JP2008189209A - Vehicle control device network and control device - Google Patents

Abstract

The present invention provides a network between vehicle control devices and a control device used for a network between vehicle control devices, which are compatible with security performance required as a network between vehicle control devices and handling performance of the control device.
A plurality of control devices having communication means participate in a network between vehicle control devices, and each control device is permitted to operate when it is confirmed that all the participating control devices have been prepared. A network between vehicle control devices in which operation of each control device is not permitted in a state where there is no operation, and an initial state before network connection of all participating control devices or some control devices is an operation permitted state.
[Selection] Figure 5

Description

  The present invention relates to a network between vehicle control devices and a control device, and more particularly to security on a network in which a plurality of control devices mounted on a vehicle such as an automobile are communicably connected to each other.

  In recent years, as the performance required for automobiles, such as power performance and environmental friendliness, has become more sophisticated and diversified, automobile systems have been composed of a large number of sensors and actuators, and related to these sensors and actuators. Networking of a plurality of control devices is progressing, and various communication protocols such as CAN (Control Area Network) and LIN (Local Interconnect Network) have been introduced.

  Such a network between vehicle control devices built in an automobile is a closed space network that exists in a limited area inside the vehicle, and does not require defense against attacks such as eavesdropping or tampering with information by the Service-to-Self. It has been said.

  However, in recent years, with the introduction of wireless technology and the advancement of technology such as vehicle ITS (Intelligent Transport System), the network between vehicle control devices has shifted to an open network, and security measures against various attacks have been proposed. .

  For example, in a vehicle having an immobilizer function, encryption authentication is performed between a value embedded in a key and a control device on the vehicle side, so that the vehicle cannot be started without a valid key. In recent years, it has been proposed to implement a brute force encryption attack (so-called brute force attack) that can be implemented practically, or to change the encryption key sequentially while synchronizing based on finite regularity. ing.

  In addition, in a vehicle having a vehicle system integrity confirmation function, there is a vehicle in which each control device authenticates each other in the network, and if an invalid one is found, the control device is not permitted to operate (for example, a patent) Reference 1). For this reason, if the control device in the network is replaced with an unauthorized one, or if the program inside the control device is rewritten with an unauthorized one, the vehicle system will not operate.

  Furthermore, in order to prevent accidental security accidents in vehicle development and manufacturing processes, such measures are often made effective from the initial state of the control device, and each control device is permitted to operate only after completion of vehicle assembly. It has become to.

JP 2005-1534 A

  With the security measures as described above, the security performance in the network between the vehicle control devices is improved, while the handling performance in the inspection of the control device is deteriorated.

  For example, if the control device before assembly of the vehicle is in an operation non-permitted state by an immobilizer function in the initial state, a mechanism that does not permit the operation of the immobilizer cannot be inspected in advance by a single control device. This means that, for example, when the immobilizer function disables the fuel injection control and ignition control of the control device, it can be confirmed only after the vehicle is assembled whether or not these controls perform correct output. .

  In general, a control device for a vehicle is provided from a component manufacturer to a manufacturer, and the manufacturer performs connection to the vehicle. The provided control device cannot be inspected. As a result, there is a delay in finding yield products of the control device, causing problems such as cost deterioration and quality deterioration at the vehicle manufacturing stage.

  In addition, even if a problem occurs after the vehicle is assembled and the suspicious control device must be removed from the network and inspected, the network integrity check function works when the device is removed from the network, and the removed control device does not operate. Since it is in a permitted state, there is a possibility that a desired inspection cannot be performed. For this reason, a suspicious control apparatus must be replaced unconditionally without being inspected, and there is a problem that a great cost is required for inspection after assembly and maintenance in the market.

  As described above, the security measures enhance the security of the network between the vehicle control devices, and the defense against malicious attacks is enhanced, while the handling performance of the control device that is in the initial state or disconnected from the network deteriorates. And cause cost and quality problems.

  The present invention has been made in view of the problems to be solved, and an object of the present invention is to provide a vehicle control device that achieves both security performance necessary for a network between vehicle control devices and handling performance of the control device. It is providing the control apparatus used for a network between vehicles and a network between vehicle control apparatuses.

  In order to achieve the above object, the inter-vehicle control device network according to the present invention allows a plurality of control devices having communication means to participate, and permits each control device to operate with confirmation that all of the participating control devices have been prepared, In a state where all participating control devices are not available, the network between vehicle control devices is set to disallow operation of each control device, and the initial state before network connection of all participating control devices or some control devices is permitted to operate. It is characterized by being in a state.

  In addition, the network between vehicle control devices according to the present invention preferably permits the detachment of one or a plurality of control devices from the network by an authentication action, and sets the control device permitted to detach by the authentication action to an operation-permitted state. This authentication action can be performed between a network-connected diagnostic tool and a control device.

  Further, the inter-vehicle control device network according to the present invention is more preferably characterized in that all control devices participating in the network other than the detached control device or a part of the control devices are in an operation non-permitted state.

  In order to achieve the above object, a control device according to the present invention is a control device used in a network between vehicle control devices, and is characterized in that an initial state before network connection is set to an operation-permitted state.

  According to the present invention, the control device is permitted to operate with the confirmation of completeness, and the control device is not permitted to operate when all the participating control devices are not available. Since the initial state before the network connection of some control devices is the operation permission state, the handling performance of the control device before the vehicle is attached is not hindered. As a result, it is possible to achieve both the security performance necessary for the network between vehicle control devices and the handling performance of the control device.

  An embodiment of a network between vehicle control devices and a control device according to the present invention will be described with reference to the drawings.

  FIG. 1 is a functional block diagram showing one embodiment of a control device (ECU) used in the network between vehicle control devices of this embodiment. The control device 1 controls the input signal detection means 3 for detecting the input signal from the sensors 2 attached to each part of the vehicle, the signal from the input signal detection means 3 and the calculation for control. A control means 4 for generating a command, an output circuit 6 for driving the control command from the control means 4 to each actuator 5, a communication means 8 connected to the communication bus 7 for transmitting and receiving signals to and from the network, Encryption / decryption means 9 for encrypting / decrypting transmission / reception signals exchanged by means 8, authentication means 10 for authenticating other network participants, and nonvolatile information for storing nonvolatile information necessary for control A non-volatile memory 11, a non-volatile memory 11, a control unit 4, an encryption / decryption unit 9, and an authentication unit 10.

  FIG. 2 is a block diagram showing a configuration of one embodiment of the control device (ECU) 1. The ECU 1 is an input / output interface 13 that is connected to the sensors 2 and the actuators 5 to control input / output, a communication interface 14 that is connected to the communication bus 7 to control signal transmission / reception, and a volatile memory that stores temporary information. A RAM 15, a ROM 16 that is a non-volatile memory for storing a control program and various control setting information, an EEPROM 17 that is a non-volatile memory, and a CPU 18 that controls and controls them are connected via a bus 19. Has been.

  Therefore, the control device 1 can also be configured by a microcomputer. The control means 4, the encryption / decryption means 9 for performing encryption / decryption, and the authentication means 10 are all stored as programs in the ROM 16, and these programs are read out and executed by the CPU 18 at the time of execution. Further, the communication means 8 is generally configured by a part of the physical layer and the data link layer based on the OSI reference model by an electronic circuit, and a higher layer by a program stored in the ROM 16.

  In the network between vehicle control devices of the present embodiment, ECU-A21, ECU-B22, ECU-C23, which are control devices having the configuration of the control device 1, and one or a plurality of control devices (not shown) use the communication bus 7. Are connected to each other, and data transmission between them is possible. The communication bus 7 used in this network is, for example, CAN.

  Next, the integrity confirmation performed in the vehicle control apparatus network of this embodiment is demonstrated using FIG. 4, FIG.

  In FIG. 4, a state A101 and a state B102 drawn in a circle indicate a temporary state, and a state “operation permission” 103 and a state “operation disapproval” 104 drawn in an ellipse indicate a permanent state. Yes. The temporary state is a state that is temporarily changed in the transition process to the permanent state and cannot stay. On the other hand, the constant state is a state in which it can stay constantly. A state 105 drawn with a black circle represents an initial state. Therefore, each control device (ECU-A21, ECU-B22, ECU-C23, etc.) participating in the network between vehicle control devices of the present embodiment is constantly in the operation permission state 103, the operation non-permission state 104, and the initial state. It is in one of the states 105.

  When each control device makes a transition from the initial state 105 to the state B102 by turning on the power for the first time, it determines whether its initial state is “operation permitted” or “operation not permitted”. If the control device is set to “operation permitted” in the initial state, the state transitions to the operation permitted state 103. On the other hand, if the control device is set to “operation not permitted” in the initial state, the state transitions to the operation not permitted state 104.

  When the control device in the operation permission state 103 monitors the state of the communication bus 7 and confirms the presence of another control device, the control device makes a transition to the state A101. The control device in the state A101 determines whether or not all control devices that should exist in the network in which the control device participates exist. When the presence of all the control devices can be confirmed, the operation returns to the operation permission state 103, and when the control device cannot be confirmed, the operation transitions to the operation disapproval state 104.

The control device in the operation disapproval state 104 monitors the state of the communication bus 7 and moves to state A101 when the presence of another control device can be confirmed. The control device in the state A101 determines whether or not all control devices that should exist in the network in which the control device participates exist.
When the presence of all the control devices can be confirmed, the operation returns to the operation permission state 103, and when the control device cannot be confirmed, the operation transitions to the operation disapproval state 104.

  In addition, for the confirmation of the existence of the other control devices described above, plain text communication may be used, or encryption communication such as common key encryption or public key encryption using encryption / decryption means 9 is used. Also good. In addition, the presence check of other control devices may be performed constantly, or may be performed based on a condition that it is performed only once after the power is turned on, or may be performed irregularly.

  The control means 4 (see FIG. 1) of the control device in the operation disapproval state 104 stops the control of the main actuators 5 connected to the control device through the output circuit 6 or the communication means 8, and the vehicle It works to forbid that it works as a system.

  If configured in this way, the setting of the initial state before network connection is set to “permitted” as necessary, and participation is performed after ensuring the handling performance such as inspecting the control device before assembling the vehicle. It is possible to achieve a so-called integrity guarantee function in which operation of each control device is permitted with confirmation that all the control devices have been prepared.

  For example, the network between control devices shown in FIGS. 5A to 5C is complete with the connection of four control devices (ECU-A21, ECU-B22, ECU-C23, ECU-D24). As shown in FIG. 5A, the ECU-B22, ECU-C23, and ECU-D24 are already connected to the communication bus (network) 7, and here, the initial state before the network connection is established. The ECU-A21 whose state is "operation permission" setting is going to be connected.

  In the state shown in FIG. 5 (a), the ECU-B22, ECU-C23, and ECU-D24 already connected to the network mutually confirm the existence of other control devices already connected to the network, Since the presence of the ECU-A 21 cannot be confirmed, it is in the operation non-permitted state 104 and operates to prohibit the vehicle from operating as a system by its main control output.

  Since the initial state before connection to the network is the “operation permitted” setting, the ECU-A 21 is in the operation permitted state 103 and can be inspected alone in this state. Thereby, the parts maker which produces ECU-A21 can test | inspect ECU-A21 before shipment.

  Here, as shown in FIG. 5B, when the ECU-A 21 is connected to the network, the ECU-A 21 confirms the existence of another control device already connected to the network, and performs all other controls. By confirming the presence of the device, it remains in the operation permission state 103. On the other hand, the ECU-B22, ECU-C23, and ECU-D24 that are already connected to the network can check all the control devices that should be connected to the network through the connection of the ECU-A21. .

  Thereby, since all the control devices (ECU-A21, ECU-B22, ECU-C23, ECU-D24) connected to the network are in the operation permission state 103, the vehicle operates as a system.

  As shown in FIG. 5C, when the ECU-A21 once connected is disconnected from the network again, the ECU-A21 cannot confirm the presence of another control device, so that the operation permission state is established. Stay at 103. On the other hand, since the ECU-B22, ECU-C23, and ECU-D24 connected to the network mutually confirm the existence of other connected control devices and cannot confirm the existence of the ECU-A21, the operation non-permitted state Transition to 104.

  Therefore, the control device (ECU-B22, ECU-C23, ECU-D24) staying in the vehicle network is not permitted to operate, and the separated control device (ECU-A21) can be inspected alone.

  As a result, a problem occurs after the vehicle is assembled, and it is possible to cope with a case where a suspicious control device must be removed from the network and inspected.

  In the network between control devices described above, as shown in FIG. 6, all control devices (ECU-A21, ECU-B22, ECU-C23, ECU-D24) connected to the network are disconnected from the network. Therefore, it is possible to set the state in all the control devices to “operation permission”.

  However, in many current vehicles, since a large number of controls operate depending on the network between the control devices, it is virtually impossible to expect normal operation of the vehicle system without any connection of the control device to the network. Therefore, it can be said that the network between the control devices in the vehicle according to the present invention has sufficient security performance to kill malicious intent to attack.

  As shown in FIG. 6, even if all the control devices are disconnected from the network, this measure will continue as a countermeasure when the vehicle network configuration is such that normal operation of the vehicle system is performed. The attachment / detachment of the control device by the authentication action performed in the network between the control devices in the vehicle according to the invention will be described with reference to FIGS.

  The network between control devices shown in FIG. 7 is assumed to be complete with the connection of four control devices (ECU-A21, ECU-B22, ECU-C23, ECU-D24), and is shown in FIG. 7 (a). As described above, it is assumed that all the control devices are already connected to the network and all the control devices are in the operation permission state 103.

  Here, as shown in FIG. 7B, the diagnostic tool 31 is connected to the network between the control devices as a new network node. The diagnostic tool 31 is a so-called diagnostic tester that can request a diagnostic service for each control device via a network. Here, it is assumed that the diagnostic tool 31 issues a command to leave the ECU-A 21 from the network via the network.

  When receiving the withdrawal command, the ECU-A 21 performs an authentication act with the diagnostic tool 31 in order to determine whether or not the withdrawal command is valid as shown in FIG. As a result of the authentication action, if it can be confirmed that the withdrawal command is valid, the ECU-A 21 is allowed to leave the network, and the leaving ECU-A 21 is set to the operation-permitted state. Then, as shown in FIG. 7D, the detached ECU-A 21 can be inspected as a single unit of the separated control device by “operation permission”.

  If the ECU-A 21 is disconnected from the network in a state where the authorization of a proper leaving instruction is not performed, the separated ECU-A 21 enters an “operation not permitted” state, and is illegally handled, for example, Defend against attacks such as eavesdropping and falsification of information by Service-to-Self.

  FIG. 8 shows the transition of the control state in each control device. When each control device makes a transition from the initial state 105 to the state B102 by turning on the power for the first time, it determines whether it is the initial state “operation permitted” or the initial state “operation not permitted”. If the control device is set to the initial state “permitted operation”, the state transitions to the provisional operation permitted state 106. On the other hand, if the control device is set to the initial state “operation not permitted”, the state transitions to the operation not permitted state 104.

  The control device in the provisional operation permission state 106 monitors the state of the communication bus 7 and transitions to the state A101 when the presence of another control device is confirmed. The control device in the state A101 determines whether or not all control devices that should exist in the network in which the control device participates exist. When the presence of all the control devices can be confirmed, the state transitions to the operation permission state 103, and when the presence cannot be confirmed, the state transitions to the operation disapproval state 104.

  When the control device in the operation permission state 103 monitors the state of the communication bus 7 and confirms the presence of another control device, the control device makes a transition to the state A101. The control apparatus in the state A101 determines whether or not all the control apparatuses that should exist in the network in which the control apparatus participates exist. When the presence of all the control devices can be confirmed, the operation returns to the operation permission state 103, and when the control device cannot be confirmed, the operation transitions to the operation disapproval state 104.

  The control device in the operation disapproval state 104 monitors the state of the communication bus 7 and moves to state A101 when the presence of another control device is confirmed. The control device in the state A101 determines whether or not all control devices that should exist in the network in which the control device participates exist. When the presence of all the control devices cannot be confirmed, the operation returns to the operation disapproval state 104, and when it is confirmed, the operation transitions to the operation permission state 103.

  When the control device in the operation permission state 103 receives a leave command from the network and confirms that the leave command is valid by the authentication action by the authentication means 10, the state transitions to the state C107. Here, it waits for the control device to be disconnected from the network, and when the control device is disconnected from the network, the state transits to the provisional operation permission state 106. When the presence of another control device in the operation permission state 103 cannot be confirmed, the state transitions to the operation disapproval state 104.

  Here, the control means 4 of the control device in the operation non-permission state 104 stops the control of the main actuators 5 connected to the control device through the output circuit 6 or the communication means 8, and the vehicle Operates to prohibit the system from operating.

  With this configuration, as shown in FIG. 6, even if all the control devices are disconnected from the network, it is possible to perform a valid authentication action to disconnect the control device once connected to the network from the network. Therefore, it is possible to protect against malicious attackers who do not have legitimate rights.

  Here, one embodiment of the authentication action performed by the authentication means 10 will be described with reference to FIG. Here, the encryption key k is a value stored in the nonvolatile memory 11 at the time of manufacture of the ECU-A 21 or after that, the same as the diagnostic tool 31.

  The ECU-A 21 that has received the withdrawal command from the diagnostic tool 31 generates a random number s, transmits it to the diagnostic tool 31 (step S51), and responds by the common key k shared with the random number s and the diagnostic tool 31. (S) is calculated (step S52).

  The diagnostic tool 31 that has received the random number s calculates the response g (s) using the random number s and the common key k shared with the ECU-A21, and sends the response g (s) back to the ECU-A21 (step S53).

  The ECU-A 21 compares the response f (s) calculated by itself with the response g (s) calculated by the diagnostic tool 31. If the common key k shared by the ECU-A 21 and the diagnostic tool 31 is the same as the calculation process, the responses obtained from the same random number s are the same and can be trusted (step S54). . Thus, the ECU-A 21 authenticates the diagnostic tool 31.

  In addition, although the authentication act by common key encryption was described here, it cannot be overemphasized that this authentication act can be implemented also in public key encryption.

  In the above-described embodiment, when the presence of another control device cannot be confirmed, it has been stated that the state is changed to “operation not permitted”. It is not necessary to disable all control devices remaining in the network other than the disconnected control device. That is, only a part of the control devices participating in the network other than the detached control device may be selectively prohibited.

  The effects of the present embodiment described above are summarized as follows.

  (1) In a network in which each control device is permitted to operate with confirmation of completeness and is not permitted to operate when all participating control devices are not available, all participating control devices or a part of the controls Since the initial state before the network connection of the device is the operation permission state, it is possible to adopt a configuration that does not disturb the handling of the control device before the vehicle is mounted while taking security measures by ensuring the integrity.

  (2) While taking the security measure by ensuring the integrity by permitting one or more control devices to leave the network by the prior authentication and permitting the control devices permitted to leave. It is possible to adopt a configuration that does not interfere with the handling of the control device removed from the network for some reason after the vehicle is assembled.

  (3) The vehicle side after removing some control devices from the network by disabling operation of all control devices participating in the network other than the detached control device, or some control devices. It is possible to take appropriate security for the remaining control devices.

  (4) By these things, the management performance of each control apparatus connected can be improved, maintaining sufficient and reasonable security as a network.

The functional block diagram which shows one Embodiment of the control apparatus which comprises the network between vehicle control apparatuses by this invention. The block diagram which shows the structure of one Embodiment of the control apparatus which comprises the network between vehicle control apparatuses by this invention. The block diagram which shows an example of the network between vehicle control apparatuses. The state transition diagram showing one embodiment of the integrity check performed in the network between vehicle control apparatuses by this invention. (A)-(c) is a figure showing the operation | movement aspect of the integrity confirmation in FIG. The figure showing the operation | movement aspect at the time of removing all the control apparatuses in the integrity confirmation in FIG. (A)-(d) is a figure showing the operation | movement aspect of one Embodiment of the control apparatus detachment | leave permission in the network between vehicle control apparatuses by this invention. FIG. 8 is a state transition diagram showing control device leave permission by authentication in FIG. The flowchart showing the authentication in FIG.

Explanation of symbols

1 Control unit (ECU)
DESCRIPTION OF SYMBOLS 2 Sensors 3 Input signal detection means 4 Control means 5 Actuators 6 Output circuit 7 Communication bus 8 Communication means 9 Encryption / decryption means 10 Authentication means 11 Non-volatile memory 12 Non-volatile memory access means 13 Input / output interface 14 Communication interface 15 RAM
16 ROM
17 EEPROM
18 CPU
19 Bus 21 ECU-A
22 ECU-B
23 ECU-C
24 ECU-D
31 Diagnostic tools

Claims (5)

A plurality of control devices having communication means participate, and each control device is permitted to operate with confirmation that all participating control devices have been prepared. A network between vehicle control devices,
A network between vehicle control devices, characterized in that an initial state before network connection of all participating control devices or some control devices is an operation-permitted state.   2. The vehicle control device according to claim 1, wherein one or a plurality of control devices are permitted to leave the network by an authentication act, and the control device permitted to leave by the authentication act is allowed to operate. network.   The network between vehicle control devices according to claim 2, wherein the authentication is performed between a diagnostic tool and a control device connected via a network.   The network between vehicle control devices according to claim 2 or 3, wherein all control devices participating in the network other than the detached control device or a part of the control devices are set in an operation non-permitted state. A control device used in a network between vehicle control devices,
A control device, wherein an initial state before network connection is set to an operation-permitted state.

Images