JP2018023023A - Vehicle control system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To secure the safety of a vehicle even if a message exchanged between on-vehicle control devices via a bus communication path is altered.SOLUTION: In a vehicle control system according to the present invention, at least one on-vehicle control device of on-vehicle control devices includes: a transmission unit for transmitting a message including a transmission object value to a bus communication path; a holding unit for holding the transmission object value; an alteration determination unit for obtaining the message transmitted to the bus communication path, and determining whether the transmission object value transmitted to the bus communication path is altered or not on the basis of comparison of the transmission object value included in the obtained message with the transmission object value held by the holding unit; and a first notification unit for transmitting a first notification message to the bus communication path in response to a determination indicating alteration by the alteration determination unit.SELECTED DRAWING: Figure 4

Description

  The present invention relates to a vehicle control system in which a plurality of vehicle-mounted control devices are communicably connected via a bus communication path, and in particular, deals with falsification of a transmission target value transmitted via a bus communication path. For control technology.

  In general, a vehicle control system in which a plurality of control units (in-vehicle control devices) that perform various types of control related to the vehicle are communicably connected via a bus communication path is constructed in a vehicle such as an automobile. As a communication method between the control units, for example, a CAN (Controller Area Network) communication method is adopted.

  For example, in a vehicle control system employing a CAN communication system, a checksum is included in a message (frame) exchanged via a bus communication path, and the control unit that has received the message uses the checksum to It is possible to confirm correctness.

  In addition, regarding the related prior art, the following patent documents 1 and 2 can be mentioned, for example.

JP 2004-350137 A JP 2007-38904 A

Here, the checksum is suitable for detecting the presence / absence of a change between transmitted and received data due to communication failure due to noise or the like, but the message on the bus communication path is falsified (spoofed) by so-called hacking action. If the message is rewritten with the checksum, the correctness of the received message may not be confirmed.
In the vehicle control system, vehicle information such as the accelerator opening and the engine speed is exchanged between the control units by the above message. However, if the tampering is performed to rewrite the checksum as described above, the receiving unit Control based on incorrect vehicle information is performed on the side, and there is a possibility that sufficient safety of the vehicle cannot be secured.

  Therefore, an object of the present invention is to ensure vehicle safety even when a message exchanged between in-vehicle control devices via a bus communication path is falsified.

  The vehicle control system according to the present invention is a vehicle control system in which a plurality of vehicle-mounted control devices are communicably connected via a bus communication path, and at least one of the vehicle-mounted control devices transmits A sending unit that sends a message including a target value to the bus communication path, a holding unit that holds the transmission target value, and the message sent to the bus communication path are acquired, and the message included in the acquired message Based on the result of comparing the transmission target value with the transmission target value held by the holding unit, the falsification determination unit that determines whether or not the transmission target value sent to the bus communication path is falsified, and the falsification determination unit And a first notification unit that sends a first notification message to the bus communication path when it is determined that there is falsification.

  The falsification determining unit can appropriately determine whether or not the message to be rewritten with the checksum is falsified. Then, the first notification unit described above can notify the other vehicle-mounted control device connected to the bus communication path that the message has been tampered with. It is possible to take measures not to perform vehicle control using the falsified value, such as shifting to.

In the vehicle control system according to the present invention described above, the in-vehicle control device including the sending unit, the holding unit, the falsification determining unit, and the first notification unit has the transmission target value of a specific type. A first target value determination unit that determines whether or not, and a control unit that executes the determination by the falsification determination unit only on the transmission target value determined as the specific type of value by the first target value determination unit Can be provided.
This eliminates the need to hold the transmission target value or perform falsification determination for all transmission target values.

In the vehicle control system according to the present invention described above, the first notification unit sends a message including identification information of the transmission target value determined to be falsified by the falsification determination unit as the first notification message. The at least one in-vehicle control device among the in-vehicle control devices is identified based on the receiving unit that receives the first notification message sent to the bus communication path and the first notification message received by the receiving unit. And a second target value determination unit that determines whether or not the transmission target value is a specific type of value.
This eliminates the need for the vehicle-mounted control device that is the transmission source of the transmission target value to determine whether the value is a specific type.

In the vehicle control system according to the present invention described above, the first notification unit sends a message including identification information of the transmission target value determined to be falsified by the falsification determination unit as the first notification message. And at least one of the in-vehicle control devices, wherein the in-vehicle control device receives the first notification message sent to the bus communication path, and the first of the transmission target values different depending on the receiving unit. Target combination determination for determining whether or not the combination of the transmission target values determined to be falsified identified based on each received first notification message is a specific combination when a notification message is received And a second notification different from the first notification message in response to the determination that the specific combination is determined by the target combination determination unit A second notifying unit for sending a message to the bus communication line, it is possible to provide a.
As a result, it is possible to secure safety against various alterations other than the alteration of the transmission target value, which is predicted to be difficult to ensure the safety by a single alteration.

In the vehicle control system according to the present invention described above, the first notification unit may send the first notification message including the true value of the transmission target value determined to be falsified to the bus communication path. Is possible.
As a result, when ensuring the safety of the vehicle against tampering, it is possible to continue the appropriate vehicle control based on the true value without interrupting the vehicle control.

  According to the present invention, it is possible to ensure the safety of a vehicle even when a message exchanged between in-vehicle control devices via a bus communication path is falsified.

It is the block diagram which showed the structure of the vehicle control system as embodiment which concerns on this invention. It is the figure which showed the data structure example of the message exchanged via the bus communication path in embodiment. It is a functional block diagram showing the functional structure of the vehicle-mounted control apparatus in the 1st example of embodiment. It is the flowchart which showed the procedure of the process which should be performed in order to implement | achieve each function as a 1st example of embodiment. It is a functional block diagram showing the functional structure of the vehicle-mounted control apparatus in the 2nd example of embodiment. It is the flowchart which showed the procedure of the process which should be performed in order to implement | achieve each function as a 2nd example of embodiment. It is a functional block diagram showing the functional structure of the vehicle-mounted control apparatus in the 3rd example of embodiment. It is a functional block diagram showing the function structure of the vehicle-mounted control apparatus (transmission source value transmission source) in the 4th example of embodiment. It is a functional block diagram showing the functional structure of the vehicle-mounted control apparatus (transmission source of a 2nd notification message) in the 4th example of embodiment. It is the flowchart which showed the procedure of the process which should be performed in order to implement | achieve the function of the vehicle-mounted control apparatus (transmission source value transmission source) in the 4th example of embodiment. It is the flowchart which showed the procedure of the process which should be performed in order to implement | achieve the function of the vehicle-mounted control apparatus (transmission source of a 2nd notification message) in the 4th example of embodiment.

<1. Configuration of vehicle control system>
FIG. 1 is a block diagram showing a configuration of a vehicle control system 1 as an embodiment according to the present invention. In FIG. 1, only the configuration of the main part according to the present invention is extracted and shown from the configuration of the vehicle control system 1.
The vehicle control system 1 is provided in a vehicle as a hybrid vehicle including an engine and an electric machine as a power source for driving wheels, and as a vehicle-mounted control device, a hybrid control unit 2, an engine control unit 3, a running control. A unit 4, a driving support control unit 5, a meter control unit 6, an airbag control unit 7, and a communication control unit 8 are provided. Each of these control units includes, for example, a microcomputer having a central processing unit (CPU), a read only memory (ROM), a random access memory (RAM), and the like, and each is connected via a bus wiring 9. It is possible to communicate with each other.
In this example, communication between the control units via the bus wiring 9 is performed by a method according to a CAN (Controller Area Network) communication standard. Hereinafter, a communication path using the bus wiring 9 is referred to as a “bus communication path”.

The engine control unit 3 performs various operation controls such as fuel injection control, ignition control, and intake air amount adjustment control for an engine provided in the vehicle. The engine control unit 3 includes a vehicle speed sensor 10 that detects the traveling speed of the vehicle as the vehicle speed, an engine speed sensor 11 that detects the engine speed, and an accelerator opening sensor 12 that detects the amount of depression of the accelerator pedal as the accelerator opening. Various sensors related to engine control, such as a throttle opening sensor 13 for detecting the throttle valve opening as the throttle opening, are connected, and the engine control unit 3 uses the values detected by these sensors for engine operation control. Use.
Further, the engine control unit 3 transmits detection values obtained by the various sensors to a required control unit such as the hybrid control unit 2 or the driving support control unit 5 through the bus wiring 9 as necessary.

The hybrid control unit 2 instructs the engine control unit 3, the rotating electrical machine control unit 20, and the charge control unit 21 based on values representing vehicle information such as the driver's operation input and the accelerator opening received from the engine control unit 3. To control the operation of the vehicle.
The rotating electrical machine control unit 20 performs drive control on a traveling rotating electrical machine (for example, a motor / generator) provided in the vehicle based on an instruction from the hybrid control unit 2. Based on an instruction from the hybrid control unit 2, the charging control unit 21 performs charging control of a traveling battery provided in the vehicle as a power source for the rotating electrical machine. In this example, the charging control unit 21 performs control for charging the traveling battery based on the power generated by the regenerative rotation by the rotating electrical machine as the motor / generator.

Based on the accelerator opening value received from the engine control unit 3, the hybrid control unit 2 calculates a required torque T (torque to be output to the wheels) corresponding to the accelerator operation amount by the driver, and corresponds to the required torque T. The engine control unit 3 and the rotating electrical machine control unit 20 execute operation control of the engine and the rotating electrical machine for running the vehicle with the requested driving force. Moreover, based on SOC (State Of Charge: charging rate) of the battery for driving | running | working, the control which makes the charge control part 21 charge a battery for driving | running | working is performed.
As a driving mode in the hybrid vehicle, there are an EV (Electric Vehicle) driving mode and a hybrid driving mode, and the hybrid control unit 2 switches between these driving modes according to the state of the vehicle. In the EV travel mode, the hybrid control unit 2 calculates a torque required for the rotating electrical machine (denoted as “requested torque Tb”) based on the required torque T calculated based on the accelerator opening value, and rotates the required torque Tb. The electric machine control unit 20 is instructed to control the operation of the rotating electric machine.
In the hybrid travel mode, the hybrid control unit 2 calculates a torque required for the engine (denoted as “requested torque Te”) and a required torque Tb of the rotating electrical machine based on the required torque T, and uses the required torque Te as the engine. The control unit 3 is instructed with the required torque Tb to the rotating electrical machine control unit 20 to control the operation of the engine and the rotating electrical machine.

  The running control unit 4 is a control unit that performs control related to running stability of the vehicle, such as VDC (Vehicle Dynamics Control). For example, a predetermined sensor such as a yaw rate sensor 14 is connected to the running safety control unit 4, and a control related to running stability is executed based on a detection value by the connected sensor.

The driving support control unit 5 performs various driving support controls such as auto cruise control and steering support control. The driving support control unit 5 uses the detection value by the outside environment sensor 15 when performing these driving support controls. The outside environment sensor 15 comprehensively shows sensors such as an image sensor for detecting an object such as a preceding vehicle, a pedestrian, and a lane existing outside the vehicle. The driving support control unit 5 controls each part necessary for driving support control such as an accelerator and a steering on the basis of information on the object detected based on the detection value by the outside environment sensor 15.
The sensor used for object detection is not limited to the image sensor, and other sensors such as a millimeter wave radar can also be used.

  The meter control unit 6 performs display control for various display units provided in a meter panel or the like in the vehicle. Examples of the display unit include various meters such as a speedometer and a tachometer provided in the meter panel, MFD (Multi Function Display), and other display devices for presenting information to the driver. The meter control unit 6 controls the display operation by the speedometer and the tachometer based on the values of the vehicle speed and the engine speed that are appropriately received from the engine control unit 3. The meter control unit 6 is connected to a predetermined sensor such as an outside air temperature sensor 16 for detecting the outside air temperature of the vehicle, and performs display control of the display unit based on a detection value by the connected sensor. The MFD is used to display various information such as the total travel distance of the vehicle, the outside air temperature, and instantaneous fuel consumption.

  The airbag control unit 7 controls the operation of the airbag provided in the vehicle. A predetermined sensor such as a collision sensor 17 that detects an object collision with the vehicle is connected to the airbag control unit 7, and the operation of the airbag is controlled based on a detection value of the connected sensor.

  The communication control unit 8 is a control unit that can communicate with an external device of the vehicle. The communication control unit 8 is provided with an antenna, and wireless communication can be performed with an external device via the antenna.

  In the vehicle control system 1, an external device connector 18 is connected to the bus wiring 9. The external device connector 18 is a connector for connecting an external device as a vehicle failure diagnosis device or the like. By providing the external device connector 18, an external device such as a failure diagnosis device can communicate with each control unit via the bus wiring 9.

<2. About communication data>
Here, in the vehicle control system 1 of this example adopting the CAN communication standard, data exchange between the control units via the bus wiring 9 is performed by a message as a data frame.

FIG. 2 is a diagram showing an example of a data structure of a message as the data frame.
First, the head of the data frame is an SOF (Start Of Frame) indicating the start of the data frame, and the area following the SOF is an ID (Identifier). The ID is composed of 11 bits, for example, and is mainly used for identifying the data contents and the transmission source node. As another function, it is also used to determine the priority order of communication arbitration. With an ID consisting of 11 bits, 2048 types of data frames can be identified. Based on the ID, each node can determine whether or not to receive transmission data (data to be transmitted in a data field described later) based on the data frame.

  The area following the ID is RTR (Remote Transmission Request) and is used to identify the data frame and the remote frame. In the case of a data frame, RTR is dominant. An area following RTR is used as a control field. The control field includes a DLC (Data Length Code), which indicates how many bytes of data are transmitted in the subsequent data field.

  The data field following the control field is an area in which data (value) to be transmitted is stored. In the control field, data of 0 to 8 bytes (0 to 64 bits) can be transmitted in units of 1 byte.

  The area following the data field is a CRC (Cyclic Redundancy Check) field, which functions as a checksum for checking whether or not the receiving node has correctly received the transmission data in the data frame.

  The area following the CRC field is an ACK (Acknowledgement) field for returning an acknowledgment value as to whether or not the receiving node has received the transmission data correctly, and the area following the ACK field indicates the end of the data frame. EOF (End Of Frame) is expressed.

<3. Falsification control of embodiment>
[3-1. First example]
Here, as described above, the checksum is suitable for detecting whether or not there is a change between transmitted and received data due to communication failure due to noise or the like, but the message on the bus communication path is rewritten together with the checksum by a so-called hacking action. If such tampering is performed, it may be impossible to confirm the correctness of the received message. Such tampering can be continuously performed, for example, via the communication control unit 8 or the external device connector 18.
In the vehicle control system 1, vehicle information such as the accelerator opening and the engine speed is exchanged between the control units by a message. However, if the falsification is performed as described above, the receiving unit side performs control based on incorrect vehicle information. It is possible that the safety of the vehicle cannot be ensured.

  For this reason, in the vehicle control system 1 of the embodiment, the function described below is added to at least one control unit connected via the bus communication path. Hereinafter, the engine control unit 3 will be described as an example of a control unit to which the function is added.

  FIG. 3 is a functional block diagram showing a functional configuration of the engine control unit 3 in the first example. As shown in the figure, the engine control unit 3 can be expressed as having a transmission processing unit F1, a holding processing unit F2, a tampering determination processing unit F3, and a first notification processing unit F4.

  The transmission processing unit F1 transmits a message including a transmission target value to the bus communication path. The transmission target value is a value to be transmitted in the “data field” of the message exchanged via the bus communication path. For the engine control unit 3, for example, the accelerator opening value and the engine speed This value corresponds to a value detected by a connected sensor. The sending processing unit F1 sends a message including the transmission target value in the “data field” to the bus communication path in response to the transmission target value transmission task.

  The holding processing unit F2 performs a process of holding the transmission target value in a memory such as a RAM (RAM of the engine control unit 3). The holding processing unit F2 in this example performs processing for holding the same value as the transmission target value included in the message sent by the sending processing unit F1.

  The falsification determination processing unit F3 acquires the message sent to the bus communication path by the transmission processing unit F1, and transmits the transmission target value (“acquired value”) included in the acquired message and the holding processing unit F2. Based on the comparison result with the target value (“holding value”), it is determined whether or not the transmission target value sent to the bus communication path is falsified. Specifically, it is determined whether or not the acquired value matches the held value. If the acquired value matches, a determination result is obtained that there is no falsification, and if there is no match, a determination result that falsification is present is obtained.

  The first notification processing unit F4 sends a first notification message to the bus communication path when the falsification determination processing unit F3 determines that falsification has occurred. Specifically, a message including a value indicating that the “ID” has been falsified is transmitted as the first notification message.

  Here, in the vehicle control system 1 of this example, a type of “message notifying that the message has been tampered with (noted as“ first notification message ”)” is defined as the type of message. A value of “ID” corresponding to the “first notification message” is determined in advance. In this way, the first notification processing unit F4 sends a message including “ID” with a predetermined value for the “first notification message” to the bus communication path.

In the vehicle control system 1, among the control units connected to the bus wiring 9, each control unit excluding at least the engine control unit 3 (that is, the transmission side unit) is sent to the bus communication path as described above. Receive notification messages. And the control unit which received this 1st notification message transfers to fail safe mode.
Thereby, it is possible to prevent the vehicle control using the falsified value from being executed, and to ensure the safety of the vehicle.

  Of the control units connected to the bus wiring 9, for example, the control unit that controls the notification means for the driver, such as the meter control unit 6, is notified by the notification means in response to the reception of the first notification message. It is possible to perform control for notifying the driver that falsification has occurred. By performing such notification, it can be expected that the driver will take safety measures such as stopping the vehicle, and safety performance against tampering can be improved.

FIG. 4 is a flowchart showing a procedure of processes to be executed to realize each function as the first example described with reference to FIG.
In FIG. 4, the engine control unit 3 waits for transmission task generation of a transmission target value in step S101, and in response to the generation of the transmission task, in step S102 transmission processing of the transmission target value, that is, a message including the transmission target value. Performs processing to send to the bus communication path.

  In step S103 following step S102, the engine control unit 3 performs transmission value holding processing. That is, a process of holding the same value as the transmission target value included in the message sent in step S102 in a memory such as a RAM is performed.

  In step S104 following step S103, the engine control unit 3 acquires the message sent to the bus communication path (the message sent in step S102). Furthermore, in subsequent step S105, the engine control unit 3 determines whether or not the transmission target value (acquired value) included in the message acquired in step S104 matches the transmission target value held in step S103. If so, the process shown in FIG. 4 is terminated. If not, the process proceeds to step S106 to send the first notification message described above to the bus communication path, and the process shown in FIG. 4 is terminated.

In the above, as an example of holding the transmission target value, an example of holding the same value as the transmission target value (hereinafter referred to as “transmission value”) included in the transmitted message is given. It is not essential to be identical. For example, when the transmission target value is a detection value of a sensor, it is possible to acquire the detection value of the sensor immediately after sending the message in step S102 and hold the acquired detection value. There is no guarantee that the transmission value (acquired value) and the retained value are the same. When the transmission value and the hold value can be different as described above, as the determination process in step S105, for example, it is determined whether or not the difference between the acquired value and the hold value is equal to or less than a certain value.
The transmission target value can be held in advance before sending the message in step S102.

[3-2. Second example]
Subsequently, the second example will be described. In the following description, parts that are the same as the parts that have already been described are assigned the same reference numerals and step numbers to avoid redundant description.

In the previous first example, the control unit that is the transmission source of the transmission target value performs holding determination of the transmission target value and falsification using the holding value for all transmission target values. The target value (hereinafter referred to as “required measure value”) that is predicted to be difficult to ensure safety when it is performed is divided in advance from the target value that is not, and only the required measure value is targeted. Holding of the transmission target value and falsification determination using the holding value are performed.
As in the case of the first example, the function of the second example may be added to at least one control unit among the control units. Also in this case, the engine control unit 3 is given as an example of a control unit to which the corresponding function is added.

  FIG. 5 is a functional block diagram showing a functional configuration of the engine control unit 3 in the second example. The engine control unit 3 in this case includes the transmission processing unit F1, the holding processing unit F2, the falsification determination processing unit F3, and the first notification processing unit F4, and the first target value determination processing unit F5 and the control processing unit. F6.

  The first target value determination processing unit F5 determines whether or not the transmission target value is a specific type of value. Specifically, it is determined whether or not the transmission target value transmitted by the message is the above-described countermeasure required value. In this case, the memory information such as the ROM in the engine control unit 3 stores the list information of the countermeasure required value, and the engine control unit 3 determines whether or not the countermeasure required value is based on the list information. As an example of the countermeasure required value, in the case of the engine control unit 3, a vehicle speed, an engine speed value, a throttle opening value, and the like can be exemplified. Alternatively, in the case of the hybrid control unit 2, the value of the required torque Te described above can be exemplified.

  The control processing unit F6 performs the determination by the falsification determination processing unit F3 only on the transmission target value determined as the specific type of value by the first target value determination processing unit F5. That is, the falsification determination by the falsification determination processing unit F3 is executed only for the transmission target value determined to be a countermeasure required value.

  With such a function as the second example, the control unit that is a transmission source of the transmission target value does not need to hold the transmission target value or perform falsification determination for all transmission target values that can be transmitted by the control unit. Therefore, the processing burden can be reduced.

FIG. 6 is a flowchart showing a procedure of processes to be executed to realize each function as the second example.
In this case, the engine control unit 3 determines whether or not the transmission value is a specific type value in step S201 in response to the transmission processing of the transmission target value in step S102. That is, it is determined whether or not the transmission target value included in the message sent in step S102 is a countermeasure required value. In step S201, if the transmission value is not a specific type of value, the engine control unit 3 returns to step S101. On the other hand, if the transmission value is a specific type of value, the engine control unit 3 advances the process to step S104. That is, only when the transmission target value is a countermeasure required value, the holding process in step S103 and the falsification determination process in step S105 are executed.

[3-3. Third example]
In the second example, it is determined whether or not the control unit that is the transmission source of the transmission target value is a countermeasure value, but in the third example, whether the countermeasure value is a countermeasure value is determined in the first notification message. This is done in the control unit on the receiving side.
Here, as a premise, in the third example, a change is made to the first notification message transmitted by the first notification processing unit F4 in the control unit that is the transmission source of the transmission target value. That is, the first notification message in the third example includes the identification information of the transmission target value determined to be falsified by the falsification determination processing unit F3, together with the notification information indicating that falsification has occurred.
In the third example, as the value of “ID” in the message, a value that can identify not only individual transmission target values but also whether or not the transmission target values have been tampered with is defined in advance. Has been. In other words, as the “ID” value corresponding to each transmission target value, two types of values representing “no falsification” and “falsification present” are defined.
In the third example, the first notification processing unit F4 indicates that the transmission target value is falsified from the two types of “ID” values corresponding to the transmission target value when it is determined that the transmission target value is falsified. Is sent to the bus communication path as a first notification message.

  Based on the above assumption, the function as the third example will be described. The function as the third example may be added to at least one control unit among the control units. In the following description, the hybrid control unit 2 will be described as an example of the control unit to which the function is added.

FIG. 7 is a functional block diagram showing a functional configuration of the hybrid control unit 2 in the third example.
The hybrid control unit 2 in the third example includes a reception processing unit F7 and a second target value determination processing unit F8. The reception processing unit F7 receives the first notification message sent to the bus communication path. The second target value determination processing unit F8 determines whether or not the transmission target value identified based on the first notification message received by the reception processing unit F7 is a specific type of value. That is, it is determined whether the transmission target value identified based on the value of “ID” included in the first notification message is a countermeasure required value set for the hybrid control unit 2.
In the hybrid control unit 2 in this case, as the list information of countermeasure required values, values that are predicted to be difficult to ensure safety when tampering is performed among values that can be received from other control units and used for their own control. Is stored in a memory such as a ROM, and the second target value determination processing unit F8 determines whether the transmission target value identified from the first notification message is a countermeasure required value based on the list information. Determine.

  The hybrid control unit 2 shifts to the fail-safe mode in response to the second target value determination processing unit F8 determining that the value is a countermeasure required value. As a result, the safety of the vehicle can be ensured.

  The function as the third example as described above eliminates the need for the control unit that is the transmission source of the transmission target value to determine whether or not the value is a specific type (determination by the first determination processing unit F3). . For this reason, in particular, the control unit such as the engine control unit 3 that has a relatively large number of types of transmission target values to be transmitted (that is, a relatively large transmission processing load) does not have to impose the processing load associated with the determination, and the bus communication. It is possible to facilitate communication between the control units via the path.

  The case where the function of the third example is applied to the engine control unit 3 will be described as an application example other than the hybrid control unit 2. In this case, it is assumed that the countermeasure required value set in the engine control unit 3 includes the value of the collision detection signal transmitted by the airbag control unit 7. When the engine control unit 3 receives the collision detection signal, it cuts the fuel and stops the engine. However, when the collision detection signal is falsified, the fuel cut according to the falsified value is not performed by the function as the third example, and the mode shifts to the fail safe mode. Thereby, it is possible to prevent the engine from being forcibly stopped against the intention of the driver, and to ensure the safety of the vehicle.

[3-4. Fourth example]
The fourth example is a countermeasure for a case where there is a combination of transmission target values that do not affect safety by tampering alone but are predicted to be difficult to ensure safety if tampered with other values. is there. For example, on the assumption that the hybrid control unit 2 performs control using the A value transmitted by the engine control unit 3 and the B value transmitted by the driving support control unit 5, depending on the alteration of the A value alone or the B value alone, Each of these measures does not affect safety, but is a countermeasure for a case in which it is difficult to ensure safety by performing control using the altered A value and B value.
In the following description, the engine control unit 3 is exemplified as a representative control unit that is a transmission source of the transmission target value.

FIG. 8 is a functional block diagram showing a functional configuration of the engine control unit 3 in the fourth example.
The engine control unit 3 in the fourth example includes a transmission processing unit F1, a holding processing unit F2, and a falsification determination processing unit F3, and also includes a first notification processing unit F4 ′. Similar to the first notification processing unit F4 described in the third example, the first notification processing unit F4 ′ sets the transmission target value to the transmission target value in response to the determination that the transmission target value is falsified by the falsification determination processing unit F3. A message including a value indicating the presence of tampering is sent out of the corresponding two types of “ID” values. In the fourth example, the first notification message sent by the first notification processing unit F4 ′ as described above, that is, includes information indicating that the single transmission target value has been falsified and the transmission target value is different. The message is referred to as a “provisional notification message”.

  In the fourth example, at least one control unit among the control units connected to the bus communication path receives the temporary notification message, and executes a process for realizing each function shown in FIG. Here, the meter control unit 6 is given as an example of the corresponding control unit.

In FIG. 9, the meter control unit 6 includes a target combination determination processing unit F9 and a second notification processing unit F10 together with the reception processing unit F7.
In this case, the reception processing unit F7 receives the first notification message as the temporary notification message sent by the first notification processing unit F4 ′ in a certain control unit such as the engine control unit 3. If there are a plurality of control units having the first notification processing unit F4 ′, the reception processing unit F7 receives the temporary notification messages transmitted by the first notification processing unit F4 ′ of the control units.

The target combination determination processing unit F9 transmits a transmission target value that is determined to be falsified and is identified based on each received temporary notification message when a temporary notification message about a different transmission target value is received by the reception processing unit F7. It is determined whether or not the combination is a specific combination.
In the meter control unit 6 in this case, a combination of transmission target values predicted to be difficult to ensure safety when tampering is performed, such as the combination of the A value and the B value described above (hereinafter referred to as “required combination”). Is stored in a memory such as a ROM, and the target value determination processing unit F8 uses a combination of transmission target values identified from each received temporary notification message based on the list information as a combination of countermeasures required. It is determined whether or not.

The second notification processing unit F10 transmits a second notification message different from the temporary notification message to the bus communication path in response to the target combination determination processing unit F9 determining that the specific combination is set. In other words, when it is determined that the combination of transmission target values identified based on each received temporary notification message is a combination requiring countermeasures, this notification message different from the temporary notification message is sent to the bus communication path. .
In the fourth example, for each combination of transmission target values as a combination requiring countermeasures, a value of “ID” indicating that each transmission target value included in the combination and that the transmission target value has been falsified is defined Has been. For example, in the example of the A value and the B value described above, a value of “ID” indicating that falsification has been performed is defined together with the distinction between the A value and the B value.
The second notification processing unit F10 corresponds to the “ID” value defined for each countermeasure combination as described above, when the target combination determination processing unit F9 determines that the countermeasure combination is required. A message including the value of “ID” corresponding to the combination requiring countermeasures to be sent is sent as the notification message.

  The sent notification message is received by the control unit that is supposed to receive the notification message. Specifically, in the fourth example, for each control unit, the “ID” value that can be included in the notification message, that is, the “ID” that should be received among the “ID” values defined for each combination requiring countermeasures. Value is set. For example, in the case of the above A value and B value, the hybrid control unit 2 receives the “ID” value (“ID” value corresponding to the combination of these A value and B value) as the “ID” value of this notification message to be received ( "Vab") is set. If the value of “ID” included in the notification message is “Vab”, the hybrid control unit 2 receives the notification message.

  In the fourth example, the control unit that has received this notification message shifts to the fail-safe mode. As a result, even if each transmission target value corresponding to the combination requiring countermeasures is falsified, it is possible to prevent the control unit that performs control using those transmission target values from performing control based on the falsified value. Can be secured. That is, as the transmission target value, it is possible to ensure the safety against various alterations other than the transmission target value, which is predicted to be difficult to secure due to the single alteration.

  Also in the fourth example, as in the case of the first example and the second example, it is difficult to ensure the safety of the control unit that is the transmission source of the transmission target value due to the required countermeasure value, that is, the single alteration. It is determined whether or not the transmission target value predicted to be falsified. The first notification processing unit F4 ′ in the fourth example determines whether or not the transmission target value determined to be falsified is a transmission target value as a countermeasure required value, and the transmission target value determined to be falsified. If is not a required countermeasure value, a notification message as the temporary notification message described above is sent, and if the transmission target value determined to be falsified is a required countermeasure value, it indicates that the required countermeasure value has been falsified. A notification message including the value of “ID” is transmitted. Hereinafter, the above notification message transmitted when the transmission target value determined to be falsified is a countermeasure required value will be referred to as a “countermeasure required falsification notification message” for convenience.

In the fourth example, the countermeasure required falsification notification message is received by the control unit that should receive the countermeasure required falsification notification message. Specifically, in the fourth example, for each control unit, the “ID” value that can be included in the countermeasure required falsification notification message, that is, the “ID” value defined for each countermeasure required value is to be received “ The value of “ID” is set.
The control unit that has received the countermeasure falsification notification message shifts to fail-safe mode. Thereby, when the transmission target value corresponding to the countermeasure required value is falsified, it is possible to prevent the control based on the transmission target value from being performed, and to ensure the safety of the vehicle.

  The flowchart of FIG. 10 illustrates a procedure of processing to be executed for realizing the function of the control unit that is the transmission source of the transmission target value among the functions as the fourth example. Further, the flowchart of FIG. 11 shows a procedure of processing to be executed for realizing the function of the control unit that is the transmission source of the second notification message (this notification message) among the functions as the fourth example. Yes. In this case as well, the engine control unit 3 is illustrated as a representative control unit that is the transmission source of the transmission target value, and the meter control unit 6 is an example of the control unit that is the transmission source of the notification message.

First, the processing shown in FIG. 10 is the same as the processing described in FIG. 4 with respect to the processing in steps S101 to S105. In this case, the engine control unit 3 proceeds to step S301 in response to determining that the acquired value and the held value do not match in step S105, specifically, whether the value to be transmitted is a specific value. It is determined whether or not the countermeasure value is required. If it is determined in step S301 that the value is of a specific type, the engine control unit 3 proceeds to step S302, sends a countermeasure required falsification notification message to the bus communication path, and ends the processing shown in FIG.
As described above, the countermeasure required falsification notification message is received by the control unit that is supposed to receive the message, and the control unit that has received the message shifts to the fail-safe mode, thereby ensuring the safety of the vehicle. .

  On the other hand, if it is determined in step S301 that the value is not of a specific type, the engine control unit 3 proceeds to step S303, sends a temporary notification message to the bus communication path, and ends the process shown in FIG.

Next, the process of FIG. 11 will be described.
In FIG. 11, the meter control unit 6 waits until a provisional notification message is received in step S401. When a provisional notification message is received, the meter control unit 6 determines whether or not a plurality of types of provisional notification messages have been received in step S402. Specifically, it is determined whether or not provisional notification messages for different transmission target values have been received within the past predetermined time.
If it is determined that a plurality of types of provisional notification messages have not been received, the meter control unit 6 ends the process shown in FIG. That is, even if the transmission target value other than the countermeasure required value is falsified alone, this notification message is not transmitted.

On the other hand, if it is determined that a plurality of types of provisional notification messages have been received, the meter control unit 6 proceeds to step S403 and determines whether or not the received combination matches the specific combination. That is, it is determined whether or not a combination of transmission target values determined to be falsified identified based on each received temporary notification message matches a specific transmission target value combination determined as a countermeasure combination .
If it is determined that the received combination does not match the specific combination, the meter control unit 6 ends the process shown in FIG.

If it is determined that the received combination matches the specific combination, the meter control unit 6 proceeds to step S404, sends this notification message for each corresponding value to the bus communication path, and ends the process shown in FIG. That is, this notification message including the value of “ID” indicating that each transmission target value identified based on each provisional notification message has been tampered with as the value of “ID” is sent to the bus communication path.
As described above, the notification message is received by the control unit that is supposed to receive the message, and the control unit that has received the message shifts to the fail-safe mode, thereby ensuring the safety of the vehicle.

[3-5. Fifth example]
In the above, an example has been given in which the control unit that has received the falsification notification message shifts to the fail-safe mode. ) Can be sent to the bus communication path so that control based on the true value can be performed.
For example, in the case of the first example and the second example described above, the control unit that performs the falsification determination of the transmission target value determines that the falsification is present in the first notification message in response to the determination that the falsification is present. A configuration can be adopted in which the true value of the target value is stored and transmitted to the bus communication path. At this time, if the transmission target value is a sensor detection value, the corresponding sensor detection value is stored as a true value in the first notification message.

  Here, according to the message transmission including the true value as described above, when the message is falsified with respect to a certain transmission target value (hereinafter referred to as “transmission target value X”), the bus communication is performed. The falsification message including the falsification value of the transmission target value X and the first notification message including the true value of the transmission target value X are transmitted to the path. In this case, as the value of the “ID” of the message, two types of values each representing “no falsification” and “with falsification” are defined as the “ID” value corresponding to each transmission target value. Includes a value indicating the presence of falsification among the values corresponding to the transmission target value X as the value of “ID”. In the first notification message in this case, the “data field” includes the true value of the transmission target value X. At this time, since the falsification message is obtained by falsifying the values of the “data field” and “CRC field”, the value of “ID” is the one that indicates no falsification among the values corresponding to the transmission target value X. The value is included.

In this case, the control unit that receives and controls the transmission target value X from the other unit receives the falsification message and the first notification message based on the value of “ID” in the message. In the fifth example, after receiving the first notification message, the control unit does not use the transmission target value X in the falsification message, and performs control using the transmission target value X as the true value in the first notification message. Configure to do.
Thereby, appropriate vehicle control can be continuously performed based on the true value without interrupting vehicle control for tampering.

  When applied to the third example, the control unit that has received the first notification message including the true value determines whether or not the transmission target value identified based on the first notification message is a countermeasure required value. The control using the true value in the first notification message may be performed only when it is determined and the countermeasure value is required.

Further, even when measures are taken for combination falsification of transmission target values as in the fourth example, transmission of true values as described above can be performed.
In the case of the fourth example, the control unit that is the source of the temporary notification message includes a true value in the data field in the temporary notification message. The control unit that is the transmission source of this notification message determines that the combination of transmission target values identified based on the provisional notification message is a combination that requires countermeasures. Each time, this notification message including each true value is sent to the bus communication path. In this case, the control unit that has received the notification message does not use the transmission target value in the falsification message, and performs control using the true value in the received notification message.

In the case of application to the fourth example as described above, it is not essential to include a true value in the provisional notification message. In that case, the control unit that receives the temporary notification message determines that the combination of the transmission target values identified based on the received multiple types of temporary notification messages is a combination requiring countermeasures, and that the tampering is present. A request message for requesting transmission of a true value message (details will be described later) is transmitted to the control unit that is a transmission source of the transmission target value. The control unit that has received the request message transmits a true value message including a true value in the “data field” and a value of “ID” indicating that the corresponding transmission target value has been falsified. This true value message is received by the control unit that performs control using the corresponding transmission target value according to the definition of “ID”. The control unit that has received the true value message subsequently performs control using the true value included in the received true value message.
For example, such a technique eliminates the need to include a true value in the provisional notification message in order to ensure safety without interrupting vehicle control against tampering.

<4. Summary of Embodiment>
As described above, the vehicle control system (1) according to the embodiment is a vehicle control system in which a plurality of vehicle-mounted control devices (control units) are communicably connected via a bus communication path. At least one vehicle-mounted control device includes the following units.
That is, a sending unit (sending processing unit F1) that sends a message including a transmission target value to the bus communication path, a holding unit (holding processing unit F2) that holds the transmission target value, and a message sent to the bus communication path. A falsification determination unit that determines whether or not the transmission target value sent to the bus communication path has been falsified based on a result obtained by comparing the transmission target value included in the acquired message with the transmission target value held by the holding unit (A falsification determination processing unit F3), and a first notification unit (first notification processing unit F4, F4 ′) that sends a first notification message to the bus communication path in response to the falsification determination unit determining that there is falsification. It is equipped with.

The falsification determining unit can appropriately determine whether or not the message to be rewritten with the checksum is falsified. Then, the first notification unit described above can notify the other vehicle-mounted control device connected to the bus communication path that the message has been tampered with. It is possible to take measures not to perform vehicle control using the falsified value, such as shifting to.
Therefore, it is possible to ensure the safety of the vehicle even when the message is falsified.

  In the vehicle control system of the embodiment, the in-vehicle control device including the sending unit, the holding unit, the tampering determination unit, and the first notification unit determines whether the transmission target value is a specific type of value. A first target value determination unit (first target value determination processing unit F5), and a control unit that performs determination by the falsification determination unit only on transmission target values determined as a specific type of value by the first target value determination unit (Control processing unit F6).

  This eliminates the need to hold the transmission target value or perform falsification determination for all transmission target values, thereby reducing the processing load.

  Furthermore, in the vehicle control system of the embodiment, the first notification unit sends a message including identification information of the transmission target value determined to be falsified by the falsification determination unit as the first notification message, and the in-vehicle control device At least one in-vehicle control device receives a first notification message sent to the bus communication path, and a transmission target value identified based on the first notification message received by the receiving unit is a value of a specific type A second target value determination unit (second target value determination processing unit F8).

This eliminates the need for the vehicle-mounted control device that is the transmission source of the transmission target value to determine whether the value is a specific type.
Therefore, it is possible to prevent the vehicle-mounted control device having many types of transmission target values to be transmitted from being burdened with the processing burden associated with the determination of whether or not the value is a specific type, and the vehicle-mounted control device via the bus communication path. Communication between them can be facilitated.

  Furthermore, in the vehicle control system of the embodiment, the first notification unit includes, as the first notification message, a message (temporary notification message) including identification information of a transmission target value determined to be falsified by the falsification determination unit. At least one in-vehicle control device out of the in-vehicle control device receives the first notification message sent to the bus communication path, and the first notification message about the transmission target value that varies depending on the reception unit. A target combination determination unit (target combination determination processing unit F9) that determines whether or not the combination of transmission target values determined to be falsified identified based on each received first notification message is a specific combination ) And a second notification message (main communication) different from the first notification message in response to the target combination determination unit determining that the combination is a specific combination. A message) includes a second notifying unit for sending the bus communication line and a (second notification processing unit F10).

  Thereby, it is possible to ensure safety against various alterations other than the alteration of the transmission target value, which is predicted to be difficult to ensure the safety by the single alteration.

  Further, in the vehicle control system of the embodiment, the first notification unit transmits a first notification message including the true value of the transmission target value determined to be falsified to the bus communication path.

  Thereby, when ensuring the safety of the vehicle against tampering, appropriate vehicle control can be continuously performed based on the true value without interrupting the vehicle control.

<5. Modification>
The present invention is not limited to the specific examples described above, and various modifications can be considered.
For example, in the above description, an example in which “ID” in a message exchanged on the bus communication path is used as notification information on the presence / absence of falsification is provided. It can also function as notification information. This is an effective method when the number of bits of “ID” is relatively small.
When a true value is used as in the fifth example, the true value may be stored in a message with flag = “1” (with tampering) and transmitted.

  DESCRIPTION OF SYMBOLS 1 Vehicle control system, 2 Hybrid control unit, 3 Engine control unit, 6 Meter control unit, 9 Bus wiring, 10 Vehicle speed sensor, 11 Engine speed sensor, 12 Accelerator opening sensor, 13 Throttle opening sensor, 15 Outside vehicle environment sensor , F1 transmission processing unit, F2 holding processing unit, F3 falsification determination processing unit, F4, F4 ′ first notification processing unit, F5 first target value determination processing unit, F6 control processing unit, F7 reception processing unit, F8 second target Value determination processing unit, F9 target combination determination processing unit, F10 second notification processing unit

Claims (5)

A vehicle control system in which a plurality of in-vehicle control devices are communicably connected via a bus communication path,
At least one in-vehicle control device among the in-vehicle control devices,
A sending unit for sending a message including a transmission target value to the bus communication path;
A holding unit for holding the transmission target value;
The message sent to the bus communication path is acquired, and based on the result of comparing the transmission target value included in the acquired message with the transmission target value held by the holding unit, the bus communication path A falsification determination unit that determines whether or not the transmitted transmission target value is falsified;
A vehicle control system comprising: a first notification unit that sends a first notification message to the bus communication path when it is determined by the falsification determination unit that falsification has occurred. The in-vehicle control device including the sending unit, the holding unit, the falsification determining unit, and the first notification unit,
A first target value determination unit that determines whether or not the transmission target value is a specific type of value;
The vehicle control system according to claim 1, further comprising: a control unit that executes the determination by the falsification determination unit for only the transmission target value determined as the specific type of value by the first target value determination unit. The first notification unit
As the first notification message, a message including identification information of the transmission target value determined to be falsified by the falsification determination unit is sent.
At least one in-vehicle control device among the in-vehicle control devices,
A receiving unit for receiving the first notification message sent to the bus communication path;
The vehicle according to claim 1, further comprising: a second target value determination unit that determines whether or not the transmission target value identified based on the first notification message received by the reception unit is a specific type of value. Control system. The first notification unit
As the first notification message, a message including identification information of the transmission target value determined to be falsified by the falsification determination unit is sent.
At least one in-vehicle control device among the in-vehicle control devices,
A receiving unit for receiving the first notification message sent to the bus communication path;
The combination of transmission target values determined to be falsified identified based on each received first notification message when the first notification message for the different transmission target values is received by the receiving unit A target combination determination unit that determines whether or not is a specific combination;
A second notification unit configured to send a second notification message different from the first notification message to the bus communication path when the target combination determination unit determines that the specific combination is determined. The vehicle control system according to any one of claims 1 to 3. The first notification unit
The vehicle control system according to any one of claims 1 to 4, wherein the first notification message including a true value of the transmission target value determined to be falsified is transmitted to the bus communication path.

Images