DE102022209778A1 - TECHNIQUES FOR MITIGATION OF MANIPULATION OF AN ONBOARD NETWORK - Google Patents

Abstract

One aspect of the present disclosure relates to an on-board network of a vehicle with a device for mitigating and preventing manipulation of software. The software mitigation and manipulation prevention device is designed to mitigate and prevent manipulation in each of a plurality of distributed components in a plurality of zones of the on-board network. The device for mitigating and preventing software manipulation is distributed across several components of the on-board network. A first component of the plurality of components is arranged in a first zone of the plurality of zones of the on-board network. A second component of the plurality of components is arranged in a second zone of the plurality of zones of the on-board network.

Description

State of the art

Vehicles are increasingly being integrated into open contexts (e.g. vehicles communicate with other vehicles, infrastructure components or a backend). At the same time, the vehicle software is becoming increasingly more complex and should also be updated in the field (e.g. through over-the-air updates). These developments make vehicles more vulnerable to attacks that manipulate the vehicle's software. These attacks can limit the functionality of the vehicles and in some cases even endanger operational safety. It is therefore desirable to protect vehicles against manipulation of their software.

Disclosure of the invention

A first general aspect of the present disclosure relates to an on-board network of a vehicle with a device for mitigating and preventing manipulation of software. The software mitigation and manipulation prevention device is designed to mitigate and prevent manipulation in each of a plurality of distributed components in a plurality of zones of the on-board network. The device for mitigating and preventing manipulation of software is distributed across several components of the on-board network. A first component of the plurality of components is arranged in a first zone of the plurality of zones of the on-board network. A second component of the plurality of components is arranged in a second zone of the plurality of zones of the on-board network.

A second general aspect of the present disclosure relates to a method for mitigating or preventing manipulation of software in an onboard network of a vehicle. The onboard network includes a plurality of distributed components arranged in a plurality of zones. The method includes executing tasks for mitigating or preventing manipulation by a first component of the plurality of components of a device for mitigating and preventing manipulation of software. The device for mitigating and preventing manipulation of software is designed for mitigating and preventing manipulation in each of the plurality of components of the on-board network. A first component of the plurality of components is arranged in a first zone of a plurality of zones of the on-board network. A second component of the device for mitigating and preventing manipulation of software is arranged in a second zone of the plurality of zones of the on-board network.

The techniques of the first and second general aspects may, in some examples, have one or more of the following advantages.

First, in the techniques of the present disclosure, various distributed components of an onboard network are covered by a software mitigation and tampering prevention device (eg, the components of the onboard network in a zone each covered by a component of the software mitigation and tampering prevention device). This means that one or more of the following advantages can be realized for each of these components. In some cases, compared to prior art techniques, a time to mitigation of a manipulation can be reduced (in some situations, drastically reduced). The (central) device for mitigation and prevention of manipulation, as part of the on-board network, can initiate the mitigation procedures immediately (e.g. within five minutes or within one minute) (e.g. essentially without the aid of systems outside the vehicle). In some examples, the device for mitigating and preventing manipulation can not only initiate a measure, but also carry it out. In other examples, other components of the on-board network can (also) be involved in carrying out the measure. As a result, the mitigation procedures can also be carried out immediately (e.g. within five minutes or within one minute) and the vehicle can be brought into a defined state (e.g. into a safe state according to a predetermined safety criterion). Additionally, the techniques of the present disclosure may be more resource efficient than other approaches. A device for mitigating and preventing manipulation can therefore replace several devices, each of which only covers a part of the components or even just a single component. Additionally, in some cases, existing components may be reused for the techniques of the present disclosure. For example, a persistent memory that is (also) used to update the software (e.g. to store a large update package) of the majority of components of the vehicle can be “reused” to reset the software of a component and to allow manipulation with it remedy. In some cases, no new memory needs to be provided for this purpose. Providing the software for resetting in each of the majority of components significantly increased the design effort of these components (e.g. control units). The techniques can also The present disclosure can be more easily scaled and/or used in older vehicles (not designed to the latest standard) compared to some prior art techniques. For example, the mitigation and tampering prevention device can be relatively easily modified to “maintain” additional components. In some cases, the “supported” components require little or no modification, which makes their use in older vehicles easier. In some cases, the central device for mitigating manipulation itself can also be retrofitted with a software update. For example, an existing component of a vehicle (e.g. a central communication interface of the vehicle or a central computer of the vehicle) can be provided with the (additional) function of a device for mitigation and prevention of manipulation by means of a software update.

Second, the software mitigation and tamper prevention device may centralize the mitigation and tamper prevention tasks to a certain extent (e.g. compared to a software mitigation and tamper prevention device in each component of an on-board network). Nevertheless, the components of the device for mitigating and preventing manipulation of the present disclosure are distributed in the on-board network. This distribution can take place from different points of view and therefore have different advantages. In some cases, the software mitigation and tamper prevention device may be arranged so that the mitigation and tamper prevention tasks are performed in different zones by different components. The components can be arranged in a respective zone that they cover. In this way, the on-board network can be relieved in some cases because a locally located component takes over the tasks of mitigation and prevention of manipulation (compared to a case where only a centrally located component is provided). In this case, communication volume between remote components can be reduced. Additionally or alternatively, a load on communication paths of the on-board network can be reduced, since messages from the device for mitigation and prevention of manipulation are processed at an earlier point in time and are not first transmitted over long distances of the on-board network (e.g. along a CAN or Ethernet bus). must become. Further additionally or alternatively, a local component may reduce a response time of the software mitigation and prevention device (e.g., compared to a central software mitigation and prevention device, which may be located relatively far away from some zones of the vehicle ). Further additionally or alternatively, in some cases the distributed components may provide greater security against attacks on the device itself to mitigate and prevent manipulation of software. Even if one of the components in a particular zone is affected, the other distributed components of the device can remain operational to mitigate and prevent software manipulation. Additionally or alternatively, each of the components in the individual zones can be tailored to the needs of the respective zone. This can increase the performance of the device for mitigating and preventing software manipulation without at the same time unduly increasing the complexity of the individual components. In other cases, the device for mitigating and preventing software manipulation can be distributed across various components that are remote from one another (e.g. in different zones of the vehicle), each of which performs different tasks for mitigating and preventing software manipulation. For example, a first component can be designed to detect the possibility of manipulation in remote components in several zones of the on-board network. A second component (remote from the first) can be designed to provide software components for remote components in several zones of the on-board network. A third component (remote from the first and second) may be designed to initiate measures to mitigate the manipulation and/or prevent a repetition of the manipulation. By distributing the software mitigation and tampering prevention device by task, in some cases the software mitigation and tampering prevention device can be integrated into existing on-board networks without the need to overload and therefore (excessively) increase the existing resources. For example, the computing operations that occur when operating the device for mitigating and preventing manipulation of software can be carried out by several different components of the on-board network. This can prevent a single component of the on-board network from being heavily loaded, so that, for example, considerably more powerful hardware must be provided in order to process the tasks of the device for mitigating and preventing manipulation of software. For example, maintaining a software container for the entire vehicle or large parts of the vehicle can impose significant storage space requirements that are only implemented in certain components of the vehicle. In these particular ones Components may not have enough computing capacity to carry out other tasks of the device to mitigate and prevent manipulation of software. Additionally or alternatively, distributing the device for mitigating and preventing software manipulation according to tasks across different distributed components can also increase security against attacks, since after a successful attack on one component of the device for mitigating and preventing manipulation of software, the others are removed Components can remain operational.

• Eine „Zone“ eines Bordnetzwerks kann jeder Teil des Bordnetzwerks sein, der nach funktionalen, örtlichen oder anderen Kriterien durch eine Gruppe von Komponenten des Bordnetzwerks gebildet ist. Die Zonen des Bordnetzwerks sind in der Hardware und/oder der Software des Bordnetzwerkes abgebildet (d.h. die Komponenten einer Zone sind aufgrund ihrer Ausgestaltung als dieser Zone zugehörig erkennbar). Zum Beispiel kann eine Zone einen oder mehrere Zonen-Koordinator-Komponenten umfassen, die Abläufe innerhalb der Zone koordinieren oder steuern. In manchen Beispielen kann das Fahrzeug in verschiedene räumliche Zonen aufgeteilt sein. Eine räumliche Zone kann verschiedene Komponenten eines Fahrzeugs umfassen, die physikalisch in einem bestimmten Bereich des Fahrzeugs angeordnet sind (z.B. „hinten rechts“, „vorne links“, „Innenraum vorne“ usw.). Zusätzlich oder alternativ kann das Fahrzeug in verschiedene funktionale Zonen aufgeteilt sein. Eine funktionale Zone kann verschiedene Komponenten eines Fahrzeugs umfassen, die an der Bereitstellung einer bestimmten Funktion des Fahrzeugs teilhaben (z.B. Motorsteuerung, Steuerung des Antriebsstranges, Infotainment, Klimatisierung, Kommunikation usw.). Zusätzlich oder alternativ kann das Fahrzeug in Zonen mit verschiedenen Absicherungsmaßnahmen eingeteilt sein (z.B. eine Firewall oder der Einsatz bestimmter Verschlüsselungstechniken). In diesem Fall kann eine erste Zone Komponenten umfassen, die weniger stark gegen Eingriffe abgesichert sind als die Komponenten einer zweiten Zone (gemäß einer vorbestimmten Metrik).
• Eine „Komponente“ (eines Bordnetzwerks) in der vorliegenden Offenbarung verfügt über eigene Hardwareressourcen, die zumindest einen Prozessor zum Ausführen von Befehlen und Speicher zum Ablegen zumindest einer Software-Komponente umfassen. Der Begriff „Prozessor“ umfasst auch Mehr-Kern-Prozessoren oder mehrere separate Bauteile, die die Aufgaben einer zentralen Verarbeitungseinheit eines elektronischen Geräts übernehmen (und sich diese ggf. teilen). Eine Komponente kann eigenständig Aufgaben ausführen (z.B. Messaufgaben, Überwachungsaufgaben, Steueraufgaben, Kommunikationsaufgaben und/oder andere Arbeitsaufgaben). Eine Komponente kann aber in manchen Beispielen auch von einer anderen Komponente gesteuert werden. Eine Komponente kann physisch abgegrenzt sein (z.B. mit einem eigenen Gehäuse) oder aber in ein übergeordnetes System integriert sein. Eine Komponente kann ein Steuergerät oder ein Kommunikationsgerät des Fahrzeugs sein. Eine Komponente kann ein eingebettetes System sein.
• Ein „eingebettetes System“ ist eine Komponente, die in einen technischen Kontext eingebunden (eingebettet) ist. Dabei übernimmt die Komponente Überwachungs-, Steuerungs- oder Regelfunktionen und/oder ist für eine Form der Daten- bzw. Signalverarbeitung zuständig.
• Ein „(dediziertes) Steuergerät“ ist eine Komponente, das (ausschließlich) eine Funktion eines Fahrzeugs steuert. Ein Steuergerät kann zum Beispiel eine Motorsteuerung, einer Steuerung eines Bremssystems oder eine Steuerung eines Assistenzsystems übernehmen. Eine „Funktion“ kann dabei auf verschiedenen Ebenen des Fahrzeugs definiert sein (z.B. kann für eine Funktion einen einzelnen Sensor oder Aktor, aber auch eine Vielzahl von Baugruppen, die zu einer größeren funktionalen Einheit zusammengefasst sind, eingesetzt werden).
• Der Begriff „Software“ oder „Software-Komponente“ kann grundsätzlich jeder Teil einer Software einer Komponente (z.B. eines Steuergeräts) der vorliegenden Offenbarung sein. Insbesondere kann eine Software-Komponente eine Firmware-Komponente einer Komponente der vorliegenden Offenbarung sein. „Firmware“ ist eine Software, die die in (elektronischen) Komponenten eingebettet ist und dort grundlegende Funktionen leistet. Firmware ist funktional fest mit der jeweiligen Hardware der Komponente verbunden (so dass das eine nicht ohne das andere nutzbar ist). Sie kann in einem nicht-flüchtigen Speicher wie einem Flash-Speicher oder einem EEPROM gespeichert sein.
• Der Begriff „Update-Information“ oder „Software-Update-Information“ umfasst jedwede Daten, die direkt oder nach entsprechenden Verarbeitungsschritten eine Software-Komponente einer Komponente gemäß der vorliegenden Offenbarung bilden. Die Update-Information kann lauffähigen Code enthalten oder noch zu kompilierenden Code. Zusätzlich oder alternativ kann die Update-Information Konfigurationsparameter für eine Komponente enthalten.
• Der Begriff „Manipulation“ umfasst in der vorliegenden Offenbarung jede Veränderung einer Software einer Komponente eines Fahrzeugs. Die Veränderung kann die Folge eines Angriffs sein (d.h. der bewussten Einflussnahme eines Dritten), aber auch Folge einer zufälligen oder unbeabsichtigten Einwirkung.
• Der Begriff „Mitigation“ umfasst alle Maßnahmen, die eine eingetretene oder potentielle Auswirkung einer Manipulation zumindest abmildert. Eine Mitigation kann eine Behebung der Manipulation (d.h. einer Ursache der Auswirkungen der Manipulation) umfassen. Zum Beispiel kann eine vermutlich manipulierte Software-Komponente ersetzt werden. Zusätzlich oder alternative kann eine Mitigation aber auch eine Auswirkung einer Mitigation (sei sie nun bereits eingetreten oder nur zu befürchten) abmildern. Das kann zum Beispiel ein Abschneiden einer betroffenen Komponente von der Bereitstellung bestimmter Funktionen und/oder der Kommunikation umfassen.
• Der Begriff „Fahrzeug“ umfasst jegliche Vorrichtungen, die Passagiere und/oder Fracht transportieren. Ein Fahrzeug kann ein Kraftfahrzeug (zum Beispiel ein PKW oder ein LKW) sein, aber auch ein Schienenfahrzeug. Allerdings können auch schwimmende und fliegende Vorrichtungen Fahrzeuge sein. Fahrzeuge können zumindest teilautonom operierend oder assistiert sein.
• Ein „Bordnetzwerk“ kann jedes interne Netzwerk eines Fahrzeugs sein, über das Komponenten des Fahrzeugs kommunizieren. Das Bordnetzwerk umfasst die Komponenten, die in ihm vernetzt sind (z.B. Steuergeräte und andere Komponenten). In manchen Beispielen ist ein Bordnetzwerk ein Nahbereichsnetzwerk. Ein Bordnetzwerk kann ein oder mehrere Nahbereichs-Kommunikationsprotokolle einsetzen (z.B. zwei oder mehr Nahbereichs-Kommunikationsprotokolle). Die Nahbereichs-Kommunikationsprotokolle können drahtlose oder drahtgebundene Kommunikationsprotokolle sein. Die Nahbereichs-Kommunikationsprotokolle können ein Bus-Protokoll umfassen (bspw. CAN, LIN, MOST, FlexRay oder Ethernet). Die Nahbereichs-Kommunikationsprotokolle können ein Bluetooth-Protokoll (z.B. Bluetooth 5 oder später) oder ein WLAN-Protokoll (z.B. ein Protokoll der IEEE-802.11-Familie, z.B. 802.11h oder ein späteres Protokoll) umfassen. Ein Bordnetzwerk kann Schnittstellen zur Kommunikation mit Systemen außerhalb des Fahrzeugs enthalten und somit auch in andere Netzwerke eingebunden sein. Die Systeme außerhalb des Fahrzeugs und die anderen Netzwerke sind jedoch nicht Teil des Bordnetzwerks.
• Der Ausdruck „Erkennen einer Möglichkeit...“ besagt, dass bestimmte Begebenheiten (z.B. Signale oder deren Ausbeleiben) nach vorbestimmten Regeln interpretiert werden, um einen Zustand zu erkennen, in dem eine Manipulation der Software vorliegen kann.

Some terms are used in the present disclosure in the following ways:

• A “zone” of an on-board network can be any part of the on-board network that is formed by a group of components of the on-board network according to functional, local or other criteria. The zones of the on-board network are mapped in the hardware and/or software of the on-board network (ie the components of a zone can be recognized as belonging to this zone due to their design). For example, a zone may include one or more zone coordinator components that coordinate or control operations within the zone. In some examples, the vehicle may be divided into different spatial zones. A spatial zone may include various components of a vehicle that are physically located in a specific area of the vehicle (e.g., “rear right,” “front left,” “front interior,” etc.). Additionally or alternatively, the vehicle can be divided into different functional zones. A functional zone may include various components of a vehicle that participate in providing a specific function of the vehicle (e.g. engine control, powertrain control, infotainment, climate control, communication, etc.). Additionally or alternatively, the vehicle can be divided into zones with various security measures (e.g. a firewall or the use of certain encryption techniques). In this case, a first zone may include components that are less secure against tampering than the components of a second zone (according to a predetermined metric).
• A “component” (of an on-board network) in the present disclosure has its own hardware resources that include at least a processor for executing instructions and memory for storing at least one software component. The term “processor” also includes multi-core processors or several separate components that perform (and possibly share) the tasks of a central processing unit of an electronic device. A component can independently perform tasks (e.g. measurement tasks, monitoring tasks, control tasks, communication tasks and/or other work tasks). However, in some examples, a component can also be controlled by another component. A component can be physically separated (e.g. with its own housing) or integrated into a higher-level system. A component can be a control unit or a communication device in the vehicle. A component can be an embedded system.
• An “embedded system” is a component that is integrated (embedded) in a technical context. The component takes on monitoring, control or regulation functions and/or is responsible for some form of data or signal processing.
• A “(dedicated) control unit” is a component that (exclusively) controls one function of a vehicle. A control device can, for example, control an engine, control a braking system or control an assistance system. A “function” can be defined at different levels of the vehicle (e.g. a single sensor or actuator, but also a large number of assemblies that are combined to form a larger functional unit, can be used for a function).
• The term “software” or “software component” can in principle be any part of the software of a component (e.g. a control device) of the present disclosure. In particular, a software component may be a firmware component of a component of the present disclosure. “Firmware” is software that is embedded in (electronic) components and provides basic functions there. Firmware is functionally firmly linked to the respective hardware of the component (so that one cannot be used without the other). It may be stored in non-volatile memory such as flash memory or EEPROM.
• The term “update information” or “software update information” includes any data that forms a software component of a component according to the present disclosure, directly or after appropriate processing steps. The update information can contain executable code or Code still to be compiled. Additionally or alternatively, the update information may contain configuration parameters for a component.
• The term “manipulation” in the present disclosure includes any change to software of a component of a vehicle. The change can be the result of an attack (ie the deliberate influence of a third party), but also the result of accidental or unintentional influence.
• The term “mitigation” includes all measures that at least mitigate the actual or potential impact of manipulation. Mitigation may include eliminating the manipulation (i.e., a cause of the manipulation's effects). For example, a suspected manipulated software component can be replaced. Additionally or alternatively, mitigation can also mitigate the effects of mitigation (whether it has already occurred or is only to be feared). This may include, for example, stopping an affected component from providing certain functions and/or communication.
• The term “vehicle” includes any device that transports passengers and/or cargo. A vehicle can be a motor vehicle (for example a car or a truck), but also a rail vehicle. However, floating and flying devices can also be vehicles. Vehicles can operate at least partially autonomously or be assisted.
• An “onboard network” can be any internal network of a vehicle through which components of the vehicle communicate. The on-board network includes the components that are networked within it (e.g. control units and other components). In some examples, an onboard network is a short-range network. An on-board network may employ one or more short-range communication protocols (eg, two or more short-range communication protocols). The short-range communication protocols can be wireless or wired communication protocols. The short-range communication protocols can include a bus protocol (e.g. CAN, LIN, MOST, FlexRay or Ethernet). The short-range communication protocols may include a Bluetooth protocol (e.g., Bluetooth 5 or later) or a WLAN protocol (e.g., a protocol of the IEEE 802.11 family, e.g., 802.11h or a later protocol). An on-board network can contain interfaces for communication with systems outside the vehicle and can therefore also be integrated into other networks. However, the systems outside the vehicle and the other networks are not part of the onboard network.
• The expression "recognizing a possibility..." means that certain events (e.g. signals or their absence) are interpreted according to predetermined rules in order to recognize a condition in which manipulation of the software may occur.

Short description of the characters

• 1 is a flowchart illustrating the techniques of the present disclosure.
• 2 shows components of an onboard network of a vehicle in which the techniques of the present disclosure can be used.

Detailed description

1 is a flowchart illustrating the techniques of the present disclosure. 2 shows components of an on-board network 21 of a vehicle 20 in which the techniques of the present disclosure can be used.

The onboard network 21 of the vehicle 20 includes a software mitigation and tamper prevention device 25. The software mitigation and tamper prevention device 25 is for mitigation and tamper prevention in each of a plurality of distributed components 27a-m in a plurality of zones 41, 42, 43 of the on-board network 21. The device for mitigating and preventing manipulation of software 25 is distributed over several components 27a, d, m of the on-board network 21. A first component 27a of the plurality of components 27a, d, m is arranged in a first zone 41 of the plurality of zones 41, 42, 43 of the on-board network 21. A second component 27d of the plurality of components 27a, d, m is arranged in a second zone 42 of the plurality of zones 41, 42, 43 of the on-board network 21. In other words, the tasks of the device for mitigating and preventing manipulation of software 25 are carried out by components 27a, d, m distributed over several zones 41, 42, 43 of the on-board network 21. The scope of the tasks and the manner in which they are distributed among the various components 27a, d, m in the various zones 41, 42, 43 may be different in different examples. Some exemplary distributions are discussed in more detail below.

In the example of 2 three different zones 41, 42, 43 are shown. The on-board network 21 can be divided into any number of zones (e.g. two or more zones, five or more zones or ten or more zones). The components 27a-m in the different zones 41, 42, 43 are communicatively connected in the on-board network 21.

As described above, the zones can be formed in various ways.

In some examples, the onboard network 21 may be divided into different spatial zones 41, 42, 43. A spatial zone 41, 42, 43 may include various components 27a-m of a vehicle that are physically located in a specific area of the vehicle. For example, the interior of a vehicle can be divided into one or more zones. One or more additional zones may be located outside of the interior (e.g. one or more zones at the front of the vehicle, one or more zones at the rear of the vehicle, or multiple zones at the sides of the vehicle and/or one or more zones at the underside of the vehicle). In other examples, a division into spatial zones can also be carried out without taking into account a division into interior and exterior space according to the location in the respective component.

In other examples, the on-board network 21 can be divided into different functional zones 41, 42, 43. A functional zone 41, 42, 43 may include various components 27a-m of a vehicle 20 that participate in providing a specific function of the vehicle. The function can be any function of the vehicle 20. Example functions are an engine function (e.g. engine control and/or monitoring), a drive train function (i.e. control and/or monitoring of the drive train), a transmission function (i.e. transmission control and/or monitoring), a brake function (i.e. brake control and/or - monitoring), a battery function (e.g. operating a battery management system), an interface function (e.g. operating a human-machine interface), a steering function, a door control function, a telematics function, a driving function (e.g. operating assistance systems or systems for autonomous driving), a climate control function, an entertainment function, a seat control function or a door control function. Two or more of the functions described above can also be accommodated in a functional zone. Additionally or alternatively, one of the functions described above can also be distributed across multiple zones (e.g. a separate zone for controlling each front seat).

In some examples, the majority of zones 41-43 include both functional and spatial zones (or additional types of zones). Alternatively or additionally, the on-board network 21 can be divided into zones 41, 42, 43 according to several criteria.

A zone can be separated from the other zones on the hardware and/or software side (e.g. the components of one zone are physically separated from the components of another zone). Additionally or alternatively, a zone can communicate with the other zones through its own gateway (i.e. a communication interface) (e.g. communication into or out of the zone is handled via the gateway). Additionally or alternatively, the components of a zone can have common security measures (e.g. a firewall that monitors communication into the zone). In some examples, the components of a zone may have dedicated resources that only the components of the zone can access (e.g. computing units, storage or sub-networks of the on-board network 21).

A zone 41, 42, 43 can contain a component 27a, 27d, which functions as a central communication node for the respective zone 41, 42, 43 and/or takes over control functions for the respective zone 41, 42, 43. In the example of 2 the component 27a is a central communication node of the first zone 41. The component 27d is a central communication node of the second zone 42. The component 27m is a central communication node of the third zone 43.

In some examples, the first component 27a may be configured to perform mitigation and tamper prevention tasks in each of distributed components 27a-c of the first zone 41 (e.g., in all components of the first zone 41 or only a portion of the components of the first zone 41). In addition, the first component 27a is not designed to perform mitigation and tamper prevention tasks in the multiple distributed components of the second zone 42 (and optionally the third zone). In some examples, the first component 27a is not involved in tasks for mitigating and preventing manipulation in any other zone 42, 43 (eg the second zone 42 or the third zone 43) of the on-board network 21. In some examples, the first component 27a is designed only for mitigation and tamper prevention tasks in the first zone 41. However, this does not necessarily mean that all components 27a, d, m of the device for mitigating and preventing manipulation of software 25 can only act on a single zone (this one However, in some examples the first component 27a is designed to carry out all actions of the central device for mitigating and preventing manipulation of software that affect the components 27a-c of the first zone 41). In some examples, there may be one or more components involved in performing mitigation and tamper prevention tasks in multiple zones. Additionally or alternatively, for certain tasks (e.g. mitigation of manipulations with a certain pattern), the first component 27a can be designed to carry out tasks for mitigating and preventing manipulations in distributed components 27d-m of a zone other than the first zone 41.

In other words, in some examples, the first component 27a may be a (central) software mitigation and tampering prevention device 25 of the first zone 41 (while the other zones also have zonal software mitigation and tampering prevention devices). In this case, the distributed device for mitigating and preventing manipulation of software 25 consists of several sub-devices that work at least partially independently.

In some examples, a first component 27a (which performs the tasks of the device for mitigating and preventing software tampering in the first zone 41) may be part of a component 27a that functions as a central communication node for the first zone 41 and/or control functions for the first zone 41 takes over. Alternatively or additionally, the first component 27a can be a separate component (e.g. with its own hardware resources). Further additionally or alternatively, the first component 27a can be distributed over various sub-components in the first zone 41.

The second component 27d of the plurality of components may be configured to perform mitigation and tamper prevention tasks in each of a plurality of distributed components 27d-f of the second zone 42. Additionally, the second component 27d may not be configured to perform mitigation and tamper prevention tasks in the multiple distributed components of the first zone 41 (and the third zone 43). In some examples, the second component 27d is not involved in mitigation and tamper prevention tasks in another zone 41, 43 (e.g. the first zone 41 or the third zone 43). In some examples, the second component 27d is designed only for mitigation and tamper prevention tasks in the second zone 42. What was said above with regard to the first component 27a applies equally to the second component 27d. The second component 27d can be designed as described in relation to the first component 27a (in some examples the first component 27a and the second component 27d are designed the same, but in other examples the first component 27a and the second component 27d can also be designed differently be).

In a specific example, the first zone 41 may include a motor control. The second zone 42 may include control of interior functions.

The third component 27m of the plurality of components may be configured to perform mitigation and tamper prevention tasks in each of a plurality of distributed components 27g-m of the third zone 43. In some examples, what was said above with regard to the first component 27a applies equally to the third component 27m. The third component 27m can be designed as described in relation to the first component 27a (in some examples the first component 27a and the second component 27m are designed the same, but in other examples the first component 27a and the second component 27m can also be designed differently be). In some examples, the on-board network 21 can also have one or more additional zones (not in 2 shown) which include components of the software mitigation and prevention device 25 which are designed as those described above with respect to the first component 27a.

In some examples, the third component 27m of the plurality of components is configured to perform mitigation and tamper prevention tasks in each of a plurality of distributed components 27g-m of the third zone 43, in addition to additional tasks of the device to mitigate and prevent tampering from Software 25. This is described in more detail below.

Additionally or alternatively, the device for mitigating and preventing manipulation of software 25 can be designed so that only one of the distributed components 27a, d, m of the device for mitigating and preventing manipulation of software 25 performs tasks for mitigating and preventing manipulation of software each zone 41, 42, 43. In other words, each zone 41, 42, 43 is assigned to only one distributed component 27a, d, m. In some examples, a component 27a,d,m of the software mitigation and prevention device 25 may perform mitigation and prevention tasks carry out manipulation of software in several zones. In other words, several zones are assigned to (only) one component 27a, d, m.

In the preceding examples, the respective component 27a, d, m of the device for mitigating and preventing manipulation of software 25 is in the zone 41, 42, 43 of the on-board network 21, in the components 27a-k of which the respective component 27a, d, m Tasks of the device for mitigation and prevention of manipulation of software 25 takes over, arranged. This can - as described above - in some cases reduce the load on the on-board network 21 (since communication to remote components is no longer necessary and/or only communication over shorter distances in the on-board network may be necessary). Additionally or alternatively, a response time of the software mitigation and tamper prevention device 25 may be reduced (since the component that performs tasks of the software mitigation and tamper prevention device 25 is located close to the affected components).

In other examples, however, a component of the device for mitigating and preventing manipulation of software 25 can be arranged in a different zone than the components for which this component performs tasks for mitigating and preventing manipulation. This can be advantageous because, in some cases, manipulation in the corresponding zone is less likely to also affect the component of the device for mitigating and preventing manipulation of software 25 in the corresponding zone.

In some examples, the device for mitigating and preventing manipulation of software 25 is designed to be redundant. For example, one or more components of the device for mitigating and preventing software manipulation can be multiple in nature, so that if one of the multiple components fails, another of the multiple components can take over. In some examples, a first component can also be designed to take over the tasks of the first component in the event of a failure of a second component. In the example of 2 For example, in addition to the first component 27a, another component (not in 2 shown) may be designed to perform mitigation and tamper prevention tasks in each of the distributed components 27a-c of the first zone 41. This further component can be activated, for example, if the first component 27a is not ready for operation. Additionally or alternatively, the second component 27d or the third component 27m may also be designed to perform mitigation and tamper prevention tasks in each of the distributed components 27a-c of the first zone 41 (eg if the first component 27a fails).

The tasks of the device for mitigating and preventing manipulation of software 25 include all tasks that are directly or indirectly related to mitigating and preventing manipulation of software. The tasks include the mitigation or prevention measures themselves, but also preparatory measures (such as recording the manipulations or providing the data required for the mitigation or prevention measures).

In some examples, the tasks of mitigating or preventing tampering include detecting the possibility of tampering in a remote component. Recognizing the possibility of manipulation can take place in various ways. In one example, the component may receive a signal from a remote component indicating the possibility of tampering. In other examples (or in addition), detecting the possibility of tampering may include detecting the absence of an expected signal (e.g., a signal that periodically or upon the occurrence of certain events from the remote component to the component of the device for mitigating and preventing tampering of software 25 is sent). In yet other examples, the possibility of manipulation can be detected by observing and/or analyzing data traffic in the on-board network 21 or in the on-board network 21. Additionally or alternatively, the possibility of manipulation can be recognized by observing and/or analyzing the behavior of one or more components 27a-m of the on-board network 21. For example, a signature of a manipulation can be recognized.

In some examples, a separate detection of the possibility of tampering may precede detection of the possibility of tampering by the software tampering and prevention device 25. In some examples, the detection can take place locally using corresponding (manipulation) detection devices of the corresponding component. A (manipulation) detection device of a component (eg a control device) can detect manipulation and generate a corresponding signal for the device for mitigating manipulation of software 25. This signal can then be processed as discussed above to detect tampering (and to initiate mitigation if necessary). In other examples or in addition, a (tampering) detection device of a central communication interface 27m of the vehicle 20 can detect the manipulation of the component (e.g. a control device) (from a distance) and generate the signal for the device to mitigate software manipulation. In some examples, the device for mitigating software manipulation is also designed to detect manipulation of the software of a plurality of remote components of the on-board network. In other examples or in addition, a detection device of a remote system 30 (e.g., a backend) may detect the tampering of the component (e.g., a controller) (remotely) and generate the signal for the device to mitigate software tampering 25. In this example, the signal can be received via an interface on the vehicle. Manipulation can be detected in any conceivable way. For example, software can be checked when starting (“secure boot”) and/or during operation (“run-time manipulation detection”) using one or more methods for checking the authenticity and/or authenticity of the software (e.g. using one or multiple digital signatures and/or verification methods for the integrity of the software).

Additionally or alternatively, the tasks for mitigating or preventing manipulation can include maintaining software components for a remote component in the respective zone of the on-board network (e.g. update information for the software). For example, software components can be kept for a number of components (e.g. control units). The software components can correspond to a specific version of the software of the respective component (e.g. a last version checked for authenticity and/or integrity). In some examples, the software components for multiple components may be included in a software bundle or software container (i.e., the software components are provided in a bundled manner). The software bundle or software container (often of significant size) is delivered to the vehicle 20 at a specific time. In the vehicle 20, the transmitted software components can be used to update the software of a plurality of components. For this purpose, the software components received from the remote system 30 can go through one or more preparation steps (e.g., unpacking, verification of a signature, etc.). The software components (e.g. in a software bundle or software container) can be received by the remote system 30 via an air interface 24 and/or via a wired interface 28.

The device for mitigating and preventing manipulation of software 25 can include one or more persistent memories for storing the software components (i.e. a memory that stores its information in the vehicle permanently - e.g. longer than a day or longer than a week and / or during when the vehicle is in idle state). In some examples, persistent memory may include flash memory. A persistent memory may be configured to store software components for each of a plurality of components. For this purpose, the persistent memory can be designed with a storage capacity of more than 256MB (preferably more than 5GB).

In some examples, the software components for all components covered by the software mitigation and tamper prevention device 25 may be maintained at a single location in the on-board network. In other examples, the software components for the components covered by the software mitigation and tamper prevention device 25 may be maintained in multiple distributed locations (i.e., in components). For example, software components for the components of a zone can be kept in the respective component of the device for mitigating and preventing manipulation of software 25 in this zone. In other examples, a component of the software mitigation and tamper prevention device 25 may maintain the software components for all components covered by the respective component of the software mitigation and tamper prevention device 25.

Additionally or alternatively, the tasks for mitigating or preventing manipulation may include initiating and/or carrying out a measure for mitigating the manipulation and/or preventing a repetition of the manipulation. This may include any measure suitable for this purpose.

In some examples, the measure may include at least partially deactivating or blocking a component of the on-board network 21 that is affected by the current manipulation. In some examples, only part of the component can be disabled or blocked (e.g. in the case of a more complex component with multiple sub-components). In other examples, the component may be disabled or blocked entirely. In any case, this can be disabled or blocked ckations cause the component to no longer perform its intended function and/or no longer communicate in the on-board network.

Alternatively or additionally, the measure may include moving a function of the component that is affected by the current manipulation to another component.

Further alternatively or additionally, the measure can include changing a configuration of the component of the on-board network that is affected by the current manipulation and/or other components of the on-board network. For example, the first component can be switched from a first configuration with an extended range of functions to a second configuration with a limited range of functions (e.g. by the first component only communicating with other components to a limited extent, or by the first component only providing a basic function and no longer provides extended functions, or by the first component no longer providing a safety-critical function but continuing to provide a non-safety-critical function).

Further alternatively or additionally, the measure can include changing an operating mode of the component of the on-board network that is affected by the current manipulation and/or other components of the on-board network. For example, an operating mode may be changed from a first operating mode in which the component performs more complex functions to a second operating mode in which the component performs less complex functions. For example, a component that provides an assisted or autonomous function can switch from a first operating mode with the provision of more complex driving maneuvers (e.g. driving faster than a certain speed and/or at a certain distance and/or under certain environmental conditions) to a second operating mode to provide less complex driving maneuvers.

Further alternatively or additionally, the measure may include sending a warning that a manipulation has been detected to one or more interfaces (e.g. a user interface of the vehicle). For example, a passenger can be asked to at least partially take over a control function of the vehicle.

Further alternatively or additionally, the measure can include resetting a software of the component of the on-board network that is affected by the current manipulation and/or other components of the on-board network (e.g., the software of the components is reset to a last authenticated and/or integrity status , which corresponds to a version of the software used before the manipulation was detected). The software component for resetting can be stored in a memory of the device to mitigate manipulation. In other examples, the reset software may be obtained from a remote system 30 (e.g., via a vehicle air interface 24).

Additionally or alternatively, the measure may include updating software of the component of the on-board network that is affected by the current manipulation. Additionally or alternatively, the measure may include updating the software of further components of the on-board network (i.e. in addition to or instead of the first component). The further components can, for example, be components that establish a communication path to the first component (e.g. a communication interface or a central communication node of the vehicle). Updating the software may include replacing software used before the tampering was detected with a more current version of the software. The software for updating can be kept in the central device for mitigating manipulation. In other examples, the reset software may be obtained from a remote system 30 (e.g., via a vehicle air interface 24).

The measures described above can also be combined. For example, two of the first measures described can be carried out in parallel or one after the other.

As discussed above, the software mitigation and prevention device 25 may include a central component (or multiple components) designed to orchestrate the operation of other components of the software mitigation and prevention device 25 . For example, the central component can instruct and/or coordinate the other components within the scope of a specific task (e.g. for carrying out a measure to mitigate the manipulation and/or prevent a repetition of the manipulation, in which several other components of the device for mitigation and prevention a manipulation of software 25).

Additionally or alternatively, the device for mitigating and preventing manipulation of software 25 may include one or more components designed for to send data required for operation to the other components of the device to mitigate and prevent manipulation of software 25. Additionally or alternatively, the software mitigation and tampering prevention device 25 may include a component (or multiple components) designed to perform cross-zone tasks.

In the example of 2 The third component 27m can be designed to orchestrate operations of the first component and the second component 27a, d and / or to send data required for their operation to the first and second components 27a, d.

The central component (e.g. the third component in 2 ) can additionally or alternatively be designed to act as a trust anchor for other components of the device for mitigating and preventing manipulation of software (eg for the first and second components 27a, d).

In some examples, the device for mitigating and preventing software manipulation can also work without a central component. In these examples, the software mitigation and tampering prevention device consists of multiple parts, each of which constitutes a software mitigation and tampering prevention device in multiple distributed components (as described above). In other words, each of the parts works independently (i.e. without relying on the other parts). For example, each of the first and second components 27a, d described above can perform all tasks of the software mitigation and prevention device for the first and second zones 41, 42, respectively (without affecting other components of the software mitigation and prevention device manipulation of software). In this way, it can also be prevented in some cases that the device for mitigating and preventing manipulation of software is switched off altogether by a central attack.

In the previous sections, in some examples, a distribution of the device for mitigating and preventing software manipulation was shown, in which components of the device for mitigating and preventing software manipulation are arranged in different zones of the on-board network, which cover the components of the respective zone . However, the components of the device for mitigating and preventing manipulation of software can also be distributed differently.

In some examples, the first component 27a is configured to perform a first task of mitigating or preventing tampering for the plurality of components 27a-c in the first zone 41 and the plurality of components 27d-f in the second zone 42 and the second component 27d designed to perform a second task (different from the first task) to mitigate or prevent tampering for the plurality of components 27a-c in the first zone 41 and the plurality of components 27d-f in the second zone 42. In other words, the first ones operate and second components 27a, d to mitigate or prevent manipulation. For example, the first component 27a may be configured to perform a first of the tasks described above and the second component 27d may be configured to perform a second of the tasks described above. For example, the first component 27a can be designed to hold the software components for all components 27a-m covered by the device for mitigating and preventing manipulation of software 25. Additionally or alternatively, the second component 27d can be designed to initiate and/or carry out measures to mitigate or prevent the repetition of manipulations in all components 27a-m covered by the device for mitigating and preventing manipulation of software 25. Additionally or alternatively, the third component 27m can be designed to detect manipulation in all components 27a-m covered by the device for mitigating and preventing manipulation of software 25. In other examples, the tasks may be distributed in a different way across the first to third components or even across the first and second components.

As described above, the device for mitigation and prevention of manipulation 25 can therefore comprise several components distributed in the on-board network, each of which is designed (only) to carry out one or more specific tasks for mitigation and prevention of manipulation for all covered components (but not for performing other tasks to mitigate and prevent manipulation). The distributed components together thus provide the function of the device for mitigation and prevention of manipulation. In these examples too, a component can be provided that orchestrates the operation of the other components. In some examples, the multiple components distributed in the on-board network, each of which is (only) designed to carry out one or more specific tasks for mitigation and prevention of manipulation All covered components are designed to be redundant.

In the previous sections, components of the device for mitigating and preventing manipulation of software were discussed many times. These components can be implemented in any suitable manner. In some examples, a component of the software mitigation and tampering prevention device may be a stand-alone device (i.e., a dedicated module with its own hardware and software resources that is part of the on-board network and can communicate with the other components of the on-board network). . In other examples, a component of the device for mitigating and preventing manipulation of software can be integrated into another (already existing) component of the on-board network. The component of the device for mitigating and preventing manipulation of software can be designed as a software module (which is inserted into the software of the component). In other cases, the component of the software mitigation and tampering prevention device may have at least some dedicated hardware components (while sharing other hardware components of the component with which it is integrated). As already mentioned, the other component can be any component of the vehicle. Examples are a central communication interface of the on-board network (in which, for example, a component can be arranged that orchestrates the operation of other components of the device), a central computer ("vehicle computer") of the vehicle, a head unit of an infotainment system or central components in zones of the on-board network. In some examples, the other component may be an embedded system in the onboard network.

In some examples, an existing component of the on-board network (e.g. a central communication interface of the vehicle or a zone of the vehicle, or a central computer of the vehicle, or a head unit of an infotainment system) can be activated by updating the software of the component of the on-board network as Component of the device can be set up to mitigate manipulation of software.

The components of the software tampering mitigation device or the other component in which it is integrated may include at least a processor (possibly with multiple cores) and memory that includes instructions that, when executed by the processor, perform the steps of the techniques of the present disclosure.

The present disclosure also relates to a vehicle that includes an on-board network according to one of the present disclosure.

In the preceding sections, the techniques of the present disclosure have been largely based on the device of 2 explained. The present disclosure also relates to methods for mitigating or preventing manipulation of software in an on-board network of a vehicle (see. 1 ). The onboard network includes a plurality of distributed components arranged in a plurality of zones. The method may include any of the steps described in the present disclosure regarding techniques for mitigating or preventing tampering with software in an on-board network.

The procedure of 1 includes executing 111 tasks for mitigating or preventing manipulation in a first component of a device for mitigating and preventing manipulation of software. The device for mitigating and preventing software manipulation is designed for mitigating and preventing manipulation in each of the plurality of components of the on-board network. The first component of the device for mitigating and preventing manipulation of software is arranged in a first zone of a plurality of zones of the on-board network. A second component of the device for mitigating and preventing manipulation of software is arranged in a second zone of a plurality of zones of the on-board network.

As in 1 shown, in some examples, a dedicated first component of the software mitigation and tamper prevention device may perform mitigation or tamper prevention tasks in a first zone 101, 103, 105 and a dedicated second component may perform mitigation or tamper prevention tasks in a second zone Prevent manipulation 101a, 103a, 105a.

The tasks can include, for example: providing 101, 101a of software components for several remote components in the respective zone of the on-board network. Detecting 103, 103a the possibility of manipulation in one of the several remote components in the respective zone of the on-board network, and initiating and/or implementing 105, 105a a measure to mitigate the manipulation and/or prevent a repetition of the manipulation.

The present disclosure further relates to a computer program designed to carry out the techniques of the present disclosure (containing instructions that, when executed by a system, cause the system to carry out the methods of the present disclosure.

The present disclosure further relates to a computer-readable medium (e.g., a DVD or solid state memory) that contains a computer program of the present disclosure.

The present disclosure further relates to a signal (e.g., an electromagnetic signal according to a wireless or wired communication protocol) that a computer program of the present disclosure encodes.

Claims (13)

On-board network (21) of a vehicle (20) with a device for mitigating and preventing manipulation of software (25), wherein the device for mitigating and preventing manipulation of software (25) is designed for mitigating and preventing manipulation in each of a plurality of distributed components (27a-m) in a plurality of zones (41, 42, 43) of the on-board network, wherein the device for mitigating and preventing manipulation of software (25) is distributed over several components (27a, d, m) of the on-board network (21), wherein a first component (27a) of the plurality of components (27a, d, m) is arranged in a first zone (41) of the plurality of zones (41, 42, 43) of the on-board network (21), and wherein a second component (27d) of the plurality of components (27a, d, m) is arranged in a second zone (42) of the plurality of zones (41, 42, 43) of the on-board network (21). On-board network (21) according to Claim 1 , wherein the first component (27a) is designed to perform mitigation and tamper prevention tasks in each of distributed components (27a-c) of the first zone (41), and wherein the first component (27a) is not designed to To carry out tasks to mitigate and prevent manipulation in the multiple distributed components (27d-f) of the second zone (42). On-board network according to Claim 1 or Claim 2 , wherein the first component (27a) is designed to carry out a first task for mitigating or preventing manipulation for several components (27a-c) in the first zone (41) and several components (27d-f) in the second zone (42 ), and wherein the second component (27d) is designed to perform a second task of mitigating or preventing manipulation for the plurality of components (27a-c) in the first zone (41) and the plurality of components (27d-f) in the second zone (42). On-board network (21) according to one of the Claims 1 until 3 , wherein the first and second zones (41, 42) are different spatial and / or different functional zones in the on-board network (21). On-board network (21) according to one of the Claims 1 until 3 , wherein tasks for mitigating or preventing tampering include one or more of: detecting (103; 103a) the possibility of tampering in a remote component (27a-k); Providing (101; 101a) software components for a remote component (27a-k); Initiating and/or carrying out (105; 105a) a measure to mitigate the manipulation and/or prevent a repetition of the manipulation. On-board network (21) according to one of Claims 1 until 5 , wherein a third component (27m) of the plurality of components (27a, d, m) is designed to orchestrate operations of the first component (27a) and the second component (27d) and / or to send data required for their operation to the first and to send the second component (27a, d). On-board network (21) according to Claim 6 , where the third component (27m) is designed to act as a trust anchor for the first and second components (27a, d). On-board network (21) according to Claim 6 or Claim 7 , wherein the third component (27m) of the plurality of components (27a, d, m) is designed to perform mitigation and prevention of manipulation tasks in each of several distributed components (27g-m) of a third zone (43) of the plurality of zones (41, 42, 43). On-board network (21) according to one of the Claims 1 until 7 , wherein the first component (27a) and the second components (27d) are designed to monitor all actions of the central device for mitigating and preventing manipulation of software (25a) that controls the components (27a-f) of the respective zone (41; 42) concern to carry out. Vehicle (20) that has an on-board network (21) according to one of Claims 1 until 9 includes. Method for mitigating or preventing manipulation of software in an on-board network (21) of a vehicle (20), the on-board network (21) comprising a plurality of distributed components (27a-m) which are in a plurality of zones (41, 42, 43) are arranged, the method comprising: executing (111) tasks for mitigating or preventing manipulation by a first component (27a) of a device for mitigating and preventing manipulation of software (25), wherein the device for mitigating and preventing a Manipulation of software (25) is designed to mitigate and prevent manipulation in each of the plurality of components (27a-m) of the on-board network (21), the first component (27a) being in a first zone (41) of a plurality of zones ( 41, 42, 43) of the on-board network (21) is arranged, and wherein a second component (27d) of the device for mitigating and preventing manipulation of software (25) is located in a second zone of a plurality of zones (41, 42, 43) of the on-board network (21) is arranged. Computer program that contains instructions that, when executed by a computer system, cause the computer system to carry out the procedure according to Claim 11 to carry out. Computer-readable medium or signal that corresponds to the computer program Claim 12 contains.

Images