1. Technical Field
The present disclosure relates to a technique for sensing and handling fraudulent frames transmitted within an in-vehicle network over which electronic control units perform communication.
2. Description of the Related Art
Systems in recent automobiles accommodate multiple devices called electronic control units (ECUs). A network connecting these ECUs is called an in-vehicle network. There exist multiple in-vehicle network standards. Among all these standards, a standard called CAN (Controller Area Network) specified in ISO 11898-1 is one of the most mainstream in-vehicle network standards (see CAN Specification 2.0 Part A, [online], CAN in Automation (CiA), [searched Nov. 14, 2014], the Internet (URL:http://www.can-cia.org/fileadmin/cia/specifications/CAN20A.pdf)).
In CAN, each communication path is constituted by two buses, and ECUs connected to the buses are referred to as nodes. Each node connected to a bus transmits and receives messages called frames. A transmitting node that is to transmit a frame applies voltages to the two buses to generate a potential difference between them, thereby transmitting the value “1”, called recessive, and the value “0”, called dominant. When a plurality of transmitting nodes transmit recessive and dominant values at exactly the same time, the dominant value takes priority and is the value transmitted. A receiving node transmits a frame called an error frame if the format of a received frame is anomalous. In an error frame, 6 consecutive dominant bits are transmitted to notify the transmitting node or any other receiving node of the frame anomaly.
In CAN, furthermore, there is no identifier that designates a transmission destination or a transmission source. A transmitting node transmits frames each assigned an ID called a message ID (that is, sends signals to a bus), and each receiving node receives only frames having a message ID determined in advance (that is, reads signals from the bus). In addition, the CSMA/CA (Carrier Sense Multiple Access/Collision Avoidance) scheme is adopted, and when a plurality of nodes transmit simultaneously, arbitration based on message IDs is performed so that a frame with a smaller message ID value is transmitted preferentially.
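The arbitration rule described above can be traced bit by bit. The following sketch is an added example, not part of the original disclosure; it assumes standard 11-bit message IDs and nodes that begin transmitting at the same instant, and the sample IDs are constructed. Note that the outcome depends only on the message ID, since the frame carries nothing that identifies its sender.

```python
# Added illustration: bitwise arbitration on a CAN bus (standard 11-bit IDs).
# The bus behaves as a wired-AND: dominant (0) overrides recessive (1).
DOMINANT, RECESSIVE = 0, 1
ID_BITS = 11  # assumed: standard-format message ID length


def id_to_bits(message_id):
    """Return the 11 ID bits, most significant bit first, as sent on the bus."""
    if not 0 <= message_id < (1 << ID_BITS):
        raise ValueError("message ID does not fit in 11 bits")
    return [(message_id >> shift) & 1 for shift in range(ID_BITS - 1, -1, -1)]


def arbitrate(message_ids):
    """Simulate arbitration among nodes that start transmitting together.

    Returns (winning_id, bus_bits, dropped), where dropped maps each losing
    ID to the bit position at which that node stopped transmitting.
    """
    if not message_ids:
        raise ValueError("at least one transmitting node is required")
    # Identical IDs cannot be separated by arbitration, so set() merges them.
    contenders = {mid: id_to_bits(mid) for mid in set(message_ids)}
    bus_bits, dropped = [], {}
    for pos in range(ID_BITS):
        # The bus level is dominant if any remaining node drives dominant.
        level = min(bits[pos] for bits in contenders.values())
        bus_bits.append(level)
        # A node that sent recessive but reads dominant has lost and backs off.
        for mid in [m for m, b in contenders.items() if b[pos] != level]:
            dropped[mid] = pos
            del contenders[mid]
    (winner,) = contenders  # exactly one distinct ID remains
    return winner, bus_bits, dropped


if __name__ == "__main__":
    # Constructed sample IDs, not taken from any real vehicle.
    winner, bus, lost = arbitrate([0x2A0, 0x123, 0x125])
    print(f"winner=0x{winner:03X} bus={''.join(map(str, bus))} lost={lost}")
```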
Incidentally, if a fraudulent node is connected to a bus in an in-vehicle network and transmits a frame fraudulently, the vehicle body may be controlled fraudulently. In order to block such control caused by fraudulent frame transmission, there is generally known a technique for adding a message authentication code (MAC) to the data field in a CAN frame before transmission (see Japanese Unexamined Patent Application Publication No. 2013-98719).
However, the data length of a MAC that can be stored in the data field of a CAN frame can hardly be said to be sufficiently long. There is thus a concern that a fraudulent node connected to the bus could mount a brute-force attack or the like on the MAC.