Fixed-Length Payload Encoding for Low-Jitter Controller Area Network Communication

The controller area network (CAN) bit stuffing mechanism, albeit essential to ensure proper receiver clock synchronization, introduces a significant, payload-dependent jitter on message response times, which may worsen the timing accuracy of a networked control system. Accordingly, several approaches to overcome this issue have been discussed in literature. This paper presents a novel software payload encoding scheme, which is able to guarantee that no stuff bits will ever be added to the data field by the CAN controller during transmission and, hence, lessens jitters considerably. Particular care has been put in its practical implementation and its subsequent evaluation to show how the simplicity and inherent high performance of the scheme make it suitable even for low-cost, embedded architectures

From Attack to Defense: Toward Secure In-vehicle Networks

New security breaches in vehicles are emerging due to software-driven Electronic Control Units (ECUs) and wireless connectivity of modern vehicles. These trends have introduced more remote surfaces/endpoints that an adversary can exploit and, in the worst case, use to control the vehicle remotely. Researchers have demonstrated how vulnerabilities in remote endpoints can be exploited to compromise ECUs, access in-vehicle networks, and control vehicle maneuvers. To detect and prevent such vehicle cyber attacks, researchers have also developed and proposed numerous countermeasures (e.g., Intrusion Detection Systems and message authentication schemes). However, there still remain potentially critical attacks that existing defense schemes can neither detect/prevent nor consider. Moreover, existing defense schemes lack certain functionalities (e.g., identifying the message transmitter), thus not providing strong protection for safety-critical ECUs against in-vehicle network attacks. With all such unexplored and unresolved security issues, vehicles and drivers/passengers will remain insecure. This dissertation aims to fill this gap by 1) unveiling a new important and critical vulnerability applicable to several in-vehicle networks (including the Controller Area Network (CAN), the de-facto standard protocol), 2) proposing a new Intrusion Detection System (IDS) which can detect not only those attacks that have already been demonstrated or discussed in literature, but also those that are more acute and cannot be detected by state-of-the-art IDSes, 3) designing an attacker identification scheme that provides a swift pathway for forensic, isolation, security patch, etc., and 4) investigating what an adversary can achieve while the vehicle’s ignition is off. First, we unveil a new type of Denial-of-Service (DoS) attack called the bus-off attack that, ironically, exploits the error-handling scheme of in-vehicle networks. That is, their fault-confinement mechanism — which has been considered as one of their major advantages in providing fault-tolerance and robustness — is used as an attack vector. Next, we propose a new anomaly-based IDS that detects intrusions based on the extracted fingerprints of ECUs. Such a capability overcomes the deficiency of existing IDSes and thus detects a wide range of in-vehicle network attacks, including those existing schemes cannot. Then, we propose an attacker identification scheme that provides a swift pathway for forensic, isolation, and security patch. This is achieved by fingerprinting ECUs based on CAN voltage measurements. It takes advantage of the fact that voltage outputs of each ECU are slightly different from each other due to their differences in supply voltage, ground voltage, resistance values, etc. Lastly, we propose two new attack methods called the Battery-Drain and the Denial-of-Body-control attacks through which an adversary can disable parked vehicles with the ignition off. These attacks invalidate the conventional belief that vehicle cyber attacks are feasible and thus their defenses are required only when the vehicles ignition is on.PHDComputer Science & EngineeringUniversity of Michigan, Horace H. Rackham School of Graduate Studieshttps://deepblue.lib.umich.edu/bitstream/2027.42/144125/1/ktcho_1.pd

A Novel Technique for Sample Point Discovery and Its Use in a Proposed Broadcast Confusion Attack on High-Speed Controller Area Networks

Over the last twenty-five years, the Controller Area Network, or CAN, has become ubiquitous in the automotive world as a communication network. That ubiquity is attributed to its high immunity to electrical interference and its resilience to data errors. CAN was designed to ensure data integrity during transmission and allow for multiple nodes to transmit information without a central device controlling that transmission. Given the ubiquity of CAN, much research has been performed to detect and protect against external intrusions on the network. In this paper, I present a methodology for the measurement of key CAN timing parameters. With the detection and understanding of these parameters, I demonstrate a proof of concept attack, dubbed the Broadcast Confusion Attack, which allows for the data integrity of the network to be weakened. Evolutions of this attack could be performed without being detected by two of the three categories of CAN intrusion detection systems. In the evolutions of the attack, devices could be completely overwritten by the attacker without any device (even the victim) knowing such an attack has occurred

Time synchronization for an emulated CAN device on a Multi-Processor System on Chip

The increasing number of applications implemented on modern vehicles leads to the use of multi-core platforms in the automotive field. As the number of I/O interfaces offered by these platforms is typically lower than the number of integrated applications, a solution is needed to provide access to the peripherals, such as the Controller Area Network (CAN), to all applications. Emulation and virtualization can be used to implement and share a CAN bus among multiple applications. Furthermore, cyber-physical automotive applications often require time synchronization. A time synchronization protocol on CAN has been recently introduced by AUTOSAR. In this article we present how multiple applications can share a CAN port, which can be on the local processor tile or on a remote tile. Each application can access a local time base, synchronized over CAN, using the AUTOSAR Application Programming Interface (API). We evaluate our approach with four emulation and virtualization examples, trading the number of applications per core with the speed of the software emulated CAN bus.</p

Trends in Automotive Communication Systems

http://www.ieee.org/International audienceThe use of networks for communications between the Electronic Control Units (ECU) of a vehicle in production cars dates from the beginning of the 90s. The specific requirements of the different car domains have led to the development of a large number of automotive networks such as LIN, J1850, CAN, TTP/C, FlexRay, MOST, IDB1394, etc.. This paper first introduces the context of in-vehicle embedded systems and, in particular, the requirements imposed on the communication systems. Then, a comprehensive review of the most widely used, as well as the emerging automotive networks is given. Next, the current efforts of the automotive industry on middleware technologies, which may be of great help in mastering the heterogeneity, are reviewed. Finally, we highlight future trends in the development of automotive communication systems

Event Notification in CAN-based Sensor Networks

Preventive and reactive maintenance require the collection of an ever-increasing amount of information from industrial plants and other complex systems, like those based on robotized cells, a need that can be fulfilled by means of a suitable event notification mechanism. At the same time, timing and delivery reliability requirements in those scenarios are typically less demanding than in other cases, thus enabling the adoption of best-effort notification approaches. This paper presents, evaluates, and compares some of those approaches, based on either standard CAN messaging or a recently proposed protocol extension called CAN XR. In the second case, the combined use of Bloom filters is also envisaged to increase flexibility. Results show that the latter approaches are advantageous in a range of event generation rates and network topologies of practical relevance

Arquitecturas de hardware para um veículo eléctrico

Tese de mestrado integrado. Engenharia Electrotécnica e de Computadores. Faculdade de Engenharia. Universidade do Porto. 201

Design and Architecture of a Hardware Platform to Support the Development of an Avionic Network Prototype

Résumé en français La récente évolution des architectures des systèmes avioniques a permis la création de réseaux avioniques modulaire embarqués (IMA) et l’augmentation du nombre de systèmes embarqués numériques dans chaque avion. Cette transition vers une nouvelle génération d’avions plus électriques permet une réduction du poids et de la consommation énergétique des aéronefs et aussi des couts de production et d’entretien. Pour atteindre une réduction du poids encore plus poussée et une amélioration de la bande passante des réseaux utilisés, des technologies innovatrices ont récemment été adoptées : ARINC 825 et AFDX qui permettent en fait une réduction du câblage nécessaire pour réaliser le réseau embarqué.Dans le cadre du projet AVIO 402, qui inclus plusieurs sujets de recherche qui concernent aussi les capteurs et leur interface avec le système IMA, une nouvelle architecture a été proposée pour la réalisation du réseau utilisé pour le système de contrôle de vol. Cette architecture est basée sur des bus ARINC 825 locaux, connectés entre eux en utilisant un réseau AFDX qui offre une meilleure bande passante ; les ponts entre les deux protocoles et les modules qui connectent les nœuds au réseau ont une structure générique pour supporter des protocoles différents et aussi plusieurs types des capteurs et actionneurs. Pour une évaluation des performances et une analyse des défis de son implémentation, la réalisation d’un prototype du réseau proposé est requise par le projet. Dans ce mémoire, le développement d’une plateforme matérielle pour soutenir la réalisation de ce prototype est traité et trois modules fondamentaux du prototype ont été conçus sous forme de "IP core" pour être subséquemment intégrés dans l’architecture du réseau qui sera implémenté en utilisant des FPGA. Les trois systèmes sont le contrôleur du bus CAN, utilisé comme base pour l’implémentation du protocole ARINC 825, le "End System" AFDX et le commutateur nécessaires pour la réalisation d’un réseau AFDX. Dans la première partie de ce mémoire, les objectifs visés sont présentés et une analyse des spécifications des protocoles considérés est fournie, cela permet d’identifier les fonctionnalités qui doivent être incluses dans chaque système et de déterminer si des solutions pour leur implémentation ont déjà été publiées et peuvent être réutilisées. Ensuite, le développement de chaque système est présenté et les choix de conception sont expliqués afin de montrer comment les fonctionnalités requises par les spécifications des deux protocoles peuvent être implémentées pour mieux répondre aux nécessités du projet AVIO 402.----------Abstract The objective of the present project is to design three modules for a hardware platform that will support the implementation of an avionic network prototype based on the FPGA technology. The considered network has been conceived to reduce cabling weight and to improve the available bandwidth, and it exploits the recently introduced ARINC 825 and AFDX protocols. In order to support the implementation of both these protocols, a CAN bus controller, an AFDX End System, and an AFDX Switch have been designed. After an extensive review of the existing literature about the two related avionic protocols, a study of the existing solutions for CAN and Ethernet protocols, on which they are based, has been done as well to identify what knowledge and technology could be reused. Because they are very similar, a flexible CAN controller has been implemented in hardware instead of an ARINC 825 one in order to support both these technologies and in order to reduce the IP core size. A combined HW/SW approach has been preferred for the AFDX End System architecture to leverage an existing UDP/IP protocol stack and the Ethernet layer included in the Linux kernel has been modified to create a portable and configurable implementation of AFDX. Since various problems have been encountered to reproduce an ARINC 653 compliant environment on the embedded system, the suggested design has been ported in a PC. Finally, an original solution for the implementation of the AFDX switch fabric has been finally presented; a space-division switching architecture has been chosen and tailored to meet the AFDX specification. Hardware parallelism is exploited to reduce the latency introduced on each frame by filtering them concurrently. Input buffers have been duplicated to separate high from low priority traffics, further reducing latency of critical frames and creating a redundancy that reduce the possibility of packet loss. Packet scheduling and double queuing guarantee that all critical frames are forwarded before low priority ones.Keywords: Avionic Full-Duplex Switched Ethernet, AFDX, ARINC 664, ARINC 825, CAN, Avionic Data Networks, Ethernet Switch, FPGA

Flexibilização em sistemas distribuídos: uma perspectiva holística

Doutoramento em Engenharia InformáticaEm sistemas distribuídos o paradigma utilizado para interacção entre tarefas é a troca de mensagens. Foram propostas várias abordagens que permitem a especificação do fluxo de dados entre tarefas, mas para sistemas de temporeal é necessário uma definição mais rigorosa destes fluxos de dados. Nomeadamente, tem de ser possível a especificação dos parâmetros das tarefas e das mensagens, e a derivação dos parâmetros não especificados. Uma tal abordagem poderia permitir o escalonamento e despacho automático de tarefas e de mensagens, ou pelo menos, poderia reduzir o número de iterações durante o desenho do sistema. Os fluxos de dados constituem uma abordagem possível ao escalonamento e despacho holístico em sistemas distribuídos de tempo-real, onde são realizadas diferentes tipos de análises que correlacionam os vários parâmetros. Os resultados podem ser utilizados para definir o nível de memória de suporte que é necessário em cada nodo do sistema distribuído. Em sistemas distribuídos baseados em FTT, é possível implementar um escalonamento holístico centralizado, no qual se consideram as interdependências entre tarefas produtoras/consumidoras e mensagens. O conjunto de restrições que garante a realização do sistema pode ser derivado dos parâmetros das tarefas e das mensagens, tais como os períodos e os tempos de execução/transmissão. Nesta tese, são estudadas duas perspectivas, uma perspectiva centrada na rede, i.e. em que o escalonamento de mensagens é feito antes do escalonamento de tarefas, e outra perspectiva centrada no nodo. Um mecanismo simples de despacho de tarefas e de mensagens para sistemas distribuídos baseados em CAN é também proposto neste trabalho. Este mecanismo estende o já existente em FTT para despacho de mensagens. O estudo da implementação deste mecanismo nos nodos deu origem à especificação de um núcleo de sistema operativo. Procurou-se que este introduzisse uma sobrecarga mínima de modo a poder ser incluído em nodos de baixo poder computacional. Neste trabalho, é apresentado um simulador, SimHol, para prever o cumprimento temporal da transmissão de mensagens e da execução das tarefas num sistema distribuído. As entradas para o simulador são os chamados fluxos de dados, que incluem as tarefas produtoras, as mensagens correspondentes e as tarefas que utilizam os dados transmitidos. Utilizando o tempo de execução no pior caso e o tempo de transmissão, o simulador é capaz de verificar se os limites temporais são cumpridos em cada nodo do sistema e na rede.In distributed systems the communication paradigm used for intertask interaction is the message exchange. Several approaches have been proposed that allow the specification of the data flow between tasks, but in real-time systems a more accurate definition of these data flows is mandatory. Namely, the specification of the required tasks’ and messages’ parameters and the derivation of the unspecified parameters have to be possible. Such an approach could allow an automatic scheduling and dispatching of tasks and messages or, at least, could reduce the number of iterations during the system’s design. The data streams present a possible approach to the holistic scheduling and dispatching in real-time distributed systems where different types of analysis that correlate the various parameters are done. The results can be used to define the level of buffering that is required at each node of the distributed system. In FTT-based distributed systems it is possible to implement a centralized holistic scheduling, taking into consideration the interdependences between producer/consumer tasks and messages. A set of constraints that guarantee the system feasibility can then be derived from tasks and messages’ parameters such as the periods and execution/transmission times. In this thesis the net-centric perspective, i.e., the one in which the scheduling of messages is done prior to the scheduling of tasks, and the node-centric perspectives are studied. A simple mechanism to dispatch tasks and messages for CAN-based distributed systems is also proposed in this work. This mechanism extends the one that exists in the FTT for the dispatching of messages. The study of the implementation of this mechanism in the nodes gave birth to the specification of a kernel. A goal for this kernel was to achieve a low overhead so that it could be included in nodes with low processing power. In this work a simulator to preview the timeliness of the transmission of messages and of the execution of tasks in a distributed system is presented. The inputs to the simulator are the so-called data streams, which include the producer tasks, the correspondent messages and the tasks that use the transmitted data. Using the worst-case execution time and transmission time, the simulator is able to verify if deadlines are fulfilled in every node of the system and in the network.Escola Superior de Tecnologia de Castelo BrancoPRODEP III, eixo 3, medida 5, acção 5.3FCTSAPIENS99 - POSI/SRI/34244/99IEETA da Universidade de AveiroARTIST - European Union Advanced Real Time System