Automotive ECU controller and data network having security features for protection from malware transmission
First Claim
1. A system for data communication for the operation of an automobile, the system comprising:
the automobile, the automobile comprising:
a first electronic control unit (ECU) being directly accessible to external networks that are outside of the automobile;
a second ECU that is not directly accessible to the external networks that are outside of the automobile;
a control area network (CAN) bus that communicably couples the first ECU and the second ECU such that the first ECU and the second ECU can pass data communications within the automobile;
wherein the first ECU that is directly accessible to the external networks that are outside of the automobile is configured to:
operate either in a normal mode or in a first safe-mode, wherein:
the normal mode and first safe-mode are defined in a security policy for the first ECU, and the first safe-mode restricts the actions of the first ECU more than the normal mode based on predefined permitted contexts, wherein at least one of the predefined permitted contexts defines whether software changes to the first ECU are permitted;
while operating in the normal mode, detect an attempted attack on the automobile;
responsive to detecting the attempted attack on the automobile, determine that the detected attempted attack is indicative of attempted malicious execution by malware;
responsive to determining that the detected attempted attack is indicative of attempted malicious execution by malware, change modes from the normal mode to the first safe-mode;
responsive to determining that the detected attempted attack is indicative of attempted malicious execution by malware, transmit over the CAN bus a safe-mode alert;
wherein the second ECU that is not directly accessible to the external networks that are outside of the automobile is configured to:
operate in either the normal mode or a second safe-mode, wherein:
the normal mode and second safe-mode are defined in a security policy for the second ECU, and the second safe-mode restricts the actions of the second ECU more than the normal mode, and the second safe-mode comprises different security policies than the first safe-mode;
while operating in the normal mode, receive the safe-mode alert from the first ECU over the CAN bus; and
responsive to receiving the safe-mode alert, change modes from the normal mode to the second safe-mode.
Abstract
In one implementation, a method for providing security on controllers includes detecting, by a given controller, an attempted security attack on the given controller; in response to detecting the attempted attack, entering a safe mode of operation for the given controller in which at least one process performed by the given controller is restricted such that the at least one process is performed only when a current context of the controller matches a permitted context that is associated with the given controller; in response to detecting the attempted attack, transmitting a safe mode alert to one or more other controllers; and for at least one of the one or more other controllers, in response to receiving the safe mode alert, entering a safe mode of operation for the other controller.
19 Claims
1. A system for data communication for the operation of an automobile, the system comprising: (text identical to the First Claim above)
View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
16. A system for data communication for the operation of an automobile, the system comprising:
a first electronic control unit (ECU) configured to be placed within an automobile, the first ECU being directly accessible to external networks that are outside of the automobile;
a second ECU that is not directly accessible to the external networks that are outside of the automobile;
wherein the first ECU and the second ECU are configured to connect to a control area network (CAN) bus that communicably couples the first ECU and the second ECU such that the first ECU and the second ECU can pass data communications within the automobile;
wherein the first ECU that is directly accessible to the external networks that are outside of the automobile is configured to:
operate either in a normal mode or in a first safe-mode, wherein:
the normal mode and first safe-mode are defined in a security policy for the first ECU, and the first safe-mode restricts the actions of the first ECU more than the normal mode based on predefined permitted contexts, wherein at least one of the predefined permitted contexts defines whether software changes to the first ECU are permitted;
while operating in the normal mode, detect an attempted attack on the automobile;
responsive to detecting the attempted attack on the automobile, determine that the detected attempted attack is indicative of attempted malicious execution by malware;
responsive to determining that the detected attempted attack is indicative of attempted malicious execution by malware, change modes from the normal mode to the first safe-mode;
responsive to determining that the detected attempted attack is indicative of attempted malicious execution by malware, transmit over the CAN bus a safe-mode alert;
wherein the second ECU is configured to:
operate in either the normal mode or a second safe-mode, wherein:
the normal mode and second safe-mode are defined in a security policy for the second ECU, and the second safe-mode restricts the actions of the second ECU more than the normal mode, and the second safe-mode comprises different security policies than the first safe-mode;
while operating in the normal mode, receive the safe-mode alert from the first ECU over the CAN bus; and
responsive to receiving the safe-mode alert, change modes from the normal mode to the second safe-mode.
View Dependent Claims (17, 18)
19. A method for data communication for the operation of an automobile, the system comprising:
detecting, by a first electronic control unit (ECU), an attempted attack on an automobile while operating in a normal mode, wherein:
the first ECU is configured to operate either in the normal mode or in a first safe-mode, wherein:
the normal mode and first safe-mode are defined in a security policy for the first ECU, and the first safe-mode restricts the actions of the first ECU more than the normal mode based on predefined permitted contexts, wherein at least one of the predefined permitted contexts defines whether software changes to the first ECU are permitted;
the first ECU is in the automobile and the first ECU is directly accessible to external networks that are outside of the automobile;
a second ECU is in the automobile and the second ECU is not directly accessible to the external networks that are outside of the automobile;
a control area network (CAN) bus communicably couples the first ECU and the second ECU such that the first ECU and the second ECU can pass data communications within the automobile;
responsive to detecting the attempted attack on the automobile, determining, by the first ECU, that the detected attempted attack is indicative of attempted malicious execution by malware;
responsive to determining that the detected attempted attack is indicative of attempted malicious execution by malware, changing modes, by the first ECU, from the normal mode to the first safe-mode;
responsive to determining that the detected attempted attack is indicative of attempted malicious execution by malware, transmitting, by the first ECU over the CAN bus, a safe-mode alert; and
while operating in the safe-mode, receiving, by the second ECU, the safe-mode alert from the first ECU over the CAN bus, wherein the second ECU is configured to operate in either the normal mode or a second safe-mode, wherein:
the normal mode and second safe-mode are defined in a security policy for the second ECU, and the second safe-mode restricts the actions of the second ECU more than the normal mode, and the second safe-mode comprises different security policies than the first safe-mode.
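The mechanism the abstract and the independent claims describe (an externally reachable ECU detects an indicator of malicious execution, enters a safe mode in which each process runs only when the current context is one of its permitted contexts, and broadcasts a safe-mode alert over CAN so that an internal-only ECU enters its own safe mode under a different policy) as a runnable simulation. This is an added example, not code from the patent or its assignee; the CAN arbitration id, the event kinds treated as malware indicators, the ECU names, the contexts and the policy contents are all assumptions constructed for illustration.

```python
# Constructed simulation of the two-ECU safe-mode scheme; every identifier
# and policy value below is an assumption for illustration, not the patent's.
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Set


class Mode(Enum):
    NORMAL = "normal"
    SAFE = "safe"


# Placeholder arbitration id assumed to be reserved for the safe-mode alert.
SAFE_MODE_ALERT_ID = 0x7E0

# Locally observed event kinds this example classifies as attempted malicious
# execution (assumed rule; a real ECU would use its own detection logic).
MALWARE_INDICATORS = {"code_region_write", "unexpected_control_flow"}


@dataclass
class CanFrame:
    arbitration_id: int
    data: bytes


@dataclass
class SecurityPolicy:
    # process name -> contexts in which it may still run while in safe mode;
    # a process absent from the map is blocked entirely in safe mode.
    safe_mode_permitted: Dict[str, Set[str]]


class CanBus:
    """Broadcast bus: every attached node other than the sender sees a frame."""

    def __init__(self) -> None:
        self.nodes: List["Ecu"] = []
        self.log: List[CanFrame] = []

    def attach(self, node: "Ecu") -> None:
        self.nodes.append(node)

    def transmit(self, sender: "Ecu", frame: CanFrame) -> None:
        self.log.append(frame)
        for node in self.nodes:
            if node is not sender:
                node.receive(frame)


class Ecu:
    def __init__(self, name: str, bus: CanBus, policy: SecurityPolicy,
                 external_facing: bool) -> None:
        self.name, self.bus, self.policy = name, bus, policy
        self.external_facing = external_facing   # reachable from outside the car
        self.mode = Mode.NORMAL
        self.context = "driving"                  # current operating context
        self.events: List[str] = []
        bus.attach(self)

    def may_run(self, process: str) -> bool:
        """Normal mode runs everything; safe mode runs a process only when the
        current context is one of that process's permitted contexts."""
        if self.mode is Mode.NORMAL:
            return True
        return self.context in self.policy.safe_mode_permitted.get(process, set())

    def observe(self, event_kind: str) -> bool:
        """Feed a locally observed event. Returns True when it was judged to be
        attempted malicious execution, i.e. safe mode was entered and an alert sent."""
        self.events.append(event_kind)
        if self.mode is not Mode.NORMAL or event_kind not in MALWARE_INDICATORS:
            return False
        self.enter_safe_mode(reason=event_kind)
        self.bus.transmit(self, CanFrame(SAFE_MODE_ALERT_ID, self.name.encode()))
        return True

    def enter_safe_mode(self, reason: str) -> None:
        self.mode = Mode.SAFE
        self.events.append(f"safe-mode:{reason}")

    def receive(self, frame: CanFrame) -> None:
        """Bus callback: a safe-mode alert moves this ECU into its own safe mode."""
        if frame.arbitration_id == SAFE_MODE_ALERT_ID and self.mode is Mode.NORMAL:
            self.enter_safe_mode(reason=f"alert-from:{frame.data.decode()}")


def build_vehicle():
    bus = CanBus()
    # Externally reachable ECU: in safe mode, software changes only in the service bay.
    telematics = Ecu("telematics", bus, SecurityPolicy({
        "software_update": {"service_bay"},
        "send_telemetry": {"driving", "parked", "service_bay"}}), external_facing=True)
    # Internal-only ECU with a different safe-mode policy of its own.
    brakes = Ecu("brakes", bus, SecurityPolicy({
        "apply_brakes": {"driving", "parked", "service_bay"},
        "diagnostic_write": {"service_bay"}}), external_facing=False)
    return bus, telematics, brakes


def run_scenario() -> dict:
    bus, telematics, brakes = build_vehicle()
    before = {"tel_update": telematics.may_run("software_update"),
              "brk_diag": brakes.may_run("diagnostic_write")}
    benign = telematics.observe("ota_session_started")   # not an indicator
    triggered = telematics.observe("code_region_write")  # indicator while driving
    after = {"tel_update": telematics.may_run("software_update"),
             "brk_diag": brakes.may_run("diagnostic_write"),
             "brk_apply": brakes.may_run("apply_brakes")}
    brakes.context = "service_bay"                       # context change re-permits
    return {"benign": benign, "triggered": triggered, "tel_mode": telematics.mode.value,
            "brk_mode": brakes.mode.value, "before": before, "after": after,
            "brk_diag_in_service": brakes.may_run("diagnostic_write"),
            "frames_on_bus": len(bus.log)}


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

The point of `may_run` is that safe mode does not simply halt the ECU: braking still works in every context, while software changes and diagnostic writes are confined to the service-bay context, which is the "permitted context" gating the claims describe. The two policies differ, matching the claim that the second safe-mode carries different security policies than the first.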
Specification