CN110750790B - CAN bus vulnerability detection method and device, terminal equipment and medium - Google Patents

Publication number
CN110750790B
Authority
CN
China
Prior art keywords
bus
data
data frame
detected
target automobile
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201910843042.4A
Other languages
Chinese (zh)
Other versions
CN110750790A (en)
Inventor
万振华
张海春
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Open Source Network Security Internet Of Things Technology Wuhan Co ltd
Seczone Technology Co Ltd
Original Assignee
Open Source Network Security Internet Of Things Technology Wuhan Co ltd
Seczone Technology Co Ltd
Application filed by Open Source Network Security Internet Of Things Technology Wuhan Co ltd, Seczone Technology Co Ltd
Priority to CN201910843042.4A
Publication of CN110750790A
Application granted
Publication of CN110750790B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/22 Detection or location of defective computer hardware by testing during standby operation or during idle time, e.g. start-up testing
    • G06F11/2205 Detection or location of defective computer hardware by testing during standby operation or during idle time, e.g. start-up testing using arrangements specific to the hardware being tested
    • G06F11/221 Detection or location of defective computer hardware by testing during standby operation or during idle time, e.g. start-up testing using arrangements specific to the hardware being tested to test buses, lines or interfaces, e.g. stuck-at or open line faults
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/40 Bus networks
    • H04L12/40006 Architecture of a communication node
    • H04L12/40026 Details regarding a bus guardian
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/40 Bus networks
    • H04L2012/40208 Bus networks characterized by the use of a particular bus standard
    • H04L2012/40215 Controller Area Network CAN

Landscapes

  • Engineering & Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Theoretical Computer Science (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Software Systems (AREA)
  • Quality & Reliability (AREA)
  • Small-Scale Networks (AREA)

Abstract

The invention belongs to the technical field of computers, and particularly relates to a CAN bus vulnerability detection method and device, terminal equipment and a medium. The method comprises: obtaining a first CAN bus data packet within a first predetermined time while a target automobile component is in a first predetermined state, and a second CAN bus data packet within a second predetermined time while the target automobile component is in a second predetermined state; determining data frames to be detected based on the CAN bus data packets; and sending the data frames to be detected on the CAN bus of the target automobile component, detecting the state change of the target automobile component, and determining the vulnerability detection result of the CAN bus according to that state change. Testers can thus infer the attributes of a data frame to be detected from the characteristics of the state change of the target automobile component and then determine the vulnerability detection result, with good accuracy and high efficiency.

Description

CAN bus vulnerability detection method and device, terminal equipment and medium
Technical Field
The application belongs to the technical field of computers, and particularly relates to a CAN bus vulnerability detection method and device, terminal equipment and a computer-readable storage medium.
Background
CAN is an abbreviation of Controller Area Network and is a serial communication protocol standardized internationally by ISO. In the automotive industry, CAN has gradually become the standard protocol for automotive networks. However, because CAN is a serial communication network that transmits data in plaintext, the CAN bus network is highly susceptible to network attacks, which threatens the safety of the whole automobile.
Generally, a vehicle security tester needs to spend a lot of time planning a CAN bus network attack path in order to complete the detection of CAN bus network vulnerabilities. This approach has poor accuracy and low efficiency, and can consume a large amount of manpower and material resources.
Disclosure of Invention
In view of this, embodiments of the present application provide a method and an apparatus for detecting a CAN bus vulnerability, a terminal device, and a computer readable storage medium, so as to solve the problems of poor accuracy and low detection efficiency of the existing CAN bus network vulnerability detection method.
In a first aspect of the embodiments of the present application, a CAN bus vulnerability detection method is provided, including:
when a target automobile part is in a first preset state, acquiring a first CAN bus data packet within first preset time;
when the target automobile part is in a second preset state, acquiring a second CAN bus data packet within second preset time;
determining a data frame to be detected according to the first CAN bus data packet and the second CAN bus data packet;
sending the data frame to be detected in a CAN bus of the target automobile component, and detecting the state change of the target automobile component;
and determining the vulnerability detection result of the CAN bus according to the state change of the target automobile part.
In some embodiments of the present application, before the acquiring the first CAN bus packet within the first predetermined time when the target automobile component is in the first predetermined state, the method further includes:
searching and determining the network interface position of the CAN bus in the target automobile component;
and connecting a CAN sniffer with a CAN bus in the target automobile component through the network interface position, wherein the CAN sniffer is used for acquiring a CAN bus data packet.
In some embodiments of the present application, the determining a data frame to be detected according to the first CAN bus packet and the second CAN bus packet includes:
analyzing the first CAN bus data packet and the second CAN bus data packet to obtain a first data frame set and a second data frame set;
searching each data frame in the second data frame set, and determining whether the data frame is matched with any data frame in the first data frame set;
if not, adding the data frame to a third data frame set;
and after the searching of each data frame in the second data frame set is finished, selecting N data frames from the third data frame set as the data frames to be detected, wherein N is a positive integer.
In some embodiments of the present application, after the end of searching for each data frame in the second data frame set, selecting N data frames from the third data frame set as the data frames to be detected includes:
counting the frequency of each data frame in the third data frame set;
sequencing the data frames according to the sequence of the frequency from high to low to obtain a data frame list;
and selecting the first N data frames from the data frame list as the data frames to be detected.
In some embodiments of the present application, the sending the data frame to be detected in a CAN bus of a target automobile component and detecting a state change of the target automobile component includes:
inputting the data frame to be detected into a CAN sniffer, wherein the CAN sniffer is connected with a CAN bus in a target automobile part;
sequentially sending the data frames to be detected to a CAN bus of a target automobile component according to a preset interval time;
detecting a change in state of the target automotive component during transmission of a data frame to be detected.
In some embodiments of the present application, the determining a vulnerability detection result of the CAN bus according to the state change of the target automobile component includes:
when the state change of the target automobile part is detected, determining the current data frame to be detected corresponding to the moment of the state change, and adding the current data frame to be detected, together with the state change of the target automobile part, to the vulnerability detection result of the CAN bus; and
when no state change of the target automobile part is detected, skipping the current data frame to be detected and continuing to transmit the next data frame to be detected.
In some embodiments of the present application, after detecting the state change of the target automobile part during the transmission of the data frame to be detected, the method further includes:
after all the data frames to be detected are sent, if the state change times of the target automobile part are lower than a preset threshold value, removing the detected data frames from the data frames to be detected;
and adding undetected data frames in the third data frame set into the data frames to be detected, and sequentially sending the detected data frames to a CAN bus of a target automobile component for secondary test according to preset interval time.
In a second aspect of the embodiments of the present application, a CAN bus vulnerability detection device is provided, including:
the first data acquisition unit is used for acquiring a first CAN bus data packet within first preset time when the target automobile component is in a first preset state;
the second data acquisition unit is used for acquiring a second CAN bus data packet within second preset time when the target automobile component is in a second preset state;
the data analysis unit is used for determining a data frame to be detected according to the first CAN bus data packet and the second CAN bus data packet;
the transmitting unit is used for transmitting the data frame to be detected in a CAN bus of a target automobile component and detecting the state change of the target automobile component;
and the determining unit is used for determining the vulnerability detection result of the CAN bus according to the state change of the target automobile component.
Optionally, the CAN bus vulnerability detection device further includes:
the searching unit is used for searching and determining the network interface position of the CAN bus in the target automobile component;
and the connecting unit is used for connecting the CAN sniffer with the CAN bus in the target automobile part through the network interface position, and the CAN sniffer is used for acquiring a CAN bus data packet.
Optionally, the data parsing unit may include:
the data analysis subunit is used for analyzing the first CAN bus data packet and the second CAN bus data packet to obtain a first data frame set and a second data frame set;
the searching and matching subunit is used for searching each data frame in the second data frame set and determining whether the data frame is matched with any data frame in the first data frame set;
an adding subunit, configured to add the data frame to a third set of data frames if the data frames do not match;
and the selecting subunit is configured to select N data frames from the third data frame set as the data frames to be detected after the search for each data frame in the second data frame set is finished, where N is a positive integer.
Optionally, the sending unit may include:
the input subunit is used for inputting the data frame to be detected into a CAN sniffer, and the CAN sniffer is connected with a CAN bus in a target automobile component;
the sending detection subunit is used for sequentially sending the data frames to be detected to a CAN bus of a target automobile component according to preset interval time; detecting a change in state of the target automotive component during transmission of a data frame to be detected.
In a third aspect of the embodiments of the present application, a terminal device is provided, which includes a memory, a processor, and computer-readable instructions stored in the memory and executable on the processor, where the processor implements the steps of any one of the above CAN bus vulnerability detection methods when executing the computer-readable instructions.
In a fourth aspect of the embodiments of the present application, a computer-readable storage medium is provided, where computer-readable instructions are stored, and when executed by a processor, the computer-readable instructions implement the steps of any one of the above CAN bus vulnerability detection methods.
Compared with the prior art, the embodiments of the present application have the following advantages: when a target automobile part is in a first predetermined state, for example when an automobile door is closed, a first CAN bus data packet within a first predetermined time is acquired; when the target automobile part is in a second predetermined state, for example when the automobile door is open, a second CAN bus data packet within a second predetermined time is acquired; data frames to be detected are determined according to the first CAN bus data packet and the second CAN bus data packet; the data frames to be detected are sent on the CAN bus of the target automobile part, the state change of the target automobile part is detected, for example the automobile door changing from closed to open, and the vulnerability detection result of the CAN bus is determined according to that state change. Testers can thus infer the attributes of a data frame to be detected from the characteristics of the state change of the target automobile part and then determine the vulnerability detection result, with good accuracy and high detection efficiency.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present application, the drawings needed to be used in the embodiments or the prior art descriptions will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without inventive exercise.
Fig. 1 is a flowchart of a CAN bus vulnerability detection method in an embodiment of the present application;
Fig. 2 is a flowchart of step S130 in an embodiment of the present application;
Fig. 3 is a flowchart of step S1304 in an embodiment of the present application;
Fig. 4 is a flowchart of a CAN bus vulnerability detection method according to another embodiment of the present application;
Fig. 5 is a flowchart of step S140 in an embodiment of the present application;
Fig. 6 is a structural diagram of an embodiment of a CAN bus vulnerability detection device according to an embodiment of the present application;
Fig. 7 is a schematic block diagram of a terminal device in an embodiment of the present application.
Detailed Description
It will be understood that the terms "comprises" and/or "comprising," when used in this specification and the appended claims, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
It is also to be understood that the terminology used in the description of the present application herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in the specification of the present application and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
It should be further understood that the term "and/or" as used in this specification and the appended claims refers to and includes any and all possible combinations of one or more of the associated listed items.
As used in this specification and the appended claims, the term "if" may be interpreted contextually as "when", "upon" or "in response to a determination" or "in response to a detection". Similarly, the phrase "if it is determined" or "if a [ described condition or event ] is detected" may be interpreted contextually to mean "upon determining" or "in response to determining" or "upon detecting [ described condition or event ]" or "in response to detecting [ described condition or event ]".
In addition, in the description of the present application, the terms "first," "second," "third," and the like are used solely to distinguish one from another and are not to be construed as indicating or implying relative importance.
Referring to Fig. 1, a CAN bus vulnerability detection method according to an embodiment of the present application may include:
Step S110, when the target automobile part is in a first predetermined state, acquiring a first CAN bus data packet within a first predetermined time;
The target automobile component may be a door, a lamp, a trunk, or the like of an automobile, and may be determined according to actual conditions. The first predetermined state may be the normal state of the target automobile component, and may be determined according to actual conditions. For example, when the target automobile component is a door, its first predetermined state may be the closed state. The first predetermined time can be set according to actual conditions, but should be neither too long nor too short. If it is too long, too many first CAN bus data packets may be acquired, so that the whole detection process takes too much time. If it is too short, too few first CAN bus data packets may be acquired, which affects the accuracy of the detection result. For example, the first predetermined time may be set to 30 s or 60 s.
It is understood that CAN, an abbreviation of Controller Area Network, is a standardized bus system mainly used for connecting bus and truck ECUs (Electronic Control Units). The ECU is also called a trip computer, an on-board computer and the like. The CAN bus network is made up of two twisted-pair wires, CAN_H and CAN_L. The nodes on the bus communicate with differential signals. In the CAN bus network there is no master-slave distinction between nodes; all nodes have equal status. When the bus is idle, any node can send a message to the bus, and the node that sends a message to the bus first obtains the right to transmit. If several nodes send messages simultaneously, arbitration is carried out according to the ID (identity) of the ECU: the node with the higher priority obtains the right to transmit, and the smaller the ID, the higher the priority.
A packet is a unit of data in TCP/IP protocol communication, and is generally called a "data packet". A CAN bus data packet is a data packet obtained by capturing the data transmitted in a CAN network with a CAN sniffer, for example network packet analysis software such as Wireshark; such data packets can control the automobile. The first CAN bus data packet specifically refers to the CAN bus data packet acquired within the first predetermined time when the target automobile component is in the first predetermined state. For example, when the target automobile component is a door and the first predetermined state is the closed state, the data transmitted in the CAN network is captured by a CAN sniffer, such as Wireshark, within 30 s to obtain the data packet.
Step S120, when the target automobile component is in a second preset state, acquiring a second CAN bus data packet within second preset time;
It is understood that the second predetermined state may be an abnormal state of the target automobile component, and may be determined according to actual conditions. For example, when the target automobile component is a door, its second predetermined state may be the open state. The second predetermined time can be set according to actual conditions, but should be neither too long nor too short. If it is too long, too many second CAN bus data packets may be acquired, so that the whole detection process takes too much time. If it is too short, too few second CAN bus data packets are acquired, which affects the accuracy of the detection result. For example, the second predetermined time may be set to 30 s or 60 s.
Preferably, the second predetermined time is the same as the first predetermined time. For example, the first predetermined time and the second predetermined time are both 30 s. The advantage of this is that the numbers of CAN bus data packets acquired in the two captures do not differ too much, which makes it easier to analyze the two captures.
It should be noted that the division of the predetermined state of the target automobile component is only for illustration, and actually, the application does not limit the number and the variation of the predetermined state of the target automobile component, and may be determined according to a specific application scenario.
Step S130, determining a data frame to be detected according to the first CAN bus data packet and the second CAN bus data packet;
As shown in Fig. 2, in one embodiment of the present invention, step S130 includes the following steps:
Step S1301, analyzing the first CAN bus data packet and the second CAN bus data packet to obtain a first data frame set and a second data frame set;
It can be understood that the first data frame set is the set of data frames obtained by decoding the first CAN bus data packet, and the second data frame set is the set of data frames obtained by decoding the second CAN bus data packet. With network packet analysis software such as Wireshark, the data packets transmitted in the CAN network can be captured and parsed to obtain the parsed data frames.
Step S1302, searching each data frame in the second data frame set, and determining whether the data frame matches any data frame in the first data frame set;
It will be appreciated that by comparing the data frames contained in the second set of data frames with the data frames contained in the first set of data frames, the changed data frames may be determined. For example, the first set of data frames has 100 data frames, and the second set of data frames has 120 data frames. Changes in the second set of data frames relative to the first set of data frames may be determined by checking whether each of the 120 data frames in the second set of data frames is present in the first set of data frames. Specifically, information such as the content, the transmission destination address, and the transmission source address of each data frame needs to be compared to determine whether two data frames are the same. In this example, 20 data frames of the second set of data frames are not present in the first set of data frames.
Step S1303, if the data frames are not matched, adding the data frames to a third data frame set;
Continuing the above example, if 20 data frames in the second set of data frames do not appear in the first set of data frames, these 20 data frames are added to the third set of data frames. The third set of data frames is a subset of the second set of data frames.
Preferably, the third set of data frames is an empty set in its initial state. The advantage of this is that data frames already present in the third data frame set cannot interfere with subsequent steps and thereby affect the accuracy of CAN network vulnerability detection.
Step S1304, after the search of each data frame in the second data frame set is finished, selecting N data frames from the third data frame set as the data frames to be detected, where N is a positive integer.
As shown in fig. 3, in one embodiment of the present invention, step S1304 includes the following steps:
Step 13041, counting the frequency with which each data frame appears in the third data frame set;
Continuing the above example, the second set of data frames has 20 data frames, including data frames A, B, C, D, E, F, G, H. Counting the frequency of each data frame, in this example the frequencies of A, B, C, D, E, F, G, H are: 4, 2, 1, 3, 1, 5, 3, 1.
Step 13042, sorting the data frames according to the sequence of the frequency from high to low to obtain a data frame list;
Continuing the above example, the data frames in order of frequency from high to low are: F: 5, A: 4, D: 3, G: 3, B: 2, C: 1, E: 1, H: 1. The data frame list may include information such as the data frame name and the number of occurrences.
Step 13043, selecting the first N data frames from the data frame list as the data frames to be detected.
Continuing the above example, data frames are selected as the data frames to be detected in order of their number of occurrences. The data frames to be detected can be combined into a list of data frames to be detected. The value of N may be determined according to actual conditions; in this example N may be set to 5, so F, A, D, G, and B are selected as the data frames to be detected. These 5 data frames form the list of data frames to be detected.
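The following sketch works through steps S1301 to S1304 on two captures. It is an added example, not code from the patent; it assumes captures saved in the `candump` log format, treats two frames as matching when arbitration ID and payload are identical, and uses constructed sample logs and hypothetical function names.

```python
from collections import Counter
from typing import NamedTuple


class Frame(NamedTuple):
    can_id: int   # arbitration ID
    data: bytes   # payload bytes


def parse_candump(log: str) -> list:
    """S1301: decode '(timestamp) iface ID#HEXDATA' lines into frames."""
    frames = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3 or "#" not in parts[2]:
            continue  # blank or malformed line
        ident, _, payload = parts[2].partition("#")
        try:
            frames.append(Frame(int(ident, 16), bytes.fromhex(payload)))
        except ValueError:
            continue  # non-hex ID or payload (e.g. remote frame marker)
    return frames


def candidate_frames(first, second, n):
    """S1302-S1304: frames of `second` absent from `first`, ranked by frequency.

    Returns up to n (frame, count) pairs, most frequent first. Ties keep the
    order of first appearance in the second capture (sorted() is stable and
    Counter preserves insertion order).
    """
    if n < 1:
        raise ValueError("N must be a positive integer")
    first_set = set(first)
    third = [f for f in second if f not in first_set]   # third data frame set
    counts = Counter(third)                             # step 13041
    ranked = sorted(counts.items(), key=lambda kv: -kv[1])  # step 13042
    return ranked[:n]                                   # step 13043


# Constructed sample captures (not real vehicle traffic).
BASELINE_LOG = """\
(0.000000) can0 0C9#8021C0071B
(0.010000) can0 19B#00000000
(0.020000) can0 244#0000000000
(0.100000) can0 0C9#8021C0071B
(0.110000) can0 19B#00000000
"""

CHANGED_LOG = """\
(0.000000) can0 0C9#8021C0071B
(0.010000) can0 19B#00000E00
(0.020000) can0 3D1#01
(0.100000) can0 0C9#8021C0071B
(0.110000) can0 19B#00000E00
(0.120000) can0 3D1#01
(0.130000) can0 2F0#FF
(0.210000) can0 19B#00000E00
this line is malformed and is skipped
"""

if __name__ == "__main__":
    first = parse_candump(BASELINE_LOG)
    second = parse_candump(CHANGED_LOG)
    for frame, count in candidate_frames(first, second, 2):
        print(f"{frame.can_id:03X}#{frame.data.hex().upper()}  x{count}")
```

Payloads that carry a rolling counter or checksum differ on every transmission, so under exact matching they appear as new frames; a comparison on real traffic may need to mask those bytes before building the sets.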
Step S140, sending the data frame to be detected in a CAN bus of the target automobile component, and detecting the state change of the target automobile component;
As shown in Fig. 4, in an embodiment of the present application, before acquiring the first CAN bus data packet within the first predetermined time when the target automobile component is in the first predetermined state, the method further includes the following steps:
Step S100, searching for and determining the network interface position of the CAN bus in the target automobile part;
The network interface of the CAN bus is an on-board diagnostics (OBD) interface, which is generally located below the steering wheel of the automobile and above the accelerator and brake pedals. Its position differs slightly between vehicle models. The OBD interface has 16 pins,
Step S105, connecting a CAN sniffer with the CAN bus in the target automobile component through the network interface position, wherein the CAN sniffer is used for acquiring CAN bus data packets.
It should be noted that the CAN sniffer can be connected to the vehicle CAN network via the network interface of the CAN bus. A multimeter can be used when searching for the network interface position of the CAN bus. By measuring the voltage on the network lines, it can be inferred whether they are a CAN bus. For example, if the voltages of two network lines are measured to be within a predetermined range, such as 3.5 V on one and 1.5 V on the other, the two network lines may be CAN lines. Of course, methods for finding the network interface position of the CAN bus belong to the prior art, so the present application does not describe them further.
It is understood that the CAN sniffer is a software device that monitors the operation of CAN network data: it monitors network traffic in the CAN network, captures and analyzes data packets, monitors network resource utilization, enforces network security operating rules, evaluates and analyzes network data, diagnoses and repairs network problems, and so on.
As shown in fig. 5, in one embodiment of the present application, step S140 includes the steps of:
Step S1401, inputting the data frame to be detected into a CAN sniffer, wherein the CAN sniffer is connected with a CAN bus in a target automobile part;
It can be understood that the manner of inputting the data frame to be detected into the CAN sniffer may be determined according to actual situations, which is not limited in the present application.
Step S1402, the data frames to be detected are sequentially sent to a CAN bus of a target automobile component according to preset interval time;
It can be understood that the CAN sniffer may release the data frames to be detected onto the CAN bus network at a predetermined interval for the ECU controller connected to the CAN network to capture. After capturing a data frame to be detected, the ECU controller may selectively receive or respond to it and determine whether to send a corresponding execution command to the target component of the vehicle.
The predetermined interval time can be set according to actual conditions, but should not be set too long or too short. If set too long, the entire detection process may take too much time. If the setting is too short, the response of the ECU controller may not be timely, so that an erroneous detection result occurs, and the accuracy of the detection result is affected. For example, the predetermined interval time may be set to 0.5 s.
Step S1403, detecting a state change of the target automobile component during transmission of the data frame to be detected.
It should be noted that the sending period of the data frame to be detected refers to a time period from a sending start point of a certain data frame to be detected to a sending start point of a next data frame to be detected. For example, when the data frames to be detected are F, A, D, G and B in sequence, the transmission period of F is 0-0.2s, the transmission period of A is 0.2-0.4s, the transmission period of D is 0.4-0.6s, the transmission period of G is 0.6-0.8s, and the transmission period of B is 0.8-1 s.
The state change of the target automobile component means that the target automobile component changes from one state to another state. For example, when the target automobile component is a door, the door is changed from a normal state in which the door is closed to an abnormal state in which the door is opened.
Step S150, determining a vulnerability detection result of the CAN bus according to the state change of the target automobile component.
In one embodiment of the present application, step S150 includes the steps of:
when a state change of the target automobile component is detected, determining the current data frame to be detected corresponding to the moment of the state change, and adding the current data frame to be detected together with the state change of the target automobile component to the vulnerability detection result of the CAN bus; and
when no state change of the target automobile component is detected, skipping the current data frame to be detected and continuing to send the next data frame to be detected.
It will be appreciated that in a CAN bus network, each target automobile component uses an acceptance filter mechanism to receive data frames on the CAN bus network. The ECU controller is connected to the CAN network and, according to the data frame information, selectively sends each target automobile component an instruction to receive or respond to the data frame; each target automobile component then acts on that instruction, executes the corresponding action and completes the state change.
The vulnerability detection result of the CAN bus can be an information list that records the relevant information of each data frame to be detected that caused a state change of a target automobile component. For example, the list may include: data frame to be detected F, transmission period: 0-0.2s, target automobile component: door, state change: from off to on; data frame to be detected A, transmission period: 0.2-0.4s, target automobile component: vehicle lamp, state change: from off to on.
In an embodiment of the present application, after step S1403, the method further includes:
after all the data frames to be detected have been sent, if the number of state changes of the target automobile component is lower than a preset threshold, removing the already tested data frames from the data frames to be detected, and/or adding untested data frames from the third data frame set as data frames to be detected, and sequentially sending the resulting data frames to be detected to the CAN bus of the target automobile component at the predetermined interval time for a second test.
It will be appreciated that the preset threshold may be set according to the actual situation, and that different thresholds may be set for different target vehicle components. In principle, it should not be set too large or too small. For example, when the target automobile part is a door, the preset threshold is 3; when the target automotive component is a lamp, the preset threshold is 5.
It should be noted that removing the already tested data frames from the data frames to be detected means that each data frame to be detected that did not cause a state change of any target automobile component is removed from the list of data frames to be detected and is no longer used in the next test. Adding the untested data frames from the third data frame set as data frames to be detected means that the data frames in the third data frame set that have not yet been tested are added to the list of data frames to be detected and are used in the next test. For example, the data frames C, E, and H in the above example were not selected as data frames to be detected in the first test. After that test is finished, however, these three data frames may be added to the list of data frames to be detected.
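The bookkeeping of steps S1403 and S150 and of the secondary test, as an added example that is not part of the patent: each observed state change is assigned to the data frame whose transmission period contains it, and the list for the second test is rebuilt when too few changes were seen. The names `Frame`, `Finding`, `attribute` and `next_round`, the CAN IDs, payloads and event timestamps are constructed for illustration; transmission periods are treated as half-open intervals and the "and/or" of the secondary test is read as doing both.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    label: str    # letter used in the text (A..H)
    can_id: int   # constructed arbitration ID
    data: bytes   # constructed payload


@dataclass(frozen=True)
class Finding:
    frame: Frame
    period_ms: tuple  # (start, end) of the frame's transmission period
    component: str
    change: str


def attribute(sent, interval_ms, events):
    """Assign each state change to the frame whose transmission period
    [k*interval, (k+1)*interval) contains the event timestamp.

    events: iterable of (t_ms, component, old_state, new_state), with t_ms
    measured from the send start of the first frame. Events outside every
    transmission period are returned separately instead of being guessed.
    """
    findings, unattributed = [], []
    for t_ms, component, old, new in sorted(events):
        k = t_ms // interval_ms
        if t_ms < 0 or k >= len(sent):
            unattributed.append((t_ms, component, old, new))
            continue
        period = (k * interval_ms, (k + 1) * interval_ms)
        findings.append(Finding(sent[k], period, component, f"from {old} to {new}"))
    return findings, unattributed


def next_round(sent, third_set, findings, component, thresholds):
    """Return the frame list for the secondary test, or None if the number of
    state changes of `component` already reached its preset threshold."""
    hits = sum(1 for f in findings if f.component == component)
    if hits >= thresholds[component]:
        return None
    productive = {f.frame for f in findings}
    # Frames that caused no state change are dropped from the list ...
    kept = [fr for fr in sent if fr in productive]
    # ... and frames of the third set that were never sent are added.
    untested = [fr for fr in third_set if fr not in sent]
    return kept + untested


# Constructed sample data mirroring the example in the text: third set A..H,
# first test sends F, A, D, G, B with 0.2 s transmission periods.
THIRD_SET = [Frame(l, 0x100 + i, bytes([i, 0, 0, 0])) for i, l in enumerate("ABCDEFGH")]
BY_LABEL = {f.label: f for f in THIRD_SET}
SENT = [BY_LABEL[l] for l in "FADGB"]
EVENTS = [
    (120, "door", "off", "on"),    # inside F's period (0-200 ms)
    (310, "lamp", "off", "on"),    # inside A's period (200-400 ms)
    (1040, "door", "on", "off"),   # after the last period: not attributed
]
THRESHOLDS = {"door": 3, "lamp": 5}

if __name__ == "__main__":
    found, loose = attribute(SENT, 200, EVENTS)
    for f in found:
        print(f.frame.label, f.period_ms, f.component, f.change)
    print("unattributed:", loose)
    retest = next_round(SENT, THIRD_SET, found, "door", THRESHOLDS)
    print("secondary test:", [fr.label for fr in retest])
```

An event that arrives late because the ECU responded slowly falls into the following frame's period, which is the erroneous result the text warns about when the interval is set too short.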
In summary, in the embodiment of the application, when a target automobile component is in a first predetermined state, for example when the door is closed, a first CAN bus data packet is acquired within a first predetermined time; when the target automobile component is in a second predetermined state, for example when the door is open, a second CAN bus data packet is acquired within a second predetermined time; the data frames to be detected are determined according to the first CAN bus data packet and the second CAN bus data packet; the data frames to be detected are sent on the CAN bus of the target automobile component and the state change of the target automobile component is detected, for example the door changing from closed to open; and the vulnerability detection result of the CAN bus is determined according to that state change. In this way, testers can infer the attributes of a data frame to be detected from the characteristics of the state change of the target automobile component and then determine the vulnerability detection result, which gives good accuracy and high detection efficiency.
It should be understood that, the sequence numbers of the steps in the foregoing embodiments do not imply an execution sequence, and the execution sequence of each process should be determined by its function and inherent logic, and should not constitute any limitation to the implementation process of the embodiments of the present invention.
Fig. 6 shows a structural diagram of a CAN bus vulnerability detection device according to an embodiment of the present application.
In this embodiment, the CAN bus vulnerability detection device may include:
the first data acquisition unit 601 is used for acquiring a first CAN bus data packet within first preset time when the target automobile component is in a first preset state;
the second data acquisition unit 602 is configured to acquire a second CAN bus data packet within a second predetermined time when the target automobile component is in a second predetermined state;
the data analysis unit 603 is configured to determine a data frame to be detected according to the first CAN bus data packet and the second CAN bus data packet;
a sending unit 604, configured to send the data frame to be detected in a CAN bus of the target automobile component, and detect a state change of the target automobile component;
and the determining unit 605 is configured to determine a vulnerability detection result of the CAN bus according to the state change of the target automobile component.
Optionally, the CAN bus vulnerability detection device further includes:
a searching unit, configured to search for and determine the network interface position of the CAN bus in the target automobile component;
and a connecting unit, configured to connect the CAN sniffer to the CAN bus in the target automobile component through the network interface position, the CAN sniffer being used to acquire CAN bus data packets.
Optionally, the data parsing unit may include:
the data analysis subunit is used for analyzing the first CAN bus data packet and the second CAN bus data packet to obtain a first data frame set and a second data frame set;
the searching and matching subunit is used for searching each data frame in the second data frame set and determining whether the data frame is matched with any data frame in the first data frame set;
an adding subunit, configured to add the data frame to a third set of data frames if the data frames do not match;
and the selecting subunit is configured to select N data frames from the third data frame set as the data frames to be detected after the search for each data frame in the second data frame set is finished, where N is a positive integer.
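The work of the four subunits above, as an added example that is not part of the patent: two captures are parsed into data frame sets, frames of the second capture that match nothing in the first go into the third set, and the N most frequent of them become the data frames to be detected. The example assumes captures in the can-utils `candump -l` log format, treats two frames as matching when both ID and payload are equal, and uses constructed capture lines; `parse_capture` and `select_candidates` are illustrative names.

```python
import re
from collections import Counter

# One classic CAN frame per line: "(timestamp) interface ID#DATA"
LOG_LINE = re.compile(
    r"^\((?P<ts>\d+\.\d+)\)\s+(?P<iface>\S+)\s+"
    r"(?P<id>[0-9A-Fa-f]{3}|[0-9A-Fa-f]{8})#(?P<data>(?:[0-9A-Fa-f]{2}){0,8})$"
)


def parse_capture(text):
    """Return the capture as a list of (can_id, payload) tuples.

    Lines that are not classic data frames (remote frames '#R', CAN FD '##',
    blank or damaged lines) are skipped rather than guessed at.
    """
    frames = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m is None:
            continue
        frames.append((int(m["id"], 16), bytes.fromhex(m["data"])))
    return frames


def select_candidates(first_capture, second_capture, n):
    """Build the third data frame set and return its n most frequent frames
    as ((can_id, payload), count), highest count first."""
    first_set = set(parse_capture(first_capture))
    # Duplicates are kept on purpose: they are the frequency being counted.
    third_set = [f for f in parse_capture(second_capture) if f not in first_set]
    counts = Counter(third_set)
    # Ties are broken by ID and payload so the order is deterministic.
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return ranked[:n]


# Constructed captures: first state (door closed), second state (door open).
FIRST_CAPTURE = """\
(0.000000) can0 244#0000000000
(0.010000) can0 1A0#10
(0.020000) can0 244#0000000000
(0.030000) can0 3D0#FFFF
"""

SECOND_CAPTURE = """\
(5.000000) can0 244#0000000000
(5.010000) can0 19B#0000000E
(5.020000) can0 1A0#10
(5.030000) can0 19B#0000000E
(5.040000) can0 2C1#01
(5.050000) can0 19B#0000000E
(5.060000) can0 2C1#01
(5.070000) can0 244#0000000100
(5.080000) can0 19B#R
truncated line without a frame
"""

if __name__ == "__main__":
    for (can_id, payload), count in select_candidates(FIRST_CAPTURE, SECOND_CAPTURE, 2):
        print(f"{can_id:03X}#{payload.hex().upper()} seen {count}x")
```

Payloads that change on their own between the two captures (counters, sensor readings) also fail to match and enter the third set, as the `244#0000000100` frame does here.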
Optionally, the sending unit may include:
the input subunit is used for inputting the data frame to be detected into a CAN sniffer, and the CAN sniffer is connected with a CAN bus in a target automobile component;
the sending detection subunit is used for sequentially sending the data frames to be detected to a CAN bus of a target automobile component according to preset interval time; detecting a change in state of the target automotive component during transmission of a data frame to be detected.
It can be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described apparatuses, units and sub-units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the above embodiments, the descriptions of the respective embodiments have respective emphasis, and reference may be made to the related descriptions of other embodiments for parts that are not described or illustrated in a certain embodiment.
Fig. 7 shows a schematic block diagram of a terminal device according to an embodiment of the present invention, and for convenience of description, only the relevant parts related to the embodiment of the present invention are shown.
In this embodiment, the terminal device 7 may be a computing device such as a desktop computer, a notebook, a palm computer, or a cloud server. The terminal device 7 may include: a processor 70, a memory 71, and computer readable instructions 72 stored in the memory 71 and executable on the processor 70, such as computer readable instructions to perform the above-described CAN bus vulnerability detection method. The processor 70, when executing the computer readable instructions 72, implements the steps in the above-described embodiments of the CAN bus vulnerability detection method, such as the steps S110 to S150 shown in fig. 1. Alternatively, the processor 70, when executing the computer readable instructions 72, implements the functions of the modules/units in the above-described device embodiments, such as the functions of the modules 601 to 605 shown in fig. 6.
Illustratively, the computer readable instructions 72 may be partitioned into one or more modules/units that are stored in the memory 71 and executed by the processor 70 to implement the present invention. The one or more modules/units may be a series of computer-readable instruction segments capable of performing specific functions, which are used to describe the execution of the computer-readable instructions 72 in the terminal device 8.
The Processor 70 may be a Central Processing Unit (CPU), other general purpose Processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other Programmable logic device, discrete Gate or transistor logic device, discrete hardware component, etc. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
The memory 71 may be an internal storage unit of the terminal device 7, such as a hard disk or a memory of the terminal device 7. The memory 71 may also be an external storage device of the terminal device 7, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash memory Card (Flash Card), and the like, which are provided on the terminal device 7. Further, the memory 71 may also include both an internal storage unit and an external storage device of the terminal device 7. The memory 71 is used for storing the computer readable instructions and other instructions and data required by the terminal device 7. The memory 71 may also be used to temporarily store data that has been output or is to be output.
Each functional unit in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
In an exemplary embodiment of the present application, there is also provided a computer program medium having stored thereon computer readable instructions which, when executed by a processor of a computer, cause the computer to perform the method described in the above method embodiment section.
According to an embodiment of the present disclosure, there is also provided a program product for implementing the method in the above method embodiment, which may employ a portable compact disc read only memory (CD-ROM) and include program code, and may be run on a terminal device, such as a personal computer. However, the program product of the present disclosure is not limited thereto, and in this document, a readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
The program product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include: an electrical connection having one or more wires, a portable disk, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
A computer readable signal medium may include a propagated data signal with readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A readable signal medium may also be any readable medium that is not a readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Program code for carrying out operations for the present disclosure may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server. In the case of a remote computing device, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., through the internet using an internet service provider).
It should be noted that although in the above detailed description several modules or units of the device for action execution are mentioned, such a division is not mandatory. Indeed, the features and functionality of two or more modules or units described above may be embodied in one module or unit, according to embodiments of the present disclosure. Conversely, the features and functions of one module or unit described above may be further divided into embodiments by a plurality of modules or units.
Moreover, although the steps of the methods of the present disclosure are depicted in the drawings in a particular order, this does not require or imply that the steps must be performed in this particular order, or that all of the depicted steps must be performed, to achieve desirable results. Additionally or alternatively, certain steps may be omitted, multiple steps combined into one step execution, and/or one step broken down into multiple step executions, etc.
Through the above description of the embodiments, those skilled in the art will readily understand that the exemplary embodiments described herein may be implemented by software, or by software in combination with necessary hardware. Therefore, the technical solution according to the embodiments of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a USB disk, a removable hard disk, etc.) or on a network, and includes several instructions to enable a computing device (which may be a personal computer, a server, a mobile terminal, or a network device, etc.) to execute the method according to the embodiments of the present disclosure.
Other embodiments of the disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the disclosure disclosed herein. This application is intended to cover any variations, uses, or adaptations of the disclosure following, in general, the principles of the disclosure and including such departures from the present disclosure as come within known or customary practice within the art to which the disclosure pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the disclosure being indicated by the following claims.

Claims (9)

1. A CAN bus vulnerability detection method, characterized by comprising the following steps:
when a target automobile part is in a first preset state, acquiring a first CAN bus data packet within first preset time;
when the target automobile part is in a second preset state, acquiring a second CAN bus data packet within second preset time; the first bus data packet and the second bus data packet are data packets obtained by capturing data packets transmitted in a CAN network by using a CAN sniffer;
analyzing the first CAN bus data packet and the second CAN bus data packet to obtain a first data frame set and a second data frame set;
searching each data frame in the second data frame set, and determining whether the data frame is matched with any data frame in the first data frame set;
if not, adding the data frame to a third data frame set;
after searching each data frame in the second data frame set is finished, selecting N data frames from the third data frame set as data frames to be detected, wherein N is a positive integer;
sending the data frame to be detected in a CAN bus of the target automobile component by using the CAN sniffer, and detecting the state change of the target automobile component;
and determining the vulnerability detection result of the CAN bus according to the state change of the target automobile component.
2. The CAN bus vulnerability detection method according to claim 1, further comprising, before the acquiring the first CAN bus data packet within the first predetermined time when the target automobile component is in the first predetermined state:
searching and determining the network interface position of the CAN bus in the target automobile component;
and connecting a CAN sniffer with a CAN bus in the target automobile component through the network interface position, wherein the CAN sniffer is used for acquiring a CAN bus data packet.
3. The method according to claim 1, wherein the selecting N data frames from the third data frame set as the data frames to be detected after the end of searching for each data frame in the second data frame set comprises:
counting the frequency of each data frame in the third data frame set;
sequencing the data frames according to the sequence of the frequency from high to low to obtain a data frame list;
and selecting the first N data frames from the data frame list as the data frames to be detected.
4. The CAN bus vulnerability detection method according to claim 1, wherein the sending the data frame to be detected in the CAN bus of the target automobile component and detecting the state change of the target automobile component includes:
inputting the data frame to be detected into a CAN sniffer, wherein the CAN sniffer is connected with a CAN bus in a target automobile part;
sequentially sending the data frames to be detected to a CAN bus of a target automobile component according to a preset interval time;
detecting a change in state of the target automotive component during transmission of a data frame to be detected.
5. The CAN bus vulnerability detection method according to claim 1, wherein the determining the vulnerability detection result of the CAN bus according to the state change of the target automobile component includes:
when a state change of the target automobile component is detected, determining the current data frame to be detected corresponding to the moment of the state change, and adding the current data frame to be detected together with the state change of the target automobile component to the vulnerability detection result of the CAN bus; and
when no state change of the target automobile component is detected, skipping the current data frame to be detected and continuing to send the next data frame to be detected.
6. The CAN bus vulnerability detection method according to claim 5, wherein after the detecting the state change of the target automobile component during the sending of the data frame to be detected, the method further comprises:
after all the data frames to be detected have been sent, if the number of state changes of the target automobile component is lower than a preset threshold, removing the already tested data frames from the data frames to be detected;
and adding untested data frames from the third data frame set to the data frames to be detected, and sequentially sending the data frames to be detected to the CAN bus of the target automobile component at the preset interval time for a second test.
7. A CAN bus vulnerability detection device, characterized by comprising:
the first data acquisition unit is used for acquiring a first CAN bus data packet within first preset time when the target automobile component is in a first preset state;
the second data acquisition unit is used for acquiring a second CAN bus data packet within second preset time when the target automobile component is in a second preset state; the first bus data packet and the second bus data packet are data packets obtained by capturing data packets transmitted in a CAN network by using a CAN sniffer;
the data analysis unit is used for determining a data frame to be detected according to the first CAN bus data packet and the second CAN bus data packet;
the transmitting unit is used for transmitting the data frame to be detected in a CAN bus of the target automobile component by using the CAN sniffer and detecting the state change of the target automobile component;
the determining unit is used for determining the vulnerability detection result of the CAN bus according to the state change of the target automobile component;
wherein the data analysis unit comprises:
the data analysis subunit is used for analyzing the first CAN bus data packet and the second CAN bus data packet to obtain a first data frame set and a second data frame set;
the searching and matching subunit is used for searching each data frame in the second data frame set and determining whether the data frame is matched with any data frame in the first data frame set;
an adding subunit, configured to add the data frame to a third set of data frames if the data frames do not match;
and the selecting subunit is configured to select N data frames from the third data frame set as the data frames to be detected after the search for each data frame in the second data frame set is finished, where N is a positive integer.
8. A terminal device comprising a memory, a processor and computer readable instructions stored in the memory and executable on the processor, characterized in that the processor, when executing the computer readable instructions, implements the steps of the CAN bus vulnerability detection method according to any one of claims 1 to 6.
9. A computer readable storage medium storing computer readable instructions which, when executed by a processor, implement the steps of the CAN bus vulnerability detection method according to any one of claims 1 to 6.
CN201910843042.4A 2019-09-06 2019-09-06 CAN bus vulnerability detection method and device, terminal equipment and medium Active CN110750790B (en)


Publications (2)

Publication Number Publication Date
CN110750790A CN110750790A (en) 2020-02-04
CN110750790B true CN110750790B (en) 2021-09-24

Family

ID=69276097


Country Status (1)

Country Link
CN (1) CN110750790B (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant