14 research outputs found

    CSP channels for CAN-bus connected embedded control systems

    A closed-loop control system typically contains a multitude of sensors and actuators operated simultaneously, so such systems are parallel and distributed in their essence. But when this parallelism is mapped to software, many obstacles concerning multithreading, communication and synchronization arise. To overcome this problem, the CT kernel/library, based on the CSP algebra, has been developed. This project (TES.5410) is about developing a communication extension to the CT library to make it applicable in distributed systems. Since the library is tailored for control systems, the properties and requirements of control systems are taken into special consideration. The applicability of existing middleware solutions is examined. A comparison of applicable fieldbus protocols is made in order to determine the most suitable ones, and the CAN fieldbus is chosen as the first fieldbus to be used. A brief overview of CSP and existing CSP-based libraries is given. A middleware architecture is proposed along with a few novel ideas.

    Comparative Reliability Analysis for Single and Dual CAN (FD) Systems

    This work was supported by a Hanns-Seidel-Foundation grant funded by the German Federal Ministry of Education and Research (BMBF).
    Modern cyber-physical systems, such as autonomous vehicles, advanced driver assistance systems, automation systems and battery management systems, result in extended communication requirements regarding reliability and availability. The Controller Area Network (CAN) is a broadcast-based protocol which is still used as a standard for serial communication between individual microcontrollers due to its reliability and low power consumption. In addition, it provides mechanisms for detecting transmission errors and retransmitting messages in the event of an error. The enhancement CAN Flexible Data-Rate (CAN FD) offers increased data rates and transmission rates in order to meet the data throughput requirements. In this paper, the mechanisms for reliable data transmission in a CAN FD network are analyzed. To improve reliability, a second identical CAN FD network is added to the system, using the additional CAN interface already available on common microcontrollers. The redundant communication network is examined in terms of failure rates and the mean time to failure. The reliability over the operation time is calculated for the single and the redundant version of the CAN FD network using the failure rate limits of the ASIL levels.

    Quantifying the Resiliency of Fail-Operational Real-Time Networked Control Systems

    In time-sensitive, safety-critical systems that must be fail-operational, active replication is commonly used to mitigate transient faults that arise due to electromagnetic interference (EMI). However, designing an effective and well-performing active replication scheme is challenging, since replication conflicts with the size, weight, power, and cost constraints of embedded applications. To enable a systematic and rigorous exploration of the resulting tradeoffs, we present an analysis to quantify the resiliency of fail-operational networked control systems against EMI-induced memory corruption, host crashes, and retransmission delays. Since control systems are typically robust to a few failed iterations (e.g., one missed actuation does not crash an inverted pendulum), traditional solutions based on hard real-time assumptions are often too pessimistic. Our analysis reduces this pessimism by modeling a control system's inherent robustness as an (m,k)-firm specification. A case study with an active suspension workload indicates that the analytical bounds closely predict the failure rate estimates obtained through simulation, thereby enabling a meaningful design-space exploration, and also demonstrates the utility of the analysis in identifying non-trivial and non-obvious reliability tradeoffs.

    Fault Tolerant Services for Safe In-Car Embedded Systems

    http://www.taylorandfrancis.com/
    Due to the increasing safety criticality of their functions, embedded automotive systems must now respect stringent dependability constraints despite the faults that may occur in a very harsh environment. In a context where critical functions are distributed over the network, the communication system plays a major role. First, we discuss the main services and functionalities that a communication system should offer to ease the design of fault-tolerant applications in the automotive context. Then, we review the features of the protocols currently considered for use and, finally, we highlight areas where developments are still needed.

    Use of Genetic Algorithms in Optimizing the Scheduling of Proprietary Messages of the SAE J1939 Protocol over CAN Bus

    Competition between processes for the resources of a processor is widely studied in computer science, giving rise to a large number of scheduling algorithms. The same competition occurs in an embedded network, where messages compete for access to the bus. This work presents an overview of the timing metrics of a message on the Controller Area Network (CAN) and of how message scheduling relates to the timing analysis techniques applied to the J1939 protocol, published by the Society of Automotive Engineers (SAE). To this end, the mathematical models proposed in different works were studied. These models are applied to a set of SAE J1939 messages over CAN bus and the results are analysed. The results of the timing analyses indicate that in certain cases optimization is necessary. The application of genetic algorithms is studied in this work with the aim of optimizing the scheduling of SAE J1939 messages. For this purpose, a correlation between the theory of genetic algorithms and the characteristics of the protocol is proposed, making it possible to represent the problem in the chosen optimization method. This work also presents the implementation of the genetic algorithm to solve the problem detected in the timing analysis. The simulation results are presented and analysed.

    Low-complexity fault-tolerant communication system for an electric vehicle

    Master's thesis. Integrated Master's in Electrical and Computer Engineering. Faculdade de Engenharia, Universidade do Porto. 201

    Services for safety-critical applications on dual-scheduled TDMA networks

    Doctoral thesis. Electrical and Computer Engineering. Faculdade de Engenharia, Universidade do Porto. 200

    CAN FD: a communication network for future avionic systems

    Master's thesis in Informatics Engineering (Computer Architecture, Systems and Networks), Universidade de Lisboa, Faculdade de Ciências, 2019.
    This dissertation focuses on the real-time protocol Controller Area Network with Flexible Data Rate, commonly referred to as CAN FD, which operates at the Data Link layer of the OSI model. This protocol is a revised and improved version (essentially in terms of efficiency) of the Controller Area Network (CAN) protocol, launched in 1986 by a team of engineers at Robert Bosch GmbH. The development of CAN FD had two main objectives: first, to increase the data transmission speed on the network (from 1 to 15 Mbps); second, to allow messages with a larger data field than its predecessor (from 8 to 64 bytes). However, implementing these improvements required significant changes to the structure and operation of the original protocol. These changes had several kinds of impact on the protocol, from message transmission time to the way it identifies and handles errors. As a result, the vast scientific literature that accompanies CAN (and which contributed greatly to the confidence placed in this protocol) is not necessarily directly applicable to CAN FD. From this perspective, the central issue is to understand the non-obvious impact of these modifications, and the way to determine it involves, in the first instance, reproducing some of the studies carried out on CAN.
    The Controller Area Network, as a real-time network, has seen a variety of applications, from the automotive industry, for which it was initially designed, to aerospace engineering and industrial control. If we had to choose a factor common to many of the systems where CAN is usually deployed, it would be their criticality. If one of the flight support systems of an aircraft fails, it may adversely affect the pilot or other systems, misleading them or limiting their capabilities. Likewise, a failure in an industrial assembly line can have disastrous consequences for everyone involved. It is therefore important to know how systems detect and treat errors and to study their behaviour in the presence and absence of these errors. If the maximum delay is the worst-case transmission scenario in the absence of errors for a protocol like CAN, the maximum delay plus the time to identify and recover from an error gives the worst-case transmission scenario in the presence of an error. In critical systems, it is this latter approach that must be used and provided for. The concept of inaccessibility represents the time during which a data transmission network is inoperative (recovering from an error); it is measured from the start of the transmission of the message in which an error is identified until the protocol returns to normal operation. For CAN, a study was performed on the various inaccessibility times as a function of the type of error the protocol could experience. For CAN FD, this study has yet to be carried out, and it is the first objective of this work. As mentioned, the improvements introduced by CAN FD forced some adaptations in the frame format and in some native mechanisms of the protocol. After an exhaustive survey of these changes, we were able to determine the direct impact they had on the transmission time of a message.
    Consequently, and with special attention to the small changes introduced in the error detection and signalling mechanisms of CAN FD, it was possible to observe how the protocol responds to errors during the transmission of a message, deriving simple mathematical formulas that describe its behaviour. In turn, these formulas allowed us to place a real value on the network inaccessibility time when it is affected by each of the error types defined in the protocol specification. The final result of this study allowed a comparative analysis with the results of another study, carried out on the original CAN, since both start from the same initial assumptions. The simplicity and "elegance" of the original CAN protocol has always been a distinguishing factor compared to other protocols. However, the CAN FD development process brought with it an additional layer of complexity. In some cases, the options taken by the team of engineers responsible for the design of CAN FD may be seen as controversial or debatable, largely because of the scarcity of arguments presented or the absence of studies supporting them. With this in mind, we decided to trace the chronology of events that led to each of the modifications observed in CAN FD, in order to judge whether the means really justify the ends. The critical and detailed analysis of the modifications imposed by CAN FD is the second objective of this work. The exhaustive research into the reasons behind some of the changes adopted during the development of CAN FD led us to corner cases in which the possibility of certain errors undermines all the announced robustness of the protocol. This document makes clear that correcting this type of situation was one of the priorities of the team behind CAN FD; otherwise, the correction would not have had the impact it did on the protocol. Curiously, during this investigation we stumbled upon a new type of error that affects all versions of the protocol (CAN and CAN FD).
    The conditions required for it to arise and the way it affects data transmissions involve the combination of several factors, which, hypothetically, lowers the probability of observing it in a real deployment. Nevertheless, there is theoretical validity supporting its existence and, as such, it must be identified and communicated. The explanation of how this error occurs and what consequences it may entail is the last topic addressed in this dissertation.

    From Attack to Defense: Toward Secure In-vehicle Networks

    New security breaches in vehicles are emerging due to software-driven Electronic Control Units (ECUs) and the wireless connectivity of modern vehicles. These trends have introduced more remote surfaces/endpoints that an adversary can exploit and, in the worst case, use to control the vehicle remotely. Researchers have demonstrated how vulnerabilities in remote endpoints can be exploited to compromise ECUs, access in-vehicle networks, and control vehicle maneuvers. To detect and prevent such vehicle cyber attacks, researchers have also developed and proposed numerous countermeasures (e.g., Intrusion Detection Systems and message authentication schemes). However, there still remain potentially critical attacks that existing defense schemes can neither detect/prevent nor consider. Moreover, existing defense schemes lack certain functionalities (e.g., identifying the message transmitter), and thus do not provide strong protection for safety-critical ECUs against in-vehicle network attacks. With all such unexplored and unresolved security issues, vehicles and drivers/passengers will remain insecure. This dissertation aims to fill this gap by 1) unveiling a new important and critical vulnerability applicable to several in-vehicle networks (including the Controller Area Network (CAN), the de-facto standard protocol), 2) proposing a new Intrusion Detection System (IDS) which can detect not only those attacks that have already been demonstrated or discussed in the literature, but also those that are more acute and cannot be detected by state-of-the-art IDSes, 3) designing an attacker identification scheme that provides a swift pathway for forensics, isolation, security patching, etc., and 4) investigating what an adversary can achieve while the vehicle's ignition is off. First, we unveil a new type of Denial-of-Service (DoS) attack called the bus-off attack that, ironically, exploits the error-handling scheme of in-vehicle networks. That is, their fault-confinement mechanism — which has been considered one of their major advantages in providing fault tolerance and robustness — is used as an attack vector. Next, we propose a new anomaly-based IDS that detects intrusions based on the extracted fingerprints of ECUs. Such a capability overcomes the deficiency of existing IDSes and thus detects a wide range of in-vehicle network attacks, including those existing schemes cannot. Then, we propose an attacker identification scheme that provides a swift pathway for forensics, isolation, and security patching. This is achieved by fingerprinting ECUs based on CAN voltage measurements. It takes advantage of the fact that the voltage outputs of each ECU differ slightly from each other due to differences in supply voltage, ground voltage, resistance values, etc. Lastly, we propose two new attack methods called the Battery-Drain and the Denial-of-Body-control attacks, through which an adversary can disable parked vehicles with the ignition off. These attacks invalidate the conventional belief that vehicle cyber attacks are feasible, and thus their defenses are required, only when the vehicle's ignition is on.
    PhD, Computer Science & Engineering, University of Michigan, Horace H. Rackham School of Graduate Studies. https://deepblue.lib.umich.edu/bitstream/2027.42/144125/1/ktcho_1.pd