WO2019168167A1 - Verification method, verification device, computer program, and verification system - Google Patents


Info

Publication number
WO2019168167A1
Authority
WO
WIPO (PCT)
Prior art keywords
side channel
channel information
test device
electromagnetic wave
verification
Prior art date
Application number
PCT/JP2019/008154
Other languages
French (fr)
Japanese (ja)
Inventor
藤野 毅
久保田 貴也
Original Assignee
学校法人立命館
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 学校法人立命館
Priority to JP2019572255A
Publication of WO2019168167A1

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00: Error detection; Error correction; Monitoring
    • G06F11/22: Detection or location of defective computer hardware by testing during standby operation or during idle time, e.g. start-up testing

Definitions

  • the present disclosure relates to a verification method, a verification device, a computer program, and a verification system.
  • An electronic device may operate abnormally in response to data illegitimately input by a third party, a so-called cyber attack.
  • An abnormal operation refers to the inability to operate or an operation different from the original operation.
  • the fuzzing test is a black box test method in which various data are comprehensively sent to an electronic device to be tested to detect the presence or absence of abnormal operation.
  • Non-Patent Document 1, published at the "Cryptography and Information Security Symposium" in 2017, is based on a hardware simulator that performs the same operation as an electronic device that is the subject of a fuzzing test. It proposes a method of verifying the target electronic device by comparing the operation of the hardware simulator, when given the same data as the target electronic device, with the operation of the target electronic device.
  • However, the cost increase and complexity caused by the use of a hardware simulator are problems. Therefore, it is desired to simplify the verification of the test device.
  • A verification method includes receiving side channel information from a test device provided with fuzz data, and verifying operation of the test device based on the received side channel information.
  • The verification apparatus includes an interface that receives input of side channel information from a test device to which fuzz data is given, and a processing unit that verifies the operation of the test device based on the side channel information input through the interface.
  • The computer program is a computer program for causing a computer to function as a verification device that verifies the operation of the test device. It causes the computer to function as an input unit that receives side channel information from the test device to which fuzz data is given, and as a processing unit that verifies the operation of the test device based on the side channel information input via the input unit.
  • The verification system includes a measurement device that measures the side channel information from the test device to which the fuzz data is given, and a verification device that verifies the operation of the test device based on the side channel information input from the measurement device.
  • FIG. 1 is a diagram illustrating an example of a configuration of a verification system and a verification method.
  • FIG. 2 is a diagram for explaining the configuration of the verification apparatus.
  • FIG. 3 is a block diagram illustrating processing executed by the control unit of the verification apparatus.
  • FIG. 4 is a diagram illustrating a specific example of a normal-time electromagnetic wave database.
  • FIG. 5 is a flowchart showing an example of the flow of abnormal operation detection processing in the verification device.
  • FIG. 6 is a diagram illustrating a specific example of the abnormal electromagnetic wave database.
  • FIG. 7 is a flowchart showing another example of the abnormal operation detection process flow in the verification apparatus.
  • FIG. 8 is a diagram showing another example of the abnormal time electromagnetic wave database.
  • FIG. 9 is a flowchart showing another example of the flow of the abnormal operation detection process in the verification device.
  • FIG. 10 is a diagram illustrating an example of the input signal (A) to the test device and the detected electromagnetic wave waveform (B) in the first embodiment.
  • FIG. 11 is an enlarged view of the input signal (A) and the detected electromagnetic wave waveform (B) after the sixth frame in FIG.
  • FIG. 12 is an enlarged view of an electromagnetic wave detected immediately after the sixth frame input in FIG.
  • FIG. 13 is a diagram illustrating another example of the input signal (A) to the test device and the detected electromagnetic wave waveform (B) in the second embodiment. It is a figure for demonstrating an example of arrangement
  • FIG. 17 is a block diagram illustrating processing executed by the control unit of the verification apparatus according to the seventh embodiment.
  • FIG. 18 is a diagram schematically showing the structure of the classifier of FIG. 17 and the learning method of the classifier.
  • The verification method included in the present embodiment includes a step of receiving side channel information from a test device to which fuzz data is given, and a step of verifying the operation of the test device based on the received side channel information.
  • the side channel information here is synonymous with the side channel information acquired for decryption in a decryption method called a side-channel attack. That is, the side channel information is information obtained from a channel (side channel) other than the regular input / output channel of data in the test device.
  • the side channel information includes, for example, electromagnetic waves, power consumption, temperature, sound, and the like.
  • the verification of the operation of the test device may be the same as the verification performed in fuzzing, for example, verification of an unknown vulnerability in the test device.
  • the verification of the unknown vulnerability is, for example, detection of abnormal operation.
  • The method of verifying the operation based on the side channel information avoids the increase in cost that comes with separately providing a hardware simulator for verification in addition to the test device. Since it is also not necessary to verify that the operation of the hardware simulator and the operation of the test device are identical, the verification work can be simplified.
  • the step of verifying the operation of the test device includes detecting an abnormal operation of the test device.
  • The abnormal operation is an operation different from the operation instructed by the control signal, for example, an arithmetic operation that divides by zero, an arithmetic operation that calculates the square root of a negative number, an operation accompanied by a buffer overflow, or the expiration of a watchdog timer.
  • the detection of the abnormal operation is at least one of detection of the presence / absence of the abnormal operation and detection of the type of the abnormal operation.
  • With this method, it is possible to easily perform at least one of detection of the presence or absence of abnormal operation and detection of the type of abnormal operation.
  • the side channel information is at least one of electromagnetic waves leaking from the operating test device and power consumption of the test device.
  • an abnormal operation of the test device can be detected with high accuracy with a simple apparatus using electromagnetic waves or power consumption of the test device as side channel information.
  • the verifying step includes a step of comparing the received side channel information with reference side channel information stored in a database.
  • The database stores reference side channel information for at least one of abnormal operation and normal operation, and in the comparing step the received side channel information is compared with the reference side channel information stored in the database.
  • the database stores side channel information for each type of abnormal operation, and the received side channel information is compared with reference side channel information for each type of abnormal operation in the comparing step. Accordingly, the type of abnormal operation in the test device is detected in the verification step. By this method, it is possible to easily detect the type of abnormal operation.
  • The database stores reference side channel information for each type of test device, and in the comparing step, the received side channel information is compared with the reference side channel information, among that stored in the database, that corresponds to the type of the test device.
  • the type of the test device may be a product type of the test device or a manufacturer type of the test device, but is not limited thereto. By this method, an abnormal operation can be detected with higher accuracy according to the type of the test device.
  • The side channel information is time-series data, and in the comparing step, the information in a defined period of the received side channel information, which is a part less than the whole of the received side channel information, is compared with the reference side channel information stored in the database.
  • The side channel information is information measured from a specific position with respect to the test device, and the database stores reference side channel information for each position with respect to the test device. In the comparing step, the received side channel information is compared with the reference side channel information stored in the database that corresponds to the position, with respect to the test device, at which the side channel information was received.
  • the position with respect to the test device is, for example, the position where the memory of the test device is mounted, the position where the CPU is mounted, or the like.
  • the side channel information measured from a specific position with respect to the test device is, for example, leaked electromagnetic waves, power consumption, heat, sound, and the like. As a result, for each position of the test device, it is possible to detect an abnormal operation of the apparatus mounted at that position.
  • the model includes inputting the received side channel information and obtaining its output.
  • The learning model is provided with a first model that classifies the type of operation based on the feature amount obtained from the side channel information, and a second model that determines, from the feature amount, whether the given side channel information is from abnormal operation or from normal operation.
  • the first model is, for example, a one-dimensional convolutional neural network (1D-CNN).
  • The second model is a classification algorithm such as One-class SVM (Support Vector Machine).
  • The learning model is trained by a learning method called transfer learning.
  • the detected abnormal operation includes a calculation abnormality.
  • the operation abnormality includes, for example, an operation that divides by zero, an operation that calculates a square root of a negative number, and the like.
  • the test device includes an in-vehicle control device.
  • operation of a vehicle-mounted control apparatus can be verified using this verification method.
  • The verification apparatus included in the present embodiment includes an interface that receives input of side channel information from a test device to which fuzz data is given, and a processing unit that verifies the operation of the test device based on the side channel information input through the interface. Since this verification apparatus employs the verification methods (1) to (14), it has the same effects as the verification methods described in (1) to (14).
  • a computer program included in the present embodiment is a computer program for causing a computer to function as a verification device that verifies the operation of a test device, and the computer is connected to a side channel from a test device to which fuzz data is given. It functions as an input unit that receives input of information and a processing unit that verifies the operation of the test device based on side channel information input via the input unit. Since this computer program causes the computer to execute the verification methods (1) to (14), the computer program has the same effects as the verification methods described in (1) to (14).
  • The verification system included in the present embodiment includes a measurement device that measures side channel information from a test device to which fuzz data is given, and a verification device that verifies the operation of the test device based on the side channel information input from the measurement device. Since this verification system is a system that executes the verification methods (1) to (14), it has the same effects as the verification methods described in (1) to (14).
  • FIG. 1 is a diagram showing an example of a configuration of a verification system 100 according to the present embodiment.
  • The verification system 100 includes a verification apparatus 1 that executes a fuzz test, an input apparatus 3 that can input a control signal that is fuzz data to a test device D, and an electromagnetic wave measurement probe (hereinafter referred to as probe 5), which is an example of a device that acquires side channel information from the test device.
  • the verification device 1 verifies the operation of the test device D by executing a fuzz test. Verification of the operation of the test device D includes detecting an abnormal operation in the test device D.
  • the abnormal operation is, for example, an operation other than the operation specified for the input control signal.
  • the test device D may be any device as long as it is a device that receives an input of a control signal that is fuzz data from the outside and executes an operation defined for the input control signal.
  • the test device D is a device that does not have a function of outputting a result of the operation, such as a display.
  • the test device D is a device that is mounted on another device and has a low operation frequency, for example.
  • the other device is, for example, a vehicle, and the test device D is, for example, an ECU (Electronic Control Unit) that is an in-vehicle control device. In the following description, it is assumed that the test device D is an ECU.
  • The ECU is connected to an in-vehicle network that adopts a communication standard such as CAN (Controller Area Network), LIN (Local Interconnect Network), Ethernet (registered trademark), or MOST (Media Oriented System Transport; MOST is a registered trademark).
  • the input device 3 is connected to the test device D by wire or wireless, and can input a CAN message, which is a control signal according to the CAN communication standard, to the ECU as an example.
  • the input device 3 may be a device independent of the verification device 1 or may be included in the verification device 1. In the following description, it is assumed that the input device 3 is an independent device from the verification device 1 and is connected to the verification device 1 so as to be communicable.
  • the input device 3 inputs a control frame to the ECU according to the CAN message from the verification device 1.
  • The probe 5 is an example of an apparatus that acquires side channel information, which is information indicating an operation state, from the test device D, either without contacting the test device D or by being connected to the test device D by wire or wirelessly.
  • the probe 5 receives an electromagnetic wave leaking from the test device D, which is an example of side channel information.
  • the probe 5 can communicate with the verification device 1 by wire or wirelessly, and inputs a signal indicating the received electromagnetic wave to the verification device 1.
  • the verification apparatus 1 is composed of a general PC (personal computer) or the like. Using the signal input from the probe 5, an abnormal operation detection process for detecting the presence or absence of an abnormal operation of the ECU that is the test device D is executed.
  • FIG. 2 is a diagram for explaining the configuration of the verification apparatus 1.
  • The verification device 1 includes a control unit 11, a storage unit 12, a communication unit 13, and a probe interface (I/F) 14.
  • the control unit 11 includes a CPU (Central Processing Unit).
  • The CPU of the control unit 11 includes one or a plurality of large scale integrated circuits (LSIs).
  • the plurality of LSIs cooperate to realize the function of the CPU.
  • the CPU of the control unit 11 can read out an application including one or a plurality of programs stored in the storage unit 12 and execute various processes.
  • the application can be transferred in a state of being recorded on a recording medium such as a CD-ROM or a DVD-ROM, or can be transferred by downloading from a computer device such as a server computer.
  • the storage unit 12 includes a flash memory, an EEPROM (Electrically Erasable Programmable Read Only Memory), or a nonvolatile memory element such as a ROM, and a volatile memory element such as a RAM (Random Access Memory).
  • the nonvolatile memory element has a storage area for storing an application or data necessary for executing the application.
  • the volatile memory element has a storage area for storing an update program to be described later.
  • the storage unit 12 stores a database 121.
  • the database 121 stores reference electromagnetic wave waveforms used for detection processing.
  • the communication unit 13 communicates with the input device 3 under the control of the control unit 11 according to the execution of the application, and instructs the input device 3 to input a control signal to the test device D.
  • the probe I / F 14 receives a signal transmitted from the probe 5 to the verification device 1.
  • the signal received by the probe I / F 14 is converted into a digital signal by the AD converter 16 and input to the control unit 11. Note that the probe I / F 14 and the AD converter 16 can be substituted by connecting a commercially available oscilloscope to the verification apparatus 1.
  • FIG. 1 further shows a method for detecting an abnormal operation in the test device D, which is an example of a verification method in the verification system 100.
  • the abnormal operation in the test device D is detected based on electromagnetic waves leaking from the test device D operating in accordance with the input control signal.
  • the input device 3 according to the control of the verification device 1 inputs a communication frame F, which is a control signal, to the ECU that is the test device D (step S1).
  • the ECU executes an operation instructed by the input communication frame F.
  • the probe 5 is brought close to the ECU to a range where electromagnetic waves leaking from the ECU can be received.
  • the probe 5 may be fixed, and the ECU that is the test device D may be arranged in a range in which the leaking electromagnetic wave can be received with respect to the probe 5.
  • the probe 5 may be plate-shaped, and the test device D may be disposed on the plate-shaped probe 5.
  • Probe 5 receives electromagnetic waves leaking from the ECU (step S2).
  • a signal indicating the received electromagnetic wave is input from the probe 5 to the verification apparatus 1.
  • the verification device 1 detects an abnormal operation of the ECU by executing an abnormal operation detection process using a signal indicating the electromagnetic wave input from the probe 5 (step S3).
  • the detection result is notified to the user, for example, by being displayed on the display unit 15 of the verification device 1.
  • The application stored in the storage unit 12 of the verification apparatus 1 is a program that causes the control unit 11 to execute processing for detecting abnormal operation in the test device D using a signal indicating the electromagnetic wave input from the probe 5.
  • FIG. 3 is a block diagram showing an abnormal operation detection process executed by the control unit 11.
  • the abnormal operation detection process includes a reading process 111, a detection process 112, and a display process 114.
  • Read processing 111 is processing in which the control unit 11 reads the reference electromagnetic wave waveform from the database 121.
  • the control unit 11 reads the reference electromagnetic wave waveform in accordance with the type of ECU used as the test device D and the attribute of the manufacturer.
  • the control unit 11 reads the reference electromagnetic wave waveform in accordance with a control signal input from the input device 3 to the test device D.
  • FIG. 4 is a diagram illustrating a specific example of a normal electromagnetic wave database 121A, which is an example of the database 121 stored in the storage unit 12 in the present embodiment.
  • In the normal electromagnetic wave database 121A, for each CAN message input from the input device 3 to the ECU that is the test device D, the electromagnetic wave waveform leaking from the ECU that operates normally in accordance with the CAN message (normal-time electromagnetic wave waveform) is stored.
  • the electromagnetic wave waveforms for each input CAN message are shown for the identification numbers 1 to 4.
  • The database 121 can store an electromagnetic wave waveform for a CAN message on which the ECU performs some operation (normal CAN message) and an electromagnetic wave waveform for a CAN message on which the ECU does not originally operate (other CAN message).
  • “AAABBBCC”, “DDDEEEFF”, and “GGGHHHII” are categorized and registered as normal CAN data, and “JJJJKKLL” is categorized and registered as other CAN messages.
  • the detection process 112 is a process for detecting an abnormal operation of the ECU.
  • the detection process 112 includes a comparison process 113, and the control unit 11 executes the comparison process 113 in the detection process 112.
  • the comparison process 113 is a process for comparing the reference electromagnetic wave waveform read from the database 121 by the reading process 111 and the electromagnetic wave waveform (hereinafter also referred to as a measurement waveform) indicated by the signal input from the probe 5.
  • a general pattern matching method may be employed.
  • the control unit 11 calculates a correlation coefficient between the reference electromagnetic wave waveform and the measurement waveform. That the correlation coefficient is equal to or greater than the threshold means that the measured waveform matches the reference electromagnetic wave waveform. Conversely, a correlation coefficient less than the threshold means that the measured waveform does not match the reference electromagnetic wave waveform.
  • When the reference electromagnetic wave waveform is a normal-time electromagnetic wave waveform, the fact that the measured waveform matches it means that the ECU which is the test device D performs a normal operation, that is, no abnormal operation occurs.
  • the fact that the measured waveform does not match the normal electromagnetic wave waveform means that the ECU is not operating normally, that is, an abnormal operation is occurring. Therefore, the comparison process 113 in the first embodiment is a process for specifying whether or not there is an abnormal operation in the test device D.
  • the display process 114 is a process for displaying the detection result in the detection process 112 on the display unit 15.
  • a process for displaying at least one detection result of the presence or absence of an abnormal operation on the display unit 15 is performed.
  • FIG. 5 is a flowchart showing an example of the flow of the abnormal operation detection process executed by the control unit 11 in the present embodiment.
  • The control unit 11 receives an input of a signal indicating an electromagnetic wave from the probe 5 (step S101). From the input signal, an electromagnetic wave waveform (waveform A), which is the measurement waveform, is specified.
  • The control unit 11 reads the corresponding normal-time electromagnetic wave waveform (waveform B) as the reference electromagnetic wave waveform from the normal electromagnetic wave database 121A (step S103).
  • In step S103, the normal-time electromagnetic wave waveform corresponding to the CAN message input from the input device 3 to the test device D is read.
  • The control unit 11 identifies the presence or absence of abnormal operation in the test device D by comparing the waveforms A and B (step S105). That is, when waveform A, the measurement waveform, matches waveform B, the reference electromagnetic wave waveform (YES in step S107), the control unit 11 displays on the display unit 15, as the detection result of the abnormal operation of the test device D, a message indicating “normal”, which indicates that no abnormal operation is detected (step S109).
  • When waveform A does not match waveform B, the control unit 11 displays, as the detection result of the abnormal operation of the test device D, a message indicating “abnormal”, which indicates that an abnormal operation has been detected (step S111).
  • the operation of the test device D is captured by electromagnetic waves. Therefore, even if the test device D is a device that does not output by operation, such as an ECU, or a device that does not have a function of performing output by operation, a hardware simulator other than the test device D is not required. In addition, the operation can be easily detected. Thereby, an apparatus structure can be made easy and an increase in cost can be suppressed. In addition, since it is not necessary to verify the identity of the operation of the test device D and the hardware simulator, the detection work can be simplified.
  • Since the presence / absence of the abnormal operation of the test device D is detected by comparing the detected electromagnetic wave waveform with the normal-time electromagnetic wave waveform, it can be detected easily and with high accuracy.
  • the database 121 may store an abnormal electromagnetic wave waveform instead of the normal electromagnetic wave waveform.
  • In that case, the control unit 11 of the verification apparatus 1 detects an abnormal operation by the reverse of the detection method described above. That is, the control unit 11 detects an abnormal operation when the electromagnetic wave waveform measured from the test device D and input from the probe 5 includes a waveform that matches the abnormal-time electromagnetic wave waveform serving as the reference electromagnetic wave waveform. When it does not include such a waveform, no abnormal operation is detected, that is, a normal operation is detected. In other words, the verification of the operation of the test device D may be to detect the normal operation of the test device D.
  • The database 121 stores at least one of the normal-time electromagnetic wave waveform and the abnormal-time electromagnetic wave waveform, or both, as the reference electromagnetic wave waveform, and the control unit 11 compares the measured electromagnetic wave waveform with the reference electromagnetic wave waveform. As a result, the presence / absence of an abnormal operation and / or the presence / absence of a normal operation can be easily detected with high accuracy.
  • When the abnormal-time electromagnetic wave waveform is stored in the database 121, the normal CAN message and other CAN messages need not be categorized.
  • the verification of the operation of the test device D is not limited to the detection of the presence / absence of abnormal operation and / or the presence / absence of normal operation.
  • the verification of the operation of the test device D may be detection of the type of abnormal operation.
  • the database 121 stored in the storage unit 12 is an abnormal electromagnetic wave database 121B as shown in FIG.
  • FIG. 6 shows another example of the database 121 stored in the storage unit 12 and shows a specific example of the abnormal electromagnetic wave database 121B.
  • The abnormal-time electromagnetic wave database 121B stores, for each type of abnormality, the electromagnetic wave waveform (abnormal-time electromagnetic wave waveform) leaked from the ECU when the abnormality occurs.
  • The electromagnetic wave waveform when each of the following occurs is stored: an error to perform division by zero (division by zero), an error to calculate a negative square root (negative square root), an error due to a buffer overflow (buffer overflow), and expiration of the watchdog timer. Note that the timing of FIG. 6 is not used in the second embodiment, but will be described in a fourth embodiment to be described later.
  • FIG. 7 is a flowchart showing an example of the flow of the abnormal operation detection process executed by the control unit 11 in the present embodiment.
  • control unit 11 receives an input of a signal indicating an electromagnetic wave from probe 5 (step S201). From the input signal, an electromagnetic wave waveform (waveform A) which is a measurement waveform is specified.
  • The control unit 11 reads out each abnormal-time electromagnetic wave waveform (waveform B) stored in the abnormal electromagnetic wave database 121B (step S203), and compares the electromagnetic wave waveform (waveform A) input in step S201 with each abnormal-time electromagnetic wave waveform.
  • As a result, an abnormal-time electromagnetic wave waveform that matches waveform A is specified (step S205). That is, the type of the corresponding abnormality is specified.
  • When there is no abnormal-time electromagnetic wave waveform that matches the electromagnetic wave waveform (waveform A) input in step S201 (NO in step S207), the control unit 11 displays on the display unit 15, as the detection result of the abnormal operation of the test device D, a message indicating “abnormality not existing in database” (step S209). In step S209, a normal message indicating that no abnormal operation is detected may be output instead.
  • When there is a matching abnormal-time electromagnetic wave waveform, the control unit 11 displays on the display unit 15, as the detection result of the abnormal operation of the test device D, a message indicating the type of abnormality corresponding to that abnormal-time electromagnetic wave waveform (step S211).
  • Since the type of abnormal operation of the test device D is detected by comparing the detected electromagnetic wave waveform with the abnormal-time electromagnetic wave waveform, it can be detected easily and with high accuracy.
  • the reference electromagnetic wave waveform stored in the abnormal electromagnetic wave database 121B may be an electromagnetic wave waveform for each type of abnormality for each ECU type or manufacturer. This is because different types of ECUs and manufacturers have different ways of generating an abnormality, and electromagnetic wave waveforms may be different even with the same type of abnormality.
  • FIG. 8 is another example of the database 121 stored in the storage unit 12, and is a diagram showing a specific example of the abnormal electromagnetic wave database 121C.
  • In the abnormal electromagnetic wave database 121C, for each attribute (manufacturer) of the ECU that is the test device D and for each CAN message input to the ECU from the input device 3, the electromagnetic wave waveform assumed when that CAN message is input, the cause (type) of the abnormal operation, and the determination result (NG) are stored.
  • For the ECU manufactured by company A, the electromagnetic wave waveform for each input CAN message, the type of abnormal operation when that electromagnetic wave waveform is generated, and the determination result (NG) are shown.
  • FIG. 9 is a flowchart showing an example of the flow of the abnormal operation detection process executed by the control unit 11 in the present embodiment.
  • control unit 11 receives an input of a signal indicating an electromagnetic wave from probe 5 (step S301). From the input signal, an electromagnetic wave waveform (waveform A) which is a measurement waveform is specified.
  • the control unit 11 reads the abnormal electromagnetic wave waveform (waveform B) corresponding to the type of the test device as the reference electromagnetic wave waveform from the abnormal electromagnetic wave database 121C (step S303).
  • the type of the test device is specified by a user input to the control unit 11, for example.
  • an abnormal electromagnetic wave waveform stored as an abnormal wave waveform assumed at the time of CAN message input according to the CAN message input from the input device 3 to the test device D is read.
  • a plurality of abnormal electromagnetic wave waveforms may be read.
  • The control unit 11 identifies the presence or absence of an abnormal operation assumed in the test device D by comparing the waveforms A and B (step S305). That is, when the waveform A that is the measurement waveform matches the waveform B that is the reference electromagnetic wave waveform (YES in step S307), the control unit 11 displays on the display unit 15 a message indicating that the abnormal operation is detected, as the detection result of the abnormal operation of the test device D (step S309).
  • In step S305, the control unit 11 compares the electromagnetic wave waveform (waveform A) with each abnormal electromagnetic wave waveform, and the abnormal electromagnetic wave waveform matching the waveform A is specified. That is, a corresponding abnormality type is specified from a plurality of assumed abnormality types.
  • The control unit 11 displays on the display unit 15, as the detection result of the abnormal operation of the test device D, a message indicating the type of abnormality corresponding to the abnormal electromagnetic wave waveform (step S309).
  • When there is no abnormal electromagnetic wave waveform that matches the waveform A (NO in step S307), the control unit 11 displays on the display unit 15, as the detection result of the abnormal operation of the test device D, a message indicating that the abnormal operation is an “abnormality not existing in the database” (step S311). In step S311, a normal message indicating that no abnormal operation is detected may be output.
  • By preparing in advance an electromagnetic wave waveform corresponding to the type of abnormal operation assumed for each input control signal, and comparing the detected electromagnetic wave waveform with the prepared electromagnetic wave waveform, the type of abnormal operation of the test device D can be detected in more detail.
  • The abnormal electromagnetic wave waveform for each type of test device D is stored in the database 121, but in combination with the first embodiment, the normal-time electromagnetic wave waveform for each type of test device D may be stored in the database 121. In this case, the presence or absence of abnormal operation can be detected with high accuracy according to the type of the test device D.
  • the database 121 may further store information defining the comparison timing.
  • information defining the timing for comparison with the abnormal electromagnetic wave waveform is stored in the abnormal electromagnetic wave waveform database 121B.
  • the timing of the comparison is, for example, an elapsed time from the input of the control signal, an elapsed time from the time when a specified feature point of the electromagnetic wave waveform input from the probe 5 is detected, and the like.
  • Information defining the timing of comparison may be stored in a database different from the database 121.
  • the time from when the control signal is input to when the operation according to the control signal (for example, division) is started is defined by the test device D software. Therefore, the time is known in advance by the software designer.
  • the comparison timing defined by the information stored in the database 121 is based on the above time. For example, the timing of comparison is when the above time has elapsed since the input of the control signal, or when a time shorter than the above time by a predetermined period since the input of the control signal. In the former case, the comparison timing is the timing at which the operation according to the control signal is started. In the latter case, the comparison timing is slightly before the operation according to the control signal is started.
  • The control unit 11 of the verification apparatus 1 obtains, from among the signals input from the probe 5, the electromagnetic wave waveform of the signal at the defined timing. That is, the presence or absence of abnormal operation and/or the type of abnormal operation can be specified only by comparing the portion of the electromagnetic wave waveform measured from the test device D at the position defined by the database 121 with the waveform stored in the database 121.
  • The control unit 11 of the verification apparatus 1 can specify the presence or absence of abnormal operation and/or the type of abnormal operation by determining whether or not the position where the waveform that matches the reference electromagnetic wave waveform appears among the electromagnetic wave waveforms input from the probe 5 is a specified position. In this case, for each position of the electromagnetic wave waveform input from the probe 5, a database (normal electromagnetic wave waveform database 121A or abnormal electromagnetic wave waveform database 121B, 121C) storing a reference electromagnetic wave waveform used for comparison processing may be prepared. In this case, the control unit 11 of the verification apparatus 1 reads the reference electromagnetic wave waveform from the corresponding database and uses it for the comparison process for each position used for the comparison process among the electromagnetic wave waveforms input from the probe 5.
  • The abnormal operation of the test device can be detected with high accuracy if the timing at which the electromagnetic wave waveform is output differs depending on the abnormal operation.
  • Side channel information is not limited to electromagnetic waves.
  • the power consumption of the test device D may be used.
  • the verification system 100 includes a measuring device for measuring the current value instead of the probe 5.
  • the measuring instrument is, for example, a device that can be inserted into a power supply line of the test device D, and can measure a current value by detecting a voltage difference between both ends of a minute resistance.
  • the database 121 stores a change in power consumption per unit time while the test device D is operating as a reference.
  • the control unit 11 of the verification apparatus 1 calculates a change in power consumption per unit time in the test device D by multiplying the current value obtained from the measuring instrument by a voltage value acquired in advance.
  • The control unit 11 compares the calculated change in the power consumption with the change in the reference current value stored in the database 121 and the change in the measured current value, and thereby detects the presence or absence of abnormal operation, or the type of abnormal operation.
  • the side channel information is at least one of electromagnetic waves leaking from the test device D and power consumption of the test device D.
  • the side channel information may be other than electromagnetic waves and power consumption.
  • the side channel information may be heat (temperature) or sound (frequency, volume) generated during the operation of the test device D.
  • the side channel information is not limited to electromagnetic waves, but can be captured by other information. Thereby, the abnormal operation of the test device D can be detected with high accuracy by a simple apparatus.
  • the leaked electromagnetic wave waveform differs for each device (memory, CPU, etc.) mounted on the test device D.
  • the probe 5 is disposed at a position corresponding to a device that detects the presence or absence of abnormal operation in the test device D.
  • FIG. 14 is a diagram for explaining an example of the arrangement of the probes 5.
  • the test device D includes, as an example, a CPU 51, a memory 52, and an interface (I / F) 53.
  • FIG. 14 exemplifies a configuration in which the CPU 51, the memory 52, and the I / F 53 chip are arranged on one substrate.
  • When the coordinates are set with the substrate surface as the XY plane, the CPU 51 is arranged in the second quadrant, the memory 52 is arranged in the third quadrant, and the I / F 53 is arranged in the fourth quadrant.
  • When detecting the presence or absence of abnormal operation of the CPU 51 of the test device D, the probe 5 is placed in the second quadrant position 5A to receive the leaking electromagnetic wave. When detecting the presence or absence of abnormal operation of the memory 52, the probe 5 is placed in the position 5B of the third quadrant to receive the leaking electromagnetic wave. When detecting the presence / absence of abnormal operation of the I / F 53, the probe 5 is placed in the fourth quadrant position 5C to receive the leaking electromagnetic wave.
  • the database 121 stores a reference electromagnetic wave waveform corresponding to a device that detects the presence or absence of abnormal operation.
  • the database which stores a reference electromagnetic wave waveform according to the device which detects the presence or absence of abnormal operation may be prepared.
  • FIG. 15 is a diagram illustrating another example of the database 121 stored in the storage unit 12 and an example of a normal electromagnetic wave database 121D for each position with respect to the test device D.
  • The normal-time electromagnetic wave database 121D stores, for each position corresponding to the device that detects the presence or absence of abnormal operation in the test device D, the electromagnetic wave waveform that leaks from the normally operating device (normal-time electromagnetic wave waveform).
  • the normal-time electromagnetic wave waveforms of the CPU 51, the memory 52, and the I / F 53 are stored.
  • Illustration of each concrete electromagnetic wave waveform is omitted.
  • FIG. 16 is a flowchart showing an example of the flow of the abnormal operation detection process executed by the control unit 11 in the present embodiment.
  • The control unit 11 accepts selection of a position (for example, one of the first quadrant to the fourth quadrant) according to a device that detects presence / absence of abnormal operation in test device D.
  • For the selection, a user input from an input device may be received, or input of the detection result of the position of the probe 5 (for example, any one of positions 5A to 5C) from a detector (not shown) may be accepted.
  • After the position is selected in step S400, the same processing as steps S101 to S111 in FIG. 5 is performed. That is, the control unit 11 receives an input of a signal indicating an electromagnetic wave from the probe 5 (step S401), and compares the input electromagnetic wave waveform with a reference electromagnetic wave waveform stored in the normal time electromagnetic wave database 121D (steps S403, S405). In the present embodiment, in step S403, the control unit 11 reads the reference electromagnetic wave waveform corresponding to the selected position from the normal electromagnetic wave database 121D. The control unit 11 outputs “normal” when the input electromagnetic wave waveform matches the reference electromagnetic wave waveform, and outputs “abnormal” when it does not (steps S407 to S411).
  • the reference electromagnetic wave waveform is a normal electromagnetic wave waveform.
  • the reference electromagnetic wave waveform may be an abnormal electromagnetic wave waveform.
  • “abnormal” is output when the input electromagnetic wave waveform matches the reference electromagnetic wave waveform corresponding to the selected position.
  • the configuration of the test device D is not limited to the configuration of FIG.
  • In the verification system 100, by using the side channel information detected from the position corresponding to the device that detects the presence or absence of abnormal operation in the test device D, an abnormal operation of the test device D can be detected more accurately and in more detail.
  • FIG. 17 is a block diagram illustrating an abnormal operation detection process executed by the control unit 11 of the verification apparatus 1 according to the seventh embodiment.
  • the detection process 112 includes a determination process 116 instead of the comparison process 113 illustrated in FIG.
  • the determination process 116 is a process for determining whether the measurement waveform is a normal electromagnetic wave waveform or an abnormal electromagnetic wave waveform using the classifier 122.
  • a classifier 122 is stored in the storage unit 12 of the verification device 1 according to the seventh embodiment.
  • the classifier 122 is a learning model learned to output a normal-time electromagnetic wave waveform or an abnormal-time electromagnetic wave waveform when an electromagnetic wave waveform is given. As shown in FIG. 17, the classifier 122 includes a first model 122A and a second model 122B.
  • The first model 122A is learned using normal-time electromagnetic wave waveforms with respect to a plurality of CAN messages. The first model 122A is a learning model that is machine-learned so that, when a certain electromagnetic wave waveform is given, it outputs information indicating the CAN message corresponding to the electromagnetic wave waveform.
  • FIG. 18 is a diagram schematically showing the structure of the classifier 122.
  • the first model 122A is a one-dimensional convolutional neural network (1D-CNN).
  • the first model 122A may be another deep learning model obtained by executing deep learning using a plurality of the above combinations.
  • the first model 122A includes an input layer 61 that receives an input of an electromagnetic wave waveform, a convolution layer 62, a pooling layer 63, a fully connected layer 64, and an output layer 65.
  • the convolution layer 62 performs a filtering process on the input electromagnetic wave waveform to extract a feature amount.
  • the pooling layer 63 aggregates the feature values obtained by the convolution layer 62.
  • the fully connected layer 64 combines the aggregated results in the pooling layer 63.
  • the output layer 65 outputs information indicating the corresponding CAN message that is the classification result based on the combination result in the fully connected layer 64.
  • each of CAN messages M1 to M4 is input to the ECU serving as test device D (step S501).
  • the messages M1 to M4 are CAN messages for instructing operations such as vehicle speed acquisition, engine speed acquisition, and air flow meter value acquisition, for example.
  • the normal electromagnetic wave waveform from the test device D when each CAN message M1 to M4 is input is measured (step S503).
  • the normal-time electromagnetic wave waveforms a1 to a4 are measured with respect to the input of the CAN message M1.
  • the normal-time electromagnetic wave waveforms a1 to a4 measured with respect to the input of the CAN message M1 are set as input values to the first model 122A (step S505).
  • The first model 122A receives the normal-time electromagnetic wave waveforms a1 to a4 at the input layer 61 and, through the processing of each input waveform in the convolution layer 62, the pooling layer 63, and the fully connected layer 64, outputs the probabilities of the CAN messages M1 to M4 from the output layer 65.
  • A certain waveform (for example, a normal electromagnetic wave waveform a1) is input from the input layer 61, and the input waveform is classified into four classes of CAN messages M1 to M4. The output is that the probability of being a CAN message M1 is 95%, the probability of being a CAN message M2 is 5%, the probability of being a CAN message M3 is 3%, and the probability of being a CAN message M4 is 2%.
  • the coefficient of the function used in the calculation in each of the layers 62 to 64 is adjusted so as to increase the probability of the CAN message M1 corresponding to the inputted normal electromagnetic wave waveform a1 (step S507).
  • The weighting factor in the fully connected layer 64 is changed so that the probability (95%) of the CAN message M1 output from the output layer 65 when the normal-time electromagnetic wave waveform a1 is input from the input layer 61 becomes higher.
  • the first model 122A is learned by performing steps S501 to S507 of FIG. 18 for each of the CAN messages M1 to M4 for the combination of the CAN message and the normal electromagnetic wave waveform measured when the CAN message is input.
  • the accuracy of classifying the input electromagnetic wave waveform into corresponding CAN messages can be improved.
  • the second model 122B is a learning model that is machine-learned so as to output a determination result of whether the target electromagnetic wave waveform is a normal electromagnetic wave waveform or an abnormal electromagnetic wave waveform based on the feature quantity of the electromagnetic wave waveform.
  • the second model 122B is a classification algorithm such as One class SVM (Support Vector Machine). In the example of FIG. 18, the second model 122B is One class SVM.
  • the second model 122B may be another deep learning model obtained by executing deep learning using a plurality of feature amounts obtained from the normal electromagnetic wave waveform.
  • The second model 122B is learned by a so-called transfer learning method, as shown in FIG. 18 as an example. That is, learning of the first model 122A is the first-stage learning, and as the second-stage learning, the group of feature quantities calculated from each electromagnetic wave waveform in the fully connected layer 64 of the learned first model 122A is given to the second model 122B as an input value.
  • Specifically, referring to FIG. 18, the feature amount F calculated in a layer of the fully connected layer 64 when a normal-time electromagnetic wave waveform (for example, waveform a1) is input to the input layer 61 of the learned first model 122A is given to the second model 122B as an input value (step S509).
  • The layer of the fully connected layer 64 used for this calculation is, for example, the second or third layer from the pooling layer 63.
  • The second model 122B stores the feature value F input to the second model 122B in step S509 as normal values obtained from the normal electromagnetic wave waveform a1 of the CAN message M1. The second model 122B then sets the boundary surrounding the input feature value F as the identification boundary B, which is the boundary between normal values and abnormal values of the feature value obtained from the measured electromagnetic wave waveform for the CAN message M1 (step S511).
  • the second model 122B is learned and set for each CAN message by performing steps S509 and S511 of FIG. 18 for each of the CAN messages M1 to M4 with respect to each normal electromagnetic wave waveform measured when the CAN message is input.
  • the accuracy of the identification boundary B can be improved.
  • the classifier 122 may be stored in the storage unit 12 in advance.
  • the control unit 11 further executes a learning process 115 for creating the classifier 122.
  • the learning process 115 is a process represented by steps S501 to S511. In the learning process 115, at least a part of steps S501 to S511 may be executed by another device.
  • The determination process 116 inputs a measured waveform to the learned classifier 122, and determines from the output value whether it is a normal electromagnetic wave waveform or an abnormal electromagnetic wave waveform. That is, when the measured waveform is input to the classifier 122, the learned first model 122A calculates the feature value and gives it to the second model 122B. The learned second model 122B calculates the divergence between the identification boundary B set by learning and the feature value, and, based on the divergence, outputs information indicating the determination result of whether the waveform is a normal-time electromagnetic wave waveform or an abnormal-time electromagnetic wave waveform. The output information is once written in the storage unit 12.
  • the divergence may be, for example, data indicating whether the input feature quantity is within or outside the range surrounded by the identification boundary B.
  • the determination process 116 reads the output value from the classifier 122 from the storage unit 12 and detects whether the measurement waveform is a normal electromagnetic wave waveform or an abnormal electromagnetic wave waveform based on the value. For example, when it is within the range surrounded by the identification boundary B, it is determined that the electromagnetic wave waveform is normal, that is, normal operation, and when it is outside the above range, it is determined that the electromagnetic wave waveform is abnormal, that is, the operation is abnormal. The determination result is once written in the storage unit 12.
  • With the verification apparatus 1, even if random noise is included in the measurement waveform and the reference electromagnetic wave waveform, detection with high accuracy becomes possible. Further, even when an interrupt process or the like occurs during execution of a program of a device to be verified (for example, an ECU), the feature point interval of the measurement waveform can be detected with high accuracy.
  • the machine learning model shown in the classifier 122 may be an auto encoder as another example.
  • The auto encoder is a learning model that is machine-learned so that the input waveform is compressed into a feature quantity of reduced dimension and then restored from that feature quantity.
  • The learned auto encoder outputs a waveform that is almost the same as the input waveform. Therefore, when an unlearned waveform, that is, an abnormal electromagnetic wave waveform that is not a normal electromagnetic wave waveform, is given as an input value, substantially the same waveform is not output. The input is thereby determined to be an electromagnetic wave waveform at the time of abnormality.
  • FIG. 10 is a diagram illustrating a measurement result of Example 1 in which the inventors verified the operation of the test device D using the verification apparatus 1 of the present application.
  • a commercially available head-up display was used as the test device D.
  • FIG. 10A is a control signal (CAN message) input to the test device D
  • FIG. 10B is an electromagnetic wave waveform measured by the probe 5 from the test device D.
  • FIG. 11 is an enlarged view of a part (dotted line part) of FIG. 10
  • FIG. 12 is an enlarged view of a part (solid line part) of FIG.
  • FIG. 11 is an enlarged view of the CAN message F6 and the electromagnetic wave waveform when the CAN message F6 is input, which is a range surrounded by a dotted line in FIG.
  • the time after the elapse of t [us] from the input of the CAN message F6 is defined as the comparison timing. Therefore, the control unit 11 of the verification apparatus 1 compares the electromagnetic wave waveform (comparison waveform) of the portion surrounded by the solid line in FIG. 11 with the reference electromagnetic wave waveform stored in the database 121.
  • FIG. 12 is an enlarged view of the comparative waveform of FIG.
  • the control unit 11 of the verification device 1 compares the comparison waveform with the reference electromagnetic wave waveform, and detects that the abnormal waveform AW1 is included in the comparison waveform.
  • the head-up display used as the test device D in the measurement of Example 1 ends abnormally due to abnormal operation.
  • abnormal operation was detected using the electromagnetic wave waveform input from the probe 5 before abnormal termination due to abnormal operation. Therefore, it was verified that the operation of the test device D can be verified with high accuracy using the verification apparatus 1.
  • FIG. 13 is a diagram illustrating a measurement result of Example 2 in which the inventors verified the operation of the test device D using the verification apparatus 1 of the present application.
  • An arithmetic unit equipped with software was used as the test device D, and the electromagnetic wave waveform was measured both when a control signal for performing division by a number other than zero (normal division) was input and when a control signal for performing division by zero was input.
  • FIGS. 13A and 13B show the measurement results of the electromagnetic wave waveform of the test device D in each.
  • the arithmetic unit used as the test device D executes division according to the control signal from the normal state (the state where division is not executed), and returns to the normal state when the division is completed.
  • The database 121 stores the electromagnetic wave waveform during division as the reference electromagnetic wave waveform, and the control unit 11 of the verification apparatus 1 pattern-matches the electromagnetic wave waveform measured from the input point of the control signal against the reference electromagnetic wave waveform.
  • an abnormal waveform AW2 indicating that the division is being executed is detected for the period At2 from the input time of the control signal.
  • An electromagnetic wave waveform W2 indicating a normal state was detected after the passage of At2.
  • The period At2 was 1.0 [μs].
  • The electromagnetic wave waveform indicating that the division is being performed continued only for a period At2 shorter than the period At1 indicating the normal division execution time, and thereafter the electromagnetic wave waveform W2 was detected, whereby division by zero in the test device D, that is, an abnormal operation, was detected.
  • As described above, in Example 2, division by zero, that is, a specific abnormal operation of the test device D, was detected using the electromagnetic wave waveform input from the probe 5. Therefore, it was verified that the operation of the test device D can be verified using the verification apparatus 1 according to the position where the electromagnetic wave waveform that matches the reference electromagnetic wave waveform among the electromagnetic wave waveforms input from the probe 5 appears.
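The database comparison of FIG. 7 (steps S201 to S211), restricted to the stored comparison timing, can be sketched as follows. This is an added example, not code from the patent: the normalized-correlation match, the 0.9 threshold, the sample offsets and the reference waveforms are all assumptions constructed for illustration.

```python
import math

NO_MATCH = "abnormality not existing in the database"

# Constructed reference waveforms (assumption); real entries would be measured
# per ECU type. "offset" is the comparison timing, in samples after the
# control-signal input, at which the abnormal waveform is expected.
DATABASE = [
    {"type": "division by zero", "offset": 10,
     "waveform": [0, 3, 5, 3, 0, -3, -5, -3]},
    {"type": "expiration of the watchdog timer", "offset": 20,
     "waveform": [5, 5, -5, -5, 5, 5, -5, -5]},
]


def normalized_correlation(a, b):
    """Pearson correlation of two equal-length sample lists, in [-1, 1]."""
    mean_a, mean_b = sum(a) / len(a), sum(b) / len(b)
    da = [x - mean_a for x in a]
    db = [y - mean_b for y in b]
    denom = math.sqrt(sum(x * x for x in da) * sum(y * y for y in db))
    if denom == 0.0:
        return 0.0  # a flat segment carries no shape information
    return sum(x * y for x, y in zip(da, db)) / denom


def classify_trace(trace, trigger_index, database, threshold=0.9):
    """Compare waveform A against every waveform B at its defined timing.

    Returns (abnormality type, score), or (NO_MATCH, None) when no stored
    waveform matches at its comparison position.
    """
    best_type, best_score = None, threshold
    for entry in database:
        start = trigger_index + entry["offset"]
        segment = trace[start:start + len(entry["waveform"])]
        if len(segment) < len(entry["waveform"]):
            continue  # trace too short to cover this comparison window
        score = normalized_correlation(segment, entry["waveform"])
        if score >= best_score:
            best_type, best_score = entry["type"], score
    if best_type is None:
        return NO_MATCH, None
    return best_type, best_score


def make_trace(signature=None, at=0, gain=1.0, length=48):
    """Constructed probe trace: small periodic ripple plus an optional signature."""
    trace = [0.1 * (2, -1, -1)[i % 3] for i in range(length)]
    if signature is not None:
        for k, value in enumerate(signature):
            trace[at + k] += gain * value
    return trace


if __name__ == "__main__":
    div0 = DATABASE[0]["waveform"]
    # Control signal input at sample 5; signature at the defined timing (5 + 10).
    print(classify_trace(make_trace(div0, at=15, gain=0.5), 5, DATABASE))
    # Same signature at an undefined position: no match at the comparison timing.
    print(classify_trace(make_trace(div0, at=35), 5, DATABASE))
```

Because the correlation is normalized, the half-amplitude signature still matches, while the same waveform appearing outside its defined window does not.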
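The determination process 116 can be illustrated with a much simpler stand-in for the classifier 122. This is an added example, not the patent's implementation: per-segment RMS energy replaces the feature amount F taken from the first model 122A, and a sphere around the normal-time features replaces the One class SVM boundary B; the waveforms, the `M1` key and the margin are constructed assumptions.

```python
import math

PERIOD = [1.0, 0.5, -1.0, -0.5]  # constructed one-period activity pattern


def activity_trace(gain=1.0, active_periods=4, total_periods=4, idle=0.05):
    """Constructed waveform: activity for some periods, then near-idle signal."""
    samples = []
    for p in range(total_periods):
        g = gain if p < active_periods else idle
        samples += [g * v for v in PERIOD]
    return samples


def segment_rms(waveform, segments=4):
    """Stand-in for feature amount F: RMS energy of each equal-length segment."""
    size = len(waveform) // segments
    return [
        math.sqrt(sum(x * x for x in waveform[i * size:(i + 1) * size]) / size)
        for i in range(segments)
    ]


def fit_boundary(normal_waveforms, margin=1.5):
    """Learn a boundary for one CAN message from normal-time waveforms only."""
    feats = [segment_rms(w) for w in normal_waveforms]
    dims = len(feats[0])
    center = [sum(f[d] for f in feats) / len(feats) for d in range(dims)]
    # Radius: farthest normal sample from the center, widened by the margin.
    radius = margin * max(math.dist(f, center) for f in feats)
    return {"center": center, "radius": radius}


def determine(models, can_message, waveform):
    """Return (verdict, divergence); divergence > 0 means outside the boundary."""
    model = models.get(can_message)
    if model is None:
        raise KeyError(f"no boundary learned for CAN message {can_message!r}")
    distance = math.dist(segment_rms(waveform), model["center"])
    divergence = distance - model["radius"]
    return ("abnormal" if divergence > 0 else "normal"), divergence


# Boundary for message M1 learned from four constructed normal-time waveforms.
MODELS = {"M1": fit_boundary([activity_trace(g) for g in (0.9, 1.0, 1.1, 1.0)])}

if __name__ == "__main__":
    # A new normal measurement with slightly different gain.
    print(determine(MODELS, "M1", activity_trace(1.05)))
    # Activity that stops after half the normal duration, as in Example 2.
    print(determine(MODELS, "M1", activity_trace(1.0, active_periods=2)))
```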

Abstract

A verification method is provided with: a step S2 for receiving side channel information from a test device to which fuzz data is given; and a step S3 for verifying an operation of the test device on the basis of the received side channel information.

Description

検証方法、検証装置、コンピュータプログラム、及び、検証システムVerification method, verification device, computer program, and verification system
 本開示は、検証方法、検証装置、コンピュータプログラム、及び、検証システムに関する。 The present disclosure relates to a verification method, a verification device, a computer program, and a verification system.
 電子機器は、セキュリティの脆弱性を有すると、いわゆるサイバー攻撃と呼ばれる、第三者からの不正に入力されたデータに従って、異常動作する場合がある。異常動作とは、動作不能となったり、本来の動作とは異なる動作をとったりすることを指す。 If an electronic device has security vulnerabilities, it may operate abnormally according to illegally input data from a third party called a so-called cyber attack. An abnormal operation refers to the inability to operate or an operation different from the original operation.
 従って、電子機器のセキュリティ対策として、このような異常動作の原因となる電子機器のソフトウェアの欠陥を検出することが重要である。そのための手法として、ファッジングテストが知られている。ファッジングテストは、テスト対象の電子機器に対して様々なデータを網羅的に送付し、異常動作の有無を検出するブラックボックステスト手法である。 Therefore, it is important to detect a software defect in the electronic device that causes such abnormal operation as a security measure for the electronic device. For this purpose, a fuzzing test is known. The fuzzing test is a black box test method in which various data are comprehensively sent to an electronic device to be tested to detect the presence or absence of abnormal operation.
 昨今、外部からデータ入力を受け付けて動作する様々な電子機器がある。電子機器の中には、表示部などの出力部を有しておらず、動作状況が外部に現れないものがある。また、車両の非常ブレーキ動作のためのECU(Electronic Control Unit)のように、外部への動作頻度が低い装置もある。外部への動作頻度が低いと、電子機器が内部的には異常動作をしていても、その異常動作が、外部に異常として現れることは少ない。 Recently, there are various electronic devices that operate by receiving data input from the outside. Some electronic devices do not have an output unit such as a display unit, and the operation status does not appear outside. In addition, there are devices that are not frequently operated externally, such as an ECU (Electronic Control Unit) for emergency braking operation of a vehicle. If the frequency of external operation is low, even if the electronic device performs an internal abnormal operation, the abnormal operation rarely appears as an external abnormality.
 このような電子機器をファッジングテストの対象とする場合、異常動作が外部に現れにくいため異常動作の有無を検出し難い。そのため、従来のファッジングテストによっては電子機器の検証をし難い場合がある。 When such electronic devices are subject to fuzzing tests, it is difficult to detect the presence or absence of abnormal operations because abnormal operations are unlikely to appear outside. Therefore, it may be difficult to verify an electronic device by a conventional fuzzing test.
 この点、2017年に「暗号と情報セキュリティシンポジウム」で発表された上記の論文(非特許文献1)は、ファッジングテストの対象とする電子機器と同じ動作を行なうハードウェアシミュレータを用いて、対象とする電子機器と同じデータを入力したときのハードウェアシミュレータの動作と対象とする電子機器の動作とを比較することによって、対象とする電子機器(テストデバイス)の検証手法を提案している。しかしながら、この手法では、ハードウェアシミュレータを用いることによるコストアップや煩雑さが課題となる。したがって、テストデバイスの検証をより簡易にすることが望まれる。 In this regard, the above paper (Non-Patent Document 1) published at the "Cryptography and Information Security Symposium" in 2017 is based on a hardware simulator that performs the same operation as an electronic device that is the subject of a fuzzing test. The verification method of the target electronic device (test device) is proposed by comparing the operation of the hardware simulator when the same data as the target electronic device is input with the operation of the target electronic device. However, with this method, cost increases and complexity due to the use of a hardware simulator are problems. Therefore, it is desired to simplify the verification of the test device.
According to one embodiment, a verification method includes a step of receiving side channel information from a test device to which fuzz data has been given, and a step of verifying the operation of the test device based on the received side channel information.
According to another embodiment, a verification device includes an interface that accepts input of side channel information from a test device to which fuzz data has been given, and a processing unit that verifies the operation of the test device based on the side channel information input via the interface.
According to another embodiment, a computer program is a computer program for causing a computer to function as a verification device that verifies the operation of a test device, the program causing the computer to function as an input unit that accepts input of side channel information from a test device to which fuzz data has been given, and as a processing unit that verifies the operation of the test device based on the side channel information input via the input unit.
According to another embodiment, a verification system includes a measurement device that measures side channel information from a test device to which fuzz data has been given, and a verification device that verifies the operation of the test device based on the side channel information input from the measurement device.
FIG. 1 is a diagram showing an example of the configuration of the verification system and of the verification method.
FIG. 2 is a diagram for explaining the configuration of the verification device.
FIG. 3 is a block diagram showing the processing executed by the control unit of the verification device.
FIG. 4 is a diagram showing a specific example of the normal-time electromagnetic wave database.
FIG. 5 is a flowchart showing an example of the flow of the abnormal operation detection process in the verification device.
FIG. 6 is a diagram showing a specific example of the abnormal-time electromagnetic wave database.
FIG. 7 is a flowchart showing another example of the flow of the abnormal operation detection process in the verification device.
FIG. 8 is a diagram showing another example of the abnormal-time electromagnetic wave database.
FIG. 9 is a flowchart showing another example of the flow of the abnormal operation detection process in the verification device.
FIG. 10 is a diagram showing an example of the input signal (A) to the test device and the detected electromagnetic wave waveform (B) in Example 1.
FIG. 11 is an enlarged view of the input signal (A) and the detected electromagnetic wave waveform (B) from the sixth frame of FIG. 10 onward.
FIG. 12 is an enlarged view of the electromagnetic wave detected immediately after input of the sixth frame in FIG. 11.
FIG. 13 is a diagram showing another example of the input signal (A) to the test device and the detected electromagnetic wave waveform (B) in Example 2.
A diagram for explaining an example of the arrangement of the probe.
A diagram showing an example of the normal-time electromagnetic wave database for each position relative to the test device.
A flowchart showing another example of the flow of the abnormal operation detection process in the verification device.
FIG. 17 is a block diagram showing the processing executed by the control unit of the verification device according to the seventh embodiment.
FIG. 18 is a diagram schematically showing the structure of the classifier of FIG. 17 and the method of training the classifier.
[1. Overview of Verification Method, Verification Device, and Computer Program]
(1) The verification method included in the present embodiment includes a step of receiving side channel information from a test device to which fuzz data has been given, and a step of verifying the operation of the test device based on the received side channel information. Side channel information here has the same meaning as the side channel information acquired for cryptanalysis in the cryptanalysis technique called a side-channel attack. That is, side channel information is information obtained from a channel (side channel) other than the test device's regular data input/output channels. Side channel information is, for example, electromagnetic waves, power consumption, temperature, sound, and the like. Verification of the operation of the test device may be the same as the verification performed in fuzzing, for example verification concerning an unknown vulnerability in the test device. Verification of an unknown vulnerability is, for example, detection of abnormal operation.
Compared with separately providing a verification hardware simulator distinct from the test device, the method of verifying operation based on side channel information avoids the cost increase, and because there is no need to verify that the operation of a hardware simulator is identical to the operation of the test device, the verification work can be simplified.
(2) Preferably, the step of verifying the operation of the test device includes detecting abnormal operation of the test device. Abnormal operation includes operation different from that instructed by the control signal and also, for example, an arithmetic operation that divides by zero, an arithmetic operation that calculates the square root of a negative number, operation accompanying a buffer overflow, and expiration of a watchdog timer. This makes it possible to detect abnormal operation of the test device easily.
(3) Preferably, the detection of abnormal operation is at least one of detection of the presence or absence of abnormal operation and detection of the type of abnormal operation. With this method, at least one of the presence or absence of abnormal operation and the type of abnormal operation can be detected easily.
(4) Preferably, the side channel information is at least one of electromagnetic waves leaking from the operating test device and the power consumption of the test device. With this method, abnormal operation of the test device can be detected with high accuracy by simple equipment, using electromagnetic waves or the power consumption of the test device as the side channel information.
(5) Preferably, the verifying step includes a step of comparing the received side channel information with reference side channel information stored in a database. With this method, abnormal operation can be detected with high accuracy by simple processing.
(6) Preferably, the database stores reference side channel information for at least one of abnormal operation and normal operation, and by comparing, in the comparing step, the received side channel information with the reference side channel information stored in the database, the verifying step detects the presence or absence of abnormal operation in the test device. With this method, the presence or absence of abnormal operation can be detected easily.
(7) Preferably, the database stores side channel information for each type of abnormal operation, and by comparing, in the comparing step, the received side channel information with the reference side channel information for each type of abnormal operation, the verifying step detects the type of abnormal operation in the test device. With this method, the type of abnormal operation can be detected easily.
(8) Preferably, the database stores reference side channel information for each type of test device, and in the comparing step the received side channel information is compared with, among the reference side channel information stored in the database, the reference side channel information corresponding to the type of the test device. The type of the test device may be the product type of the test device or the manufacturer of the test device, but is not limited to these. With this method, abnormal operation can be detected with higher accuracy according to the type of the test device.
(9) Preferably, the side channel information is time-series data, and in the comparing step, a portion of the received side channel information that is less than the whole, namely the information corresponding to a prescribed period within the received side channel information, is compared with the reference side channel information stored in the database. This makes the detection process easier than using the whole of the received side channel information, and limiting the range used for the detection process can improve detection accuracy.
(10) Preferably, the side channel information is information measured from a specific position relative to the test device, the database stores reference side channel information for each position relative to the test device, and in the comparing step the received side channel information is compared with the reference side channel information stored in the database that corresponds to the position, relative to the test device, at which the channel information was received. The position relative to the test device is, for example, the position where the memory of the test device is mounted, the position where the CPU is mounted, and so on. The side channel information measured from a specific position relative to the test device is, for example, leaked electromagnetic waves, power consumption, heat, sound, and the like. This makes it possible to detect, for each position on the test device, abnormal operation of the component mounted at that position.
(11) Preferably, the verifying step includes a step of inputting the received side channel information into a learning model that has been trained to output, when side channel information is input, whether it is side channel information from abnormal operation or side channel information from normal operation, and obtaining its output. With this method, abnormal operation can be detected with high accuracy by simple processing.
(12) Preferably, the learning model includes a first model that classifies the type of operation based on a feature quantity obtained from the side channel information, and a second model that is given the feature quantity and determines from it whether the side channel information is from abnormal operation or from normal operation. The first model is, for example, a one-dimensional convolutional neural network (1D-CNN). The second model is, for example, a classification algorithm such as a One class SVM (Support Vector Machine). The learning model is trained by the learning method known as transfer learning. By using a learning model trained by machine learning in this way, abnormal operation can be detected with high accuracy by simple processing.
(13) Preferably, the detected abnormal operation includes an arithmetic abnormality. An arithmetic abnormality is, for example, an operation that divides by zero, an operation that calculates the square root of a negative number, and the like. With this method, an arithmetic abnormality in the test device is easily detected using the channel information.
(14) Preferably, the test device includes an in-vehicle control device. This allows the operation of an in-vehicle control device to be verified using this verification method.
(15) The verification device included in the present embodiment includes an interface that accepts input of side channel information from a test device to which fuzz data has been given, and a processing unit that verifies the operation of the test device based on the side channel information input via the interface. Because this verification device is a device that employs the verification methods of (1) to (14), it provides the same effects as the verification methods described in (1) to (14).
(16) The computer program included in the present embodiment is a computer program for causing a computer to function as a verification device that verifies the operation of a test device, the program causing the computer to function as an input unit that accepts input of side channel information from a test device to which fuzz data has been given, and as a processing unit that verifies the operation of the test device based on the side channel information input via the input unit. Because this computer program causes a computer to execute the verification methods of (1) to (14), it provides the same effects as the verification methods described in (1) to (14).
(16) The verification system included in the present embodiment includes a measurement device that measures side channel information from a test device to which fuzz data has been given, and a verification device that verifies the operation of the test device based on the side channel information input from the measurement device. Because this verification system is a system that executes the verification methods of (1) to (14), it provides the same effects as the verification methods described in (1) to (14).
[2. Example of Verification Method, Verification Device, and Computer Program]
[First Embodiment]
<System configuration>
FIG. 1 is a diagram showing an example of the configuration of the verification system 100 according to the present embodiment. Referring to FIG. 1, the verification system 100 includes a verification device 1 that executes a fuzz test, an input device 3 capable of inputting a control signal, which is fuzz data, to a test device D, and a probe for measuring electromagnetic waves (hereinafter, probe) 5, electromagnetic waves being an example of side channel information from the test device.
The verification device 1 verifies the operation of the test device D by executing a fuzz test. Verification of the operation of the test device D includes detecting abnormal operation in the test device D. Abnormal operation is, for example, operation other than the operation specified for the input control signal. The test device D may be any device that accepts input of a control signal, which is fuzz data, from outside and executes the operation specified for the input control signal. Preferably, the test device D is a device that has no function, such as a display, for outputting the result of that operation. Also preferably, the test device D is, for example, a device that is mounted in another device and operates infrequently within that other device. The other device is, for example, a vehicle, and the test device D is, for example, an ECU (Electronic Control Unit), which is an in-vehicle control device. In the following description, the test device D is assumed to be an ECU.
The ECU is connected to an in-vehicle network that adopts a communication standard such as CAN (Controller Area Network), LIN (Local Interconnect Network), Ethernet (registered trademark), or MOST (Media Oriented System Transport; MOST is a registered trademark), and executes the specified operation in accordance with a control signal (in the case of CAN, a CAN message or communication frame) input via the in-vehicle network.
The input device 3 is connected to the test device D by wire or wirelessly and can, as an example, input to the ECU a CAN message, which is a control signal conforming to the CAN communication standard. The input device 3 may be a device independent of the verification device 1 or may be included in the verification device 1. In the following description, the input device 3 is assumed to be a device independent of the verification device 1 and communicably connected to it. The input device 3 inputs a control frame to the ECU in accordance with the CAN message from the verification device 1.
The probe 5 is an example of a measurement device that acquires side channel information, which is information indicating the operating state, from the test device D either without contacting the test device D or by being connected to the test device D by wire or wirelessly. The probe 5 receives electromagnetic waves leaking from the test device D, which are an example of side channel information. The probe 5 can communicate with the verification device 1 by wire or wirelessly, and inputs a signal indicating the received electromagnetic waves to the verification device 1.
The verification device 1 consists of a general-purpose PC (personal computer) or the like. Using the signal input from the probe 5, it executes an abnormal operation detection process for detecting the presence or absence of abnormal operation of the ECU that is the test device D.
FIG. 2 is a diagram for explaining the configuration of the verification device 1. Referring to FIG. 2, the verification device 1 includes a control unit 11, a storage unit 12, a communication unit 13, a probe interface (I/F) 14, and a communication unit 13.
The control unit 11 includes a CPU (Central Processing Unit). The CPU of the control unit 11 includes one or more large-scale integrated circuits (LSIs). In a CPU that includes multiple LSIs, the LSIs cooperate to realize the functions of the CPU.
The CPU of the control unit 11 can read an application consisting of one or more programs stored in the storage unit 12 and execute various processes. The application can be transferred recorded on a recording medium such as a CD-ROM or DVD-ROM, or by download from a computer device such as a server computer.
The storage unit 12 includes a non-volatile memory element such as a flash memory, an EEPROM (Electrically Erasable Programmable Read Only Memory), or a ROM, and a volatile memory element such as a RAM (Random Access Memory). The non-volatile memory element has a storage area for storing the application and data needed to execute the application. The volatile memory element has a storage area for storing an update program and the like, described later. The storage unit 12 also stores a database 121. The database 121 stores the reference electromagnetic wave waveforms used in the detection process.
Under the control of the control unit 11 executing the application, the communication unit 13 communicates with the input device 3 and instructs the input device 3 to input a control signal to the test device D.
The probe I/F 14 accepts the signal transmitted from the probe 5 to the verification device 1. The signal received by the probe I/F 14 is converted into a digital signal by the AD converter 16 and input to the control unit 11. The probe I/F 14 and the AD converter 16 can also be replaced by connecting a commercially available oscilloscope to the verification device 1.
<Verification method>
FIG. 1 further shows a method for detecting abnormal operation in the test device D, which is an example of a verification method in the verification system 100. As an example, abnormal operation in the test device D is detected based on the electromagnetic waves leaking from the test device D while it operates in response to the input control signal.
In detail, referring to FIG. 1, the input device 3, under the control of the verification device 1, inputs a communication frame F, which is a control signal, to the ECU that is the test device D (step S1). The ECU executes the operation instructed by the input communication frame F.
While the ECU is operating, the probe 5 is brought close to the ECU, to within the range in which electromagnetic waves leaking from the ECU can be received. Conversely, the probe 5 may be fixed and the ECU that is the test device D may be placed, relative to the probe 5, within the range in which the leaking electromagnetic waves can be received. For example, the probe 5 may be plate-shaped and the test device D placed on the plate-shaped probe 5.
The probe 5 receives the electromagnetic waves leaking from the ECU (step S2). A signal indicating the received electromagnetic waves is input from the probe 5 to the verification device 1. The verification device 1 detects abnormal operation of the ECU by executing the abnormal operation detection process using the signal indicating the electromagnetic waves input from the probe 5 (step S3). The detection result is reported to the user, for example by being displayed on the display unit 15 of the verification device 1.
<Abnormal operation detection process>
The application stored in the storage unit 12 of the verification device 1 is a program that causes the control unit 11 to execute a process of detecting abnormal operation in the test device D using the signal indicating the electromagnetic waves input from the probe 5.
FIG. 3 is a block diagram showing the abnormal operation detection process executed by the control unit 11. Referring to FIG. 3, the abnormal operation detection process includes a reading process 111, a detection process 112, and a display process 114.
The reading process 111 is a process in which the control unit 11 reads a reference electromagnetic wave waveform from the database 121. Preferably, in the reading process 111, the control unit 11 reads the reference electromagnetic wave waveform according to attributes such as the type and manufacturer of the ECU serving as the test device D. Also preferably, in the reading process 111, the control unit 11 reads the reference electromagnetic wave waveform according to the control signal input from the input device 3 to the test device D.
FIG. 4 is a diagram showing a specific example of a normal-time electromagnetic wave database 121A, which is an example of the database 121 stored in the storage unit 12 in the present embodiment. Referring to FIG. 4, the normal-time electromagnetic wave database 121A stores, for each CAN message input from the input device 3 to the ECU that is the test device D, the waveform of the electromagnetic waves leaking from an ECU that operated normally in accordance with that CAN message (normal-time electromagnetic wave waveform). In the example of FIG. 4, the electromagnetic wave waveform for each input CAN message is shown for identification numbers 1 to 4. The database 121 can store electromagnetic wave waveforms for CAN messages on which the ECU performs some operation (normal CAN messages) and electromagnetic wave waveforms for CAN messages on which the ECU does not, by design, operate (other CAN messages). For example, in the example of FIG. 4, the three messages "AAABBBCC", "DDDEEEFF", and "GGGHHHII" are categorized and registered as normal CAN data, and "JJJKKKLL" is categorized and registered as an other CAN message.
The detection process 112 is a process for detecting abnormal operation of the ECU. The detection process 112 includes a comparison process 113, and the control unit 11 executes the comparison process 113 within the detection process 112. The comparison process 113 is a process of comparing the reference electromagnetic wave waveform read from the database 121 by the reading process 111 with the electromagnetic wave waveform indicated by the signal input from the probe 5 (hereinafter also called the measured waveform).
 比較処理113では、一般的なパターンマッチングの手法が採用され得る。一例として、比較処理113において制御部11は、基準電磁波波形と測定波形との相関係数を算出する。相関係数が閾値以上であることは、測定波形が基準電磁波波形と一致していることを意味する。逆に、相関係数が閾値未満であることは、測定波形が基準電磁波波形と一致していないことを意味する。 In the comparison process 113, a general pattern matching method may be employed. As an example, in the comparison process 113, the control unit 11 calculates a correlation coefficient between the reference electromagnetic wave waveform and the measurement waveform. That the correlation coefficient is equal to or greater than the threshold means that the measured waveform matches the reference electromagnetic wave waveform. Conversely, a correlation coefficient less than the threshold means that the measured waveform does not match the reference electromagnetic wave waveform.
In the present embodiment, the reference electromagnetic wave waveform is the normal-time electromagnetic wave waveform, so comparing the correlation coefficient with the threshold detects whether or not the measured waveform matches the normal-time electromagnetic wave waveform. A measured waveform that matches the normal-time electromagnetic wave waveform means that the ECU that is the test device D is operating normally, that is, that no abnormal operation has occurred. A measured waveform that does not match the normal-time electromagnetic wave waveform means that the ECU is not operating normally, that is, that abnormal operation has occurred. The comparison process 113 in the first embodiment is therefore a process for determining the presence or absence of abnormal operation in the test device D.
The display process 114 is a process for displaying the detection result of the detection process 112 on the display unit 15. In the present embodiment, the detection process 112 detects the presence or absence of abnormal operation in the test device D, so the display process displays on the display unit 15 the detection result for at least one of the presence and the absence of abnormal operation.
<Processing flow>
FIG. 5 is a flowchart showing an example of the flow of the abnormal operation detection process executed by the control unit 11 in the present embodiment. Referring to FIG. 5, the control unit 11 first receives input of a signal indicating an electromagnetic wave from the probe 5 (step S101). The electromagnetic wave waveform that is the measured waveform (waveform A) is identified from the input signal.
Next, the control unit 11 reads the applicable normal-time electromagnetic wave waveform (waveform B) from the normal-time electromagnetic wave database 121A as the reference electromagnetic wave waveform (step S103). In step S103, the normal-time electromagnetic wave waveform corresponding to the CAN message input from the input device 3 to the test device D is read.
The control unit 11 determines the presence or absence of abnormal operation in the test device D by comparing waveforms A and B (step S105). That is, when waveform A, the measured waveform, matches waveform B, the reference electromagnetic wave waveform (YES in step S107), the control unit 11 displays on the display unit 15, as the detection result for abnormal operation of the test device D, a message representing "normal", indicating that no abnormal operation was detected (step S109).
When waveforms A and B do not match (NO in step S107), the control unit 11 displays on the display unit 15, as the detection result for abnormal operation of the test device D, a message representing "abnormal", indicating that abnormal operation was detected (step S111).
<Effect of Embodiment>
In the verification system 100, the operation of the test device D is captured by means of electromagnetic waves. Therefore, even if the test device D is a device that, like an ECU, produces no output as a result of its operation, or a device that has no function for producing such output, its operation can be detected easily without requiring a hardware simulator separate from the test device D. This simplifies the device configuration and suppresses cost increases. In addition, because there is no need to verify that the test device D and a hardware simulator behave identically, the detection work can be simplified.
Further, in the verification system 100 according to the present embodiment, the presence or absence of abnormal operation of the test device D is detected by comparing the detected electromagnetic wave waveform with the normal-time electromagnetic wave waveform, so the presence or absence of abnormal operation of the test device D can be detected easily and with high accuracy.
In the first embodiment, the database 121 may store abnormal-time electromagnetic wave waveforms instead of normal-time electromagnetic wave waveforms. In this case, the control unit 11 of the verification device 1 detects abnormal operation by the reverse of the detection method described above. That is, the control unit 11 detects abnormal operation when the electromagnetic wave waveform measured from the test device D and input from the probe 5 contains a waveform that matches the abnormal-time electromagnetic wave waveform serving as the reference electromagnetic wave waveform, and when it does not contain such a waveform, the control unit 11 does not detect abnormal operation, that is, it detects normal operation. In other words, verification of the operation of the test device D may consist of detecting normal operation of the test device D. The database 121 thus stores the normal-time electromagnetic wave waveform, the abnormal-time electromagnetic wave waveform, or both as the reference electromagnetic wave waveform, and by comparing the measured electromagnetic wave waveform with the reference electromagnetic wave waveform, the control unit 11 can, as verification of the operation of the test device D, detect the presence or absence of abnormal operation and/or the presence or absence of normal operation easily and with high accuracy. When abnormal-time electromagnetic wave waveforms are stored in the database 121, the entries need not be categorized into normal CAN messages and other CAN messages.
[Second Embodiment]
Verification of the operation of the test device D is not limited to detecting the presence or absence of abnormal operation and/or the presence or absence of normal operation. Verification of the operation of the test device D may be detection of the type of abnormal operation. In this case, the database 121 stored in the storage unit 12 is an abnormal-time electromagnetic wave database 121B as shown in FIG. 6. FIG. 6 shows another example of the database 121 stored in the storage unit 12 and is a diagram showing a specific example of the abnormal-time electromagnetic wave database 121B.
Referring to FIG. 6, the abnormal-time electromagnetic wave database 121B stores, for each type of abnormality, the electromagnetic wave waveform that leaks from the ECU when that abnormality occurs (abnormal-time electromagnetic wave waveform). In the example of FIG. 6, electromagnetic wave waveforms are stored for each of the following: an error caused by an operation that divides by zero (division by zero), an error caused by calculating the square root of a negative number (square root of a negative number), an error caused by a buffer overflow (buffer overflow), and expiration of the watchdog timer. The timing shown in FIG. 6 is not used in the second embodiment and is described in the fourth embodiment below.
FIG. 7 is a flowchart showing an example of the flow of the abnormal operation detection process executed by the control unit 11 in the present embodiment. Referring to FIG. 7, the control unit 11 first receives input of a signal indicating an electromagnetic wave from the probe 5 (step S201). The electromagnetic wave waveform that is the measured waveform (waveform A) is identified from the input signal.
Next, the control unit 11 reads each abnormal-time electromagnetic wave waveform (waveform B) stored in the abnormal-time electromagnetic wave database 121B (step S203) and pattern-matches the electromagnetic wave waveform input in step S201 (waveform A) against each abnormal-time electromagnetic wave waveform (waveform B), thereby identifying the abnormal-time electromagnetic wave waveform that matches waveform A (step S205). In other words, it identifies the applicable type of abnormality.
When no abnormal-time electromagnetic wave waveform matches the electromagnetic wave waveform input in step S201 (waveform A) (NO in step S207), the control unit 11 displays on the display unit 15, as the detection result for abnormal operation of the test device D, a message indicating that the abnormal operation is an "abnormality not present in the database" (step S209). In step S209, a normal message indicating that no abnormal operation was detected may be output instead.
On the other hand, when there is an abnormal-time electromagnetic wave waveform that matches waveform A (YES in step S207), the control unit 11 displays on the display unit 15, as the detection result for abnormal operation of the test device D, a message indicating the type of abnormality corresponding to that abnormal-time electromagnetic wave waveform (step S211).
<Effect of Embodiment>
In the verification system 100 according to the present embodiment, the type of abnormal operation of the test device D is detected by comparing the detected electromagnetic wave waveform with the abnormal-time electromagnetic wave waveforms, so the type of abnormal operation of the test device D can be detected easily and with high accuracy.
[Third Embodiment]
By storing in the database 121 in advance detailed electromagnetic wave waveforms corresponding to the type of test device, the presence or absence of abnormal operation and/or the type of abnormal operation can be detected in more detail. For example, the reference electromagnetic wave waveforms stored in the abnormal-time electromagnetic wave database 121B may be electromagnetic wave waveforms for each type of abnormality, for each ECU type or manufacturer. This is because the way an abnormality occurs may differ between ECU types and manufacturers, and the electromagnetic wave waveform may differ even for the same type of abnormality.
FIG. 8 shows another example of the database 121 stored in the storage unit 12 and is a diagram showing a specific example of an abnormal-time electromagnetic wave database 121C. Referring to FIG. 8, the abnormal-time electromagnetic wave database 121C stores, for each attribute (manufacturer) of the ECU that is the test device D and each CAN message input to the ECU from the input device 3, the cause (type) of the abnormal operation assumed when that CAN message is input and the corresponding determination result (NG). In the example of FIG. 8, identification numbers 1 and 2 show, for an ECU manufactured by company A, the electromagnetic wave waveform for each input CAN message, the type of abnormal operation occurring when that electromagnetic wave waveform is produced, and that the determination result in each case is NG.
FIG. 9 is a flowchart showing an example of the flow of the abnormal operation detection process executed by the control unit 11 in the present embodiment. Referring to FIG. 9, the control unit 11 first receives input of a signal indicating an electromagnetic wave from the probe 5 (step S301). The electromagnetic wave waveform that is the measured waveform (waveform A) is identified from the input signal.
Next, the control unit 11 reads from the abnormal-time electromagnetic wave database 121C, as the reference electromagnetic wave waveform, the abnormal-time electromagnetic wave waveform (waveform B) corresponding to the type of the test device (step S303). The type of the test device is specified, for example, by user input to the control unit 11. In step S303, the abnormal-time electromagnetic wave waveform that is stored as the abnormal waveform assumed on input of the CAN message, corresponding to the CAN message input from the input device 3 to the test device D, is read. More than one abnormal-time electromagnetic wave waveform may be read here.
The control unit 11 determines the presence or absence of the assumed abnormal operation in the test device D by comparing waveforms A and B (step S305). That is, when waveform A, the measured waveform, matches waveform B, the reference electromagnetic wave waveform (YES in step S307), the control unit 11 displays on the display unit 15, as the detection result for abnormal operation of the test device D, a message representing "abnormal", indicating that abnormal operation was detected (step S309).
As described above, when a plurality of abnormal-time electromagnetic wave waveforms corresponding to the CAN message input to the test device D are read in step S303, the control unit 11 in step S305 pattern-matches the electromagnetic wave waveform (waveform A) against each abnormal-time electromagnetic wave waveform, thereby identifying the abnormal-time electromagnetic wave waveform that matches waveform A. In other words, it identifies the applicable type of abnormality from among the plurality of assumed types. In this case, when there is an abnormal-time electromagnetic wave waveform that matches the electromagnetic wave waveform input in step S301 (waveform A) (YES in step S307), the control unit 11 displays on the display unit 15, as the detection result for abnormal operation of the test device D, a message indicating the type of abnormality corresponding to that abnormal-time electromagnetic wave waveform (step S309).
On the other hand, when no abnormal-time electromagnetic wave waveform matches waveform A (NO in step S307), the control unit 11 displays on the display unit 15, as the detection result for abnormal operation of the test device D, a message indicating that the abnormal operation is an "abnormality not present in the database" (step S311). In step S311, a normal message indicating that no abnormal operation was detected may be output instead.
<Effect of Embodiment>
In the verification system 100 according to the present embodiment, electromagnetic wave waveforms corresponding to the types of abnormal operation assumed for each input control signal are prepared in advance, so the type of abnormal operation of the test device D can be detected in more detail by comparing the detected electromagnetic wave waveform with the prepared electromagnetic wave waveforms.
In the above example, abnormal-time electromagnetic wave waveforms for each type of test device D are stored in the database 121, but in combination with the first embodiment, normal-time electromagnetic wave waveforms for each type of test device D may be stored in the database 121. In this case, the presence or absence of abnormal operation can be detected with high accuracy according to the type of the test device D.
[Fourth Embodiment]
As shown in FIG. 6, the database 121 may further store information that defines the timing of the comparison. For example, in FIG. 6 the abnormal-time electromagnetic wave waveform database 121B stores information that defines the timing at which the comparison with each abnormal-time electromagnetic wave waveform is made. The comparison timing is, for example, the elapsed time from input of the control signal, or the elapsed time from the point at which a specified feature point is detected in the electromagnetic wave waveform input from the probe 5. The information defining the comparison timing may be stored in a database different from the database 121.
The time from input of the control signal until the operation according to the control signal (for example, a division) starts is determined by the software of the test device D. It is therefore a time that the software designer knows in advance. The comparison timing defined by the information stored in the database 121 is a timing based on this time. For example, the comparison timing is the point at which this time has elapsed since input of the control signal, or the point at which a time shorter than this time by a predetermined period has elapsed since input of the control signal. In the former case, the comparison timing is the timing at which the operation according to the control signal starts. In the latter case, the comparison timing is slightly before the operation according to the control signal starts.
Because the above timing is defined as the comparison timing, the control unit 11 of the verification device 1 in the present embodiment can determine the presence or absence of abnormal operation and/or the type of abnormal operation solely by comparing the electromagnetic wave waveform obtained from the signal at the defined timing among the signals input from the probe 5, that is, the portion of the electromagnetic wave waveform measured from the test device D at the position defined in the database 121, with the waveform stored in the database 121.
This makes it possible to determine the presence or absence of abnormal operation and/or the type of abnormal operation with higher accuracy than matching the whole of the measured electromagnetic wave waveform against the reference electromagnetic wave waveform, while also reducing the amount of processing and enabling high-speed processing.
The control unit 11 of the verification device 1 can also determine the presence or absence of abnormal operation and/or the type of abnormal operation by determining whether or not the position at which a waveform matching the reference electromagnetic wave waveform appears, within the electromagnetic wave waveform input from the probe 5, is the defined position. In this case, a database storing the reference electromagnetic wave waveform used for the comparison process (the normal-time electromagnetic wave waveform database 121A, or the abnormal-time electromagnetic wave waveform databases 121B and 121C) may be prepared for each position in the electromagnetic wave waveform input from the probe 5. The control unit 11 of the verification device 1 then reads, for each position of the electromagnetic wave waveform input from the probe 5 that is used for the comparison process, the reference electromagnetic wave waveform from the corresponding database and uses it for the comparison process.
As a result, even for a test device that outputs the same electromagnetic wave waveform for different abnormal operations, the abnormal operation of the test device can be detected with high accuracy when the timing at which that electromagnetic wave waveform is output differs depending on the abnormal operation.
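The correlation-and-threshold comparison of the first embodiment, the type lookup of the second embodiment and the comparison-timing rule of the fourth embodiment can be sketched together as follows. This is an added example, not code from the publication; the threshold value 0.9, the sample waveforms, the offsets and all function names are constructed assumptions.

```python
import math

THRESHOLD = 0.9  # assumed value; the text only says "a threshold"

def pearson(a, b):
    """Correlation coefficient between two equal-length sampled waveforms."""
    if len(a) != len(b) or len(a) < 2:
        raise ValueError("waveforms must have the same length (>= 2 samples)")
    ma, mb = sum(a) / len(a), sum(b) / len(b)
    da = [x - ma for x in a]
    db = [y - mb for y in b]
    denom = math.sqrt(sum(x * x for x in da) * sum(y * y for y in db))
    # A flat trace has no shape to correlate against: treat it as no match.
    return 0.0 if denom == 0 else sum(x * y for x, y in zip(da, db)) / denom

def ripple(n=64):
    """Constructed background emission present in every measurement."""
    return [0.2 * math.sin(math.pi * i / 2) for i in range(n)]

def trace_with_event(template, offset, n=64):
    """Constructed measurement: background plus one event at `offset`."""
    trace = ripple(n)
    for k, v in enumerate(template):
        trace[offset + k] += v
    return trace

# Constructed event shapes (16 samples each).
SPIKE = [0, 2, 6, 10, 6, 2, 0, -2, -6, -10, -6, -2, 0, 0, 0, 0]
RAMP = [0, 1, 2, 3, 4, 5, 6, 7, -7, -6, -5, -4, -3, -2, -1, 0]

# Stand-in for database 121A: one normal-time waveform per CAN message.
NORMAL_DB = {
    "AAABBBCC": [math.sin(2 * math.pi * 3 * i / 64) for i in range(64)],
    "DDDEEEFF": [math.sin(2 * math.pi * 5 * i / 64) for i in range(64)],
}

# Stand-in for database 121B with comparison timing (sample offset).
# Two types share the same shape and differ only in timing.
ABNORMAL_DB = [
    {"type": "division by zero", "offset": 16, "waveform": SPIKE},
    {"type": "square root of a negative number", "offset": 40, "waveform": SPIKE},
    {"type": "buffer overflow", "offset": 16, "waveform": RAMP},
]

def check_normal(can_message, measured, threshold=THRESHOLD):
    """First embodiment: steps S103 to S111."""
    reference = NORMAL_DB.get(can_message)
    if reference is None:
        return "no reference"
    return "normal" if pearson(measured, reference) >= threshold else "abnormal"

def classify_abnormal(measured, threshold=THRESHOLD):
    """Second and fourth embodiments: compare only the window at each
    entry's defined position; None means 'not present in the database'."""
    best_type, best_r = None, threshold
    for entry in ABNORMAL_DB:
        start, ref = entry["offset"], entry["waveform"]
        window = measured[start:start + len(ref)]
        if len(window) != len(ref):
            continue  # trace too short to contain this comparison position
        r = pearson(window, ref)
        if r >= best_r:
            best_type, best_r = entry["type"], r
    return best_type

if __name__ == "__main__":
    good = [r + n for r, n in zip(NORMAL_DB["AAABBBCC"], ripple())]
    print(check_normal("AAABBBCC", good))
    print(classify_abnormal(trace_with_event(SPIKE, 40)))
    print(classify_abnormal(trace_with_event(SPIKE, 28)))
```

The same spike shape is reported as a different type at offset 16 than at offset 40, and as not present in the database at offset 28, which is the timing-based distinction the fourth embodiment describes.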
[Fifth Embodiment]
Side channel information is not limited to electromagnetic waves. As another example, it may be the power consumption of the test device D. In this case, the verification system 100 includes, in place of the probe 5, a measuring device for measuring the current value. The measuring device is, for example, a device that can be inserted into the power supply line of the test device D and can measure the current value by detecting the voltage difference across a small resistance.
In this case, the database 121 stores, as a reference, the change in power consumption per unit time of the test device D during operation. The control unit 11 of the verification device 1 multiplies the current value obtained from the measuring device by a voltage value acquired in advance to calculate the change in power consumption per unit time in the test device D. The control unit 11 detects the presence or absence of abnormal operation, or the type of abnormal operation, by comparing the calculated change in power consumption with the reference stored in the database 121 (the reference change in current value against the measured change in current value).
From the above, the side channel information is at least one of the electromagnetic waves leaking from the test device D and the power consumption of the test device D. Alternatively, the side channel information may be something other than electromagnetic waves and power consumption. Further examples of side channel information include heat (temperature) and sound (frequency, volume) emitted while the test device D is operating.
In the verification system 100, the side channel information is not limited to electromagnetic waves, and the operation can be captured by other information. This makes it possible to detect abnormal operation of the test device D with high accuracy using simple equipment.
[Sixth Embodiment]
More specifically, the leaked electromagnetic wave waveform differs for each component (memory, CPU, etc.) mounted on the test device D. The same applies to the power consumption, heat, sound, and so on described in the fifth embodiment. Therefore, the probe 5 is preferably placed at a position corresponding to the component of the test device D whose abnormal operation is to be detected.
FIG. 14 is a diagram for explaining an example of the placement of the probe 5. Referring to FIG. 14, the test device D includes, as an example, a CPU 51, a memory 52, and an interface (I/F) 53. FIG. 14 illustrates a configuration in which the chips of the CPU 51, the memory 52, and the I/F 53 are each placed on one substrate. In the example of FIG. 14, when coordinates are set with the substrate surface as the XY plane, the CPU 51 is placed in the second quadrant, the memory 52 in the third quadrant, and the I/F 53 in the fourth quadrant.
To detect the presence or absence of abnormal operation of the CPU 51 of the test device D, the probe 5 is placed at position 5A in the second quadrant to receive the leaking electromagnetic waves. To detect the presence or absence of abnormal operation of the memory 52, the probe 5 is placed at position 5B in the third quadrant to receive the leaking electromagnetic waves. To detect the presence or absence of abnormal operation of the I/F 53, the probe 5 is placed at position 5C in the fourth quadrant to receive the leaking electromagnetic waves.
In this case, the database 121 stores reference electromagnetic wave waveforms corresponding to the component whose abnormal operation is to be detected. Alternatively, a separate database storing reference electromagnetic wave waveforms may be prepared for each component whose abnormal operation is to be detected. FIG. 15 shows another example of the database 121 stored in the storage unit 12 and is a diagram showing an example of a normal-time electromagnetic wave database 121D for each position relative to the test device D. Referring to FIG. 15, the normal-time electromagnetic wave database 121D stores, for each position corresponding to a component of the test device D whose abnormal operation is to be detected, the electromagnetic wave waveform that leaks from that component when it operates normally (normal-time electromagnetic wave waveform). In the example of FIG. 15, normal-time electromagnetic wave waveforms are stored for the CPU 51, the memory 52, and the I/F 53. The specific electromagnetic wave waveforms are omitted from the illustration in FIG. 15.
FIG. 16 is a flowchart showing an example of the flow of the abnormal operation detection process executed by the control unit 11 in the present embodiment. Referring to FIG. 16, the control unit 11 first accepts selection of a position (for example, one of the first to fourth quadrants) corresponding to the component of the test device D whose abnormal operation is to be detected (step S400). In step S400, user input from an input device (not shown) may be accepted. When a detector (not shown) capable of detecting the position of the probe 5 is connected to the verification device 1, step S400 may instead accept input of the detection result for the position of the probe 5 (for example, one of positions 5A to 5C) from the detector.
After the position is selected in step S400, the same processing as steps S101 to S111 of FIG. 5 is performed. That is, the control unit 11 receives input of a signal indicating an electromagnetic wave from the probe 5 (step S401) and compares the input electromagnetic wave waveform with the reference electromagnetic wave waveform stored in the normal-time electromagnetic wave database 121D (steps S403, S405). In the present embodiment, in step S403 the control unit 11 reads from the normal-time electromagnetic wave database 121D the reference electromagnetic wave waveform corresponding to the selected position. The control unit 11 outputs "normal" when the input electromagnetic wave waveform matches the reference electromagnetic wave waveform and "abnormal" when it does not (steps S407 to S411).
 なお、図15および図16は、基準電磁波波形が正常時電磁波波形である場合の例である。基準電磁波波形は異常時電磁波波形であってもよい。この場合、第2の実施の形態、又は、第3の実施の形態と同様に、入力された電磁波波形と、選択された位置に応じた基準電磁波波形とが一致した場合に「異常」が出力される。 15 and 16 are examples in the case where the reference electromagnetic wave waveform is a normal electromagnetic wave waveform. The reference electromagnetic wave waveform may be an abnormal electromagnetic wave waveform. In this case, as in the second embodiment or the third embodiment, “abnormal” is output when the input electromagnetic wave waveform matches the reference electromagnetic wave waveform corresponding to the selected position. Is done.
 以上の例では、サイドチャネル情報として電磁波を測定する場合について説明しているが、サイドチャネル情報が消費電力量、熱、音、などであっても同様である。なお、サイドチャネル情報が電磁波又は熱などである場合、図14に示されたような1つの基板上に複数チップが配置される構成の他、CPU51、メモリ52、及び、I/F53などが1つのチップで構成される場合であっても、位置ごとにサイドチャネル情報を測定することができる。従って、テストデバイスDの構成は図14の構成には限定されない。 In the above example, the case where electromagnetic waves are measured as side channel information has been described, but the same applies to cases where the side channel information includes power consumption, heat, sound, and the like. When the side channel information is electromagnetic waves or heat, the CPU 51, the memory 52, the I / F 53, etc. are 1 in addition to the configuration in which a plurality of chips are arranged on one substrate as shown in FIG. Even in the case of a single chip, side channel information can be measured for each position. Therefore, the configuration of the test device D is not limited to the configuration of FIG.
 本実施の形態にかかる検証システム100では、テストデバイスDのうちの異常動作の有無を検出する装置に応じた位置から検出されたサイドチャネル情報を用いることによって、より高精度で、より詳細に、テストデバイスDの異常動作を検出することが可能になる。 In the verification system 100 according to the present embodiment, by using the side channel information detected from the position corresponding to the apparatus that detects the presence or absence of abnormal operation in the test device D, it is more accurate and more detailed. An abnormal operation of the test device D can be detected.
 [Seventh Embodiment]
 FIG. 17 is a block diagram showing the abnormal operation detection process executed by control unit 11 of verification device 1 according to the seventh embodiment. Referring to FIG. 17, in verification device 1 according to the seventh embodiment, detection process 112 includes determination process 116 in place of comparison process 113 shown in FIG. 3. Determination process 116 uses classifier 122 to determine whether a measured waveform is a normal-operation electromagnetic waveform or an abnormal-operation electromagnetic waveform.
 Classifier 122 is stored in storage unit 12 of verification device 1 according to the seventh embodiment. Classifier 122 is a learning model trained so that, given an electromagnetic waveform, it outputs whether the waveform is a normal-operation electromagnetic waveform or an abnormal-operation electromagnetic waveform. As shown in FIG. 17, classifier 122 includes first model 122A and second model 122B.
 First model 122A is trained using normal-operation electromagnetic waveforms for a plurality of CAN messages. It is a learning model machine-learned so that, given an electromagnetic waveform, it outputs information indicating the CAN message corresponding to that waveform. FIG. 18 schematically shows the structure of classifier 122. In the example of FIG. 18, first model 122A is a one-dimensional convolutional neural network (1D-CNN). First model 122A may be another deep learning model obtained by performing deep learning using a plurality of the above combinations.
 Referring to FIG. 18, first model 122A includes input layer 61, which accepts input of an electromagnetic waveform, convolution layer 62, pooling layer 63, fully connected layer 64, and output layer 65.
 Convolution layer 62 filters the input electromagnetic waveform to extract feature quantities. Pooling layer 63 aggregates the feature quantities obtained by convolution layer 62. Fully connected layer 64 combines the aggregation results from pooling layer 63. Output layer 65 outputs, based on the combination result from fully connected layer 64, information indicating the corresponding CAN message as the classification result.
 For each CAN message, a plurality of normal-operation electromagnetic waveforms corresponding to that CAN message are given to first model 122A as input values for training. Specifically, referring to FIG. 18, each of CAN messages M1 to M4 is input to the ECU serving as test device D (step S501). Messages M1 to M4 are CAN messages that instruct operations such as vehicle speed acquisition, engine speed acquisition, and air flow meter value acquisition.
 The normal-operation electromagnetic waveform from test device D is measured when each of CAN messages M1 to M4 is input (step S503). In the example of FIG. 18, normal-operation electromagnetic waveforms a1 to a4 are assumed to have been measured for the input of CAN message M1.
 The normal-operation electromagnetic waveforms a1 to a4 measured for the input of CAN message M1 are used as input values to first model 122A (step S505). First model 122A accepts the normal-operation electromagnetic waveforms a1 to a4 at input layer 61 and, for each input waveform, passes it through the processing of convolution layer 62, pooling layer 63, and fully connected layer 64, then outputs from output layer 65 the probability that it corresponds to each of CAN messages M1 to M4. In the example of FIG. 18, a waveform (for example, normal-operation electromagnetic waveform a1) is input at input layer 61 and classified into the four classes of CAN messages M1 to M4, and the output obtained is a probability of 95% for CAN message M1, 5% for CAN message M2, 3% for CAN message M3, and 2% for CAN message M4.
 Next, the coefficients of the functions used in the computations of layers 62 to 64 are adjusted so as to raise the probability of CAN message M1, which corresponds to the input normal-operation electromagnetic waveform a1 (step S507). In the example of FIG. 18, the weight coefficients in fully connected layer 64, for example, are changed so as to raise the probability (95%) of CAN message M1 that is output from output layer 65 when normal-operation electromagnetic waveform a1 is input at input layer 61.
 First model 122A is trained by performing steps S501 to S507 of FIG. 18, for each of CAN messages M1 to M4, on each combination of the CAN message and a normal-operation electromagnetic waveform measured when that CAN message was input. This improves the accuracy with which an input electromagnetic waveform is classified into the corresponding CAN message.
 Second model 122B is a learning model machine-learned so that, based on the feature quantities of an electromagnetic waveform, it outputs a determination of whether the target waveform is a normal-operation electromagnetic waveform or an abnormal-operation electromagnetic waveform. Second model 122B is a classification algorithm such as a One class SVM (Support Vector Machine). In the example of FIG. 18, second model 122B is a One class SVM. Second model 122B may be another deep learning model obtained by performing deep learning using a plurality of feature quantities obtained from normal-operation electromagnetic waveforms.
 As shown in FIG. 18 as one example, second model 122B is trained by the method known as transfer learning. That is, with the training of first model 122A as the first stage, in the second stage second model 122B is given, as input values, the group of feature quantities that fully connected layer 64 of the trained first model 122A computes from each electromagnetic waveform. Specifically, referring to FIG. 18, the feature quantity F computed in a certain layer of fully connected layer 64 when a certain normal-operation electromagnetic waveform (for example, waveform a1) is input to input layer 61 of the trained first model 122A is given to second model 122B as an input value (step S509). The certain layer of fully connected layer 64 is, for example, the second or third layer from pooling layer 63.
 Second model 122B stores every feature quantity F input to it in step S509 as a normal value obtained from normal-operation electromagnetic waveform a1 of CAN message M1. Second model 122B then sets, for CAN message M1, a boundary enclosing the input feature quantities F as identification boundary B, the boundary between normal and abnormal values of feature quantities derived from measured electromagnetic waveforms (step S511).
 Second model 122B is trained by performing steps S509 and S511 of FIG. 18, for each of CAN messages M1 to M4, on each normal-operation electromagnetic waveform measured when the CAN message was input. This improves the accuracy of the identification boundary B set for each CAN message.
 Classifier 122 may be stored in storage unit 12 in advance. Preferably, control unit 11 further executes learning process 115 for creating classifier 122. Learning process 115 is the processing represented by steps S501 to S511 above. At least part of steps S501 to S511 of learning process 115 may be executed by another device.
 Determination process 116 inputs the measured waveform to the trained classifier 122 and determines from its output value whether the waveform is a normal-operation electromagnetic waveform or an abnormal-operation electromagnetic waveform. That is, when a measured waveform is input to classifier 122, the trained first model 122A computes the feature value and gives it to second model 122B. The trained second model 122B computes the divergence between the feature value and identification boundary B set by training, and based on that divergence outputs information indicating the determination of whether the waveform is a normal-operation or an abnormal-operation electromagnetic waveform. The output information is first written to storage unit 12.
 The divergence may be, for example, data indicating whether the input feature quantity lies inside or outside the range enclosed by identification boundary B. Determination process 116 reads the output value of classifier 122 from storage unit 12 and, based on that value, detects whether the measured waveform is a normal-operation or an abnormal-operation electromagnetic waveform. For example, when the feature quantity lies inside the range enclosed by identification boundary B, the waveform is determined to be a normal-operation electromagnetic waveform, that is, normal operation; when it lies outside that range, it is determined to be an abnormal-operation electromagnetic waveform, that is, abnormal operation. The determination result is first written to storage unit 12.
 Using determination process 116 to detect whether the measured waveform is a normal-operation or an abnormal-operation electromagnetic waveform allows detection with high accuracy even when random noise is contained in the measured waveform or in the reference electromagnetic waveforms used by verification device 1 according to the first to sixth embodiments. Detection with high accuracy is also possible even when the intervals between feature points of the measured waveform stretch or shrink because interrupt processing or the like occurs while the program of the device under verification (for example, an ECU) is running.
 As another example, the machine learning model of classifier 122 may be an autoencoder. An autoencoder is a learning model machine-learned using the feature quantities obtained by compressing an input waveform to a lower dimension and then restoring it, together with the feature quantities of the input waveform; here it is a model trained using normal-operation electromagnetic waveforms. A trained autoencoder outputs a waveform almost identical to the input waveform. Therefore, when a waveform it has not learned, that is, an abnormal-operation electromagnetic waveform rather than a normal-operation one, is given as the input value, a nearly identical waveform is not output. The input is thereby determined to be an abnormal-operation electromagnetic waveform.
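 The two-stage determination of the seventh embodiment, as an added Python sketch that is not the patent's implementation: a fixed convolution and global max pooling feature extractor with a nearest-centroid classifier stands in for the trained 1D-CNN of first model 122A, and a centroid-plus-radius boundary fitted on normal-only features stands in for the One class SVM of second model 122B. The filters, emission shapes, margin, and the choice to apply the boundary of the class picked in stage 1 are assumptions, and all waveforms are constructed.

```python
import math
import random

# Constructed filter bank: stands in for the learned convolution layer 62.
FILTERS = [
    [1, 1, 1, 1, 1, 1],       # sustained level
    [-1, -1, -1, 1, 1, 1],    # rising edge
    [1, -1, 1, -1, 1, -1],    # fast ripple
]

# Constructed emission shapes for three CAN messages (a subset of M1 to M4).
SHAPES = {
    "M1": [4.0] * 12,         # wide pulse
    "M2": [4.0, -4.0] * 6,    # ripple burst
    "M3": [4.0] * 3,          # narrow pulse
}


def make_wave(rng, msg, offset, extra=None, length=64, sigma=0.2):
    """Constructed measurement: noise plus the message's shape at `offset`.
    `extra` is an optional (offset, samples) pair of unexpected activity."""
    wave = [rng.gauss(0.0, sigma) for _ in range(length)]
    parts = [(offset, SHAPES[msg])] + ([extra] if extra else [])
    for start, samples in parts:
        for k, v in enumerate(samples):
            wave[start + k] += v
    return wave


def features(wave):
    """Convolution, ReLU and global max pooling -> feature quantity F.
    Pooling over all positions makes F insensitive to time shifts."""
    feats = []
    for filt in FILTERS:
        n = len(filt)
        best = 0.0  # ReLU floor
        for i in range(len(wave) - n + 1):
            resp = sum(wave[i + j] * filt[j] for j in range(n)) / n
            best = max(best, resp)
        feats.append(best)
    return feats


def distance(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def train(normal_waves, margin=3.0):
    """Fit on normal-operation waveforms only. Per message: the centroid of F
    (used for classification) and a radius that plays the role of
    identification boundary B. `margin` is an assumed safety factor."""
    model = {}
    for msg, waves in normal_waves.items():
        feats = [features(w) for w in waves]
        centroid = [sum(col) / len(col) for col in zip(*feats)]
        radius = margin * max(distance(f, centroid) for f in feats)
        model[msg] = (centroid, radius)
    return model


def judge(model, wave):
    """Stage 1: nearest-centroid message class. Stage 2: inside B or not."""
    f = features(wave)
    msg = min(model, key=lambda m: distance(f, model[m][0]))
    centroid, radius = model[msg]
    verdict = "normal" if distance(f, centroid) <= radius else "abnormal"
    return msg, verdict


def demo(seed=7):
    rng = random.Random(seed)
    normal = {m: [make_wave(rng, m, rng.randint(8, 20)) for _ in range(12)]
              for m in SHAPES}
    model = train(normal)
    # Normal M2 response delayed well beyond any offset seen in training.
    delayed = make_wave(rng, "M2", 40)
    # M1 response followed by an unexpected ripple burst.
    odd = make_wave(rng, "M1", 8, extra=(40, [4.0, -4.0] * 6))
    return judge(model, delayed), judge(model, odd)


if __name__ == "__main__":
    print(demo())
```

 No abnormal waveform is used in training; the delayed M2 trace is still judged normal because the pooled features do not depend on where the response occurs in the trace.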
 [Example 1]
 FIG. 10 shows the measurement results of Example 1, in which the inventors verified the operation of test device D using verification device 1 of the present application. In Example 1, a commercially available head-up display was used as test device D. FIG. 10(A) shows the control signals (CAN messages) input to test device D, and FIG. 10(B) shows the electromagnetic waveform measured from test device D by probe 5. FIG. 11 is an enlarged view of part of FIG. 10 (the dotted-line portion), and FIG. 12 is an enlarged view of part of FIG. 11 (the solid-line portion).
 In the measurement of Example 1, CAN messages F1 to F6, which cause abnormal operation, were input to the head-up display used as test device D. The head-up display used has a vulnerability such that, when these CAN messages F1 to F6 are input, it operates abnormally at the point when CAN message F6 is input.
 FIG. 11 is an enlarged view of the range enclosed by the dotted line in FIG. 10: CAN message F6 and the electromagnetic waveform when CAN message F6 was input. In Example 1, the comparison timing is defined as the point t [us] after the input of CAN message F6. Control unit 11 of verification device 1 therefore compared the electromagnetic waveform in the portion enclosed by the solid line in FIG. 11 (the comparison waveform) with the reference electromagnetic waveform stored in database 121.
 FIG. 12 is an enlarged view of the comparison waveform of FIG. 11. Control unit 11 of verification device 1 compared the comparison waveform with the reference electromagnetic waveform and detected that abnormal waveform AW1 was contained in the comparison waveform.
 The head-up display used as test device D in the measurement of Example 1 terminates abnormally as a result of the abnormal operation. In the measurement of Example 1, however, the abnormal operation was detected from the electromagnetic waveform input from probe 5 before the abnormal termination occurred. It was thus verified that verification device 1 can verify the operation of test device D with high accuracy.
 [Example 2]
 FIG. 13 shows the measurement results of Example 2, in which the inventors verified the operation of test device D using verification device 1 of the present application. In Example 2, an arithmetic device running software was used as test device D, and two control signals were input: one that causes division by a non-zero number (normal division) and one that causes division by zero (zero division). FIGS. 13(A) and 13(B) show the measured electromagnetic waveform of test device D in each case.
 The arithmetic device used as test device D performs division in accordance with the control signal, starting from its idle state (the state in which no division is being executed), and returns to the idle state when the division finishes. In this case, the electromagnetic waveform during division is stored in database 121 as the reference electromagnetic waveform, and control unit 11 of verification device 1 pattern-matches the electromagnetic waveform measured from the input time of the control signal against the reference electromagnetic waveform.
 Referring to FIG. 13(A), during normal division, that is, when test device D is operating normally, electromagnetic waveform W1, which indicates that division is in progress, was detected for period At1 from the input time of the control signal, and after period At1 had elapsed, electromagnetic waveform W2, which indicates the idle state, was detected. Period At1 was 3.5 [μs].
 In contrast, during division by zero, that is, when abnormal operation occurs in test device D, abnormal waveform AW2, which indicates that division is in progress, was detected for period At2 from the input time of the control signal, and after period At2 had elapsed, electromagnetic waveform W2, which indicates the idle state, was detected. Period At2 was 1.0 [μs].
 In Example 2, the electromagnetic waveform indicating that division is in progress continued for period At2, which is shorter than period At1 of a normal division, and electromagnetic waveform W2 was detected afterwards; from this, division by zero in test device D, that is, abnormal operation, was detected. In this way, in Example 2, division by zero in test device D, a specific abnormal operation, was detected using the electromagnetic waveform input from probe 5. It was therefore verified that verification device 1 can verify the operation of test device D according to the position at which an electromagnetic waveform matching the reference electromagnetic waveform appears within the electromagnetic waveform input from probe 5.
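 The duration check of Example 2, as an added Python example that is not code from the patent: the measured trace is pattern-matched against the reference "division in progress" waveform from the control-signal input onward, and the length of the matching run is compared with period At1. The sample interval, the sinusoidal reference shape, the match threshold, and the tolerance are assumptions, and the traces are constructed.

```python
import math
import random

SAMPLE_PERIOD_NS = 50   # assumed sampling interval (20 MS/s)
AT1_NS = 3500           # period At1 from Example 2: 3.5 us for a normal division

# Constructed stand-in for the stored reference waveform ("division in
# progress"): one cycle of a sinusoid, 10 samples long.
REFERENCE = [5.0 * math.sin(2 * math.pi * k / 10) for k in range(10)]


def rms(values):
    return math.sqrt(sum(v * v for v in values) / len(values))


def matches_reference(window, reference, max_ratio=0.5):
    """Match when the residual is small relative to the reference itself.
    An amplitude-aware score keeps low-level idle noise from matching."""
    residual = rms([w - r for w, r in zip(window, reference)])
    return residual / rms(reference) < max_ratio


def busy_duration_ns(trace, reference=REFERENCE):
    """Length of the run, starting at the control-signal input (index 0),
    over which consecutive windows match the reference waveform."""
    n = len(reference)
    matched = 0
    for start in range(0, len(trace) - n + 1, n):
        if not matches_reference(trace[start:start + n], reference):
            break
        matched += 1
    return matched * n * SAMPLE_PERIOD_NS


def verify_division(trace, expected_ns=AT1_NS, tolerance_ns=500):
    """'normal' when the division pattern lasts about At1, else 'abnormal'.
    A run of zero length (pattern never seen) is also reported as abnormal."""
    duration = busy_duration_ns(trace)
    ok = abs(duration - expected_ns) <= tolerance_ns
    return ("normal" if ok else "abnormal"), duration


def constructed_trace(busy_ns, total_ns=6000, sigma=0.3, seed=1):
    """Constructed measurement: the division pattern for `busy_ns`, then the
    idle state, with Gaussian noise on every sample."""
    rng = random.Random(seed)
    busy = busy_ns // SAMPLE_PERIOD_NS
    total = total_ns // SAMPLE_PERIOD_NS
    trace = []
    for i in range(total):
        base = REFERENCE[i % len(REFERENCE)] if i < busy else 0.0
        trace.append(base + rng.gauss(0.0, sigma))
    return trace


if __name__ == "__main__":
    print(verify_division(constructed_trace(3500)))  # normal division
    print(verify_division(constructed_trace(1000)))  # division by zero (At2)
```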
 The present invention is not limited to the above embodiments, and various modifications are possible.
 DESCRIPTION OF SYMBOLS
 1 Verification device
 3 Input device
 5 Probe
 5A, 5B, 5C Probe positions
 11 Control unit
 12 Storage unit
 13 Communication unit
 14 Probe interface
 15 Display unit
 16 AD converter
 51 CPU
 52 Memory
 53 Interface (I/F)
 61 Input layer
 62 Convolution layer
 63 Pooling layer
 64 Fully connected layer
 65 Output layer
 100 Verification system
 111 Read process
 112 Detection process
 113 Comparison process
 114 Display process
 121 Database
 121A Normal-operation electromagnetic wave database
 121B Abnormal-operation electromagnetic wave database
 121C Abnormal-operation electromagnetic wave database
 121D Normal-operation electromagnetic wave database
 122 Classifier
 122A First model
 122B Second model
 At1 Period
 At2 Period
 AW1 Abnormal waveform
 AW2 Abnormal waveform
 a1 to a4 Normal-operation electromagnetic waveforms
 B Identification boundary
 D Test device
 F Feature quantity
 M1 to M4 CAN messages
 F1 to F6 CAN messages
 W1 Electromagnetic waveform
 W2 Electromagnetic waveform

Claims (17)

  1.  ファズデータが与えられたテストデバイスからのサイドチャネル情報を受信するステップと、
     受信された前記サイドチャネル情報に基づいて、前記テストデバイスの動作を検証するステップと、
    を備える、検証方法。
    Receiving side channel information from a test device provided with fuzz data;
    Verifying operation of the test device based on the received side channel information;
    A verification method comprising:
  2.  前記テストデバイスの動作を検証するステップは、前記テストデバイスの異常動作を検出することを含む
     請求項1に記載の検証方法。
    The verification method according to claim 1, wherein the step of verifying the operation of the test device includes detecting an abnormal operation of the test device.
  3.  前記異常動作の検出は、前記異常動作の有無の検出と、前記異常動作の種別の検出と、の少なくとも一方である、
    請求項2に記載の検証方法。
    The detection of the abnormal operation is at least one of detection of the presence or absence of the abnormal operation and detection of the type of the abnormal operation.
    The verification method according to claim 2.
  4.  前記サイドチャネル情報は、前記動作中の前記テストデバイスから漏えいする電磁波と、前記テストデバイスの消費電力と、の少なくも一方である、
    請求項1~請求項3のいずれか一項に記載の検証方法。
    The side channel information is at least one of electromagnetic waves leaking from the operating test device and power consumption of the test device.
    The verification method according to any one of claims 1 to 3.
  5.  前記検証するステップは、受信された前記サイドチャネル情報と、データベースに格納されている基準サイドチャネル情報とを比較するステップを含む、
    請求項1~請求項4のいずれか一項に記載の検証方法。
    The step of verifying comprises comparing the received side channel information with reference side channel information stored in a database;
    The verification method according to any one of claims 1 to 4.
  6.  前記データベースは、異常動作時及び正常動作時のうちの少なくとも一方の基準サイドチャネル情報を格納しており、
     前記比較するステップで、受信された前記サイドチャネル情報と前記データベースに格納されている基準サイドチャネル情報とを比較することによって、前記検証するステップで前記テストデバイスでの異常動作の有無を検出する、
    請求項5に記載の検証方法。
    The database stores reference side channel information of at least one of abnormal operation and normal operation,
    Detecting the presence or absence of abnormal operation in the test device in the verifying step by comparing the received side channel information with the reference side channel information stored in the database in the comparing step;
    The verification method according to claim 5.
  7.  前記データベースは、異常動作の種別ごとの基準サイドチャネル情報を格納しており、
     前記比較するステップで、受信された前記サイドチャネル情報と前記異常動作の種別ごとの基準サイドチャネル情報とを比較することによって、前記検証するステップで前記テストデバイスでの異常動作の種別を検出する、
    請求項5に記載の検証方法。
    The database stores reference side channel information for each type of abnormal operation,
    Detecting the type of abnormal operation in the test device in the verifying step by comparing the received side channel information with the reference side channel information for each type of abnormal operation in the comparing step;
    The verification method according to claim 5.
  8.  前記データベースは、テストデバイスの種別ごとの基準サイドチャネル情報を格納しており、
     前記比較するステップでは、受信された前記サイドチャネル情報と、前記データベースに格納されている基準サイドチャネル情報のうちの前記テストデバイスの種別に応じた基準サイドチャネル情報とを比較する、
    請求項5~請求項7のいずれか一項に記載の検証方法。
    The database stores reference side channel information for each type of test device,
    In the comparing step, the received side channel information is compared with reference side channel information corresponding to a type of the test device among reference side channel information stored in the database.
    The verification method according to any one of claims 5 to 7.
  9.  前記サイドチャネル情報は時系列データであって、
     前記比較するステップでは、受信された前記サイドチャネル情報の全体よりも少ない一部である、前記サイドチャネル情報のうちの規定された期間に応じた情報と、前記データベースに格納されている基準サイドチャネル情報とを比較する、
    請求項5~請求項8のいずれか一項に記載の検証方法。
    The side channel information is time series data,
    In the comparing step, information corresponding to a specified period of the side channel information, which is a part smaller than the whole of the received side channel information, and a reference side channel stored in the database Compare with information,
    The verification method according to any one of claims 5 to 8.
  10.  前記サイドチャネル情報は、前記テストデバイスに対する特定の位置から測定される情報であり、
     前記データベースは、テストデバイスに対する位置ごとに基準サイドチャネル情報を格納しており、
     前記比較するステップでは、受信された前記サイドチャネル情報と、前記データベースに格納されている、前記サイドチャネル情報を受信した前記テストデバイスに対する位置に応じた基準サイドチャネル情報とを比較する、
    請求項5~請求項9のいずれか一項に記載の検証方法。
    The side channel information is information measured from a specific position with respect to the test device,
    The database stores reference side channel information for each position relative to the test device,
    In the comparing step, the received side channel information is compared with reference side channel information according to a position with respect to the test device that has received the side channel information, which is stored in the database.
    The verification method according to any one of claims 5 to 9.
  11.  前記検証するステップは、サイドチャネル情報が入力されると、異常動作時のサイドチャネル情報であるか、正常動作時のサイドチャネル情報であるか、を出力するよう学習された学習モデルに、受信された前記サイドチャネル情報を入力し、その出力を得るステップを含む
    請求項1~請求項4のいずれか一項に記載の検証方法。
    The step of verifying, when side channel information is input, is received by a learning model learned to output whether it is side channel information during abnormal operation or side channel information during normal operation. 5. The verification method according to claim 1, further comprising a step of inputting the side channel information and obtaining an output thereof.
  12.  前記学習モデルは、
     サイドチャネル情報から求められた特徴量に基づいて動作の種類を分類する第1モデルと、
     前記特徴量が与えられ、前記特徴量から、異常動作時のサイドチャネル情報であるか、正常動作時のサイドチャネル情報であるかを判定する第2モデルと、を含む
    請求項11に記載の検証方法。
    The learning model is
    A first model for classifying the type of motion based on the feature amount obtained from the side channel information;
    The verification according to claim 11, further comprising: a second model that is provided with the feature amount, and that determines whether the feature amount is side channel information during abnormal operation or side channel information during normal operation. Method.
  13.  前記異常動作は演算異常を含む、
    請求項1~請求項12のいずれか一項に記載の検証方法。
    The abnormal operation includes calculation abnormality,
    The verification method according to any one of claims 1 to 12.
  14.  前記テストデバイスは、車載制御装置を含む、
    請求項1~請求項13のいずれか一項に記載の検証方法。
    The test device includes an in-vehicle control device,
    The verification method according to any one of claims 1 to 13.
  15.  ファズデータが与えられたテストデバイスからのサイドチャネル情報の入力を受け付けるインタフェースと、
     前記インタフェースを介して入力された前記サイドチャネル情報に基づいて、前記テストデバイスの動作を検証する処理部と、
    を備える、検証装置。
    An interface that accepts input of side channel information from a test device given fuzz data;
    A processing unit for verifying the operation of the test device based on the side channel information input via the interface;
    A verification apparatus comprising:
  16.  A computer program for causing a computer to function as a verification device that verifies the operation of a test device, the computer program causing the computer to function as:
     an input unit that accepts input of side channel information from the test device to which fuzz data has been given; and
     a processing unit that verifies the operation of the test device based on the side channel information input via the input unit.
  17.  A verification system comprising:
     a measuring device that measures side channel information from a test device to which fuzz data has been given; and
     a verification device that verifies the operation of the test device based on the side channel information input from the measuring device.
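
The two-model arrangement of claim 12, applied to traces captured while fuzz data is processed (claims 15 to 17), can be sketched as follows. This is an added illustration, not code from the patent: the claims do not specify the model type, so the features (mean, standard deviation, peak-to-peak), the nearest-centroid first model, the distance-threshold second model, the operation names and all traces are assumptions constructed for the example.

```python
import math
import statistics

def features(trace):
    """Feature amount of one trace: (mean, standard deviation, peak-to-peak)."""
    return (statistics.fmean(trace), statistics.pstdev(trace), max(trace) - min(trace))

class OperationClassifier:
    """First model (assumed form): nearest-centroid classification of the operation type."""
    def fit(self, labelled):
        groups = {}
        for label, trace in labelled:
            groups.setdefault(label, []).append(features(trace))
        self.centroids = {label: tuple(statistics.fmean(col) for col in zip(*feats))
                          for label, feats in groups.items()}
        return self
    def predict(self, feat):
        return min(self.centroids, key=lambda label: math.dist(feat, self.centroids[label]))

class AbnormalityJudge:
    """Second model (assumed form): abnormal if far from every normal-operation centroid."""
    def fit(self, centroids, labelled, margin=3.0):
        self.centroids = centroids
        spread = max(math.dist(features(t), centroids[label]) for label, t in labelled)
        self.radius = margin * spread  # assumed tolerance; tune on real captures
        return self
    def is_abnormal(self, feat):
        return min(math.dist(feat, c) for c in self.centroids.values()) > self.radius

def synth(base, amp, jitter, n=64):
    """Constructed stand-in for a measured trace (e.g. sampled EM amplitude)."""
    return [base + amp * math.sin(2 * math.pi * i / 8) + 0.01 * jitter * ((i * 7) % 5 - 2)
            for i in range(n)]

def verify(cases, clf, judge):
    """Return (fuzz_id, operation type, abnormal?) for the trace of each fuzz input."""
    feats = [(fuzz_id, features(trace)) for fuzz_id, trace in cases]
    return [(fuzz_id, clf.predict(f), judge.is_abnormal(f)) for fuzz_id, f in feats]

# Constructed training set: traces recorded during known-normal operation.
TRAIN = [(op, synth(base, amp, j))
         for op, base, amp in (("idle", 1.0, 0.1), ("frame_processing", 2.0, 0.5))
         for j in (0, 1, 2)]
CLF = OperationClassifier().fit(TRAIN)
JUDGE = AbnormalityJudge().fit(CLF.centroids, TRAIN)
# Constructed traces captured while three fuzz inputs were being processed.
FUZZ_CASES = [("fuzz-001", synth(1.0, 0.1, 0.5)), ("fuzz-002", synth(2.0, 0.5, 1.5)),
              ("fuzz-003", synth(2.6, 0.9, 1.0))]
RESULTS = verify(FUZZ_CASES, CLF, JUDGE)
```

Because the verdict comes from the measured trace rather than from the device's responses, a fuzz input such as the constructed `fuzz-003` is flagged even if the device keeps answering on its normal interface.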
PCT/JP2019/008154 2018-03-02 2019-03-01 Verification method, verification device, computer program, and verification system WO2019168167A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
JP2019572255A JPWO2019168167A1 (en) 2018-03-02 2019-03-01 Verification method, verification device, computer program, and verification system

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2018037058 2018-03-02
JP2018-037058 2018-03-02

Publications (1)

Publication Number Publication Date
WO2019168167A1 (en) 2019-09-06

Family

ID=67805448

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2019/008154 WO2019168167A1 (en) 2018-03-02 2019-03-01 Verification method, verification device, computer program, and verification system

Country Status (2)

Country Link
JP (1) JPWO2019168167A1 (en)
WO (1) WO2019168167A1 (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11546427B2 (en) 2020-08-21 2023-01-03 Geotab Inc. Method and system for collecting manufacturer-specific controller-area network data
US11582060B2 (en) 2020-08-21 2023-02-14 Geotab Inc. Telematics system for identifying manufacturer-specific controller-area network data
US11212135B1 (en) 2020-08-21 2021-12-28 Geotab Inc. System for identifying manufacturer-specific controller-area network data
CN116527796B (en) * 2023-07-04 2024-02-13 北京前景无忧电子科技股份有限公司 Method for carrying out high-precision time service on ammeter based on dual-mode communication

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20160342791A1 (en) * 2015-05-22 2016-11-24 Power Fingerprinting Inc. Systems, methods, and apparatuses for intrusion detection and analytics using power characteristics such as side-channel information collection
JP2017214049A (en) * 2016-05-27 2017-12-07 ローベルト ボッシュ ゲゼルシャフト ミット ベシュレンクテル ハフツング Security inspection system, security inspection method, functional evaluation device and program
US20180011130A1 (en) * 2016-07-06 2018-01-11 Power Fingerprinting Inc. Methods and apparatuses for characteristic management with side-channel signature analysis

Family Cites Families (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPH02219109A (en) * 1989-02-20 1990-08-31 Nippondenso Co Ltd Diagnostic device for electronic control
JP2003150406A (en) * 2001-11-15 2003-05-23 Nec Infrontia Corp Obstacle prevention system in computer system
CN1261319C (en) * 2004-11-11 2006-06-28 北京电巴科技有限公司 Electric public transport system
WO2008120552A1 (en) * 2007-03-29 2008-10-09 Nec Corporation Diagnostic system
JP2010135881A (en) * 2008-12-02 2010-06-17 Nec Corp Device, method and program for evaluating side-channel attack resistance
JP5691723B2 (en) * 2011-03-25 2015-04-01 富士通株式会社 Monitoring method, information processing apparatus, and monitoring program
JP6559600B2 (en) * 2016-03-17 2019-08-14 株式会社東芝 Information processing apparatus, information processing program, and inspection system
US20180013779A1 (en) * 2016-07-06 2018-01-11 Power Fingerprinting Inc. Methods and apparatuses for integrity validation of remote devices using side-channel information in a power signature analysis
JP2019008718A (en) * 2017-06-28 2019-01-17 株式会社東芝 Diagnostic system

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2021089659A1 (en) * 2019-11-06 2021-05-14 Robert Bosch Gmbh Method for determining an inadmissible deviation of the system behavior of a technical device from a standard value range
EP4002768A1 (en) * 2020-11-20 2022-05-25 Institute for Information Industry Fuzz testing apparatus and fuzz testing method
JP2022138170A (en) * 2021-03-10 2022-09-26 矢崎総業株式会社 Evaluation device
JP7289864B2 (en) 2021-03-10 2023-06-12 矢崎総業株式会社 Evaluation device
CN113630235A (en) * 2021-08-06 2021-11-09 深圳技术大学 Method and device for side channel analysis and model construction thereof
CN113630235B (en) * 2021-08-06 2023-07-25 深圳技术大学 Method and device for analyzing side channel and constructing model of side channel

Also Published As

Publication number Publication date
JPWO2019168167A1 (en) 2020-04-16

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19760857

Country of ref document: EP

Kind code of ref document: A1

ENP Entry into the national phase

Ref document number: 2019572255

Country of ref document: JP

Kind code of ref document: A

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 19760857

Country of ref document: EP

Kind code of ref document: A1