JP6483461B2 - Management method, management program, management device, management system, and information processing method - Google Patents

Description

  The present invention relates to a management method, a management program, a management device, a management system, and an information processing method.

  There is a system in which a management device remotely monitors the status of a device to be managed. As a related technique, a technique for automatically adjusting a data transmission level when a remote monitoring terminal connected to an elevator transmits data to a public line network has been proposed. In this technique, the above data transmission level is set to a value having a margin on either the high or low level within a stable transmission level range in which communication with the monitoring center can be performed stably (see, for example, Patent Document 1). ).

JP 2012-142731 A

  When the management apparatus manages the state of the management target apparatus, the management target apparatus transmits information about the state to the management apparatus. When some kind of fraud is performed on a managed device, the reliability of information transmitted by the managed device is lowered. When the reliability of the information transmitted by the management target becomes low, it is difficult for the management apparatus to manage the management target apparatus with high reliability.

  Therefore, in one aspect, an object of the present invention is to manage a management target with high reliability.

  In one aspect, the management method is a management method in which one or more control devices and a management device communicate with each other, and the management device manages the control device. The control device transmits transmission information including a record related to execution of transmission processing to the management device at a predetermined timing, and the management device returns a receipt notification to the control device in response to the reception of the transmission information. When the control device does not receive the receipt notification from the management device after executing the transmission processing, the control device stores a record relating to the execution of the transmission processing in the storage unit, and transmits the transmission from the control device. Whether or not the control device is abnormal is determined based on a period during which no information is received and the number of executions of the transmission process included in the recording of the storage unit received from the control device. Serial management device is determined.

  According to one aspect, the management target can be managed with high reliability.

It is a figure which shows an example of a management system. It is a figure which shows an example of ECU. It is a figure which shows an example of a test | inspection agent and a security chip. It is a figure which shows an example of a management server. It is a flowchart which shows an example of a process of a test | inspection agent. It is a flowchart (the 1) which shows an example of a process of an inspection engine. It is a flowchart (the 2) which shows an example of a process of an inspection engine. It is a flowchart which shows an example of the process of whether a summary value is an assumed value. 10 is a flowchart illustrating an example of processing of Modification Example 1. 10 is a flowchart illustrating an example of processing of Modification Example 2. 10 is a flowchart illustrating an example of processing of Modification 3. It is a figure which shows an example of the hardware constitutions of a control apparatus. It is a figure which shows an example of the hardware constitutions of a management apparatus.

<Example of overall system configuration>
Embodiments will be described with reference to the drawings. In the following embodiment, an example of a control device provided in an automobile will be described, but the control device may be provided in any vehicle other than the automobile. For example, the control device may be provided in a transport vehicle such as a dump truck.

  In the embodiment, an example in which the control device is provided in a movable object such as an automobile will be described. However, the control device may be provided in a fixed object other than the movable object. An example in which the control device is provided on a fixed object will be described later.

  FIG. 1 shows an example of the management system 1. The management system 1 includes an automobile 2 and a management server 3. The automobile 2 includes an in-vehicle device 4, an in-vehicle network 5, and engine control units (ECU) 6 </ b> A to 6 </ b> C (hereinafter collectively referred to as an ECU 6). Although FIG. 1 illustrates one automobile 2, a plurality of automobiles 2 to be managed by the management server 3 may be provided. The management server 3 is an example of a management device.

  The vehicle-mounted device 4 has a function of communicating with the management server 3. Moreover, the vehicle-mounted device 4 is connected to each ECU 6 via the in-vehicle network 5. The in-vehicle device 4 transmits information regarding each ECU 6 connected via the in-vehicle network 5 to the management server 3. The vehicle-mounted device 4 may collect and transmit information regarding each ECU 6 to the management server 3 or may be transmitted to the management server 3 individually.

  The vehicle-mounted device 4 may have a function other than the function of communicating with the management server 3. For example, the vehicle-mounted device 4 may have a function of comprehensively controlling each ECU 6. Moreover, the onboard equipment 4 may transmit the information regarding this onboard equipment 4 to the management server 3. The vehicle-mounted device 4 is an example of a first control device.

  The in-vehicle network 5 may be, for example, a controller area network (CAN) or a Flex Ray. An arbitrary control device other than the ECU 6 may be connected to the in-vehicle network 5.

  The ECU 6 controls various mechanisms provided in the automobile 2. For example, the ECU 6 controls a sensor system including various sensors used in engine control, engine operation, and the like. Although three ECUs 6 are illustrated in FIG. 1, the number of ECUs 6 included in the automobile 2 is not limited. The ECU 6 is an example of a second control device or information processing device.

  The first control device having a communication function and the second control device that processes predetermined information are collectively referred to as a control device. The control device 3 is a management target managed by the management server 3. The first control device may be other than the vehicle-mounted device 4. Further, the second control device may be other than the ECU 6.

  As illustrated in the example of FIG. 1, the management server 3 can acquire information on each ECU 6 and information on the vehicle-mounted device 4 by performing wireless communication with the vehicle-mounted device 4. For example, when the automobile 2 includes many parts that operate by electronic control, the number of ECUs 6 also increases.

  The management server 3 periodically acquires information on each ECU 6 or both of the ECU 6 and the vehicle-mounted device 4 from the vehicle-mounted device 4 of the automobile 2, grasps the state of the vehicle-mounted device 4 or each ECU 6, and manages based on it. . The management server 3 may perform remote maintenance when it is recognized that there is software to be updated in the vehicle-mounted device 4 or the ECU 6 or when there is an abnormality.

  For example, when the software version of the vehicle-mounted device 4 or the ECU 6 is old, the management server 3 transmits a new version of the software to the vehicle-mounted device 4, and the vehicle-mounted device 4 or the ECU 6 is updated to the new version of software.

  For example, when the software of the vehicle-mounted device 4 or the ECU 6 is defective or software other than what the management server recognizes as valid, the management server 3 transmits a correction program to the vehicle-mounted device 4. As a result, the vehicle-mounted device 4 or the ECU 6 is free from problems due to the correction program. As described above, remote maintenance can be performed.

<Example of ECU>
Next, an example of the ECU 6 will be described with reference to FIG. The ECU 6 includes an ECU software 11 and a security chip 12. The ECU software 11 includes system software 13, one or more applications 14, and an inspection agent 15.

  The system software 13 is basic software of ECU software. For example, the system software 13 may be an operating system (OS), a boot program, or the like.

  The application 6 is an existing application, and may be software that controls the function of a target component controlled by the ECU 6. The ECU software 11 may have a plurality of applications.

  The inspection agent 15 collects information regarding the ECU 6 at a predetermined timing, and transmits transmission information including the collected information to the management server 3. Further, the inspection agent 15 has a function of inspecting whether or not the ECU 6 has a problem. The inspection agent 15 periodically transmits transmission information to the management server 3.

  When the ignition of the automobile 2 is turned on, the state before the ignition is turned off is maintained. For example, even if the ignition of the automobile 2 is turned off, the CPU register value of the ECU 6 and information such as the random access memory (RAM) are not lost. As a result, the inspection agent 15 can continue to use the values of the register, RAM, etc. immediately before the ignition is turned off.

  For this reason, for example, even if the ignition of the automobile 2 is turned off, the battery of the automobile 2 may continue to supply a small amount of power to the ECU 6. Alternatively, information such as the RAM of the ECU 6 and information on register values of the Central Processing Unit (CPU) may be stored in a nonvolatile memory.

  The security chip 12 will be described. The security chip 12 has tamper resistance. Therefore, the information held by the security chip 12 is highly confidential. An example of a security chip is a chip called a Trusted Platform Module (TPM). This TPM is a module with specifications formulated by the Trusted Computing Group (TCG), an international industry group.

  The security chip 12 is hardware serving as a reliability base point. The security chip 12 confirms the authenticity of various software inside the ECU 6. Software whose authenticity is confirmed by the security chip 12 is highly reliable.

  An example of functional blocks of the inspection agent 15 and the security chip 12 will be described with reference to FIG. The inspection agent 15 includes an information collection unit 21, a first timer 22, a second timer 23, a first storage unit 24, a transmission control unit 25, an environment information acquisition unit 26, and an engine control unit 27. The security chip 12 includes a summary value generating unit 31 and an electronic signature adding unit 32.

  The information collection unit 21 collects information related to the ECU 6. For example, the information collecting unit 21 collects software configuration information of the ECU 6. Further, the information collecting unit 21 may collect information on the state of the circuit of the ECU 6 and the like.

  Each of the first timer 22 and the second timer 23 is a timer that measures time. The first timer 22 and the second timer 23 measure different times. In the example of FIG. 3, the first timer 22 and the second timer 23 are independent timers, but one timer may measure two types of time.

  In the embodiment, the inspection agent 15 is activated at a predetermined timing and transmits the transmission information to the management server 3. Therefore, when the time measured by the first timer 22 reaches the above timing, the inspection agent 15 transmits transmission information to the management server 3.

  The first storage unit 24 stores information collected by the information collection unit 21, environment information acquired by the environment information acquisition unit 26, and the like. The transmission control unit 25 performs control to transmit predetermined information to the management server 3.

  In the embodiment, the transmission information that the transmission control unit 25 transmits to the management server 3 includes configuration information and a transmission execution record. The configuration information is information related to the software state of the ECU 6. The transmission execution record is a record indicating that the transmission control unit 25 failed to execute the process of transmitting the transmission information.

  When the inspection agent 15 transmits the transmission information to the management server 3, the management server 3 returns a receipt notification indicating that the transmission information has been received to the inspection agent 15 within a predetermined time. Therefore, even if the transmission control unit 25 executes the transmission process, if the receipt notification is not received from the management server 3 within a predetermined time, the transmission process has failed.

  The second timer 23 measures time after executing the transmission process. When the time measured by the second timer 23 exceeds the predetermined time, the inspection agent 15 stores a transmission execution record indicating transmission failure in the first storage unit 24.

  The transmission control unit 25 transmits the transmission information including the configuration information and the transmission execution record to the management server 3. An electronic signature is assigned to the configuration information and the transmission execution record. The transmission information may include information other than the configuration information and the transmission execution record. For example, the transmission information may include information related to the state of the circuit of the ECU 6 and environmental information described later.

  The environment information acquisition unit 26 acquires environment information regarding the environment of the automobile 2 when the transmission control unit 25 performs control to transmit the transmission information. The environmental information may be, for example, position information of the automobile 2. When the automobile 2 includes a global positioning system (GPS) (not shown), the environment information acquisition unit 26 acquires position information from the GPS.

  The environmental information is used to determine the communication status between the automobile 2 and the management server 3. For example, even if the transmission control unit 25 transmits transmission information to the management server 3 while the automobile 2 is passing through a tunnel, the management server 3 does not receive the transmission information. The management server 3 can recognize the cause of not receiving the transmission information based on the environment information.

  The engine control unit 27 suppresses activation of the engine of the automobile 2 under a predetermined condition. In this case, for example, even if an engine start operation is performed, if a predetermined condition is satisfied, the engine control unit 27 suppresses the engine start.

  Next, the summary value generation unit 31 of the security chip 12 will be described. The information collecting unit 21 collects software configuration information of the ECU 6. The information collection unit 21 outputs the collected software configuration information to the summary value generation unit 31.

  The summary value generation unit 31 generates a summary value of the software configuration information. The summary value is a hash value calculated using, for example, a hash function. The summary value is not limited to a hash value as long as it is a summary value based on software configuration information.

  The electronic signature attaching unit 32 assigns an electronic signature to the summary value and the transmission execution record of the configuration information generated by the summary value generating unit 31. For giving and verifying the electronic signature, a public key cryptosystem using a key pair of a public key and a secret key may be used.

  When the electronic signature is assigned and verified using the public key cryptosystem, key information necessary for giving the electronic signature may be set in advance in the electronic signature giving unit 32 before the automobile 2 is shipped. Alternatively, as necessary, the electronic signature assigning unit 32 may generate a key pair of a public key and a private key. The addition and verification of the electronic signature is not limited to the public key cryptosystem.

  Since the inspection agent 15 is software, there is a possibility that the inspection agent 15 may be subjected to communication interruption or the like by receiving falsification of the program. Therefore, the inspection agent 15 may store information regarding the communication status in the first storage unit 24. In this case, the electronic signature adding unit 32 may add an electronic signature to the information regarding the communication status, and the transmission control unit 25 may transmit the information regarding the communication status to the management server 3.

  Further, there is a possibility that the inspection agent 15 is not authentic because the program is falsified. The security chip 12 has a function of verifying the authenticity of software. The security chip 12 may verify that the inspection agent 15 is authentic.

  As described above, since the security chip 12 has tamper resistance, the reliability of the electronic signature generated by the security chip 12 is high. Therefore, the summary value and the transmission result record to which the electronic signature is attached by the electronic signature attaching unit 32 have high reliability.

<Example of management server>
Next, an example of the management server 3 will be described. FIG. 4 shows an example of the management server 3. The inspection engine 40 of FIG. 4 includes a reply control unit 41, an electronic signature verification unit 42, a comparison unit 43, a determination unit 44, a second storage unit 45, a third timer 46, a counter 47, and a communication unit 48. Yes.

  When the communication unit 48 receives the transmission information transmitted by the transmission control unit 25 of the inspection agent 15 at a predetermined timing, the reply control unit 41 returns a receipt notification indicating that the information has been received to the inspection agent 15.

  The electronic signature verification unit 42 verifies the electronic signature given to the summary value. In the embodiment, the electronic signature verification unit 42 verifies the electronic signature using the public key information in the key pair of the public key and the private key described above.

  The comparison unit 43 performs various comparisons when performing the processing of the embodiment. The determination unit 44 performs various determinations when performing the processing of the embodiment. The second storage unit 45 stores a reception history of receiving transmission information, information on whether the ECU 6 is abnormal, information on whether old software is included, and the like.

  The second storage unit 45 stores a white list. The white list will be described. The white list is information serving as a reference for determining whether transmission information transmitted by the transmission control unit 25 of the inspection agent 15 is valid information or whether the software of the ECU 6 is the latest. is there.

  The white list includes the correct value of the summary value for each software of each ECU 6. When the summary value is a hash value, the correct answer value is also a hash value corresponding to the summary value. If the correct value included in the transmission information matches any correct value included in the white list, the summary value becomes the correct information held by the white list.

  As an example, assume that the white list has summary values of the old version and the latest version as software of the ECU 6. If the correct value included in the transmission information matches the correct value of the old version, it is determined that the old version of software is installed in the ECU 6 in the current state. If the correct value included in the transmission information matches the correct value of the latest version, it is determined that the latest version of software is installed in the ECU 6 in the current state. If the correct value included in the transmission information does not match the correct value of the old version with the correct value of the latest version, it is determined that unknown software is installed in the ECU 6 in the current state.

  The white list may include information other than the correct answer value. For example, the white list may include information such as software name, manufacturer, type, hash value acquisition method, software binary data, and registration date.

  The third timer 46 measures time. In the embodiment, the third timer 46 measures the interval time for receiving the transmission information transmitted by the transmission control unit 25 of the inspection agent 15.

  The counter 47 is a counting unit whose initial value is zero. The counter 47 increments the value when the time measured by the third timer 46 exceeds a predetermined time set in advance. The predetermined time may be arbitrarily set.

  The counter 47 resets the measurement time of the third timer 46 when the value is incremented. The counter 47 is set with a counter threshold value for determining that the ECU 6 is abnormal. The counter 47 returns the value to zero when its value exceeds the counter threshold.

  The inspection engine 40 periodically receives transmission information from the inspection agent 15. At this time, when the inspection engine 40 does not receive transmission information from the inspection agent 15, the counter 47 increments the counter value. For this reason, the counter 47 may be referred to as an unreceived counter. The communication unit 48 communicates with the ECU 6 via the in-vehicle device 4 and the in-vehicle network 5.

  Here, the relationship between the inspection agent 15 and the inspection engine 20 and Trusted Network Connect (TNC) which is a communication protocol formulated by the above-described TCG will be described. In TNC, the inspection agent 15 is referred to as an Integrity Measurement Collector (IMC). The inspection engine 20 is referred to as Integrity Measurement Verifier (IMV) in TNC.

  The IMC collects configuration information of the ECU 6 and transmits it to the IMV. The IMV analyzes the state of the ECU 6 by comparing the summary value included in the transmission information transmitted from the IMC with the white list. Thereby, the management server 3 can perform a remote diagnosis of the state of the automobile 2.

<Example of inspection agent processing>
Next, an example of processing of the inspection agent 15 will be described with reference to FIG. When the time measured by the first timer 22 reaches a predetermined timing, the inspection agent 15 is activated (step S1). The inspection agent 15 is activated at a predetermined timing regardless of whether the automobile 2 is traveling or stopped.

  The information collecting unit 21 collects information from the ECU 6 (step S2). Information collected by the ECU 6 includes software configuration information. The information collection unit 21 of the inspection agent 15 outputs the software configuration information to the summary value generation unit 31 of the security chip 12.

  The summary value generation unit 31 generates a summary value of the software configuration information using a hash function. Then, the electronic signature assigning unit 32 assigns an electronic signature to the summary value. As a result, a summary value with an electronic signature is generated (step S3).

  The first storage unit 24 stores a transmission execution record indicating a failure in transmission execution when the transmission control unit 25 performs transmission processing of transmission information but does not receive a reception notification from the management server 3. doing.

  The inspection agent 15 outputs the transmission execution record stored in the first storage unit 24 to the electronic signature adding unit 32 of the security chip 12. The digital signature giving unit 32 gives a digital signature to the transmission execution record, thereby generating a transmission execution record with the digital signature (step S4).

  The transmission control unit 25 acquires the summary value and the transmission execution record from the security chip 12. The summary value and the transmission execution record are highly reliable because the digital signature is given by the security chip 12 having tamper resistance.

  The transmission control unit 25 performs control to transmit transmission information including the summary value acquired from the security chip 12 and the transmission execution record to the management server 3 (step S5). Thereby, the transmission information is transmitted to the management server 3. The reply control unit 41 of the inspection engine 40 returns a receipt notification when receiving the transmission information.

  The second timer 23 measures time. After transmitting the transmission information, the inspection agent 15 determines whether or not a receipt notification has been received from the management server 3 within a predetermined time based on the time measured by the second timer 23 (step S6).

When the inspection agent 15 does not receive the reception notification until the reception notification reaches a predetermined time (NO in step S6), the inspection agent 15 stores a transmission execution record indicating a failure in transmission execution in the first storage unit 24 ( Step S7). Thereafter, the processing of the inspection agent ends.
On the other hand, when the inspection agent 15 receives the receipt notice before the receipt notice has not reached the predetermined time (YES in step S6), the processing is ended as it is. In this case, the management server 3 receives the transmission information normally within a predetermined time.

  The inspection agent 15 enters an inactive state when the process is completed. At this time, the inspection agent 15 resets the first timer 22. When the time measured by the first timer 22 reaches a predetermined timing, the inspection agent 15 is activated again.

  The transmission control unit 25 may store a transmission execution record including a record of failed transmission in the first storage unit 24. For example, the inspection agent 15 associates the transmission execution record with the time at which the transmission was performed and stores it in the first storage unit 24, so that the transmission is performed later based on the information stored in the first storage unit 24. Information about processing can be verified.

  Further, for example, the inspection agent 15 verifies whether or not unauthorized tampering has been performed by storing the transmission execution record, the transmission execution time, and the environment information in the first storage unit 24 in association with each other. Can do.

  If the environment information indicates that communication with the management server 3 was possible at the time when the transmission process was performed, the transmission process failed due to the environment in which the automobile 2 was located. It can be recognized that it is not.

  Therefore, in this case, it can be verified later that there is a possibility that the software of the ECU 6 has been tampered with. That is, since the information stored in the first storage unit 24 includes information related to the transmission process, the information can be a part of verification evidence in later verification.

<Example of inspection engine processing>
Next, processing of the inspection engine 40 will be described with reference to FIG. The third timer 46 of the inspection engine 40 measures time. When the communication unit 48 does not receive transmission information from the inspection agent 15 and when the time measured by the third timer 46 has passed a predetermined time, the inspection engine 40 is activated (step S11).

  The inspection engine 40 determines whether or not it has been activated when a predetermined time has elapsed as measured by the third timer 46 (step S12). The predetermined time may be set to the above-described interval.

  When the trigger of the inspection engine 40 is due to the time measured by the third timer 46 (YES in step S12), the counter 47 increments its value (step S13). As described above, the initial value of the counter 47 is zero.

  The determination unit 44 determines whether or not the value of the counter 47 (hereinafter referred to as a counter value) is greater than or equal to a preset threshold value (step S14). If the counter value is greater than or equal to the threshold value (YES in step S14), the determination unit 44 determines that the target ECU 6 is abnormal (step S15). At this time, the determination unit 44 returns the counter value of the counter 47 to zero. Then, the processing of the inspection engine 40 ends.

  On the other hand, when the counter value is less than the threshold value (NO in step S14), the processing of the inspection engine 40 is finished as it is. When the processing of the inspection engine 40 ends, the inspection engine 40 becomes inactive.

  The inspection engine 40 becomes inactive, but the third timer 46 starts measuring time again. The inspection engine 40 is activated when the communication unit 48 does not receive the transmission information and when the time measured by the third timer 46 has passed a predetermined time.

  Next, the case where it is determined NO in step S12 will be described. The inspection engine 40 is activated even when the transmission information is received from the inspection agent 15. In this case, the determination in step S12 is NO, and the process proceeds to “A”.

  The processing after “A” will be described with reference to FIG. FIG. 7 shows an example of processing after “A”. When it determines with NO by step S12, the communication part 48 has received transmission information. The transmission information includes a summary value to which an electronic signature is attached and a transmission execution record.

  At this time, the inspection engine 40 may store the reception history of receiving the transmission information in the second storage unit 45. The inspection engine 40 may store the reception history in the second storage unit 45 in time series.

  The electronic signature verification unit 42 has public key information in a key pair corresponding to the electronic signature giving unit 32 of the inspection agent 15. Therefore, the electronic signature verification unit 42 verifies the summary value and the electronic signature of the transmission execution record using the public key information (step S16). When the electronic signature verification unit 42 verifies that the electronic signature is not valid, the determination unit 44 determines that there is a possibility that the software of the ECU 6 has been tampered with or impersonated.

  When the electronic signature verification unit 42 verifies that the electronic signature is valid, the comparison unit 43 compares the number of transmission executions (also referred to as the number of executions) included in the transmission execution record with the counter value of the counter 47 ( Step S17). The transmission execution count indicates the number of times that the transmission processing by the inspection agent 15 has failed.

  The counter 47 increments the counter value based on the time measured by the third timer 46. In the example of FIG. 6, when the communication unit 48 receives transmission information from the inspection agent 15, the determination in step S12 is NO.

  Therefore, the counter 47 increments the counter value during a period when the transmission information is not received. That is, the counter value of the counter 47 indicates a period during which the inspection engine 40 has not received transmission information from the inspection agent 15.

  On the other hand, if the first timer 22 of the inspection agent 15 is normal, the transmission control unit 25 periodically transmits transmission information to the management server 3. Therefore, if the software of the ECU 6 is normal, the number of transmission executions included in the transmission execution record included in the transmission information matches the counter value of the counter 47.

  For example, it is assumed that the inspection agent 15 transmits the transmission information three times during the period in which the automobile 2 passes through the tunnel. In this case, the transmission information transmitted by the inspection agent 15 does not reach the inspection engine 40.

  Accordingly, the counter 47 of the inspection engine 40 increments the counter value. The period during which the inspection engine 40 does not receive transmission information corresponds to the period during which the inspection agent 15 transmits transmission information.

  Therefore, the counter value of the counter 47 is 3, and the counter value of the counter 47 and the number of transmission executions included in the transmission execution record are 3, so that the two values coincide. On the other hand, when some illegal act is performed on the software of the ECU 6, the counter value may not match the number of times of transmission execution.

  For example, it is assumed that a third party has tampered with software of the ECU 6, for example, software of the inspection agent 15. In this case, it is assumed that the inspection agent 15 did not transmit the transmission information because the transmission function of the inspection agent 15 was compromised while the software was being tampered with.

  Therefore, when the number of transmission executions included in the transmission execution record and the counter value of the counter 47 do not match, the inspection engine 40 determines that there has been a possibility that some alteration has been made to the software of the ECU 6. be able to.

  As described above, the determination unit 44 determines whether or not the counter value matches the transmission execution count (step S18). If the counter value matches the transmission execution count (YES in step S19), the comparison unit 43 compares the summary value included in the transmission information with the white list stored in the second storage unit 45. (Step S19).

  When the comparison unit 43 compares the summary value with the white list, the determination unit 44 determines whether the summary value is an assumed value (step S20). Processing for determining whether or not the summary value is an assumed value will be described with reference to an example of FIG. However, the process for determining whether or not the summary value is an assumed value is not limited to the example of FIG.

  The white list includes correct values for each software. The determination unit 44 determines whether or not the summary value matches any correct value in the white list (step S31). When the summary value does not match the correct value of the white list (NO in step S32), the determination unit 44 determines that the summary value is not an assumed value (step S32).

  On the other hand, when the summary value matches any correct value in the white list (YES in step S32), the determination unit 44 determines whether or not the software version is allowed (step S33).

  The software version is not allowed if the software version is old or if it is to be modified. Therefore, in this case (NO in step S33), the determination unit 44 determines that the summary value is not an assumed value.

  On the other hand, when the software version is allowed (YES in step S33), the determination unit 44 determines that the summary value is an assumed value (step S34). Accordingly, whether or not the summary value in step S20 is an assumed value is determined in steps S31 to S34.

  When the determination unit 44 determines that the summary value of each software of the ECU 6 is an assumed value (YES in step S34), the inspection engine 40 determines that the target ECU 6 is normal (step S21). The second storage unit 45 may store information on whether each ECU 6 is normal or abnormal.

The determination unit 44 determines whether or not the information of the target ECU 6 is abnormal among the information stored in the second storage unit 45 (step S22). In step S21, it is determined that the target ECU 6 is normal.
Therefore, when it is stored in the second storage unit 45 that the target ECU 6 is abnormal (YES in step S22), the information of the target ECU 6 is reset from the second storage unit 45 (step S23). .

  If it is not stored that the information of the target ECU 6 is abnormal (NO in step S22), the process of step S23 is not performed. When the processing after “A” in the example of FIG. 7 is being performed, the communication unit 48 of the inspection engine 40 receives transmission information from the inspection agent 15.

  Therefore, the counter 47 resets the counter value (step S24). Since the inspection engine 40 has received the transmission information, the communication unit 48 returns a receipt notification to the inspection agent 15 (step S25). Thereafter, the process ends via “B”, and the process of the inspection engine ends.

  In step S20, when one of the summary values of the software of each ECU 6 is not an assumed value (NO in step S20), the determination unit 44 determines that the target ECU 6 is abnormal (step S26). In step S18, if the counter value does not match the transmission execution count (NO in step S18), the determination unit 44 determines that the target ECU 6 is abnormal.

  The determination unit 44 determines whether or not the counter value is greater than the number of transmission executions (step S27). If the counter value is greater than the number of transmission executions (YES in step S27), the determination unit 44 determines that there is a possibility that the target ECU 6 has a timer abnormality, alteration, or tampering (step S27).

  That is, in this case, the number of transmission executions included in the transmission execution record is less than a normal value. For example, if a third party has modified or altered the software of the ECU 6 at the timing when the transmission control unit 25 transmits transmission information, the transmission process is not executed. For this reason, the number of transmission executions is less than a normal value.

  Therefore, in the case of YES in step S27, there is a possibility that the software of the target ECU 6 has been altered or tampered. When the first timer 22 is abnormal, the transmission process is not executed at a normal timing, so there is a possibility that the first timer 22 is abnormal.

  For example, when the determination unit 44 determines that there is a possibility that the target ECU 6 has a timer abnormality, alteration, or tampering, the inspection engine 40 may transmit to the inspection agent 15 that an abnormality has occurred in the target ECU 6. .

  The inspection agent 15 may display an abnormality of the ECU 6 on a display device (not shown) provided in the automobile 2 (for example, car navigation). Thereby, the display device can prompt the owner of the automobile 2 to request the business operator handling the automobile 2 to investigate the cause of the abnormality of the ECU 6.

  Further, the inspection engine 40 may transmit a command for performing a special inspection to the inspection agent 15. As described above, the inspection agent 15 has a function of inspecting the ECU 6. Therefore, the inspection agent 15 may inspect a portion where a trace of alteration or tampering may remain, and transmit the inspection result to the inspection engine 40.

  Further, when a third party is modifying the automobile 2, the inspection agent 15 may generate transmission information. In this case, the third party may delete the generated transmission information and tamper with the transmission information. On the other hand, for example, by assigning a serial number to each piece of transmission information, it is possible to verify that the transmission information has been tampered with.

  When the determination unit 44 determines that the counter value is less than the number of transmission executions (NO in step S27), the determination unit 44 determines that there is a possibility of timer abnormality or impersonation (step S29).

  If the counter value does not match the transmission execution count and the counter value is not greater than the transmission execution count, the counter value is less than the transmission execution count. Therefore, the number of transmission executions is greater than the normal value.

  In this case, it is considered that an abnormality has occurred in the first timer 22. It is also conceivable that a third party impersonates the inspection agent 15 and transmits a large amount of transmission information to the inspection engine 40. Therefore, the inspection agent 15 may display the abnormality of the ECU 6 on the display device.

  After the process of step S28 or step S29 is performed, the process proceeds to step S24. If the target ECU 6 is not stored as abnormal in the second storage unit 45 (NO in step S22), the process similarly proceeds to step S24.

  Therefore, based on the period during which the inspection engine 40 does not receive transmission information from the inspection agent 15 and the number of executions of transmission processing, it can be determined whether or not an abnormality has occurred in the target ECU 6 with high reliability. .

  That is, if the counter value of the counter 47 does not match the number of transmission executions included in the transmission execution record, the reliability of the transmission information is low. The counter value is the number of times transmission information is normally received if no abnormality has occurred during a period in which no transmission information is received. Therefore, the inspection engine 40 can determine the reliability of the transmission information by determining whether or not the counter value matches the transmission execution count.

  For this reason, since the inspection engine 40 manages the state of the ECU 6 based on the transmission information when the counter value matches the transmission execution count, it is possible to manage the management target with high reliability.

  In the case of the embodiment, the electronic signature providing unit 32 of the security chip 12 having tamper resistance provides an electronic signature to the summary value and the transmission result record. This increases the reliability of the transmission information.

  Therefore, the determination unit 44 determines whether or not the number of transmission executions included in the transmission result record to which the electronic signature is attached matches the counter value of the counter 47, so that the reliability of the transmission information is higher. Become.

<Modification 1>
As described above, the vehicle-mounted device 4 communicates with the management server 3. The automobile 2 may have a plurality of ECUs 6. In this case, for example, as shown in the example of FIG. 9, the vehicle-mounted device 4 collects transmission information of software of each ECU 6 (step S51).

  The vehicle-mounted device 4 collects and transmits the collected software transmission information of each ECU to the management server 3 (step S52). At this time, the vehicle-mounted device 4 may attach a number (for example, a production number) specifying the automobile 2 to the transmission information.

  In this case, the inspection engine 40 of the management server 3 can collectively determine whether or not the software of each ECU 6 provided in one automobile 2 is abnormal. That is, the inspection engine 40 can collectively inspect the state of each ECU 6 of one automobile 2.

<Modification 2>
As described above, the inspection agent 15 of the ECU 6 includes the environment information acquisition unit 26. In the second modification, the environmental information is assumed to be position information, and a GPS (not shown) acquires the position information.

  As shown in the example of FIG. 10, the environment information acquisition unit 26 acquires environment information (step S51). The electronic signature assigning unit 32 assigns an electronic signature to the environment information (Step S52). The transmission control unit 25 transmits the environment information with the electronic signature added to the transmission information to the inspection engine 40 of the management server 3 (step S53).

  The determination unit 44 of the inspection engine 40 determines whether or not the counter value matches the transmission execution count (step S54). As described above, if the counter value does not match the transmission execution count (NO in step S54), the determination unit 44 determines that the target ECU 6 is abnormal (step S55).

  If the counter value matches the transmission execution count (YES in step S54), the determination unit 44 determines whether the cause of the match between the counter value and the transmission execution count is due to the environment (step S56).

  As described above, when the automobile 2 is passing through the tunnel, the transmission information does not reach the management server 3 even if the transmission control unit 25 transmits the transmission information. Therefore, when the environment information included in the transmission information indicates, for example, tunnel passage, the determination unit 44 can determine that the cause that the inspection engine 40 does not receive the transmission information is due to the environment.

  In this case, the determination unit 44 can determine that the target ECU 6 is normal (step S57). On the other hand, if the cause of the coincidence between the counter value and the number of transmission executions is not due to the environment (NO in step S56), it is assumed that the counter value coincides with the number of transmission executions. In this case, the determination unit 44 determines that the target ECU 6 may have an abnormality (step S58).

  Therefore, when the transmission information includes the environment information, the inspection engine 40 can recognize that the target ECU 6 is normal. This improves the reliability that the transmission information is not unauthorized information.

<Modification 3>
Next, an example of remote control will be described with reference to FIG. When the determination unit 44 of the inspection engine 40 determines that the target ECU 6 is abnormal, it instructs the inspection agent 15 to inspect the Read Only Memory (ROM) (step S61).

  The inspection agent 15 inspects the ROM. For example, when a third party tries to modify the software of the ECU 6, if the program developed in the RAM is modified, the system may stop. Therefore, there is a high possibility that a third party tries to modify the ROM software instead of the RAM.

  The inspection agent 15 inspects the ROM (step S62). Next, the inspection agent 15 determines whether or not the operating program has been stopped and modified (Step S63).

  When the operating program is stopped and modified (YES in step S63), the inspection agent 15 executes a boot process (step S64). The inspection agent 15 executes either the first boot process or the second boot process.

  The first boot process is a boot process called Trusted Boot (TB) in the TNC described above. In the first boot process, the inspection engine 40 acquires the state of the ECU 6 from the inspection agent 15 and diagnoses the state. Then, the inspection engine 40 gives an instruction to the inspection agent 15 to perform activation according to the diagnosis result.

  The second boot process is a boot process called Secure Boot (SB) in the TNC described above. The second boot process is a boot process in which the inspection agent 15 diagnoses its own state and starts up according to the diagnosis result.

  For example, when the inspection engine 40 determines an abnormality in the target ECU 6 and the ignition of the automobile 2 is turned off, the inspection engine transmits an instruction to inhibit engine start to the inspection agent 15.

  The inspection agent 15 determines whether or not an engine start inhibition instruction has been received before transitioning from the ignition off state to the ignition on state (step S65). When the inspection agent 15 receives an instruction to inhibit engine activation (YES in step S65), the engine control unit 27 inhibits activation of the engine of the automobile 2 (step S66).

  On the other hand, when the inspection agent 15 has not received an instruction to inhibit engine start (NO in step S65), the process of step S66 is not performed. As a result, the engine is not started when any abnormality occurs in the ECU 6. For example, the engine control unit 27 may inhibit the start of the engine in cooperation with the immobilizer.

  For example, if the control device is a control device that controls the engine, in step S66, the inspection engine 40 may transmit an instruction to stop the function of starting the engine to the control device.

  The inspection engine 40 may transmit an instruction to inhibit the engine from starting when an abnormality occurs during the operation of the inspection agent 15 or when the inspection agent 15 is not in communication with the inspection engine 40.

<Modification 4>
Modification 4 shows a case where the embodiment is applied to Information of Things (IoT). For example, the object managed by the management server 3 may be a house, a building, an infrastructure control system, or the like. In the case of Modification 4, the communication method may be wired communication.

  In the case of a house, for example, the first control device that communicates with the management server 3 may be a home gateway, and the second control device that processes predetermined information may be an air conditioner or the like. In the case of a building, the first control device may be a computer in the control room, and the second control device may be an elevator or the like.

  In the case of an infrastructure system such as water, gas, and electricity, the first control device may be a computer in a control room, and the second control device may be a valve, a switch, or the like. The object of the management server 3 may be a movable object or a fixed object.

  In the case of the modification 4, the inspection engine 40 determines the abnormality of the inspection agent 15 in two. When the first control device cannot collect the configuration information from the second control device, the inspection engine 40 determines the abnormality of the inspection agent 15.

  In this case, the first control device (also referred to as Rich) makes a configuration information retransmission request to the second control device (also referred to as Thin). When the first control device cannot collect information on some of the second control devices within a predetermined time, the first control device informs the inspection engine 40 of the information on the second control device that cannot be collected. Send. Thereby, the inspection engine 40 can recognize information on the second control device that the first control device cannot collect.

  When transmission of transmission information to the management server 3 by the first control device fails, the inspection engine 40 determines an abnormality of the inspection agent 15. The processing at this time is the same processing as in the above-described embodiment.

  When an abnormality occurs between the first control device and the second control device, the inspection engine 40 detects the abnormality. In this case, the second control device gives an electronic signature to information output to the first control device. Then, the first control device verifies the information to which the electronic signature is attached. This makes it possible to detect tampering and the like.

<Example of hardware configuration of control device>
Next, an example of the hardware configuration of the control device will be described with reference to FIG. The control device is, for example, the vehicle-mounted device 4 or the ECU 6. As illustrated in the example of FIG. 12, a CPU 111, a RAM 112, a ROM 113, an auxiliary storage device 114, a medium connection unit 115, an input / output interface 116, and a security chip 12 are connected to the bus 100.

  The CPU 111 is an arbitrary processing circuit. The CPU 111 executes the program expanded in the RAM 112. An information processing program can be applied as the program to be executed. The ROM 113 is a non-volatile storage device that stores programs developed in the RAM 112.

  The auxiliary storage device 114 is a storage device that stores various information. For example, a hard disk drive, a semiconductor memory, or the like can be applied to the auxiliary storage device 114. The medium connection unit 115 is provided so as to be connectable to the portable recording medium 118.

  As the portable recording medium 118, a portable memory or an optical disk (for example, Compact Disk (CD), Digital Versatile Disk (DVD), etc.) can be applied. A program for performing the processing of the embodiment may be recorded on the portable recording medium 118.

  The input / output interface 117 is an interface for controlling input / output with the outside. For example, the input / output interface 117 is connected to the in-vehicle network 5. Each unit other than the first storage unit 24 of the inspection agent 15 may be realized by the CPU 111. The first storage unit 24 may be realized by the RAM 112 or the auxiliary storage device 114.

  The RAM 112, the ROM 113, and the auxiliary storage device 114 are all examples of a tangible storage medium that can be read by a computer. These tangible storage media are not temporary media such as signal carriers.

<Example of hardware configuration of management device>
Next, an example of the hardware configuration of the management apparatus will be described with reference to FIG. As illustrated in the example of FIG. 13, a CPU 211, a RAM 212, a ROM 213, an auxiliary storage device 214, a medium connection unit 215, and a communication interface 216 are connected to the bus 100.

  The CPU 211, RAM 212, ROM 213, auxiliary storage device 214, and medium connection unit 215 are the same as those described above. The program executed by the CPU 211 may be, for example, a management program. The communication interface 216 performs communication with the outside. The communication unit 28 may be realized by the communication interface 216.

  The RAM 212, the ROM 213, and the auxiliary storage device 214 are all examples of a tangible storage medium that can be read by a computer. These tangible storage media are not temporary media such as signal carriers.

<Others>
The present embodiment is not limited to the above-described embodiment, and various configurations or embodiments can be taken without departing from the gist of the present embodiment.

Regarding the above embodiment, the following additional notes are disclosed.
(Appendix 1)
One or more control devices and a management device communicate with each other, and the management device manages the control device,
The control device transmits transmission information including information related to the control device and a record related to execution of transmission processing of the information to the management device at a predetermined timing,
In response to receiving the transmission information, the management device returns a receipt notification to the control device,
When the control device does not receive the receipt notification from the management device after executing the transmission processing, the control device stores a record relating to the execution of the transmission processing in the storage unit,
Whether or not the control device is abnormal based on a period in which the transmission information is not received from the control device and the number of executions of the transmission process included in the recording of the storage unit received from the control device The management device determines whether
Management method.
(Appendix 2)
The management device determines that the control device is abnormal when the number of times the management device should normally receive the transmission information during the period and the number of executions do not match.
The management method according to attachment 1.
(Appendix 3)
An electronic signature is given to the record subjected to the transmission process by software in a tamper-resistant chip,
The management method according to attachment 1.
(Appendix 4)
The management device determines that the control device is normal when the number of times that the management device should normally receive the transmission information in the period matches the number of execution times and the verification of the electronic signature is successful. To
The management method according to attachment 3.
(Appendix 5)
Information regarding the control device is converted into a summary value by performing a predetermined calculation, and an electronic signature is given to the summary value by software in a chip having tamper resistance.
The management method according to attachment 3.
(Appendix 6)
The control device is a first control device that communicates with the management device, or one or more second control devices that are connected to the first control device and process predetermined information;
The first control device collectively transmits information related to the second control device to the management device.
The management method according to attachment 1.
(Appendix 7)
The transmission information includes environmental information, and based on the environmental information, it is determined whether or not the control device is normal.
The management method according to appendix 4.
(Appendix 8)
The software in the chip verifies the authenticity of the software that checks the controller;
The management method according to attachment 3.
(Appendix 9)
When the management device determines that the control device is abnormal, the function of the control device is stopped.
The management method according to attachment 3.
(Appendix 10)
A management method executed by a management device that manages one or more control devices,
Receiving transmission information including information relating to the control device and a record relating to execution of transmission processing indicating that the information has been transmitted to the management device;
Determining whether or not the control device is abnormal based on a period in which the transmission information is not received from the control device and the number of executions of the transmission process included in the received record;
Management method.
(Appendix 11)
Receiving transmission information including information related to a control device to be managed and a record relating to execution of transmission processing indicating that the information has been transmitted;
Determining whether or not the control device is abnormal based on a period in which the transmission information is not received from the control device and the number of executions of the transmission process included in the received record;
A management program that causes a computer to execute processing.
(Appendix 12)
A management device that manages one or more control devices,
A communication unit that receives transmission information including information related to the control device and a record related to execution of transmission processing indicating that the information has been transmitted to the management device;
A determination unit that determines whether or not the control device is abnormal based on a period in which the transmission information is not received from the control device and the number of executions of the transmission process included in the received record;
A management device comprising:
(Appendix 13)
A management system including one or more control devices and a management device that manages the control devices,
The control device includes:
A transmission control unit that performs control to transmit transmission information including information related to the control device and a record related to execution of transmission processing of the information to the management device at a predetermined timing;
When the control device does not receive the receipt notification from the management device after executing the transmission processing, a storage unit that stores a record relating to execution of the transmission processing;
With
The management device
In response to receiving the transmission information, a reply control unit that performs control to return a receipt notification to the control device;
Whether or not the control device is abnormal based on a period in which the transmission information is not received from the control device and the number of executions of the transmission process included in the recording of the storage unit received from the control device A determination unit for determining whether or not
A management system comprising:
(Appendix 14)
An information processing method of a control device that communicates with a management device,
The control apparatus transmits transmission information including information related to the control apparatus and a record related to execution of transmission processing indicating that the information has been transmitted to the management apparatus to the management apparatus at a predetermined timing.
When the control device does not receive the notification of receiving the transmission information from the management device after executing the transmission processing, stores a record relating to the execution of the transmission processing in the storage unit,
Information processing method.
(Appendix 15)
An information processing program for a control device that communicates with a management device,
The control apparatus transmits transmission information including information related to the control apparatus and a record related to execution of transmission processing indicating that the information has been transmitted to the management apparatus to the management apparatus at a predetermined timing.
When the control device does not receive the notification of receiving the transmission information from the management device after executing the transmission processing, stores a record relating to the execution of the transmission processing in the storage unit,
An information processing program for causing a computer to execute processing.
(Appendix 16)
An information processing device of a control device that communicates with a management device,
A transmission control unit that performs control to transmit transmission information including information related to the control device and a record related to execution of transmission processing indicating that the information has been transmitted to the management device to the management device;
When the control device does not receive the receipt notification from the management device after executing the transmission processing, a storage unit that stores a record relating to execution of the transmission processing;
An information processing apparatus comprising:

DESCRIPTION OF SYMBOLS 1 Management system 2 Car 3 Management server 4 Onboard equipment 6 ECU
DESCRIPTION OF SYMBOLS 12 Security chip 15 Inspection agent 21 Information collection part 22 1st timer 23 2nd timer 24 1st memory | storage part 25 Transmission control part 26 Environment information acquisition part 27 Engine control part 31 Summary value generation part 32 Electronic signature provision part 40 Inspection engine 41 Reply control unit 42 Electronic signature verification unit 43 Comparison unit 44 Determination unit 45 Second storage unit 46 Third timer 47 Counter 48 Communication unit 111, 211 CPU
112, 212 RAM
113, 213 ROM

Claims (12)

One or more control devices and a management device communicate with each other, and the management device manages the control device,
The control device transmits transmission information including information related to the control device and a record related to execution of transmission processing of the information to the management device at a predetermined timing,
In response to receiving the transmission information, the management device returns a receipt notification to the control device,
When the control device does not receive the receipt notification from the management device after executing the transmission processing, the control device stores a record relating to the execution of the transmission processing in the storage unit,
Whether or not the control device is abnormal based on a period in which the transmission information is not received from the control device and the number of executions of the transmission process included in the record of the storage unit received from the control device The management device determines,
Management method. The management device determines that the control device is abnormal when the number of times the management device should normally receive the transmission information during the period and the number of executions do not match.
The management method according to claim 1. An electronic signature is given to the record subjected to the transmission process by software in a tamper-resistant chip,
The management method according to claim 1 or 2. The management device determines that the control device is normal when the number of times that the management device should normally receive the transmission information in the period matches the number of execution times and the verification of the electronic signature is successful. To
The management method according to claim 3. Information regarding the control device is converted into a summary value by performing a predetermined calculation, and an electronic signature is given to the summary value by software in a chip having tamper resistance.
The management method according to claim 3 or 4. The control device is a first control device that communicates with the management device, or one or more second control devices that are connected to the first control device and process predetermined information;
The first control device collectively transmits information related to the second control device to the management device.
The management method according to any one of claims 1 to 5. The transmission information includes environmental information, and based on the environmental information, it is determined whether or not the control device is normal.
The management method according to any one of claims 1 to 6. A management method executed by a management device that manages one or more control devices,
Receiving transmission information including information relating to the control device and a record relating to execution of transmission processing indicating that the information has been transmitted to the management device;
Determining whether or not the control device is abnormal based on a period in which the transmission information is not received from the control device and the number of executions of the transmission process included in the received record;
Management method. Receiving transmission information including information related to a control device to be managed and a record relating to execution of transmission processing indicating that the information has been transmitted;
Determining whether or not the control device is abnormal based on a period in which the transmission information is not received from the control device and the number of executions of the transmission process included in the received record;
A management program that causes a computer to execute processing. A management device that manages one or more control devices,
A communication unit that receives transmission information including information related to the control device and a record related to execution of transmission processing indicating that the information has been transmitted to the management device;
A determination unit that determines whether or not the control device is abnormal based on a period in which the transmission information is not received from the control device and the number of executions of the transmission process included in the received record;
A management device comprising: A management system including one or more control devices and a management device that manages the control devices,
The control device includes:
A transmission control unit that performs control to transmit transmission information including information related to the control device and a record related to execution of transmission processing of the information to the management device at a predetermined timing;
A storage unit that stores a record relating to the execution of the transmission process, when the control apparatus does not receive a receipt notification from the management apparatus after executing the transmission process;
With
The management device
In response to receiving the transmission information, a reply control unit that performs control to return a receipt notification to the control device;
Whether or not the control device is abnormal based on a period in which the transmission information is not received from the control device and the number of executions of the transmission process included in the recording of the storage unit received from the control device A determination unit for determining whether or not
A management system comprising: An information processing method of a control device that communicates with a management device,
The control apparatus transmits transmission information including information related to the control apparatus and a record related to execution of transmission processing indicating that the information has been transmitted to the management apparatus to the management apparatus at a predetermined timing.
When the control device does not receive the notification of receiving the transmission information from the management device after executing the transmission processing, stores a record relating to the execution of the transmission processing in a storage unit,
The control device to record about the execution of the said included in the transmission information transmission processing of transmitting, includes the number of times of execution of the transmission process,
A period in which the management device to transmit to the transmission information has not been received, and execution count of the transmission process, the control device by the management device is used to determine whether or not abnormal,
Information processing method.

Images