CN117724734A - Computer-implemented method for updating software in a device for mitigating software manipulation - Google Patents


Info

Publication number
CN117724734A
Authority
CN
China
Legal status
Pending
Application number
CN202311208567.3A
Other languages
Chinese (zh)
Inventor
M·科内布
L·哈拉切克
M·尧斯
Current Assignee
Robert Bosch GmbH
Original Assignee
Robert Bosch GmbH

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 8/00 Arrangements for software engineering
    • G06F 8/60 Software deployment
    • G06F 8/65 Updates
    • B PERFORMING OPERATIONS; TRANSPORTING
    • B60 VEHICLES IN GENERAL
    • B60R VEHICLES, VEHICLE FITTINGS, OR VEHICLE PARTS, NOT OTHERWISE PROVIDED FOR
    • B60R 16/00 Electric or fluid circuits specially adapted for vehicles and not otherwise provided for; Arrangement of elements of electric or fluid circuits specially adapted for vehicles and not otherwise provided for
    • B60R 16/02 Electric or fluid circuits specially adapted for vehicles and not otherwise provided for; Arrangement of elements of electric or fluid circuits specially adapted for vehicles and not otherwise provided for; electric constitutive elements
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/60 Protecting data
    • G06F 21/64 Protecting data integrity, e.g. using checksums, certificates or signatures


Abstract

The present disclosure relates to a computer-implemented method of synchronizing a software reference state on a central device for mitigating software manipulations with software of a first component of a plurality of components of an on-board network of a vehicle, wherein the central device for mitigating software manipulations is part of the on-board network and is designed to mitigate software manipulations in each of the plurality of components of the on-board network. The method comprises updating the software of said first component by means of software update information and informing a central device for mitigating software manipulation of the updating of the software of said first component by means of the software update information.

Description

Computer-implemented method for updating software in a device for mitigating software manipulation
Background
Recently, vehicles have increasingly been integrated into open environments (i.e., vehicles have one or more interfaces via which data is received and/or transmitted during operation, and this data is in turn used to operate the vehicle). Furthermore, the complexity of vehicle components, and in particular of their software, is increasing.
As a result, the possibilities for manipulating the software of vehicle components become more diverse.
To address this problem, various methods have been developed to detect and in particular mitigate software manipulation (i.e., eliminate it and thereby restore a defined (safe or intact) state). For example, during a workshop stay, the manipulated software of a component (e.g. a control device) may be reset and the manipulation thus eliminated. In other techniques, software may be requested from a remote computer system, by means of which the manipulated software of a component (e.g., a control device) is reset and the manipulation thereby eliminated. In both cases, a significant period of time may elapse between detecting the manipulation and mitigating it. The operation of the vehicle during this period may be impaired (e.g., predetermined safety criteria are no longer met). Thus, new developments aim at enabling the vehicle itself to eliminate the manipulation by means of intact (i.e. non-manipulated) reference software stored in the vehicle. However, the diversification in the automotive field, particularly in software, requires periodic updating of components. Thus, there is a need for improved techniques that make mitigation by resetting software possible also in the context of new software versions.
Disclosure of Invention
A first general aspect of the present disclosure relates to a computer-implemented method of synchronizing a software reference state on a central device for mitigating software manipulations with software of a first component of a plurality of components of an on-board network of a vehicle, wherein the central device for mitigating software manipulations is part of the on-board network and is designed to mitigate software manipulations in each of the plurality of components of the on-board network. The method comprises updating the software of said first component by means of software update information and informing a central device for mitigating software manipulation of the updating of the software of said first component by means of the software update information.
A second general aspect of the present disclosure relates to a central device for mitigating software manipulation of a plurality of components of an on-board network of a vehicle.
A third general aspect of the present disclosure relates to an on-board network for a vehicle, the on-board network comprising a central device for mitigating software manipulations and a plurality of components.
A fourth general aspect of the present disclosure relates to a vehicle comprising an on-board network according to the third general aspect.
A fifth general aspect of the present disclosure relates to a computer program comprising instructions that when executed on a computer system cause the computer system to perform a computer-implemented method for synchronizing a reference state on a central device for mitigating software manipulation with software of a first component of a plurality of components of an on-board network of a vehicle.
A sixth general aspect of the present disclosure relates to a computer readable medium or signal storing and/or containing a computer program according to the fifth general aspect (or embodiments thereof).
In some cases, the techniques of the first through fourth general aspects of the present disclosure may have one or more of the following advantages.
One advantage of the techniques of the present disclosure may be that even if the software of a component that is part of an in-vehicle network is updated, the possibility of mitigating software manipulation by resetting the software is maintained. The method makes it possible to pass information to the central device for mitigating software manipulation in case the first component is updated to a new software version, e.g. via direct physical access (e.g. during a workshop visit). The method thus allows the reference software on the central device for mitigating software manipulation to be synchronized with the software of the first component. This may be advantageous for mitigating manipulation, for example in the context of network attacks. The method is advantageous, for example, in cases where regular software updates are required, which will become the rule rather than the exception in the future due to increasing digitalisation, especially in the vehicle field, since no further elaborate procedure is required to establish the software reference state on the central device for mitigating software manipulation. This may save significant time, which is advantageous both for the service provider and for the end customer, for example during workshop visits.
Due to its design, the method can be applied to various components in the in-vehicle network and is not limited to the first component described. A further advantage is scalability, i.e. the method can be applied to a larger number of components. The method can also be implemented in existing systems without modifying the hardware, which for example makes it easier to apply in older vehicles.
Some terms are used in this disclosure in the following manner:
A "component" (of an in-vehicle network) in the present disclosure has its own hardware resources, including at least a processor for executing instructions and a memory for storing at least one software component. The term "processor" also includes a multi-core processor or a plurality of individual components that take on (and, if necessary, share) the tasks of the central processing unit of the electronic device. A component may perform tasks independently (e.g., measurement tasks, monitoring tasks, control tasks, communication tasks, and/or other tasks). However, in some examples, one component may also be controlled by another component. A component may be physically delimited (e.g., have its own housing) or be integrated into a higher-level system. The component may be a control device or a communication device of the vehicle. The component may be an embedded system.
A "(dedicated) control device" is a component that controls (only) one function of the vehicle. The control device may, for example, assume engine control, brake system control or auxiliary system control. Here, the "function" may be defined at different levels of the vehicle (e.g., a single sensor or actuator may be used for one function, but a large number of modules combined into a larger functional unit may also be used).
The term "software" or "software component" may in principle denote any part of the software of a component (e.g. a control device) of the present disclosure. In particular, the software component may be a firmware component of a component of the present disclosure. "Firmware" is software embedded in (electronic) components that provides the basic functionality there. The firmware is functionally and fixedly bound to the corresponding hardware of the component (so that the firmware cannot be used without the corresponding hardware). The firmware may be stored in a non-volatile memory such as flash memory or EEPROM.
The term "update information" or "software update information" includes any data that forms a software component of a component according to the present disclosure, either directly or after a corresponding processing step. The update information may contain executable code or code to be compiled.
In this disclosure, the term "manipulation" includes any change to software, configuration, or data of a vehicle component. Such changes may be the result of an attack (i.e., a conscious impact by a third party), but may also be the result of accidental or unconscious impact.
"Mitigation" or "mitigation measures" for software manipulation may generally be understood as measures that may be used, on the one hand, to counter or eliminate the manipulation of the software or to reset the software to a pre-manipulation state. On the other hand, these measures may be used to reduce the consequences of the software manipulation for the system or for other components or parts of the system that are not involved in the manipulation, and to limit or mitigate damage to the system from the manipulation. To this end, the mitigation measures may include rules for specific events or forms of software manipulation.
A "vehicle" may be any device that transports passengers and/or cargo. The vehicle may be a motor vehicle (e.g. a passenger car or truck), but may also be a rail vehicle. The vehicle may also be a motorized, non-motorized and/or manually driven two-wheeled or three-wheeled vehicle. However, floating and flying devices may also be vehicles. The vehicle may be operated at least partially autonomously or with assistance.
An "on-board network" or "in-vehicle network" may be any internal network of the vehicle via which components of the vehicle communicate. The component itself may be part of the in-vehicle network and/or be used, for example, as a communication node or network node. In some examples, the in-vehicle network is a short-range network. The in-vehicle network may employ one or more short-range communication protocols (e.g., two or more short-range communication protocols). The short-range communication protocol may be a wireless or wired communication protocol. The short-range communication protocol may include a bus protocol (e.g., CAN, LIN, MOST, FlexRay or Ethernet). The short-range communication protocol may include a Bluetooth protocol (e.g., Bluetooth 5 or higher) or a WLAN protocol (e.g., a protocol of the IEEE 802.11 family, such as 802.11h or higher). The in-vehicle network may contain interfaces for communication with systems external to the vehicle and may thus also be integrated into other networks. However, the external system and the other network outside the vehicle are not part of the on-board network.
Drawings
Fig. 1 schematically illustrates exemplary method steps of the present disclosure.
Fig. 2 schematically illustrates components of an on-board network of a vehicle that may use the techniques of this disclosure.
Detailed Description
A computer-implemented method 100 for synchronizing a software reference state on a central device 25 for mitigating software manipulations with software of a first component 27a of a plurality of components 27a-f of an on-board network of a vehicle 20 is disclosed, wherein the central device 25 for mitigating software manipulations is part of the on-board network and is designed to mitigate software manipulations in each of the plurality of components 27a-f of the on-board network. The method comprises updating 101 the software of the first component 27a by means of the software update information 32a and informing the central device 25 for mitigating software manipulation of the updating 101 of the software of the first component 27a by means of the software update information 32a. Reference is first made to fig. 1, which shows the above and further possible steps of the method 100 (see explanation below). The steps particularly relating to the first component 27a of the plurality of components 27a-f are shown on the left side of fig. 1. The steps particularly relating to the central device 25 for mitigating software manipulation are shown on the right side of fig. 1. The vehicle 20 has a central device 25 for mitigating software manipulation, which may also detect possible manipulation. Thus, the central device is part of the on-board network (i.e. it is also part of the vehicle and moves with the vehicle). The central device 25 for mitigating software manipulation is designed to mitigate software manipulation in each of the plurality of components 21-24, 27a-f of the on-board network.
In some examples, the central device 25 for mitigating software manipulation is integrated into the central communication interface of the vehicle 20. The central communication interface may be designed to act as a data distributor for communication within the vehicle 20 and/or with the outside via the communication interfaces 21, 22. The central communication interface can support different communication protocols (for communication in the vehicle network or for communication with external systems) and/or implement security functions. In other examples, the central device 25 for mitigating software manipulation may be integrated into other components (further examples below) or may be designed as a stand-alone component.
In the example of fig. 2, a central device 25 for mitigating software manipulation is shown. In some cases, the vehicle may contain only one central device 25 for mitigating software manipulation, which is designed to mitigate manipulation of the plurality of components 21-24, 27a-f (e.g., all or a subset of the components of the vehicle for which software manipulation may be eliminated). In other examples, a vehicle may have multiple central devices for mitigating software manipulation that are part of the on-board network and that are respectively assigned to multiple components of the on-board network (i.e., manipulation of the software of the assigned components may be eliminated). In any case, however, the central device for mitigating software manipulation is separate from the assigned components. In some cases, the central device 25 for mitigating software manipulation may also be designed to mitigate manipulation of its own software and/or of the software of the component into which the central device 25 for mitigating software manipulation is integrated.
In the example of fig. 2, the plurality of components for which manipulation of software may be eliminated using the techniques of this disclosure include a plurality of control devices 27a-f. As already described, the technology of the present disclosure is not limited to the control device, but may in principle be used for each component of the on-board network of the vehicle 20. However, since the control devices 27a-f in a vehicle typically have only limited hardware resources and/or functionality, the techniques of this disclosure may be particularly advantageous for the control devices in some situations.
The central device 25 for mitigating software manipulations may be provided in addition to other such devices or as the only central device for mitigating software manipulations (see explanation above), for example, as part of a central communication interface of the on-board network. Further alternatively or additionally, the central device for mitigating software manipulation may be designed as part of the central control unit 23 of the vehicle. Further alternatively or additionally, the central device for mitigating software manipulation may be arranged as part of a head unit of an infotainment system (not shown in fig. 2) of the vehicle 20. Further alternatively or additionally, the central device 25 for mitigating software manipulation may be arranged as part of a central computer ("vehicle computer") of the on-board network (the on-board network may contain a plurality of such central computers or "vehicle computers"). The central computer ("vehicle computer") may be (significantly) more powerful than the dedicated control devices of the on-board network and may take on the tasks of a plurality of control devices.
Furthermore, the updating 101 may comprise receiving 103 the software update information 32a from the external computing unit via a physical interface or a virtual interface and adapting 104 the software of the first component 27a based on the software update information 32a.
The receiving 103 of the software update information (23c) may for example take place by means of a communication interface 21, which is for example designed to communicate wirelessly with the back-end, to receive the software update information (23c) and to forward it to the first component (27a), for example via the in-vehicle network. In one example, receiving 103 the software update information (23c) may also take place via a physical interface that may be located in the vehicle. For example, the physical interface may be a CAN interface or a JTAG (Joint Test Action Group) interface. The interface may be connected directly (e.g., via a wired connection) to the first component 27a, as illustrated by way of example in fig. 2 with interface 26. In one example, the interface may also be connected with the first component 27a via the on-board network and may be arranged in the vehicle 29 at a location spatially separated from the first component, as illustrated by interface 22 for example. The communication may take place via a bus system, for example a CAN bus (Controller Area Network). In one example, the interface 22 may be or include an OBD-II interface (On-Board Diagnostics) and/or may be connected with the on-board network, for example. For example, as shown in fig. 2, the connection between the first component 27a and the interface 22 (via the on-board network if necessary) may be routed via the central device 25 for mitigating software manipulation. In some cases, the software update information 32a may be sent (i.e., transmitted) directly to the first component 27a via the central device 25 for mitigating software manipulation without the central device confirming or temporarily storing the software update information 32a.
In one example, the software update information 32a may be contained in a data packet that is provided to the first component 27a from outside (i.e., from outside the vehicle) by means of an external computing unit. In one example, the interfaces 22, 26 may be secure interfaces, i.e. interfaces that refuse access if, for example, an external computing unit connected to the interface cannot be verified by the backend before transmitting the data (the data containing the software update information 32a).
In some examples, the software update information 32a may be contained in a software package or in a software container. The software package and/or the software container may comprise further software update information 32b-n for a plurality of components (e.g. control devices 27a-n), i.e. the software update information is provided in a bundled manner.
For example, the software update information 32a may describe the differences between an existing software version and a new software version on the first component 27a. The adaptation 104 may comprise, for example, comparing the current state of the software of the first component (27a) and compensating for the differences between the software update information (32a) and the existing software code on the first component 27a. Compensating for the differences may include, for example, overwriting an existing line of code, adding a new line of code, deleting a line of code, or changing parameters and/or variables. In some cases, the software update information 32a may comprise a completely new software version, i.e., most or all lines of code of the existing software version on the first component 27a are replaced or overwritten by lines of code of the new software version. In some cases, the software update information 32a may also replace only a portion of the existing software, or replace or overwrite only individual software packages.
Furthermore, the central device 50 for mitigating software manipulation may comprise a central persistent memory 41, wherein the central persistent memory 41 is designed to store software components 42a, 42c-n of each of the plurality of components 27a-f simultaneously. The central persistent memory 41 may be a memory that stores its information in the vehicle 20 permanently, e.g., for longer than a day or longer than a week and/or while the vehicle is stationary. In some examples, persistent memory 41 may include flash memory. In the example of fig. 2, the central device 25 for mitigating software manipulation is arranged in the central communication interface of the vehicle 20. For example, the persistent memory 41 can likewise be arranged in the communication interface and connected directly to the central device 25 for mitigating software manipulation. Even if the central device for mitigating software manipulation is arranged (additionally or alternatively) in other components, the persistent memory may additionally or alternatively be arranged in the same component. In this way, the data stored in persistent memory 41 may be used by the central device 25 for mitigating software manipulation to mitigate manipulation. However, in other examples, the central device for mitigating software manipulation and the persistent memory may also be disposed in different components of the in-vehicle network (and the central device for mitigating software manipulation may access the persistent memory via the network).
The central persistent storage 41 may be designed to store software components 42a, 42c-n for each of the plurality of components 27a-f simultaneously. To this end, persistent storage 41 may be designed to have a storage capacity of greater than 256MB (preferably greater than 5 GB). For example, if software in one or more of the plurality of components 27a-f is manipulated by an attack, the software of the one or more of the plurality of components 27a-f may be reset to a defined state by means of the software components 42a, 42c-n. For example, software components 42a, 42c-n stored in persistent storage 41 may be used to form reference states for software (e.g., firmware) for the plurality of components 27a-f.
However, if the first component 27a receives the software update information 32a, the software component 42a stored in the persistent memory 41 no longer represents a valid reference state reflecting the current state of the software of the first component 27a after the software of the first component 27a has been updated 101. The techniques of the present disclosure facilitate re-establishing a valid reference state for the software of the first component 27a. If the first component 27a receives 103 the software update information 32a, a notification 102 may be provided to the central device 25 for mitigating software manipulation to inform the central device 25 for mitigating software manipulation that the software of the first component 27a has been updated. In some cases, the notification 102 may also be performed after adapting 104 the software of the first component 27a. In one example, the notification 102 may be performed by the first component 27a (e.g., via the in-vehicle network). In some cases, the notification 102 to the central device 25 for mitigating software manipulation may be performed by an external computing unit that may be connected externally to the interface and that provides the software update information 32a (e.g., via the interface and the in-vehicle network).
In addition, the notification 102 may include forwarding 105 the software update information 32a to the central device 25 for mitigating software manipulation, and updating 106 the software component 42a in the central persistent memory 41 using the software update information 32a. Forwarding 105 may be used to inform the central device 25 for mitigating software manipulation of the scope of the software update of the first component 27a. If necessary, the software update information 32a may be forwarded 105 to the central device 25 for mitigating software manipulation via the on-board network or via a direct (wired) connection between the first component 27a and the central device 25 for mitigating software manipulation. The forwarded software update information 32a may be used to update 106 the software component 42a stored in the persistent memory 41 in the same manner as the software of the first component 27a. Updating 106 the software component 42a in the central persistent memory 41 is advantageous in that it provides a reference state for the software of the first component 27a that can be used to mitigate possible manipulation of the software of the first component 27a. For example, after the update 106, the software component 42a may be (approximately) identical to the software of the first component 27a and may thus serve as a reference state for mitigating manipulation of the software of the first component 27a.
Furthermore, the forwarding 105 of the software update information to the central device 25 for mitigating software manipulation may be performed by the external computing unit or by the first component 27a. In some cases, the first component 27a may forward 105 the software update information (e.g., via the in-vehicle network) to the central device 25 for mitigating software manipulation. For example, forwarding 105 may occur after updating 101. In some examples, forwarding 105 of the software update information may be performed and/or initiated by an external computing unit. For example, as described above and as shown in fig. 2, the connection between the first component 27a and the interface 22 (via the on-board network if necessary) may be routed via the central device 25 for mitigating software manipulation. In this case, the forwarding 105 of the software update information 32a may be performed, for example, by the external computing unit in such a way that a copy of the software update information (32a) is captured directly during its transmission to the first component 27a and used for updating 106 the corresponding software component 42a of the first component 27a.
Further, in the case that the software update information 32a has a signature, the method 100 may comprise using the signature, by the first component 27a and/or the central device 25 for mitigating software manipulation, to check 107a, b the validity of the software update information 32a. For example, the signature may include a private certificate from the backend of the company that provided the software update information 32a or the software of the first component 27a. For example, it must be possible to exclude that the software update information 32a comes from an untrusted source or from an attacker. To this end, the first component 27a and/or the central device 25 for mitigating software manipulation may check the signature and determine whether the software update information 32a comes from the source designated for providing the software update information 32a. For example, the checks 107a, b may be performed before the adaptation 104 or the update 106.
Additionally or alternatively, the method 100 may include requesting 108a, b a signature from the backend, for use by the first component 27a and/or the central device 25 for mitigating software manipulation in checking the validity of the software update information 32a. If no signature is included in the software update information 32a, the first component 27a and/or the central device 25 for mitigating software manipulation may request a signature from a back-end (e.g., the back-end of the company providing the software update information 32a) in order to check the validity of the software update information 32a. It is thereby ensured that the software update information 32a comes from the source designated for providing the software update information 32a. For example, requesting 108a, b the signature may be performed prior to the adaptation 104 or the update 106.
As already described above, the software component 42a stored in the central persistent memory 41 can be used to reset the software of the first component 27a as part of the countermeasures for mitigating manipulation of the software of the first component 27a. The software component 42a maps the reference state of the software of the first component 27a onto the central device 25 for mitigating software manipulation. The software component 42a may, for example, be used to reset the manipulated software of the first component 27a after a manipulation in the course of a cyberattack, i.e. to bring the manipulated software into a defined state, which for example corresponds to the state before the manipulation, or to the state at a specific point in time before the manipulation.
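The flow described in the preceding paragraphs (forwarding 105, validity check 107a, b, signature request 108a, b, update 106 of the reference copy 42a, and the reset countermeasure) as an added, self-contained simulation; this is illustrative code written for this page, not the patent's or Bosch's implementation. The HMAC-based "backend signature", the backend release table and all component/firmware values are constructed stand-ins.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed stand-in for the backend signature: HMAC-SHA256 under a key the
# backend shares with the vehicle. A real backend would use an asymmetric
# signature; HMAC keeps this example dependency-free.
BACKEND_KEY = b"constructed-demo-key"
# Constructed backend release table: hashes of genuine releases, consulted when
# the central device has to request 108a, b a signature the update lacks.
RELEASED = {hashlib.sha256(b"ecu-27a-fw-v2").hexdigest()}

def backend_sign(software: bytes) -> bytes:
    return hmac.new(BACKEND_KEY, software, hashlib.sha256).digest()

def request_signature_from_backend(software: bytes) -> Optional[bytes]:
    """Request 108a, b: the backend only signs software it actually released."""
    if hashlib.sha256(software).hexdigest() in RELEASED:
        return backend_sign(software)
    return None

@dataclass
class UpdateInfo:                  # software update information 32a
    component_id: str
    software: bytes
    signature: Optional[bytes] = None

@dataclass
class CentralDevice:               # central device 25
    persistent_memory: Dict[str, bytes] = field(default_factory=dict)  # memory 41

    def check_validity(self, info: UpdateInfo) -> bool:
        """Check 107a, b; fetch the signature first if the update carries none."""
        sig = info.signature or request_signature_from_backend(info.software)
        return sig is not None and hmac.compare_digest(sig, backend_sign(info.software))

    def notify_update(self, info: UpdateInfo) -> bool:
        """Forwarding 105 + update 106: the reference copy 42a is refreshed only
        after the validity check passes, so a forged update never becomes
        the reference state."""
        if not self.check_validity(info):
            return False
        self.persistent_memory[info.component_id] = info.software
        return True

    def is_manipulated(self, component_id: str, current: bytes) -> bool:
        """Compare the component's current software with its reference copy."""
        ref = self.persistent_memory[component_id]
        return not hmac.compare_digest(hashlib.sha256(ref).digest(),
                                       hashlib.sha256(current).digest())

    def reset_software(self, component_id: str) -> bytes:
        """Countermeasure: hand back the reference copy to reset the component."""
        return self.persistent_memory[component_id]
```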
The present disclosure also relates to a software-operated central device 25 for mitigating software manipulation in a plurality of components 27a-f of an on-board network of a vehicle 20, the central device being designed to perform the steps of the method 100 of the present disclosure. In some cases, the central device 25 for mitigating software manipulation may be a stand-alone device (i.e., a dedicated module with its own hardware and software resources, which is part of the in-vehicle network and can communicate with the other components of the in-vehicle network). In other cases, however, the central device for mitigating software manipulation may be integrated into another (already existing) component of the in-vehicle network. The central device for mitigating software manipulation may then be designed as a software module inserted into the software of that component. In still other cases, the central device 25 for mitigating software manipulation may include at least some dedicated hardware components while sharing the remaining hardware of the component into which it is integrated. As also described above, the other component may be a central communication interface of the in-vehicle network, a central computer ("vehicle computer"), or another component with relatively high-performance hardware.
In some examples, an existing component of the in-vehicle network (e.g., a central communication interface of the vehicle or of a vehicle domain, a central computer of the vehicle, or the head unit of the infotainment system) may be turned into the central device 25 for mitigating software manipulation by updating the software of that component of the in-vehicle network.
The central device 25 for mitigating software manipulation, or the other component into which it is integrated, may include at least a processor (with multiple cores if necessary) and a memory containing instructions which, when executed by the processor, perform the steps of the method 100 of the present disclosure.
The present disclosure also relates to an on-board network for a vehicle 20 comprising at least one central device 25 for mitigating software manipulation according to the present disclosure and a plurality of components 27a-f of the on-board network. In some cases, the central device 25 for mitigating software manipulation may detect manipulation of the software of the plurality of components 27a-f and introduce countermeasures.
The present disclosure also relates to a vehicle 20 comprising an on-board network according to the present disclosure.
Also disclosed is a computer program comprising instructions which, when executed on a computer system, cause the computer system to perform a computer-implemented method 100 for synchronizing a reference state on a central device 25 for mitigating software manipulation with the software of a first component 27a of a plurality of components 27a-f of an on-board network of a vehicle 20. The computer program may, for example, be present in interpretable or compiled form. The computer program may be loaded (even partly) into the RAM of a computer for execution, for example as a bit sequence or a byte sequence. The computer program may comprise a plurality of parts, at least one of which is executed on the first component 27a and at least one of which is executed on the central device 25 for mitigating software manipulation.
A computer-readable medium or signal storing and/or comprising the computer program, or at least a part thereof, is also disclosed. The medium may include, for example, one of RAM, ROM, EPROM, HDD, SDD …, on which the program is stored. For example, the computer-readable medium, or a part of it, may be part of the first component 27a or part of the central device 25 for mitigating software manipulation.

Claims (14)

1. A computer-implemented method (100) of synchronizing a software reference state on a central device (25) for mitigating software manipulations with software of a first component (27 a) of a plurality of components (27 a-f) of an on-board network of a vehicle (20), wherein the central device (25) for mitigating software manipulations is part of an on-board network and is designed to mitigate software manipulations in each of the plurality of components (27 a-f) of the on-board network, the method comprising:
updating (101) the software of the first component (27 a) by means of software update information (32 a), and
informing (102) the central device (25) for mitigating software manipulation of the updating (101) of the software of the first component (27 a) by means of the software update information (32 a).
2. The computer-implemented method (100) of claim 1, the updating (101) comprising
Receiving (103) the software update information (32 a) from an external computing unit via a physical interface or a virtual interface, and
adapting (104) the software of the first component (27 a) based on the software update information (32 a).
3. The computer-implemented method (100) according to claim 1 or 2, wherein the central device (50) for mitigating software manipulation comprises a central persistent memory (41), wherein the central persistent memory (41) is designed to store simultaneously software components (42 a, c-n) of each of the plurality of components (27 a-f).
4. A computer-implemented method (100) according to claim 1, 2 or 3, the notifying (102) comprising
Forwarding (105) the software update information (32 a) to the central device (25) for mitigating software manipulation, and
updating (106) a software component (42 a) in the central persistent storage (41) using the software update information (32 a).
5. The computer-implemented method (100) of claim 4, wherein forwarding (105) of the software update information to the central device (25) for mitigating software manipulation is performed by the external computing unit or the first component (27 a).
6. The computer-implemented method (100) of claim 4 or 5,
wherein the software update information (32 a) has a signature, the method further comprising using the signature by the first component (27 a) and/or the central device (25) for mitigating software manipulation to check (107 a, b) the validity of the software update information (32 a).
7. The computer-implemented method (100) of claim 4 or 5, further comprising
requesting (108 a, b) a signature from a back-end for use by said first component (27 a) and/or said central device (25) for mitigating software manipulation to check the validity of said software update information (32 a) using said signature.
8. The computer-implemented method (100) according to any one of claims 3 to 7, wherein a software component (42 a) stored in the central persistent memory (41) is used to reset software of the first component (27 a) within the scope of countermeasures for alleviating manipulation of the software of the first component (27 a).
9. The computer-implemented method (100) according to any one of claims 1 to 8, wherein the plurality of components (27 a-f) of the on-board network comprises one or more control devices, and/or wherein the first component (27 a) is a control device.
10. A software-operated central device (25) for mitigating software manipulation in a plurality of components (27 a-f) of an on-board network of a vehicle (20), the central device being designed to perform the steps of the method of any one of the preceding claims 1 to 9.
11. An on-board network for a vehicle (20), comprising:
a central device (25) for mitigating software manipulation according to claim 10, and
a plurality of components (27 a-f).
12. A vehicle (20) comprising an on-board network according to claim 11.
13. A computer program comprising instructions which, when executed on a computer system, cause the computer system to perform the computer-implemented method (100) according to any one of claims 1 to 9.
14. A computer readable medium or signal storing and/or containing a computer program according to claim 13.

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
DE102022209768.8 2022-09-16
DE102022209768.8A DE102022209768A1 (en) 2022-09-16 2022-09-16 COMPUTER-IMPLEMENTED METHOD FOR UPDATING SOFTWARE IN A DEVICE FOR MITIGATION OF SOFTWARE MANIPULATION

Publications (1)

Publication Number Publication Date
CN117724734A true CN117724734A (en) 2024-03-19

Family

ID=90202270

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311208567.3A Pending CN117724734A (en) 2022-09-16 2023-09-18 Computer-implemented method for updating software in a device for mitigating software manipulation

Country Status (2)

Country Link
CN (1) CN117724734A (en)
DE (1) DE102022209768A1 (en)

Also Published As

Publication number Publication date
DE102022209768A1 (en) 2024-04-04

Legal Events

Date Code Title Description
PB01 Publication