JP2015112963A - On-vehicle network system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To improve security in an on-vehicle network system.SOLUTION: A first communication node includes: a control part that, in generating a frame to request for rewriting data of a second communication node, attaches an identification code of the first communication node, and authentication frame count information indicating the number of times of transmissions for a reception side to determine that the frame is a legitimate frame, and performs control for transmitting the same number of frames as the number of times of transmissions; and a transmission part for transmitting the frames. Further, the second communication node includes: a reception part for receiving a frame transmitted from the first communication node; and a control part that authenticates the identification code attached to the received frame, counts a frame of which data is same as data of a frame to which the same identification code is attached, and, in a case where the counted value is the same as that of the authentication frame count information, rewrites data of the second communication node in accordance with the data attached to the frame.

Description

  The present invention relates to an in-vehicle network system.

  An electronic control unit (ECU) is mounted on the vehicle, and each function of the vehicle is controlled by the electronic control unit. Each ECU is connected to each other via an in-vehicle network and operates in cooperation.

  Control of the vehicle is realized by operating the electronic control unit based on a frame that multiplex-transmits the in-vehicle network.

  An abnormal control frame is transmitted to the in-vehicle network at a predetermined cycle. By detecting the disturbance of the cycle of the abnormal control frame, it is possible to grasp that some frame has entered the in-vehicle network from the outside.

  When issuing a read request or a write request for data held by the in-vehicle control device, the communication device receives authentication permission from the authentication device in advance, thereby reducing the processing load on each in-vehicle control device and reducing the processing load on each in-vehicle control device. A technique for improving the security of the system is known (see, for example, Patent Document 1).

JP 2012-104049 A

  When frames are transmitted through the in-vehicle network according to the priority of data such as CAN (Controller Area Network) -ID, even if the frame enters the in-vehicle network from the outside, the disturbance of the cycle of the abnormal control frame may not be detected. is there. In this case, even if some frame enters from the outside, an abnormality due to the frame cannot be detected.

  On the other hand, in order to facilitate the repair of the vehicle, it is obliged by the standard of the fault diagnosis to install the diagnostic connector at a position that is easily accessible by the repair person. Access to the in-vehicle network is possible by transmitting a frame from this diagnostic connector.

  When access is performed from the diagnostic connector by an external connection tool that is not recognized by the vehicle manufacturer, the control information in the vehicle is rewritten and altered by the external connection tool, or the control information in the vehicle is May be obtained and analyzed.

  In addition, there is a concern that normal operation of the vehicle may be hindered by inputting a large number of frames attached with imitating data priority such as CAN-ID from an external connection tool.

  An object of the present invention is to improve security in an in-vehicle network.

A vehicle control device according to an embodiment of the disclosure is:
An in-vehicle network system having a first communication node and a second communication node,
The first communication node is
When creating a frame that requests rewriting of data stored in the second communication node, the identification code of the first communication node and the number of transmissions for the receiver to determine that the frame is genuine An authentication frame number information indicating, and a control unit that executes control to transmit the same number of frames as the number of transmissions;
A transmission unit that transmits the same number of frames as the number of transmissions according to control by the control unit,
The second communication node is
A receiving unit for receiving a frame transmitted from the first communication node;
The identification code attached to the frame received by the receiving unit is authenticated, the frames having the same data attached to the frame attached with the same identification code are counted, and the counted value is attached to the frame. A control unit that rewrites data stored in the second communication node according to data attached to the frame when the authentication frame number information is the same as the information.

  According to the disclosed embodiment, security in the in-vehicle network can be improved.

It is a figure which shows one Example of a communication system. It is a figure which shows one Example of the flame | frame transmitted / received between communication nodes. It is a figure which shows one Example of operation | movement of a communication system. It is a figure which shows an example of the flame | frame transmitted / received between communication nodes.

Next, the form for implementing this invention is demonstrated, referring drawings based on the following Examples. Examples described below are merely examples, and embodiments to which the present invention is applied are not limited to the following examples.
In all the drawings for explaining the embodiments, the same reference numerals are used for those having the same function, and repeated explanation is omitted.

<Example>
<Communication system>
FIG. 1 shows an embodiment of a communication system as an in-vehicle network system.

  The communication system includes a first communication node 100, a second communication node 200, a third communication node 300, a fourth communication node 400, and a fifth communication node 500.

  The first communication node 100 and the second communication node 200 are connected by wire through the first communication bus 10. The fourth communication node 400 to the fifth communication node 500 are connected by wire through the second communication bus 20. An example of the first communication bus 10 and the second communication bus 20 is a CAN bus, and a multiplex communication network is configured by connecting communication nodes in a vehicle. There may be a plurality of multiple communication networks in a vehicle. Data can be relayed between communication nodes via the CAN bus. The third communication node 300 is interposed between the first communication bus 10 and the second communication bus 20. The third communication node 300 functions as a gateway device that relays communication between the communication node connected to the first communication bus 10 and the communication node connected to the second communication bus 20.

  Further, a diagnostic connector 600 is connected to the first communication bus 10. A failure diagnosis of the first communication node 100 to the fifth communication node 500 can be performed by accessing the diagnosis connector 600 via the tool 30 and transmitting / receiving data. However, there is a possibility that the diag connector 600 may be accessed via an unauthorized tool to transmit / receive unauthorized data.

  Although FIG. 1 shows a case where a communication system is configured by five communication nodes, it may be configured by 2-4 communication nodes, or may be configured by six or more communication nodes. A communication node connected to the first communication bus 10, a communication node connected to the second communication bus 20, and communication interposed between the first communication bus 10 and the second communication bus 20. A communication system can be configured by nodes. In addition, a communication system may be configured by a plurality of communication nodes connected to the first communication bus 10.

  The first communication node 100 to the fifth communication node 500 are mounted on a moving body such as a vehicle, for example. One embodiment of a communication system as an in-vehicle network system is mounted on a vehicle. A LAN such as CAN or LIN (Local Interconnect Network) is applied to an embodiment of the communication system. An embodiment of the communication system may be applied to an information LAN, a powertrain LAN, a body LAN, and the like. An embodiment of the communication system may perform communication according to FlexRay (registered trademark).

  Each communication node is realized by an electronic control unit or the like. Moreover, a sensor, an actuator, etc. may be mounted in each communication node.

  An example of a communication node is various control computers, which receives a communication message from a failure diagnosis tool via an in-vehicle network such as a multiplex communication network, and uses data attached to the communication message as control data. Judge whether or not.

  As an example, a case where a frame is transmitted from the first communication node 100 will be described. An example of a frame transmitted from the first communication node 100 is accompanied by control data such as a rewrite request for rewriting data stored in another communication node. From the first communication node, a frame other than the frame attached with the rewrite request, for example, a frame attached with control data such as a read request may be transmitted. Not only the first communication node 100 but also the second communication node 200 to the fifth communication node 500 may transmit a frame attached with control data such as a rewrite request or a read request. When the first communication node 100 transmits a frame attached with a rewrite request, the first communication node 100 functions as a rewrite device.

  The frame transmitted from the first communication node 100 is received by the fourth communication node 400 via the third communication node 300.

<First communication node 100>
An embodiment of the first communication node 100 will be described. The first communication node 100 can also be applied to the second communication node 200 to the fifth communication node 500.

  The first communication node 100 includes a microcontroller (not shown) and a transceiver (not shown).

  The microcontroller includes hardware such as a CPU, ROM, and RAM.

  The CPU controls the first communication node 100. Specifically, the CPU executes control for creating and transmitting a frame destined for the fourth communication node 400 as a communication partner. As described above, an example of a frame is a frame attached with control data such as a rewrite request. In addition, when receiving a frame transmitted from another communication node, the CPU authenticates the frame and determines whether or not data attached to the frame is used as control data.

  The ROM is a memory for storing a program for the CPU to execute control of the first communication node 100.

  The RAM is a memory for temporarily storing data when the CPU executes control of the first communication node 100.

  The transceiver is connected to the microcontroller, the first communication bus 10. The transceiver transmits a frame from the CPU. The transceiver inputs a frame transmitted from another communication node to the microcontroller.

<Function of First Communication Node 100>
An example of the function of the first communication node 100 will be described. Here, the process of transmitting a frame to another communication node is mainly shown. Regarding the process of transmitting a frame to another communication node, the functions of the first communication node 100 can be applied to the functions of the second communication node 200 to the fifth communication node 500 as well.

  When the microcontroller controls other communication nodes, it creates a frame with accompanying control data. The microcontroller inputs the frame to the transceiver.

  One example of the frame format is the CAN frame format. The frame is attached with authentication frame number information representing the number of authentication frames as a reference for determining whether or not to use the data attached to the frame as control data on the receiving side.

  The CAN frame consists of a start of frame (SOF) bit, an ID, a remote transmission request (RTR) bit, a data length code (DLC), a data field, and a CRC. The slot includes an ACK (acknowledge) slot and an end of frame (EOF).

  The start of frame bit indicates the beginning of the message and is indicated by a dominant (logic 0) bit.

  The ID identifies the message and indicates the priority of the message. The ID may be represented by 11 bits (standard frame) or 29 bits (extended frame). The ID is also called a data ID.

  The remote transmission request bit is used to distinguish between a remote frame and a data frame. The dominant (logic 0) remote transmission request bit indicates a data frame. The recessive (logic 1) remote transmission request bit indicates a remote frame.

  The data length code indicates the number of bytes in the data field.

  Data of 0 to 8 bytes is attached to the Data field.

  CRC indicates a cyclic redundancy check. The CRC is accompanied by a 15-bit cyclic redundancy check code and a recessive delimiter bit. The CRC field is used for error detection.

  The ACK (acknowledge) slot is transmitted at the end of the message when the message is correctly received. The transmitting node preferably checks the presence or absence of an ACK bit on the communication bus, and if no ACK is detected, attempts to transmit again.

  The end of frame indicates the end position of the data frame or the remote frame. The end-of-frame is composed of 7 bits, and all bit levels are “recessive”.

  The microcontroller designates the destination communication node by the ID and designates the authentication frame number information by the data field. In addition, the microcontroller may specify the destination communication node and authentication frame number information by ID or by a data field.

  FIG. 2 shows an embodiment of a frame transmitted and received between communication nodes. FIG. 2 shows an example of the frame ID transmitted by the first communication node 100 and the Data field.

  The microcontroller of the first communication node 100 creates a frame with control data such as a rewrite request for requesting the fourth communication node 400 to rewrite data and authentication frame number information. The number of authentication frames is set to a random value, and authentication frame number information indicating a random value is attached to the frame.

  In the example shown in FIG. 2, “100” is attached as an ID, “3” is attached as authentication frame number information, and “1,2,3,4,5,6,7” as data. Is attached. The microcontroller creates the same number of frames as the number of authentication frames and inputs it to the transceiver. In the example shown in FIG. 2, the microcontroller creates three frames and inputs them to the transceiver.

  The transceiver transmits the frame from the microcontroller to the fourth communication node 400. In the example shown in FIG. 2, the transceiver transmits three frames to the fourth communication node 400. From the viewpoint of preventing transmission of frames with illegal data in the middle of transmission of three frames, the transceiver preferably transmits three frames in succession.

<Fourth communication node 400>
An embodiment of the fourth communication node 400 will be described.

  Similar to the first communication node 100, the fourth communication node 400 includes a microcontroller (not shown) and a transceiver (not shown).

  The microcontroller includes hardware such as a CPU, ROM, and RAM.

  The CPU controls the fourth communication node 400. Specifically, the CPU receives and authenticates the frame transmitted from the first communication node 100 as the communication partner. When the authentication of the frame is successful, the CPU executes control for determining whether to use the data attached to the frame as control data based on the authentication frame number information attached to the frame.

  In addition, the CPU executes control for creating and transmitting a frame destined for another communication node.

  The ROM is a memory for storing a program for the CPU to execute control of the fourth communication node 400.

  The RAM is a memory for temporarily storing data when the CPU executes control of the fourth communication node 400.

  The transceiver is connected to the microcontroller, the second communication bus 20. The transceiver transmits a frame from the microcontroller. The transceiver inputs a frame transmitted from another communication node to the microcontroller.

<Function of Fourth Communication Node 400>
An example of the function of the fourth communication node 400 will be described. Here, the process of receiving a frame transmitted from another communication node is mainly shown. For the process of receiving frames transmitted from other communication nodes, the functions of the first communication node 100 to the third communication node 300 and the fifth communication node 500 are also applied to the function of the fourth communication node 400. it can.

  The frame transmitted from the first communication node 100 is received by the transceiver and input to the microcontroller.

  The microcontroller includes a counter that counts (counts) the number of authentication frames. The microcontroller authenticates the frame from the transceiver. Specifically, the microcontroller determines whether or not the frame is an illegal frame by authenticating an ID attached to the frame. If the microcontroller determines that the frame is invalid, it does not use the data attached to the frame as control data. If the microcontroller determines that the frame is invalid, the microcontroller may discard the frame.

  When determining that the frame is not an illegal frame, the microcontroller holds the frame and acquires authentication frame number information attached to the frame. The microcontroller holds the frame attached with the same ID as the held frame among the frames input from the transceiver, and the data attached to the frame held by the data attached to the frame. It is determined whether or not they are the same.

  When the data attached to the frame attached with the same ID as the held frame is the same as the data attached to the held frame, the microcontroller counts up the counter. After counting up the counter, the microcontroller determines whether or not the value of the counter is the same as the number of authentication frames indicated by the authentication frame number information. If the microcontroller determines that the counter value is the same as the number of authentication frames indicated by the authentication frame number information, it determines that no abnormal data is recognized during the counting time interval. The microcontroller uses data attached to the frame received in the counting time interval as control data.

  The microcontroller resets the counter when the data attached to the frame attached with the same ID as the held frame is different from the data attached to the held frame. If the value of the counter does not satisfy the number of authentication frames indicated by the authentication frame number information even after a predetermined time has elapsed, the microcontroller determines that abnormal data has been received during the counting time interval. The microcontroller does not use the data attached to the frame received in the counting time interval as control data.

  Returning to FIG. 2, the description will be continued.

  The frame transmitted from the first communication node 100 is transmitted to the fourth communication node 400.

  The transceiver of the fourth communication node 400 receives the frame transmitted from the first communication node 100 and inputs it to the microcontroller. The microcontroller authenticates the ID (CAN-ID) attached to the frame from the transceiver. In the example shown in FIG. 2, “100” is added to the ID and authenticated as a normal frame. Further, the microcontroller obtains authentication frame number information attached to the frame. In the example illustrated in FIG. 3, the microcontroller acquires “3” as the authentication frame number information and counts up the counter to “1”.

  The microcontroller then holds the frame that is authenticated by attaching the same ID as the held frame among the frames that are input from the transceiver, and holds the data that is attached to the frame. It is determined whether the data is the same as the data attached to the frame.

  The microcontroller counts up the counter when the data attached to the frame authenticated by attaching the same ID as the holding frame is the same as the data attached to the holding frame. Then, it is determined whether or not the value of the counter is the same as the number of authentication frames indicated by the authentication frame number information.

  In the example shown in FIG. 2, a case where the microcontroller determines that the value of the counter is the same as the number of authentication frames indicated by the authentication frame number information is shown. in this case. The microcontroller uses data attached to the frame received in the counting time interval as control data.

<Operation of communication system>
FIG. 3 shows an embodiment of the operation of the communication system. FIG. 3 mainly shows the operation of the receiving communication node that receives a frame transmitted from the transmitting communication node. The communication node on the transmission side transmits a frame with authentication frame number information.

  Also, FIG. 3 mainly shows the operation after authentication of an ID attached to a frame as a result of authentication of a regular frame.

  In step S302, the communication node on the receiving side holds the authenticated frame transmitted from the communication node on the transmitting side, and sets authentication frame number information attached to the frame. After setting the authentication frame number information, the communication node on the receiving side counts up the count number of the counter. In the example shown in FIG. 3, “3” is set as the authentication frame number information, and “1” is set by counting up the count number of the counter.

  In step S304, when the receiving communication node holds the frame transmitted from the transmitting communication node and the received frame has the same ID and data attached to the held frame, the counter Count up the count. In other words, the communication node on the receiving side has the same data attached to the authenticated frame as the data attached to the held frame because it is the same as the ID attached to the held frame. If so, the counter counts up.

  In step S306, the reception side communication node counts up the count number of the counter when the ID and data attached to the held frame are the same, and the count value is indicated by the authentication frame number information. It is determined whether the number of authentication frames has been reached.

  In step S308, when it is determined that the count value has reached the number of authentication frames indicated by the authentication frame number information, the receiving communication node uses data attached to the held frame as control data. On the other hand, when it is determined that the count value does not reach the number of authentication frames represented in the authentication frame number information, data attached to the held frame is not used as control data. When data attached to the held frame is not used as control data, the control data used for the previous control may be used.

  According to one embodiment of the communication system, the communication node on the transmission side uses the authentication frame representing the number of authentication frames as a reference for determining whether or not the data attached to the frame is used as control data on the reception side. A frame with number information is transmitted a number of times represented by the number of authentication frames. The receiving communication node authenticates based on the ID attached to the frame transmitted from the transmitting communication node, and is represented by the number of authentication frames from the transmitting communication node based on the authentication frame number information. Count frames that are sent a number of times. The receiving communication node determines whether or not the frame from the transmitting communication node is a regular frame based on the ID and the authentication frame number information, whereby security in the in-vehicle network can be improved.

  FIG. 4 shows an example in which an illegal frame with the same ID as that of a regular frame and the data falsified is transmitted from the outside at the same timing as the regular frame is transmitted. In FIG. 4, the data attached to the regular frame is “1,2,3,4,5,6,7”, and the data attached to the illegal frame is “9,9,9,9,9, 9,9,9,9 ".

  In the method of determining whether or not the frame is a legitimate frame by authenticating the ID attached to the frame, when such an illegal frame is transmitted from the outside, the receiving communication node can detect the illegal frame. In some cases, an illegal frame is processed as a regular frame. This is because in the CAN protocol, the communication node on the receiving side cannot determine whether or not a frame has been received illegally, and the determination of the communication node on the transmitting side is performed based on the ID. Further, this is because whether or not the data has been falsified is determined by whether or not the cycle of the abnormal control frame is disturbed. When an illegal frame is processed as a regular frame, if there is no fail-safe mechanism, abnormal control may be performed.

  In one embodiment of the communication system, based on the authentication frame number information in addition to the ID attached to the frame, it is determined whether or not the data attached to the frame is regular data. Since it uses as control data when it determines, the security in a vehicle-mounted network can be improved.

  In addition, by detecting that an external tool user attempts to exploit data illegally, it is possible to limit the data being transmitted and to warn unauthorized users, thereby improving security. be able to.

  Moreover, since it can detect that the user of an external tool transmits data illegally, a fail-safe measure for operating safely can be taken, which can contribute to ensuring the safety of the vehicle.

  Although the present invention has been described with reference to specific embodiments, the embodiments are merely illustrative, and those skilled in the art will appreciate various variations, modifications, alternatives, substitutions, and the like. Let's go. For convenience of explanation, an apparatus according to an embodiment of the present invention has been described using a functional block diagram, but such an apparatus may be implemented in hardware, software, or a combination thereof. The present invention is not limited to the above-described embodiments, and various variations, modifications, alternatives, substitutions, and the like are included without departing from the spirit of the present invention.

DESCRIPTION OF SYMBOLS 10 1st communication bus 20 2nd communication bus 30 Tool 40 Data access 100 1st communication node 200 2nd communication node 300 3rd communication node 400 4th communication node 500 5th communication node 600 Diag connector

Claims (1)

An in-vehicle network system having a first communication node and a second communication node,
The first communication node is
When creating a frame that requests rewriting of data stored in the second communication node, the identification code of the first communication node and the number of transmissions for the receiver to determine that the frame is genuine An authentication frame number information indicating, and a control unit that executes control to transmit the same number of frames as the number of transmissions;
A transmission unit that transmits the same number of frames as the number of transmissions according to control by the control unit,
The second communication node is
A receiving unit for receiving a frame transmitted from the first communication node;
The identification code attached to the frame received by the receiving unit is authenticated, the frames having the same data attached to the frame attached with the same identification code are counted, and the counted value is attached to the frame. And a controller that rewrites data stored in the second communication node according to data attached to the frame when the authentication frame number information is the same.

Images