WO2017104106A1 - Evaluation device, evaluation system, and evaluation method - Google Patents
- Publication number: WO2017104106A1 (PCT/JP2016/004892)
- Authority: WO (WIPO (PCT))
- Prior art keywords: evaluation, unit, bus, actuator, electronic control
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/577—Assessing vulnerabilities and evaluating computer system security
- B—PERFORMING OPERATIONS; TRANSPORTING
- B60—VEHICLES IN GENERAL
- B60R—VEHICLES, VEHICLE FITTINGS, OR VEHICLE PARTS, NOT OTHERWISE PROVIDED FOR
- B60R16/00—Electric or fluid circuits specially adapted for vehicles and not otherwise provided for; Arrangement of elements of electric or fluid circuits specially adapted for vehicles and not otherwise provided for
- B60R16/02—Electric or fluid circuits specially adapted for vehicles and not otherwise provided for; Arrangement of elements of electric or fluid circuits specially adapted for vehicles and not otherwise provided for electric constitutive elements
- B—PERFORMING OPERATIONS; TRANSPORTING
- B60—VEHICLES IN GENERAL
- B60R—VEHICLES, VEHICLE FITTINGS, OR VEHICLE PARTS, NOT OTHERWISE PROVIDED FOR
- B60R16/00—Electric or fluid circuits specially adapted for vehicles and not otherwise provided for; Arrangement of elements of electric or fluid circuits specially adapted for vehicles and not otherwise provided for
- B60R16/02—Electric or fluid circuits specially adapted for vehicles and not otherwise provided for; Arrangement of elements of electric or fluid circuits specially adapted for vehicles and not otherwise provided for electric constitutive elements
- B60R16/023—Electric or fluid circuits specially adapted for vehicles and not otherwise provided for; Arrangement of elements of electric or fluid circuits specially adapted for vehicles and not otherwise provided for electric constitutive elements for transmission of signals between vehicle parts or subsystems
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/567—Computer malware detection or handling, e.g. anti-virus arrangements using dedicated hardware
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
- G06F21/82—Protecting input, output or interconnection devices
- G06F21/85—Protecting input, output or interconnection devices interconnection devices, e.g. bus-connected or in-line devices
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/03—Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
- G06F2221/034—Test or assess a computer or a system
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2101—Auditing as a secondary aspect
Definitions
- This disclosure relates to a technique for evaluating security (attack resistance, etc.) of an electronic control system in which an electronic control unit such as an in-vehicle network system communicates.
- ECU: electronic control unit
- CAN: Controller Area Network
- ISO11898-1: Controller Area Network
- Attacks are known in which an attacker accesses an information terminal in the vehicle by wireless communication, illegally rewrites the program of the information terminal, transmits arbitrary CAN messages from the information terminal to the in-vehicle network, and thereby controls actuators connected to in-vehicle ECUs against the driver's intention.
- Non-Patent Document 1 discloses a technique for finding problems (such as bugs resulting from programming errors) by sending data to a single in-vehicle ECU and observing its response.
- An evaluation apparatus is an evaluation apparatus that is connected to a bus used for communication by a plurality of electronic control units in an electronic control system and performs an evaluation related to the security of the electronic control system. It includes a holding unit that holds attack procedure information indicating the contents and transmission order of a plurality of frames, a transmission unit that transmits the plurality of frames to the bus in the transmission order indicated by the attack procedure information, a monitoring unit that monitors an actuator unit controlled by any of the plurality of electronic control units, and an evaluation unit that performs the evaluation based on a monitoring result of the monitoring unit when the plurality of frames are transmitted to the bus by the transmission unit.
- An evaluation system is an evaluation system that evaluates the security of an electronic control system including a plurality of electronic control units that communicate via a bus. It comprises a holding unit that holds attack procedure information indicating the contents and transmission order of a plurality of frames, a transmission unit that transmits the plurality of frames to the bus in the transmission order indicated by the attack procedure information, a monitoring unit that monitors an actuator unit controlled by any of the plurality of electronic control units, and an evaluation unit that performs the evaluation based on a monitoring result of the monitoring unit when the plurality of frames are transmitted to the bus by the transmission unit.
- An evaluation method is an evaluation method for evaluating the security of an electronic control system including a plurality of electronic control units that communicate via a bus. It comprises holding attack procedure information indicating the contents and transmission order of a plurality of frames to be transmitted, transmitting the plurality of frames to the bus in the transmission order indicated by the attack procedure information, monitoring an actuator unit controlled by any of the plurality of electronic control units when the plurality of frames are transmitted to the bus, and performing the evaluation based on the monitoring result of that monitoring.
- FIG. 1 is a configuration diagram showing a schematic configuration of the evaluation system according to the first embodiment.
- FIG. 2 is a configuration diagram of an evaluation apparatus in the evaluation system.
- FIG. 3 is a configuration diagram of the actuator ECU in the electronic control system to be evaluated.
- FIG. 4 is a configuration diagram of an instruction ECU in the electronic control system to be evaluated.
- FIG. 5 is a configuration diagram of the security ECU in the electronic control system to be evaluated.
- FIG. 6 is a configuration diagram of the shift position ECU in the electronic control system to be evaluated.
- FIG. 7 is a diagram illustrating an example of attack procedure information held by the holding unit of the evaluation apparatus.
- FIG. 8 is a sequence diagram showing an operation example 1 of the evaluation system.
- FIG. 9 is a sequence diagram illustrating an operation example 1 of the evaluation system.
- FIG. 10 is a sequence diagram illustrating an operation example 1 of the evaluation system.
- FIG. 11 is a sequence diagram illustrating an operation example 2 of the evaluation system.
- FIG. 12 is a sequence diagram illustrating an operation example 2 of the evaluation system.
- FIG. 13 is a sequence diagram illustrating an operation example 3 of the evaluation system.
- FIG. 14 is a sequence diagram illustrating an operation example 3 of the evaluation system.
- FIG. 15 is a sequence diagram illustrating an operation example 3 of the evaluation system.
- FIG. 16 is a sequence diagram illustrating an operation example 4 of the evaluation system.
- FIG. 17 is a sequence diagram illustrating an operation example 4 of the evaluation system.
- Although the technique of Non-Patent Document 1 can find a defect in a single in-vehicle ECU, it cannot evaluate whether the security countermeasure technology applied to a system composed of a plurality of ECUs forming an in-vehicle network (an electronic control system) can appropriately prevent an attack.
- The present disclosure provides an evaluation device capable of performing an evaluation regarding security with an electronic control system including a plurality of ECUs as the evaluation target.
- The present disclosure also provides an evaluation system capable of performing an evaluation of the security of an electronic control system including a plurality of ECUs, and an evaluation method for that evaluation.
- An evaluation apparatus is an evaluation apparatus that is connected to a bus used for communication by a plurality of electronic control units in an electronic control system and performs an evaluation related to the security of the electronic control system. It includes a holding unit that holds attack procedure information indicating the contents and transmission order of a plurality of frames, a transmission unit that transmits the plurality of frames to the bus in the transmission order indicated by the attack procedure information, a monitoring unit that monitors an actuator unit controlled by any of the plurality of electronic control units, and an evaluation unit that performs the evaluation based on a monitoring result of the monitoring unit when the plurality of frames are transmitted to the bus by the transmission unit.
- The monitoring unit directly or indirectly monitors the actuator unit when the plurality of frames (for example, CAN messages) are transmitted to the bus by the transmission unit (for example, immediately after the transmission, or from immediately before the transmission until immediately after it). Accordingly, it is possible to evaluate a security function, such as a defense function against an attack related to the driving of the actuator unit, with an electronic control system including a plurality of electronic control units (ECUs) as the evaluation target.
- the plurality of electronic control units may perform communication via the bus in accordance with a CAN (Controller Area Network) protocol.
- As the monitoring of the actuator unit, the monitoring unit may detect that a control instruction frame, which instructs one of the plurality of electronic control units to control the actuator unit, has been transmitted on the bus.
- The evaluation unit may perform the evaluation so that the evaluation result differs according to whether the monitoring unit has detected that the control instruction frame was transmitted on the bus within a certain period after one or more of the plurality of frames were transmitted to the bus by the transmission unit.
- the control instruction frame can be identified, for example, by the frame ID defined by the electronic control system. Thereby, when the frame for controlling the actuator unit is transmitted and received by the bus, the electronic control system can be appropriately evaluated by monitoring the bus.
- As the monitoring of the actuator unit, the monitoring unit may detect that a control signal is input to the actuator unit from one of the plurality of electronic control units, and the evaluation unit may perform the evaluation so that the evaluation result differs according to whether the monitoring unit has detected that the control signal was input to the actuator unit within a certain period after one or more of the plurality of frames were transmitted to the bus by the transmission unit.
- a control signal for controlling the actuator unit is defined by an electronic control system. As a result, it is possible to confirm whether or not the control signal is transmitted to the actuator unit by the attack, so that appropriate evaluation can be performed.
- As the monitoring of the actuator unit, the monitoring unit may detect an operation of the actuator unit, and the evaluation unit may perform the evaluation so that the evaluation result differs according to whether the monitoring unit has detected that the actuator unit operated within a certain period after one or more of the plurality of frames were transmitted to the bus by the transmission unit. Accordingly, it can be confirmed whether or not the actuator unit was operated by the attack, so that an appropriate evaluation can be performed.
- The actuator unit may include an actuator, and the monitoring unit may detect the operation of the actuator unit by measuring a physical quantity that changes due to the operation of the actuator. Thereby, it can be confirmed whether or not the actuator was actually operated by the attack, so that an appropriate evaluation can be performed.
- The actuator unit may include a computer that executes a program simulating the operation of an actuator, and the monitoring unit may detect the operation of the actuator unit by observing a change in predetermined data related to that program in the computer. Thereby, attack resistance and the like can be evaluated using a simulated actuator in place of the actual actuator.
- The attack procedure information may further indicate a transmission interval for the plurality of frames, and the transmission unit may transmit the plurality of frames to the bus according to the transmission order and the transmission interval indicated by the attack procedure information. Thereby, it is possible to evaluate a defense function against an attack method that is determined by the transmission order and transmission interval of a plurality of frames.
- The evaluation unit may output, as the evaluation result, information indicating whether or not the electronic control system has attack resistance. Thereby, the user of the evaluation apparatus or the like can know whether the electronic control system has attack resistance.
- The transmission unit may repeat an attack pattern in which the plurality of frames are transmitted to the bus in the transmission order indicated by the attack procedure information, and the evaluation unit may perform the evaluation so that the evaluation result differs according to whether the monitoring result changes over the repetitions of the attack pattern. Thereby, the attack resistance of the electronic control system against repeated attack patterns can be evaluated.
- An evaluation system is an evaluation system that evaluates the security of an electronic control system including a plurality of electronic control units that communicate via a bus. It comprises a holding unit that holds attack procedure information indicating the contents and transmission order of a plurality of frames, a transmission unit that transmits the plurality of frames to the bus in the transmission order indicated by the attack procedure information, a monitoring unit that monitors an actuator unit controlled by any of the plurality of electronic control units, and an evaluation unit that performs the evaluation based on a monitoring result of the monitoring unit when the plurality of frames are transmitted to the bus by the transmission unit. Accordingly, it is possible to evaluate a security function, such as a defense function against an attack related to the driving of the actuator unit, in an electronic control system including a plurality of ECUs.
- An evaluation method is an evaluation method for evaluating the security of an electronic control system including a plurality of electronic control units that communicate via a bus. It comprises holding attack procedure information indicating the contents and transmission order of a plurality of frames to be transmitted, transmitting the plurality of frames to the bus in the transmission order indicated by the attack procedure information, monitoring an actuator unit controlled by any of the plurality of electronic control units when the plurality of frames are transmitted to the bus, and performing the evaluation based on the monitoring result of that monitoring. Accordingly, it is possible to evaluate a security function, such as a defense function against an attack related to the driving of the actuator unit, with an electronic control system including a plurality of ECUs as the evaluation target.
- The plurality of electronic control units may communicate via the bus according to the CAN (Controller Area Network) protocol, and the evaluation method may perform the evaluation so that the evaluation result differs according to the monitoring result obtained within a certain period after one or more of the plurality of frames are transmitted to the bus. Thereby, the attack resistance of an electronic control system that uses CAN, such as an in-vehicle network system, can be evaluated.
- The following describes an evaluation apparatus and an evaluation method for evaluating the security of an in-vehicle network system that includes a plurality of electronic control units (ECUs) mounted on an automobile (vehicle) and communicating via a bus, together with an evaluation system that includes the electronic control system and the evaluation device.
- FIG. 1 is a configuration diagram showing a schematic configuration of the evaluation system 10.
- the evaluation system 10 includes an evaluation device 101 and an electronic control system 11.
- the evaluation system 10 uses the electronic control system 11 as an evaluation target, and evaluates the attack resistance of the electronic control system 11 (for example, whether or not a security countermeasure technique that protects against an attack is acting properly).
- The electronic control system 11 is an in-vehicle network system: an in-vehicle network including a plurality of electronic control units (ECUs) that transmit and receive frames via a bus (CAN bus), connected to various devices in the vehicle such as control devices, sensors, actuators (for example, electronically controllable steering, accelerator and brake) and user interface devices.
- The ECUs exchange frames to cooperate with each other and implement, for example, functions of an advanced driver assistance system (ADAS) such as a parking assistance function, a lane keeping assistance function, and a collision avoidance assistance function.
- As shown in the figure, the description assumes that the electronic control system 11 includes an actuator ECU 102, an instruction ECU 103, a security ECU 104, a shift position ECU 105, a vehicle speed ECU 106, and an actuator 107.
- The actuator 107 represents the steering, the accelerator, the brake, and the like, and the actuator ECU 102 likewise represents an ECU that controls one or more of the steering, the accelerator, the brake, and the like.
- Each ECU performs communication according to the CAN standard (protocol) using the CAN bus 20 as a communication path.
- a data frame (also referred to as a CAN message) that is a frame used for data transmission in CAN is defined to include an ID field that stores an ID (message ID), a data field that stores data, and the like.
- The actuator ECU 102 is connected to the actuator 107 (for example, steering, accelerator, brake, etc.) via a signal line, is also connected to the CAN bus 20, and controls the actuator 107 based on CAN messages received via the CAN bus 20.
- The instruction ECU 103 is connected to the CAN bus 20, acquires CAN messages indicating the state of the vehicle, and, under certain conditions, transmits an instruction for controlling the actuator 107 (for example, a steering operation instruction) to the actuator ECU 102 as a CAN message.
- The security ECU 104 constantly monitors the CAN bus 20 and, when it detects that an illegal CAN message (an attack CAN message) is flowing, takes measures such as invalidating that CAN message. Any method can be used for the invalidation; for example, the CAN message can be invalidated by transmitting an error frame defined by the CAN protocol so that it is superimposed on the illegal CAN message.
- the shift position ECU 105 and the vehicle speed ECU 106 acquire the state of the vehicle on which they are mounted, and transmit them to the CAN bus 20 as a CAN message.
- The shift position ECU 105 transmits a CAN message indicating the state of the transmission gear (parking: P, reverse: R, drive: D, etc.) corresponding to the shift position of the vehicle's shift lever, and the vehicle speed ECU 106 transmits a CAN message indicating the vehicle speed.
- the evaluation device 101 is a device that evaluates the attack resistance of the security countermeasure technology applied to the electronic control system 11 (evaluation target).
- the evaluation apparatus 101 performs an attack (hacking) on the evaluation target based on the held attack procedure information 108, performs monitoring (monitoring) for observing a reaction to the attack, and performs evaluation according to the monitoring result.
- The evaluation is, for example, a determination of whether or not the evaluation target is resistant to the attack (whether the attack or the defense succeeded or failed).
- The evaluation device 101 monitors the frames (messages) flowing through the CAN bus 20, monitors the input signal to the actuator 107 (that is, the output signal of the actuator ECU 102), and monitors the behavior (operation) of the actuator 107 itself.
- the attack procedure information 108 indicates the procedure (the type, order, timing, frequency, etc. of the CAN message to be transmitted) when performing an attack.
- FIG. 2 is a configuration diagram of the evaluation apparatus 101 in the evaluation system 10.
- The evaluation apparatus 101 includes a monitoring unit 200 (CAN bus monitoring unit 203, signal monitoring unit 204, and actuator monitoring unit 205), a transmission / reception unit 201 (transmission unit 201a and reception unit 201b), a holding unit 202, an evaluation unit 206, and a control unit 207.
- The evaluation device 101 is a device including, for example, a processor (microprocessor), digital circuits such as a memory, analog circuits, communication circuits, and a hard disk.
- the memory is ROM, RAM, or the like, and can store a control program (computer program as software) executed by the processor.
- The evaluation apparatus 101 realizes its various functions by the processor operating (controlling the various circuits, etc.) according to the control program (computer program).
- the computer program is configured by combining a plurality of instruction codes indicating instructions for the processor in order to achieve a predetermined function.
- the transmission / reception unit 201 is realized by a communication circuit or the like.
- the transmission / reception unit 201 includes a transmission unit 201a and a reception unit 201b.
- the transmission unit 201a transmits a CAN message (for example, a data frame indicating a shift position, a vehicle speed, or a steering operation instruction) to the CAN bus 20.
- the receiving unit 201b receives a CAN message (for example, a data frame indicating a steering operation instruction transmitted by the instruction ECU 103) that flows through the CAN bus 20.
- the holding unit 202 is realized by a storage medium such as a memory and a hard disk, and stores attack procedure information 108 indicating an attack procedure to be set by the evaluation apparatus 101 to evaluate the attack resistance of the evaluation target.
- the attack procedure information 108 indicates the transmission order of a plurality of frames (CAN messages) for attack. Details of the attack procedure information 108 will be described later with reference to FIG.
- The CAN bus monitoring unit 203 is realized by, for example, a processor that executes a program, and monitors the CAN bus 20 to which the plurality of ECUs of the electronic control system 11 under evaluation are connected. Specifically, the CAN bus monitoring unit 203 receives CAN messages via the receiving unit 201b and checks the content (payload) of the data contained in each CAN message. For example, as the monitoring of the actuator 107, the CAN bus monitoring unit 203 detects that a control instruction frame, by which the instruction ECU 103 connected to the CAN bus 20 instructs control of the actuator 107, has been transmitted to the CAN bus 20.
- The CAN bus monitoring unit 203 checks the contents of the data field (valid / invalid flag of the parking support function, designation of the steering angle, etc.) of the control instruction frame (the data frame related to the steering operation instruction) transmitted by the instruction ECU 103.
- the signal monitoring unit 204 observes a signal (input signal to the actuator 107) transmitted from the actuator ECU 102 to the actuator 107 through a signal line, and confirms the signal content.
- the signal monitoring unit 204 is realized by, for example, a communication circuit connected to the actuator ECU 102 or the actuator 107 or a signal line therebetween, a processor that executes a program, and the like.
- Actuator monitoring unit 205 observes the actuator 107 and confirms the behavior (operation) of the actuator 107.
- The confirmation of the operation of the actuator 107 is, for example, confirmation of the rotation amount if the actuator 107 is a steering wheel, or of the displacement amount if it is an accelerator or a brake, and of whether that state has changed.
- the actuator monitoring unit 205 is realized by, for example, a sensor that directly or indirectly measures a physical phenomenon (physical quantity that changes due to the operation of the actuator 107) generated by the actuator 107, a processor that executes a program, and the like.
- The evaluation unit 206 is realized by a processor or the like that executes a program.
- The evaluation unit 206 evaluates the security of the electronic control system 11 based on the confirmation results obtained by the monitoring of the monitoring unit 200 (CAN bus monitoring unit 203, signal monitoring unit 204, and actuator monitoring unit 205). Specifically, the evaluation unit 206 compares all or part of the confirmation results of the monitoring unit 200 with the expected values for the case where the CAN messages are transmitted based on the attack procedure information 108, and determines whether or not the attack succeeded (for example, whether or not a defense function against the attack was appropriately activated).
- The expected values are, for example, the behavior of the actuator expected as the result of the attack, the control signal input to the actuator 107 expected as the result of the attack, and the CAN message (for example, a control instruction frame) expected to be transmitted by the instruction ECU 103 as the result of the attack, and can be defined in advance.
- The evaluation unit 206 performs the evaluation based on the monitoring results of the monitoring unit 200 when the transmission unit 201a transmits attack CAN messages based on the attack procedure information 108 to the CAN bus 20 (for example, during a certain period immediately after the transmission, or from immediately before the transmission until immediately after it).
- For example, the evaluation unit 206 can have the CAN bus monitoring unit 203 determine whether a control instruction frame is transmitted on the CAN bus 20 within a certain period after one or more of the attack frames (CAN messages) indicated in the attack procedure information 108 are transmitted to the CAN bus 20 by the transmission unit 201a, and perform the evaluation so that the evaluation results differ depending on whether the control instruction frame is detected.
- Likewise, the evaluation unit 206 can perform the evaluation so that the evaluation results differ depending on whether the signal monitoring unit 204 detects that a control signal is input to the actuator 107 within a certain period after one or more of the attack CAN messages are transmitted to the CAN bus 20.
- Likewise, the evaluation unit 206 can perform the evaluation so that the evaluation results differ depending on whether the actuator monitoring unit 205 detects that the actuator 107 operated within a certain period after one or more of the attack CAN messages are transmitted to the CAN bus 20.
- Control unit 207 is realized by a processor or the like that executes a program, and manages and controls the monitoring unit 200, the transmission / reception unit 201, the holding unit 202, and the evaluation unit 206, thereby realizing the function of the evaluation apparatus 101.
- FIG. 3 is a configuration diagram of the actuator ECU 102.
- the actuator ECU 102 includes a transmission / reception unit 301, an instruction transmission unit 302, a state acquisition unit 303, a determination unit 304, and a control unit 305.
- the actuator ECU 102 is an ECU connected to the CAN bus 20.
- the ECU is a device including a digital circuit such as a processor and a memory, an analog circuit, a communication circuit, and the like.
- the memory is a ROM, a RAM, or the like, and can store a control program executed by the processor.
- the actuator ECU 102 functions by its processor operating (controlling various circuits, etc.) according to a control program (computer program).
- the transmission / reception unit 301 transmits a CAN message to the CAN bus 20 and receives a CAN message flowing through the CAN bus 20.
- the transmission / reception unit 301 receives, for example, a CAN message indicating a shift position, a vehicle speed, or a steering operation instruction.
- the instruction transmission unit 302 transmits a control signal to the actuator 107 through a signal line based on the CAN message received via the transmission / reception unit 301.
- the control signal is a signal that instructs an operation, for example a rotation angle or the like (steering operation instruction) in the case of steering, or a displacement amount (for example, a depression amount) or the like in the case of an accelerator or a brake.
- the state acquisition unit 303 acquires the state of the actuator 107 via a signal line connected to the actuator 107.
- the state acquired by the state acquisition unit 303 is, for example, a rotation angle if the actuator 107 is a steering wheel, or a displacement amount (for example, a depression amount) if the actuator 107 is an accelerator or a brake.
- the determination unit 304 determines whether or not to transmit a control signal to the actuator 107 based on the CAN message received via the transmission / reception unit 301. For example, when a control signal instructing the steering as the actuator 107 is to be output, the determination unit 304 determines whether to output the control signal, and the control amount (rotation angle or the like) designated by it, based on information such as the shift position, the vehicle speed, and the steering operation instruction received via the transmission / reception unit 301.
- Control unit 305 manages and controls the transmission / reception unit 301, the instruction transmission unit 302, the state acquisition unit 303, and the determination unit 304 to realize the function of the actuator ECU 102.
- FIG. 4 is a configuration diagram of the instruction ECU 103.
- the instruction ECU 103 includes a transmission / reception unit 401, a determination unit 402, a calculation unit 403, and a control unit 404.
- the instruction ECU 103 is an ECU connected to the CAN bus 20.
- the instruction ECU 103 functions by the processor of the instruction ECU 103 operating according to a control program (computer program) stored in the memory.
- the transmission / reception unit 401 transmits a CAN message to the CAN bus 20 and receives a CAN message flowing through the CAN bus 20.
- the transmission / reception unit 401 transmits a CAN message indicating a steering operation instruction and receives a CAN message indicating a shift position or a vehicle speed.
- the determination unit 402 determines whether to issue a control instruction (for example, a CAN message that is a control instruction frame indicating a steering operation instruction) to the actuator ECU 102. For example, when the steering is to be controlled, whether or not to issue the control instruction to the actuator ECU 102 is determined from the shift position and vehicle speed indicated by CAN messages received via the transmission / reception unit 401, or from information related to the start of the parking assist function.
- the CAN message indicating information related to the start of the parking support function in the electronic control system 11 is transmitted, for example, from an ECU (not shown) having a user interface that is connected to the CAN bus 20.
- the ECU may transmit a CAN message indicating information related to the start of the parking assist function in response to an operation of the driver of the vehicle.
- the calculation unit 403 calculates, based on the CAN message received via the transmission / reception unit 401, a control amount (for example, a steering rotation angle) to be instructed by a control instruction.
- Control unit 404 manages and controls the transmission / reception unit 401, the determination unit 402, and the calculation unit 403 to realize the function of the instruction ECU 103.
- FIG. 5 is a configuration diagram of the security ECU 104.
- the security ECU 104 includes a transmission / reception unit 501, a CAN bus monitoring unit 502, and a control unit 503.
- the security ECU 104 is an ECU that is connected to the CAN bus 20 and has a security function (such as a defense function) for dealing with attacks.
- the security ECU 104 functions by the processor of the security ECU 104 operating according to a control program (computer program) stored in the memory.
- the transmission / reception unit 501 receives the CAN message flowing through the CAN bus 20 and transmits an error frame to the CAN bus 20 in response to an instruction from the CAN bus monitoring unit 502 in order to invalidate the invalid CAN message.
- the transmission / reception unit 501 receives, for example, a CAN message indicating a shift position, a vehicle speed, or a steering operation instruction.
- the CAN bus monitoring unit 502 checks the content (payload) of the data included in each CAN message received via the transmission / reception unit 501 from the CAN bus 20 to which a plurality of ECUs are connected. When it detects an illegal CAN message (that is, a CAN message that does not comply with a predetermined rule in the electronic control system 11), it transmits an error frame via the transmission / reception unit 501.
- Control unit 503 manages and controls the transmission / reception unit 501 and the CAN bus monitoring unit 502 to realize the function of the security ECU 104.
- FIG. 6 is a configuration diagram of the shift position ECU 105.
- the shift position ECU 105 includes a transmission / reception unit 601, a state acquisition unit 602, and a control unit 603.
- the vehicle speed ECU 106 also has the same configuration as the shift position ECU 105.
- Each of the shift position ECU 105 and the vehicle speed ECU 106 is an ECU connected to the CAN bus 20.
- Each ECU functions by the processor of each ECU operating according to a control program (computer program) stored in the memory.
- the transmission / reception unit 601 transmits a CAN message to the CAN bus 20 and receives a CAN message flowing through the CAN bus 20.
- the state acquisition unit 602 acquires the state of the vehicle from a sensor or the like, and transmits a CAN message indicating the acquired state via the transmission / reception unit 601.
- the state acquisition unit 602 in the shift position ECU 105 acquires the shift position, and the state acquisition unit 602 in the vehicle speed ECU 106 acquires the vehicle speed.
- Control unit 603 manages and controls the transmission / reception unit 601 and the state acquisition unit 602 to realize the function of the shift position ECU 105 or the vehicle speed ECU 106.
- an example of the attack procedure information 108 held in the holding unit 202 of the evaluation apparatus 101 is shown in FIG. 7.
- the attack procedure information 108 indicates an evaluation target function (the function of the electronic control system 11 that is the attack target), the CAN messages to be transmitted for the attack, the message ID of each CAN message, the data content of each CAN message (that is, the content notified or instructed to other ECUs), the transmission interval of the CAN messages, and their transmission order.
- in the example of FIG. 7, first a CAN message notifying the shift position with the ID (message ID) 0x0123 is transmitted with the shift position set to “reverse”, next a CAN message notifying the vehicle speed with the ID 0x0034 is transmitted, and finally a CAN message indicating a steering operation instruction with the ID 0x0256 is transmitted with data consisting of a flag “1” and a steering angle designation “clockwise 15 degrees” for rotating the steering wheel 15 degrees to the right.
- This flag is a valid / invalid flag indicating whether the parking support function is valid or invalid, and “1” indicates that it is valid, and “0” indicates that it is not valid (invalid).
- the example of FIG. 7 is merely an example, and the content of the attack procedure information 108 can be arbitrarily determined.
- the transmission unit 201a transmits a plurality of CAN messages to the CAN bus 20 in the transmission order indicated by the attack procedure information 108.
- the attack procedure information 108 may be information that also defines a transmission interval between the plurality of CAN messages. In this case, the transmission unit 201a transmits the plurality of CAN messages to the CAN bus 20 in the transmission order and at the transmission intervals indicated by the attack procedure information 108.
- the CAN message regarding the shift position, the vehicle speed, or the steering operation instruction (valid / invalid state of the parking assist function) is always transmitted on the CAN bus 20 periodically.
- in the steady state, the CAN message regarding the steering operation instruction (valid / invalid state of the parking support function) is periodically transmitted with the flag set to “0”.
- when the parking support function becomes valid, the CAN message with the flag changed to “1” (that is, the CAN message indicating the steering operation instruction) is periodically transmitted.
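The rule check that the security ECU 104 is described as applying to each payload, together with the three message IDs of the FIG. 7 example, can be illustrated as follows. This is an added example, not code from the patent: the description says only that a frame breaking "a predetermined rule" is answered with an error frame, so the two concrete rules used here (a conflicting repeat of a periodic ID arriving well inside its nominal period, and a reverse shift position reported while the last accepted vehicle speed is high), the payload layouts, the nominal periods and the sample bus trace are all constructed.

```python
"""Rule-based frame check of the kind described for the security ECU 104.

Added illustration, not code from the patent. The patent states only that the
CAN bus monitoring unit 502 inspects each payload, treats a frame that breaks
"a predetermined rule" as invalid, and answers it with an error frame. The
concrete rules, the payload layouts and the sample bus trace below are
constructed here; only the three message IDs come from the FIG. 7 description.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ID_SHIFT = 0x0123   # shift position (FIG. 7); payload byte 0 = position code (constructed)
ID_SPEED = 0x0034   # vehicle speed (FIG. 7); payload byte 0 = km/h (constructed)
ID_STEER = 0x0256   # steering operation instruction (FIG. 7); byte 0 = parking-assist flag,
                    # byte 1 = angle in degrees clockwise (constructed layout)
SHIFT_R, SHIFT_D = 1, 3  # constructed position codes

# Assumed nominal transmission period of each periodic message, in ms.
PERIOD_MS = {ID_SHIFT: 100.0, ID_SPEED: 50.0, ID_STEER: 20.0}
# Rule 1: a frame with the same ID arriving earlier than this fraction of a
# period after the last accepted one, carrying different data, is rejected.
MIN_GAP_FRACTION = 0.5
# Rule 2: reverse reported while the last accepted speed exceeds this is rejected.
MAX_SPEED_FOR_REVERSE_KMH = 10


@dataclass(frozen=True)
class Frame:
    t_ms: float
    can_id: int
    data: bytes


@dataclass
class SecurityEcuState:
    # Only *accepted* frames update the state, so the plausibility rule sees
    # the same picture a correctly protected receiving ECU would.
    last_accepted: Dict[int, Frame] = field(default_factory=dict)
    speed_kmh: Optional[int] = None


def check_frame(state: SecurityEcuState, frame: Frame) -> Optional[str]:
    """Return None if the frame complies with the rules, else the violated rule."""
    prev = state.last_accepted.get(frame.can_id)
    period = PERIOD_MS.get(frame.can_id)
    if prev is not None and period is not None:
        gap = frame.t_ms - prev.t_ms
        if gap < MIN_GAP_FRACTION * period and frame.data != prev.data:
            return "timing: conflicting duplicate inside the nominal period"
    if frame.can_id == ID_SHIFT and frame.data[0] == SHIFT_R:
        if state.speed_kmh is not None and state.speed_kmh > MAX_SPEED_FOR_REVERSE_KMH:
            return "plausibility: reverse reported while moving"
    return None


def accept(state: SecurityEcuState, frame: Frame) -> None:
    """Update the reference state from a frame that passed the rules."""
    state.last_accepted[frame.can_id] = frame
    if frame.can_id == ID_SPEED:
        state.speed_kmh = frame.data[0]


def run_security_ecu(frames: List[Frame]) -> List[Tuple[float, str]]:
    """Feed a bus trace in order; return (time, rule) for every frame the ECU
    would invalidate with an error frame (the action taken in steps S1401,
    S1601 and S1602 of the description)."""
    state = SecurityEcuState()
    rejected: List[Tuple[float, str]] = []
    for frame in frames:
        reason = check_frame(state, frame)
        if reason is None:
            accept(state, frame)
        else:
            rejected.append((frame.t_ms, reason))
    return rejected


# Constructed trace modelled on operation example 3: each legitimate periodic
# frame is followed almost immediately by a conflicting one from the evaluator.
SAMPLE_TRACE = [
    Frame(0.0,   ID_SHIFT, bytes([SHIFT_D])),   # shift position ECU 105: D
    Frame(1.0,   ID_SHIFT, bytes([SHIFT_R])),   # evaluator: false R        (cf. step S803)
    Frame(5.0,   ID_SPEED, bytes([30])),        # vehicle speed ECU 106: 30 km/h
    Frame(6.0,   ID_SPEED, bytes([0])),         # evaluator: false 0 km/h   (cf. step S807)
    Frame(10.0,  ID_STEER, bytes([0, 0])),      # instruction ECU 103: flag 0
    Frame(11.0,  ID_STEER, bytes([1, 15])),     # evaluator: flag 1, 15 deg (cf. step S903)
    Frame(55.0,  ID_SPEED, bytes([32])),        # legitimate speed update: accepted
    Frame(100.0, ID_SHIFT, bytes([SHIFT_D])),   # legitimate periodic D: accepted
    Frame(200.0, ID_SHIFT, bytes([SHIFT_R])),   # false R a full period later: caught by rule 2
]

if __name__ == "__main__":
    for t, why in run_security_ecu(SAMPLE_TRACE):
        print(f"t={t:6.1f} ms  error frame sent: {why}")
```

Running the block rejects the three early conflicting frames of the pattern and the late reverse frame, while the legitimate periodic frames pass. The timing rule relies only on the receive timestamp and the previously accepted payload, which is why the reference state is updated from accepted frames alone: if a rejected frame moved the reference point, the next legitimate frame would itself look early.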
- FIGS. 8 to 10 are sequence diagrams showing the operation (operation example 1) of the evaluation system 10 that evaluates the electronic control system 11 without the security ECU 104.
- the sequence diagram shown in FIG. 8 continues to the sequence diagram shown in FIG. 9.
- the sequence diagram shown in FIG. 9 continues to the sequence diagram shown in FIG. 10.
- operation example 1 shows an example in which the evaluation apparatus 101 causes the actuator ECU 102 to misrecognize information by an attack.
- each CAN message regarding the shift position, the vehicle speed, and the steering operation instruction is periodically transmitted by the shift position ECU 105, the vehicle speed ECU 106, or the instruction ECU 103.
- the shift position ECU 105 transmits a CAN message indicating the current shift position (drive: D) to the CAN bus 20 (step S801), and the actuator ECU 102 receives the CAN message indicating the shift position flowing through the CAN bus 20 (step S802).
- the evaluation apparatus 101, aiming for example at overwriting the buffer for periodic processing of the CAN message in the actuator ECU 102, transmits a CAN message indicating a false shift position (reverse: R) that misrepresents the current shift position to the CAN bus 20 (step S803).
- the actuator ECU 102 receives the CAN message indicating the shift position flowing through the CAN bus 20 and erroneously recognizes that the current shift position is reverse: R (step S804).
- the vehicle speed ECU 106 transmits a CAN message indicating the current vehicle speed (30 km / h) to the CAN bus 20 (step S805), and the actuator ECU 102 receives the CAN message indicating the vehicle speed flowing through the CAN bus 20 (step S806).
- the evaluation apparatus 101 then transmits a CAN message indicating a false vehicle speed (0 km / h) that misrepresents the current vehicle speed to the CAN bus 20 (step S807).
- the actuator ECU 102 receives the CAN message indicating the vehicle speed flowing through the CAN bus 20 and erroneously recognizes that the current vehicle speed is 0 km / h (step S808).
- the instruction ECU 103 transmits a CAN message indicating that the parking support function is not currently effective (flag: 0) to the CAN bus 20 (step S901), and the actuator ECU 102 receives the CAN message regarding the valid / invalid state of the parking support function flowing through the CAN bus 20 (step S902).
- immediately after the CAN message indicating that the parking support function is not valid (flag: 0) flows on the CAN bus 20, the evaluation apparatus 101 transmits a CAN message indicating that the parking support function is currently valid (flag: 1) to the CAN bus 20 (step S903). As a result, the actuator ECU 102 receives the CAN message regarding the valid / invalid state of the parking support function flowing through the CAN bus 20, and erroneously recognizes that the parking support function is currently active (step S904).
- the actuator ECU 102 then transmits a control signal (steering operation instruction) to the actuator 107 (step S905).
- the steering as the actuator 107 operates based on the received control signal (steering operation instruction) (step S906).
- hereinafter, the steering as the actuator 107 is referred to as the actuator 107 (steering).
- Evaluation device 101 receives (monitors) a control signal (steering operation instruction) transmitted from actuator ECU 102 to actuator 107 (steering) (step S1001).
- the evaluation apparatus 101 confirms (observes) the behavior of the actuator 107 (steering) (step S1002).
- the evaluation device 101 evaluates the security of the electronic control system 11 (determination of success or failure of the attack, etc.) by comparing the received control signal and the confirmed behavior of the actuator 107 (steering) with the expected value of the attack (step S1003). For example, the evaluation apparatus 101 determines that the attack is successful when the received control signal and the confirmed behavior of the actuator 107 (steering) match the control signal and behavior that are the expected value of the attack.
- the evaluation apparatus 101 may perform the determination of the success or failure of the attack based on the expected value of the attack using only one of the monitoring result of the control signal input to the actuator 107 (steering) and the confirmation result of the behavior of the actuator 107 (steering).
- in this way, the evaluation apparatus 101 can subsequently evaluate the effect of a security countermeasure technique (for example, the security ECU 104) to be introduced into the electronic control system 11.
- FIGS. 11 and 12 are sequence diagrams illustrating the operation (operation example 2) of the evaluation system 10 that evaluates the electronic control system 11 in a state where the security ECU 104 is not provided.
- the sequence diagram shown in FIG. 11 continues to the sequence diagram shown in FIG. 12.
- operation example 2 shows an example in which the evaluation apparatus 101 causes the instruction ECU 103 to misrecognize information by an attack.
- the shift position ECU 105 transmits a CAN message indicating the current shift position (drive: D) to the CAN bus 20 (step S1101), and the instruction ECU 103 receives the CAN message indicating the shift position flowing through the CAN bus 20 (step S1102). Similarly, the actuator ECU 102 also receives the CAN message indicating the shift position flowing through the CAN bus 20 (step S1103).
- immediately after the CAN message indicating the shift position (drive: D) flows on the CAN bus 20, the evaluation apparatus 101 transmits a CAN message indicating a false shift position (reverse: R) that misrepresents the current shift position to the CAN bus 20 according to the attack procedure information 108 (step S1104). Thereby, the instruction ECU 103 receives the CAN message indicating the shift position flowing through the CAN bus 20, and erroneously recognizes that the current shift position is reverse: R (step S1105). Similarly, the actuator ECU 102 receives the CAN message indicating the shift position flowing through the CAN bus 20 and erroneously recognizes that the current shift position is reverse: R (step S1106).
- the vehicle speed ECU 106 transmits a CAN message indicating the current vehicle speed (30 km / h) to the CAN bus 20 (step S1107), and the instruction ECU 103 receives the CAN message indicating the vehicle speed flowing through the CAN bus 20 (step S1108). Similarly, the actuator ECU 102 also receives the CAN message indicating the vehicle speed flowing through the CAN bus 20 (step S1109).
- the evaluation apparatus 101 then transmits a CAN message indicating a false vehicle speed (0 km / h) that misrepresents the current vehicle speed to the CAN bus 20 (step S1110).
- the instruction ECU 103 receives a CAN message indicating the vehicle speed flowing through the CAN bus 20, and erroneously recognizes that the current vehicle speed is 0 km / h (step S1111).
- the actuator ECU 102 receives a CAN message indicating the vehicle speed flowing through the CAN bus 20 and erroneously recognizes that the current vehicle speed is 0 km / h (step S1112).
- the evaluation apparatus 101 transmits a CAN message indicating the start of the parking support function to the CAN bus 20 (step S1201), and the instruction ECU 103 receives the CAN message related to the start of the parking support function (the CAN message indicating the start of the parking support function) flowing through the CAN bus 20 (step S1202).
- since the false shift position and vehicle speed already received satisfy the conditions for executing the parking support function, the instruction ECU 103 determines that the parking support function is valid (flag: 1) and transmits a CAN message indicating a steering operation instruction to the CAN bus 20 (step S1203).
- the actuator ECU 102 receives the CAN message regarding the valid / invalid state of the parking support function flowing through the CAN bus, erroneously recognizes that the parking support function is currently active (step S1204), and transmits a control signal (steering operation instruction) to the actuator 107 (steering) based on the steering angle designation included in that CAN message (the CAN message indicating the steering operation instruction) (step S1205). Then, the actuator 107 (steering) operates based on the received control signal (steering operation instruction) (step S1206).
- the evaluation apparatus 101 receives (monitors) the CAN message (flag: 1) regarding the valid / invalid state of the parking support function transmitted from the instruction ECU 103 to the CAN bus (step S1207).
- the evaluation device 101 evaluates the security of the electronic control system 11 (determination of success or failure of the attack, etc.) by comparing the content of the received CAN message regarding the valid / invalid state of the parking support function with the expected value of the attack (step S1208).
- for example, when the flag of the received CAN message regarding the validity / invalidity of the parking support function has the flag value (1) that is the expected value of the attack, the evaluation device 101 determines that a control instruction frame for controlling the actuator 107 (steering) has been detected, and determines that the attack is successful.
- in this way, the evaluation apparatus 101 can subsequently evaluate the effect of a security countermeasure technique (for example, the security ECU 104) to be introduced into the electronic control system 11.
- FIGS. 13 to 15 are sequence diagrams showing the operation (operation example 3) of the evaluation system 10 that evaluates the electronic control system 11 in a state in which the security ECU 104 is provided (see FIG. 1).
- the sequence diagram shown in FIG. 13 continues to the sequence diagram shown in FIG. 14.
- the sequence diagram shown in FIG. 14 continues to the sequence diagram shown in FIG. 15.
- operation example 3 shows an example in which the evaluation apparatus 101 tries to cause the actuator ECU 102 to misrecognize information by an attack.
- the shift position ECU 105 transmits a CAN message indicating the current shift position (drive: D) to the CAN bus 20 (step S801), and the actuator ECU 102 receives the CAN message indicating the shift position flowing through the CAN bus 20 (step S802).
- immediately after the CAN message indicating the shift position (drive: D) flows on the CAN bus 20, the evaluation apparatus 101 transmits a CAN message indicating a false shift position (reverse: R) that misrepresents the current shift position to the CAN bus 20 according to the attack procedure information 108 (step S803). Thus, the actuator ECU 102 receives the CAN message indicating the shift position flowing through the CAN bus 20 and erroneously recognizes that the current shift position is reverse: R (step S804).
- the vehicle speed ECU 106 transmits a CAN message indicating the current vehicle speed (30 km / h) to the CAN bus 20 (step S805), and the actuator ECU 102 receives the CAN message indicating the vehicle speed flowing through the CAN bus 20 (step S806).
- the evaluation apparatus 101 then transmits a CAN message indicating a false vehicle speed (0 km / h) that misrepresents the current vehicle speed to the CAN bus 20 (step S807).
- the actuator ECU 102 receives the CAN message indicating the vehicle speed flowing through the CAN bus 20 and erroneously recognizes that the current vehicle speed is 0 km / h (step S808).
- the instruction ECU 103 transmits a CAN message indicating that the parking support function is not currently effective (flag: 0) to the CAN bus 20 (step S901), and the actuator ECU 102 receives the CAN message regarding the valid / invalid state of the parking support function flowing through the CAN bus 20 (step S902).
- immediately after that, the evaluation apparatus 101 transmits a CAN message indicating that the parking support function is currently valid (flag: 1) to the CAN bus 20 (step S903).
- when the security ECU 104 determines that the CAN message regarding the valid / invalid state of the parking support function transmitted from the evaluation apparatus 101 to the CAN bus 20 in step S903 is an invalid CAN message, it transmits an error frame to invalidate the CAN message (step S1401).
- since the actuator ECU 102 is not affected by the invalidated CAN message, it does not transmit a control signal (steering operation instruction) to the actuator 107 (steering). For this reason, the actuator 107 (steering) does not operate.
- the evaluation apparatus 101 confirms that the actuator ECU 102 has not transmitted a control signal (steering operation instruction) to the actuator 107 (steering) (step S1402) and confirms that the actuator 107 (steering) is not operating (step S1403); if both can be confirmed, it determines that the defense (security measure) has succeeded (that is, the attack has failed) (step S1501). It should be noted that the evaluation apparatus 101 may also evaluate security using only one of these two confirmations, for example determining that the defense has succeeded if only one of the confirmation that the actuator ECU 102 is not transmitting a control signal to the actuator 107 (steering) and the confirmation that the actuator 107 (steering) is not operating can be made.
- FIGS. 16 and 17 are sequence diagrams illustrating the operation (operation example 4) of the evaluation system 10 that evaluates the electronic control system 11 in a state in which the security ECU 104 is provided (see FIG. 1).
- the sequence diagram shown in FIG. 16 continues to the sequence diagram shown in FIG. 17.
- operation example 4 shows an example in which the evaluation apparatus 101 tries to cause the instruction ECU 103 to misrecognize information by an attack.
- the shift position ECU 105 transmits a CAN message indicating the current shift position (drive: D) to the CAN bus 20 (step S1101), and the instruction ECU 103 receives the CAN message indicating the shift position flowing through the CAN bus 20 (step S1102). Similarly, the actuator ECU 102 also receives the CAN message indicating the shift position flowing through the CAN bus 20 (step S1103).
- immediately after the CAN message indicating the shift position (drive: D) flows on the CAN bus 20, the evaluation apparatus 101 transmits a CAN message indicating a false shift position (reverse: R) that misrepresents the current shift position to the CAN bus 20 according to the attack procedure information 108 (step S1104).
- when the security ECU 104 determines that the CAN message indicating the shift position (reverse: R) transmitted from the evaluation apparatus 101 to the CAN bus 20 in step S1104 is an invalid CAN message, it transmits an error frame, thereby invalidating the CAN message (step S1601).
- the vehicle speed ECU 106 transmits a CAN message indicating the current vehicle speed (30 km / h) to the CAN bus 20 (step S1107), and the instruction ECU 103 receives the CAN message indicating the vehicle speed flowing through the CAN bus 20 (step S1108). Similarly, the actuator ECU 102 also receives the CAN message indicating the vehicle speed flowing through the CAN bus 20 (step S1109).
- the evaluation apparatus 101 then transmits a CAN message indicating a false vehicle speed (0 km / h) that misrepresents the current vehicle speed to the CAN bus 20 (step S1110).
- when the security ECU 104 determines that the CAN message indicating the vehicle speed (0 km / h) transmitted from the evaluation apparatus 101 to the CAN bus 20 in step S1110 is an invalid CAN message, it transmits an error frame, thereby invalidating the CAN message (step S1602).
- the evaluation apparatus 101 transmits a CAN message indicating the start of the parking support function to the CAN bus 20 (step S1201), and the instruction ECU 103 receives the CAN message related to the start of the parking support function (the CAN message indicating the start of the parking support function) flowing through the CAN bus 20 (step S1202).
- the instruction ECU 103 transmits a CAN message relating to the valid / invalid state of the parking support function (flag: 0) to the CAN bus 20 (step S1701).
- the actuator ECU 102 receives the CAN message regarding the valid / invalid state of the parking support function flowing through the CAN bus, recognizes that the parking support function is currently invalid (step S1702), and sends no control signal (steering operation instruction) to the actuator 107 (steering).
- the evaluation apparatus 101 receives (monitors) the CAN message (flag: 0) regarding the valid / invalid state of the parking support function transmitted from the instruction ECU 103 to the CAN bus 20 (step S1703).
- the evaluation device 101 evaluates the security of the electronic control system 11 (determination of success or failure of the attack, etc.) by comparing the content of the received CAN message regarding the valid / invalid state of the parking support function with the expected value of the attack (step S1704). For example, when the flag of the received CAN message regarding the valid / invalid state of the parking support function is not the flag value (1) that is the expected value of the attack, the evaluation device 101 determines that no control instruction frame for controlling the actuator 107 (steering) has been detected, and determines that the defense (security measure) is successful.
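The comparison with the expected value of the attack that the evaluation unit 206 performs in steps S1003, S1208, S1501 and S1704 of the four operation examples can be written out as follows. This is an added example, not code from the patent. It takes the three kinds of monitoring result the description names (a control instruction frame seen by the CAN bus monitoring unit 203, a control signal seen by the monitoring unit 204, actuator behaviour seen by the actuator monitoring unit 205), keeps only those inside a window around the attack transmission, and matches them against the FIG. 7 expected value (flag 1, 15 degrees clockwise). The window lengths, the angle tolerance and the observation records standing in for operation examples 1 to 4 are constructed.

```python
"""Evaluation step of the kind the evaluation unit 206 performs.

Added illustration, not code from the patent. Observation sources follow the
description: "bus_frame" for the CAN bus monitoring unit 203, "control_signal"
for the monitoring unit 204 and "actuator" for the actuator monitoring unit 205.
Window lengths, tolerance and the sample observations are constructed.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Observation:
    t_ms: float
    source: str   # "bus_frame", "control_signal" or "actuator"
    value: int    # parking-assist flag for bus_frame; steering angle in degrees otherwise


@dataclass(frozen=True)
class ExpectedAttackValue:
    instruction_flag: int = 1      # FIG. 7: flag "1"
    steering_angle_deg: int = 15   # FIG. 7: clockwise 15 degrees
    angle_tolerance_deg: int = 1   # constructed


@dataclass(frozen=True)
class Verdict:
    frame_detected: bool
    signal_detected: bool
    actuator_operated: bool
    attack_succeeded: bool   # False means the defense (security measure) succeeded


def matches(obs: Observation, expected: ExpectedAttackValue) -> bool:
    """Does one observation agree with the expected value of the attack?"""
    if obs.source == "bus_frame":
        return obs.value == expected.instruction_flag
    return abs(obs.value - expected.steering_angle_deg) <= expected.angle_tolerance_deg


def evaluate(attack_tx_ms: float, observations: List[Observation],
             expected: ExpectedAttackValue, before_ms: float = 0.0,
             after_ms: float = 200.0, require_all: bool = False) -> Verdict:
    """Judge one attack transmission that left the evaluator at attack_tx_ms.

    Only observations inside [attack_tx_ms - before_ms, attack_tx_ms + after_ms]
    count ("a certain period" in the description). With require_all=False any
    one matching indicator means the attack succeeded, mirroring the statement
    that the control-signal or the actuator observation alone may be used; with
    require_all=True every monitored source must have matched.
    """
    lo, hi = attack_tx_ms - before_ms, attack_tx_ms + after_ms
    hits = {"bus_frame": False, "control_signal": False, "actuator": False}
    for obs in observations:
        if lo <= obs.t_ms <= hi and matches(obs, expected):
            hits[obs.source] = True
    succeeded = all(hits.values()) if require_all else any(hits.values())
    return Verdict(hits["bus_frame"], hits["control_signal"], hits["actuator"], succeeded)


EXPECTED = ExpectedAttackValue()
ATTACK_TX_MS = 100.0   # constructed: time the last attack frame was transmitted

# Constructed observation sets modelled on the four operation examples.
OP1_NO_SECURITY_ECU_ACTUATOR_PATH = [          # steps S1001-S1002
    Observation(120.0, "control_signal", 15),
    Observation(150.0, "actuator", 15),
    Observation(5000.0, "actuator", -10),       # driver steering much later: outside the window
]
OP2_NO_SECURITY_ECU_INSTRUCTION_PATH = [Observation(110.0, "bus_frame", 1)]    # step S1207
OP3_WITH_SECURITY_ECU_ACTUATOR_PATH = [Observation(5000.0, "actuator", -10)]   # nothing in window
OP4_WITH_SECURITY_ECU_INSTRUCTION_PATH = [Observation(110.0, "bus_frame", 0)]  # step S1703: flag 0

if __name__ == "__main__":
    cases = [("operation example 1", OP1_NO_SECURITY_ECU_ACTUATOR_PATH),
             ("operation example 2", OP2_NO_SECURITY_ECU_INSTRUCTION_PATH),
             ("operation example 3", OP3_WITH_SECURITY_ECU_ACTUATOR_PATH),
             ("operation example 4", OP4_WITH_SECURITY_ECU_INSTRUCTION_PATH)]
    for name, obs in cases:
        print(name, evaluate(ATTACK_TX_MS, obs, EXPECTED))
```

The window is the part worth getting right: an actuator movement seconds after the attack (the driver turning the wheel) must not be credited to the attack, and the description ties every indicator to "a certain period" after transmission for exactly that reason. Keeping the three indicators separate in the verdict, rather than collapsing them to one boolean, also lets the operator see which monitoring path the defense closed.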
- the evaluation apparatus 101 attacks the electronic control system 11 by transmitting a CAN message (CAN message indicating false information).
- the evaluation apparatus 101 may attack using any method, and may perform the attack using a method other than the CAN message transmission.
- the evaluation apparatus 101 may replace the sensing information of sensors connected to various ECUs in the electronic control system 11 to be evaluated by signal lines with false information and cause the ECU to misrecognize.
- the various ECUs and actuators are assumed to be real (actual) ECUs and actuators.
- the various ECUs in the electronic control system 11 that is the evaluation target of the evaluation system 10 may be simulated ECUs (for example, a computer that executes software simulating the function, behavior, etc. of the ECU) instead of real ECUs (for example, an ECU mounted on an evaluation board, an ECU as a product, etc.).
- the evaluation target of the evaluation system 10 may be an electronic control system including an actuator unit that is either a real actuator or a simulated actuator.
- the actuator monitoring unit 205 may observe the actuator unit by, for example, confirming various parameters used in the simulation using an output function of the simulation software.
- the monitoring unit 204 may check the parameters input to the simulation software.
- the monitoring unit 200 may detect the operation of the actuator unit by observing a change in the content of predetermined data related to the simulation software (program) in the computer (for example, a predetermined memory area of the computer corresponding to a physical quantity that changes with the operation of the actuator) or a change in the output content.
- in the above description, the evaluation apparatus 101 is a single apparatus connected to the CAN bus 20, but it may have a configuration separated into a plurality of housings, for example separated into a transmission device that transmits attack CAN messages according to the attack procedure information 108 and a monitoring device that monitors the CAN messages flowing through the CAN bus 20, the control signal output from the actuator ECU 102, the behavior of the actuator 107, and the like.
- in the above description, the electronic control system 11 including the in-vehicle network using the CAN bus 20 is exemplified as the evaluation target of the evaluation system 10, and the evaluation apparatus 101 transmits attack messages onto it.
- however, the network to be monitored does not necessarily have to be an in-vehicle network, and may be a network other than the CAN bus 20 that performs communication using the CAN protocol.
- the evaluation system 10 may evaluate a network such as a robot or an industrial device or another network communication system.
- the CAN protocol should be understood in a broad sense that includes CANopen, used for embedded systems in automation systems, and derivative protocols such as TTCAN (Time-Triggered CAN) and CAN FD (CAN with Flexible Data Rate).
- a communication protocol other than the CAN protocol, for example Ethernet (registered trademark), MOST (registered trademark), FlexRay (registered trademark), or LIN (Local Interconnect Network), may also be used.
- a system including a complex network in which networks in accordance with various protocols are combined may be evaluated, and the evaluation apparatus 101 may attack and monitor the network.
- in the above description, the evaluation apparatus 101 performs an attack in which a CAN message indicating false information is transmitted. Alternatively, an attack may be performed by falsifying a part of the content of a CAN message transmitted on the CAN bus 20 by the shift position ECU 105, the vehicle speed ECU 106, the instruction ECU 103, or the like.
- the above-described evaluation apparatus 101 may perform evaluation by attacking, for example, the electronic control system 11 corresponding to a part of the in-vehicle network system.
- a regular CAN message that flows in a steady state is transmitted to the in-vehicle network not included in the evaluation target.
- an attack may be set against the evaluation target.
- the security ECU 104 in the evaluation target detects an invalid CAN message and invalidates it, the security ECU 104 evaluates the evaluation target by checking whether or not an invalid irrelevant message has been invalidated. May be.
- the evaluation apparatus 101 may evaluate the evaluation target by confirming whether or not an adverse effect (a large communication delay or the like) is exerted on the transmission and reception of the regular CAN messages in the steady state.
- as the security evaluation of the evaluation target (attack resistance, etc.), the evaluation apparatus 101 may perform an evaluation such as determining the presence or absence of attack resistance based on the number and ratio of fraudulent CAN messages that have passed through the defense.
- the evaluation apparatus 101 can use a threshold value that defines an upper limit or the like for the number and ratio of fraudulent CAN messages in order to determine whether or not there is attack resistance. This threshold value may be arbitrarily set for the evaluation apparatus 101, or may be changed (adjusted) according to the evaluation result or the like when the evaluation is repeatedly performed. Further, the evaluation apparatus 101 may calculate the attack success rate (success frequency or the like).
- the evaluation apparatus 101 may evaluate whether or not each of the plurality of defense functions operates or how effectively it acts, in addition to the determination of success or failure of the attack or the success or failure of the defense.
- the transmission unit 201a may repeat an attack pattern in which a plurality of CAN messages are transmitted to the CAN bus 20 in the transmission order indicated by the attack procedure information 108, and the evaluation unit 206 may perform the evaluation such that the evaluation result differs depending on whether or not the monitoring result of the monitoring unit 200 changes with the repetition of the attack pattern.
- the evaluation result of the evaluation unit 206 of the evaluation apparatus 101 is recorded by the evaluation apparatus 101 in a storage medium such as a memory and is also output to the outside of the evaluation apparatus 101 (for example, by displaying the evaluation result or transmitting information indicating the evaluation result).
- the evaluation unit 206 may output information indicating whether or not the electronic control system to be evaluated has attack resistance as an evaluation result.
- the security function including the security ECU 104 in the electronic control system 11 to be evaluated may record log information (such as a CAN message reception history) regarding fraud detection.
- by comparing that log information with an expected value for the attack held by the evaluation apparatus 101, the evaluation apparatus 101 may determine whether or not the attack succeeded, calculate the probability of a successful attack, or perform other evaluation.
- the electronic control system 11 can include the independent security ECU 104 as a security function.
- all or some of the plurality of ECUs that communicate via the bus may be provided with security functions.
- security functions may be realized in a distributed manner across a plurality of ECUs.
- the evaluation apparatus 101 is directly connected to the bus in the electronic control system 11 to be evaluated.
- a relay device such as a gateway may be interposed between the evaluation apparatus 101 and the evaluation target.
- the evaluation apparatus 101 may perform mutual authentication or one-way authentication with the gateway, transmit an attack CAN message so that the gateway transfers it to the CAN bus 20, and evaluate the security (e.g., attack resistance) of the evaluation target by acquiring CAN messages from the CAN bus 20 via the gateway.
- the evaluation apparatus 101 may indirectly confirm the operation (behavior) of the actuator 107 by monitoring the CAN message that the actuator ECU 102 transmits to the CAN bus 20 to notify the state of the actuator 107 (current steering angle, accelerator or brake displacement, engine rotation speed, and the like).
- the evaluation apparatus 101 and the various ECUs in the above embodiment are devices including digital circuits such as a processor and a memory, analog circuits, communication circuits and the like, and may also include hardware components such as a display, a keyboard and a mouse.
- the function may be realized by dedicated hardware (digital circuit or the like).
- the functional blocks of the CAN bus monitoring unit 203, the signal monitoring unit 204, the actuator monitoring unit 205, the transmission / reception unit 201, the holding unit 202, the evaluation unit 206, and the control unit 207 of the evaluation apparatus 101 can be realized by an integrated circuit.
- the functional blocks of the transmission / reception unit 301, the instruction transmission unit 302, the state acquisition unit 303, the determination unit 304, and the control unit 305 of the actuator ECU 102 can be realized by an integrated circuit.
- the functional blocks of the transmission / reception unit 401, the determination unit 402, the calculation unit 403, and the control unit 404 of the instruction ECU 103 can be realized by an integrated circuit.
- the functional blocks of the transmission / reception unit 501, the CAN bus monitoring unit 502, and the control unit 503 of the security ECU 104 can be realized by an integrated circuit.
- the functional blocks of the transmission / reception unit 601, the state acquisition unit 602, and the control unit 603 of the shift position ECU 105 or the vehicle speed ECU 106 can be realized by an integrated circuit.
- the system LSI is an ultra-multifunctional LSI manufactured by integrating a plurality of components on a single chip.
- the system LSI is a computer system including a microprocessor, a ROM, a RAM, and the like.
- a computer program is recorded in the RAM.
- the system LSI achieves its functions by the microprocessor operating according to the computer program.
- each part of the constituent elements constituting each of the above devices may be individually made into one chip, or may be made into one chip so as to include a part or the whole.
- although the term system LSI is used here, it may be called IC, LSI, super LSI or ultra LSI depending on the degree of integration.
- the method of circuit integration is not limited to LSI, and implementation using a dedicated circuit or a general-purpose processor is also possible.
- an FPGA (Field Programmable Gate Array), or a reconfigurable processor in which the connections and settings of the circuit cells inside the LSI can be reconfigured, may be used.
- if integrated circuit technology that replaces LSI emerges as a result of advances in semiconductor technology or another derived technology, the functional blocks may naturally be integrated using that technology; the application of biotechnology is one possibility.
- a part or all of the constituent elements constituting each of the above devices may be constituted by an IC card or a single module that can be attached to and detached from each device.
- the IC card or the module is a computer system including a microprocessor, a ROM, a RAM, and the like.
- the IC card or the module may include the super multifunctional LSI described above.
- the IC card or the module achieves its function by the microprocessor operating according to the computer program. This IC card or this module may have tamper resistance.
- the evaluation method is a method for evaluating the security of the electronic control system 11 including a plurality of ECUs that communicate via the CAN bus 20: attack procedure information 108 indicating the contents and transmission order of a plurality of frames is held and the frames are transmitted in accordance with it (for example, steps S803, S807, S903, S1104, S1110 and S1201), the actuator unit (for example, the actuator 107) controlled by any of the plurality of ECUs is directly or indirectly monitored (for example, steps S1001, S1002 and S1207), and the evaluation is performed based on the monitoring result (for example, steps S1003 and S1208).
- a computer program that realizes the processing according to the evaluation method by a computer may be used, or a digital signal that includes the computer program may be used.
- the computer program or the digital signal may be recorded on a computer-readable recording medium such as a flexible disk, a hard disk, a CD-ROM, an MO, a DVD, a DVD-ROM, a DVD-RAM or a BD.
- the computer program or the digital signal may be transmitted via an electric communication line, a wireless or wired communication line, a network typified by the Internet, data broadcasting, or the like.
- an aspect of the present disclosure may be a computer system including a microprocessor and a memory, the memory recording the computer program, and the microprocessor operating according to the computer program.
- the program or the digital signal may be recorded on the recording medium and transferred, or transferred via the network or the like, and executed by another independent computer system.
- This disclosure can be used to evaluate whether or not the security countermeasure technology applied to the electronic control system can appropriately prevent an attack.
Abstract
Provided is an evaluation device (101) which is connected to a bus which a plurality of electronic control units uses in communication in an electronic control system, and which carries out an evaluation relating to the security of the electronic control system. The evaluation device (101) comprises: a retaining unit (202) which retains hacking sequence information (108) which indicates the content of a plurality of frames and an order of transmission; a transmission unit (201a) which transmits the plurality of frames to the bus in the order of transmission which the hacking sequence information indicates; a monitoring unit (200) which monitors an actuator unit which is controlled by one of the plurality of electronic control units; and an evaluation unit (206) which carries out an evaluation on the basis of the result of the monitoring by the monitoring unit (200) when the plurality of frames is transmitted to the bus by the transmission unit (201a).
Description
This disclosure relates to a technique for evaluating the security (attack resistance and the like) of an electronic control system, such as an in-vehicle network system, in which electronic control units communicate.
In recent years a large number of electronic control units (ECUs) are installed in automobiles, and the in-vehicle network connecting the ECUs uses, for example, the CAN (Controller Area Network) standard specified in ISO 11898-1. A known attack on an in-vehicle network is one in which an attacker accesses an information terminal in the vehicle by wireless communication, illegitimately rewrites the program of the information terminal, transmits arbitrary CAN messages from that terminal to the in-vehicle network, and thereby controls an actuator connected to an in-vehicle ECU against the driver's intention. As driving automation progresses and in-vehicle ECUs themselves come to carry wireless communication functions such as V2X (vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2I) communication), the program of a V2X-capable ECU could, like that of an information terminal, be illegitimately rewritten and used for an attack. There is still little research on methods for evaluating attack countermeasures; for example, Non-Patent Document 1 discloses a fuzzing technique that finds defects (such as bugs introduced by programming errors) by sending data to a single in-vehicle ECU and observing its response.
An evaluation apparatus according to an aspect of the present disclosure is an evaluation apparatus that is connected to a bus used for communication by a plurality of electronic control units in an electronic control system and that performs an evaluation relating to the security of the electronic control system, the evaluation apparatus comprising: a holding unit that holds attack procedure information indicating the contents and transmission order of a plurality of frames; a transmission unit that transmits the plurality of frames to the bus in the transmission order indicated by the attack procedure information; a monitoring unit that monitors an actuator unit controlled by any of the plurality of electronic control units; and an evaluation unit that performs the evaluation based on the monitoring result of the monitoring unit when the plurality of frames are transmitted to the bus by the transmission unit.
An evaluation system according to an aspect of the present disclosure is an evaluation system that performs an evaluation relating to the security of an electronic control system comprising a plurality of electronic control units that communicate via a bus, the evaluation system comprising: a holding unit that holds attack procedure information indicating the contents and transmission order of a plurality of frames; a transmission unit that transmits the plurality of frames to the bus in the transmission order indicated by the attack procedure information; a monitoring unit that monitors an actuator unit controlled by any of the plurality of electronic control units; and an evaluation unit that performs the evaluation based on the monitoring result of the monitoring unit when the plurality of frames are transmitted to the bus by the transmission unit.
An evaluation method according to an aspect of the present disclosure is an evaluation method for performing an evaluation relating to the security of an electronic control system comprising a plurality of electronic control units that communicate via a bus, the method comprising: holding attack procedure information indicating the contents and transmission order of a plurality of frames; transmitting the plurality of frames to the bus in the transmission order indicated by the attack procedure information; monitoring, when the plurality of frames are transmitted to the bus, an actuator unit controlled by any of the plurality of electronic control units; and performing the evaluation based on the result of the monitoring.
According to the present disclosure, it is possible to evaluate the attack resistance of an electronic control system composed of a plurality of ECUs (for example, whether or not the security countermeasure technology applied to the electronic control system can appropriately defend against an attack).
(Knowledge that forms the basis of the present invention)
Although the technique of Non-Patent Document 1 can find defects in a single in-vehicle ECU, it cannot take a system composed of a plurality of ECUs forming an in-vehicle network (an electronic control system) as the evaluation target and evaluate its security, such as its attack resistance, that is, whether or not the security countermeasure technology applied to the evaluation target can appropriately defend against an attack.
The present disclosure therefore provides an evaluation apparatus capable of performing an evaluation relating to security with an electronic control system composed of a plurality of ECUs as the evaluation target. The present disclosure also provides an evaluation system capable of performing an evaluation relating to the security of an electronic control system composed of a plurality of ECUs, and an evaluation method for that evaluation.
An evaluation apparatus according to an aspect of the present disclosure is an evaluation apparatus that is connected to a bus used for communication by a plurality of electronic control units in an electronic control system and that performs an evaluation relating to the security of the electronic control system, the evaluation apparatus comprising: a holding unit that holds attack procedure information indicating the contents and transmission order of a plurality of frames; a transmission unit that transmits the plurality of frames to the bus in the transmission order indicated by the attack procedure information; a monitoring unit that monitors an actuator unit controlled by any of the plurality of electronic control units; and an evaluation unit that performs the evaluation based on the monitoring result of the monitoring unit when the plurality of frames are transmitted to the bus by the transmission unit. The monitoring unit can monitor the actuator unit directly or indirectly when the plurality of frames (for example, CAN messages) are transmitted to the bus by the transmission unit (for example, immediately after transmission, or from immediately before to immediately after transmission). This makes it possible to evaluate, with an electronic control system composed of a plurality of electronic control units (ECUs) as the evaluation target, security functions such as a defense function against attacks relating to the driving of the actuator unit.
Further, for example, the plurality of electronic control units may communicate via the bus in accordance with the CAN (Controller Area Network) protocol. This may make it possible to evaluate attack resistance and the like in a CAN-based network in which frames are exchanged between ECUs.
Further, for example, the monitoring unit may, as the monitoring of the actuator unit, detect that a control instruction frame for instructing one of the plurality of electronic control units to control the actuator unit has been transmitted to the bus, and the evaluation unit may perform the evaluation such that the evaluation result differs depending on whether or not the monitoring unit detected that the control instruction frame was transmitted on the bus within a fixed period after one or more of the plurality of frames were transmitted to the bus by the transmission unit. The control instruction frame can be identified, for example, by a frame ID specified by the electronic control system. This allows the electronic control system to be evaluated appropriately by monitoring the bus when frames for controlling the actuator unit are exchanged over the bus.
Further, for example, the monitoring unit may, as the monitoring of the actuator unit, detect that a control signal has been input to the actuator unit from one of the plurality of electronic control units, and the evaluation unit may perform the evaluation such that the evaluation result differs depending on whether or not the monitoring unit detected that the control signal was input to the actuator unit within a fixed period after one or more of the plurality of frames were transmitted to the bus by the transmission unit. The control signal for controlling the actuator unit is specified by the electronic control system. Since this makes it possible to confirm whether or not the attack caused a control signal to reach the actuator unit, an appropriate evaluation may be possible.
Further, for example, the monitoring unit may, as the monitoring of the actuator unit, detect an operation of the actuator unit, and the evaluation unit may perform the evaluation such that the evaluation result differs depending on whether or not the monitoring unit detected that the actuator unit operated within a fixed period after one or more of the plurality of frames were transmitted to the bus by the transmission unit. Since this makes it possible to confirm whether or not the attack caused the actuator unit to operate, an appropriate evaluation may be possible.
Further, for example, the actuator unit may include an actuator, and the monitoring unit may detect the operation of the actuator unit by measuring a physical quantity that changes with the operation of the actuator. Since this makes it possible to confirm whether or not the attack actually caused the actuator to operate, an appropriate evaluation may be possible.
Further, for example, the actuator unit may include a computer that executes a program simulating the operation of an actuator, and the monitoring unit may detect the operation of the actuator unit by observing a change in predetermined data relating to the program on that computer. This may make it possible to evaluate attack resistance and the like when a simulated actuator is used in place of a real one.
Further, for example, the attack procedure information may further indicate transmission intervals for the plurality of frames, and the transmission unit may transmit the plurality of frames to the bus in accordance with the transmission order and transmission intervals indicated by the attack procedure information. This may make it possible to evaluate a defense function and the like against an attack method defined by the transmission order and transmission intervals of a plurality of frames.
Further, for example, the evaluation unit may output, as the evaluation result, information indicating whether or not the electronic control system has attack resistance. A user of the evaluation apparatus can thereby learn whether or not the electronic control system has attack resistance.
Further, for example, the transmission unit may repeat, a plurality of times, an attack pattern in which the plurality of frames are transmitted to the bus in the transmission order indicated by the attack procedure information, and the evaluation unit may perform the evaluation such that the evaluation result differs depending on whether or not the monitoring result changes with the repetition of the attack pattern. This may make it possible to evaluate the attack resistance and the like of the electronic control system against repeated attack patterns.
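As an added example (not the patent's own code), the following Python sketch models the evaluation loop described in the paragraphs above and in the notes on thresholds and repetition earlier on the page: the transmission unit replays attack procedure information (frame content, order and interval) onto a simulated bus, the monitoring unit watches that bus for a control instruction frame within a fixed window after each attack frame, and the evaluation unit reports the number and ratio of attack frames that got through the defense, compares the ratio with an adjustable upper-limit threshold, and checks whether the result changes across repetitions of the pattern. The CAN identifiers, timings, the periodicity-check stand-in for the security ECU and the bus itself are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Timestamps are integer milliseconds so that the timing checks are exact.
@dataclass(frozen=True)
class Frame:
    ts_ms: int      # time the frame appears on the bus
    can_id: int     # CAN identifier
    data: bytes     # payload

@dataclass(frozen=True)
class AttackStep:
    """One entry of the attack procedure information: frame content plus the
    interval to wait before transmitting it; list order is the send order."""
    can_id: int
    data: bytes
    interval_ms: int

# Constructed identifiers and timings of the simulated evaluation target.
SHIFT_POSITION_ID = 0x120       # periodic status message that the attack spoofs
CONTROL_INSTRUCTION_ID = 0x1A0  # instruction ECU -> actuator ECU control frame
REGULAR_PERIOD_MS = 100         # nominal period of the genuine status message
REACTION_MS = 1                 # instruction ECU delay before issuing a control frame
WINDOW_MS = 20                  # monitoring window after each attack frame

class SimulatedTarget:
    """Stand-in for the evaluation target: a security ECU that drops status frames
    arriving less than half the nominal period after the last accepted one, and an
    instruction ECU that issues a control instruction frame for every status frame
    that is accepted.  Everything put on the bus lands in `log`."""

    def __init__(self, defense_enabled: bool) -> None:
        self.defense_enabled = defense_enabled
        self.log: List[Frame] = []          # what the CAN bus monitoring unit sees
        self._last_accepted: Optional[int] = None

    def _security_ecu_accepts(self, frame: Frame) -> bool:
        if not self.defense_enabled or self._last_accepted is None:
            return True
        return frame.ts_ms - self._last_accepted >= REGULAR_PERIOD_MS // 2

    def put(self, frame: Frame) -> None:
        self.log.append(frame)
        if frame.can_id == SHIFT_POSITION_ID and self._security_ecu_accepts(frame):
            self._last_accepted = frame.ts_ms
            self.log.append(Frame(frame.ts_ms + REACTION_MS, CONTROL_INSTRUCTION_ID, frame.data))

def schedule_attack(steps: List[AttackStep], start_ms: int) -> List[Frame]:
    """Transmission unit: lay out the attack frames in procedure order and interval."""
    frames, t = [], start_ms
    for step in steps:
        t += step.interval_ms
        frames.append(Frame(t, step.can_id, step.data))
    return frames

def passed_frames(log: List[Frame], attack: List[Frame]) -> int:
    """Monitoring result: an attack frame 'passed the defense' if a control
    instruction frame appears on the bus within WINDOW_MS after it.  A control frame
    is attributed to the latest attack frame whose window covers it, so one
    reaction is never credited to several attack frames."""
    passed = set()
    for f in log:
        if f.can_id != CONTROL_INSTRUCTION_ID:
            continue
        hits = [a for a in attack if a.ts_ms < f.ts_ms <= a.ts_ms + WINDOW_MS]
        if hits:
            passed.add(max(hits, key=lambda a: a.ts_ms))
    return len(passed)

@dataclass(frozen=True)
class Evaluation:
    passed_per_round: Tuple[int, ...]
    pass_ratio: float
    attack_resistant: bool
    result_changed_across_rounds: bool

def evaluate(steps: List[AttackStep], repeats: int, defense_enabled: bool,
             max_pass_ratio: float, round_gap_ms: int = 300) -> Evaluation:
    """Evaluation unit: repeat the attack pattern, feed attack and regular traffic to
    the target in bus order, and judge attack resistance against an upper limit on
    the ratio of attack frames that got through the defense."""
    target = SimulatedTarget(defense_enabled)
    rounds = [schedule_attack(steps, 500 + r * round_gap_ms) for r in range(repeats)]
    last_ms = max(f.ts_ms for rnd in rounds for f in rnd)
    regular = [Frame(k * REGULAR_PERIOD_MS, SHIFT_POSITION_ID, b"\x01")
               for k in range((last_ms + WINDOW_MS) // REGULAR_PERIOD_MS + 2)]
    for frame in sorted(regular + [f for rnd in rounds for f in rnd], key=lambda f: f.ts_ms):
        target.put(frame)
    per_round = tuple(passed_frames(target.log, rnd) for rnd in rounds)
    ratio = sum(per_round) / (len(steps) * repeats)
    return Evaluation(per_round, ratio, ratio <= max_pass_ratio, len(set(per_round)) > 1)

# Attack procedure information (constructed): three spoofed status frames sent
# 30 ms after a regular frame and then 10 ms apart.
ATTACK_PROCEDURE = [AttackStep(SHIFT_POSITION_ID, b"\x03", 30),
                    AttackStep(SHIFT_POSITION_ID, b"\x03", 10),
                    AttackStep(SHIFT_POSITION_ID, b"\x03", 10)]

if __name__ == "__main__":
    for defended in (False, True):
        print("defense", "on " if defended else "off", evaluate(ATTACK_PROCEDURE, 2, defended, 0.25))
```

With the defense off every attack frame produces a control instruction frame; with the periodicity check on, the frame that lands exactly at the check's tolerance still gets through in each round, which is what the count, ratio and threshold verdict are there to surface.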
An evaluation system according to an aspect of the present disclosure is an evaluation system that performs an evaluation relating to the security of an electronic control system comprising a plurality of electronic control units that communicate via a bus, the evaluation system comprising: a holding unit that holds attack procedure information indicating the contents and transmission order of a plurality of frames; a transmission unit that transmits the plurality of frames to the bus in the transmission order indicated by the attack procedure information; a monitoring unit that monitors an actuator unit controlled by any of the plurality of electronic control units; and an evaluation unit that performs the evaluation based on the monitoring result of the monitoring unit when the plurality of frames are transmitted to the bus by the transmission unit. This makes it possible to evaluate security functions such as a defense function against attacks relating to the driving of the actuator unit in an electronic control system composed of a plurality of ECUs.
An evaluation method according to an aspect of the present disclosure is an evaluation method for performing an evaluation relating to the security of an electronic control system comprising a plurality of electronic control units that communicate via a bus, the method comprising: holding attack procedure information indicating the contents and transmission order of a plurality of frames; transmitting the plurality of frames to the bus in the transmission order indicated by the attack procedure information; monitoring, when the plurality of frames are transmitted to the bus, an actuator unit controlled by any of the plurality of electronic control units; and performing the evaluation based on the result of the monitoring. This makes it possible to evaluate, with an electronic control system composed of a plurality of ECUs as the evaluation target, security functions such as a defense function against attacks relating to the driving of the actuator unit.
Further, for example, the plurality of electronic control units may communicate via the bus in accordance with the CAN (Controller Area Network) protocol, and the evaluation method may perform the evaluation such that the evaluation result differs depending on whether or not it was detected that a control instruction frame for instructing one of the plurality of electronic control units to control the actuator unit was transmitted to the bus within a fixed period after one or more of the plurality of frames were transmitted to the bus. This may make it possible to evaluate the attack resistance and the like of an electronic control system such as a CAN-based in-vehicle network system.
These general or specific aspects may be realized by a system, a method, an integrated circuit, a computer program, or a computer-readable recording medium such as a CD-ROM, or by any combination of a system, a method, an integrated circuit, a computer program and a recording medium.
An evaluation system according to an embodiment is described below with reference to the drawings. Each embodiment shown here is a specific example of the present disclosure. Accordingly, the numerical values, components, arrangement and connection of components, steps (processes) and order of steps shown in the following embodiments are merely examples and do not limit the present disclosure. Among the components in the following embodiments, those not recited in the independent claims are components that may be added arbitrarily. The figures are schematic diagrams and are not necessarily drawn precisely.
(Embodiment 1)
An evaluation apparatus and an evaluation method for evaluating the security of an in-vehicle network system (electronic control system) mounted on an automobile (vehicle) and composed of a plurality of electronic control units (ECUs) that communicate via a bus, together with an evaluation system including the electronic control system and the evaluation apparatus, are described below.
[1.1 Configuration of Evaluation System 10]
FIG. 1 is a configuration diagram showing the schematic configuration of the evaluation system 10. As shown in the figure, the evaluation system 10 includes an evaluation device 101 and an electronic control system 11. The evaluation system 10 takes the electronic control system 11 as the evaluation target and evaluates its attack resistance (for example, whether or not the security countermeasure technology that defends against attacks is working properly).
The electronic control system 11 is an in-vehicle network system and includes an in-vehicle network made up of a plurality of electronic control units (ECUs) that are connected to various devices in the vehicle, such as control devices, sensors, actuators (for example, electronically controllable steering, accelerator and brakes) and user interface devices, and that transmit and receive frames via the in-vehicle bus (CAN bus). In the electronic control system 11, the ECUs exchange frames and cooperate to realize functions such as the parking assistance function, the lane keeping assistance function and the collision avoidance assistance function, which are functions of an advanced driver assistance system (ADAS).
A vehicle may contain many sensors, actuators, ECUs and so on, but for convenience of explanation the electronic control system 11 is described here, as one example, as including an actuator ECU 102, an instruction ECU 103, a security ECU 104, a shift position ECU 105, a vehicle speed ECU 106 and an actuator 107, as shown in FIG. 1. Here, the actuator 107 stands for the steering, accelerator, brakes and the like, and the actuator ECU 102 likewise stands for an ECU that controls one or more of the steering, accelerator, brakes and the like. Each ECU communicates over the CAN bus 20 as its communication path in accordance with the CAN standard (protocol). A data frame (also called a CAN message), which is the frame used for data transmission in CAN, is defined to include an ID field storing an ID (message ID), a data field storing data, and so on.
The actuator ECU 102 is connected to the actuator 107 (for example, steering, accelerator, brakes) via a signal line and is also connected to the CAN bus 20, and it controls the actuator 107 based on CAN messages received via the CAN bus 20.
The instruction ECU 103 is connected to the CAN bus 20, acquires CAN messages indicating the state of the vehicle and the like, and, under certain conditions, transmits an instruction for controlling the actuator 107 (for example, a steering operation instruction) to the actuator ECU 102 as a CAN message.
The security ECU 104 constantly monitors the CAN bus 20 and, when it detects, for example, that an illegitimate CAN message (an attack CAN message) is flowing, takes a countermeasure such as invalidating that CAN message. Any method may be used to invalidate a CAN message; for example, the message can be invalidated by transmitting an error frame, as defined in the CAN protocol, so that it is superimposed on the illegitimate CAN message.
The shift position ECU 105 and the vehicle speed ECU 106 acquire the state of the vehicle in which they are mounted and transmit it to the CAN bus 20 as CAN messages. The shift position ECU 105 transmits a CAN message indicating the state of the transmission gear (parking: P, reverse: R, drive: D, etc.) corresponding to the position of the vehicle's shift lever, and the vehicle speed ECU 106 transmits a CAN message indicating the vehicle speed.
The evaluation device 101 is a device that evaluates the attack resistance of the security countermeasure technology applied to the electronic control system 11 (the evaluation target). Based on the attack procedure information 108 it holds, the evaluation device 101 mounts an attack (hacking) on the evaluation target, performs monitoring in order to observe the reaction to the attack, and performs an evaluation according to the monitoring result. One example of the evaluation by the evaluation device 101 is a determination of whether or not the target is resistant to that attack (whether the attack or the defense succeeded). Specifically, the monitoring performed by the evaluation device 101 consists of monitoring the frames (messages) flowing on the CAN bus 20, monitoring the input signal to the actuator 107 (that is, the output signal of the actuator ECU 102), and monitoring the behavior (operation) of the actuator 107 itself. The attack procedure information 108 indicates the procedure for mounting the attack (the type, order, timing, frequency and so on of the CAN messages to be transmitted).
Each component of the evaluation system 10 is described in detail below.
[1.2 Configuration of Evaluation Device 101]
FIG. 2 is a configuration diagram of the evaluation device 101 in the evaluation system 10.
As shown in FIG. 2, the evaluation device 101 includes a monitoring unit 200 (a CAN bus monitoring unit 203, a signal monitoring unit 204 and an actuator monitoring unit 205), a transmission/reception unit 201 (a transmission unit 201a and a reception unit 201b), a holding unit 202, an evaluation unit 206 and a control unit 207.
The evaluation device 101 is a device including, for example, a processor (microprocessor), digital circuits such as memory, analog circuits, communication circuits, a hard disk and so on. The memory is ROM, RAM or the like and can store a control program (a computer program, as software) executed by the processor. The evaluation device 101 realizes its various functions by, for example, the processor operating (controlling the various circuits and so on) in accordance with the control program (computer program). A computer program is composed of a combination of a plurality of instruction codes indicating instructions to the processor in order to achieve a predetermined function.
(1) Transmission/reception unit 201
The transmission/reception unit 201 is realized by a communication circuit or the like and is composed of the transmission unit 201a and the reception unit 201b. The transmission unit 201a transmits CAN messages (for example, data frames indicating a shift position, a vehicle speed or a steering operation instruction) to the CAN bus 20. The reception unit 201b receives CAN messages flowing on the CAN bus 20 (for example, a data frame indicating a steering operation instruction transmitted by the instruction ECU 103).
(2) Holding unit 202
The holding unit 202 is realized by a storage medium such as memory or a hard disk and stores the attack procedure information 108, which indicates the procedure of the attack that the evaluation device 101 mounts in order to evaluate the attack resistance and the like of the evaluation target. The attack procedure information 108 indicates the transmission order and the like of a plurality of attack frames (CAN messages). Details of the attack procedure information 108 are described later with reference to FIG. 7.
(3) CAN bus monitoring unit 203
The CAN bus monitoring unit 203 is realized by, for example, a processor executing a program, and monitors the CAN bus 20 to which the plurality of ECUs of the electronic control system 11 under evaluation are connected. Specifically, the CAN bus monitoring unit 203 receives CAN messages via the reception unit 201b and checks the content (payload) of the data contained in each CAN message. For example, as monitoring concerning the actuator 107, the CAN bus monitoring unit 203 detects that a control instruction frame, with which the instruction ECU 103 connected to the CAN bus 20 instructs that the actuator 107 be controlled, has been transmitted on the CAN bus 20. The CAN bus monitoring unit 203 then checks, for example, the content of the data field of the control instruction frame (the data frame concerning the steering operation instruction) transmitted by the instruction ECU 103 (the enable/disable flag of the parking assistance function, the specified steering angle and so on).
(4) Signal monitoring unit 204
The signal monitoring unit 204 observes the signal that the actuator ECU 102 transmits to the actuator 107 over the signal line (the input signal to the actuator 107) and checks its content. The signal monitoring unit 204 is realized by, for example, a communication circuit connected to the actuator ECU 102, to the actuator 107 or to the signal line between them, a processor executing a program, and so on.
(5) Actuator monitoring unit 205
The actuator monitoring unit 205 observes the actuator 107 and checks its behavior (operation). Checking the operation of the actuator 107 means checking its state, such as the amount of rotation if the actuator 107 is the steering or the amount of displacement if it is the accelerator or brake, and whether or not that state has changed. The actuator monitoring unit 205 is realized by, for example, a sensor that directly or indirectly measures a physical phenomenon produced by the actuator 107 (a physical quantity that changes with the operation of the actuator 107), a processor executing a program, and so on.
(6) Evaluation unit 206
The evaluation unit 206 is realized by a processor or the like executing a program. The evaluation unit 206 evaluates the security of the electronic control system 11 based on the results of the checks made through monitoring by the monitoring unit 200 (the CAN bus monitoring unit 203, the signal monitoring unit 204 and the actuator monitoring unit 205). Specifically, the evaluation unit 206 compares all or part of the check results of the monitoring unit 200 with the expected values for when CAN messages are transmitted based on the attack procedure information 108, and determines whether or not the attack succeeded (for example, whether or not the defense function against the attack operated properly). The expected values are, for example, the behavior of the actuator expected as the result of the attack, the control signal input to the actuator 107 expected as the result of the attack, and the CAN message (for example, a control instruction frame) that the instruction ECU 103 is expected to transmit as the result of the attack; they can be defined in advance. The evaluation unit 206 performs the evaluation based on the monitoring results of the monitoring unit 200 at the time the transmission unit 201a transmits attack CAN messages based on the attack procedure information 108 to the CAN bus 20 (for example, during a certain period immediately after transmission, or from immediately before transmission to immediately after it). For example, the evaluation unit 206 may determine whether or not the CAN bus monitoring unit 203 detected that a control instruction frame was transmitted on the CAN bus 20 within a certain period after one or more of the plurality of attack frames (CAN messages) indicated in the attack procedure information 108 was transmitted to the CAN bus 20 by the transmission unit 201a, and evaluate so that the evaluation result differs depending on whether or not the control instruction frame was detected. Likewise, the evaluation unit 206 may evaluate so that the evaluation result differs depending on whether or not the signal monitoring unit 204 detected that a control signal was input to the actuator 107 within a certain period after one or more of the attack CAN messages was transmitted to the CAN bus 20. The evaluation unit 206 may also evaluate so that the evaluation result differs depending on whether or not the actuator monitoring unit 205 detected that the actuator 107 operated within a certain period after one or more of the attack CAN messages was transmitted to the CAN bus 20.
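As an added example (not code from the patent), the decision logic of the evaluation unit 206 described above can be modelled as follows: the time-stamped observations of the three monitors are compared with predefined expected values inside a window around each attack-frame transmission. Monitor names, event names and the sample timeline are constructed for this example, and the layered summary goes slightly beyond the page, which only states that the result differs by what each monitor detected.

```python
"""Model of the evaluation logic of evaluation unit 206 (added example).

The evaluation device records when transmission unit 201a put each attack frame
on the CAN bus; the three monitors of monitoring unit 200 report what they saw.
The evaluation compares those reports with the expected values (what a
successful attack would produce) inside a window around each transmission.
All names, timestamps and sample data below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Monitor identifiers (the three parts of monitoring unit 200)
CAN_BUS = "can_bus"    # CAN bus monitoring unit 203
SIGNAL = "signal"      # signal monitoring unit 204
ACTUATOR = "actuator"  # actuator monitoring unit 205

# Expected values: the event each monitor would report if the attack took effect.
EXPECTED_ON_SUCCESS: Dict[str, str] = {
    CAN_BUS: "control_instruction_frame",  # instruction ECU 103 issued an instruction
    SIGNAL: "steering_control_signal",     # actuator ECU 102 drove the signal line
    ACTUATOR: "steering_rotation",         # the steering actually moved
}


@dataclass(frozen=True)
class Observation:
    """One event reported by a monitor, time-stamped on the evaluation device's clock."""
    source: str
    time_ms: int
    event: str


@dataclass
class Verdict:
    detected: Dict[str, bool]     # per monitor: expected attack effect seen in a window?
    countermeasure_seen: bool     # bus monitor saw an error frame in a window?
    attack_effect_observed: bool  # any monitor matched its expected value
    summary: str


def in_window(t: int, send_times: Iterable[int], pre_ms: int, post_ms: int) -> bool:
    """True if t lies in [send - pre_ms, send + post_ms] for any attack transmission.

    pre_ms > 0 models the 'immediately before to immediately after' variant."""
    return any(s - pre_ms <= t <= s + post_ms for s in send_times)


def evaluate(observations: List[Observation], send_times_ms: List[int],
             post_ms: int = 500, pre_ms: int = 0,
             expected: Dict[str, str] = EXPECTED_ON_SUCCESS) -> Verdict:
    """Compare monitor reports with expected values around each attack transmission."""
    windowed = [o for o in observations
                if in_window(o.time_ms, send_times_ms, pre_ms, post_ms)]
    detected = {src: any(o.source == src and o.event == ev for o in windowed)
                for src, ev in expected.items()}
    countermeasure_seen = any(o.source == CAN_BUS and o.event == "error_frame"
                              for o in windowed)

    # Layered reading: each monitor sits one stage further along the chain
    # instruction ECU 103 -> actuator ECU 102 -> actuator 107.
    if detected[ACTUATOR]:
        summary = "attack succeeded: actuator operated"
    elif detected[SIGNAL]:
        summary = "actuator ECU issued control signal but actuator did not operate"
    elif detected[CAN_BUS]:
        summary = "control instruction frame appeared but actuator ECU did not act"
    else:
        summary = "defended: no control instruction, signal or actuator motion observed"
    if countermeasure_seen:
        summary += " (error frame seen on bus)"
    return Verdict(detected, countermeasure_seen, any(detected.values()), summary)


# Constructed sample run: two attack frames sent at t = 1000 ms and t = 1100 ms.
SAMPLE_SEND_TIMES = [1000, 1100]
SAMPLE_OBSERVATIONS = [
    Observation(CAN_BUS, 400, "control_instruction_frame"),   # legitimate, before attack
    Observation(CAN_BUS, 1005, "error_frame"),                # security ECU 104 reacted
    Observation(CAN_BUS, 1110, "control_instruction_frame"),  # instruction still issued
    Observation(SIGNAL, 2500, "steering_control_signal"),     # outside window, unrelated
]


def run_sample() -> Verdict:
    return evaluate(SAMPLE_OBSERVATIONS, SAMPLE_SEND_TIMES)


if __name__ == "__main__":
    v = run_sample()
    print(v.detected)
    print(v.summary)
```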
(7) Control unit 207
The control unit 207 is realized by a processor or the like executing a program, and manages and controls the monitoring unit 200, the transmission/reception unit 201, the holding unit 202 and the evaluation unit 206 to realize the functions of the evaluation device 101.
[1.3 Configuration of Actuator ECU 102]
FIG. 3 is a configuration diagram of the actuator ECU 102.
As shown in FIG. 3, the actuator ECU 102 includes a transmission/reception unit 301, an instruction transmission unit 302, a state acquisition unit 303, a determination unit 304 and a control unit 305.
The actuator ECU 102 is an ECU connected to the CAN bus 20. An ECU is a device including, for example, a processor, digital circuits such as memory, analog circuits, communication circuits and so on. The memory is ROM, RAM or the like and can store a control program executed by the processor. The actuator ECU 102 performs its functions by, for example, the processor operating (controlling the various circuits and so on) in accordance with the control program (computer program).
(1) Transmission/reception unit 301
The transmission/reception unit 301 transmits CAN messages to the CAN bus 20 and receives CAN messages flowing on the CAN bus 20. For example, the transmission/reception unit 301 receives CAN messages indicating a shift position, a vehicle speed or a steering operation instruction.
(2) Instruction transmission unit 302
The instruction transmission unit 302 transmits a control signal to the actuator 107 over the signal line based on the CAN messages received via the transmission/reception unit 301. For the steering, for example, the control signal is a signal that indicates a rotation angle or the like and instructs rotation (a steering operation instruction); for the accelerator or brake, it is a signal that indicates an amount of displacement (for example, an amount of depression) and instructs actuation.
(3) State acquisition unit 303
The state acquisition unit 303 acquires the state of the actuator 107 via the signal line connected to the actuator 107. The state acquired by the state acquisition unit 303 is, for example, the rotation angle if the actuator 107 is the steering, or the amount of displacement (for example, the amount of depression) if it is the accelerator or brake.
(4) Determination unit 304
The determination unit 304 determines, based on the CAN messages received via the transmission/reception unit 301, whether or not to transmit a control signal to the actuator 107. For example, when issuing a control signal instructing the steering as the actuator 107, the determination unit 304 determines whether or not to issue the control signal based on information such as the shift position, vehicle speed and steering operation instruction received via the transmission/reception unit 301, and decides the control amount (rotation angle or the like) to be specified in the control signal.
(5) Control unit 305
The control unit 305 manages and controls the transmission/reception unit 301, the instruction transmission unit 302, the state acquisition unit 303 and the determination unit 304 to realize the functions of the actuator ECU 102.
[1.4 Configuration of Instruction ECU 103]
FIG. 4 is a configuration diagram of the instruction ECU 103.
As shown in FIG. 4, the instruction ECU 103 includes a transmission/reception unit 401, a determination unit 402, a calculation unit 403 and a control unit 404.
The instruction ECU 103 is an ECU connected to the CAN bus 20. The instruction ECU 103 performs its functions by its processor operating in accordance with a control program (computer program) stored in memory.
(1) Transmission/reception unit 401
The transmission/reception unit 401 transmits CAN messages to the CAN bus 20 and receives CAN messages flowing on the CAN bus 20. For example, the transmission/reception unit 401 transmits CAN messages indicating a steering operation instruction and receives CAN messages indicating a shift position or a vehicle speed.
(2) Determination unit 402
The determination unit 402 determines, based on the CAN messages received via the transmission/reception unit 401, whether or not to issue a control instruction (for example, a CAN message that is a control instruction frame indicating a steering operation instruction) to the actuator ECU 102. For example, when issuing a control instruction to the actuator ECU 102 to have the steering controlled, it determines whether or not to issue the control instruction from the shift position and vehicle speed indicated by the CAN messages received via the transmission/reception unit 401, information on the start of the parking assistance function, and so on. Here it is assumed that, in the electronic control system 11, the CAN message carrying information on the start of the parking assistance function is transmitted by, for example, an ECU (not shown) with a user interface that is connected to the CAN bus 20. That ECU may transmit the CAN message indicating the start of the parking assistance function in response to, for example, an operation by the vehicle's driver.
(3) Calculation unit 403
The calculation unit 403 calculates, based on the CAN messages received via the transmission/reception unit 401, the control amount (for example, the rotation angle of the steering) to be specified in the control instruction.
(4) Control unit 404
The control unit 404 manages and controls the transmission/reception unit 401, the determination unit 402 and the calculation unit 403 to realize the functions of the instruction ECU 103.
[1.5 Configuration of Security ECU 104]
FIG. 5 is a configuration diagram of the security ECU 104.
As shown in FIG. 5, the security ECU 104 includes a transmission/reception unit 501, a CAN bus monitoring unit 502 and a control unit 503.
The security ECU 104 is an ECU connected to the CAN bus 20 that has a security function (a defense function or the like) for dealing with attacks. The security ECU 104 performs its functions by its processor operating in accordance with a control program (computer program) stored in memory.
(1) Transmission/reception unit 501
The transmission/reception unit 501 receives CAN messages flowing on the CAN bus 20 and, on instruction from the CAN bus monitoring unit 502, transmits an error frame to the CAN bus 20 in order to invalidate an illegitimate CAN message. For example, the transmission/reception unit 501 receives CAN messages indicating a shift position, a vehicle speed or a steering operation instruction.
(2) CAN bus monitoring unit 502
The CAN bus monitoring unit 502 checks the content (payload) of the data contained in the CAN messages received via the transmission/reception unit 501 from the CAN bus 20, to which the plurality of ECUs are connected. When the CAN bus monitoring unit 502 confirms that an illegitimate CAN message (that is, a CAN message that does not comply with the rules predetermined in the electronic control system 11) is flowing, it transmits an error frame via the transmission/reception unit 501.
(3) Control unit 503
The control unit 503 manages and controls the transmission/reception unit 501 and the CAN bus monitoring unit 502 to realize the functions of the security ECU 104.
[1.6 Configurations of Shift Position ECU 105 and Vehicle Speed ECU 106]
FIG. 6 is a configuration diagram of the shift position ECU 105.
As shown in FIG. 6, the shift position ECU 105 includes a transmission/reception unit 601, a state acquisition unit 602 and a control unit 603. The vehicle speed ECU 106 has the same configuration as the shift position ECU 105.
シフト位置ECU105及び車速ECU106のそれぞれは、CANバス20に接続されたECUである。それぞれのECUのプロセッサが、メモリに記憶された制御プログラム(コンピュータプログラム)に従って動作することにより、それぞれのECUは機能を果たす。
Each of the shift position ECU 105 and the vehicle speed ECU 106 is an ECU connected to the CAN bus 20. Each ECU functions by the processor of each ECU operating according to a control program (computer program) stored in the memory.
(1) Transmission/reception unit 601
The transmission/reception unit 601 transmits CAN messages to the CAN bus 20 and receives CAN messages flowing on the CAN bus 20.
(2) State acquisition unit 602
The state acquisition unit 602 acquires the state of the vehicle from a sensor or the like and transmits, via the transmission/reception unit 601, a CAN message indicating the acquired state. The state acquisition unit 602 of the shift position ECU 105 acquires the shift position, and the state acquisition unit 602 of the vehicle speed ECU 106 acquires the vehicle speed.
(3) Control unit 603
The control unit 603 manages and controls the transmission/reception unit 601 and the state acquisition unit 602 to realize the functions of the shift position ECU 105 or the vehicle speed ECU 106.
[1.7 Attack procedure information]
FIG. 7 shows an example of the attack procedure information 108 held in the holding unit 202 of the evaluation device 101. In the example of FIG. 7, the attack procedure information 108 indicates the function to be evaluated (the function of the electronic control system 11 targeted by the attack), the CAN messages to be transmitted for the attack, the message ID of each CAN message, the data content of each CAN message (that is, the content notified or instructed to other ECUs), the transmission interval of the CAN messages, and their transmission order.
For the case where the parking assist function is the attack target, the attack procedure information 108 of FIG. 7 indicates that the following should be transmitted: first, a shift position notification CAN message with ID (message ID) 0x0123 notifying that the shift position is "reverse"; then, a vehicle speed notification CAN message with ID 0x0034 notifying that the vehicle speed is "6 km/h"; and finally, a steering operation instruction CAN message with ID 0x0256 carrying the flag "1" and the steering angle designation "right turn 15 degrees", in order to turn the steering 15 degrees to the right. This flag is a valid/invalid flag indicating whether the parking assist function is enabled: "1" indicates enabled and "0" indicates not enabled (disabled). The example of FIG. 7 is merely one example, and the content of the attack procedure information 108 can be defined arbitrarily. The transmission unit 201a transmits the plurality of CAN messages to the CAN bus 20 in the transmission order indicated by the attack procedure information 108. The attack procedure information 108 may also specify the transmission intervals between the plurality of CAN messages; in that case, the transmission unit 201a transmits the plurality of CAN messages to the CAN bus 20 in accordance with both the transmission order and the transmission intervals indicated by the attack procedure information 108.
In the electronic control system 11, the CAN messages concerning the shift position, the vehicle speed, and the steering operation instruction (the enabled/disabled state of the parking assist function) are always transmitted periodically on the CAN bus 20. When no steering operation is required (the parking assist function is not active), the CAN message concerning the steering operation instruction (enabled/disabled state of the parking assist function) is transmitted periodically with the flag set to "0"; when a steering operation is required (the parking assist function is to be activated), that CAN message with the flag changed to "1" (that is, a CAN message indicating a steering operation instruction) is transmitted periodically.
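The attack procedure information of FIG. 7, expressed as a data structure together with the scheduler that the transmission unit would need to turn it into ordered, timed frames. This is an added example and not code from the patent: the message IDs 0x0123, 0x0034 and 0x0256 and the values (reverse, 6 km/h, flag 1, right 15 degrees) are those of FIG. 7, while the byte layout of each payload (`encode_shift`, `encode_speed`, `encode_steering`), the 20 ms intervals and the `validate`/`schedule`/`to_socketcan_frame` helpers are assumptions made for the example.

```python
"""Attack procedure information (FIG. 7 of the patent) as data, plus a scheduler.
Added example; payload encodings and helper names are assumptions, not the patent's."""
import struct
from dataclasses import dataclass, field
from typing import List, Tuple

SHIFT_CODES = {"P": 0, "R": 1, "N": 2, "D": 3}  # assumed one-byte shift encoding


@dataclass(frozen=True)
class AttackStep:
    order: int        # transmission order within the procedure
    can_id: int       # 11-bit standard CAN message ID
    payload: bytes    # data field, 0..8 bytes
    interval_ms: int  # delay before this step, relative to the previous one
    note: str = ""


@dataclass
class AttackProcedure:
    target_function: str  # evaluation target function (the attacked function)
    steps: List[AttackStep] = field(default_factory=list)


def encode_shift(position: str) -> bytes:
    return bytes([SHIFT_CODES[position]])


def encode_speed(kmh: int) -> bytes:
    # assumed: speed in units of 0.01 km/h, 16-bit big-endian
    return (kmh * 100).to_bytes(2, "big")


def encode_steering(enable: bool, angle_deg: int) -> bytes:
    # assumed: byte 0 = parking-assist enable flag, byte 1 = signed angle, right turn positive
    return bytes([1 if enable else 0]) + angle_deg.to_bytes(1, "big", signed=True)


# The FIG. 7 example: shift to reverse, speed 6 km/h, then steer 15 degrees to the right.
PARKING_ASSIST_ATTACK = AttackProcedure(
    target_function="parking assist",
    steps=[
        AttackStep(1, 0x0123, encode_shift("R"), 0, "shift position: reverse"),
        AttackStep(2, 0x0034, encode_speed(6), 20, "vehicle speed: 6 km/h"),
        AttackStep(3, 0x0256, encode_steering(True, 15), 20, "flag 1, right turn 15 deg"),
    ],
)


def validate(proc: AttackProcedure) -> List[str]:
    """Return the rule violations found; an empty list means the procedure is well formed."""
    problems = []
    orders = sorted(s.order for s in proc.steps)
    if orders != list(range(1, len(proc.steps) + 1)):
        problems.append("transmission orders must be 1..n without gaps")
    for s in proc.steps:
        if not 0 <= s.can_id <= 0x7FF:
            problems.append(f"step {s.order}: ID 0x{s.can_id:X} is not an 11-bit ID")
        if len(s.payload) > 8:
            problems.append(f"step {s.order}: payload longer than 8 bytes")
        if s.interval_ms < 0:
            problems.append(f"step {s.order}: negative interval")
    return problems


def schedule(proc: AttackProcedure) -> List[Tuple[int, int, bytes]]:
    """Turn the procedure into (send_time_ms, can_id, payload) tuples in transmission order,
    accumulating the per-step intervals into absolute send times."""
    problems = validate(proc)
    if problems:
        raise ValueError(problems)
    t, out = 0, []
    for step in sorted(proc.steps, key=lambda s: s.order):
        t += step.interval_ms
        out.append((t, step.can_id, step.payload))
    return out


def to_socketcan_frame(can_id: int, payload: bytes) -> bytes:
    """Pack one frame as Linux SocketCAN's 16-byte struct can_frame
    (u32 can_id, u8 length, 3 pad bytes, 8 data bytes), ready to write to a raw CAN socket."""
    return struct.pack("=IB3x8s", can_id, len(payload), payload.ljust(8, b"\x00"))


if __name__ == "__main__":
    for t_ms, can_id, payload in schedule(PARKING_ASSIST_ATTACK):
        print(f"t={t_ms:3d} ms  ID=0x{can_id:03X}  data={payload.hex()}")
```

Feeding the output of `schedule` to a raw SocketCAN socket (one `write` of `to_socketcan_frame(...)` per step, sleeping for the interval in between) is the transmission-order-and-interval behaviour that Section 1.7 ascribes to the transmission unit 201a.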
[1.8 Operation of Evaluation System 10]
The following describes the operation in which, in the evaluation system 10 having the configuration described above, the evaluation device 101 evaluates the electronic control system 11 under evaluation by attacking it (by transmitting CAN messages) in accordance with the attack procedure information 108. First, operation examples 1 and 2 describe evaluating the electronic control system 11 in a state with the security ECU 104 removed (for example, before the security ECU 104 is introduced); operation examples 3 and 4 then describe evaluating the electronic control system 11 in a state with the security ECU 104 present (for example, after the security ECU 104 is introduced).
[1.8.1 Operation example 1 of evaluation system 10]
FIGS. 8 to 10 are sequence diagrams showing the operation (operation example 1) of the evaluation system 10 evaluating the electronic control system 11 without the security ECU 104. The sequence diagram of FIG. 8 continues into FIG. 9, and the sequence diagram of FIG. 9 continues into FIG. 10. Operation example 1 shows a case in which the evaluation device 101 causes the actuator ECU 102 to misrecognize the vehicle state through an attack. In the electronic control system 11, the CAN messages concerning the shift position, the vehicle speed, and the steering operation instruction are transmitted periodically by the shift position ECU 105, the vehicle speed ECU 106, and the instruction ECU 103, respectively.
The shift position ECU 105 transmits a CAN message indicating the current shift position (drive: D) to the CAN bus 20 (step S801), and the actuator ECU 102 receives that shift position CAN message from the CAN bus 20 (step S802).
Immediately after the CAN message indicating the shift position (drive: D) has flowed on the CAN bus 20, the evaluation device 101, aiming for example to overwrite the buffer used for periodic processing of CAN messages in the actuator ECU 102, transmits to the CAN bus 20, in accordance with the attack procedure information 108, a CAN message indicating a false shift position (reverse: R) that misrepresents the current shift position (step S803). As a result, the actuator ECU 102 receives that shift position CAN message from the CAN bus 20 and erroneously recognizes that the current shift position is reverse: R (step S804).
The vehicle speed ECU 106 transmits a CAN message indicating the current vehicle speed (30 km/h) to the CAN bus 20 (step S805), and the actuator ECU 102 receives that vehicle speed CAN message from the CAN bus 20 (step S806).
Immediately after the CAN message indicating the vehicle speed (30 km/h) has flowed on the CAN bus 20, the evaluation device 101 transmits to the CAN bus 20 a CAN message indicating a false vehicle speed (0 km/h) that misrepresents the current vehicle speed (step S807). As a result, the actuator ECU 102 receives that vehicle speed CAN message from the CAN bus 20 and erroneously recognizes that the current vehicle speed is 0 km/h (step S808).
The instruction ECU 103 transmits to the CAN bus 20 a CAN message indicating that the parking assist function is currently not enabled (flag: 0) (step S901), and the actuator ECU 102 receives that CAN message concerning the enabled/disabled state of the parking assist function from the CAN bus 20 (step S902).
Immediately after the CAN message indicating that the parking assist function is not enabled (flag: 0) has flowed on the CAN bus 20, the evaluation device 101 transmits to the CAN bus 20 a CAN message indicating that the parking assist function is currently enabled (flag: 1) (step S903). As a result, the actuator ECU 102 receives that CAN message concerning the enabled/disabled state of the parking assist function from the CAN bus 20, erroneously recognizes that the parking assist function is currently enabled (step S904), and transmits a control signal (steering operation instruction) for operating the steering, based on the steering angle designation contained in that CAN message (which, since the parking assist function is enabled, is a CAN message indicating a steering operation instruction) (step S905). The steering serving as the actuator 107 then operates in accordance with the received control signal (steering operation instruction) (step S906). In the following description, the steering serving as the actuator 107 is referred to as the actuator 107 (steering).
The evaluation device 101 receives (monitors) the control signal (steering operation instruction) that the actuator ECU 102 transmitted to the actuator 107 (steering) (step S1001). The evaluation device 101 also confirms (observes) the behavior of the actuator 107 (steering) (step S1002). The evaluation device 101 evaluates the security of the electronic control system 11 (for example, judges whether the attack succeeded) by comparing the received control signal and the confirmed behavior of the actuator 107 (steering) with the expected values for the attack (step S1003). For example, the evaluation device 101 judges that the attack succeeded when the received control signal and the confirmed behavior of the actuator 107 (steering) match the control signal and behavior expected for the attack. The evaluation device 101 may also judge the success or failure of the attack against the expected values using only one of the two results: the result of monitoring the control signal input to the actuator 107 (steering), or the result of confirming the behavior of the actuator 107 (steering).
By confirming that the attack according to the attack procedure information 108 succeeds, the evaluation device 101 makes it possible, for example, to evaluate the effect of a security countermeasure technique (for example, the security ECU 104) subsequently introduced into the electronic control system 11.
[1.8.2 Operation example 2 of evaluation system 10]
FIGS. 11 and 12 are sequence diagrams showing the operation (operation example 2) of the evaluation system 10 evaluating the electronic control system 11 without the security ECU 104. The sequence diagram of FIG. 11 continues into FIG. 12. Operation example 2 shows a case in which the evaluation device 101 causes the instruction ECU 103 to misrecognize the vehicle state through an attack.
The shift position ECU 105 transmits a CAN message indicating the current shift position (drive: D) to the CAN bus 20 (step S1101), and the instruction ECU 103 receives that shift position CAN message from the CAN bus 20 (step S1102). The actuator ECU 102 likewise receives that shift position CAN message from the CAN bus 20 (step S1103).
Immediately after the CAN message indicating the shift position (drive: D) has flowed on the CAN bus 20, the evaluation device 101 transmits to the CAN bus 20, in accordance with the attack procedure information 108, a CAN message indicating a false shift position (reverse: R) that misrepresents the current shift position (step S1104). As a result, the instruction ECU 103 receives that shift position CAN message from the CAN bus 20 and erroneously recognizes that the current shift position is reverse: R (step S1105). The actuator ECU 102 likewise receives that shift position CAN message from the CAN bus 20 and erroneously recognizes that the current shift position is reverse: R (step S1106).
The vehicle speed ECU 106 transmits a CAN message indicating the current vehicle speed (30 km/h) to the CAN bus 20 (step S1107), and the instruction ECU 103 receives that vehicle speed CAN message from the CAN bus 20 (step S1108). The actuator ECU 102 likewise receives that vehicle speed CAN message from the CAN bus 20 (step S1109).
Immediately after the CAN message indicating the vehicle speed (30 km/h) has flowed on the CAN bus 20, the evaluation device 101 transmits to the CAN bus 20 a CAN message indicating a false vehicle speed (0 km/h) that misrepresents the current vehicle speed (step S1110). As a result, the instruction ECU 103 receives that vehicle speed CAN message from the CAN bus 20 and erroneously recognizes that the current vehicle speed is 0 km/h (step S1111). The actuator ECU 102 likewise receives that vehicle speed CAN message from the CAN bus 20 and erroneously recognizes that the current vehicle speed is 0 km/h (step S1112).
The evaluation device 101 transmits to the CAN bus 20 a CAN message indicating that the parking assist function is to be started (step S1201), and the instruction ECU 103 receives that CAN message concerning the start of the parking assist function (the CAN message indicating that the parking assist function is to be started) from the CAN bus 20 (step S1202).
Next, because the false shift position and vehicle speed it has already received satisfy the fixed conditions for executing the parking assist function, the instruction ECU 103 transmits to the CAN bus 20 a CAN message indicating that the parking assist function is enabled (flag: 1) (that is, a CAN message indicating a steering operation instruction) (step S1203). As a result, the actuator ECU 102 receives that CAN message concerning the enabled/disabled state of the parking assist function from the CAN bus, erroneously recognizes that the parking assist function is currently enabled (step S1204), and transmits a control signal (steering operation instruction) to the actuator 107 (steering) based on the steering angle designation contained in that CAN message (the CAN message indicating the steering operation instruction) (step S1205). The actuator 107 (steering) then operates in accordance with the received control signal (steering operation instruction) (step S1206).
The evaluation device 101 also receives (monitors) the CAN message (flag: 1) concerning the enabled/disabled state of the parking assist function that the instruction ECU 103 transmitted to the CAN bus (step S1207). The evaluation device 101 evaluates the security of the electronic control system 11 (for example, judges whether the attack succeeded) by comparing the content of the received CAN message concerning the enabled/disabled state of the parking assist function with the expected value for the attack (step S1208). For example, when the flag in the received CAN message concerning the enabled/disabled state of the parking assist function equals the flag value expected for the attack (1), the evaluation device 101 judges that it has detected a control instruction frame for controlling the actuator 107 (steering), and therefore judges that the attack succeeded.
By confirming that the attack according to the attack procedure information 108 succeeds, the evaluation device 101 makes it possible, for example, to evaluate the effect of a security countermeasure technique (for example, the security ECU 104) subsequently introduced into the electronic control system 11.
[1.8.3 Operation example 3 of evaluation system 10]
FIGS. 13 to 15 are sequence diagrams showing the operation (operation example 3) of the evaluation system 10 evaluating the electronic control system 11 in the state in which it includes the security ECU 104 (see FIG. 1). The sequence diagram of FIG. 13 continues into FIG. 14, and the sequence diagram of FIG. 14 continues into FIG. 15. Operation example 3 shows a case in which the evaluation device 101 attempts, through an attack, to cause the actuator ECU 102 to misrecognize the vehicle state.
The shift position ECU 105 transmits a CAN message indicating the current shift position (drive: D) to the CAN bus 20 (step S801), and the actuator ECU 102 receives that shift position CAN message from the CAN bus 20 (step S802).
Immediately after the CAN message indicating the shift position (drive: D) has flowed on the CAN bus 20, the evaluation device 101 transmits to the CAN bus 20, in accordance with the attack procedure information 108, a CAN message indicating a false shift position (reverse: R) that misrepresents the current shift position (step S803). As a result, the actuator ECU 102 receives that shift position CAN message from the CAN bus 20 and erroneously recognizes that the current shift position is reverse: R (step S804).
The vehicle speed ECU 106 transmits a CAN message indicating the current vehicle speed (30 km/h) to the CAN bus 20 (step S805), and the actuator ECU 102 receives that vehicle speed CAN message from the CAN bus 20 (step S806).
Immediately after the CAN message indicating the vehicle speed (30 km/h) has flowed on the CAN bus 20, the evaluation device 101 transmits to the CAN bus 20 a CAN message indicating a false vehicle speed (0 km/h) that misrepresents the current vehicle speed (step S807). As a result, the actuator ECU 102 receives that vehicle speed CAN message from the CAN bus 20 and erroneously recognizes that the current vehicle speed is 0 km/h (step S808).
The instruction ECU 103 transmits to the CAN bus 20 a CAN message indicating that the parking assist function is currently not enabled (flag: 0) (step S901), and the actuator ECU 102 receives that CAN message concerning the enabled/disabled state of the parking assist function from the CAN bus 20 (step S902).
Immediately after the CAN message indicating that the parking assist function is not enabled (flag: 0) has flowed on the CAN bus 20, the evaluation device 101 transmits to the CAN bus 20 a CAN message indicating that the parking assist function is currently enabled (flag: 1) (step S903). In response, when the security ECU 104 judges that the CAN message concerning the enabled/disabled state of the parking assist function that the evaluation device 101 transmitted to the CAN bus 20 in step S903 is an illegal CAN message, it invalidates that CAN message by transmitting an error frame (step S1401). Because it is not affected by the invalidated CAN message, the actuator ECU 102 does not transmit a control signal (steering operation instruction) to the actuator 107 (steering). Consequently, the actuator 107 (steering) does not operate.
The evaluation device 101 confirms that the actuator ECU 102 has not transmitted a control signal (steering operation instruction) to the actuator 107 (steering) (step S1402) and confirms that the actuator 107 (steering) has not operated (step S1403); when both are confirmed, it judges that the defense (security countermeasure) succeeded (that is, the attack failed) (step S1501). The evaluation device 101 may also evaluate security using only one of these two confirmations, for example judging that the defense succeeded when only one of them (that the actuator ECU 102 has not transmitted a control signal to the actuator 107 (steering), or that the actuator 107 (steering) has not operated) can be confirmed.
[1.8.4 Operation example 4 of evaluation system 10]
FIGS. 16 and 17 are sequence diagrams showing the operation (operation example 4) of the evaluation system 10 evaluating the electronic control system 11 in the state in which it includes the security ECU 104 (see FIG. 1). The sequence diagram of FIG. 16 continues into FIG. 17. Operation example 4 shows a case in which the evaluation device 101 attempts, through an attack, to cause the instruction ECU 103 to misrecognize the vehicle state.
シフト位置ECU105は、現在のシフト位置(ドライブ:D)を示すCANメッセージをCANバス20へ送信し(ステップS1101)、指示ECU103は、CANバス20を流れているそのシフト位置を示すCANメッセージを受信する(ステップS1102)。アクチュエータECU102も、同様にCANバス20を流れているそのシフト位置を示すCANメッセージを受信する(ステップS1103)。
The shift position ECU 105 transmits a CAN message indicating the current shift position (drive: D) to the CAN bus 20 (step S1101), and the instruction ECU 103 receives the CAN message indicating the shift position flowing through the CAN bus 20. (Step S1102). Similarly, the actuator ECU 102 also receives a CAN message indicating the shift position flowing through the CAN bus 20 (step S1103).
評価装置101は、CANバス20にシフト位置(ドライブ:D)を示すCANメッセージが流れた直後に、攻撃手順情報108に従って現在のシフト位置を詐称する偽のシフト位置(リバース:R)を示すCANメッセージをCANバス20へ送信する(ステップS1104)。これに対して、セキュリティECU104は、評価装置101がステップS1104でCANバス20へ送信したシフト位置(リバース:R)を示すCANメッセージを、不正なCANメッセージであると判定した場合に、エラーフレームを送信することでそのCANメッセージを無効化する(ステップS1601)。
Immediately after a CAN message indicating the shift position (drive: D) flows on the CAN bus 20, the evaluation apparatus 101 indicates a false shift position (reverse: R) that misrepresents the current shift position according to the attack procedure information 108. A message is transmitted to the CAN bus 20 (step S1104). On the other hand, when the security ECU 104 determines that the CAN message indicating the shift position (reverse: R) transmitted from the evaluation apparatus 101 to the CAN bus 20 in step S1104 is an invalid CAN message, an error frame is displayed. By transmitting, the CAN message is invalidated (step S1601).
Further, the vehicle speed ECU 106 transmits a CAN message indicating the current vehicle speed (30 km/h) to the CAN bus 20 (step S1107), and the instruction ECU 103 receives that CAN message indicating the vehicle speed as it flows over the CAN bus 20 (step S1108). The actuator ECU 102 likewise receives the CAN message indicating the vehicle speed flowing over the CAN bus 20 (step S1109).
Immediately after the CAN message indicating the vehicle speed (30 km/h) has flowed over the CAN bus 20, the evaluation apparatus 101 transmits to the CAN bus 20 a CAN message indicating a false vehicle speed (0 km/h) that misrepresents the current vehicle speed (step S1110). In response, when the security ECU 104 determines that the CAN message indicating the vehicle speed (0 km/h) transmitted by the evaluation apparatus 101 to the CAN bus 20 in step S1110 is an unauthorized CAN message, it invalidates that CAN message by transmitting an error frame (step S1602).
The evaluation apparatus 101 transmits a CAN message indicating that the parking support function is to be started to the CAN bus 20 (step S1201), and the instruction ECU 103 receives that CAN message relating to the start of the parking support function (the CAN message indicating that the parking support function is to be started) as it flows over the CAN bus 20 (step S1202).
Subsequently, since the instruction ECU 103 has not received the false shift position and vehicle speed, the predetermined condition for executing the parking support function is not satisfied, and the instruction ECU 103 therefore transmits to the CAN bus 20 a CAN message indicating that the parking support function is disabled (flag: 0) (a CAN message relating to the enabled/disabled state of the parking support function) (step S1701). As a result, the actuator ECU 102 receives the CAN message relating to the enabled/disabled state of the parking support function flowing over the CAN bus, recognizes that the parking support function is currently disabled (step S1702), and does not transmit a control signal (steering operation instruction) to the actuator 107 (steering).
The evaluation apparatus 101 receives (monitors) the CAN message (flag: 0) relating to the enabled/disabled state of the parking support function that the instruction ECU 103 transmitted to the CAN bus 20 (step S1703). The evaluation apparatus 101 evaluates the security of the electronic control system 11 (for example, determines whether the attack succeeded or failed) by comparing the content of the received CAN message relating to the enabled/disabled state of the parking support function with the expected value of the attack (step S1704). For example, when the flag in the received CAN message relating to the enabled/disabled state of the parking support function is not the flag value (1) that is the expected value of the attack, the evaluation apparatus 101 determines that it did not detect a control instruction frame for controlling the actuator 107 (steering), and determines that the defense (security countermeasure) succeeded.
(Modifications)
As described above, Embodiment 1 has been described as an illustration of the technology according to the present disclosure. However, the technology according to the present disclosure is not limited to it and is also applicable to embodiments in which changes, replacements, additions, omissions and the like are made as appropriate. For example, the following modifications are also included within one embodiment of the present disclosure.
(1) In the above embodiment, an example was shown in which the evaluation apparatus 101 attacks the electronic control system 11 by transmitting CAN messages (CAN messages indicating false information). However, the evaluation apparatus 101 may attack by any method, including methods other than transmitting CAN messages. For example, the evaluation apparatus 101 may replace the sensing information of a sensor that is connected by a signal line to one of the ECUs in the electronic control system 11 under evaluation with false information, so as to cause that ECU to misrecognize it.
(2) In the electronic control system 11 described above, the ECUs and actuators were described on the assumption that they are real (physical) ECUs and actuators. However, the ECUs in the electronic control system 11 that is the evaluation target of the evaluation system 10 may, instead of being real ECUs (for example, ECUs implemented on evaluation boards, production ECUs and the like), be simulated ECUs that simulate those ECUs (for example, computers executing software that simulates the functions, behavior and the like of the ECU). Similarly, the electronic control system 11 under evaluation may include, instead of real actuators (steering, accelerator, brake and the like), simulated actuators that simulate those actuators (for example, a computer executing simulation software that simulates the operation of the actuator). That is, the evaluation target of the evaluation system 10 may be any electronic control system that includes an actuator unit which is either a real actuator or a simulated actuator. When the actuator unit is a simulated actuator, the actuator monitoring unit 205 may observe the actuator unit by, for example, checking the various parameters used in the simulation through an output function of the simulation software, and the signal monitoring unit 204 may do so by, for example, checking the parameters input to the simulation software. That is, when the actuator unit is a simulated actuator, the monitoring unit 200 may detect the operation of the actuator unit by observing changes in predetermined data associated with the simulation software (program) on the computer (for example, the contents of a predetermined memory area of the computer, or its output, corresponding to a physical quantity that changes with the operation of the actuator).
(3) In the above embodiment, an example was shown in which the evaluation apparatus 101 is a single apparatus connected to the CAN bus 20. However, the evaluation apparatus 101 may have a configuration split across a plurality of housings, for example separated into a transmission device that transmits attack CAN messages in accordance with the attack procedure information 108 and a monitoring device that monitors the CAN messages flowing over the CAN bus 20, the control signals output by the actuator ECU 102, the behavior of the actuator 107 and the like.
(4) In the above embodiment, the electronic control system 11 including an in-vehicle network based on the CAN bus 20 was given as the example evaluation target of the evaluation system 10. However, the network to which the evaluation apparatus 101 in the evaluation system 10 transmits attack messages and which it monitors need not be an in-vehicle network, and may be a network other than the CAN bus 20 over which communication according to the CAN protocol takes place. For example, the evaluation system 10 may take as its evaluation target a network of robots, industrial equipment or the like, or any other network communication system. The term CAN protocol should also be understood in a broad sense that encompasses CANopen, which is used in embedded systems within automation systems, and derivative protocols such as TTCAN (Time-Triggered CAN) and CANFD (CAN with Flexible Data Rate). The network system under evaluation may also use a communication protocol other than the CAN protocol, for example Ethernet (registered trademark), MOST (registered trademark), FlexRay (registered trademark), LIN (Local Interconnect Network) or the like. Further, a system including a composite network that combines networks following various protocols may be the evaluation target, with the evaluation apparatus 101 attacking and monitoring that network.
(5) In the above embodiment, an example was shown in which the evaluation apparatus 101 performs an attack by transmitting CAN messages indicating false information. Alternatively, the attack may be performed by tampering, on the CAN bus 20, with part of the content of the CAN messages transmitted by the shift position ECU 105, the vehicle speed ECU 106, the instruction ECU 103 and the like.
(6) The evaluation apparatus 101 described above may evaluate, by attacking it, an electronic control system 11 that corresponds to, for example, only part of an in-vehicle network system. In this case, in order to simulate the part of the in-vehicle network system that is not included in the evaluation target (the part that constitutes the evaluation environment), the evaluation apparatus 101 may mount the attack on the evaluation target while transmitting the legitimate CAN messages that flow in the steady state over the portion of the in-vehicle network that is not included in the evaluation target. In this case, the evaluation target may be evaluated by, for example, checking whether the security ECU 104 in the evaluation target, when it detects and invalidates an unauthorized CAN message, has also invalidated unrelated legitimate messages. Further, when a security function for countering attacks other than detecting and invalidating unauthorized CAN messages (such as attaching a message authentication code (MAC) to CAN messages, or MAC verification) has been introduced, the evaluation apparatus 101 may evaluate the evaluation target by checking whether the countermeasure has an adverse effect (such as a large communication delay) on the transmission and reception of the legitimate steady-state CAN messages.
(7) As its evaluation of the security (attack resistance and the like) of the evaluation target, the evaluation apparatus 101 may perform an evaluation such as determining whether or not attack resistance is present on the basis of the number or proportion of unauthorized CAN messages that slipped past the defense. To determine whether attack resistance is present, the evaluation apparatus 101 may use a threshold that defines, for example, an upper limit on the number or proportion of unauthorized CAN messages. This threshold may be arbitrarily settable on the evaluation apparatus 101, or may be changed (adjusted) according to evaluation results and the like when the evaluation is carried out repeatedly. The evaluation apparatus 101 may also calculate the success rate of the attack (frequency of success and the like). In this way, in addition to a binary determination of attack success or failure, or defense success or failure, the evaluation apparatus 101 may evaluate, for example, whether each of a plurality of defense functions operates, or how effectively it acts. Further, in the evaluation apparatus 101, the transmission unit 201a may repeat a plurality of times an attack pattern in which a plurality of CAN messages are transmitted to the CAN bus 20 in the transmission order indicated by the attack procedure information 108, and the evaluation unit 206 may perform the evaluation such that the evaluation result differs depending on whether or not the monitoring result of the monitoring unit 200 changes as the attack pattern is repeated. The evaluation result of the evaluation unit 206 of the evaluation apparatus 101 may be recorded by the evaluation apparatus 101 in a storage medium such as a memory, and may also be output to the outside of the evaluation apparatus 101 (for example, by displaying the evaluation result or transmitting information indicating the evaluation result). For example, the evaluation unit 206 may output, as the evaluation result, information indicating whether or not the electronic control system under evaluation has attack resistance.
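The message flow of operation example 4 (steps S1101 to S1704) and the repeated, threshold-based judgement of modification (7), as an added simulation that is not the patent's own code; the CAN IDs, payload encodings, the security ECU's duplicate-within-interval detection rule and the instruction ECU's enable condition (shift R and 0 km/h) are constructed assumptions.

```python
"""Added example (not the patent's own code): simulation of operation example 4
and of the threshold-based judgement of modification (7).  Constructed assumptions:
CAN IDs, payload encodings, the security ECU rule and the enable condition."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed CAN IDs and encodings; the patent gives no numeric values.
ID_SHIFT, ID_SPEED, ID_PARK_START, ID_PARK_STATE = 0x101, 0x102, 0x201, 0x202
SHIFT_D, SHIFT_R = 0x44, 0x52
EXPECTED_FLAG = 1   # expected value of the attack: parking support enabled


@dataclass
class Frame:
    can_id: int
    data: bytes
    t_ms: float                # time the frame appears on the bus
    spoofed: bool = False      # false-state frame injected by the evaluation apparatus
    invalidated: bool = False  # set when the security ECU answers with an error frame


@dataclass
class SecurityEcu:
    """Security ECU 104 with an assumed rule: a frame whose ID was already seen
    less than min_gap_ms ago is treated as injected and invalidated."""
    min_gap_ms: float = 50.0
    last_seen: Dict[int, float] = field(default_factory=dict)

    def inspect(self, f: Frame) -> None:
        prev = self.last_seen.get(f.can_id)
        if prev is not None and f.t_ms - prev < self.min_gap_ms:
            f.invalidated = True   # error frame: every receiver discards the frame
            return
        self.last_seen[f.can_id] = f.t_ms


class InstructionEcu:
    """Instruction ECU 103 with an assumed enable condition: parking support is
    enabled (flag 1) only if the last accepted shift is R and speed is 0 km/h."""

    def __init__(self) -> None:
        self.shift = self.speed = None

    def receive(self, f: Frame) -> Optional[Frame]:
        if f.invalidated:                  # never reaches the application layer
            return None
        if f.can_id == ID_SHIFT:
            self.shift = f.data[0]
        elif f.can_id == ID_SPEED:
            self.speed = f.data[0]
        elif f.can_id == ID_PARK_START:    # steps S1202 / S1701
            flag = 1 if (self.shift == SHIFT_R and self.speed == 0) else 0
            return Frame(ID_PARK_STATE, bytes([flag]), f.t_ms + 1.0)
        return None


def bus_traffic(t0: float) -> List[Frame]:
    """Genuine frames plus the frames of the attack procedure, in bus order
    (steps S1101, S1104, S1107, S1110, S1201)."""
    return [
        Frame(ID_SHIFT, bytes([SHIFT_D]), t0),                    # shift position ECU 105
        Frame(ID_SHIFT, bytes([SHIFT_R]), t0 + 1, spoofed=True),  # S1104: false shift R
        Frame(ID_SPEED, bytes([30]), t0 + 100),                   # vehicle speed ECU 106
        Frame(ID_SPEED, bytes([0]), t0 + 101, spoofed=True),      # S1110: false 0 km/h
        Frame(ID_PARK_START, b"\x01", t0 + 200),                  # S1201: start request
    ]


def run_pattern(sec: Optional[SecurityEcu], t0: float = 0.0) -> Tuple[Optional[int], int, int]:
    """One attack pattern: returns (flag observed in S1703, spoofed frames, frames that passed)."""
    instr, observed_flag, spoofed, passed = InstructionEcu(), None, 0, 0
    for f in bus_traffic(t0):
        if sec is not None:
            sec.inspect(f)                 # S1601 / S1602 when the rule fires
        if f.spoofed:
            spoofed += 1
            passed += int(not f.invalidated)
        reply = instr.receive(f)
        if reply is not None and reply.can_id == ID_PARK_STATE:
            observed_flag = reply.data[0]
    return observed_flag, spoofed, passed


def evaluate_once(sec: Optional[SecurityEcu]) -> str:
    """Step S1704: compare the observed flag with the attack's expected value."""
    flag, _, _ = run_pattern(sec)
    return "defence_success" if flag != EXPECTED_FLAG else "attack_success"


def evaluate_repeated(sec: Optional[SecurityEcu], repetitions: int = 10,
                      max_passed_ratio: float = 0.0) -> dict:
    """Modification (7): repeat the pattern, count spoofed frames that slipped past
    the defence, and judge attack resistance against a configurable threshold."""
    total = passed = successes = 0
    for i in range(repetitions):
        flag, n, p = run_pattern(sec, t0=i * 1000.0)  # spaced so genuine traffic is not flagged
        total, passed = total + n, passed + p
        successes += int(flag == EXPECTED_FLAG)
    ratio = passed / total if total else 0.0
    return {"passed_ratio": ratio, "attack_success_rate": successes / repetitions,
            "attack_resistant": ratio <= max_passed_ratio}
```

Passing `None` as the security ECU models the system without the security ECU 104, which is how the same pattern yields the opposite verdict.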
(8) The security function including the security ECU 104 in the electronic control system 11 under evaluation may record log information relating to the detection of unauthorized activity (such as a CAN message reception history). In this case, the evaluation apparatus 101 may evaluate security by comparing that log information with the expected values relating to the attack that the evaluation apparatus 101 holds, thereby determining whether or not the attack succeeded, calculating the probability that the attack succeeded, or the like.
(9) In the above embodiment, the electronic control system 11 may include an independent security ECU 104 as its security function. However, all or some of the plurality of ECUs that communicate via the bus may instead be provided with security functions. A plurality of ECUs may also realize the security function in a distributed manner.
(10) In the above embodiment, an example was shown in which the evaluation apparatus 101 is directly connected to the bus in the electronic control system 11 under evaluation. However, a relay device such as a gateway may be interposed between the evaluation apparatus 101 and the evaluation target. For example, the evaluation apparatus 101 may evaluate the security (attack resistance and the like) of the evaluation target by performing mutual authentication or one-way authentication with the gateway and then transmitting the attack CAN messages so that the gateway forwards them to the CAN bus 20, and by obtaining the CAN messages from the CAN bus 20 via the gateway.
(11) Instead of observing the actuator 107 with the actuator monitoring unit 205, the evaluation apparatus 101 may indirectly confirm the operation (behavior) of the actuator 107 by monitoring the CAN messages relating to the status notifications of the actuator 107 (current steering angle, accelerator or brake displacement, engine speed and the like) that the actuator ECU 102 transmits to the CAN bus 20.
(12) The evaluation apparatus 101 and the ECUs in the above embodiment were described as devices including, for example, a processor, digital circuits such as memory, analog circuits, communication circuits and the like, but they may also include other hardware components such as a display, keyboard or mouse. Further, instead of realizing the functions in software by having a processor execute a control program stored in memory, the functions may be realized by dedicated hardware (digital circuits or the like). For example, the functional blocks of the evaluation apparatus 101, namely the CAN bus monitoring unit 203, the signal monitoring unit 204, the actuator monitoring unit 205, the transmission/reception unit 201, the holding unit 202, the evaluation unit 206 and the control unit 207, may be realized by an integrated circuit. Likewise, the functional blocks of the actuator ECU 102 (the transmission/reception unit 301, the instruction transmission unit 302, the state acquisition unit 303, the determination unit 304 and the control unit 305), of the instruction ECU 103 (the transmission/reception unit 401, the determination unit 402, the calculation unit 403 and the control unit 404), of the security ECU 104 (the transmission/reception unit 501, the CAN bus monitoring unit 502 and the control unit 503), and of the shift position ECU 105 or the vehicle speed ECU 106 (the transmission/reception unit 601, the state acquisition unit 602 and the control unit 603) may each be realized by an integrated circuit.
(13) Some or all of the components constituting each device (the evaluation apparatus 101, the ECUs and the like) in the above embodiment may be composed of a single system LSI (Large Scale Integration). A system LSI is a highly multifunctional LSI manufactured by integrating a plurality of components on a single chip; specifically, it is a computer system including a microprocessor, ROM, RAM and the like. A computer program is recorded in the RAM. The system LSI achieves its functions by the microprocessor operating in accordance with the computer program. The components constituting each of the above devices may be integrated individually onto separate chips, or integrated onto a single chip that includes some or all of them. Although the term system LSI is used here, it may also be called an IC, LSI, super LSI or ultra LSI depending on the degree of integration. The method of circuit integration is not limited to LSI; it may be realized with dedicated circuitry or a general-purpose processor. An FPGA (Field Programmable Gate Array) that can be programmed after the LSI is manufactured, or a reconfigurable processor whose internal circuit cell connections and settings can be reconfigured, may also be used. Furthermore, should circuit integration technology that replaces LSI emerge through advances in semiconductor technology or other derived technologies, the functional blocks may naturally be integrated using that technology. Application of biotechnology or the like is a possibility.
(14) Some or all of the components constituting each of the above devices may be composed of an IC card or a standalone module that can be attached to and detached from the device. The IC card or module is a computer system composed of a microprocessor, ROM, RAM and the like. The IC card or module may include the highly multifunctional LSI described above. The IC card or module achieves its functions by the microprocessor operating in accordance with a computer program. The IC card or module may be tamper-resistant.
(15) One aspect of the present disclosure may be an evaluation method including all or part of the processing procedures illustrated, for example, in FIGS. 8 to 17. For example, the evaluation method is a method of evaluating the security of an electronic control system 11 including a plurality of ECUs that communicate via the CAN bus 20, in which attack procedure information 108 indicating the contents and transmission order of a plurality of frames is held, the plurality of frames are transmitted to the CAN bus 20 in the transmission order indicated by the attack procedure information 108 (for example, steps S803, S807, S903, S1104, S1110 and S1201), an actuator unit (for example, the actuator 107) controlled by one of the plurality of ECUs is monitored directly or indirectly while the plurality of frames are being transmitted to the CAN bus 20 (for example, steps S1001, S1002 and S1207), and an evaluation is performed on the basis of the monitoring result (for example, steps S1003 and S1208). One aspect of the present disclosure may also be a computer program that causes a computer to carry out the processing of this evaluation method, or a digital signal consisting of the computer program. One aspect of the present disclosure may also be a computer-readable recording medium, for example a flexible disk, hard disk, CD-ROM, MO, DVD, DVD-ROM, DVD-RAM, BD (Blu-ray (registered trademark) Disc), semiconductor memory or the like, on which the computer program or the digital signal is recorded, or the digital signal recorded on such a recording medium. One aspect of the present disclosure may also be the computer program or the digital signal transmitted via an electrical communication line, a wireless or wired communication line, a network such as the Internet, data broadcasting or the like. One aspect of the present disclosure may also be a computer system including a microprocessor and a memory, in which the memory records the computer program and the microprocessor operates in accordance with the computer program. Further, the method may be carried out by another independent computer system, by recording the program or the digital signal on the recording medium and transferring it, or by transferring the program or the digital signal via the network or the like.
(16) Embodiments realized by arbitrarily combining the components and functions shown in the above embodiment and modifications are also included within the scope of the present disclosure.
The present disclosure can be used to evaluate, for example, whether or not the security countermeasure technology applied to an electronic control system can appropriately defend against attacks.
DESCRIPTION OF SYMBOLS
10 Evaluation system
11 Electronic control system
20 CAN bus
101 Evaluation apparatus
102 Actuator ECU
103 Instruction ECU
104 Security ECU
105 Shift position ECU
106 Vehicle speed ECU
107 Actuator
108 Attack procedure information
200 Monitoring unit
201, 301, 401, 501, 601 Transmission/reception unit
201a Transmission unit
201b Reception unit
202 Holding unit
203, 502 CAN bus monitoring unit
204 Signal monitoring unit
205 Actuator monitoring unit
206 Evaluation unit
207, 305, 404, 503, 603 Control unit
302 Instruction transmission unit
303, 602 State acquisition unit
304, 402 Determination unit
403 Calculation unit
Claims (13)
- An evaluation apparatus that is connected to a bus used for communication by a plurality of electronic control units in an electronic control system and that evaluates the security of the electronic control system, the evaluation apparatus comprising:
a holding unit that holds attack procedure information indicating the contents and transmission order of a plurality of frames;
a transmission unit that transmits the plurality of frames to the bus in the transmission order indicated by the attack procedure information;
a monitoring unit that monitors an actuator unit controlled by one of the plurality of electronic control units; and
an evaluation unit that performs the evaluation on the basis of a monitoring result of the monitoring unit obtained when the plurality of frames are transmitted to the bus by the transmission unit.
- The evaluation apparatus according to claim 1, wherein the plurality of electronic control units communicate via the bus in accordance with the CAN (Controller Area Network) protocol.
- The evaluation apparatus according to claim 1 or 2, wherein the monitoring unit, as the monitoring of the actuator unit, detects that a control instruction frame for instructing one of the plurality of electronic control units to control the actuator unit has been transmitted to the bus, and
the evaluation unit performs the evaluation such that the evaluation result differs depending on whether or not the monitoring unit detected that the control instruction frame was transmitted on the bus within a certain period after one or more of the plurality of frames were transmitted to the bus by the transmission unit.
- The evaluation apparatus according to any one of claims 1 to 3, wherein the monitoring unit, as the monitoring of the actuator unit, detects that a control signal has been input to the actuator unit from one of the plurality of electronic control units, and
the evaluation unit performs the evaluation such that the evaluation result differs depending on whether or not the monitoring unit detected that the control signal was input to the actuator unit within a certain period after one or more of the plurality of frames were transmitted to the bus by the transmission unit.
- The evaluation apparatus according to any one of claims 1 to 4, wherein the monitoring unit, as the monitoring of the actuator unit, detects operation of the actuator unit, and
the evaluation unit performs the evaluation such that the evaluation result differs depending on whether or not the monitoring unit detected that the actuator unit operated within a certain period after one or more of the plurality of frames were transmitted to the bus by the transmission unit.
- The evaluation apparatus according to claim 5, wherein the actuator unit has an actuator, and
the monitoring unit detects the operation of the actuator unit by measuring a physical quantity that changes with the operation of the actuator.
- The evaluation apparatus according to claim 5, wherein the actuator unit has a computer that executes a program simulating the operation of an actuator, and
the monitoring unit detects the operation of the actuator unit by observing a change in predetermined data associated with the program on the computer.
- The attack procedure information further indicates transmission intervals for the plurality of frames, and
前記送信部は、前記攻撃手順情報が示す送信順序及び送信間隔に従って前記複数のフレームを前記バスに送信する
請求項1~7のいずれか一項に記載の評価装置。 The attack procedure information further indicates transmission intervals for the plurality of frames,
The evaluation apparatus according to claim 1, wherein the transmission unit transmits the plurality of frames to the bus according to a transmission order and a transmission interval indicated by the attack procedure information. - 前記評価部は、評価結果として前記電子制御システムに攻撃耐性があるか否かを示す情報を出力する
請求項1~8のいずれか一項に記載の評価装置。 The evaluation device according to any one of claims 1 to 8, wherein the evaluation unit outputs information indicating whether or not the electronic control system has attack resistance as an evaluation result. - 前記送信部は、前記攻撃手順情報が示す送信順序で前記複数のフレームを前記バスに送信する攻撃パターンを複数回繰り返し、
前記評価部は、前記攻撃パターンの繰り返しによる前記監視結果の変化の有無に応じて評価結果が相違するように前記評価を行う
請求項1~9のいずれか一項に記載の評価装置。 The transmission unit repeats an attack pattern for transmitting the plurality of frames to the bus in a transmission order indicated by the attack procedure information a plurality of times,
The evaluation apparatus according to any one of claims 1 to 9, wherein the evaluation unit performs the evaluation so that the evaluation results differ depending on whether or not the monitoring results change due to repetition of the attack pattern. - バスを介して通信する複数の電子制御ユニットを備える電子制御システムのセキュリティに関する評価を行う評価システムであって、
複数のフレームの内容及び送信順序を示す攻撃手順情報を保持する保持部と、
前記攻撃手順情報が示す送信順序で前記複数のフレームを前記バスに送信する送信部と、
前記複数の電子制御ユニットのいずれかにより制御されるアクチュエータ部について監視する監視部と、
前記送信部により前記複数のフレームが前記バスに送信される際における前記監視部の監視結果に基づいて前記評価を行う評価部とを備える
評価システム。 An evaluation system for evaluating the security of an electronic control system comprising a plurality of electronic control units that communicate via a bus,
A holding unit for holding attack procedure information indicating the contents and transmission order of a plurality of frames;
A transmitter that transmits the plurality of frames to the bus in a transmission order indicated by the attack procedure information;
A monitoring unit for monitoring an actuator unit controlled by any of the plurality of electronic control units;
An evaluation system comprising: an evaluation unit that performs the evaluation based on a monitoring result of the monitoring unit when the plurality of frames are transmitted to the bus by the transmission unit. - バスを介して通信する複数の電子制御ユニットを備える電子制御システムのセキュリティに関する評価を行う評価方法であって、
複数のフレームの内容及び送信順序を示す攻撃手順情報を保持し、
前記攻撃手順情報が示す送信順序で前記複数のフレームを前記バスに送信し、
前記複数のフレームが前記バスに送信される際に、前記複数の電子制御ユニットのいずれかにより制御されるアクチュエータ部について監視し、
前記監視による監視結果に基づいて前記評価を行う
評価方法。 An evaluation method for evaluating the security of an electronic control system including a plurality of electronic control units that communicate via a bus,
Holds attack procedure information indicating the contents and transmission order of multiple frames,
Transmitting the plurality of frames to the bus in a transmission order indicated by the attack procedure information;
When the plurality of frames are transmitted to the bus, the actuator unit controlled by any of the plurality of electronic control units is monitored,
An evaluation method for performing the evaluation based on a monitoring result by the monitoring. - 前記複数の電子制御ユニットは、CAN(Controller Area Network)プロトコルに従って前記バスを介して通信を行い、
前記評価方法は、
前記複数のフレームの1つ以上が前記バスに送信された後の一定期間内に、前記複数の電子制御ユニットのうちの1つに前記アクチュエータ部を制御させるよう指示するための制御指示フレームが前記バスに送信されたことを検出したか否かに応じて、評価結果が相違するように前記評価を行う
請求項12記載の評価方法。 The plurality of electronic control units communicate via the bus according to a CAN (Controller Area Network) protocol,
The evaluation method is:
A control instruction frame for instructing one of the plurality of electronic control units to control the actuator unit within a certain period after one or more of the plurality of frames is transmitted to the bus. The evaluation method according to claim 12, wherein the evaluation is performed so that evaluation results are different depending on whether or not transmission to the bus is detected.
Priority Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201680003169.XA CN107111716B (en) | 2015-12-14 | 2016-11-16 | Evaluation device, evaluation system, and evaluation method |
EP16875096.6A EP3392792B1 (en) | 2015-12-14 | 2016-11-16 | Evaluation device, evaluation system, and evaluation method |
US15/922,970 US10977373B2 (en) | 2015-12-14 | 2018-03-16 | Evaluation device, evaluation system, and evaluation method |
Applications Claiming Priority (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2015-243433 | 2015-12-14 | ||
JP2015243433 | 2015-12-14 | ||
JP2016-201242 | 2016-10-12 | ||
JP2016201242A JP6712938B2 (en) | 2015-12-14 | 2016-10-12 | Evaluation device, evaluation system, and evaluation method |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US15/922,970 Continuation US10977373B2 (en) | 2015-12-14 | 2018-03-16 | Evaluation device, evaluation system, and evaluation method |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2017104106A1 true WO2017104106A1 (en) | 2017-06-22 |
Family
ID=59056180
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2016/004892 WO2017104106A1 (en) | 2015-12-14 | 2016-11-16 | Evaluation device, evaluation system, and evaluation method |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN107111716B (en) |
WO (1) | WO2017104106A1 (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112823494A (en) * | 2018-11-02 | 2021-05-18 | 松下电器(美国)知识产权公司 | Abnormality prevention control system, monitoring device, and abnormality prevention control method |
Families Citing this family (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
DE102017216096A1 (en) * | 2017-09-12 | 2019-03-14 | Volkswagen Aktiengesellschaft | Method and apparatus for detecting an attack on a serial communication system |
WO2019117184A1 (en) * | 2017-12-15 | 2019-06-20 | パナソニック インテレクチュアル プロパティ コーポレーション オブ アメリカ | On-vehicle network abnormality detection system and on-vehicle network abnormality detection method |
CN108924098A (en) * | 2018-06-14 | 2018-11-30 | 北京汽车股份有限公司 | Vehicle and the method and system for preventing vehicle data to be tampered |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2015114833A (en) * | 2013-12-11 | 2015-06-22 | 三菱電機株式会社 | Inspection system, equipment information acquisition device, inspection instruction device, inspection execution device, equipment inspection method, and program |
Family Cites Families (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
TW200732909A (en) * | 2006-02-27 | 2007-09-01 | Dmp Electronics Inc | Central processing unit capable of recording number of breakdown |
CN2919369Y (en) * | 2006-05-11 | 2007-07-04 | 深圳市昭营科技有限公司 | Central processing unit |
US8925083B2 (en) * | 2011-10-25 | 2014-12-30 | GM Global Technology Operations LLC | Cyber security in an automotive network |
US9342695B2 (en) * | 2012-10-02 | 2016-05-17 | Mordecai Barkan | Secured automated or semi-automated systems |
EP3751818A1 (en) * | 2012-10-17 | 2020-12-16 | Tower-Sec Ltd. | A device for detection and prevention of an attack on a vehicle |
JP6126980B2 (en) * | 2013-12-12 | 2017-05-10 | 日立オートモティブシステムズ株式会社 | Network device and network system |
US20150169911A1 (en) * | 2013-12-13 | 2015-06-18 | Qualcomm Incorporated | Position location system architecture: filtering position fixes |
EP4246893A3 (en) * | 2014-04-17 | 2023-12-27 | Panasonic Intellectual Property Corporation of America | Vehicle-mounted network system, invalidity detection electronic control unit, and invalidity detection method |
JP6263437B2 (en) * | 2014-05-07 | 2018-01-17 | 日立オートモティブシステムズ株式会社 | Inspection device, inspection system, and inspection method |
CN104581705A (en) * | 2014-12-11 | 2015-04-29 | 深圳市金立通信设备有限公司 | Terminal |
- 2016
  - 2016-11-16 WO PCT/JP2016/004892 patent/WO2017104106A1/en unknown
  - 2016-11-16 CN CN201680003169.XA patent/CN107111716B/en active Active
Patent Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2015114833A (en) * | 2013-12-11 | 2015-06-22 | 三菱電機株式会社 | Inspection system, equipment information acquisition device, inspection instruction device, inspection execution device, equipment inspection method, and program |
Non-Patent Citations (1)
Title |
---|
TAKESHI KISHIKAWA: "Shasai Network o Hogo suru Security ECU no Teian: HW/SW Kyocho ni yoru Koshin Kano na CAN no Hogo Shuho to sono Hyoka", 2015 SYMPOSIUM ON CRYPTOGRAPHY AND INFORMATION SECURITY SCIS2015 [ CD-ROM ] 2015 SYMPOSIUM ON CRYPTOGRAPHY AND INFORMATION SECURITY GAIYOSHU, 23 January 2015 (2015-01-23), pages 1 - 8, XP009507128 * |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112823494A (en) * | 2018-11-02 | 2021-05-18 | 松下电器(美国)知识产权公司 | Abnormality prevention control system, monitoring device, and abnormality prevention control method |
CN112823494B (en) * | 2018-11-02 | 2022-04-29 | 松下电器(美国)知识产权公司 | Abnormality prevention control system, monitoring device, and abnormality prevention control method |
Also Published As
Publication number | Publication date |
---|---|
CN107111716A (en) | 2017-08-29 |
CN107111716B (en) | 2022-03-29 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
JP6712938B2 (en) | Evaluation device, evaluation system, and evaluation method | |
JP6741559B2 (en) | Evaluation device, evaluation system, and evaluation method | |
JP7105279B2 (en) | Security device, attack detection method and program | |
US11539727B2 (en) | Abnormality detection apparatus and abnormality detection method | |
CN108028784B (en) | Abnormality detection method, monitoring electronic control unit, and vehicle-mounted network system | |
US20190356687A1 (en) | Attack detection method, attack detection device and bus system for a motor vehicle | |
EP3744583B1 (en) | Data analysis device and program | |
WO2017104106A1 (en) | Evaluation device, evaluation system, and evaluation method | |
JP7231559B2 (en) | Anomaly detection electronic control unit, in-vehicle network system and anomaly detection method | |
CN106168796B (en) | Method and system for preventing fraud in a network of motor vehicles | |
JP2019008618A (en) | Information processing apparatus, information processing method, and program | |
US11394726B2 (en) | Method and apparatus for transmitting a message sequence over a data bus and method and apparatus for detecting an attack on a message sequence thus transmitted | |
JP2020108132A (en) | Electronic control system, electronic control device, control method, and program | |
CN112540555A (en) | Method for remotely controlling a motor vehicle | |
US10725882B2 (en) | Monitoring an integrity of a test dataset | |
WO2017061079A1 (en) | Security device, attack detection method, and program | |
JPWO2020137743A1 (en) | Electronic control devices, electronic control systems and programs | |
CN107196897B (en) | Monitoring device and communication system | |
Lampe et al. | IDS for CAN: A practical intrusion detection system for CAN bus security | |
US11902300B2 (en) | Method for monitoring a data transmission system, data transmission system and motor vehicle | |
Biswal et al. | IoT‐Based Response Time Analysis of Messages for Smart Autonomous Collision Avoidance System Using Controller Area Network | |
WO2017125978A1 (en) | Evaluation device, evaluation system, and evaluation method | |
JP2022146311A (en) | Drive control system and drive means control method | |
CN114826643A (en) | System and method for detecting and transferring attacks on vehicle-mounted controllers and networks | |
JP5545125B2 (en) | Communication device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 16875096; Country of ref document: EP; Kind code of ref document: A1 |
| NENP | Non-entry into the national phase | Ref country code: DE |