SECURE MESSAGE FILTERING TO VEHICLE ELECTRONIC CONTROL UNITS WITH SECURE PROVISIONING OF MESSAGE FILTERING RULES

US 20160359903A1
Filed: 08/15/2016
Published: 12/08/2016
Est. Priority Date: 12/01/2011
Status: Abandoned Application

First Claim

Patent Images

1. A system, comprising:

a bus controller configured to communicatively couple to one or more vehicle-based electronic control units (ECUs) via a first bus, the bus controller configured to;

receive a plurality of unfiltered bus messages for transmission via the first bus;

identify at least one bus message of the plurality of bus messages as unauthorized for transmission via the first bus based on one or more message filtering rules, the message filtering rules being configured to identify potentially malicious code for altering operation of a vehicle;

filter the plurality of bus messages to remove the at least one identified unauthorized bus message; and

send each of the filtered plurality of bus messages via the first bus.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method according to one embodiment includes the operations of configuring a host processor to receive a message filtering rule, the host processor associated with a vehicle; configuring a bus controller to verify authenticity of the message filtering rule, wherein the bus controller is programmed through an interface, the interface inaccessible from the host processor; filtering messages from the host processor using the verified message filtering rule, wherein the filtering is performed by the bus controller; and transmitting the filtered messages from the bus controller over a bus to one or more electronic control units (ECUs), the ECUs communicatively coupled to the bus.

7 Citations

View as Search Results

20 Claims

1. A system, comprising:
- a bus controller configured to communicatively couple to one or more vehicle-based electronic control units (ECUs) via a first bus, the bus controller configured to;
  
  receive a plurality of unfiltered bus messages for transmission via the first bus;
  
  identify at least one bus message of the plurality of bus messages as unauthorized for transmission via the first bus based on one or more message filtering rules, the message filtering rules being configured to identify potentially malicious code for altering operation of a vehicle;
  
  filter the plurality of bus messages to remove the at least one identified unauthorized bus message; and
  
  send each of the filtered plurality of bus messages via the first bus.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The system of claim 1, further comprising:
    - a host processor associated with a vehicle, the host processor configured to receive an encrypted new or updated message filtering rule produced by a rule authenticating entity and a trusted manifest associated with the encrypted new or updated message filtering rule.
  - 3. The system of claim 2, wherein the bus controller is configured to receive the plurality of bus messages from the host processor, and wherein filtering the plurality of bus messages by the bus controller further includes using one or more message filtering rules from a message filtering rule data repository to filter the plurality of bus messages, and wherein filtering the plurality of bus messages includes generating filtered messages by removing unfiltered messages that potentially include malicious code for altering operation of the vehicle using the one or more message filtering rules, and sending the filtered messages to at least one of the one or more vehicle-based ECUs via the first bus.
  - 4. The system of claim 2, wherein the bus controller is further configured to:
    - perform authentication operations to verify the authenticity of the encrypted new or updated message filtering rule with the trusted manifest and a trusted rule-signing key; and
      
      when the encrypted new or updated message filtering rule is determined to be authentic, decrypt the encrypted new or updated message filtering rule using a combination of the trusted manifest and the trusted rule-signing key to produce a decrypted new or updated message filtering rule, and updating a message filtering rule data repository with the decrypted new or updated message filtering rule; and
      
      wherein the bus controller is programmable through an interface that is inaccessible to the host processor.
  - 5. The system of claim 4, wherein the bus controller comprises a Field Programmable Gate Array (FPGA) and the programming interface comprises a Joint Test Action Group (JTAG) interface.
  - 6. The system of claim 2, wherein when the encrypted new or updated message filtering rule is determined to not be authentic, the bus controller ignores the encrypted new or updated message filtering rule.
  - 7. The system of claim 2, wherein when the encrypted new or updated message filtering rule is determined to not be authentic, the bus controller is configured to block messages from the host processor and signal an error.
  - 8. The system of claim 2, wherein the host processor is configured to receive the encrypted new or updated message filtering rule via a wireless connection from a source external to the vehicle.
  - 9. The system of claim 1, wherein the first bus comprises a Controller Area Network (CAN) bus.
  - 10. The system of claim 1, further comprising a host processor associated with a vehicle, wherein the host processor comprises an In-Vehicle Infotainment (IVI) platform.

11. A method comprising:
- receiving, by a bus controller, a plurality of unfiltered bus messages for transmission via a first bus to one or more vehicle-based electronic control units (ECUs);
  
  identifying, by the bus controller, at least one bus message of the plurality of bus messages as unauthorized for transmission via the first bus based on one or more message filtering rules, the message filtering rules being configured to identify potentially malicious code for altering operation of a vehicle;
  
  filtering, by the bus controller, the plurality of bus messages to remove the at least one identified unauthorized bus message; and
  
  sending, by the bus controller, each of the filtered plurality of bus messages via the first bus.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The method of claim 11, further comprising:
    - receiving, by a host processor associated with a vehicle, an encrypted new or updated message filtering rule produced by a rule authenticating entity and a trusted manifest associated with the encrypted new or updated message filtering rule.
  - 13. The method of claim 12, further comprising receiving, by the bus controller, the plurality of bus messages from the host processor, and wherein filtering the plurality of bus messages by the bus controller further includes using one or more message filtering rules from a message filtering rule data repository to filter the plurality of bus messages, and wherein filtering the plurality of bus messages includes generating filtered messages by removing unfiltered messages that potentially include malicious code for altering operation of the vehicle using the one or more message filtering rules.
  - 14. The method of claim 12, further comprising:
    - performing, by the bus controller, authentication operations to verify the authenticity of the encrypted new or updated message filtering rule with the trusted manifest and a trusted rule-signing key; and
      
      when the encrypted new or updated message filtering rule is determined to be authentic, decrypting, by the bus controller, the encrypted new or updated message filtering rule using a combination of the trusted manifest and the trusted rule-signing key to produce a decrypted new or updated message filtering rule, andupdating, by the bus controller, a message filtering rule data repository with the decrypted new or updated message filtering rule,wherein the bus controller is programmable through an interface that is inaccessible to the host processor.
  - 15. The method of claim 12, wherein when the encrypted new or updated message filtering rule is determined to not be authentic, blocking, by the bus controller, messages from the host processor and signal an error.

16. A non-transitory computer-readable storage medium having instructions stored thereon which when executed by at least one processor cause a process to be carried out, the process comprising:
- receiving a plurality of unfiltered bus messages for transmission via a first bus to one or more vehicle-based electronic control units (ECUs);
  
  identifying at least one bus message of the plurality of bus messages as unauthorized for transmission via the first bus based on one or more message filtering rules, the message filtering rules being configured to identify potentially malicious code for altering operation of a vehicle;
  
  filtering the plurality of bus messages to remove the at least one identified unauthorized bus message; and
  
  sending each of the filtered plurality of bus messages via the first bus.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The non-transitory computer-readable storage medium of claim 16, wherein the process further comprises receiving the plurality of bus messages from a host processor, and wherein filtering the plurality of bus messages further includes using one or more message filtering rules from a message filtering rule data repository to filter the plurality of bus messages.
  - 18. The non-transitory computer-readable storage medium of claim 16, wherein filtering the plurality of bus messages includes generating filtered messages by removing unfiltered messages that potentially include malicious code for altering operation of the vehicle using the one or more message filtering rules.
  - 19. The non-transitory computer-readable storage medium of claim 16, receiving an encrypted new or updated message filtering rule.
  - 20. The non-transitory computer-readable storage medium of claim 19, wherein the process further comprises:
    - when the encrypted new or updated message filtering rule is determined to not be authentic, blocking messages from a host processor and signaling an error.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Lortz, Victor B., Rathi, Somya, Rangarajan, Anand P., Kesavan, Vijay Sarathi

Application Number

US15/236,557
Publication Number

US 20160359903A1
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 15/177   Initialisation or configura...

H04L 63/0263   Rule management

H04L 63/123   received data contents, e.g...

H04L 63/126   the source of the received ...

H04L 63/1466   Active attacks involving in...

H04L 67/12   specially adapted for propr...

H04L 67/34   involving the movement of s...

H04L 9/3247   involving digital signatures

H04W 4/80   Services using short range ...

SECURE MESSAGE FILTERING TO VEHICLE ELECTRONIC CONTROL UNITS WITH SECURE PROVISIONING OF MESSAGE FILTERING RULES

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

7 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SECURE MESSAGE FILTERING TO VEHICLE ELECTRONIC CONTROL UNITS WITH SECURE PROVISIONING OF MESSAGE FILTERING RULES

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

7 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links