CAN安全隐患.ppt

CAN的安全隐患An Undiscovered Safety Related Fault in CAN ---消极报错节点不能正常收发 Real bus off state of error passive node 杨福宇 Fuyu Yang Email:yfy812@163.com 成熟的CAN有问题的严重性 2006年一年CAN售出5亿片 ”CAN in Automation celebrates first 15 years”, 15-year-cia.pdf 2007年中国生产880万辆车 对安全，环保，节能的影响 引用的标准 ISO/TC 22/SC3. International standard: ISO -11898-1, 2003,”Road Vehicles-Controller Area Network (CAN) –part1: Data link layer and physical signaling” ISO/TC 22/SC3. International standard: ISO 16845, 2004 ”Road Vehicles-Controller Area Network (CAN)-Conformance test plan” Robert Bosch GmbH. CAN Specification Version 2.0, September 1991 问题的根源在标准（一） ” In order to terminate an ERROR FRAME correctly, an ’error passive’ node may need the bus to be ’bus idle’ for at least 3 bit times (if there is a local error at an ’error passive’ receiver). Therefore the bus should not be loaded to 100%.” ---Bosch CAN 2.0A 3.1.3 即使负载率小，也无法保证3bit总线空闲 问题的根源在标准（二） “A message, which is pending for transmission during the transmission of another message, is started in the first bit following INTERMISSION.” 最坏的情况是所有的消息都挂起在那里等待发送 问题的根源在标准（三） 消极报错帧分界符的长度是8位隐位 消极报错帧分界符内的显位是格式错，它要引起新的消极报错帧 ISO 16845 :7.5.6 Form error in passive error delimiter (receiver) ISO 16845 :8.5.13 Form error in passive error delimiter (transmitter) 7.5.6内容（8.5.13相同） Purpose and limits of test case …测试设备将报错分界符的8个隐位之一用显位代替 …The LT replace one of the eight recessive bits of the error delimiter by a dominant bit. … Test case organization …在接收报错分界符时测试设备按款制造一个格式错，然后等（6+7）位再送一个显位破坏报错分界符的最后一位，被测设备在测试设备送的最后一个显位后开始一个过载帧…During the reception of the error delimiter, the LT creates a form error according to . After creating the form error, the LT waits for (6+7) bit time before sending a dominant bit, corrupting the last bit of the error delimiter. The IUT shall generate an overload frame starting at the position following the last dominant bit sent by LT. 可能造成此类故障的情况超过Bosch预计 消极报错接收节点的本地故障引起（Bosch提到） 消极报错发送节点的本地故障引起 偶尔主动报错节点的本地故障引