently perform tasks (e.g., measurement tasks, monitoring tasks, control tasks, communication tasks, and/or other work tasks). However, in some examples, one component may also be controlled by another component. The components may be physically defined (e.g., having their own housing) or integrated into a higher level system. The component may be a control device or a communication device of the vehicle. The component may be an embedded system.
An "embedded system" is a component that is incorporated (embedded) into a technical environment. In this case, the component takes on monitoring or regulation tasks and/or is responsible for data or signal processing.
A "(dedicated) control device" is a component that (exclusively) controls the functions of the vehicle. For example, the control device may take over engine control, brake system control or auxiliary system control. Here, "functions" may be defined on different levels of the vehicle (e.g., a single sensor or actuator may be used for one function, but a large number of assemblies combined into a larger functional unit may also be used).
The term "software" or "software component" may in principle be any part of the software of the components of the present disclosure (e.g., the control device). In particular, the software component may be a firmware component of the components of the present disclosure. "Firmware" is software that is embedded in (electronic) components and performs the basic functions there. The firmware is functionally fixed to the corresponding hardware of the component (such that the firmware cannot be used without that hardware, and vice versa). It may be stored in a non-volatile memory, such as a flash memory or EEPROM.
The term "update information" or "software update information" includes any data that forms a software component of a component according to the present disclosure, either directly or after a corresponding processing step. The update information may include executable code or code that has not yet been compiled. Additionally or alternatively, the update information may contain configuration parameters for the component.
The term "manipulation" in this disclosure includes any change in the software of the vehicle components. The change may be the result of an attack (i.e., deliberate influence by a third party) or of random or unintentional influence.
The term "mitigating" includes all measures that at least alleviate the actual or potential impact of a manipulation. Mitigation may include eliminating the manipulation (i.e., the cause of its effects). For example, software components suspected of being manipulated may be replaced. Additionally or alternatively, mitigation may also lessen the impact of the manipulation (whether it has already occurred or is merely a concern). This may include, for example, cutting off the components involved from providing a particular function and/or from communication.
The term "vehicle" includes any means of transporting passengers and/or cargo. The vehicle may be a motor vehicle (e.g., a passenger car or a truck), but may also be a rail vehicle. Watercraft and aircraft may also be vehicles. The vehicle may operate at least partly autonomously or with assistance.
An "on-board network" may be any in-vehicle network through which components of a vehicle communicate. The on-board network includes the components (e.g., control devices and other components) networked within it. In some examples, the on-board network is a local area network. The on-board network may employ one or more short-range communication protocols (e.g., two or more short-range communication protocols). A short-range communication protocol may be a wireless or wired communication protocol. The short-range communication protocol may include a bus protocol (e.g., CAN, LIN, MOST, FlexRay or Ethernet). The short-range communication protocol may include a Bluetooth protocol (e.g., Bluetooth 5 or higher) or a WLAN protocol (e.g., a protocol of the IEEE 802.11 family, such as 802.11h or higher). The on-board network may contain interfaces for communication with systems external to the vehicle and may therefore also be incorporated into other networks. However, systems and other networks external to the vehicle are not part of the on-board network.
The expression "recognizing a possibility of …" refers to interpreting a specific event (e.g., a signal or the absence of a signal) according to a predetermined rule in order to recognize a state in which a software manipulation may exist.
Drawings
Fig. 1 is a flow chart illustrating the techniques of the present disclosure.
Fig. 2 illustrates components of an on-board network of a vehicle in which the techniques of this disclosure may be used.
Detailed Description
Fig. 1 is a flow chart illustrating the techniques of the present disclosure. Fig. 2 illustrates components of an on-board network 21 of a vehicle 20 in which the techniques of the present disclosure may be used.
The on-board network 21 of the vehicle 20 comprises means 25 for mitigating and preventing software manipulation. The means 25 for mitigating and preventing software manipulation are designed to mitigate and prevent manipulation in each of a plurality of distributed components 27a-m in a plurality of areas 41, 42, 43 of the on-board network 21. The means 25 for mitigating and preventing software manipulation are distributed over a plurality of components 27a, d, m of the on-board network 21. A first component 27a of the plurality of components 27a, d, m is arranged in a first region 41 of a plurality of regions 41, 42, 43 of the on-board network 21. A second component 27d of the plurality of components 27a, d, m is arranged in a second region 42 of the plurality of regions 41, 42, 43 of the on-board network 21. In other words, the tasks of the means 25 for mitigating and preventing software manipulation are performed by the components 27a, d, m distributed over a plurality of areas 41, 42, 43 of the on-board network 21. The extent of the tasks and the manner in which they are distributed over the different components 27a, d, m in the different areas 41, 42, 43 may differ between examples. Some exemplary distributions are discussed in more detail below.
In the example of fig. 2, three different areas 41, 42, 43 are shown. On-board network 21 may be divided into any number of zones (e.g., two or more zones, five or more zones, or ten or more zones). The components 27a-m in the different areas 41, 42, 43 are communicatively connected in the on-board network 21.
As described above, these regions may be formed in different ways.
In some examples, the on-board network 21 may be divided into different spatially distinct regions 41, 42, 43. The spatial zones 41, 42, 43 may comprise different components 27a-m of the vehicle physically arranged in a particular zone of the vehicle. For example, the interior space of the vehicle may be divided into one or more areas. One or more additional regions may be located outside of the interior space (e.g., one or more regions of the front side of the vehicle, one or more regions of the rear side of the vehicle, or multiple regions of the side of the vehicle and/or one or more regions of the bottom side of the vehicle). In other examples, the partitioning of the regions in space may also be performed without regard to the partitioning into inner and outer spaces according to the locations in the respective components.
In other examples, the on-board network 21 may be divided into different functional areas 41, 42, 43. The functional areas 41, 42, 43 may comprise different components 27a-m of the vehicle 20 that are involved in providing a specific function of the vehicle. The function may be any function of the vehicle 20. Exemplary functions are engine functions (i.e., engine control and/or monitoring), driveline functions (i.e., control and/or monitoring of the driveline), transmission functions (i.e., transmission control and/or monitoring), brake functions (i.e., brake control and/or monitoring), battery functions (e.g., operation of a battery management system), interface functions (e.g., operation of a human-machine interface), steering functions, door control functions, telematics functions, driving functions (e.g., operation assistance systems or autopilot systems), air conditioning functions, infotainment functions, seat control functions, or door control functions. Two or more of the above functions may also be arranged in one functional area. Additionally or alternatively, one of the above-described functions may also be distributed over multiple areas (e.g., separate areas for controlling each front seat).
In some examples, the plurality of regions 41-43 include not only functional regions but also spatial regions (or additionally other types of regions). Alternatively or additionally, the on-board network 21 may be divided into a plurality of areas 41, 42, 43 according to a plurality of criteria.
One region may be separated from other regions in hardware and/or software (e.g., components of one region are physically separated from components of another region). Additionally or alternatively, an area may communicate with other areas through its own gateway (i.e., a communication interface) (e.g., communications to and from the area are handled via the gateway). Further additionally or alternatively, components of an area may have common safeguards (e.g., a firewall that monitors communications entering the area). In some examples, a component of an area may have dedicated resources that are accessible only to the component of the area (e.g., a computing unit, memory, or a sub-network of the on-board network 21).
The areas 41, 42, 43 may contain components 27a, 27d that serve as central communication nodes for the respective areas 41, 42, 43 and/or take over control functions of the respective areas 41, 42, 43. In the example of fig. 2, component 27a is a central communication node of first region 41. Component 27d is the central communication node of the second area 42. The component 27m is a central communication node of the third area 43.
In some examples, the first component 27a may be designed to perform the tasks for mitigating and preventing manipulation in each of the distributed components 27a-c of the first region 41 (e.g., in all components of the first region 41 or in only a portion of them). In addition, the first component 27a is not designed to perform tasks for mitigating and preventing manipulation in the distributed components of the second region 42 (and optionally of the third region 43). In some examples, the first component 27a is not involved in the tasks of mitigating and preventing manipulation in any other area 42, 43 (e.g., the second area 42 or the third area 43) of the on-board network 21. In some examples, the first component 27a is designed only for the tasks of mitigating and preventing manipulation in the first region 41. However, this does not necessarily mean that all components 27a, d, m of the means 25 for mitigating and preventing software manipulation can only act on a single area (although this is also possible; in some examples the first component 27a is designed to perform all actions of the central means for mitigating and preventing software manipulation that relate to the components 27a-c of the first area 41). In some examples, there may thus be one or more components that participate in performing tasks for mitigating and preventing manipulation in multiple areas. Additionally or alternatively, for certain tasks (e.g., mitigating manipulations with certain patterns), the first component 27a may be designed to perform tasks for mitigating and preventing manipulation in the distributed components 27d-m of areas other than the first area 41.
In other words, in some examples, the first component 27a may be the (central) means 25 for mitigating and preventing manipulation of the software of the first area 41 (while other areas each have their own regional means for mitigating and preventing manipulation of their software). In this case, the distributed means 25 for mitigating and preventing software manipulation consists of a plurality of sub-means that operate at least partially independently.
In some examples, the first component 27a (which performs the task of means for alleviating and preventing software manipulation in the first area 41) may be part of the component 27a acting as a central communication node of the first area 41 and/or part of the component 27a taking over control functions of the first area 41. Alternatively or additionally, the first component 27a may be a separate component (e.g., having its own hardware resources). Further additionally or alternatively, the first components 27a may be distributed over different sub-components in the first region 41.
The second component 27d of the plurality of components may be designed to perform tasks for mitigating and preventing manipulation in each of the plurality of distributed components 27d-f of the second area 42. In addition, the second component 27d may not be designed to perform tasks for mitigating and preventing manipulation in the distributed components of the first region 41 (and the third region 43). In some examples, the second component 27d is not involved in the tasks for mitigating and preventing manipulation in the other regions 41, 43 (e.g., the first region 41 or the third region 43). In some examples, the second component 27d is designed only for the tasks of mitigating and preventing manipulation in the second region 42. What was described above with respect to the first component 27a applies equally to the second component 27d. The second component 27d may be designed as described with respect to the first component 27a (in some examples, the first and second components 27a, 27d are designed identically, but in other examples, the first and second components 27a, 27d may also be designed differently).
In a specific example, the first region 41 may include an engine control device. The second region 42 may include control means for the function of the interior space.
The third component 27m of the plurality of components may be designed to perform tasks for mitigating and preventing manipulation in each of the plurality of distributed components 27g-m of the third region 43. In some examples, what was described above with respect to the first component 27a applies to the third component 27m as well. The third component 27m may be designed as described with respect to the first component 27a (in some examples, the first and third components 27a, 27m are designed identically, but in other examples, the first and third components 27a, 27m may also be designed differently). In some examples, the on-board network 21 may also include one or more additional areas (not shown in fig. 2) containing components of the means for mitigating and preventing software manipulation 25, which are designed as described above with respect to the first component 27a.
In some examples, the third component 27m of the plurality of components is designed to perform tasks for mitigating and preventing manipulation in each of the plurality of distributed components 27g-m of the third region 43, and is additionally designed to undertake further tasks of the apparatus 25 for mitigating and preventing software manipulation. This will be described in more detail below.
Additionally or alternatively, the means for mitigating and preventing software manipulation 25 may be designed such that only one of these distributed components 27a, d, m of the means for mitigating and preventing software manipulation 25 performs the task of mitigating and preventing software manipulation in each area 41, 42, 43. In other words, each region 41, 42, 43 is assigned to only one distributed component 27a, d, m. In some examples, the components 27a, d, m of the apparatus 25 for mitigating and preventing software manipulation may perform tasks for mitigating and preventing software manipulation in multiple areas. In other words, a plurality of areas are allocated to (only) one component 27a, d, m.
In the previous example, the respective components 27a, d, m of the means 25 for alleviating and preventing software manipulation are each arranged in the area 41, 42, 43 of the on-board network 21 in which they assume the role of the means 25 for alleviating and preventing software manipulation. As described above, this may in some cases reduce the load on the on-board network 21 (communication with remote components may be omitted, and/or only communication over shorter distances in the on-board network may be required). Additionally or alternatively, the response time of the means for alleviating and preventing software manipulation 25 may be reduced (because the components performing its tasks are arranged close to the components involved).
However, in other examples, the components of the means for alleviating and preventing software manipulation 25 may be arranged in a different area than the components for which they undertake the tasks for alleviating and preventing manipulation. This may be advantageous because a manipulation in a given area is then less likely to also affect the component of the means 25 for alleviating and preventing software manipulation that is responsible for that area.
In some examples, the means 25 for mitigating and preventing software manipulation is designed to be redundant. For example, one or more components of the apparatus for mitigating and preventing software manipulation may be present multiple times, such that if one of the multiply present components fails, another of them may take over. In some examples, the first component may also be designed to take over the tasks of the second component in case of failure of the second component. For example, in the example of FIG. 2, in addition to the first component 27a, another component (not shown in FIG. 2) may be designed to perform tasks for mitigating and preventing manipulation in each of the distributed components 27a-c. For example, if the first component 27a is not ready to operate, the other component may be activated. Additionally or alternatively, the second component 27d or the third component 27m may also be designed to perform tasks for mitigating and preventing manipulation in each of the distributed components 27a-c of the first area 41 (e.g., if the first component 27a fails).
The tasks of the means 25 for mitigating and preventing software manipulation include all tasks directly or indirectly related to mitigating and preventing software manipulation. These tasks include the measures themselves for mitigation or prevention, but also include preparatory measures (e.g., detecting manipulation or providing data required for the measures for mitigation or prevention).
In some examples, tasks for mitigating or preventing manipulation include: the likelihood of manipulation in the remote component is identified. The recognition of the possibility of manipulation can be carried out in a number of ways. In one example, the component may receive a signal from a remote component indicating a likelihood of manipulation. In other examples (or in addition), the identification of the likelihood of manipulation may include: the absence of an expected signal (e.g., a signal sent from a remote component to a component of the apparatus 25 for mitigating and preventing software manipulation) is detected, either periodically or upon the occurrence of a particular event. In still other examples, the likelihood of manipulation may be identified by observing and/or analyzing data traffic into on-board network 21 or in on-board network 21. Additionally or alternatively, the likelihood of manipulation may be identified by observing and/or analyzing the behavior of one or more components 27a-m of on-board network 21. For example, a feature of the manipulation (signature) may be identified.
In some examples, a separate detection of the possibility of manipulation may be performed before the means 25 for mitigating and preventing software manipulation identifies that possibility. In some examples, the detection may be performed locally by corresponding (manipulation) detection means of the respective components. The (manipulation) detection means of a component (e.g. a control device) may recognize the manipulation and generate a corresponding signal for the means 25 for mitigating software manipulation. The signal may then be processed as described above to identify the manipulation (and initiate mitigation if necessary). In other examples or in addition, the (manipulation) detection means of the central communication interface 27m of the vehicle 20 may (remotely) detect the manipulation of a component (e.g. a control device) and generate a signal for the means for mitigating software manipulation. In some examples, the means for mitigating software manipulation is further designed to detect manipulation of the software of a plurality of remote components of the on-board network. In other examples or in addition, the detection means of the remote system 30 (e.g. a backend) may (remotely) detect the manipulation of a component (e.g. a control device) and generate a signal for the means 25 for mitigating software manipulation. In this example, the signal may be received through an interface of the vehicle. The detection of the manipulation may be performed in any conceivable way. For example, one or more techniques for checking the authenticity and/or integrity of software may be used at start-up ("secure boot") and/or at run time ("run-time manipulation detection"), for example by using one or more digital signatures and/or checking methods for software integrity.
Additionally or alternatively, the tasks for mitigating or preventing manipulation may include providing software components (e.g., update information for software) for remote components in a corresponding area of the on-board network. For example, a software component may be provided for each of a plurality of components (e.g., control devices). The software components may correspond to particular versions of the software of the respective components (e.g., the last versions checked for authenticity and/or integrity). In some examples, the software components of the plurality of components may be included in a software package or software container (i.e., the software components are provided in a bundled manner). The software package or software container (typically of a very large size) is transferred to the vehicle 20 at a particular point in time. In the vehicle 20, the transferred software components may be used to update the software of the plurality of components. To this end, the software components obtained from the remote system 30 may undergo one or more preparation steps (e.g., unpacking, signature verification, etc.). The software components (e.g., in a software package or software container) may be received from the remote system 30 via the air interface 24 and/or via the wired interface 28.
The means 25 for alleviating and preventing software manipulation may comprise one or more permanent memories for providing the software components (i.e. memories whose information is stored in the vehicle permanently, for example longer than a day or longer than a week and/or during a stationary state of the vehicle). In some examples, the persistent memory may include flash memory. The persistent memory may be designed to store a software component for each of the plurality of components. For this purpose, the persistent memory may be designed to have a storage capacity of more than 256MB (preferably more than 5 GB).
In some examples, software components for all components covered by the means for mitigating and preventing software manipulation 25 may be provided at a single location in the on-board network. In other examples, software components for those components covered by the means for mitigating and preventing software manipulation 25 may be provided at multiple distributed locations (i.e., among multiple components). For example, software components for components of an area may be provided in corresponding components of the means for mitigating and preventing software manipulation 25 in the area. In other examples, one component of the means for mitigating and preventing software manipulation 25 may provide software components for all components covered by the means for mitigating and preventing software manipulation 25.
Additionally or alternatively, tasks for mitigating or preventing manipulation may include initiating and/or performing measures for mitigating manipulation and/or preventing repeated manipulation. This may include any measure suitable for the purpose.
In some examples, the measure may include at least partially disabling or blocking the component of the on-board network 21 to which the current manipulation relates. In some examples, only a portion of the component may be disabled or blocked (e.g., in the case of a more complex component having multiple sub-components). In other examples, the component may be completely disabled or blocked. In any event, disabling or blocking may cause the component to no longer perform its intended function and/or to no longer communicate in the on-board network.
Alternatively or additionally, the measure may include moving the functionality of the component involved in the current manipulation to another component.
Further alternatively or additionally, the measure may comprise changing the configuration of the component of the on-board network to which the current manipulation relates and/or of other components of the on-board network. For example, the first component may switch from a first configuration with an extended functional range to a second configuration with a limited functional range (e.g., the first component then communicates only to a limited extent with other components, or provides only basic functionality and no longer the extended functionality, or no longer provides safety-critical functionality but continues to provide non-safety-critical functionality).
Further alternatively or additionally, the measure may comprise changing the operating mode of the component of the on-board network to which the current manipulation relates and/or of other components of the on-board network. For example, the operating mode may change from a first operating mode in which the component performs more complex functions to a second operating mode in which the component performs less complex functions. For example, a component providing assistance or autonomous driving functionality may switch from a first operating mode providing more complex driving maneuvers (e.g., driving faster than a certain speed and/or at a particular distance and/or under particular environmental conditions) to a second operating mode providing less complex driving maneuvers.
Further alternatively or additionally, the measure may include sending a warning to one or more interfaces (e.g., a user interface of the vehicle) that a manipulation has been detected. For example, the passenger may be requested to take over the control functions of the vehicle at least partially.
Further alternatively or additionally, the action may include resetting software of the component of the on-board network involved and/or software of other components of the on-board network (e.g., resetting the software of the component to a last authenticated and/or complete state that corresponds to a version of the software used prior to detecting the manipulation). The software components for resetting may be stored in a memory of the means for mitigating manipulation. In other examples, the software for resetting may be obtained from the remote system 30 (e.g., via the air interface 24 of the vehicle).
Additionally or alternatively, the measure may include updating the software of the component of the on-board network involved in the current manipulation. Additionally or alternatively, the measure may include updating the software of other components of the on-board network (i.e., in addition to or instead of the first component). The other component may for example be a component (e.g. a communication interface of the vehicle or a central communication node) that establishes a communication path to the first component. Updating the software may include replacing the software used before the manipulation was detected with the latest version of the software. The software for updating may be provided in a central device for mitigating manipulation. In other examples, the software for updating may be obtained from the remote system 30 (e.g., via the air interface 24 of the vehicle).
The above measures may also be combined. For example, two or more of the measures described above may be performed in parallel or one after the other.
As described above, the means for mitigating and preventing software manipulation 25 may comprise a central component (or components) designed to orchestrate the operation of the other components of the means for mitigating and preventing software manipulation 25. For example, the central component may instruct and/or coordinate other components within the scope of a particular task (e.g., performing measures for mitigating manipulation and/or preventing repeated manipulation in which multiple other components of the apparatus 25 for mitigating and preventing software manipulation are involved).
Additionally or alternatively, the means for mitigating and preventing software manipulation 25 may comprise one or more components designed to send data required for operation to other components of the means for mitigating and preventing software manipulation 25. Additionally or alternatively, the means 25 for mitigating and preventing software manipulation may comprise a component (or components) designed to perform cross-regional tasks.
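As an added illustration (not code from the patent or from the applicant), the following Python model ties together the detection paragraphs above (identifying manipulation from a failed integrity check or a missing periodic signal), the reset measure (rolling a component back to the last authenticated software component held in persistent memory), and the redundancy example in which the second component takes over the first area if the first component fails. ECU names, the HMAC key and the software images are constructed for this example; a real system would use asymmetric signatures and a hardware trust anchor.

```python
"""Constructed model of the distributed means 25 for mitigating software manipulation."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed secret standing in for the trust anchor that authenticates software images.
TRUST_KEY = b"example-trust-anchor-key"


def sign(image: bytes) -> str:
    """Tag a software image; the tag is what 'last authenticated version' refers to."""
    return hmac.new(TRUST_KEY, image, hashlib.sha256).hexdigest()


@dataclass
class Ecu:
    """A distributed component (27b, 27e, ...) covered by the means 25."""
    name: str
    region: int
    image: bytes
    signature: str
    last_heartbeat: int = 0     # time of the last expected periodic signal
    disabled: bool = False

    def integrity_ok(self) -> bool:
        return hmac.compare_digest(sign(self.image), self.signature)


@dataclass
class MitigationComponent:
    """One component (27a, 27d, ...) of the means 25 responsible for one region."""
    name: str
    region: int
    active: bool = True
    # Persistent memory: ECU name -> last authenticated (image, signature).
    store: Dict[str, Tuple[bytes, str]] = field(default_factory=dict)
    log: List[Tuple[str, str, str]] = field(default_factory=list)

    def provision(self, ecu: Ecu) -> None:
        """Task 101: keep the last authenticated software component for a covered ECU."""
        if not ecu.integrity_ok():
            raise ValueError(f"refusing to store unauthenticated image for {ecu.name}")
        self.store[ecu.name] = (ecu.image, ecu.signature)

    def identify(self, ecu: Ecu, now: int, period: int) -> Optional[str]:
        """Task 103: integrity failure first, then absence of the expected periodic signal."""
        if not ecu.integrity_ok():
            return "integrity-failure"
        if now - ecu.last_heartbeat > 2 * period:
            return "missing-heartbeat"
        return None

    def mitigate(self, ecu: Ecu, reason: str) -> str:
        """Task 105: reset to the stored authenticated state if possible, else disable."""
        if reason == "integrity-failure" and ecu.name in self.store:
            ecu.image, ecu.signature = self.store[ecu.name]
            action = "reset-to-last-authenticated"
        else:
            ecu.disabled = True
            action = "disabled"
        self.log.append((ecu.name, reason, action))
        return action


class DistributedMeans:
    """The means 25: one responsible component per region plus optional backups."""

    def __init__(self, components, backups=None):
        self.by_region = {c.region: c for c in components}
        self.backups = backups or {}     # region -> component that takes over on failure

    def responsible(self, region: int) -> MitigationComponent:
        comp = self.by_region[region]
        if not comp.active and region in self.backups:
            return self.backups[region]
        return comp

    def run_cycle(self, ecus, now: int, period: int = 10):
        """Identify and mitigate for every covered ECU; returns ECU -> (component, reason, action)."""
        actions = {}
        for ecu in ecus:
            comp = self.responsible(ecu.region)
            reason = comp.identify(ecu, now, period)
            if reason:
                actions[ecu.name] = (comp.name, reason, comp.mitigate(ecu, reason))
        return actions


def demo():
    """Constructed scenario: a tampered image in region 41, a silent ECU in 42, then failover."""
    engine, cabin = b"engine-ctrl-v3", b"cabin-ctrl-v7"
    ecu_b = Ecu("27b", 41, engine, sign(engine), last_heartbeat=25)
    ecu_e = Ecu("27e", 42, cabin, sign(cabin), last_heartbeat=5)
    c27a, c27d = MitigationComponent("27a", 41), MitigationComponent("27d", 42)
    c27a.provision(ecu_b)
    c27d.provision(ecu_b)          # 27d also holds region-41 images as the redundant backup
    c27d.provision(ecu_e)
    means = DistributedMeans([c27a, c27d], backups={41: c27d})

    ecu_b.image = b"engine-ctrl-v3-MODIFIED"   # manipulation: signature no longer matches
    first = means.run_cycle([ecu_b, ecu_e], now=30)

    c27a.active = False                         # 27a fails; 27d takes over region 41
    ecu_b.image = b"engine-ctrl-v3-MODIFIED"
    ecu_b.last_heartbeat = 40
    second = means.run_cycle([ecu_b], now=45)
    return first, second, ecu_b.integrity_ok(), ecu_e.disabled


if __name__ == "__main__":
    print(demo())
```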
In the example of fig. 2, the third component 27m may be designed to orchestrate the operation of the first and second components 27a, d and/or to send data required for their operation to the first and second components 27a, d.
The central component (e.g., the third component in fig. 2) may additionally or alternatively be designed to act as a trust anchor for other components of the means for mitigating and preventing software manipulation (e.g., for the first and second components 27a, d).
In some examples, the means for mitigating and preventing software manipulation may also operate without a central component. In these examples, the means for mitigating and preventing software manipulation is made up of multiple parts, each of which by itself constitutes the means for mitigating and preventing software manipulation for a plurality of distributed components (as described above). In other words, each of these parts works independently (i.e., independent of the other parts). For example, each of the first and second components 27a, d described above may perform all of the tasks of the means for mitigating and preventing software manipulation with respect to the first or second region 41, 42 (without the other components of the means for mitigating and preventing software manipulation being involved). In this way, the means for alleviating and preventing software manipulation may in some cases also be protected from being shut down entirely by an attack on a central component.
In the preceding paragraphs, a distribution of the means for mitigating and preventing manipulation of software is shown in which the components of the means are arranged in the different regions of the on-board network whose components they cover. However, the components of the apparatus for alleviating and preventing software manipulation may also be distributed in another way.
In some examples, the first component 27a is designed to perform a first task for mitigating or preventing manipulation for the plurality of components 27a-c in the first region 41 and the plurality of components 27d-f in the second region 42, and the second component 27d is designed to perform a second task (different from the first task) for mitigating or preventing manipulation for the plurality of components 27a-c in the first region 41 and the plurality of components 27d-f in the second region 42. In other words, the first and second components 27a, d work together to mitigate or prevent manipulation. For example, the first component 27a may be designed to perform a first one of the above-described tasks, and the second component 27d may be designed to perform a second one of the above-described tasks. For example, the first component 27a may be designed to provide software components for all components 27a-m covered by the means 25 for mitigating and preventing software manipulation. Additionally or alternatively, the second component 27d may be designed to initiate and/or perform measures for alleviating manipulation or preventing repeated manipulation in all components 27a-m covered by the means 25 for alleviating and preventing software manipulation. Additionally or alternatively, the third component 27m may be designed to identify manipulation in all components 27a-m covered by the means 25 for mitigating and preventing software manipulation. In other examples, the tasks may be distributed over the first through third components in another manner, or over only the first and second components.
As mentioned above, the means 25 for mitigating and preventing manipulation may thus comprise a plurality of components distributed in the on-board network, which are designed to perform one or more specific tasks for mitigating and preventing manipulation (only) respectively for all covered components (but not for performing other tasks for mitigating and preventing manipulation). Thus, the distributed components together provide the functionality of the device for mitigating and preventing manipulation. In these examples, components may also be provided that orchestrate the operation of other components. In some examples, multiple components distributed in the on-board network may also be provided redundantly, each of which is designed to perform one or more specific tasks for alleviating and preventing manipulation of all components covered.
In the preceding paragraphs, the components of the apparatus for mitigating and preventing software manipulation are discussed several times. These components may be implemented in any suitable manner. In some examples, the components of the apparatus for mitigating and preventing software manipulation may be stand-alone devices (i.e., dedicated modules with their own hardware and software resources that are part of the on-board network and that may communicate with other components of the on-board network). In other examples, components of the apparatus for mitigating and preventing software manipulation may be integrated into another (already existing) component of the on-board network. In that case the components of the apparatus for alleviating and preventing software manipulation can be designed as software modules (which are inserted into the software of that component). In other cases, components of the apparatus for mitigating and preventing software manipulation may have at least some dedicated hardware, while also using other hardware of the component into which they are integrated. As already mentioned, the other component may be any component of the vehicle. Examples are a central communication interface of the on-board network (in particular a component in which the orchestrating component of the apparatus can be arranged), a central computer of the vehicle ("vehicle computer"), the head unit of the infotainment system, or a central component of an area of the on-board network. In some examples, the other component may be an embedded system in the on-board network.
In some examples, an existing component of the on-board network (e.g., a central communication interface of the vehicle or of an area of the vehicle, a central computer of the vehicle, or the head unit of the infotainment system) may be turned into a component of the apparatus for mitigating software manipulation by updating the software of that component of the on-board network.
The components of the apparatus for mitigating software manipulation or other components integrated with the apparatus may include at least a processor (possibly having multiple cores) and a memory including instructions that, when executed by the processor, perform the steps of the techniques of the present disclosure.
The present disclosure also relates to a vehicle comprising an on-board network according to the present disclosure.
In the preceding paragraphs, the techniques of the present disclosure are explained primarily in terms of the apparatus of fig. 2. The present disclosure also relates to a method for mitigating or preventing manipulation of software in an on-board network of a vehicle (see fig. 1). The on-board network includes a plurality of distributed components arranged in a plurality of regions. The method may include each of the steps described in this disclosure with respect to techniques for mitigating or preventing software manipulation in an on-board network.
The method of fig. 1 includes executing 111, in a first component of an apparatus for mitigating and preventing software manipulations, tasks for mitigating or preventing manipulations. The means for mitigating and preventing software manipulation is designed to mitigate and prevent manipulation in each of a plurality of components of the on-board network. The first component of the means for mitigating and preventing software manipulation is arranged in a first one of a plurality of areas of the on-board network. The second component of the means for mitigating and preventing software manipulation is arranged in a second one of the plurality of areas of the on-board network.
As shown in fig. 1, in some examples, a dedicated first component of the apparatus for mitigating and preventing software manipulation may perform 101, 103, 105 the tasks for mitigating or preventing manipulation in a first region, and a dedicated second component performs 101a, 103a, 105a the tasks for mitigating or preventing manipulation in a second region.
These tasks may include, for example: providing 101, 101a software components to a plurality of remote components in the respective area of the on-board network; identifying 103, 103a the possibility of manipulation in one of the plurality of remote components in the respective area of the on-board network; and initiating and/or performing 105, 105a measures for mitigating the manipulation and/or preventing repeated manipulation.
The present disclosure also relates to a computer program designed to perform the techniques of the present disclosure (which contains instructions which, when executed by a system, cause the system to perform the methods of the present disclosure).
The present disclosure also relates to a computer readable medium (e.g., DVD or solid state memory) containing the computer program of the present disclosure.
The present disclosure also relates to signals encoding the computer program of the present disclosure (e.g., electromagnetic signals according to a wireless or wired communication protocol).

Claims (13)

1. An on-board network (21) of a vehicle (20) having means (25) for mitigating and preventing software manipulation,
wherein the means (25) for mitigating and preventing software manipulation is designed to mitigate and prevent manipulation in each of a plurality of distributed components (27a-m) in a plurality of areas (41, 42, 43) of the on-board network,
wherein the means (25) for mitigating and preventing software manipulation are distributed over a plurality of components (27a, d, m) of the on-board network (21),
wherein a first component (27a) of the plurality of components (27a, d, m) is arranged in a first region (41) of the plurality of regions (41, 42, 43) of the on-board network (21), and
wherein a second component (27d) of the plurality of components (27a, d, m) is arranged in a second region (42) of the plurality of regions (41, 42, 43) of the on-board network (21).
2. The on-board network (21) according to claim 1,
wherein the first component (27a) is designed to perform tasks for alleviating and preventing manipulation in each of the distributed components (27a-c) of the first region (41), and
wherein the first component (27a) is not designed to perform tasks for alleviating and preventing manipulation in the plurality of distributed components (27d-f) of the second region (42).
3. An on-board network according to claim 1 or claim 2,
wherein the first component (27a) is designed to perform a first task for alleviating or preventing manipulation for a plurality of components (27a-c) in the first region (41) and a plurality of components (27d-f) in the second region (42), and
wherein the second component (27d) is designed to perform a second task for alleviating or preventing manipulation for the plurality of components (27a-c) in the first region (41) and the plurality of components (27d-f) in the second region (42).
4. An on-board network (21) according to any one of claims 1 to 3, wherein the first and second areas (41, 42) are different spatial and/or different functional areas in the on-board network (21).
5. An on-board network (21) according to any one of claims 1 to 3, wherein the tasks for mitigating or preventing manipulation comprise one or more of:
identifying (103; 103a) a possibility of manipulation in a remote component (27a-k);
providing (101; 101a) a software component for a remote component (27a-k);
initiating and/or performing (105; 105a) measures for alleviating the manipulation and/or preventing repeated manipulation.
6. The on-board network (21) according to any one of claims 1 to 5, wherein a third component (27m) of the plurality of components (27a, d, m) is designed to orchestrate the operation of the first component (27a) and the second component (27d) and/or to send data required for the operation of the first component and the second component to the first and second components (27a, d).
7. The on-board network (21) according to claim 6, wherein the third component (27m) is designed to act as a trust anchor for the first and second components (27a, d).
8. The on-board network (21) as claimed in claim 6 or claim 7, wherein the third component (27m) of the plurality of components (27a, d, m) is designed to perform tasks for mitigating and preventing manipulation in each of a plurality of distributed components (27g-m) of a third region (43) of the plurality of regions (41, 42, 43).
9. The on-board network (21) according to any one of claims 1 to 7, wherein the first component (27a) and the second component (27d) are designed to perform all tasks of the central device (25a) for alleviating and preventing software manipulation with respect to the components (27a-f) of the respective area (41; 42).
10. A vehicle (20) comprising an on-board network (21) according to any one of claims 1 to 9.
11. A method for mitigating or preventing software manipulation in an on-board network (21) of a vehicle (20),
wherein the on-board network (21) comprises a plurality of distributed components (27a-m) arranged in a plurality of areas (41, 42, 43), the method comprising:
performing (111), by a first component (27a) of the means (25) for alleviating and preventing software manipulation, a task for alleviating or preventing manipulation,
wherein the means (25) for mitigating and preventing software manipulation are designed for mitigating and preventing manipulation in each of a plurality of components (27a-m) of the on-board network (21),
wherein the first component (27a) is arranged in a first region (41) of the plurality of regions (41, 42, 43) of the on-board network (21), and
wherein a second component (27d) of the means (25) for mitigating and preventing software manipulation is arranged in a second one of the plurality of areas (41, 42, 43) of the on-board network (21).
12. A computer program comprising instructions which, when executed by a computer system, cause the computer system to perform the method of claim 11.
13. A computer readable medium or signal embodying the computer program of claim 12.
CN202311206175.3A 2022-09-16 2023-09-18 Technique for mitigating on-board network maneuvers Pending CN117728970A (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
DE102022209778.5 2022-09-16
DE102022209778.5A DE102022209778A1 (en) 2022-09-16 2022-09-16 TECHNIQUES FOR MITIGATION OF MANIPULATION OF AN ONBOARD NETWORK

Publications (1)

Publication Number Publication Date
CN117728970A true CN117728970A (en) 2024-03-19

Family

ID=90062291

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311206175.3A Pending CN117728970A (en) 2022-09-16 2023-09-18 Technique for mitigating on-board network maneuvers

Country Status (2)

Country Link
CN (1) CN117728970A (en)
DE (1) DE102022209778A1 (en)

Also Published As

Publication number Publication date
DE102022209778A1 (en) 2024-03-21

Legal Events

Date Code Title Description
PB01 Publication