Secure message filtering to vehicle electronic control units with secure provisioning of message filtering rules

US 9,419,802 B2
Filed: 12/01/2011
Issued: 08/16/2016
Est. Priority Date: 12/01/2011
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a host processor associated with a vehicle, said host processor configured to receive an encrypted new or updated message filtering rule produced by a rule authenticating entity and a trusted manifest associated with said encrypted new or updated message filtering rule;

a bus configured to convey messages between said host processor and one or more electronic control units (ECUs) communicatively coupled to said bus;

a bus controller configured to;

filter messages from said host processor using one or more message filtering rules in a message filtering rule data repository, wherein filtering said messages includes receiving unfiltered messages from said host processor for transmission on said bus, generating filtered messages by removing unfiltered messages that potentially include malicious code for altering operation of said vehicle using said one or more message filtering rules, and sending said filtered messages to said bus;

perform authentication operations to verify the authenticity of said encrypted new or updated message filtering rule with said trusted manifest and a trusted rule-signing key; and

when the encrypted new or updated message filtering rule is determined to be authentic, decrypt the encrypted new or updated message filtering rule using a combination of the trusted manifest and the trusted rule-signing key to produce a decrypted new or updated message filtering rule, and updating the message filtering rule data repository with said decrypted new or updated message filtering rule; and

wherein said bus controller is programmable through an interface that is inaccessible to said host processor.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method according to one embodiment includes the operations of configuring a host processor to receive a message filtering rule, the host processor associated with a vehicle; configuring a bus controller to verify authenticity of the message filtering rule, wherein the bus controller is programmed through an interface, the interface inaccessible from the host processor; filtering messages from the host processor using the verified message filtering rule, wherein the filtering is performed by the bus controller; and transmitting the filtered messages from the bus controller over a bus to one or more electronic control units (ECUs), the ECUs communicatively coupled to the bus.

28 Citations

View as Search Results

17 Claims

1. A system, comprising:
- a host processor associated with a vehicle, said host processor configured to receive an encrypted new or updated message filtering rule produced by a rule authenticating entity and a trusted manifest associated with said encrypted new or updated message filtering rule;
  
  a bus configured to convey messages between said host processor and one or more electronic control units (ECUs) communicatively coupled to said bus;
  
  a bus controller configured to;
  
  filter messages from said host processor using one or more message filtering rules in a message filtering rule data repository, wherein filtering said messages includes receiving unfiltered messages from said host processor for transmission on said bus, generating filtered messages by removing unfiltered messages that potentially include malicious code for altering operation of said vehicle using said one or more message filtering rules, and sending said filtered messages to said bus;
  
  perform authentication operations to verify the authenticity of said encrypted new or updated message filtering rule with said trusted manifest and a trusted rule-signing key; and
  
  when the encrypted new or updated message filtering rule is determined to be authentic, decrypt the encrypted new or updated message filtering rule using a combination of the trusted manifest and the trusted rule-signing key to produce a decrypted new or updated message filtering rule, and updating the message filtering rule data repository with said decrypted new or updated message filtering rule; and
  
  wherein said bus controller is programmable through an interface that is inaccessible to said host processor.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system of claim 1, wherein when said encrypted new or updated message filtering rule is determined to not be authentic, said bus controller ignores said encrypted new or updated message filtering rule.
  - 3. The system of claim 1, wherein when said encrypted new or updated message filtering rule is determined to not be authentic, said bus controller is configured to block messages from said host processor and signal an error.
  - 4. The system of claim 1, wherein said bus controller comprises a Field Programmable Gate Array (FPGA) and said programming interface comprises a Joint Test Action Group (JTAG) interface.
  - 5. The system of claim 1, wherein said bus comprises a Controller Area Network (CAN) bus.
  - 6. The system of claim 1, wherein said host processor comprises an In-Vehicle Infotainment (IVI) platform.
  - 7. The system of claim 1, wherein host processor is configured to receive said encrypted new or updated message filtering rule via a wireless connection from a source external to said vehicle.

8. A method, comprising:
- receiving, with a host processor associated with a vehicle, an encrypted new or updated message filtering rule produced by a rule authoring entity and a trusted manifest associated with the encrypted new or updated message filtering rule;
  
  filtering, with a bus controller of said vehicle, messages from said host processor based on message filtering rules in a message filtering data repository, wherein filtering said messages includes receiving unfiltered messages from said host processor for transmission on a bus, generating filtered messages by removing unfiltered messages that potentially include malicious code for altering operation of said vehicle using said one or more message filtering rules, and sending said filtered messages to said bus;
  
  transmitting said filtered messages from said bus controller over said bus to one or more ECUs, said ECUs communicatively coupled to said bus;
  
  performing, with said bus controller, authentication operations to verify the authenticity of said encrypted new or updated message filtering rule at least in part with said trusted manifest and a trusted rule-signing key;
  
  when said authentication operations determine that the encrypted new or updated message filtering rule is authentic;
  
  decrypting said encrypted new or updated message filtering rule with said bus controller and using a combination of said trusted manifest and said trusted rule-signing key, thereby producing a decrypted new or updated message filtering rule; and
  
  updating said message filtering data repository with said decrypted new or updated message filtering rule;
  
  wherein said bus controller is programmable through an interface that is inaccessible by said host processor.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The method of claim 8, wherein the method further comprises:
    - ignoring, with said bus controller, said encrypted new or updated message filtering rule when it is determined that the encrypted new or updated message filtering rule is not authentic.
  - 10. The method of claim 8, further comprising:
    - when said encrypted new or updated message filtering rule is determined to not be authentic, blocking messages from said host processor with said bus controller and signaling an error.
  - 11. The method of claim 8, wherein said bus controller comprises a Field Programmable Gate Array (FPGA) and said programming interface comprises a Joint Test Action Group (JTAG) interface.
  - 12. The method of claim 8, wherein said bus comprises a Controller Area Network (CAN) bus.
  - 13. The method of claim 8, wherein said host processor comprises an In-Vehicle Infotainment (IVI) platform.
  - 14. The method of claim 8, wherein said receiving is accomplished at least in part via a wireless connection between said host processor and a source external to said vehicle.

15. A non-transitory computer-readable storage medium having instructions stored thereon which when executed by a processor result in the following operations comprising:
- receiving, with a host processor associated with a vehicle, an encrypted new or updated message filtering rule produced by a rule authoring entity and a trusted manifest associated with the encrypted new or updated message filtering rule, wherein filtering said messages includes receiving unfiltered messages from said host processor for transmission on a bus, generating filtered messages by removing unfiltered messages that potentially include malicious code for altering operation of said vehicle using said one or more message filtering rules, and sending said filtered messages to said bus;
  
  filtering, with a bus controller of said vehicle, messages from said host processor based on message filtering rules in a message filtering data repository;
  
  transmitting said filtered messages from said bus controller over said bus to one or more ECUs, said ECUs communicatively coupled to said bus;
  
  performing, with said bus controller, authentication operations to verify the authenticity of said encrypted new or updated message filtering rule at least in part with said trusted manifest and a trusted rule-signing key;
  
  when said authentication operations determine that the encrypted new or updated message filtering rule is authentic;
  
  decrypting said encrypted new or updated message filtering rule with said bus controller and using a combination of said trusted manifest and said trusted rule-signing key, thereby producing a decrypted new or updated message filtering rule; and
  
  updating said message filtering data repository with said decrypted new or updated message filtering rule;
  
  wherein said bus controller is programmable through an interface that is inaccessible by said host processor.
- View Dependent Claims (16, 17)
- - 16. The non-transitory computer-readable storage medium of claim 15, wherein said operations further comprise:
    - ignoring, with said bus controller, said encrypted new or updated message filtering rule when it is determined that the encrypted new or updated message filtering rule is not authentic.
  - 17. The non-transitory computer-readable storage medium of claim 15, wherein said operations further comprise:
    - when said encrypted new or updated message filtering rule is determined to not be authentic, blocking messages from said host processor with said bus controller and signaling an error.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Lortz, Victor B., Rathi, Somya, Rangarajan, Anand P., Kesavan, Vijay Sarathi
Primary Examiner(s)
Gee, Jason K

Application Number

US13/992,304
Publication Number

US 20140195808A1
Time in Patent Office

1,720 Days
Field of Search

713/170
US Class Current

1/1
CPC Class Codes

G06F 15/177   Initialisation or configura...

H04L 63/0263   Rule management

H04L 63/123   received data contents, e.g...

H04L 63/126   the source of the received ...

H04L 63/1466   Active attacks involving in...

H04L 67/12   specially adapted for propr...

H04L 67/34   involving the movement of s...

H04L 9/3247   involving digital signatures

H04W 4/80   Services using short range ...

Secure message filtering to vehicle electronic control units with secure provisioning of message filtering rules

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

28 Citations

17 Claims

Specification

Use Cases

Quick Links

Others

Secure message filtering to vehicle electronic control units with secure provisioning of message filtering rules

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

28 Citations

17 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others