WO2020008872A1 - On-board security system and attack dealing method - Google Patents


Info

Publication number
WO2020008872A1
Authority
WO
WIPO (PCT)
Prior art keywords
ecu
electronic control
control device
vehicle
processing
Prior art date
Application number
PCT/JP2019/024208
Other languages
French (fr)
Japanese (ja)
Inventor
伊藤 慎悟
一 芹沢
Original Assignee
日立オートモティブシステムズ株式会社
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 日立オートモティブシステムズ株式会社
Publication of WO2020008872A1

Classifications

    • B PERFORMING OPERATIONS; TRANSPORTING
    • B60 VEHICLES IN GENERAL
    • B60R VEHICLES, VEHICLE FITTINGS, OR VEHICLE PARTS, NOT OTHERWISE PROVIDED FOR
    • B60R16/00 Electric or fluid circuits specially adapted for vehicles and not otherwise provided for; Arrangement of elements of electric or fluid circuits specially adapted for vehicles and not otherwise provided for
    • B60R16/02 Electric or fluid circuits specially adapted for vehicles and not otherwise provided for; Arrangement of elements of electric or fluid circuits specially adapted for vehicles and not otherwise provided for electric constitutive elements
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/07 Responding to the occurrence of a fault, e.g. fault tolerance
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]

Definitions

  • the present invention relates to an in-vehicle security system and an attack countermeasure method capable of coping with security threats such as takeover of an in-vehicle system and impersonation of an external device.
  • ECUs (Electronic Control Units; hereinafter referred to as ECUs)
  • HSM (Hardware Security Module)
  • with an HSM, security functions such as encryption and authentication are implemented in hardware, so the processing load on the ECU can be reduced compared with the case where similar functions are implemented in software.
  • since the security function is implemented in independent hardware separate from the normal system, it is resistant to security threats such as tampering with software, and a more secure function (environment) can be provided to the vehicle-mounted system.
  • Patent Document 1 proposes a technique in which a monitoring ECU provided between in-vehicle networks detects illegal data and executes processing for suppressing the routing of the illegal data. For example, an ECU that monitors communication between the in-vehicle networks is provided and detects illegal data. When illegal data is detected, warning information is transmitted to an ECU on the network as suppression processing, and a message prohibiting the routing of the illegal data is transmitted.
  • Patent Document 2 proposes a technique in which a monitoring device called a verification center monitors an in-vehicle network, and detects tampering of a message or spoofing of an ECU by using an electronic signature as a verification message.
  • the message ID is an ID for identifying the type of the message.
  • an abnormality cannot be detected unless the data itself is in an incorrect state, even when the ECU is hijacked.
  • the processing for the warning may not be executed correctly, because the warning information may be transmitted through an ECU that is in an invalid state.
  • Patent Document 2 can detect unauthorized data and external spoofing, but cannot detect an abnormality such as hijacking of an ECU when the data itself is not illegal, and therefore cannot take appropriate action. Furthermore, since the network is used via the spoofed ECU, the processing for the abnormality may not be executed correctly.
  • if an attacker notices that unauthorized data or external spoofing has been detected and that an appropriate response process has been performed for the threat, a further attack on that response process, or a new attack by other means, may be provoked.
  • the present invention has been made in view of the above circumstances, and an object of the present invention is to provide an in-vehicle security system and an attack countermeasure method capable of returning a response indicating that a process different from the process actually executed has been performed, even when a process is executed for an input at the time of an attack.
  • an in-vehicle security system includes a first electronic control device and a second electronic control device capable of communicating with the first electronic control device. The second electronic control device executes a first process for an input from the first electronic control device, and returns to the first electronic control device a response indicating that a second process different from the first process has been executed for the input.
  • even when a process is executed for an input at the time of an attack, a response indicating that a process different from that process has been executed can be returned.
  • FIG. 1 is a block diagram illustrating a configuration of the vehicle-mounted security system according to the first embodiment.
  • FIG. 2 is a diagram showing a configuration example of the scenario definition information of FIG.
  • FIG. 3 is a block diagram illustrating an operation example of the vehicle-mounted security system according to the first embodiment.
  • FIG. 4 is a flowchart illustrating an abnormality determination process of the vehicle-mounted security system according to the first embodiment.
  • FIG. 5 is a flowchart illustrating a scenario execution result determination process of the vehicle-mounted security system according to the first embodiment.
  • FIG. 6 is a block diagram illustrating the content of the abnormality handling process of the in-vehicle security system according to the first embodiment.
  • FIG. 7 is a flowchart illustrating an abnormality handling process of the vehicle-mounted security system according to the first embodiment.
  • FIG. 8 is a flowchart showing the function level high processing of FIG.
  • FIG. 9 is a flowchart showing the mid-function level processing and the low function level processing of FIG.
  • FIG. 10 is a block diagram illustrating the configuration of the vehicle-mounted security system according to the second embodiment.
  • FIG. 11 is a flowchart illustrating an abnormality handling process of the vehicle-mounted security system according to the third embodiment.
  • FIG. 12 is a block diagram showing the configuration of the vehicle-mounted security system according to the third embodiment.
  • FIG. 13 is a block diagram illustrating a hardware configuration of an ECU used in the vehicle-mounted security system according to the fourth embodiment.
  • FIG. 1 is a block diagram illustrating a configuration of the vehicle-mounted security system according to the first embodiment.
  • the in-vehicle security system includes an ECU-X102, an ECU-A103, an ECU-B104, and a monitoring ECU 105.
  • ECU-X102, ECU-A103, ECU-B104, and monitoring ECU 105 can be mounted on a vehicle.
  • the ECU-X 102, the ECU-A 103, the ECU-B 104, and the monitoring ECU 105 can be connected to each other via the in-vehicle network 101.
  • Examples of the in-vehicle network 101 include CAN (Controller Area Network), FlexRay, LIN (Local Interconnect Network), and Ethernet (registered trademark).
  • the ECU-X 102 is connected to an external device 113A and an external network 113B.
  • OBD (On-Board Diagnostics)
  • Ethernet can be used.
  • the external network 113B may be a WAN (Wide Area Network) such as the Internet, a LAN (Local Area Network) such as WiFi, or a mixture of a WAN and a LAN.
  • although FIG. 1 shows an example in which the ECU-X 102 is connected to both the external device 113A and the external network 113B, the ECU-X 102 may be connected to only one of them.
  • the ECU-X 102 connected to the external device 113A and the external network 113B can be treated as the attack target ECU, since it can be taken over via the external network 113B or reached by impersonation of the external device 113A.
  • ECU-X102, ECU-A103 and ECU-B104 electronically control on-vehicle equipment of the vehicle.
  • the on-vehicle device is, for example, a power device, a steering device, a braking device, or a transmission.
  • An engine or an electric motor can be used as the power unit of the vehicle.
  • the in-vehicle device may be a headlight, a power window, a door lock, an electric seat, an instrument panel, or the like.
  • ECU-X102 is connected to sensor 100x and actuator 106x.
  • the ECU-A 103 is connected to the sensor 100A and the actuator 106A.
  • the ECU-B 104 is connected to the sensor 100B and the actuator 106B.
  • the actuators 106x, 106A, 106B are, for example, actuators for operating the accelerator, the brake, and the steering.
  • the ECU-A 103 and the ECU-B 104 are connected to a warning display unit 114.
  • the warning display unit 114 displays a warning when an abnormality occurs due to takeover via the external network 113B or impersonation of the external device 113A.
  • the ECU-A 103 and the ECU-B 104 communicate with the warning display unit 114 via a communication network that does not include the ECU-X 102 connected to the external device 113A and the external network 113B.
  • the monitoring ECU 105 monitors the ECU-X102, the ECU-A103, and the ECU-B104 for any abnormality.
  • the security level of the monitoring ECU 105 can be higher than the security levels of the ECU-X102, ECU-A103, and ECU-B104.
  • the monitoring ECU 105 may have a security function such as an HSM, or may not be directly connected to an external network.
  • the monitoring ECU 105 collects information indicating the operation state of the ECU-X102 from the ECU-X102, which is the target ECU, via the in-vehicle network 101.
  • the monitoring ECU 105 monitors the operation state of the ECU-X 102 based on the information indicating the operation state of the ECU-X 102 collected from the ECU-X 102. At this time, the monitoring ECU 105 can determine that the takeover of the ECU-X 102 has occurred when there is a deviation of the operating state from the normal operating condition defined for the ECU-X 102 by a certain amount or more.
  • the monitoring ECU 105 collects information indicating the operation states of the ECU-A 103 and the ECU-B 104 from the ECU-A 103 and the ECU-B 104 via the in-vehicle network 101.
  • the monitoring ECU 105 monitors the operation states of the ECU-A 103 and the ECU-B 104 based on the information indicating the operation states of the ECU-A 103 and the ECU-B 104 collected from the ECU-A 103 and the ECU-B 104.
  • the monitoring ECU 105 determines whether a deviation of the operating state of the ECU-A 103 by a certain amount or more is caused by communication between the ECU-A 103 and the ECU-X 102. When there is a deviation of the operating state of the ECU-A 103 by a certain degree or more due to the communication between the ECU-A 103 and the ECU-X 102, it can be determined that the takeover of the ECU-X 102 has occurred.
  • the ECU-A 103 and the ECU-B 104 execute a first process for an input from the ECU-X 102. Also, the ECU-A 103 and the ECU-B 104 return to the ECU-X 102 a response indicating that a second process different from the first process has been executed for the input from the ECU-X 102. At this time, the ECU-A 103 and the ECU-B 104 can acquire from the monitoring ECU 105 a detection result indicating that the ECU-X 102 has deviated from the predetermined operation. The ECU-A 103 and the ECU-B 104 may also detect the deviation of the ECU-X 102 from the predetermined operation by themselves, in which case the monitoring ECU 105 may be omitted.
  • the first process can be a safety process for an input from the ECU-X102.
  • This safety process can be a process on the fail safe side in response to an instruction to the ECU-X 102 at the time of an attack.
  • the second process may be a process executed as instructed by the input from the ECU-X102.
  • the ECU-A103 and the ECU-B104 execute a safety process for the input from the ECU-X102, while returning to the ECU-X102 a response indicating that the input was executed as instructed.
  • the ECU-A103 and the ECU-B104 can thus pretend to the attacker that they executed the attack as instructed, while ensuring their own safety against the attack. As a result, the attacker can be prevented from knowing that the safety process was performed in response to the attack, which prevents a further attack on the safety process, or a new attack by other means, from being invited.
  • a search program for searching for the attacker may be added to the response.
  • when the search program is loaded into the ECU-X 102, the attacker can be identified by performing reverse detection of the attacker. The search program can then notify the ECU-A103 and the ECU-B104 of information identifying the attacker.
  • ECU-X 102 holds ECU-X scenario definition information 107x
  • ECU-A 103 holds ECU-A scenario definition information 107A
  • ECU-B 104 holds ECU-B scenario definition information 107B.
  • in the ECU-X scenario definition information 107x, function sequence information indicating a series of normal operations executed by the ECU-X 102 is set.
  • in the ECU-A scenario definition information 107A, function sequence information indicating a series of normal operations executed by the ECU-A 103 is set.
  • in the ECU-B scenario definition information 107B, function sequence information indicating a series of normal operations executed by the ECU-B 104 is set.
  • the function sequence information includes, as an execution procedure, a normal processing order, execution conditions, and execution timing for executing each function of the ECU-X 102, the ECU-A 103, and the ECU-B 104.
  • the ECU-X 102 normally causes the actuator 106x to execute "function A".
  • the ECU-X 102 executes a series of operations of processing 1 → processing 4 → processing 5 → function A.
  • in the ECU-X scenario definition information 107x, the information "process 1 → process 4 → process 5 → execute function A" is set as function sequence information.
  • the function sequence information may include control value information and communication information necessary for the ECU-X102, the ECU-A103, and the ECU-B104 to execute the function.
  • the information of the control value is the item of the control value, the change amount or range of the control value, the upper and lower limit values of the control value, and the update timing of the control value.
  • the communication information is a communication item, a message ID, a message data length, an update timing, and an update frequency.
  • the scenario execution result storage memories 108x, 108A, and 108B are provided in the ECU-X102, the ECU-A103, and the ECU-B104, respectively.
  • each stores information on the execution result of the function sequence defined by the ECU-X scenario definition information 107x, the ECU-A scenario definition information 107A, and the ECU-B scenario definition information 107B of the ECU-X102, the ECU-A103, and the ECU-B104, respectively.
  • each scenario execution result storage memory 108x, 108A, 108B also stores information on the execution results of the function sequences defined in the ECU-X scenario definition information 107x, the ECU-A scenario definition information 107A, and the ECU-B scenario definition information 107B of the ECU-X102, the ECU-A103, and the ECU-B104 that are related to each other.
  • the scenario execution result storage memory 108x can store not only information on the execution result and timing of the scenario of the ECU-X102 and the intermediate values of the control values, but also the communication data transmitted to and received from other ECUs by the ECU-X102 in order to execute the function.
  • the scenario execution result storage memories 108x, 108A, and 108B may use an external shared memory so that the ECU-X102, the ECU-A103, the ECU-B104, and the monitoring ECU 105 can access them in common.
  • as this shared memory, for example, a nonvolatile memory such as an EEPROM (Electrically Erasable Programmable Read-Only Memory) can be used.
  • alternatively, all information may be collected in the monitoring ECU 105 using in-vehicle network communication such as CAN or FlexRay communication.
  • a configuration in which any one of the ECU-X102, the ECU-A103, the ECU-B104, and the monitoring ECU 105 collectively holds the information may also be used.
  • the ECU-X102, ECU-A103, and ECU-B104 are provided with abnormality handling units 109x, 109A, and 109B, respectively.
  • each of the abnormality handling units 109x, 109A, and 109B executes a safety process on its own ECU for an input from a peripheral ECU. Further, each of the abnormality handling units 109x, 109A, and 109B returns to the peripheral ECU a response indicating that the processing has been executed as instructed by the input from the peripheral ECU.
  • the abnormality handling units 109x, 109A, and 109B can obtain from the monitoring ECU 105 a detection result indicating that the peripheral ECU has deviated from the predetermined operation.
  • each of the abnormality handling units 109x, 109A, and 109B can continue operating by re-executing the function of its own ECU according to the normal execution procedure.
  • each of the abnormality handling units 109x, 109A, and 109B returns to the peripheral ECUs a response indicating that the function has been executed in the abnormal execution procedure, and can display a warning on its own ECU.
  • the abnormality handling units 109x, 109A, and 109B can operate their own ECUs by returning the control values to their initial values.
  • each of the abnormality handling units 109x, 109A, and 109B returns to the peripheral ECU a response indicating that the function has been executed with the abnormal control value, and can display a warning on its own ECU.
  • each of the abnormality handling units 109x, 109A, and 109B can shut off the communication to its own ECU if there is an abnormality in a communication item.
  • each of the abnormality handling units 109x, 109A, and 109B returns to the peripheral ECU a response indicating that the function has been executed in the state where the communication item has an abnormality, and can display a warning on its own ECU.
  • the monitoring ECU 105 holds the ECU-X, A, and B scenario definition information 110.
  • the ECU-X, A, B scenario definition information 110 can include ECU-X scenario definition information 107x, ECU-A scenario definition information 107A, and ECU-B scenario definition information 107B.
  • the monitoring ECU 105 is provided with a scenario execution result determination processing unit 111.
  • the scenario execution result determination processing unit 111 collects information indicating the operation states of the ECU-X 102, the ECU-A 103, and the ECU-B 104 from the ECU-X 102, the ECU-A 103, and the ECU-B 104. Then, by comparing the ECU-X, A, B scenario definition information 110 of the ECU-X102, the ECU-A103, and the ECU-B104 with the information indicating their operation states, it determines whether any of the ECU-X102, the ECU-A103, and the ECU-B104 has been hijacked from outside or operated improperly due to impersonation of an external device.
  • as a method for the monitoring ECU 105 to acquire information from the ECU-X 102, the ECU-A 103, and the ECU-B 104, for example, if there is an external memory such as an EEPROM, the information can be acquired from the external memory. If there is no external memory, in-vehicle network communication such as CAN or FlexRay communication between the monitoring ECU 105 and the ECU-X 102, the ECU-A 103, and the ECU-B 104 can be used.
  • in-vehicle network communication for monitoring can be prepared separately from ordinary in-vehicle network communication, such as using a dedicated message for transmitting information.
  • the timing for acquiring the information for monitoring can be set to an arbitrary timing according to the in-vehicle system. For example, information can be acquired at a timing when a specific value changes, or at a timing when abnormality processing can be safely performed when it is determined that an abnormality has occurred.
  • the monitoring ECU 105 is provided with a determination result notification processing unit 112.
  • the determination result notification processing unit 112 determines whether or not the processing of the ECU-X 102, the ECU-A 103, and the ECU-B 104 has been executed in accordance with the function sequence defined in the ECU-X, A, B scenario definition information 110, and notifies the determination result to the ECU-X102, the ECU-A103, and the ECU-B104.
  • the monitoring ECU 105 may transmit, for example, a message notifying the determination result to the ECU-X 102, the ECU-A 103, and the ECU-B 104.
  • the monitoring ECU 105 may store the determination result in a common memory accessible from the ECU-X 102, the ECU-A 103, and the ECU-B 104.
  • FIG. 2 is a diagram showing a configuration example of the scenario definition information of FIG.
  • the ECU-X scenario definition information 107x, the ECU-A scenario definition information 107A, and the ECU-B scenario definition information 107B can be used by the monitoring ECU 105 to detect illegal operations due to hijacking of the ECU-X102, ECU-A103, and ECU-B104 or impersonation of an external device.
  • each of the ECU-X scenario definition information 107x, the ECU-A scenario definition information 107A, and the ECU-B scenario definition information 107B is roughly composed of three pieces of information: a function execution procedure 115, information 116 on important control values handled by the ECU, and information 117 on communication items with each ECU.
  • the function execution procedure 115 can include information indicating the order of processing for executing a specific function, information indicating conditions for executing the function, and information indicating timing for executing the function.
  • the information indicating the order of processing for executing a specific function is, for example, an execution completion flag.
  • the condition for executing the function is, for example, information on a status in which the function can be executed.
  • the timing for executing the function is, for example, an execution cycle.
  • the monitoring ECU 105 can use the function execution procedure 115 to check whether a specific function is being executed in the regular procedure. For example, when the procedure for executing the function A is "process 1 → process 3 → process 5", the function execution procedure 115 can define, as a variable, an execution completion flag indicating the order "process 1 → process 3 → process 5". If there is a condition for executing a specific function, information such as "when the status is idle" can be defined as the execution condition. If a specific function is to be executed periodically, information such as "execute the function every 100 sec" can be defined as the execution cycle information.
  • the important control value information 116 handled by the ECU includes the control items that the ECU-X102, ECU-A103, and ECU-B104 can handle when executing a specific function, the appropriate value for the change of the control value of each control item, the amount (range) of change, the upper and lower limit values, and the timing information at which the control value is updated.
  • control value is a value for controlling the actuators 106x, 106A, 106B and the sensors 100x, 100A, 100B which are controlled by the ECU-X102, the ECU-A103, and the ECU-B104, respectively.
  • the control value is a value of an important control item that may cause a problem in the safety of the vehicle-mounted system when tampered with an illegal operation. For example, it is a value actually output such as a current value used for motor control or a voltage value used for battery control, or a value transmitted to another ECU.
  • the important control value information 116 handled by the ECU can be constituted by information that can be externally checked and monitored whether the ECU is operating correctly.
  • the important control value information 116 handled by the ECU can usually include a value that is not changed unless tampered from outside, specifically, software version information and the like.
  • the timing information at which the control value is updated can be constituted by control value update cycle information, for example, information every 100 sec.
  • the information 117 on communication items with each ECU is information on communication items with each ECU, and can include, for example, a message ID, a communication data length, an update timing and an update interval of the information.
  • the information 117 on the communication items with each ECU can be constituted by information that can be monitored from the outside, such as communication cycle information for each message ID.
  • the monitoring ECU 105 can determine what should be monitored in order to determine whether the functions of the ECU-X 102, the ECU-A 103, and the ECU-B 104 are operating properly.
  • by confirming and monitoring the information defined by the ECU-X, A, B scenario definition information 110, the monitoring ECU 105 can determine whether or not the ECU-X 102, the ECU-A 103, and the ECU-B 104 have been taken over or an illegal operation has been performed by masquerading as an external device.
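The following is an added illustration and is not part of the patent text or of the assignee's implementation. It models the monitoring ECU's comparison of collected operation state against the three parts of the scenario definition information of FIG. 2 (function execution procedure 115, important control value information 116, communication item information 117). The class and function names, the constructed "function A" definition, the sample operation states, and the 20 % cycle tolerance are all assumptions made for the example; the point it demonstrates is the one the description makes, that a hijacked ECU can be flagged even though every control value and message ID it produces is individually legal.

```python
# Added example (not from the patent): a monitoring check modelled on the three
# parts of the scenario definition information of FIG. 2. Names, values and the
# cycle tolerance are constructed for illustration.
from dataclasses import dataclass

CYCLE_TOLERANCE = 0.2  # assumed: an interval may differ from its cycle by 20 %

@dataclass
class ScenarioDefinition:
    function_name: str
    process_order: list       # procedure 115: order of processes
    execution_condition: str  # procedure 115: status in which the function may run
    execution_cycle: int      # procedure 115: execution cycle (time units)
    control_limits: dict      # info 116: item -> (lower, upper, max change per update)
    comm_items: dict          # info 117: message id -> (data length, update cycle)

@dataclass
class OperationState:
    executed_order: list        # processes actually executed, in order
    status_at_start: str        # status when the function started
    execution_timestamps: list  # start time of each execution of the function
    control_values: dict        # item -> successive control values
    messages: list              # (message id, data length, timestamp) as sent

def _cycle_deviations(label, timestamps, expected_cycle):
    """Report every interval outside the tolerated cycle."""
    findings = []
    for earlier, later in zip(timestamps, timestamps[1:]):
        interval = later - earlier
        if abs(interval - expected_cycle) > CYCLE_TOLERANCE * expected_cycle:
            findings.append(f"{label}: interval {interval} deviates from cycle {expected_cycle}")
    return findings

def check_procedure(defn, state):
    """Function execution procedure 115: order, condition and cycle."""
    findings = []
    if state.executed_order != defn.process_order:
        findings.append(f"{defn.function_name}: executed {state.executed_order}, "
                        f"defined order is {defn.process_order}")
    if state.status_at_start != defn.execution_condition:
        findings.append(f"{defn.function_name}: started in status '{state.status_at_start}', "
                        f"allowed only when '{defn.execution_condition}'")
    return findings + _cycle_deviations(defn.function_name, state.execution_timestamps,
                                        defn.execution_cycle)

def check_control_values(defn, state):
    """Important control value information 116: limits and amount of change."""
    findings = []
    for item, (lower, upper, max_change) in defn.control_limits.items():
        values = state.control_values.get(item, [])
        findings += [f"{item}: value {v} outside [{lower}, {upper}]"
                     for v in values if not lower <= v <= upper]
        findings += [f"{item}: change {b - a} exceeds {max_change}"
                     for a, b in zip(values, values[1:]) if abs(b - a) > max_change]
    return findings

def check_comm_items(defn, state):
    """Communication item information 117: message id, data length, update cycle."""
    findings, timestamps_by_id = [], {}
    for msg_id, length, timestamp in state.messages:
        if msg_id not in defn.comm_items:
            findings.append(f"message 0x{msg_id:X}: not a defined communication item")
            continue
        if length != defn.comm_items[msg_id][0]:
            findings.append(f"message 0x{msg_id:X}: data length {length} differs from definition")
        timestamps_by_id.setdefault(msg_id, []).append(timestamp)
    for msg_id, timestamps in timestamps_by_id.items():
        findings += _cycle_deviations(f"message 0x{msg_id:X}", timestamps, defn.comm_items[msg_id][1])
    return findings

def determine_abnormality(defn, state):
    """Monitoring ECU decision: any finding means the ECU deviated from its scenario."""
    return (check_procedure(defn, state) + check_control_values(defn, state)
            + check_comm_items(defn, state))

# Constructed definition of "function A" (process 1 -> process 3 -> process 5).
FUNCTION_A = ScenarioDefinition("function A", ["process 1", "process 3", "process 5"],
                                "idle", 100, {"motor_current": (0, 50, 5)}, {0x123: (8, 100)})

# Constructed operation state of a normally behaving ECU.
NORMAL_STATE = OperationState(["process 1", "process 3", "process 5"], "idle", [0, 100, 200],
                              {"motor_current": [10, 12, 11]},
                              [(0x123, 8, t) for t in (0, 100, 200)])

# Constructed state of a hijacked ECU: every value and message id is legal, but
# process 3 is skipped and message 0x123 is sent at twice its defined rate.
HIJACKED_STATE = OperationState(["process 1", "process 5"], "idle", [0, 100, 200],
                                {"motor_current": [10, 12, 11]},
                                [(0x123, 8, t) for t in (0, 50, 100, 150, 200)])
```

Running `determine_abnormality(FUNCTION_A, NORMAL_STATE)` yields no findings, while the hijacked state yields one finding for the skipped process and one for each halved message interval, even though `check_control_values` reports nothing for it. A real monitoring ECU would additionally need the collected state to arrive over a path the attack-target ECU cannot rewrite (the shared memory or dedicated monitoring messages the description mentions), otherwise the comparison is against attacker-supplied data.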
  • FIG. 3 is a block diagram showing an operation example of the vehicle-mounted security system according to the first embodiment.
  • the ECU-X102 is the target ECU.
  • an example is taken in which the monitoring ECU 105 detects that the ECU-X 102 has deviated from the predetermined operation, and the ECU-A 103 and the ECU-B 104 execute processing for the input from the ECU-X 102 based on the detection result of the monitoring ECU 105.
  • the ECU-A 103 and the ECU-B 104 hold ECU-A, X scenario definition information 117A and ECU-B, X scenario definition information 117B, respectively, which include not only the ECU-A scenario definition information 107A and the ECU-B scenario definition information 107B but also the ECU-X scenario definition information 107x of the ECU-X102.
  • the ECU-A 103 and the ECU-B 104 may obtain the ECU-X scenario definition information 107x of the ECU-X 102 from the monitoring ECU 105 when the ECU-X 102 is set as the attack target ECU, or the ECU-X scenario definition information 107x may be held in advance.
  • the ECU-X 102 receives an attack from the external device 113A or the external network 113B (P1).
  • the ECU-A 103, the ECU-B 104, and the monitoring ECU 105 acquire and record information indicating the operation state of the ECU-X 102 from the ECU-X 102 (P2 to P4).
  • the ECU-A 103, the ECU-B 104, and the monitoring ECU 105 can determine which information of the ECU-X 102 set as the attack target ECU to obtain by referring to the ECU-X scenario definition information 107x of the ECU-X 102.
  • the monitoring ECU 105 collects information indicating the operation state of the ECU-A103 from the ECU-A103 (P5), and collects information indicating the operation state of the ECU-B104 from the ECU-B104 (P6). Then, the monitoring ECU 105 compares the ECU-X scenario definition information 107x of the ECU-X 102 with the information indicating the operation state of the ECU-X 102, thereby determining whether there is any unauthorized operation such as a takeover of the ECU-X 102 from the outside or impersonation of an external device.
  • the monitoring ECU 105 compares the ECU-A scenario definition information 107A of the ECU-A 103 with the information indicating the operation state of the ECU-A 103, thereby determining whether or not there is any unauthorized operation of the ECU-A 103 due to communication with the ECU-X 102. Furthermore, the monitoring ECU 105 compares the ECU-B scenario definition information 107B of the ECU-B 104 with the information indicating the operation state of the ECU-B 104, thereby determining whether or not there is any unauthorized operation of the ECU-B 104 due to communication with the ECU-X 102.
  • the monitoring ECU 105 determines whether there is an unauthorized operation of the ECU-X 102, an unauthorized operation of the ECU-A 103 resulting from communication with the ECU-X 102, or an unauthorized operation of the ECU-B 104 resulting from communication with the ECU-X 102, and notifies the determination result to the ECU-A103 and the ECU-B104 (P7, P8).
  • the ECU-A 103 and the ECU-B 104 execute a safety process on their own ECUs for a message, a control value, or the like input from the ECU-X 102. Further, the ECU-A 103 and the ECU-B 104 return to the ECU-X102 a response indicating that the processing has been executed in accordance with the message or control value input from the ECU-X 102 (P9, P10). Further, the ECU-A 103 and the ECU-B 104 display a warning on the warning display unit 114 for the message, control value, or the like input from the ECU-X 102 (P11, P12).
  • the ECU-A103 and the ECU-B104 can thus ensure their own safety against the attack via the ECU-X102, while pretending to the attacker that the attack is being performed as instructed.
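The following is an added illustration and is not part of the patent text or of the assignee's implementation. It models the behaviour described for the abnormality handling units 109A/109B above (first process executed on the own ECU, response claiming the second process, warning to the display unit 114) and in steps P9 to P12 of FIG. 3. The ECU name, the control item "throttle_position", the message ID, and the fail-safe value are constructed assumptions; the detection result is simply passed in as a flag, standing in for the notification from the monitoring ECU 105.

```python
# Added example (not from the patent): an abnormality handling unit modelled on
# 109A/109B. ECU name, control item, message id and fail-safe value are constructed.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class ControlInput:
    message_id: int
    item: str
    value: float

@dataclass
class HandlingResult:
    applied_value: float    # what the own ECU really applied to its actuator
    response: dict          # what goes back to the sending ECU
    warning: Optional[str]  # what goes to the warning display unit 114, if anything

class AbnormalityHandlingUnit:
    def __init__(self, ecu_name, fail_safe_values):
        self.ecu_name = ecu_name
        self.fail_safe_values = fail_safe_values  # item -> value used by the safety process
        self.applied = {}   # item -> value currently applied on the own ECU
        self.warnings = []  # lines handed to the warning display unit 114

    def _acknowledge(self, inp):
        # Built from the input alone, so the response is identical whether the
        # first (safety) process or the second (as instructed) process ran.
        return {"message_id": inp.message_id, "item": inp.item,
                "executed_value": inp.value, "status": "ok"}

    def handle(self, inp, sender_abnormal):
        """Apply an input; sender_abnormal is the detection result for the sending ECU."""
        if not sender_abnormal:
            self.applied[inp.item] = inp.value  # second process: execute as instructed
            return HandlingResult(inp.value, self._acknowledge(inp), None)
        safe = self.fail_safe_values[inp.item]  # first process: safety process on own ECU
        self.applied[inp.item] = safe
        warning = (f"{self.ecu_name}: {inp.item}={inp.value} from attack-target ECU "
                   f"replaced by fail-safe value {safe}")
        self.warnings.append(warning)
        return HandlingResult(safe, self._acknowledge(inp), warning)

def responses_indistinguishable(unit, inp):
    """True if the sender cannot tell from the response which process actually ran."""
    return unit.handle(inp, False).response == unit.handle(inp, True).response

def demo():
    """Constructed run: an attack-target ECU instructs full throttle on ECU-A 103."""
    unit = AbnormalityHandlingUnit("ECU-A 103", {"throttle_position": 0.0})
    inp = ControlInput(0x123, "throttle_position", 95.0)
    return unit.handle(inp, sender_abnormal=True), unit.warnings

if __name__ == "__main__":
    result, warnings = demo()
    print("applied:", result.applied_value, "| response:", result.response)
    print("warning display:", warnings)
```

The design choice worth keeping from the description is that the response is derived only from the input, never from what was actually applied; any field that differed between the two branches (a timestamp of the safety process, an error code) would tell the sender which process ran. The warning list plays the role of the display unit 114, which the description connects over a network that does not pass through the ECU-X 102.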
  • ECU-X, A-B, and B-scenario definition information 110 of the ECU-X102, the ECU-A103, and the ECU-B104 with the information indicating the operation states of the ECU-X102, the ECU-A103, and the ECU-B104. Even if an illegal operation of the ECU-X 102 is performed without entering an abnormal state or inputting / outputting an abnormal control value or an abnormal message ID, the illegal operation can be detected.
  • an in-vehicle system using the ECU-X102, the ECU-A103, the ECU-B104, and the monitoring ECU 105 without the HSM can cope with security threats such as hijacking of the in-vehicle system and impersonation of external devices. it can.
  • In order to monitor whether the ECU-X 102, set as the attack target, has been hijacked from the outside or operated illegitimately by impersonation of an external device, it is sufficient for the ECU-A 103, the ECU-B 104 and the monitoring ECU 105 that the ECU-X scenario definition information 107x of the ECU-X 102 be held. Therefore, even when it is difficult to add software functions because of the low processing capacity of the ECU-X 102, the ECU-A 103 and the ECU-B 104, security against threats such as hijacking of the in-vehicle system and impersonation of an external device can be guaranteed.
  • The monitoring ECU 105 holds not only the ECU-X scenario definition information 107x of the ECU-X 102 set as the attack target, but also the ECU-A scenario definition information 107A and the ECU-B scenario definition information 107B. This allows the monitoring ECU 105 to take into account the information of the ECU-A 103 and the ECU-B 104 as well as that of the ECU-X 102 set as the attack target, and thus to determine with higher accuracy whether the ECU-X 102 has been taken over or operated illegitimately from an external device.
  • The monitoring ECU 105 acquires information indicating the operation state of the ECU-A 103 from the ECU-A 103 and compares the ECU-A scenario definition information 107A of the ECU-A 103 with that information. This makes it possible to determine whether there is any unauthorized operation of the ECU-A 103 due to communication with the ECU-X 102.
  • FIG. 4 is a flowchart illustrating an abnormality determination process of the vehicle-mounted security system according to the first embodiment.
  • When the monitoring ECU 105 starts the abnormality determination processing of the ECU-X 102 set as an attack target in step S101 of FIG. 4, it acquires, in step S102, information indicating the operation state of the ECU-X 102 from the ECU-X 102.
  • In step S103, the monitoring ECU 105 acquires information indicating the operation state of the ECU-A 103 from the ECU-A 103.
  • In step S104, the monitoring ECU 105 acquires information indicating the operation state of the ECU-B 104 from the ECU-B 104.
  • In step S105, the monitoring ECU 105 compares the information indicating the operation states of the ECU-X 102, the ECU-A 103 and the ECU-B 104 acquired in steps S102 to S104 with the ECU-X, A, B scenario definition information 110. If the information indicating the operation state of any one of the ECU-X 102, the ECU-A 103 and the ECU-B 104 acquired in steps S102 to S104 deviates from the contents of the ECU-X, A, B scenario definition information 110 by a certain amount or more, the monitoring ECU 105 determines that the ECU-X 102 has an abnormality.
  • In step S106, the monitoring ECU 105 notifies the ECU-A 103 and the ECU-B 104 of the determination result obtained in step S105. After that, the abnormality determination processing of the ECU-X 102 ends in step S107.
  • The abnormality determination of the ECU-X 102 by the monitoring ECU 105 can be performed at an arbitrary timing. However, it is preferable to perform it at a timing that allows an unauthorized operation due to takeover or impersonation from an external device to be dealt with safely. For example, it can be executed when a specific reference value changes, at the control cycle of a function, or at a timing such as the FTTI (Fault Tolerant Time Interval) used in functional safety. Basically, it is desirable to execute the processing at a timing that has little effect on the processing load of the on-vehicle system and that can guarantee security.
  • FIG. 5 is a flowchart illustrating a scenario execution result determination process of the vehicle-mounted security system according to the first embodiment. Note that the process in FIG. 5 can be executed as the process of step S105 in FIG. 4.
  • When the scenario execution result determination processing unit 111 starts the scenario execution result determination processing in step S201 of FIG. 5, it checks the execution procedure in step S202.
  • Specifically, the scenario execution result determination processing unit 111 compares the execution procedure information at the time of operation of the ECU-X 102, the ECU-A 103 and the ECU-B 104, acquired from those ECUs, with the execution procedure 115 of the function defined by the ECU-X, A, B scenario definition information 110.
  • The scenario execution result determination processing unit 111 determines whether there is any abnormality in the ECU-X 102 by confirming whether the function of the ECU-X 102 is executed according to the execution procedure registered in the execution procedure 115 of the function of the ECU-X scenario definition information 107x. Further, the scenario execution result determination processing unit 111 determines whether there is any abnormality in the ECU-X 102 by checking whether, based on the transmission data transmitted from the ECU-X 102 to the ECU-A 103, the function of the ECU-A 103 is executed according to the execution procedure registered in the execution procedure 115 of the function of the ECU-A scenario definition information 107A.
  • Similarly, the scenario execution result determination processing unit 111 determines whether there is any abnormality in the ECU-X 102 by checking whether the function of the ECU-B 104 is executed according to the execution procedure registered in the execution procedure 115 of the function of the ECU-B scenario definition information 107B.
  • When the execution of any of the functions of the ECU-X 102, the ECU-A 103 and the ECU-B 104 deviates by a certain amount or more from the execution procedure registered in the execution procedure 115 of the function of the ECU-X, A, B scenario definition information 110, the scenario execution result determination processing unit 111 can determine that there is an abnormality in the ECU-X 102.
  • To determine whether the functions of the ECU-X 102, the ECU-A 103 and the ECU-B 104 are being executed according to the execution procedure registered in the execution procedure 115 of the function of the ECU-X, A, B scenario definition information 110, it is possible to check, for example, whether all the execution completion flags defined in the function execution procedure 115 are set, whether the status at the time of executing the function defined in the function execution procedure 115 is correct, and whether the function is executed at the specified cycle defined in the execution procedure 115.
  • Next, the scenario execution result determination processing unit 111 checks for a change in the control values.
  • The scenario execution result determination processing unit 111 compares the control value information at the time of operation of the ECU-X 102, the ECU-A 103 and the ECU-B 104, acquired from those ECUs, with the important control value information 116 handled by each ECU as defined in the ECU-X, A, B scenario definition information 110, and determines whether or not the ECU-X 102 has an abnormality.
  • Specific examples of these comparison targets are the items of control values, the appropriate values for changes in the control value of each item, the amounts (ranges) of change, the upper and lower limit values, and the timing information for updating the control values.
  • When the control value information obtained from the ECU-A 103 deviates by a certain amount or more from the important control value information 116 handled by the ECU registered in the ECU-A scenario definition information 107A, and the deviation is caused by transmission data transmitted from the ECU-X 102 to the ECU-A 103, the scenario execution result determination processing unit 111 can determine that the ECU-X 102 is abnormal.
  • Likewise, when the control value information acquired from the ECU-B 104 deviates by a certain amount or more from the important control value information 116 handled by the ECU registered in the ECU-B scenario definition information 107B, and the deviation is caused by transmission data transmitted from the ECU-X 102 to the ECU-B 104, the scenario execution result determination processing unit 111 can determine that the ECU-X 102 is abnormal.
  • As for the control value information, it is possible to determine, for example, whether the value specified in the important control value information 116 handled by the ECU in the ECU-X scenario definition information 107x matches the actual control value of the ECU-X 102, whether the control value of the ECU-X 102 has not been stuck at the upper limit for a certain period of time, and whether the amount of change in the control value of the ECU-X 102 is appropriate.
  • For example, if the control value of the ECU-X 102 normally increases by 10, it can be determined whether the control value increases accordingly, and if the control value is updated once every two cycles, it can be determined whether the control value has been updated at the specified cycle.
  • Next, the scenario execution result determination processing unit 111 checks for a change in the communication items.
  • The scenario execution result determination processing unit 111 compares the contents of the communication items of the ECU-X 102 acquired from the ECU-X 102, the ECU-A 103 and the ECU-B 104 with the communication item information 117 of each ECU defined in the ECU-X, A, B scenario definition information 110, and determines whether there is any abnormality in the ECU-X 102.
  • When the contents of the communication items of the ECU-X 102 acquired from the ECU-X 102, the ECU-A 103 and the ECU-B 104 deviate by a certain amount or more from the communication item information 117 of each ECU registered in the ECU-X, A, B scenario definition information 110, the scenario execution result determination processing unit 111 can determine that there is an abnormality in the ECU-X 102.
  • In step S205, the scenario execution result determination processing unit 111 determines whether any abnormality was found in the results confirmed in steps S202 to S204. If there is an abnormality, the abnormality determination result is stored in step S206. If no abnormality was found in steps S202 to S204, the scenario execution result determination processing ends in step S207.
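As an added illustration that is not part of the patent text, the following Python sketches how a monitoring ECU could carry out the three checks of steps S202 to S204 (execution procedure 115, important control value information 116, communication item information 117) and the step S205 decision, including the case where the ECU-X itself looks normal but data it sent makes the ECU-A deviate. The concrete scenario values, the "certain amount" tolerance, the stuck-cycle count and the sample operation states are constructed; the page gives only the structure of the checks.

```python
"""Monitoring-ECU scenario check (constructed example, not the patent's code).
ECU-X is judged abnormal when its own state deviates from its scenario, or when
ECU-A/ECU-B deviate because of data received from ECU-X."""
from dataclasses import dataclass

STUCK_CYCLES = 3  # constructed: cycles at the upper limit that count as "stuck"


@dataclass(frozen=True)
class ScenarioDefinition:
    required_flags: frozenset   # execution procedure 115: completion flags
    expected_cycle_ms: int      # execution procedure 115: specified cycle
    value_min: float            # important control value info 116: lower limit
    value_max: float            # important control value info 116: upper limit
    expected_delta: float       # normal change per update (e.g. +10)
    delta_tolerance: float      # the "certain amount" of deviation tolerated
    update_every_n_cycles: int  # e.g. 2 = updated once every two cycles
    allowed_msg_ids: frozenset  # communication item information 117


@dataclass(frozen=True)
class OperationState:
    ecu: str
    flags_set: frozenset
    observed_cycle_ms: int
    control_values: tuple       # one sample per cycle, oldest first
    msg_ids_seen: frozenset
    caused_by_ecu_x: bool       # state derived from data transmitted by ECU-X


def check_execution_procedure(d, s):
    """Step S202: all completion flags set, and executed at the specified cycle?"""
    findings = []
    missing = d.required_flags - s.flags_set
    if missing:
        findings.append(f"{s.ecu}: completion flags not set {sorted(missing)}")
    if s.observed_cycle_ms != d.expected_cycle_ms:
        findings.append(f"{s.ecu}: cycle {s.observed_cycle_ms} ms, expected {d.expected_cycle_ms} ms")
    return findings


def check_control_values(d, s):
    """Step S203: limits, stuck-at-upper-limit, amount of change and update timing."""
    findings = []
    vals = s.control_values
    if any(not d.value_min <= v <= d.value_max for v in vals):
        findings.append(f"{s.ecu}: control value outside [{d.value_min}, {d.value_max}]")
    if len(vals) >= STUCK_CYCLES and all(v == d.value_max for v in vals[-STUCK_CYCLES:]):
        findings.append(f"{s.ecu}: stuck at upper limit for {STUCK_CYCLES} cycles")
    n = d.update_every_n_cycles
    for i in range(1, len(vals)):
        delta = vals[i] - vals[i - 1]
        if i % n == 0:  # an update cycle: the change must be close to the expected one
            if abs(delta - d.expected_delta) > d.delta_tolerance:
                findings.append(f"{s.ecu}: change {delta:+} at cycle {i}, expected {d.expected_delta:+}")
        elif delta != 0:  # not an update cycle: the value must hold
            findings.append(f"{s.ecu}: updated at cycle {i}, outside the specified cycle")
    return findings


def check_communication_items(d, s):
    """Step S204: only message IDs registered for this ECU may appear."""
    unexpected = s.msg_ids_seen - d.allowed_msg_ids
    return [f"{s.ecu}: unregistered message IDs {sorted(unexpected)}"] if unexpected else []


def determine_ecu_x_abnormal(definitions, states):
    """Step S205: ECU-X is abnormal if its own state deviates, or if ECU-A/ECU-B
    deviate and the deviation is caused by data transmitted from ECU-X."""
    findings = []
    for s in states:
        d = definitions[s.ecu]
        f = (check_execution_procedure(d, s) + check_control_values(d, s)
             + check_communication_items(d, s))
        if s.ecu == "ECU-X" or s.caused_by_ecu_x:
            findings += f
    return bool(findings), findings


# Constructed sample: the control value normally rises by 10 once every two cycles.
FLAGS = frozenset({"init", "run"})
DEFS = {
    "ECU-X": ScenarioDefinition(FLAGS, 10, 0, 100, 10, 2, 2, frozenset({0x100, 0x101})),
    "ECU-A": ScenarioDefinition(FLAGS, 10, 0, 100, 10, 2, 2, frozenset({0x200})),
}
NORMAL = [
    OperationState("ECU-X", FLAGS, 10, (0, 0, 10, 10, 20, 20), frozenset({0x100}), False),
    OperationState("ECU-A", FLAGS, 10, (0, 0, 10, 10, 20, 20), frozenset({0x200}), True),
]
# ECU-X itself still looks normal, but data it sent makes ECU-A jump by 15 every cycle.
ATTACK = [
    NORMAL[0],
    OperationState("ECU-A", FLAGS, 10, (0, 15, 30, 45, 60, 75), frozenset({0x200}), True),
]

if __name__ == "__main__":
    print(determine_ecu_x_abnormal(DEFS, ATTACK))
```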
  • The abnormality handling units 109A and 109B of FIG. 1 execute the abnormality handling process 109 of FIG. 6.
  • FIG. 6 is a block diagram illustrating the content of the abnormality handling process of the in-vehicle security system according to the first embodiment.
  • the abnormality handling process 109 includes an ECU status determination process 120, function level definition information 121, a function level handling process 122, a warning display process 123, and a dummy response process 124.
  • The ECU status determination processing 120 confirms the abnormality determination result of the ECU-X 102 notified from the monitoring ECU 105. For example, the ECU status determination processing 120 checks a flag indicating whether the ECU-X 102 on the vehicle-mounted network 101 is normal or abnormal. Then, the abnormality handling processing units 109A and 109B perform normal processing if it is normal, and execute processing according to the abnormality if it is abnormal.
  • The function level definition information 121 classifies the functions of the ECU-A 103 and the ECU-B 104 into categories based on processing intervals such as the function execution cycle. If, when an abnormality occurs, the ECU-A 103 and the ECU-B 104 executed abnormality handling processing for all functions, the processing load on the ECU-A 103 and the ECU-B 104 would increase, and ideal abnormality handling might not be possible for important functions.
  • By classifying functions by level, the ECU-A 103 and the ECU-B 104 can make effective use of the time available until the abnormality handling processing.
  • For example, a function with a short processing cycle, such as motor speed control or high voltage control, is set to a high function level.
  • the function level definition information 121 defines such function information as a database.
  • It is also possible to define a function whose abnormality would have a large safety impact as having a function level higher than the level corresponding to its execution cycle, even if the execution cycle is long.
  • As a criterion for defining the function level, another criterion may be used in addition to the execution cycle of the function or the importance of the function.
  • The function level handling process 122 executes processing corresponding to the function level defined by the function level definition information 121. For example, for a process with a high function level there is little time to cope with the abnormality, so the process is executed with priority given to processing time, using an initial value or a previous value. For a process with a middle or low function level, the data transmitted from the ECU-X 102 is checked; if there is no problem with the data, normal processing is performed, and otherwise abnormality processing is performed, so as not to increase the processing load.
  • A difference can also be provided in the abnormality handling processing between function levels by providing a difference in the threshold value used for the determination when checking the data transmitted from the ECU-X 102.
  • As for the threshold value used for the determination, for example, in the case of middle function level processing where the original value range is 1 to 10, the range is defined as the intermediate values 3 to 7, at which neither the upper limit nor the lower limit is reached and operation is reliable, so that normal processing is executed only for values within that range.
  • The warning display process 123 executes a warning display in the ECU-A 103 and the ECU-B 104, which are not connected to the external device 113A or the external network 113B and therefore have a low risk of impersonation of an external device or takeover from the outside.
  • Therefore, the warning display can be performed without passing through the ECU-X 102 that has become abnormal due to impersonation of an external device or takeover from the outside.
  • The warning display process 123 consists only of output from the ECU-A 103 and the ECU-B 104 and involves no external input, thereby suppressing the risk of impersonation of an external device or takeover from the outside.
  • In the dummy response process 124, for data transmitted from the ECU-X 102 in an abnormal state such as impersonation of an external device or takeover from the outside, the ECU-A 103 and the ECU-B 104 return to the ECU-X 102 a response (referred to as a dummy response) as if the processing had been executed using the transmitted data. For example, assume that the data value 15 is transmitted from the ECU-X 102 to the ECU-A 103 for a function that the ECU-A 103 originally executes with the data value 10.
  • In this case, the function is actually executed with the data value 10 inside the ECU-A 103, but in reply to the transmission of the data value 15 from the ECU-X 102, a response that makes it appear that the execution was performed with the data value 15 is returned to the ECU-X 102.
  • FIG. 7 is a flowchart illustrating an abnormality handling process of the vehicle-mounted security system according to the first embodiment.
  • When the ECU-A 103 and the ECU-B 104 start the abnormality handling process in step S301 of FIG. 7, they acquire, in step S302, the message data transmitted from the ECU-X 102.
  • the ECU-A 103 and the ECU-B 104 acquire data necessary for executing the functions of the ECU-A 103 and the ECU-B 104 in response to the input from the ECU-X 102.
  • For example, the ECU-A 103 and the ECU-B 104 may obtain the data from a message buffer, may obtain it using an interface function for data transfer, or may acquire data stored in a global memory.
  • In step S303, the ECU-A 103 and the ECU-B 104 determine the status of the ECU-X 102 that transmitted the message data acquired in step S302, based on the determination result notified from the monitoring ECU 105 in step S106 of FIG. 4.
  • the ECU-A 103 and the ECU-B 104 obtain the status of the ECU-X 102 from a message indicating the status of the ECU-X 102 transmitted from the monitoring ECU 105, a common memory storing the status of the ECU-X 102, and the like. It is determined whether the ECU-X 102 is normal or abnormal based on the state.
  • If the result of the determination in step S303 is a normal state, the flow proceeds to step S304 and normal processing is executed. On the other hand, if the result of the determination in step S303 is an abnormal state, that is, if there is impersonation of an external device or takeover from the outside with respect to the ECU-X 102, the flow proceeds to step S305, and the function levels of the functions executed by the ECU-A 103 and the ECU-B 104 are determined.
  • Then the ECU-A 103 and the ECU-B 104 execute processing according to the function level determined in step S305. That is, when the determination result is a high function level, high function level processing is executed in step S306; when it is a middle function level, middle function level processing is executed in step S307; and when it is a low function level, low function level processing is executed in step S308.
  • For example, if the control to be executed this time is motor rotation speed control and motor speed control is defined as a high function level, high function level processing is executed.
  • In step S309, the ECU-A 103 and the ECU-B 104 display a warning to the user as necessary.
  • the abnormality may be notified to the user so that the user can select a measure.
  • a warning lamp may be turned on or a message may be displayed on a display for each occurrence of an abnormality to urge the user to respond.
  • In step S310, the ECU-A 103 and the ECU-B 104 create dummy response data that makes it appear that the function was executed using the data specified by the attacker. For example, when the data value 15 is transmitted from the ECU-X 102 for a function originally performed with the data value 10, the ECU-A 103 and the ECU-B 104 perform the function with the data value 10 but create, as the response message, dummy response data indicating that execution was performed with the data value 15.
  • In step S311, the ECU-A 103 and the ECU-B 104 return to the ECU-X 102 the response created according to the normal or abnormal state of the ECU-X 102, and end the abnormality handling process in step S312.
  • For the response, a protocol or an interface function of the vehicle-mounted network 101 can be used.
  • FIG. 8 is a flowchart showing the high function level processing of FIG. 7.
  • When the ECU-A 103 and the ECU-B 104 start high function level processing in step S401 of FIG. 8, they execute safety processing in step S402.
  • As the safety processing, it is possible to execute a countermeasure process by which a data value transmitted by an invalid operation due to takeover from the outside or impersonation of an external device is invalidated.
  • For example, the function may be re-executed with the regular procedure, the control value or the acquired data value may be reset to its initial value to continue operation, or the operation may be set to a value (such as an intermediate value) that causes no problem in operation.
  • Then the high function level processing ends in step S403.
  • Since functions with a high function level have a short execution cycle and include many important functions, processing that is simplified, that shortens processing time, and that uses data values with which processing can be executed safely and reliably is desirable.
  • FIG. 9 is a flowchart showing the middle function level processing and the low function level processing of FIG. 7.
  • When the ECU-A 103 and the ECU-B 104 start middle or low function level processing in step S501 of FIG. 9, they confirm, in step S502, the data they use. If the values of the data used by the ECU-A 103 and the ECU-B 104 are within the proper range and there is no abnormality, normal processing is executed in step S503. On the other hand, if the values of the data used by the ECU-A 103 and the ECU-B 104 are out of the proper range or abnormal, safety processing is executed in step S504. When the normal processing of step S503 or the safety processing of step S504 has been executed, the middle or low function level processing ends in step S505.
  • The middle function level processing and the low function level processing have basically the same processing flow, but the threshold of the judgment value used in the confirmation of the used data in step S502 differs.
  • For example, in middle function level processing a deviation of up to ±5 of the data value is allowed, while in low function level processing a deviation of up to ±10 of the data value can be allowed.
  • Alternatively, the same threshold value as that used for normal abnormality determination may be used, with a difference provided between the determination values.
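As an added example that is not part of the patent, this Python shows the receiving-side handling of FIG. 7 to FIG. 9 in one place: classification by function level (function level definition information 121, with the safety-impact override), high-level safety processing with a known-safe value, middle/low-level data checks with the ±5 and ±10 thresholds, and the dummy response that reports the attacker's value. The cycle boundaries, function names and nominal values are constructed assumptions; the 10/15 values are the page's own example.

```python
"""Receiving-ECU abnormality handling (constructed example, not the patent's code).
function_level() models the function level definition information 121;
handle_message() follows FIG. 7 to FIG. 9 for one message received from ECU-X."""
from dataclasses import dataclass
from enum import Enum


class Level(Enum):
    HIGH = 3
    MIDDLE = 2
    LOW = 1


@dataclass(frozen=True)
class FunctionDef:
    name: str
    cycle_ms: int                   # execution cycle used to classify the function
    nominal: float                  # initial/previous value known to run safely
    safety_critical: bool = False   # large safety impact on abnormality (level override)


# Constructed cycle boundaries; the patent gives no numbers for these.
HIGH_CYCLE_MS = 10
MIDDLE_CYCLE_MS = 100

# Per-level thresholds from the page: middle allows up to +/-5, low up to +/-10.
TOLERANCE = {Level.MIDDLE: 5.0, Level.LOW: 10.0}


def function_level(f: FunctionDef) -> Level:
    """Function level definition information 121: a short cycle gives a high
    level; a large safety impact overrides the cycle-based level."""
    if f.safety_critical or f.cycle_ms <= HIGH_CYCLE_MS:
        return Level.HIGH
    if f.cycle_ms <= MIDDLE_CYCLE_MS:
        return Level.MIDDLE
    return Level.LOW


@dataclass(frozen=True)
class Outcome:
    executed_value: float     # value the function actually ran with
    response_value: float     # value reported back to ECU-X
    safety_processing: bool   # True when the safety process (S402 / S504) ran
    warning: bool             # warning display requested (S309)


def handle_message(func: FunctionDef, received: float, ecu_x_abnormal: bool) -> Outcome:
    """Steps S302 to S311 of FIG. 7 for one message from ECU-X."""
    # S303: status of ECU-X as notified by the monitoring ECU.
    if not ecu_x_abnormal:
        return Outcome(received, received, False, False)   # S304 normal processing
    level = function_level(func)                            # S305
    if level is Level.HIGH:
        # S306 / FIG. 8: little time to cope, so no data check; run with the
        # known-safe value so the transmitted value becomes ineffective.
        executed, safety = func.nominal, True
    elif abs(received - func.nominal) <= TOLERANCE[level]:
        executed, safety = received, False                  # S503 normal processing
    else:
        executed, safety = func.nominal, True               # S504 safety processing
    # S309 warning; S310 dummy response: report the attacker's value as if it had
    # been used, so the attacker cannot tell how the ECU actually reacted.
    return Outcome(executed, received, safety, True)


# Constructed functions; motor speed control has a short cycle -> high level.
MOTOR_SPEED = FunctionDef("motor_speed", cycle_ms=5, nominal=10)
FAN_DUTY = FunctionDef("fan_duty", cycle_ms=50, nominal=10)
CABIN_TEMP = FunctionDef("cabin_temp", cycle_ms=500, nominal=10)
BRAKE_ASSIST = FunctionDef("brake_assist", cycle_ms=200, nominal=1, safety_critical=True)

if __name__ == "__main__":
    # Page's example: ECU-X sends 15 for a function normally run with 10.
    print(handle_message(MOTOR_SPEED, 15, ecu_x_abnormal=True))  # runs 10, answers 15
    print(handle_message(FAN_DUTY, 20, ecu_x_abnormal=True))     # |20-10| > 5 -> safety
    print(handle_message(CABIN_TEMP, 20, ecu_x_abnormal=True))   # |20-10| <= 10 -> normal
```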
  • In the above, the method in which the monitoring ECU 105 acquires information from the ECU-X 102, the ECU-A 103 and the ECU-B 104 in order to determine the state of the ECU-X 102 has been described.
  • However, the information may be obtained from a subset of these ECUs: only from the ECU-A 103, only from the ECU-B 104, or from the ECU-A 103 and the ECU-B 104.
  • Conversely, information from more ECUs, not only the ECU-X 102, the ECU-A 103 and the ECU-B 104, may be acquired to determine the abnormality of the ECU-X 102.
  • The more information is obtained from ECUs, the more accurately unauthorized operation due to takeover from the outside or impersonation of an external device can be determined.
  • Although the method in which the monitoring ECU 105 determines the abnormality of the ECU-X 102 and notifies the ECU-A 103 and the ECU-B 104 of the determination result has been described, the determination of whether the ECU-X 102 is abnormal may instead be incorporated in the ECU-A 103 or the ECU-B 104.
  • In that case, the monitoring ECU 105 can be omitted.
  • the abnormality of the ECU-X 102 may be determined by using information of a plurality of ECUs.
  • When information on a plurality of ECUs is used, it may be determined that there is an abnormality in the ECU-X 102 if at least one ECU has been determined to be abnormal, or the abnormality of the ECU-X 102 may be determined by majority decision of the plurality of ECUs.
  • As described above, according to the first embodiment, in an in-vehicle system in which a plurality of ECUs are connected via an in-vehicle network, even for security threats such as hijacking from the outside and impersonation of external devices, which are not determined to be abnormal because the system is controlled by normal control values, unauthorized operations by hijacking from the outside or impersonation of external devices can be detected, and the attacker can be prevented from knowing how those unauthorized operations are handled. This makes it possible to secure time for operating the in-vehicle system safely in response to an attack.
  • Next, a description will be given of a second embodiment having a backup in-vehicle network that is not connected to the outside, separate from the normal in-vehicle network.
  • In the second embodiment, the method of detecting an abnormality and the method of coping with it can use the same mechanism as in the first embodiment.
  • FIG. 10 is a block diagram illustrating the configuration of the vehicle-mounted security system according to the second embodiment.
  • The configuration in FIG. 10 includes an ECU-A 203, an ECU-B 204 and a monitoring ECU 205 instead of the ECU-A 103, the ECU-B 104 and the monitoring ECU 105 in FIG. 1.
  • In addition, a backup vehicle-mounted network 125 (hereinafter referred to as the backup network), not connected to the external device 113A or the external network 113B, is provided separately from the vehicle-mounted network 101 of FIG. 1.
  • the backup network 125 includes only the ECU-A 203, the ECU-B 204, and the monitoring ECU 205 that are not connected to the external device 113A and the external network 113B, and does not include the ECU-X 102 that is connected to the external device 113A and the external network 113B. For this reason, the backup network 125 is a secure in-vehicle network with a small risk of spoofing of external devices or taking over from outside.
  • the ECU-A 203, the ECU-B 204, and the monitoring ECU 205 can execute communication using the in-vehicle network 101 when the ECU-X 102 has no abnormality.
  • When the ECU-X 102 has an abnormality, the ECU-A 203, the ECU-B 204 and the monitoring ECU 205 execute communication with the ECU-X 102 using the in-vehicle network 101, while communication among the ECU-A 203, the ECU-B 204 and the monitoring ECU 205 can be performed using the backup network 125.
  • Other configurations of the ECU-A 203, the ECU-B 204, and the monitoring ECU 205 are the same as those of the ECU-A 103, the ECU-B 104, and the monitoring ECU 105.
  • In this way, when the ECU-X 102 is spoofed by an external device or hijacked from the outside, the ECU-A 203, the ECU-B 204 and the monitoring ECU 205 can always transmit dummy responses in communication on the vehicle-mounted network 101 to which the abnormal ECU-X 102 is connected, and transmit normal data only on the backup network 125.
  • By using the independent backup network 125, which is exposed to no external threat, it is possible to prevent illegal data and normal data from being mixed in the communication data and to perform secure communication. In addition, the risk of exposure to threats from unauthorized data can be reduced, and the processing load can be reduced.
  • FIG. 11 is a flowchart illustrating an abnormality handling process of the vehicle-mounted security system according to the third embodiment.
  • When the ECU-A 203 and the ECU-B 204 start the abnormality handling process in step S601 of FIG. 11, they acquire, in step S602, the message data transmitted from the ECU-X 102.
  • the ECU-A 203 and the ECU-B 204 acquire data necessary for executing the functions of the ECU-A 203 and the ECU-B 204 in response to the input from the ECU-X 102.
  • In step S603, the ECU-A 103 and the ECU-B 104 determine the status of the transmission source of the message data acquired in step S602, based on the determination result notified from the monitoring ECU 205.
  • If the result of the determination in step S603 is a normal state, the flow proceeds to step S604 and normal processing is executed. On the other hand, if the result of the determination in step S603 is an abnormal state, the flow advances to step S605 to determine the function levels of the functions executed by the ECU-A 203 and the ECU-B 204.
  • Then the ECU-A 203 and the ECU-B 204 execute processing according to the function level determined in step S605. That is, when the determination result is a high function level, high function level processing is executed in step S606; when it is a middle function level, middle function level processing is executed in step S607; and when it is a low function level, low function level processing is executed in step S608.
  • In step S609, the ECU-A 203 and the ECU-B 204 display a warning to the user as necessary.
  • the abnormality may be notified to the user so that the user can select a measure.
  • a warning lamp may be turned on or a message may be displayed on a display for each occurrence of an abnormality to urge the user to respond.
  • In step S610, the ECU-A 203 and the ECU-B 204 execute, via the backup network 125, a communication process for transmitting or receiving the values necessary for the processing corresponding to each function level determined in step S605.
  • In step S611, the ECU-A 203 and the ECU-B 204 create dummy response data that makes it appear that the function was executed using the data specified by the attacker.
  • In step S612, the ECU-A 203 and the ECU-B 204 return to the ECU-X 102 the response created according to the normal or abnormal state of the ECU-X 102, and end the abnormality handling process in step S613.
  • For the response, a protocol or an interface function of the vehicle-mounted network 101 can be used.
  • As described above, according to the second embodiment, in an in-vehicle system in which a plurality of ECUs are connected via an in-vehicle network, even for security threats such as hijacking from the outside and impersonation of external devices, which are not determined to be abnormal because the system is controlled by normal control values, etc.
  • FIG. 12 is a block diagram showing the configuration of the vehicle-mounted security system according to the third embodiment.
  • In the third embodiment, an ECU-A 303, an ECU-B 304 and a monitoring ECU 305 are provided instead of the ECU-A 103, the ECU-B 104 and the monitoring ECU 105 of FIG. 1.
  • Further, vehicle-mounted networks 126, 127, 301 and 325 and gateways 128 and 129 are provided instead of the vehicle-mounted network 101 of FIG. 1.
  • the in-vehicle networks 126, 127, 301, and 325 are provided independently of each other.
  • the ECU-X 102 and the monitoring ECU 305 are doubly connected via in-vehicle networks 301 and 325, respectively.
  • the ECU-A 303 and the ECU-B 304 are doubly connected via in-vehicle networks 126 and 127, respectively.
  • the vehicle-mounted networks 301 and 126 are connected via a gateway 128.
  • the in-vehicle networks 325 and 127 are connected via a gateway 129.
  • the monitoring ECU 305 controls the switching of the gateways 128 and 129.
  • The ECU-A 303 and the ECU-B 304 execute communication via the in-vehicle network 126 when there is no abnormality in the ECU-X 102; when the ECU-X 102 has an abnormality, they can communicate with the monitoring ECU 305 via the in-vehicle network 126 and communicate with each other via the in-vehicle network 127.
  • Other configurations of the ECU-A 303, the ECU-B 304, and the monitoring ECU 305 are the same as those of the ECU-A 103, the ECU-B 104, and the monitoring ECU 105.
  • In normal operation, the ECU-X 102, the ECU-A 303, the ECU-B 304 and the monitoring ECU 305 perform communication via the on-vehicle networks 301 and 126.
  • When the monitoring ECU 305 detects that the ECU-X 102 has been hijacked, it notifies the ECU-A 303 and the ECU-B 304 that the connection between the in-vehicle networks 127 and 325 is to be disconnected. Further, the monitoring ECU 305 instructs the gateway 129 to disconnect the connection between the in-vehicle networks 127 and 325.
  • the ECU-A 303 and the ECU-B 304 that have received the notification from the monitoring ECU 305 return a normal response to the vehicle-mounted network 127 and return a dummy response to the ECU-X 102 to the vehicle-mounted network 126.
  • As a result, the ECU-A 303 and the ECU-B 304 can continue normal operation via the in-vehicle network 127, which is disconnected from the ECU-X 102, while limiting the range in which the dummy response flows to the in-vehicle networks 126 and 301, so the stability of the system can be improved.
  • FIG. 13 is a block diagram illustrating a hardware configuration of an ECU used in the vehicle-mounted security system according to the fourth embodiment.
  • the ECU 10 is provided with a processor 11, a communication control device 12, a communication interface 13, a main storage device 14, an external storage device 15, and an input / output interface 17.
  • the processor 11, the communication control device 12, the communication interface 13, the main storage device 14, the external storage device 15, and the input / output interface 17 are interconnected via an internal bus 16.
  • the main storage device 14 and the external storage device 15 are accessible from the processor 11.
  • the sensor 20, the display unit 30, and the actuator 40 are provided outside the ECU 10.
  • the sensor 20, the display unit 30, and the actuator 40 are connected to the internal bus 16 via the input / output interface 17.
  • the sensor 20 is, for example, an air flow meter that detects an air intake amount, a pressure sensor that detects an intake pipe pressure, a throttle sensor that detects a throttle opening, and a rotation speed sensor that detects an engine speed.
  • the display unit 30 displays a warning message or the like when another ECU connected via the network 19 takes over, or displays a measure that can be selected by the user.
  • the actuator 40 performs acceleration, deceleration, braking, steering, and the like of the host vehicle by operating the engine, transmission, brake, steering, and the like of the host vehicle.
  • the processor 11 is hardware that controls the operation of the entire ECU 10.
  • the main storage device 14 can be composed of, for example, a semiconductor memory such as an SRAM or a DRAM.
  • the main storage device 14 can store a program being executed by the processor 11 or provide a work area for the processor 11 to execute the program.
  • the external storage device 15 is a storage device having a large storage capacity, and is, for example, a hard disk device, SSD (Solid State Drive), or a flash memory.
  • the external storage device 15 can hold executable files of various programs and data used when executing the programs.
  • the external storage device 15 can store an attack countermeasure program 15A, scenario definition information 15B, and function level definition information 15C.
  • the attack countermeasure program 15A may be software that can be installed in the ECU 10, or may be incorporated in the ECU 10 as firmware.
  • the communication control device 12 is hardware having a function of controlling communication with the outside.
  • the communication control device 12 is connected to a network 19 via a communication interface 13.
  • a vehicle-mounted network such as CAN, FlexRay, LIN, and Ethernet can be used.
  • the processor 11 reads the attack countermeasure program 15A and the function level definition information 15C into the main storage device 14, and executes the attack countermeasure program 15A while referring to the function level definition information 15C, thereby realizing the abnormality handling process of FIG. Can be.
  • 100x, 100A, 100B sensor, 101: in-vehicle network, 102: ECU-X, 103: ECU-A, 104: ECU-B, 105: monitoring ECU, 106x, 106A, 106B: actuator, 107x, 107A, 107B, 110: scenario definition information, 108x, 108A, 108B: scenario execution result storage memory, 109x, 109A, 109B: abnormality handling processing unit, 111: scenario execution result determination processing unit, 112: determination result notification processing unit, 113A: external device , 113B: external network, 114: warning display unit
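The third-embodiment network arrangement in the list above (networks 301, 325, 126 and 127, gateways 128 and 129, with gateway 129 disconnected by the monitoring ECU once a hijack is detected), modelled in Python as an added example that is not part of the patent. Which ECUs sit on which bus, the frame fields and the payload string are assumptions constructed for the model; it checks the containment claim that, after isolation, dummy responses reach only networks 126 and 301 while ECU-X never sees the real traffic on 127.

```python
"""Constructed model of the third-embodiment topology: four independent
in-vehicle networks and two gateways (added example, not the patent's code)."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Frame:
    src: str       # sending ECU
    kind: str      # "normal" (real response) or "dummy" (response shown to ECU-X)
    payload: str   # constructed sample payload


class VehicleNetworks:
    # Assumed placement: ECU-X and the monitoring ECU sit on 301 and 325,
    # ECU-A and ECU-B on 126 and 127 (each pair is "doubly connected").
    BUSES: Dict[int, Set[str]] = {
        301: {"ECU-X", "monitoring"}, 325: {"ECU-X", "monitoring"},
        126: {"ECU-A", "ECU-B"}, 127: {"ECU-A", "ECU-B"},
    }
    GATEWAYS: Dict[int, Tuple[int, int]] = {128: (301, 126), 129: (325, 127)}

    def __init__(self) -> None:
        self.connected = {128: True, 129: True}         # gateway switch state
        self.ecu_x_hijacked = False
        self.delivered: List[Tuple[int, Frame]] = []    # (bus, frame) per delivery

    def reachable(self, start: int) -> Set[int]:
        """Buses a frame injected on `start` reaches through connected gateways."""
        seen, stack = {start}, [start]
        while stack:
            bus = stack.pop()
            for gw, (p, q) in self.GATEWAYS.items():
                if self.connected[gw] and bus in (p, q):
                    other = q if bus == p else p
                    if other not in seen:
                        seen.add(other)
                        stack.append(other)
        return seen

    def send(self, bus: int, frame: Frame) -> Set[int]:
        buses = self.reachable(bus)
        self.delivered.extend((b, frame) for b in sorted(buses))
        return buses

    def monitoring_detects_hijack(self) -> None:
        """Monitoring ECU 305: notify ECU-A/B and have gateway 129 disconnect."""
        self.ecu_x_hijacked = True
        self.connected[129] = False

    def ecu_a_respond(self, payload: str) -> Dict[str, Set[int]]:
        """ECU-A answers a request that came from ECU-X; returns kind -> buses reached."""
        if not self.ecu_x_hijacked:
            return {"normal": self.send(126, Frame("ECU-A", "normal", payload))}
        # The real result goes where ECU-X cannot listen; the dummy goes toward ECU-X.
        return {
            "normal": self.send(127, Frame("ECU-A", "normal", payload)),
            "dummy": self.send(126, Frame("ECU-A", "dummy", payload)),
        }

    def buses_seen_by(self, ecu: str, kind: str) -> Set[int]:
        """Buses to which `ecu` is attached and on which frames of `kind` were delivered."""
        return {b for b, f in self.delivered if f.kind == kind and ecu in self.BUSES[b]}


def run_demo() -> Dict[str, object]:
    net = VehicleNetworks()
    before = net.ecu_a_respond("speed=50")        # normal operation
    net.monitoring_detects_hijack()
    after = net.ecu_a_respond("speed=50")         # after isolation of ECU-X
    x_buses = {b for b, ecus in net.BUSES.items() if "ECU-X" in ecus}
    return {
        "before": before,
        "after": after,
        "x_sees_dummy": net.buses_seen_by("ECU-X", "dummy"),
        "x_sees_normal_after": after["normal"] & x_buses,
    }


if __name__ == "__main__":
    print(run_demo())
```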

Abstract

According to the present invention, even when processing for an input at the time of an attack has been executed, a response indicating that processing different from that processing was executed is returned. A monitoring ECU 105 collects, from an ECU-X 102 that is the attack target ECU, information indicating the operating state of the ECU-X 102, and judges that a takeover of the ECU-X 102 has occurred when the operating state departs by a certain degree or more from the normal operating conditions defined for the ECU-X 102. When the departure of the ECU-X 102 from its prescribed operation has been detected, an ECU-A 103 and an ECU-B 104 execute safety processing for the inputs from the ECU-X 102, while returning to the ECU-X 102 responses indicating that the processing was executed as instructed by those inputs.

Description

In-vehicle security system and attack countermeasure method
The present invention relates to an in-vehicle security system and an attack countermeasure method capable of coping with security threats such as the takeover of an in-vehicle system and the impersonation of an external device.
In recent years, the networking (wired and wireless) of in-vehicle systems has been progressing rapidly; vehicles are equipped, for example, with car navigation systems and with network functions (services) provided through a network connection from a mobile phone. With this networking of in-vehicle systems, security threats such as external hacking of the vehicle, unauthorized operation through hijacking of the in-vehicle system, and tampering with software through impersonation of an external device are increasing. Cyber security (hereinafter, security) measures for in-vehicle systems are therefore urgently needed. In particular, security measures against the threat of unauthorized operation through hijacking of an in-vehicle system are indispensable for safety as well.
Under these circumstances, the electronic control units (hereinafter, ECUs) of in-vehicle systems are increasingly equipped with an HSM (Hardware Security Module), security hardware separate from the main ECU function. An HSM implements security functions such as encryption and authentication in hardware, which places less processing load on the ECU than implementing the same functions in software. In addition, because the security functions are implemented in hardware independent of the normal system, an HSM is resistant to security threats such as software tampering and can provide a more secure function (environment) to the in-vehicle system.
However, even if a strong security function is implemented using an HSM, the security may still be breached. In particular, with a security threat such as the hijacking of an in-vehicle system, the in-vehicle system itself may not notice that it has been hijacked. Even with a strong security function, it is therefore important to assume that the security will be breached and to consider how security threats are to be detected and safety quickly secured.
Patent Document 1 proposes a technique in which a monitoring ECU provided between in-vehicle networks detects unauthorized data and suppresses its routing. For example, an ECU that monitors communication between the in-vehicle networks is provided; it monitors the communication between the networks and detects unauthorized data. When unauthorized data is detected, as suppression processing it transmits warning information to the ECUs on the network and transmits a message prohibiting the routing of the unauthorized data.
Patent Document 2 proposes a technique in which a monitoring device called a verification center monitors the in-vehicle network and detects message tampering and ECU spoofing by using an electronic signature as a verification message.
Patent documents: JP 2013-131907 A; JP 2014-138380 A.
However, when an in-vehicle system is hijacked by hacking an ECU or tampering with its software, the unauthorized operation can be performed without the ECU entering an abnormal state and without inputting or outputting an abnormal control value or an abnormal message ID, which makes detection difficult. Here, the message ID is an ID that identifies the type of a message.
Further, with the technique disclosed in Patent Document 1, an abnormality cannot be detected unless the data itself is in an unauthorized state. For example, when an ECU has been hijacked but uses normal data, the hijack cannot be detected as an unauthorized state, and appropriate handling of the abnormality is not possible. Furthermore, even if warning information is transmitted as suppression processing, it may pass through an ECU in an unauthorized state, so the processing for the warning may not be executed correctly.
With the technique disclosed in Patent Document 2, unauthorized data and external spoofing can be detected, but an abnormality in which the data itself is not unauthorized, such as the hijacking of an ECU, cannot be detected, and appropriate handling of the abnormality is not possible. Furthermore, since the network is used via the spoofed ECU, the processing for the abnormality might not be executed correctly.
Further, with the techniques disclosed in Patent Documents 1 and 2, when unauthorized data or external spoofing is detected and appropriate handling is executed against the threat, the attacker may learn that the handling was executed, which may invite a further attack on that handling or a new attack by other means.
The present invention has been made in view of the above circumstances, and its object is to provide an in-vehicle security system and an attack countermeasure method that, even when processing for an input at the time of an attack has been executed, can return a response indicating that processing different from that processing was executed.
To achieve this object, an in-vehicle security system according to a first aspect includes a first electronic control device and a second electronic control device capable of communicating with the first electronic control device, wherein the second electronic control device executes a first process for an input from the first electronic control device and returns to the first electronic control device a response indicating that a second process different from the first process has been executed for the input.
According to the present invention, even when processing for an input at the time of an attack has been executed, a response indicating that processing different from that processing was executed can be returned.
FIG. 1 is a block diagram illustrating the configuration of the in-vehicle security system according to the first embodiment.
FIG. 2 is a diagram showing a configuration example of the scenario definition information of FIG. 1.
FIG. 3 is a block diagram illustrating an operation example of the in-vehicle security system according to the first embodiment.
FIG. 4 is a flowchart illustrating the abnormality determination process of the in-vehicle security system according to the first embodiment.
FIG. 5 is a flowchart illustrating the scenario execution result determination process of the in-vehicle security system according to the first embodiment.
FIG. 6 is a block diagram illustrating the content of the abnormality handling process of the in-vehicle security system according to the first embodiment.
FIG. 7 is a flowchart illustrating the abnormality handling process of the in-vehicle security system according to the first embodiment.
FIG. 8 is a flowchart showing the function-level-high process of FIG. 7.
FIG. 9 is a flowchart showing the function-level-medium process and the function-level-low process of FIG. 7.
FIG. 10 is a block diagram illustrating the configuration of the in-vehicle security system according to the second embodiment.
FIG. 11 is a flowchart illustrating the abnormality handling process of the in-vehicle security system according to the third embodiment.
FIG. 12 is a block diagram showing the configuration of the in-vehicle security system according to the third embodiment.
FIG. 13 is a block diagram illustrating the hardware configuration of an ECU used in the in-vehicle security system according to the fourth embodiment.
Embodiments will be described with reference to the drawings. The embodiments described below do not limit the invention according to the claims, and not all of the elements and combinations described in the embodiments are necessarily essential to the solution of the invention.
FIG. 1 is a block diagram illustrating the configuration of the in-vehicle security system according to the first embodiment.
In FIG. 1, the in-vehicle security system includes an ECU-X 102, an ECU-A 103, an ECU-B 104, and a monitoring ECU 105. These can be mounted on a vehicle, in which case they can be connected to each other via an in-vehicle network 101. Examples of the in-vehicle network 101 are CAN (Controller Area Network), FlexRay, LIN (Local Interconnect Network), and Ethernet (registered trademark).
The ECU-X 102 is also connected to an external device 113A and an external network 113B. OBD (On-Board Diagnostics) or Ethernet can be used for the connection to the external device 113A. The external network 113B may be a WAN (Wide Area Network) such as the Internet, a LAN (Local Area Network) such as WiFi, or a mixture of WAN and LAN. Although FIG. 1 shows the ECU-X 102 connected to both the external device 113A and the external network 113B, it may be connected to only one of them.
Here, the ECU-X 102, which is connected to the external device 113A and the external network 113B, can be treated as the attack target ECU, exposed to takeover via the external network 113B or to attack by impersonation of the external device 113A.
The ECU-X 102, the ECU-A 103, and the ECU-B 104 electronically control on-board equipment of the vehicle. The on-board equipment is, for example, a power unit, a steering device, a braking device, or a transmission. An engine or an electric motor can be used as the power unit of the vehicle. The on-board equipment may also be headlights, power windows, door locks, electric seats, the instrument panel, and the like.
The ECU-X 102 is connected to a sensor 100x and an actuator 106x. The ECU-A 103 is connected to a sensor 100A and an actuator 106A. The ECU-B 104 is connected to a sensor 100B and an actuator 106B. The actuators 106x, 106A, and 106B are, for example, actuators for operating the accelerator, the brake, and the steering. The ECU-A 103 and the ECU-B 104 are also connected to a warning display unit 114, which displays a warning when an abnormality occurs due to a takeover via the external network 113B or impersonation of the external device 113A. For this, the ECU-A 103 and the ECU-B 104 communicate with the warning display unit 114 via a communication network that does not include the ECU-X 102 connected to the external device 113A and the external network 113B.
The monitoring ECU 105 monitors the ECU-X 102, the ECU-A 103, and the ECU-B 104 for abnormalities. The security level of the monitoring ECU 105 can be made higher than that of the ECU-X 102, the ECU-A 103, and the ECU-B 104; for example, the monitoring ECU 105 may have a security function such as an HSM, or may be kept from being directly connected to an external network.
The monitoring ECU 105 collects, via the in-vehicle network 101, information indicating the operating state of the ECU-X 102 from the ECU-X 102, which is the attack target ECU, and monitors the operating state of the ECU-X 102 on the basis of that information. When the operating state departs by a certain degree or more from the normal operating conditions defined for the ECU-X 102, the monitoring ECU 105 can judge that a takeover of the ECU-X 102 has occurred.
Furthermore, the monitoring ECU 105 collects, via the in-vehicle network 101, information indicating the operating states of the ECU-A 103 and the ECU-B 104 from those ECUs, and monitors their operating states on the basis of that information. When, for example, the operating state of the ECU-A 103 departs by a certain degree or more from the normal operating conditions defined for the ECU-A 103, the monitoring ECU 105 judges whether that departure is caused by the communication between the ECU-A 103 and the ECU-X 102. If the departure of the ECU-A 103 is caused by its communication with the ECU-X 102, the monitoring ECU 105 can judge that a takeover of the ECU-X 102 has occurred.
When it is detected that the ECU-X 102 has deviated from its predetermined operation, the ECU-A 103 and the ECU-B 104 execute a first process for the input from the ECU-X 102, and return to the ECU-X 102 a response indicating that a second process, different from the first process, has been executed for that input. The ECU-A 103 and the ECU-B 104 can obtain the detection result indicating the deviation of the ECU-X 102 from the monitoring ECU 105, or they may detect the deviation of the ECU-X 102 themselves, in which case the monitoring ECU 105 may be omitted.
The first process can be a safety process for the input from the ECU-X 102, that is, processing on the fail-safe side with respect to the instruction received at the time of an attack on the ECU-X 102. The second process can be the processing that would have been executed as instructed by the input from the ECU-X 102.
Thus, when the ECU-X 102 is attacked, the ECU-A 103 and the ECU-B 104 execute the safety process for the input from the ECU-X 102, while returning to the ECU-X 102 a response indicating that the input was executed as instructed. Even when the ECU-X 102 is attacked, the ECU-A 103 and the ECU-B 104 can thereby secure their own safety against the attack while making it appear to the attacker that the attack was executed as instructed. As a result, the attacker can be prevented from learning that safety processing was performed in response to the attack, and a further attack on that safety processing or a new attack by other means can be prevented.
When the ECU-A 103 and the ECU-B 104 return to the ECU-X 102 the response indicating execution as instructed, they may attach to the response a search program for locating the attacker. Once loaded into the ECU-X 102, the search program can identify the attacker by tracing the connection back, and can notify the ECU-A 103 and the ECU-B 104 of the information identifying the attacker.
Configuration examples of the ECU-X 102, the ECU-A 103, the ECU-B 104, and the monitoring ECU 105 are described in detail below.
In FIG. 1, the ECU-X 102 holds ECU-X scenario definition information 107x, the ECU-A 103 holds ECU-A scenario definition information 107A, and the ECU-B 104 holds ECU-B scenario definition information 107B. Each is set with function sequence information indicating the normal series of operations executed by its ECU: the ECU-X scenario definition information 107x describes the ECU-X 102, the ECU-A scenario definition information 107A the ECU-A 103, and the ECU-B scenario definition information 107B the ECU-B 104.
 機能シーケンス情報は、ECU-X102、ECU-A103およびECU-B104のそれぞれの機能を実行するための正規の処理順番、実行条件および実行タイミングを実行手順として含む。例えば、ECU-X102がアクチュエータ106xに対して“機能A”を正常に実行させる場合、ECU-X102は、処理1⇒処理4⇒処理5⇒機能Aという一連の動作を実行するものとすると、ECU-Xシナリオ定義情報107xには、機能シーケンス情報として、“処理1⇒処理4⇒処理5⇒機能Aを実行”という情報が設定される。 The function sequence information includes, as an execution procedure, a normal processing order, execution conditions, and execution timing for executing each function of the ECU-X 102, the ECU-A 103, and the ECU-B 104. For example, when the ECU-X 102 normally causes the actuator 106x to execute “function A”, the ECU-X 102 executes a series of operations of processing 1 → processing 4 → processing 5 → function A. In the -X scenario definition information 107x, information of "process 1 ⇒ process 4 ⇒ process 5 ⇒ execute function A" is set as function sequence information.
 また、機能シーケンス情報は、ECU-X102、ECU-A103およびECU-B104が機能を実行するために必要な制御値の情報や通信の情報を含むことができる。制御値の情報は、制御値の項目、制御値の変化量または範囲、制御値の上下限値および制御値の更新タイミングである。通信の情報は、通信項目、メッセージID、メッセージのデータ長、更新タイミングおよび更新頻度である。 The function sequence information may include control value information and communication information necessary for the ECU-X102, the ECU-A103, and the ECU-B104 to execute the function. The information of the control value is the item of the control value, the change amount or range of the control value, the upper and lower limit values of the control value, and the update timing of the control value. The communication information is a communication item, a message ID, a message data length, an update timing, and an update frequency.
 また、ECU-X102、ECU-A103およびECU-B104には、シナリオ実行結果格納メモリ108x、108A、108Bがそれぞれ設けられている。各シナリオ実行結果格納メモリ108x、108A、108Bには、ECU-X102、ECU-A103およびECU-B104のそれぞれ自身のECU-Xシナリオ定義情報107x、ECU-Aシナリオ定義情報107AおよびECU-Bシナリオ定義情報107Bで定義された機能シーケンスの実行結果に関する情報を格納する。さらに、各シナリオ実行結果格納メモリ108x、108A、108Bには、互いに関係するECU-X102、ECU-A103およびECU-B104のそれぞれのECU-Xシナリオ定義情報107x、ECU-Aシナリオ定義情報107AおよびECU-Bシナリオ定義情報107Bで定義された機能シーケンスの実行結果に関する情報を格納する。 The scenario execution result storage memories 108x, 108A, and 108B are provided in the ECU-X102, the ECU-A103, and the ECU-B104, respectively. In each scenario execution result storage memory 108x, 108A, 108B, ECU-X scenario definition information 107x, ECU-A scenario definition information 107A, and ECU-B scenario definition of ECU-X102, ECU-A103, and ECU-B104 respectively. The information on the execution result of the function sequence defined by the information 107B is stored. Further, each scenario execution result storage memory 108x, 108A, 108B stores ECU-X scenario definition information 107x, ECU-A scenario definition information 107A and ECU-A of ECU-X102, ECU-A103 and ECU-B104 related to each other. -B Stores information on the execution result of the function sequence defined in the scenario definition information 107B.
 例えば、シナリオ実行結果格納メモリ108xには、ECU-X102のシナリオの実行結果やタイミング、制御値の中間生成値の情報だけでなく、ECU-X102が機能を実行するために行った他のECU-A103およびECU-B104との送受信の通信データ、ECU-X102の処理に関係する他のECU-A103およびECU-B104がどのシナリオ定義情報を実行し、その際にECU-A103およびECU-B104が行った送受信の通信データなどを格納することができる。 For example, in the scenario execution result storage memory 108x, not only information on the execution result and timing of the scenario of the ECU-X102, the intermediate generation value of the control value, but also information on other ECUs executed by the ECU-X102 to execute the function are stored. Communication scenario data transmitted to and received from A103 and ECU-B104, and what scenario definition information is executed by other ECU-A103 and ECU-B104 related to the processing of ECU-X102. Communication data for transmission and reception can be stored.
 各シナリオ実行結果格納メモリ108x、108A、108Bは、ECU-X102、ECU-A103、ECU-B104および監視ECU105が共通でアクセスできるように外部の共有メモリを用いるようにしてもよい。この共有メモリは、例えば、EEPROM(Electrically Erasable Programmable Read-Only Memory)等の不揮発メモリを使用することができる。外部の共有メモリを使用できない場合は、CANやFlexRay通信等の車載ネットワーク通信を用いて、監視ECU105に全ての情報を集めるなど、ECU-X102、ECU-A103、ECU-B104および監視ECU105のうちのどれか一つのECUがまとめて情報を持つような構成としてもよい。 The scenario execution result storage memories 108x, 108A, and 108B may use an external shared memory so that the ECU-X102, the ECU-A103, the ECU-B104, and the monitoring ECU 105 can access them in common. As this shared memory, for example, a nonvolatile memory such as an EEPROM (Electrically \ Erasable \ Programmable \ Read-Only \ Memory) can be used. When the external shared memory cannot be used, all information is collected in the monitoring ECU 105 by using in-vehicle network communication such as CAN or FlexRay communication. For example, the ECU-X102, the ECU-A103, the ECU-B104, and the monitoring ECU 105 A configuration in which any one ECU collectively has information may be used.
Furthermore, ECU-X 102, ECU-A 103 and ECU-B 104 are provided with abnormality handling units 109x, 109A and 109B, respectively. When an abnormality handling unit 109x, 109A or 109B detects that a peripheral ECU has deviated from its predetermined operation, it executes safe processing for the input from that peripheral ECU on its own ECU. In addition, each abnormality handling unit 109x, 109A, 109B returns to the peripheral ECU a response indicating that the processing was executed as instructed by the input from that peripheral ECU. The abnormality handling units 109x, 109A and 109B can obtain the detection result indicating that the peripheral ECU has deviated from its predetermined operation from the monitoring ECU 105.
For example, when there is an abnormality in the execution procedure of a peripheral ECU, each abnormality handling unit 109x, 109A, 109B can re-execute the function on its own ECU using the normal execution procedure and continue operating. Toward the peripheral ECU, on the other hand, it returns a response indicating that the function was executed with the abnormal execution procedure, and it can display a warning on its own ECU.
Likewise, if a control value from a peripheral ECU is abnormal, each abnormality handling unit 109x, 109A, 109B can return the control value to its initial value and operate its own ECU with that value. Toward the peripheral ECU, it returns a response indicating that the function was executed with the abnormal control value, and it can display a warning on its own ECU.
Furthermore, if a communication item is abnormal, each abnormality handling unit 109x, 109A, 109B can shut off the corresponding communication on its own ECU. Toward the peripheral ECU, it returns a response indicating that the function was executed while the communication item was abnormal, and it can display a warning on its own ECU.
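The three handling cases above, as an added Python sketch that is not the patent's code: the `AbnormalityHandler`, `PeerInput`, `Response` and `Detection` names are hypothetical, and answering the first abnormal message before shutting off its message ID is an assumption made here.

```python
from dataclasses import dataclass
from enum import Enum, auto
from typing import List, Optional, Set, Tuple


class Detection(Enum):      # detection result obtained from the monitoring ECU 105
    NONE = auto()
    PROCEDURE = auto()      # peer ran its function with an abnormal execution procedure
    CONTROL_VALUE = auto()  # peer supplied an abnormal control value
    COMMUNICATION = auto()  # peer's communication item (ID, length, cycle) is abnormal


@dataclass(frozen=True)
class PeerInput:            # one instruction received from a peripheral ECU (hypothetical)
    src: str                # sending ECU, e.g. "ECU-X"
    msg_id: int
    control_value: int
    procedure: Tuple[str, ...]  # order in which the peer asks the function to be run


@dataclass(frozen=True)
class Response:             # what the peripheral ECU is told (hypothetical)
    to: str
    frm: str
    msg_id: int
    procedure: Tuple[str, ...]  # echoed as if it had been followed
    control_value: int          # echoed as if it had been applied


class AbnormalityHandler:
    """Abnormality handling unit 109 of one ECU (illustrative, not the patent's code)."""

    def __init__(self, own: str, normal_procedure: Tuple[str, ...], initial_value: int):
        self.own = own
        self.normal_procedure = normal_procedure
        self.initial_value = initial_value
        self.value = initial_value                 # control value actually in effect
        self.executed: List[Tuple[str, ...]] = []  # procedures actually run on this ECU
        self.blocked: Set[int] = set()             # message IDs shut off on this ECU
        self.warnings: List[str] = []              # lines for the warning display 114

    def handle(self, inp: PeerInput, detection: Detection) -> Optional[Response]:
        """Run the safe processing that matches `detection` on this ECU, then answer the
        peer as if its instruction had been carried out unchanged."""
        if inp.msg_id in self.blocked:
            return None                            # communication already shut off
        if detection is Detection.NONE:
            self.executed.append(inp.procedure)
            self.value = inp.control_value
        elif detection is Detection.PROCEDURE:
            # re-execute with the normal procedure and keep operating
            self.executed.append(self.normal_procedure)
            self.value = inp.control_value
            self.warnings.append(f"{inp.src}: abnormal execution procedure {inp.procedure}")
        elif detection is Detection.CONTROL_VALUE:
            # operate with the initial value instead of the peer's value
            self.executed.append(inp.procedure)
            self.value = self.initial_value
            self.warnings.append(f"{inp.src}: abnormal control value {inp.control_value}")
        else:
            # shut off this message ID on our side from the next message on (assumption)
            self.blocked.add(inp.msg_id)
            self.warnings.append(f"{inp.src}: abnormal communication item 0x{inp.msg_id:03X}")
        # whatever was done internally, the peer gets a reply mirroring its own instruction
        return Response(inp.src, self.own, inp.msg_id, inp.procedure, inp.control_value)
```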
The monitoring ECU 105 holds ECU-X, A, B scenario definition information 110. The ECU-X, A, B scenario definition information 110 can include the ECU-X scenario definition information 107x, the ECU-A scenario definition information 107A and the ECU-B scenario definition information 107B.
The monitoring ECU 105 is also provided with a scenario execution result determination unit 111. The scenario execution result determination unit 111 collects, from ECU-X 102, ECU-A 103 and ECU-B 104, information indicating their operation states. By comparing the ECU-X, A, B scenario definition information 110 with the information indicating the operation states of ECU-X 102, ECU-A 103 and ECU-B 104, it determines whether any of these ECUs has been hijacked from outside or manipulated illegitimately through impersonation of an external device.
As a method for the monitoring ECU 105 to acquire the information from ECU-X 102, ECU-A 103 and ECU-B 104, the information can be read from an external memory such as an EEPROM if one is present. If there is no external memory, in-vehicle network communication such as CAN or FlexRay between the monitoring ECU 105 and ECU-X 102, ECU-A 103 and ECU-B 104 can be used.
In that case, the in-vehicle network communication used for monitoring can be kept separate from ordinary in-vehicle network communication, for example by using a dedicated message for transmitting the information. The timing at which the monitoring information is acquired can be set to any timing suited to the in-vehicle system, for example the moment a specific value changes, or a moment at which abnormality processing can be executed safely if an abnormality is determined.
Furthermore, the monitoring ECU 105 is provided with a determination result notification unit 112. The determination result notification unit 112 notifies ECU-X 102, ECU-A 103 and ECU-B 104 of the determination result indicating whether the processing of ECU-X 102, ECU-A 103 and ECU-B 104 was executed according to the function sequence defined in the ECU-X, A, B scenario definition information 110.
At this time, the monitoring ECU 105 may, for example, transmit a message notifying the determination result to ECU-X 102, ECU-A 103 and ECU-B 104. Alternatively, the monitoring ECU 105 may store the determination result in a common memory accessible from ECU-X 102, ECU-A 103 and ECU-B 104.
FIG. 2 is a diagram showing a configuration example of the scenario definition information of FIG. 1.
In FIG. 2, the ECU-X scenario definition information 107x, the ECU-A scenario definition information 107A and the ECU-B scenario definition information 107B can be used by the monitoring ECU 105 to detect hijacking of ECU-X 102, ECU-A 103 or ECU-B 104, or unauthorized operation through impersonation of an external device.
Each of the ECU-X scenario definition information 107x, the ECU-A scenario definition information 107A and the ECU-B scenario definition information 107B can be broadly composed of three kinds of information: the function execution procedure 115, information 116 on important control values handled by the ECU, and information 117 on communication items with the ECU.
The function execution procedure 115 can include information indicating the order of the processes for executing a specific function, the conditions for executing the function, and the timing at which the function is executed. The information indicating the order of the processes is, for example, an execution completion flag. The condition for executing the function is, for example, status information describing when the function may be executed. The timing for executing the function is, for example, an execution cycle.
The monitoring ECU 105 can use the function execution procedure 115 to confirm that a specific function is executed by the legitimate procedure. For example, when the procedure for executing function A is "process 1 ⇒ process 3 ⇒ process 5", the function execution procedure 115 can define, as a variable, an execution completion flag that indicates the order "process 1 ⇒ process 3 ⇒ process 5". If there is a condition for executing the specific function, information such as "when the status is idle" can be defined as the execution condition. If the specific function is executed periodically, information such as "execute the function every 100 μsec" can be defined as the execution cycle information.
By defining the function execution procedure 115, the monitoring ECU 105, or another ECU that is not the monitored target, can confirm and monitor whether a function executed by the ECU or from outside is being executed under the correct conditions.
The information 116 on important control values handled by the ECU can include the items of the control values handled by ECU-X 102, ECU-A 103 and ECU-B 104 when they execute a specific function, the appropriate value for each control item when its control value changes, the amount of change (range) and the upper and lower limits, and timing information indicating when the control value is updated.
For example, a control value is a value for controlling the actuators 106x, 106A, 106B and the sensors 100x, 100A, 100B controlled by ECU-X 102, ECU-A 103 and ECU-B 104, respectively. A control value is the value of an important control item whose tampering through unauthorized operation would raise a safety problem for the in-vehicle system, for example a value that is actually output, such as a current value used for motor control or a voltage value used for battery control, or a value transmitted to another ECU.
The information 116 on important control values handled by the ECU can be composed of information that allows confirmation and monitoring from outside of whether the ECU is operating correctly. It can also include values that normally do not change unless tampered with from outside, such as software version information. The timing information indicating when the control value is updated can be composed of control value update cycle information, for example every 100 μsec.
The information 117 on communication items with each ECU is information on the communication items exchanged with each ECU and can include, for example, message IDs, communication data lengths, and the update timing and update interval of that information. It can be composed of information that can be monitored from outside, such as the communication cycle for each message ID.
By composing the ECU-X, A, B scenario definition information 110 from the three kinds of information described above, the monitoring ECU 105 can determine what it needs to monitor in order to judge whether the functions of ECU-X 102, ECU-A 103 and ECU-B 104 are operating correctly. By confirming and monitoring the information defined in the ECU-X, A, B scenario definition information 110, the monitoring ECU 105 can determine whether ECU-X 102, ECU-A 103 or ECU-B 104 has been hijacked or manipulated illegitimately through impersonation of an external device.
FIG. 3 is a block diagram showing an operation example of the in-vehicle security system according to the first embodiment. In FIG. 3, ECU-X 102 is assumed to be the attack target ECU. The example taken is one in which the monitoring ECU 105 detects that ECU-X 102 has deviated from its predetermined operation, and ECU-A 103 and ECU-B 104 process the input from ECU-X 102 based on the detection result of the monitoring ECU 105.
In FIG. 3, when ECU-X 102 is set as the attack target ECU, ECU-A 103 and ECU-B 104 each hold not only their own ECU-A scenario definition information 107A and ECU-B scenario definition information 107B but also the ECU-X scenario definition information 107x of ECU-X 102, as ECU-A, X scenario definition information 117A and ECU-B, X scenario definition information 117B respectively.
ECU-A 103 and ECU-B 104 may acquire the ECU-X scenario definition information 107x of ECU-X 102 from the monitoring ECU 105 when ECU-X 102 is set as the attack target ECU, or they may hold the ECU-X scenario definition information 107x in advance.
ECU-X 102 receives an attack from the external device 113A or the external network 113B (P1). ECU-A 103, ECU-B 104 and the monitoring ECU 105 acquire information indicating the operation state of ECU-X 102 from ECU-X 102 and record it (P2 to P4). By referring to the ECU-X scenario definition information 107x of ECU-X 102, ECU-A 103, ECU-B 104 and the monitoring ECU 105 can identify which information of the attack target ECU-X 102 they need to acquire.
Next, the monitoring ECU 105 collects information indicating the operation state of ECU-A 103 from ECU-A 103 (P5) and information indicating the operation state of ECU-B 104 from ECU-B 104 (P6). The monitoring ECU 105 then compares the ECU-X scenario definition information 107x with the information indicating the operation state of ECU-X 102 to determine whether ECU-X 102 has been hijacked from outside or manipulated illegitimately through impersonation of an external device. The monitoring ECU 105 also compares the ECU-A scenario definition information 107A with the information indicating the operation state of ECU-A 103 to determine whether ECU-A 103 has been manipulated illegitimately as a result of its communication with ECU-X 102. Furthermore, the monitoring ECU 105 compares the ECU-B scenario definition information 107B with the information indicating the operation state of ECU-B 104 to determine whether ECU-B 104 has been manipulated illegitimately as a result of its communication with ECU-X 102.
When the monitoring ECU 105 determines that ECU-X 102 has been manipulated illegitimately, or that ECU-A 103 or ECU-B 104 has been manipulated illegitimately as a result of communication with ECU-X 102, it determines that ECU-X 102 is abnormal and notifies ECU-A 103 and ECU-B 104 of the determination result (P7, P8).
On receiving the determination result that ECU-X 102 is abnormal from the monitoring ECU 105, ECU-A 103 and ECU-B 104 execute safe processing on their own ECUs for the messages, control values and other input received from ECU-X 102. ECU-A 103 and ECU-B 104 also return to ECU-X 102 a response indicating that the processing was executed exactly as the messages and control values input from ECU-X 102 instructed (P9, P10). Furthermore, ECU-A 103 and ECU-B 104 display a warning on the warning display unit 114 about the messages, control values and other input received from ECU-X 102 (P11, P12).
As a result, even when ECU-X 102 is attacked, ECU-A 103 and ECU-B 104 can secure their own safety against the attack coming through ECU-X 102 while making it appear to the attacker that the attack is being executed as instructed.
In addition, by comparing the ECU-X, A, B scenario definition information 110 with the information indicating the operation states of ECU-X 102, ECU-A 103 and ECU-B 104, an unauthorized operation of ECU-X 102 can be detected even when it does not put the ECU into an abnormal state and does not input or output an abnormal control value or an abnormal message ID. Consequently, even an in-vehicle system whose ECU-X 102, ECU-A 103, ECU-B 104 and monitoring ECU 105 have no HSM can cope with security threats such as hijacking of the in-vehicle system or impersonation of an external device.
Furthermore, in order to monitor whether ECU-X 102, which is set as the attack target, has been hijacked from outside or manipulated illegitimately through impersonation of an external device, ECU-A 103, ECU-B 104 and the monitoring ECU 105 only need to hold the ECU-X scenario definition information 107x of ECU-X 102. Therefore, even when it is difficult to add software functions, for example because the processing capacity of ECU-X 102, ECU-A 103 and ECU-B 104 is low, security against threats such as hijacking of the in-vehicle system or impersonation of an external device can be guaranteed.
Here, the monitoring ECU 105 holds not only the ECU-X scenario definition information 107x of the attack target ECU-X 102 but also the ECU-A scenario definition information 107A and the ECU-B scenario definition information 107B. This allows the monitoring ECU 105 to take into account the information of ECU-A 103 and ECU-B 104 in addition to that of the attack target ECU-X 102, and so to determine with higher accuracy whether the attack target ECU-X 102 has been hijacked or manipulated illegitimately by an external device.
For example, suppose an attacker manipulates ECU-A 103 illegitimately via ECU-X 102. In this case the monitoring ECU 105 acquires information indicating the operation state of ECU-A 103 from ECU-A 103 and compares the ECU-A scenario definition information 107A with that information, and can thereby determine whether ECU-A 103 has been manipulated illegitimately as a result of its communication with ECU-X 102.
FIG. 4 is a flowchart showing the abnormality determination processing of the in-vehicle security system according to the first embodiment.
In step S101 of FIG. 4, the monitoring ECU 105 starts the abnormality determination processing for ECU-X 102, which is set as the attack target; in step S102 it acquires information indicating the operation state of ECU-X 102 from ECU-X 102.
Next, in step S103, the monitoring ECU 105 acquires information indicating the operation state of ECU-A 103 from ECU-A 103. Then, in step S104, the monitoring ECU 105 acquires information indicating the operation state of ECU-B 104 from ECU-B 104.
Next, in step S105, the monitoring ECU 105 compares the information indicating the operation states of ECU-X 102, ECU-A 103 and ECU-B 104 acquired in steps S102 to S104 with the ECU-X, A, B scenario definition information 110. If the information indicating the operation state of any one of ECU-X 102, ECU-A 103 and ECU-B 104 acquired in steps S102 to S104 deviates from the content of the ECU-X, A, B scenario definition information 110 by a certain amount or more, the monitoring ECU 105 determines that ECU-X 102 is abnormal.
Next, in step S106, the monitoring ECU 105 notifies ECU-A 103 and ECU-B 104 of the determination result obtained in step S105. Thereafter, in step S107, the abnormality determination processing for ECU-X 102 ends.
The abnormality determination for ECU-X 102 by the monitoring ECU 105 can be executed at any timing, but it is preferably executed at a timing at which an unauthorized operation due to hijacking or impersonation of an external device can be dealt with safely. For example, it can be executed when a specific reference value changes, at the control cycle in which the function is performed, or at a timing such as the FTTI (Fault Tolerant Time Interval) of functional safety. Basically, it is desirable to execute it at a timing that has little effect on the processing load of the in-vehicle system and at which security can be guaranteed.
FIG. 5 is a flowchart showing the scenario execution result determination processing of the in-vehicle security system according to the first embodiment. The processing of FIG. 5 can be executed as the processing of step S105 in FIG. 4.
In step S201 of FIG. 5, the scenario execution result determination unit 111 starts the scenario execution result determination processing; in step S202 it confirms the execution procedure. Here, the scenario execution result determination unit 111 compares the execution procedure information recorded during operation of ECU-X 102, ECU-A 103 and ECU-B 104, acquired from those ECUs, with the function execution procedure 115 defined in the ECU-X, A, B scenario definition information 110.
The scenario execution result determination unit 111 then determines whether ECU-X 102 is abnormal by confirming whether the function of ECU-X 102 was executed according to the execution procedure registered in the function execution procedure 115 of the ECU-X scenario definition information 107x. It also determines whether ECU-X 102 is abnormal by confirming whether the function of ECU-A 103 was executed, based on the transmission data sent from ECU-X 102 to ECU-A 103, according to the execution procedure registered in the function execution procedure 115 of the ECU-A scenario definition information 107A. Furthermore, it determines whether ECU-X 102 is abnormal by confirming whether the function of ECU-B 104 was executed, based on the transmission data sent from ECU-X 102 to ECU-B 104, according to the execution procedure registered in the function execution procedure 115 of the ECU-B scenario definition information 107B.
When the execution of a function of any of ECU-X 102, ECU-A 103 and ECU-B 104 deviates by a certain amount or more from the execution procedure registered in the function execution procedure 115 of the ECU-X, A, B scenario definition information 110, the scenario execution result determination unit 111 can determine that ECU-X 102 is abnormal.
To judge whether each function of ECU-X 102, ECU-A 103 and ECU-B 104 was executed according to the execution procedure registered in the function execution procedure 115 of the ECU-X, A, B scenario definition information 110, it can be determined, for example, whether all the execution completion flags indicating executability defined in the function execution procedure 115 are present, whether the status at the time the function defined in the function execution procedure 115 was executed is correct, and whether the function is executed at the specified cycle defined in the function execution procedure 115.
Next, in step S203, the scenario execution result determination unit 111 confirms the changes of the control values. Here, the scenario execution result determination unit 111 compares the control value information recorded during operation of ECU-X 102, ECU-A 103 and ECU-B 104, acquired from those ECUs, with the information 116 on important control values handled by the ECU defined in the ECU-X, A, B scenario definition information 110, and determines whether ECU-X 102 is abnormal. Specific examples of what is compared are the control value items, the appropriate value for each control item when its control value changes, the amount of change (range) and the upper and lower limits, and the timing information indicating when the control value is updated.
When the control value information acquired from ECU-X 102 deviates by a certain amount or more from the information 116 on important control values registered in the ECU-X scenario definition information 107x, the scenario execution result determination unit 111 can determine that ECU-X 102 is abnormal. When the control value information acquired from ECU-A 103 deviates by a certain amount or more from the information 116 on important control values registered in the ECU-A scenario definition information 107A, and that deviation is caused by transmission data sent from ECU-X 102 to ECU-A 103, it can likewise determine that ECU-X 102 is abnormal. Furthermore, when the control value information acquired from ECU-B 104 deviates by a certain amount or more from the information 116 on important control values registered in the ECU-B scenario definition information 107B, and that deviation is caused by transmission data sent from ECU-X 102 to ECU-B 104, it can determine that ECU-X 102 is abnormal.
In the comparison of control value information, it can be determined, for example, whether each value specified in the information 116 on important control values of the ECU-X scenario definition information 107x matches the actual control value of ECU-X 102, whether a control value of ECU-X 102 has remained stuck at its upper limit for a certain period, and whether the amount of change of a control value of ECU-X 102 is appropriate.
Specifically, when a control value of ECU-X 102 normally increases by 10 each time, it can be determined whether the value is in fact increasing in that way; and for a control value that is updated once every two cycles, it can be determined whether the value is being updated at the specified cycle.
Next, in step S204, the scenario execution result determination unit 111 confirms the changes of the communication items. Here, the scenario execution result determination unit 111 compares the content of the communication items of ECU-X 102, acquired from ECU-X 102, ECU-A 103 and ECU-B 104, with the information 117 on communication items with each ECU defined in the ECU-X, A, B scenario definition information 110, and determines whether ECU-X 102 is abnormal.
When the content of the communication items of ECU-X 102 acquired from ECU-X 102, ECU-A 103 and ECU-B 104 deviates by a certain amount or more from the information 117 on communication items with each ECU registered in the ECU-X, A, B scenario definition information 110, the scenario execution result determination unit 111 can determine that ECU-X 102 is abnormal.
 通信項目の情報の比較では、例えば、特定のメッセージIDの通信回数が増えていないか、同じデータが続いていないか、データ長は適切か、指定の周期で通信を実施しているかなどを判定する。 In the comparison of the information of the communication items, for example, it is determined whether the number of times of communication of a specific message ID has not increased, whether the same data has continued, whether the data length is appropriate, whether communication is performed at a specified cycle, and the like. I do.
 次に、ステップS205において、シナリオ実行結果判定処理部111は、ステップSS202~ステップS204で確認した結果に異常がないか判定する。もし、異常がある場合は、ステップS206において、異常判定結果を格納する。ステップS202~ステップS204の確認で異常がない場合は、ステップS207でシナリオ実行結果判定処理を終了する。 Next, in step S205, the scenario execution result determination processing unit 111 determines whether there is any abnormality in the results confirmed in steps SS202 to S204. If there is an abnormality, an abnormality determination result is stored in step S206. If there is no abnormality in the confirmation in steps S202 to S204, the scenario execution result determination processing ends in step S207.
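The checks of steps S203 to S205, written out as an added example that is not part of the patent: a control value is compared against its expected range, step and update period, and a message ID against its expected count, payload repetition, data length and cycle. The record layout, spec fields, message ID 0x100 and all sample values are constructed assumptions for this example.

```python
"""Scenario execution result check (steps S203 to S205), added example.

Illustrative code, not the patent's implementation. The record layout
(msg_id, data, t), the spec fields and all sample values are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ControlValueSpec:
    """Expectation for one control value (the 'important control value' information 116)."""
    lower: float
    upper: float
    step: Optional[float] = None   # expected change per update, None if not fixed
    period: int = 1                # value is updated once every `period` cycles
    stuck_limit: int = 3           # this many consecutive samples at a limit is suspicious


@dataclass(frozen=True)
class CommSpec:
    """Expectation for one message ID (the 'communication item' information 117)."""
    dlc: int                       # expected data length
    cycle_ms: int                  # expected transmission cycle
    max_count: int                 # maximum frames allowed in the observed window
    tolerance_ms: int = 2          # allowed jitter of the cycle
    max_repeat: int = 3            # identical payloads allowed in a row


def check_control_values(samples: List[float], spec: ControlValueSpec) -> List[str]:
    """Step S203: range, stuck-at-limit, update timing and amount of change."""
    findings: List[str] = []
    at_bound = 0
    for i, v in enumerate(samples):
        if not spec.lower <= v <= spec.upper:
            findings.append(f"sample {i}: {v} outside [{spec.lower}, {spec.upper}]")
        at_bound = at_bound + 1 if v in (spec.lower, spec.upper) else 0
        if at_bound == spec.stuck_limit:
            findings.append(f"sample {i}: stuck at a limit for {spec.stuck_limit} samples")
        if i == 0:
            continue
        if i % spec.period:
            # inside an update period the value must not move
            if v != samples[i - 1]:
                findings.append(f"sample {i}: updated off-cycle (period {spec.period})")
        elif spec.step is not None:
            delta = v - samples[i - spec.period]
            if delta != spec.step:
                findings.append(f"sample {i}: change {delta} != expected step {spec.step}")
    return findings


def check_comm_items(frames: List[dict], specs: Dict[int, CommSpec]) -> List[str]:
    """Step S204: message count, repeated payloads, data length, transmission cycle."""
    findings: List[str] = []
    by_id: Dict[int, List[dict]] = {}
    for f in frames:
        by_id.setdefault(f["msg_id"], []).append(f)
    for msg_id, fs in sorted(by_id.items()):
        spec = specs.get(msg_id)
        if spec is None:
            findings.append(f"0x{msg_id:03X}: unexpected message ID")
            continue
        if len(fs) > spec.max_count:
            findings.append(f"0x{msg_id:03X}: {len(fs)} frames, more than {spec.max_count}")
        bad_dlc = sum(1 for f in fs if len(f["data"]) != spec.dlc)
        if bad_dlc:
            findings.append(f"0x{msg_id:03X}: {bad_dlc} frames with data length != {spec.dlc}")
        repeats, longest, bad_gap = 1, 1, 0
        for prev, cur in zip(fs, fs[1:]):
            repeats = repeats + 1 if cur["data"] == prev["data"] else 1
            longest = max(longest, repeats)
            if abs(cur["t"] - prev["t"] - spec.cycle_ms) > spec.tolerance_ms:
                bad_gap += 1
        if longest > spec.max_repeat:
            findings.append(f"0x{msg_id:03X}: same payload {longest} times in a row")
        if bad_gap:
            findings.append(f"0x{msg_id:03X}: {bad_gap} gaps outside {spec.cycle_ms}+/-{spec.tolerance_ms} ms")
    return findings


def judge_scenario(samples, value_spec, frames, comm_specs) -> List[str]:
    """Step S205: the abnormality determination result is the union of both checks."""
    return check_control_values(samples, value_spec) + check_comm_items(frames, comm_specs)


# Constructed sample data: a control value that normally rises by 10 per cycle
# within [0, 200], and one message ID (0x100) that is sent every 10 ms.
SPEED_SPEC = ControlValueSpec(lower=0, upper=200, step=10)
COMM_SPECS = {0x100: CommSpec(dlc=8, cycle_ms=10, max_count=6)}

NORMAL_SPEED = [10, 20, 30, 40, 50]
NORMAL_FRAMES = [{"msg_id": 0x100, "t": 10 * i, "data": bytes([i] * 8)} for i in range(5)]

# Tampered run: the value jumps to the upper limit and sticks there, while the
# message is sent at twice its cycle with an unchanging payload.
TAMPERED_SPEED = [10, 20, 200, 200, 200]
FLOOD_FRAMES = [{"msg_id": 0x100, "t": 5 * i, "data": b"\xff" * 8} for i in range(10)]

if __name__ == "__main__":
    print("normal:", judge_scenario(NORMAL_SPEED, SPEED_SPEC, NORMAL_FRAMES, COMM_SPECS))
    for line in judge_scenario(TAMPERED_SPEED, SPEED_SPEC, FLOOD_FRAMES, COMM_SPECS):
        print("tampered:", line)
```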
When the ECU-A 103 and the ECU-B 104 receive from the monitoring ECU 105 the determination result obtained in step S105 of FIG. 4, the abnormality handling processing units 109A and 109B of FIG. 1 execute the abnormality handling process 109 of FIG. 6.
FIG. 6 is a block diagram showing the content of the abnormality handling process of the in-vehicle security system according to the first embodiment.
In FIG. 6, the abnormality handling process 109 comprises an ECU status determination process 120, function level definition information 121, a per-function-level handling process 122, a warning display process 123 and a dummy response process 124.
The ECU status determination process 120 checks the abnormality determination result for the ECU-X 102 notified by the monitoring ECU 105. For example, it checks a flag indicating whether the ECU-X 102 on the in-vehicle network 101 is normal or abnormal. The abnormality handling processing units 109A and 109B then perform regular processing if the status is normal, and processing appropriate to the abnormality if it is abnormal.
The function level definition information 121 classifies the functions of the ECU-A 103 and the ECU-B 104 into categories based on processing intervals such as the execution cycle of each function. If an abnormality arises and the ECU-A 103 and the ECU-B 104 were to execute abnormality handling for every one of their functions, their processing load would increase and the ideal abnormality handling might not be possible for the important functions.
Therefore, by defining in the function level definition information 121 a function level based on processing intervals such as the execution cycle of each function, the ECU-A 103 and the ECU-B 104 can make effective use of the time available before abnormality handling. For example, functions with a short processing cycle, such as motor speed control and high-voltage control, are assigned a high function level. Functions whose processing cycle is longer than that of the high-level functions, such as battery charging, are assigned a medium function level. Functions whose processing cycle is longer than that of the medium-level functions, such as wiper and window operation, are assigned a low function level. The function level definition information 121 defines this function information as a database.
In addition, functions of the ECU-A 103 and the ECU-B 104 for which an abnormality would have a large safety impact can be defined with a function level higher than the one their execution cycle alone would give, even if their execution cycle is long. Criteria other than the execution cycle or the importance of the function may also be used to define the function level.
The per-function-level handling process 122 executes processing matched to the function level defined in the function level definition information 121. For example, for high-level processing there is little time to spare for dealing with the abnormality, so the process uses an initial value or the previous value and executes with priority on processing time. For medium- and low-level processing, the data transmitted from the ECU-X 102 is checked and, if there is no problem with the data, normal processing is performed; the abnormality handling is chosen so that it does not increase the processing load. The difference between medium- and low-level handling can be created by using different thresholds in the check of the data transmitted from the ECU-X 102. As an example of such a threshold, for medium-level processing the original value range might be 1 to 10, but normal processing is only allowed for values in an intermediate range such as 3 to 7, that is, values that are neither at the upper nor at the lower limit and with which operation is certain to be safe.
The warning display process 123 executes the warning display on the ECU-A 103 and the ECU-B 104, which are not connected to the external device 113A or the external network 113B and therefore have a low risk of external device spoofing or external takeover. Because the ECU-A 103 and the ECU-B 104, which actually execute the control, run the warning display process 123 directly, the warning can be displayed without going through the ECU-X 102 that has been put into an abnormal state by external device spoofing or external takeover. Further, the warning display process 123 uses only output from the ECU-A 103 and the ECU-B 104 and accepts no external input, which keeps the risk of external device spoofing or external takeover low.
The dummy response process 124 returns to the ECU-X 102, in response to data transmitted from an ECU-X 102 in an abnormal state such as external device spoofing or external takeover, a response (called a dummy response) that looks as if the ECU-A 103 and the ECU-B 104 had executed their functions or processing using the transmitted data. For example, suppose that for a function the ECU-A 103 normally executes with a data value of 10, the ECU-X 102 sends the ECU-A 103 a data value of 15. The ECU-A 103 internally executes the function with the data value 10, but in its response to the ECU-X 102 it returns a reply that makes it appear the function was executed with the data value 15.
In this way, against an attack on the ECU-X 102, the in-vehicle system can escape the attacker's control while leaving the attacker with the impression that the system is under their control. This prevents the further attack, or a new attack by other means, that an attacker would mount after a failed attack, and in the meantime buys time to execute the processing needed to bring the in-vehicle system into a safe state.
FIG. 7 is a flowchart showing the abnormality handling process of the in-vehicle security system according to the first embodiment.
In step S301 of FIG. 7, the ECU-A 103 and the ECU-B 104 start the abnormality handling process, and in step S302 they acquire the message data transmitted from the ECU-X 102. At this time, the ECU-A 103 and the ECU-B 104 acquire, from the input from the ECU-X 102, the data needed to execute their functions. They may, for example, take the data from a message buffer, obtain it through a data exchange interface function, or read it from a global memory.
Next, in step S303, the ECU-A 103 and the ECU-B 104 determine the status of the ECU-X 102, the sender of the message data acquired in step S302, based on the determination result notified by the monitoring ECU 105 in step S106 of FIG. 4. For example, they obtain the state of the ECU-X 102 from a message indicating that state sent by the monitoring ECU 105, or from a shared memory in which the status of the ECU-X 102 is stored, and determine from that state whether the ECU-X 102 is normal or abnormal.
If the determination in step S303 is a normal state, the flow proceeds to step S304 and normal processing is executed. If, on the other hand, the determination in step S303 is an abnormal state, that is, the ECU-X 102 is subject to external device spoofing or external takeover, the flow proceeds to step S305, where the function level of the function to be executed by the ECU-A 103 and the ECU-B 104 is determined.
Next, the ECU-A 103 and the ECU-B 104 execute processing matched to the function level determined in step S305. That is, when the function level is high, high-level processing is executed in step S306; when it is medium, medium-level processing is executed in step S307; and when it is low, low-level processing is executed in step S308.
For example, if the control to be executed this time is motor speed control, it is determined to which function level motor speed control belongs. If motor speed control is defined as a high function level, high-level processing is executed.
Next, in step S309, the ECU-A 103 and the ECU-B 104 display a warning to the user as necessary. For example, the user may be notified of the details of the abnormality so that the user can choose a countermeasure, or a warning lamp may be lit or a message shown on a display for each abnormality that occurs, prompting the user to respond.
Next, in step S310, the ECU-A 103 and the ECU-B 104 create dummy response data that makes it appear the function was executed using the data specified by the attacker. For example, if a data value of 15 is sent from the ECU-X 102 for a function that is normally executed with a data value of 10, the ECU-A 103 and the ECU-B 104 internally execute the function with the data value 10 but create, for the response message, dummy response data indicating that it was executed with the data value 15.
Next, in step S311, the ECU-A 103 and the ECU-B 104 return to the ECU-X 102 the response created according to the normal or abnormal state of the ECU-X 102, and the abnormality handling process ends in step S312. To return the response to the ECU-X 102, the protocol or an interface function of the in-vehicle network 101 can be used, for example.
FIG. 8 is a flowchart showing the high-function-level processing of FIG. 7.
In step S401 of FIG. 8, the ECU-A 103 and the ECU-B 104 start the high-function-level processing, and in step S402 they execute safety processing. In the safety processing, countermeasures can be executed that invalidate a data value sent through unauthorized operation by external takeover or external device spoofing. For example, the function can be re-executed by the proper procedure, the control value or the acquired data value can be reset to its initial value and operation continued, or a value that poses no operational problem (such as an intermediate value) can be set and operation continued. After the safety processing of S402 has been executed, the high-function-level processing ends in step S403.
Since high-level functions have short execution cycles and many of them are important, the processing should be kept simple so that the processing time is short, and it should use data values with which the processing can be executed safely and reliably.
FIG. 9 is a flowchart showing the medium-function-level processing and the low-function-level processing of FIG. 7.
In step S501 of FIG. 9, the ECU-A 103 and the ECU-B 104 start the medium- or low-function-level processing, and in step S502 they check the data they are going to use. If the values of the data used by the ECU-A 103 and the ECU-B 104 are within the proper range and show no abnormality, normal processing is executed in step S503. If, on the other hand, the values are outside the proper range or abnormal, safety processing is executed in step S504. After the normal processing of step S503 or the safety processing of step S504 has been executed, the medium- or low-function-level processing ends in step S505.
The medium- and low-function-level processing basically follow the same flow, but the thresholds of the judgment values used in the check of the data in step S502 differ. For example, medium-level processing may allow a deviation of up to ±5 in the data value, while low-level processing may allow up to ±10. Alternatively, the same threshold as for the normal abnormality determination may be used, with a difference made only in the judgment values. By differentiating the judgment criteria according to the function level, the time until safety processing is secured, and safety processing for high-priority functions with short processing cycles can be executed preferentially.
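The branching of FIGS. 7 to 9 together with the dummy response of step S310, as an added example that is not the patent's own code: a high-level function runs on its previous value without checking, medium- and low-level functions run on the received value only if it is within their tolerance (±5 and ±10 here, as in the text) and otherwise fall back to a known-safe value, and in every abnormal case the reply to ECU-X echoes the received value. The function names, nominal values and the level table are constructed assumptions.

```python
"""Per-function-level abnormality handling with dummy response (FIGS. 6 to 9),
added example. Illustrative code, not the patent's implementation; the function
names, nominal values and tolerances are constructed assumptions.
"""
from dataclasses import dataclass
from enum import Enum


class Level(Enum):
    HIGH = "high"    # short processing cycle, e.g. motor speed control
    MID = "mid"      # e.g. battery charging
    LOW = "low"      # e.g. wiper or window operation


@dataclass(frozen=True)
class FunctionDef:
    """One row of the function level definition information 121 (constructed)."""
    name: str
    level: Level
    nominal: float     # value the function normally runs with; also the safe fallback
    tolerance: float   # allowed |received - nominal| in the MID/LOW data check (S502)


# Constructed function level table; the +/-5 and +/-10 tolerances follow the text.
FUNCTION_LEVELS = {
    "motor_speed": FunctionDef("motor_speed", Level.HIGH, nominal=10, tolerance=0),
    "battery_charge": FunctionDef("battery_charge", Level.MID, nominal=10, tolerance=5),
    "wiper": FunctionDef("wiper", Level.LOW, nominal=10, tolerance=10),
}


@dataclass(frozen=True)
class Outcome:
    used_value: float       # the value the receiving ECU actually executed with
    response_value: float   # the value reported back to ECU-X
    path: str               # which branch of FIG. 7 was taken
    warn: bool              # whether a warning is shown to the user (S309)


def handle_message(func_name: str, received: float, ecu_x_abnormal: bool,
                   previous_value: float) -> Outcome:
    """Steps S303 to S311 for one message received from ECU-X."""
    fdef = FUNCTION_LEVELS[func_name]
    if not ecu_x_abnormal:
        # S304: ECU-X is normal, run with the received value and answer honestly
        return Outcome(received, received, "S304 normal", warn=False)
    if fdef.level is Level.HIGH:
        # FIG. 8 (S402): no time to validate, keep running on the previous value
        used, path = previous_value, "S306 high: previous value"
    elif abs(received - fdef.nominal) <= fdef.tolerance:
        # FIG. 9 (S503): within this level's tolerance, treat as normal data
        used, path = received, f"{fdef.level.value}: normal processing"
    else:
        # FIG. 9 (S504): out of range, fall back to a known-safe value
        used, path = fdef.nominal, f"{fdef.level.value}: safety processing"
    # S310/S311: the dummy response echoes the received value, so the gap between
    # what was requested and what was actually executed is not visible to ECU-X
    return Outcome(used, received, path, warn=True)


if __name__ == "__main__":
    for name, value in (("motor_speed", 15), ("battery_charge", 17), ("wiper", 17)):
        print(handle_message(name, value, ecu_x_abnormal=True, previous_value=10))
```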
In the first embodiment described above, the monitoring ECU 105 acquires information from the ECU-X 102, the ECU-A 103 and the ECU-B 104 in order to determine the state of the ECU-X 102. However, the information may be acquired from the ECU-X 102 only, from the ECU-A 103 only, from the ECU-B 104 only, or from the ECU-A 103 and the ECU-B 104. Alternatively, information may be acquired not only from the ECU-X 102, the ECU-A 103 and the ECU-B 104 but from a larger number of ECUs in order to determine an abnormality of the ECU-X 102. The more information is acquired from ECUs, the more accurately unauthorized operation by external takeover or external device spoofing can be determined.
Also, in the first embodiment described above, the monitoring ECU 105 determines an abnormality of the ECU-X 102 and notifies the ECU-A 103 and the ECU-B 104 of the result. However, the functions of the monitoring ECU 105 may instead be built into the ECU-A 103 or the ECU-B 104 so that the ECU-A 103 or the ECU-B 104 determines the abnormality of the ECU-X 102, in which case the monitoring ECU 105 can be omitted. When the monitoring ECU 105 is omitted, the abnormality of the ECU-X 102 may be determined using information from a plurality of ECUs. In that case, the ECU-X 102 may be determined to be abnormal if even one ECU has determined an abnormality, only when all ECUs have determined an abnormality, or by a majority vote among the plurality of ECUs.
As described above, according to the first embodiment, on an in-vehicle system in which a plurality of ECUs are connected via an in-vehicle network, against security threats such as external takeover of the in-vehicle system or unauthorized operation by external device spoofing in which control is performed with normal control values and would not be judged an operational abnormality, it is possible to detect the unauthorized operation by external takeover or external device spoofing, to keep the attacker from learning how that unauthorized operation is being handled, and thereby to secure time to operate the in-vehicle system safely against the attacker's attack.
A second embodiment, which has a backup in-vehicle network that is not connected to the outside in addition to the normal in-vehicle network, is described below. The methods of detecting and dealing with an abnormality can use the same mechanism as in the first embodiment.
FIG. 10 is a block diagram showing the configuration of the in-vehicle security system according to the second embodiment.
The configuration of FIG. 10 has an ECU-A 203, an ECU-B 204 and a monitoring ECU 205 in place of the ECU-A 103, the ECU-B 104 and the monitoring ECU 105 of FIG. 3. In addition to the in-vehicle network 101 of FIG. 3, the configuration of FIG. 10 has a backup in-vehicle network 125 (hereinafter, the backup network) that is not connected to the external device 113A or the external network 113B.
The backup network 125 includes only the ECU-A 203, the ECU-B 204 and the monitoring ECU 205, which are not connected to the external device 113A or the external network 113B, and does not include the ECU-X 102, which is connected to them. The backup network 125 is therefore a secure in-vehicle network with a low risk of external device spoofing or external takeover.
When the ECU-X 102 has no abnormality, the ECU-A 203, the ECU-B 204 and the monitoring ECU 205 can communicate over the in-vehicle network 101. When the ECU-X 102 is abnormal, they can communicate with the ECU-X 102 over the in-vehicle network 101 and communicate among themselves over the backup network 125. In all other respects the ECU-A 203, the ECU-B 204 and the monitoring ECU 205 are the same as the ECU-A 103, the ECU-B 104 and the monitoring ECU 105.
For example, when the ECU-X 102 has been subjected to external device spoofing or external takeover, the ECU-A 203, the ECU-B 204 and the monitoring ECU 205 can always send dummy responses on the in-vehicle network 101 to which the abnormal ECU-X 102 is connected, and send normal data only on the backup network 125. Providing an independent backup network 125 that is free from external threats in this way prevents illegitimate data and normal data from being mixed in the communication data and allows secure communication. It also reduces the risk of exposure to threats from illegitimate data and reduces the processing load.
 図11は、第3実施形態に係る車載セキュリティシステムの異常対応処理を示すフローチャートである。
 図11のステップS601において、ECU-A203およびECU-B204は、異常対応処理を開始すると、ステップS602において、ECU-X102から送信されたメッセージデータを取得する。この時、ECU-A203およびECU-B204は、ECU-X102からの入力に対し、ECU-A203およびECU-B204の機能の実行に必要なデータを取得する。
FIG. 11 is a flowchart illustrating an abnormality handling process of the vehicle-mounted security system according to the third embodiment.
When the ECU-A 203 and the ECU-B 204 start the abnormality handling process in step S601 in FIG. 11, in step S602, the ECU-A 203 and the ECU-B 204 acquire the message data transmitted from the ECU-X. At this time, the ECU-A 203 and the ECU-B 204 acquire data necessary for executing the functions of the ECU-A 203 and the ECU-B 204 in response to the input from the ECU-X 102.
 次に、ステップS603において、ECU-A103およびECU-B104は、監視ECU205から通知された判定結果に基づいて、ステップS602で取得したメッセージデータの送信元のECU-X102のステータスを判定する。 Next, in step S603, the ECU-A 103 and the ECU-B 104 determine the status of the transmission source of the message data acquired in step S602, based on the determination result notified from the monitoring ECU 205.
 ステップS603の判定結果が正常状態の場合、ステップS604に進み、通常処理を実行する。一方、ステップS603の判定結果が異常状態である場合、ステップS605に進み、ECU-A203およびECU-B204が実行する機能の機能レベルを判定する。 (4) If the result of the determination in step S603 is a normal state, the flow proceeds to step S604, and normal processing is executed. On the other hand, if the result of the determination in step S603 is an abnormal state, the flow advances to step S605 to determine the function levels of the functions executed by the ECU-A 203 and the ECU-B 204.
 Next, ECU-A 203 and ECU-B 204 execute processing according to the function level determined in step S605. That is, when the determination result is "function level high", the high-function-level processing is executed in step S606. When the result is "function level medium", the medium-function-level processing is executed in step S607. When the result is "function level low", the low-function-level processing is executed in step S608.
 Next, in step S609, ECU-A 203 and ECU-B 204 display a warning to the user as necessary. At this time, for example, the user may be notified of the content of the abnormality so that the user can select a countermeasure. Alternatively, a warning lamp may be lit or a message shown on a display for each abnormality that occurs, prompting the user to respond.
 Next, in step S610, ECU-A 203 and ECU-B 204 execute, via the backup network 125, communication processing that transmits or receives the values needed for the per-function-level handling determined in step S605.
 Next, in step S611, ECU-A 203 and ECU-B 204 create dummy response data that makes it appear as though the function was executed using the data specified by the attacker.
 Next, in step S612, ECU-A 203 and ECU-B 204 return to ECU-X 102 the response created according to whether ECU-X 102 is in the normal state or the abnormal state, and the abnormality handling process ends in step S613. When returning the response to ECU-X 102, for example, the protocol or interface functions of the in-vehicle network 101 can be used.
 As described above, according to the second embodiment, in an in-vehicle system in which a plurality of ECUs are connected via an in-vehicle network, against security threats such as hijacking of the in-vehicle system from outside or unauthorized operation through impersonation of an external device, in which the system is driven with normal control values and is therefore not judged to be an operational abnormality, the unauthorized operation by external hijacking or impersonation is detected and the handling of that unauthorized operation is kept hidden from the attacker. This not only secures time for the in-vehicle system to operate safely but also, by using an independent network to which the hijacked ECU is not connected, realizes secure communication in which unauthorized data and normal data are not mixed.
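The handling flow of steps S605 to S612, as an added example in Python that is not code from the patent or from Hitachi Automotive Systems. It models one control ECU (ECU-A) that receives requests from ECU-X, is told by the monitoring ECU that ECU-X is abnormal, executes a fail-safe first process selected by an assumed function-level table, puts the values it actually applied on a backup network, and answers ECU-X with a dummy response that echoes the attacker's requested value as if it had been applied. The function names, the level table, the three fail-safe rules (hold the last validated value, clamp into a safe envelope, drop the request) and the request sequence are assumptions made for the example; the patent does not specify them.

```python
"""Added example (not the patent's code): deceptive fail-safe handling.

ECU names, the function level table, the fail-safe rules and the sample
requests are assumptions made for this example.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Assumed function level definition information (cf. claim 5: a level is
# defined by processing cycle or content). function -> (cycle ms, level, safe range)
FUNCTION_LEVELS = {
    "throttle_pct": (10, "high", (0.0, 100.0)),
    "steer_deg": (10, "high", (-30.0, 30.0)),
    "cabin_temp_c": (1000, "medium", (16.0, 28.0)),
    "dash_msg": (5000, "low", None),
}


@dataclass
class Request:
    src: str        # requesting ECU (ECU-X in the description)
    function: str
    value: float
    seq: int


@dataclass
class Response:
    dst: str
    function: str
    applied: float  # value the response claims was applied
    seq: int


@dataclass
class ControlECU:
    """ECU-A / ECU-B: runs the real (first) process, but answers a compromised
    requester with a response that looks like the requested (second) process."""
    name: str
    last_good: dict = field(default_factory=dict)
    compromised: set = field(default_factory=set)   # filled by the monitoring ECU
    backup_net: list = field(default_factory=list)  # frames sent on the backup network
    alerts: list = field(default_factory=list)      # S609 warnings

    def notify_detection(self, ecu: str, abnormal: bool) -> None:
        """Judgement received from the monitoring ECU (input to S605)."""
        if abnormal:
            self.compromised.add(ecu)
        else:
            self.compromised.discard(ecu)

    def _safe_process(self, req: Request) -> float | None:
        """First process (S606-S608): one assumed rule per function level."""
        _, level, rng = FUNCTION_LEVELS[req.function]
        if level == "high":     # hold the last validated value; attacker input never actuates
            return self.last_good.get(req.function, 0.0)
        if level == "medium":   # clamp the requested value into the safe envelope
            lo, hi = rng
            return min(max(req.value, lo), hi)
        return None             # low: drop the request, nothing is actuated

    def handle(self, req: Request) -> tuple[Response, float | None]:
        """Returns (response sent back to req.src, value actually actuated)."""
        if req.src not in self.compromised:
            self.last_good[req.function] = req.value
            return Response(req.src, req.function, req.value, req.seq), req.value
        actual = self._safe_process(req)
        self.alerts.append(f"{req.src} abnormal: {req.function}={req.value}")  # S609
        if actual is not None:                                                 # S610
            self.backup_net.append((self.name, req.function, actual))
        # S611/S612: dummy response echoing the attacker's value and sequence number
        return Response(req.src, req.function, req.value, req.seq), actual


def run_scenario() -> dict:
    """Constructed sequence: valid traffic, then ECU-X is flagged, then attack."""
    ecu_a = ControlECU("ECU-A")
    r0, a0 = ecu_a.handle(Request("ECU-X", "throttle_pct", 20.0, 1))  # normal, recorded
    ecu_a.handle(Request("ECU-X", "cabin_temp_c", 22.0, 2))
    ecu_a.notify_detection("ECU-X", abnormal=True)
    r1, a1 = ecu_a.handle(Request("ECU-X", "throttle_pct", 100.0, 3))
    r2, a2 = ecu_a.handle(Request("ECU-X", "cabin_temp_c", 60.0, 4))
    r3, a3 = ecu_a.handle(Request("ECU-X", "dash_msg", 1.0, 5))
    return {
        "normal": (r0.applied, a0),
        "throttle": (r1.applied, a1),
        "temp": (r2.applied, a2),
        "dash": (r3.applied, a3),
        "backup": list(ecu_a.backup_net),
        "alerts": len(ecu_a.alerts),
    }


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(k, v)
```

The point the model makes is that actuation and acknowledgement are decoupled once the requester is flagged: the response carries the attacker's own value and sequence number, while the value that actually reached the actuator travels only on the backup network. On a real bus the dummy frame also has to match the genuine frame in format and timing; a reply that arrives later than the normal processing cycle, or that lacks a field the genuine reply carries, tells the attacker the request was not executed.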
 FIG. 12 is a block diagram showing the configuration of the in-vehicle security system according to the third embodiment.
 In the configuration of FIG. 12, ECU-A 303, ECU-B 304 and monitoring ECU 305 are provided instead of ECU-A 103, ECU-B 104 and monitoring ECU 105 of FIG. 3. Also, in the configuration of FIG. 12, in-vehicle networks 126, 127, 301 and 325 and gateways 128 and 129 are provided instead of in-vehicle network 101 of FIG. 3.
 In-vehicle networks 126, 127, 301 and 325 are each provided independently. ECU-X 102 and monitoring ECU 305 are connected redundantly via in-vehicle networks 301 and 325 respectively. ECU-A 303 and ECU-B 304 are connected redundantly via in-vehicle networks 126 and 127 respectively. In-vehicle networks 301 and 126 are connected via gateway 128. In-vehicle networks 325 and 127 are connected via gateway 129.
 Monitoring ECU 305 controls the switching of gateways 128 and 129. When ECU-X 102 is not abnormal, ECU-A 303 and ECU-B 304 communicate via in-vehicle network 126; when ECU-X 102 is abnormal, they communicate with ECU-X 102 and monitoring ECU 305 via in-vehicle network 126 and communicate with each other via in-vehicle network 127. The other configurations of ECU-A 303, ECU-B 304 and monitoring ECU 305 are the same as those of ECU-A 103, ECU-B 104 and monitoring ECU 105.
 When ECU-X 102 is not abnormal, ECU-X 102, ECU-A 303, ECU-B 304 and monitoring ECU 305 communicate via in-vehicle networks 301 and 126. When monitoring ECU 305 detects that ECU-X 102 has been hijacked, monitoring ECU 305 notifies ECU-A 303 and ECU-B 304 that the connection between in-vehicle networks 127 and 325 is to be disconnected. Monitoring ECU 305 also instructs gateway 129 to disconnect the connection between in-vehicle networks 127 and 325. ECU-A 303 and ECU-B 304, having received the notification from monitoring ECU 305, return normal responses onto in-vehicle network 127 and return the dummy responses intended for ECU-X 102 onto in-vehicle network 126.
 This allows ECU-A 303 and ECU-B 304 to continue normal operation via in-vehicle network 127, which has been disconnected from ECU-X 102, while confining the range over which dummy responses flow to in-vehicle networks 126 and 301, which improves the stability of the system.
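The dual-network layout of the third embodiment, as an added example in Python that is not code from the patent or from Hitachi Automotive Systems. It models the four networks and two gateways as a small graph and checks which ECUs can observe a frame sent on a given network before and after monitoring ECU 305 has gateway 129 cut the link between networks 127 and 325. Network and gateway numbers follow the description; the ECU name "ECU-305" for the monitoring ECU and the assumption that the gateway is cut before ECU-A and ECU-B send their first genuine response on network 127 are choices made for the example.

```python
"""Added example (not the patent's code): reachability model of the
third-embodiment networks 126/127/301/325 and gateways 128/129."""
from collections import deque


class VehicleNetworks:
    """Networks are nodes; gateways are switchable edges between two networks."""

    def __init__(self) -> None:
        # ECU attachment per the description (monitoring ECU named "ECU-305" here)
        self.members = {
            "301": {"ECU-X", "ECU-305"},
            "325": {"ECU-X", "ECU-305"},
            "126": {"ECU-A", "ECU-B"},
            "127": {"ECU-A", "ECU-B"},
        }
        # gateway id -> [network, network, connected?]
        self.gateways = {
            "128": ["301", "126", True],
            "129": ["325", "127", True],
        }

    def set_gateway(self, gw: str, connected: bool) -> None:
        self.gateways[gw][2] = connected

    def reachable(self, start: str) -> set:
        """Networks a frame injected on `start` can propagate to (BFS over open gateways)."""
        seen, todo = {start}, deque([start])
        while todo:
            net = todo.popleft()
            for a, b, on in self.gateways.values():
                if not on:
                    continue
                for x, y in ((a, b), (b, a)):
                    if x == net and y not in seen:
                        seen.add(y)
                        todo.append(y)
        return seen

    def observers(self, start: str) -> set:
        """ECUs that can see a frame sent on `start`."""
        return set().union(*(self.members[n] for n in self.reachable(start)))


class MonitoringECU:
    """ECU 305: on hijack detection, notifies ECU-A/ECU-B and cuts 127 <-> 325."""

    def __init__(self, nets: VehicleNetworks) -> None:
        self.nets = nets
        self.notified: list = []

    def on_hijack(self, ecu: str) -> None:
        if ecu != "ECU-X":
            return
        self.notified += ["ECU-A", "ECU-B"]   # notification to the control ECUs
        self.nets.set_gateway("129", False)   # assumed: cut before any genuine reply on 127


def simulate() -> dict:
    """Who sees a genuine reply on 127 and a dummy reply on 126, before and after the cut."""
    nets = VehicleNetworks()
    mon = MonitoringECU(nets)
    before = {"genuine_on_127": nets.observers("127"), "dummy_on_126": nets.observers("126")}
    mon.on_hijack("ECU-X")
    after = {"genuine_on_127": nets.observers("127"), "dummy_on_126": nets.observers("126")}
    return {"before": before, "after": after, "notified": list(mon.notified)}


if __name__ == "__main__":
    print(simulate())
```

The check shows why the order of the two actions matters: until gateway 129 is opened, a genuine response on network 127 propagates to network 325 and is visible to ECU-X, so the real and the dummy values could both be observed by the attacker. Two things a practitioner would also want, which the description does not spell out, are that the gateway command reaches gateway 129 over a path the hijacked ECU cannot inject into, and that gateway 129 accepts that command only from monitoring ECU 305.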
 FIG. 13 is a block diagram showing the hardware configuration of an ECU used in the in-vehicle security system according to the fourth embodiment.
 In FIG. 13, ECU 10 is provided with a processor 11, a communication control device 12, a communication interface 13, a main storage device 14, an external storage device 15 and an input/output interface 17. Processor 11, communication control device 12, communication interface 13, main storage device 14, external storage device 15 and input/output interface 17 are interconnected via an internal bus 16. Main storage device 14 and external storage device 15 are accessible from processor 11.
 Sensor 20, display unit 30 and actuator 40 are provided outside ECU 10 and are connected to the internal bus 16 via input/output interface 17. Sensor 20 is, for example, an air flow meter that detects the intake air amount, a pressure sensor that detects intake pipe pressure, a throttle sensor that detects throttle opening, or a rotation speed sensor that detects engine speed. Display unit 30 displays a warning message or the like when another ECU connected via network 19 has been hijacked, or displays countermeasures the user can select. Actuator 40 performs acceleration, deceleration, braking, steering and so on of the host vehicle by operating its engine, transmission, brakes, steering and the like.
 Processor 11 is the hardware that governs the operation control of ECU 10 as a whole. Main storage device 14 can be composed of, for example, a semiconductor memory such as SRAM or DRAM. Main storage device 14 can store the program being executed by processor 11 and provide a work area for processor 11 to execute the program.
 External storage device 15 is a storage device with a large storage capacity, for example a hard disk drive, an SSD (Solid State Drive) or a flash memory. External storage device 15 can hold the executable files of various programs and the data used when the programs are executed.
 When ECU 10 is ECU-A 103 or ECU-B 104 of FIG. 1, external storage device 15 can store an attack countermeasure program 15A, scenario definition information 15B and function level definition information 15C. The attack countermeasure program 15A may be software that can be installed on ECU 10, or it may be built into ECU 10 as firmware.
 Communication control device 12 is hardware having the function of controlling communication with the outside. Communication control device 12 is connected to network 19 via communication interface 13. Network 19 can be an in-vehicle network such as CAN, FlexRay, LIN or Ethernet.
 Processor 11 reads the attack countermeasure program 15A and function level definition information 15C into main storage device 14 and executes the attack countermeasure program 15A while referring to function level definition information 15C, thereby realizing the abnormality handling process of FIG. 7.
 100x, 100A, 100B: sensor; 101: in-vehicle network; 102: ECU-X; 103: ECU-A; 104: ECU-B; 105: monitoring ECU; 106x, 106A, 106B: actuator; 107x, 107A, 107B, 110: scenario definition information; 108x, 108A, 108B: scenario execution result storage memory; 109x, 109A, 109B: abnormality handling processing unit; 111: scenario execution result determination processing unit; 112: determination result notification processing unit; 113A: external device; 113B: external network; 114: warning display unit

Claims (15)

  1.  An in-vehicle security system comprising:
     a first electronic control device; and
     a second electronic control device capable of communicating with the first electronic control device,
     wherein the second electronic control device
     executes a first process for an input from the first electronic control device, and
     returns to the first electronic control device a response indicating that a second process different from the first process has been executed for the input.
  2.  The in-vehicle security system according to claim 1, wherein the second electronic control device
     detects that the first electronic control device has deviated from a predetermined operation,
     executes the first process for the input from the first electronic control device based on the detection result, and
     returns to the first electronic control device a response indicating that a second process different from the first process has been executed for the input.
  3.  The in-vehicle security system according to claim 1, wherein
     the first process is a safety process for the input from the first electronic control device, and
     the second process is a process executed as instructed by the input from the first electronic control device.
  4.  The in-vehicle security system according to claim 1, wherein the second electronic control device executes the first process for the input from the first electronic control device according to a predefined function level of the processing.
  5.  The in-vehicle security system according to claim 4, wherein the function level is defined according to a processing cycle or processing content of the first process.
  6.  The in-vehicle security system according to claim 3, wherein the second electronic control device determines, based on data used for the first process, whether to execute the safety process or normal processing.
  7.  The in-vehicle security system according to claim 2, wherein the second electronic control device issues a warning according to the detection result via a communication network that does not include the first electronic control device.
  8.  The in-vehicle security system according to claim 1, further comprising a third electronic control device capable of communicating with the first electronic control device and the second electronic control device,
     wherein the third electronic control device
     detects that the first electronic control device has deviated from a predetermined operation, and
     notifies the second electronic control device of the detection result, and
     the second electronic control device
     executes the first process for the input from the first electronic control device based on the detection result notified from the third electronic control device, and
     returns to the first electronic control device a response indicating that a second process different from the first process has been executed for the input.
  9.  The in-vehicle security system according to claim 8, comprising:
     a first in-vehicle network including the first electronic control device, the second electronic control device and the third electronic control device; and
     a second in-vehicle network including the second electronic control device and the third electronic control device and not including the first electronic control device.
  10.  The in-vehicle security system according to claim 8, comprising:
     a first in-vehicle network including the first electronic control device and the third electronic control device;
     a second in-vehicle network including the first electronic control device and the third electronic control device;
     a third in-vehicle network including the second electronic control device;
     a fourth in-vehicle network including the second electronic control device;
     a first gateway capable of connecting the first in-vehicle network and the third in-vehicle network; and
     a second gateway capable of connecting the second in-vehicle network and the fourth in-vehicle network.
  11.  An attack dealing method using a processor, wherein the processor
     executes a first process for an input at the time of an attack, and
     returns a response indicating that a second process different from the first process has been executed for the input.
  12.  The attack dealing method according to claim 11, wherein
     the first process is a process on the fail-safe side with respect to the instruction given at the time of the attack, and
     the second process is a process performed as instructed at the time of the attack.
  13.  The attack dealing method according to claim 11, wherein the first process is executed according to a function level required of the function under attack.
  14.  The attack dealing method according to claim 11, comprising:
     a first processor that is the target of the attack; and
     a second processor connected to the first processor via a network,
     wherein the second processor
     executes the first process for an input from the first processor, and
     returns to the first processor a response indicating that a second process different from the first process has been executed for the input.
  15.  The attack dealing method according to claim 14, comprising a third processor connected to the first processor via a network,
     wherein the third processor
     detects that the first processor has deviated from a predetermined operation, and
     notifies the second processor of the detection result, and
     the second processor
     executes the first process for the input from the first processor based on the detection result notified from the third processor, and
     returns to the first processor a response indicating that a second process different from the first process has been executed for the input.
PCT/JP2019/024208 2018-07-06 2019-06-19 On-board security system and attack dealing method WO2020008872A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2018-128914 2018-07-06
JP2018128914A JP2021167985A (en) 2018-07-06 2018-07-06 On-vehicle security system and attack countermeasure method

Publications (1)

Publication Number Publication Date
WO2020008872A1 true WO2020008872A1 (en) 2020-01-09

Family

ID=69060579

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2019/024208 WO2020008872A1 (en) 2018-07-06 2019-06-19 On-board security system and attack dealing method

Country Status (2)

Country Link
JP (1) JP2021167985A (en)
WO (1) WO2020008872A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2023286331A1 (en) * 2021-07-16 2023-01-19 日立Astemo株式会社 In-vehicle system and electronic control unit

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2023112819A (en) 2022-02-02 2023-08-15 株式会社オートネットワーク技術研究所 Monitoring device, vehicle monitoring system, and vehicle monitoring method

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2002111726A (en) * 2000-09-29 2002-04-12 Kddi Corp Illegal invasion preventing system
JP2002342279A (en) * 2001-03-13 2002-11-29 Fujitsu Ltd Filtering device, filtering method and program for making computer execute the method
JP2014183395A (en) * 2013-03-18 2014-09-29 Hitachi Automotive Systems Ltd On-vehicle network system
WO2016189841A1 (en) * 2015-05-27 2016-12-01 日本電気株式会社 Security system, security method, and recording medium for storing program

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
HARIU, TAKEO: "Security Intelligence for Malware Countermeasures to Support NTT Group's Security Business", NTT GIJUTU JOURNAL, vol. 27, no. 10, 1 October 2015 (2015-10-01), pages 18 - 22 *
NAKANO, GAKU: "Automotive Information Security, first edition", FIRST EDITION, NIKKEI BUSINESS PUBLICATIONS, INC., MOCHIZUKI, YOSUKE, 27 December 2013 (2013-12-27), pages 144-147 - 152-160 *

Also Published As

Publication number Publication date
JP2021167985A (en) 2021-10-21

Similar Documents

Publication Publication Date Title
EP3264718B1 (en) System and method for detection and prevention of attacks on in-vehicle networks
JP2018157463A (en) On-vehicle communication system, communication management device, and vehicle controller
WO2019159615A1 (en) Vehicle monitoring system
WO2018135098A1 (en) Monitoring device, monitoring method, and computer program
JP6782444B2 (en) Monitoring equipment, monitoring methods and computer programs
US11784871B2 (en) Relay apparatus and system for detecting abnormalities due to an unauthorized wireless transmission
JP2018160786A (en) Monitor system, monitoring method and computer program
US10721241B2 (en) Method for protecting a vehicle network against manipulated data transmission
US10873600B2 (en) Information processing device, information processing system, information processing method, and information processing program
WO2020008872A1 (en) On-board security system and attack dealing method
CN101369141B (en) Protection unit for a programmable data processing unit
US20230087311A1 (en) System and method for detection and prevention of cyber attacks at in-vehicle networks
US10917387B2 (en) Information processing device, information processing system, information processing method, and information processing program
CN114834393A (en) Vehicle control system
US11012453B2 (en) Method for protecting a vehicle network against manipulated data transmission
US12039050B2 (en) Information processing device
JP7439669B2 (en) log analysis device
CN114007906A (en) Safety processing device
CN112806034A (en) Device, method and computer program for providing communication for a control device of a vehicle, method, central device and computer program for providing an update, control device and vehicle
JP2017168993A (en) Monitoring device and communication system
JP2021076949A (en) Vehicle control device
JP7403728B2 (en) Intrusion detection system
JP7408033B2 (en) In-vehicle control device
JP2020096320A (en) Illegal signal processing device
US20230267206A1 (en) Mitigation of a manipulation of software of a vehicle

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 19830529; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 19830529; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: JP)