CN110460573B

CN110460573B - ECU security upgrade management system and method applied to automobile

Info

Publication number: CN110460573B
Application number: CN201910610375.2A
Authority: CN
Inventors: 肖文平; 何敖东; 王学栋; 陈斌; 张航
Original assignee: Shanghai Hinge Electronic Technologies Co Ltd
Current assignee: Heqian Automotive Technology (Shenzhen) Co.,Ltd.
Priority date: 2019-07-08
Filing date: 2019-07-08
Publication date: 2022-05-20
Anticipated expiration: 2039-07-08
Also published as: CN110460573A

Abstract

The invention provides a security upgrade management system and method applied to an automobile ECU, including a security management module, an intrusion detection module, a central gateway, a protection ECU, a vulnerability ECU, and the intrusion detection module monitors the in-vehicle network in real time. When the upgrade is attacked, the attack information can be fed back to the security management module in time. The security management module will issue control commands to the protection ECU, and the protection ECU will send the resistance strategy to the ECU that may be attacked or has been attacked to resist the attack and upgrade the upgrade. The upgrade file in the process introduces a smaller make-up package. By introducing the make-up package to replace the patch package of different historical versions, the size of the data package required for the upgrade can be greatly reduced, and the transmission time of the ECU upgrade patch package can also be saved.

Description

A system and method for safety upgrade management of automotive ECU

技术领域technical field

本发明涉及汽车ECU领域，尤其涉及一种应用于汽车ECU的安全升级管理系统及其方法。The invention relates to the field of automobile ECUs, in particular to a safety upgrade management system and a method thereof applied to the automobile ECUs.

背景技术Background technique

随着汽车的普及，越来越多的汽车进入千家万户，但由此也带来关于汽车的安全问题。近来了，许多汽车厂家以及研究结构都在推广智能汽车，使汽车趋于智能化、人性化。在汽车行业中，无人驾驶汽车和先进驾驶员辅助系统(ADAS)、ABS(防抱死制动系统)等发展已经变得今后技术的发展方向。当这些功能安装在车辆中时，汽车中的电子控制单元(ECU)的数量正在增加，控制车辆系统需要100多个ECU(电子控制单元)，这增加了软件尺寸和逻辑复杂性。此外，安装在车辆中的软件变得越来越大和越来越复杂。由于bug的存在，如果不及时修复，会发生较大的危险性。由软件引起的召回次数正在增加，一旦检测到错误就快速修复错误是非常重要的，修复和新特性的加入导致应用程序的更新升级变得非常频繁结果。目前，车辆ECU通过车辆网络连接，车辆网络用于更新ECU软件。将来，随着联网车辆越来越普及，车辆将增加新功能以提供各种服务，例如智能手机应用程序下载。但是，通过将车辆连接到互联网，它可能成为网络攻击的目标。实际上，可以通过利用无线接口利用其漏洞来远程操作车辆，并且已经存在这种情况已经发展成大规模召回。With the popularization of automobiles, more and more automobiles enter thousands of households, but this also brings about the safety problems of automobiles. Recently, many car manufacturers and research organizations are promoting smart cars, making cars more intelligent and humanized. In the automotive industry, the development of driverless cars and advanced driver assistance systems (ADAS), ABS (anti-lock braking system), etc. has become the direction of future technology development. As these functions are installed in vehicles, the number of Electronic Control Units (ECUs) in automobiles is increasing, and more than 100 ECUs (Electronic Control Units) are required to control vehicle systems, which increases software size and logic complexity. In addition, the software installed in vehicles is becoming larger and more complex. Due to the existence of bugs, if they are not fixed in time, there will be great danger. The number of recalls caused by software is increasing, it is very important to fix bugs quickly as soon as they are detected, fixes and new features are added causing updates and upgrades of applications to become very frequent as a result. Currently, vehicle ECUs are connected through the vehicle network, which is used to update the ECU software. In the future, as connected vehicles become more commonplace, new functions will be added to the vehicles to provide various services, such as smartphone app downloads. However, by connecting the vehicle to the internet, it could be the target of a cyberattack. In fact, the vehicle can be operated remotely by exploiting its vulnerabilities by exploiting the wireless interface, and there has been a situation where this has developed into a mass recall.

由于增加了新功能，纠正缺陷和应对安全风险，ECU软件更新的频率和重要性将会增加。传统的ECU软件bug修复由用户将车辆带到经销商处执行，其中工程师使用专用诊断设备通过有线连接执行修复。然而，传统方法有两个缺点。首先，在传统方法中，用户必须将汽车带到经销商处以安装新软件，并且如果软件更新的频率在将来增加，则这可能是用户的负担。其次，可以一次更新的车辆数量是有限的，因为软件更新需要专用设备和停放车辆的地方。在更新发布或在生产线上更新后，此类限制立即成为障碍。结果，执行更新所需的时间显着增加。已经开发了用于更新车载软件的空中(OTA)方法。如果可以使用无线通信(移动网络，Wi-Fi等)，则可以通过OTA进行更新。因此，可以减少由软件更新引起的负担，因为用户可以在不去经销商的情况下进行更新。另外，通过使用无线通信，可以同时更新多个车辆时间。因此，可以在不受设备数量或停放车辆数量限制的情况下执行更新。在ECU软件更新期间，如果传输速度过慢以及数据包过大，都会造成ECU软件升级所用的时间增加。此时，用户是不能进行使用车辆的。用户使用车辆是危险的。因此，在车辆停放时执行ECU软件更新。用户在软件更新期间无法使用汽车，因此有必要缩短软件更新时间。The frequency and importance of ECU software updates will increase as new functions are added, defects are corrected and security risks are addressed. Traditional ECU software bug fixes are performed by the user taking the vehicle to the dealership, where engineers perform the fix over a wired connection using dedicated diagnostic equipment. However, the traditional method has two disadvantages. First, in the conventional method, the user has to take the car to the dealership to install the new software, and this may be a burden on the user if the frequency of software updates increases in the future. Second, the number of vehicles that can be updated at one time is limited because software updates require specialized equipment and a place to park the vehicle. Such restrictions become obstacles immediately after an update is released or on the production line. As a result, the time required to perform the update increases significantly. Over-the-air (OTA) methods have been developed for updating in-vehicle software. If wireless communication is available (mobile network, Wi-Fi, etc.), the update can be done via OTA. Therefore, the burden caused by the software update can be reduced because the user can update without going to the dealer. In addition, by using wireless communication, multiple vehicle times can be updated simultaneously. Therefore, the update can be performed without being limited by the number of devices or the number of parked vehicles. During the ECU software update, if the transmission speed is too slow and the data packet is too large, the time taken for the ECU software update will increase. At this time, the user cannot use the vehicle. It is dangerous for the user to use the vehicle. Therefore, the ECU software update is performed while the vehicle is parked. The user cannot use the car during the software update, so it is necessary to shorten the software update time.

现有技术中，即使新包与旧包只有略微的差别，每次版本的升级仍下载完整的新安装包进行替换安装，这种全量更新的方式不仅浪费了较多的客户端网络流量，同时也增加了升级过程所耗费的时间。用户在这段ECU修复的时间内是无法使用车辆的，这必然给用户带来用车的不便，因此压缩ECU修复的时间是目前需要迫切解决的技术问题。同时也有必要告知车辆ECU软件的修复时间，让用户根据自己的时间安排选择合适的时间段进行升级，而压缩升级时间带来的挑战来源于尽可能的降低升级包的尺寸。另一方面，尽可能的避免系统受到黑客的攻击，当发现车内网络受到黑客攻击时，能够尽早发现，采取解决措施，从而解决将攻击受到的损害降到最低。In the prior art, even if there is only a slight difference between the new package and the old package, a complete new installation package is still downloaded for replacement and installation for each version upgrade. This full update method not only wastes a lot of client network traffic, but also. It also increases the time taken by the upgrade process. The user cannot use the vehicle during this period of ECU repair, which will inevitably bring inconvenience to the user in using the vehicle. Therefore, compressing the time for ECU repair is a technical problem that needs to be urgently solved at present. At the same time, it is also necessary to inform the repair time of the vehicle ECU software, so that users can choose a suitable time period to upgrade according to their own schedule, and the challenge of compressing the upgrade time comes from reducing the size of the upgrade package as much as possible. On the other hand, try to avoid the system from being attacked by hackers as much as possible. When it is found that the in-vehicle network is attacked by hackers, it can be discovered as soon as possible and take measures to minimize the damage to the attack.

发明内容SUMMARY OF THE INVENTION

基于现有技术中存在的缺陷，为了实现上述目的，本发明提供一种应用于汽车ECU升级文件的方法，能够解决目前升级数据包较大且升级过程中容易遭受黑客攻击的技术问题，具体为：Based on the defects in the prior art, in order to achieve the above purpose, the present invention provides a method applied to an automobile ECU upgrade file, which can solve the technical problem that the current upgrade data package is large and is easily attacked by hackers during the upgrade process. :

一种应用于汽车ECU安全升级管理方法，至少包括：A method for safety upgrade management applied to an automotive ECU, at least including:

车内的中央网关接收到来自服务器的升级文件，升级文件经中央网关传输到需要升级的ECU进行升级；The central gateway in the car receives the upgrade file from the server, and the upgrade file is transmitted to the ECU that needs to be upgraded through the central gateway for upgrade;

入侵检测模块对车内网络进行实时监控，当发现升级文件中含有攻击代码的数据包时或汽车网络受到攻击时，入侵检测模块将检测到攻击信息反馈给安全管理模块；The intrusion detection module monitors the in-vehicle network in real time. When it finds a data packet containing attack code in the upgrade file or the car network is attacked, the intrusion detection module feeds back the detected attack information to the security management module;

安全管理模块接收到来自入侵检测模块反馈的攻击信息时，安全管理模块给防护模块下发控制指令防止目标ECU被入侵；When the security management module receives the attack information fed back from the intrusion detection module, the security management module issues a control command to the protection module to prevent the target ECU from being intruded;

所述防护模块被配置为与安全模块相对应，能够根据安全模块下发的控制指令采取相应的抵抗攻击策略并发送给目标ECU；The protection module is configured to correspond to the security module, and can adopt a corresponding anti-attack strategy according to the control instruction issued by the security module and send it to the target ECU;

所述ECU包括抵抗模块，抵抗模块被配置为具有与抵抗攻击策略相匹配的功能，当目标ECU受到攻击时，ECU内的抵抗模块能够根据防护模块发出的抵抗攻击策略调用匹配应用程序进行抵抗入侵；The ECU includes a resistance module, and the resistance module is configured to have a function matching the attack resistance strategy. When the target ECU is attacked, the resistance module in the ECU can call the matching application to resist the intrusion according to the attack resistance strategy issued by the protection module. ;

所述抵抗攻击策略包括目标ECU安全重置策略、目标节点网关的安全重置策略、丢弃含有攻击代码的数据包策略；The attack resistance strategy includes the target ECU security reset strategy, the security reset strategy of the target node gateway, and the discarding data packet strategy containing the attack code;

所述攻击代码的数据包至少包括符合CAN报文格式的数据；The data packet of the attack code at least includes data conforming to the CAN message format;

防护模块被配置为防护ECU，丢弃含有攻击代码的数据包策略具体包括：安全管理模块将含有攻击代码的数据发送到安装在特定域中的防护ECU中，防护ECU将含有CAN消息标识符的攻击数据包的信息广播到同一域中的所有ECU中，ECU通过抵抗模块调用应用程序丢弃包含相应CAN消息标识符的数据包。The protection module is configured as a protection ECU, and the strategy of discarding data packets containing attack codes specifically includes: the security management module sends data containing attack codes to the protection ECU installed in a specific domain, and the protection ECU sends the attack code containing the CAN message identifier. The information of the packet is broadcast to all ECUs in the same domain, and the ECU calls the application through the resistance module to discard the packet containing the corresponding CAN message identifier.

一种应用于汽车ECU安全升级管理方法，进一步地，所述目标ECU安全重置策略包括以下步骤：A method for safety upgrade management applied to an automotive ECU, further, the target ECU safety reset strategy includes the following steps:

目标ECU接收到安全重置策略时，目标ECU自动重启后进入安全模式，所述安全模式至少包括：When the target ECU receives the safe reset policy, the target ECU automatically restarts and enters a safe mode, where the safe mode at least includes:

被配置为允许基本驾驶操作以保证车辆的安全，仅允许处理经过安全验证的CAN消息，或被配置为需要对接收的数据进行完整性检查及数据加密。Configured to allow basic driving operations to keep the vehicle safe, to only allow processing of security-validated CAN messages, or to require integrity checking and data encryption of received data.

一种应用于汽车ECU安全升级管理方法，进一步地，A safety upgrade management method applied to an automotive ECU, further,

当攻击结束时，防护ECU再次广播包含正常的相应CAN消息标识符的数据包。When the attack is over, the protection ECU again broadcasts a packet containing the normal corresponding CAN message identifier.

一种应用于汽车ECU安全升级管理方法，进一步地，当车内网络采用车载以太网进行传输并且设置节点网关与多种域进行连接，发生攻击时，安全管理模块向受到攻击的目标节点网关发送控制指令以指示目标节点网关采取抵抗攻击策略进行抵抗；A security upgrade management method applied to an automobile ECU, further, when the in-vehicle network adopts the in-vehicle Ethernet for transmission and a node gateway is set to connect with various domains, when an attack occurs, the security management module sends a message to the attacked target node gateway The control instruction is used to instruct the target node gateway to adopt the attack resistance strategy to resist;

所述抵抗攻击策略包括目标节点网关的安全重置策略，节点网关的安全重置策略包括节点网关自动重启后进入安全模式，所述节点网关的安全模式至少包括：被配置为允许基本驾驶操作以保证车辆的安全，仅允许处理经过安全验证的CAN消息，或被配置为需要对接受数据进行完整性检查以及数据加密。The attack resistance strategy includes a security reset strategy of the target node gateway, the security reset strategy of the node gateway includes entering a safe mode after the node gateway automatically restarts, and the security mode of the node gateway at least includes: being configured to allow basic driving operations to The vehicle is secured and only allows processing of security-validated CAN messages, or is configured to require integrity checking of received data and data encryption.

一种应用于汽车ECU安全升级管理方法，进一步地，所述CAN报文格式至少包括CAN消息地址、远程请求位；A method for safety upgrade management applied to an automobile ECU, further, the CAN message format includes at least a CAN message address and a remote request bit;

远程请求位用于区分远程帧和数据帧的字段，数据帧用于在CAN总线上进行数据传输，对于数据帧必须是显性，远程请求位用0表示；The remote request bit is used to distinguish the fields of the remote frame and the data frame. The data frame is used for data transmission on the CAN bus. For the data frame, it must be dominant, and the remote request bit is represented by 0;

远程帧用于发送请求并且不含有载荷数据信息，对于远程请求帧必须是隐性1，远程请求位用1表示。The remote frame is used to send a request and does not contain payload data information. It must be a recessive 1 for the remote request frame, and the remote request bit is represented by 1.

一种应用于汽车ECU安全升级管理方法，进一步地，所述丢弃含有攻击代码的数据包括以下步骤：A method for security upgrade management applied to an automobile ECU, further, the discarding of the data containing the attack code comprises the following steps:

安全管理模块下发丢弃数据包的指令给防护ECU，防护ECU将符合CAN报文格式并且含有CAN消息地址的攻击代码的数据包中的远程请求位从显性0更改为隐性1，然后再将该更改后的数据包以广播的形式发送给所有的ECU；The security management module sends an instruction to discard the data packet to the protection ECU, and the protection ECU changes the remote request bit in the data packet that conforms to the CAN message format and contains the attack code of the CAN message address from a dominant 0 to a recessive 1, and then Send the changed data packet to all ECUs in the form of broadcast;

ECU仅在接收到CAN消息地址是与其关联的CAN消息地址时才进行相应，无关联时则直接将该数据包进行丢弃；The ECU only responds when the received CAN message address is the CAN message address associated with it, and directly discards the data packet when there is no association;

所述显性与隐性的变换是通过CAN总线上的电压控制CAN_H高电压，CAN_L低电压进行更改远程请求位的值而实现。The conversion between the dominant and recessive is realized by changing the value of the remote request bit by controlling the CAN_H high voltage and CAN_L low voltage on the CAN bus.

一种应用于汽车ECU安全升级管理方法，进一步地，入侵检测模块检测车内网络时，还包括对漏洞ECU的检测，漏洞ECU使含有攻击代码的数据包易于被入侵检测模块检测到。A security upgrade management method applied to an automobile ECU. Further, when an intrusion detection module detects an in-vehicle network, it also includes detection of a vulnerability ECU, and the vulnerability ECU makes a data packet containing an attack code easy to be detected by the intrusion detection module.

一种应用于汽车ECU安全升级管理方法，进一步地，所述升级文件至少包括补丁包，补丁包是通过将基准补丁包与待升级ECU匹配的弥补包进行合成；A method for safety upgrade management applied to an automobile ECU, further, the upgrade file includes at least a patch package, and the patch package is synthesized by synthesizing a benchmark patch package and a make-up package matching the ECU to be upgraded;

所述基准补丁包与弥补包的形成方法包括：The method for forming the benchmark patch package and the make-up package includes:

步骤1：将新文件分别与旧文件通过差异分析，分别找出新文件与旧文件的差异，获取新文件与旧文件的差异数据包并将差异数据包进行提取打包后组成补丁包；重复步骤1，直至获得新文件分别与所有的不同历史版本的旧文件对应的补丁包；Step 1: Analyze the difference between the new file and the old file respectively, find out the difference between the new file and the old file, obtain the difference data package between the new file and the old file, extract and package the difference data package to form a patch package; repeat the steps 1, until the patch packages corresponding to the new files and all the old files of different historical versions are obtained;

步骤2：在多个补丁包选择其中一个作为基准补丁包；Step 2: Select one of the multiple patch packages as the baseline patch package;

步骤3：将所选的基准补丁包与补丁包进行差异对比，找出基准补丁包与补丁包的差异，获取基准补丁包与补丁包的差异数据包并将差异数据包提取打包压缩后形成弥补包；重复步骤3，直至获得基准补丁包分别与所有的不同历史版本的旧文件对应的弥补包。Step 3: Compare the difference between the selected benchmark patch package and the patch package, find out the difference between the benchmark patch package and the patch package, obtain the difference data package between the benchmark patch package and the patch package, and extract, pack and compress the difference data package to form a compensation package. package; Step 3 is repeated until the base patch package and all the old files of different historical versions corresponding to the make-up packages are obtained.

一种应用于汽车ECU安全升级管理方法，进一步地，所述获取新文件与旧文件的差异数据包包括以下步骤：A method for safety upgrade management applied to an automobile ECU, further, the obtaining of the difference data package between the new file and the old file includes the following steps:

步骤S200：利用后缀数组方法对旧文件与新文件进行排序形成字符串组；Step S200: using the suffix array method to sort the old file and the new file to form a string group;

步骤S201：然后根据所形成的字符串组将新文件与旧文件进对比；Step S201: then compare the new file with the old file according to the formed string group;

步骤S202：利用二分法查询旧文件与新文件之间的相同部分；Step S202: use the dichotomy method to query the same part between the old file and the new file;

步骤S203：找出新文件与旧文件的最大公共子序列并确定差异部分；Step S203: find out the maximum common subsequence of the new file and the old file and determine the difference;

步骤S204：找出新文件与旧文件的额外部分；Step S204: Find out the extra parts of the new file and the old file;

步骤S205:将差异部分和额外部分以及控制字进行压缩；Step S205: compress the difference part, the extra part and the control word;

步骤S206：形成补丁包。Step S206: forming a patch package.

所述新文件与旧文件中的数据存储的地址采用4个字节，操作代码在每个地址下存储固定8个字节。The addresses for data storage in the new file and the old file use 4 bytes, and the operation code stores fixed 8 bytes under each address.

一种应用于汽车ECU安全升级管理方法，进一步地，所述弥补包获取包括以下步骤：A method for security upgrade management applied to an automobile ECU, further, the acquisition of the compensation package includes the following steps:

步骤S300：将基准补丁包与补丁包的文件进行解压分别获得基准补丁包和补丁包的解压文件，解压后文件都分别包括三部分：控制字文件、差异文件、额外文件，即基准补丁包与补丁包都分别包括：控制字文件、差异文件、额外文件；Step S300: Decompress the benchmark patch package and the files of the patch package to obtain the decompressed files of the benchmark patch package and the patch package, respectively, and the decompressed files include three parts respectively: a control word file, a difference file, and an extra file, that is, the benchmark patch package and the patch package. The patch package includes: control word file, difference file, extra file;

步骤S301：去掉基准补丁包的控制字文件，保留补丁包的控制字文件并将基准补丁包中差异文件、额外文件与补丁包中的差异文件、额外文件利用BSDIFF算法进行差异化分析；Step S301: remove the control word file of the benchmark patch package, retain the control word file of the patch package, and utilize the BSDIFF algorithm to perform differential analysis on the difference file in the benchmark patch package, the extra file, and the difference file and extra file in the patch package;

步骤S302：通过BSDIFF算法形成相应的子差异文件、子额外文件、子控制字文件；Step S302: form corresponding sub-difference files, sub-additional files, and sub-control word files through the BSDIFF algorithm;

步骤S303：将所形成的子差异文件、子额外文件、子控制字文件以及所保留的补丁包的控制字文件进行打包后压缩形成弥补包。Step S303: Compress the formed sub-difference file, sub-additional file, sub-control word file and the reserved control word file of the patch package to form a supplementary package.

一种应用于汽车ECU安全升级管理方法，进一步地，通过基准补丁包与弥补包合成补丁包包括以下步骤：A method for security upgrade management applied to an automotive ECU, further, synthesizing a patch package through a benchmark patch package and a make-up package includes the following steps:

步骤S400：将弥补包与基准补丁包分别进行解压缩并分别获得解压后文件，弥补包解压后的文件包括：子差异文件、子额外文件、子控制字文件以及所保留的补丁包的控制字文件，基准补丁包解压后获得文件包括：差异文件、额外文件、控制字文件；Step S400: Decompress the compensation package and the benchmark patch package respectively and obtain the decompressed files respectively. The decompressed files of the compensation package include: a sub-difference file, a sub-extra file, a sub-control word file and the reserved control word of the patch package Files, the files obtained after decompressing the benchmark patch package include: difference files, extra files, and control word files;

步骤S401：去掉基准补丁包的控制字文件，保留补丁包的控制字文件并将并根据子控制字文件中的指引信息将子差异文件、子额外文件通过添加和插入放入基准补丁中的差异文件、额外文件中还原形成补丁包中的差异文件、额外文件；Step S401: Remove the control word file of the benchmark patch package, keep the control word file of the patch package and add and insert the sub-difference file and the sub-extra file into the difference in the benchmark patch according to the guide information in the sub-control word file. The files and extra files are restored to form the difference files and extra files in the patch package;

步骤S402：将所形成的补丁包中的差异文件、额外文件以及所保留补丁包中的控制字文件进行打包形成补丁包。Step S402: Packing the difference files, additional files in the formed patch package, and control word files in the reserved patch package to form a patch package.

本发明还提供了一种应用于汽车ECU安全升级管理系统，其特征在于，包括中央网关、入侵检测模块、安全管理模块、多个ECU，其中安全管理模块与入侵检测模块分别中央网关电连接；The present invention also provides a security upgrade management system applied to an automobile ECU, which is characterized by comprising a central gateway, an intrusion detection module, a security management module, and a plurality of ECUs, wherein the security management module and the intrusion detection module are electrically connected to the central gateway respectively;

中央网关，至少用于与车内内部与外部之间的通信或数据处理或车内网络管理；A central gateway, at least for communication or data processing between the interior and exterior of the vehicle or for network management in the vehicle;

入侵检测模块，被配置为监控模块或监控设备，用于对车内网络安全进行实时监控，当检测车内网络受到攻击时，能够将攻击信息反馈给安全管理模块；安全管理模块，一种控制设备或控制模块，能够在入侵检测模块检测到汽车网络攻击时减轻网络攻击造成的损害；The intrusion detection module, which is configured as a monitoring module or monitoring device, is used for real-time monitoring of the in-vehicle network security. When it is detected that the in-vehicle network is attacked, the attack information can be fed back to the security management module; the security management module, a control A device or control module capable of mitigating the damage caused by a cyber attack when an intrusion detection module detects an automotive cyber attack;

安全管理模块，被配置为控制设备或控制模块，能够在入侵检测模块检测到车内网络受到攻击时下发控制指令并使目标采取抵抗攻击策略进行抵抗；The security management module, which is configured as a control device or a control module, can issue control instructions when the intrusion detection module detects that the in-vehicle network is attacked and make the target adopt a strategy to resist the attack;

防护模块，被配置为能够根据安全管模块下发的控制指令采取抵抗攻击策略并发送给ECU，防护模块通过CAN总线与中央网关电连接；The protection module is configured to be able to adopt an attack resistance strategy according to the control instructions issued by the security management module and send it to the ECU, and the protection module is electrically connected to the central gateway through the CAN bus;

所述安全管理模块和入侵检测模块能够作为独立的硬件存在或以软件模块的方式集成到中央网关中；The security management module and the intrusion detection module can exist as independent hardware or be integrated into the central gateway in the form of software modules;

当不存在节点网关时，各ECU通过CAN总线与中央网关电连接。When there is no node gateway, each ECU is electrically connected to the central gateway through the CAN bus.

本发明还提供了一种应用于汽车ECU安全升级管理系统，进一步地，所述防护模块被配置为防护ECU，防护ECU与其它ECU一起通过CAN总线接入CAN网络中。The invention also provides a security upgrade management system applied to an automobile ECU. Further, the protection module is configured as a protection ECU, and the protection ECU and other ECUs are connected to a CAN network through a CAN bus.

本发明还提供了一种应用于汽车ECU安全升级管理系统，进一步地，还包括：节点网关，所述节点网关通过车载以太网总线与中央网关电连接，各ECU通过CAN网络数据总线与节点网关电连接。The invention also provides a security upgrade management system applied to an automobile ECU, further comprising: a node gateway, the node gateway is electrically connected to the central gateway through the vehicle Ethernet bus, and each ECU is connected to the node gateway through the CAN network data bus electrical connection.

本发明还提供了一种应用于汽车ECU安全升级管理系统，进一步地，还包括漏洞ECU，所述漏洞ECU，漏洞ECU被配置为具有较多安全漏洞的ECU，使含有攻击代码的数据包易于被入侵检测模块检测；The present invention also provides a security upgrade management system applied to an automobile ECU, and further includes a vulnerability ECU. The vulnerability ECU is configured as an ECU with more security vulnerabilities, so that data packets containing attack codes can be easily Detected by the intrusion detection module;

还包括服务器、通信模块，服务器通过通信模块与中央网关电连接，其中，服务器用于存储升级所需的升级文件，通信模块设置于车内，通过车载以太网与中央网关电连接，通信模块与服务器通过有线或者无线的方式电连接。It also includes a server and a communication module. The server is electrically connected to the central gateway through the communication module, wherein the server is used to store the upgrade files required for the upgrade. The communication module is arranged in the vehicle and is electrically connected to the central gateway through the vehicle Ethernet. The servers are electrically connected in a wired or wireless manner.

本发明还提供了一种应用于汽车ECU安全升级管理系统，进一步地，包括权上述应用于汽车ECU安全升级管理升级方法。The present invention also provides a safety upgrade management system applied to an automobile ECU, further including the above-mentioned method applied to the safety upgrade management and upgrade of an automobile ECU.

本发明有益效果：Beneficial effects of the present invention:

1.安全管理模块与入侵检测模块的使用，并且ECU含有抵抗模块和防护ECU引入，在车内网络受到黑客的攻击时，入侵检测模块能够及时的将攻击信息及时的反馈给安全管理模块，安全管理模块能够下发控制指令给防护ECU，防护ECU能够及时的采取抵抗策略使可能被入侵的ECU进行抵抗，降低因为受到攻击而使ECU受到损坏的风险。确保升级过程中各ECU不被攻击，及时监测系统的安全以便做出对策。1. The use of the security management module and the intrusion detection module, and the ECU contains the resistance module and the introduction of the protection ECU. When the in-vehicle network is attacked by hackers, the intrusion detection module can timely feedback the attack information to the security management module. The management module can issue control commands to the protection ECU, and the protection ECU can adopt a resistance strategy in time to make the ECU that may be invaded resist, reducing the risk of damage to the ECU due to attack. Ensure that each ECU is not attacked during the upgrade process, and monitor the security of the system in time to make countermeasures.

2.漏洞ECU的引入，使得黑客进行攻击时，漏洞ECU容易被最先攻击，当其被攻击时，能够使入侵检测模块更容易检测到系统被攻击并及时的反馈消息给安全管理模块。2. The introduction of the vulnerability ECU makes the vulnerable ECU easy to be attacked first when hackers attack. When it is attacked, the intrusion detection module can more easily detect that the system is attacked and timely feedback messages to the security management module.

3.相比于现有技术，通过引用基准补丁包以及弥补包，本发明能够同时满足不同版本的ECU升级，最大限度的降低ECU升级包的大小。3. Compared with the prior art, by citing the benchmark patch package and the make-up package, the present invention can simultaneously satisfy ECU upgrades of different versions, and minimize the size of the ECU upgrade package.

4.相比于现有技术，本发明由于引入的基准补丁包以及弥补包后，由于基准补丁包以及多个弥补包相比于采用多个不同版本的补丁包，其基准补丁包和弥补包所占存储空间要远小于多个补丁包所占的存储空间，因此，本发明可以直接在将升级所需的基准补丁包和弥补包直接下载到中央网关或者车载主机中，并不会增加系统的负荷，同时也节省ECU升级补丁包的传输时间，而不必每次都需要从服务器下载。4. Compared with the prior art, after the introduction of the benchmark patch package and the make-up package, the benchmark patch package and the multiple make-up packages are compared with patch packages of multiple different versions. The storage space occupied is much smaller than the storage space occupied by multiple patch packages. Therefore, the present invention can directly download the benchmark patch package and make-up package required for the upgrade to the central gateway or the vehicle-mounted host, without increasing the system It also saves the transmission time of the ECU upgrade patch package without having to download it from the server every time.

5.相比于现有技术，在对新文件与旧文件进行差异分析时，采用了4byte表示存储地址，每个存储地址下采用了固定的8byte对操作代码进行存储。与采用ARM平台的ECU中的8,16,32-bit的CPU进行结合，不仅能够降低补丁包尺寸，还能够提供运行效率。5. Compared with the prior art, when the difference analysis is performed between the new file and the old file, 4 bytes are used to represent the storage address, and a fixed 8 bytes are used to store the operation code under each storage address. Combined with the 8, 16, 32-bit CPU in the ECU using the ARM platform, it can not only reduce the size of the patch package, but also improve the operating efficiency.

附图说明Description of drawings

以下附图仅对本发明做示意性说明和解释，并不限定本发明的范围。The following drawings merely illustrate and explain the present invention schematically, and do not limit the scope of the present invention.

图1本发明实施例中一安全升级管理系统示意图；1 is a schematic diagram of a security upgrade management system in an embodiment of the present invention;

图2本发明实施例中含有节点网关一安全升级管理系统示意图；2 includes a schematic diagram of a node gateway-security upgrade management system in an embodiment of the present invention;

图3本发明CAN报文格式中，数据帧和远程帧的报文格式示意图；Fig. 3 in the CAN message format of the present invention, the message format schematic diagram of data frame and remote frame;

图4a至4c本发明实施例中补丁包、弥补包以及新文件的形成与合成过程中示意，图4a为补丁包合成，图4b为弥补包合成，图4c为根据补丁包、弥补包、旧文件合成新文件示意图；4a to 4c are schematic diagrams of the formation and synthesis process of the patch package, the make-up package and the new file in the embodiment of the present invention, FIG. 4a is the synthesis of the patch package, FIG. Schematic diagram of file synthesis new file;

图5本发明实施例中获取新文件与旧文件的差异数据数据包的流程图；Fig. 5 is the flow chart of obtaining the difference data packet of new file and old file in the embodiment of the present invention;

图6本发明实施例中补丁包形成过程的示意图；6 is a schematic diagram of a patch package formation process in an embodiment of the present invention;

图7本发明实施例中现有的非固定位数的操作代码示意图；7 is a schematic diagram of an existing non-fixed number of operation codes in an embodiment of the present invention;

图8本发明实施例中固定位数的操作代码示意图；8 is a schematic diagram of an operation code of a fixed number of digits in an embodiment of the present invention;

图9本发明实施例中获取基准补丁包与补丁包的差异数据包方法流程图；9 is a flowchart of a method for obtaining a difference data packet between a reference patch package and a patch package in an embodiment of the present invention;

图10本发明实施例中弥补包的形成过程实例；Figure 10 is an example of the formation process of the compensation package in the embodiment of the present invention;

图11本发明实施例中补丁包的合成方法；Fig. 11 synthesizing method of patch package in the embodiment of the present invention;

图12本发明实施例中基准补丁包与弥补包合成补丁包的过程示例；12 is an example of a process for synthesizing a patch package from a benchmark patch package and a make-up package in an embodiment of the present invention;

图13本发明实施例中服务器存储补丁包以及基准补丁包、弥补包示例。FIG. 13 is an example of a server storing a patch package, a reference patch package, and a make-up package in an embodiment of the present invention.

具体实施方式Detailed ways

为了对本发明的技术特征、目的和效果有更加清楚的理解，现对照附图说明本发明的具体实施方式，在各图中相同的标号表示相同的部分。为使图面简洁，各图中的只示意性地表示出了与本发明相关部分，而并不代表其作为产品的实际结构。另外，以使图面简洁便于理解，在有些图中具有相同结构或功能的部件，仅示意性地绘示了其中的一个，或仅标出了其中的一个。In order to have a clearer understanding of the technical features, objects and effects of the present invention, specific embodiments of the present invention will now be described with reference to the accompanying drawings, in which the same reference numerals denote the same parts. In order to make the drawings concise, only the relevant parts of the present invention are schematically shown in each drawing, and do not represent the actual structure of the product. In addition, in order to make the drawings concise and easy to understand, in some drawings, only one of the components having the same structure or function is schematically shown, or only one of them is marked.

关于控制系统，本领域技术人员熟知的是，其可以采用任何适当的形式，既可以是硬件也可以是软件，既可以是离散设置的多个功能模块，也可以是集成到一个硬件上的多个功能单元。作为最简单的形式，所述控制系统可以是控制器，例如组合逻辑控制器、微程序控制器等，只要能够实现本申请描述的操作即可。当然，控制系统也可以作为不同的模块集成到一个物理设备上，这些都不偏离本发明的基本原理和保护范围。As for the control system, it is well known to those skilled in the art that it can take any appropriate form, either hardware or software, or a plurality of discretely arranged functional modules, or a plurality of functional modules integrated into one hardware. functional unit. In the simplest form, the control system may be a controller, such as a combinational logic controller, a microprogram controller, etc., as long as the operations described in this application can be implemented. Of course, the control system can also be integrated into a physical device as different modules, which do not deviate from the basic principles and protection scope of the present invention.

实施例1：Example 1:

本实施例提供了一种应用于汽车的安全管理方法，具体包括：This embodiment provides a safety management method applied to an automobile, which specifically includes:

防护模块被配置为与安全模块相对应，能够根据安全模块下发的控制指令采取相应的抵抗攻击策略并发送给目标ECU；The protection module is configured to correspond to the security module, and can adopt a corresponding anti-attack strategy according to the control instructions issued by the security module and send it to the target ECU;

ECU包括抵抗模块，抵抗模块被配置为具有与抵抗攻击策略相匹配的功能，当目标ECU受到攻击时，ECU内的抵抗模块能够根据防护模块发出的抵抗攻击策略调用匹配应用程序进行抵抗入侵；The ECU includes a resistance module, and the resistance module is configured to have a function matching the attack resistance strategy. When the target ECU is attacked, the resistance module in the ECU can call the matching application to resist the intrusion according to the attack resistance strategy issued by the protection module;

抵抗攻击策略包括目标ECU安全重置策略、目标节点网关的安全重置策略、丢弃含有攻击代码的数据包策略；Anti-attack strategies include the security reset strategy of the target ECU, the security reset strategy of the target node gateway, and the strategy of discarding data packets containing attack codes;

攻击代码的数据包至少包括符合CAN报文格式的数据，还可以包括病毒类型、攻击方式等The data packet of the attack code includes at least data that conforms to the CAN message format, and can also include virus type, attack method, etc.

具体地，目标ECU接收到安全重置策略时，目标ECU自动重启后进入安全模式，所述安全模式至少包括：被配置为允许基本驾驶操作以保证车辆的安全，仅允许处理经过安全验证的CAN消息，或被配置为需要对接收的数据进行完整性检查及数据加密。Specifically, when the target ECU receives the safety reset policy, the target ECU automatically restarts and then enters a safety mode, where the safety mode at least includes: being configured to allow basic driving operations to ensure the safety of the vehicle, and only allowing processing of safety-verified CAN message, or is configured to require integrity checking and data encryption of received data.

具体地，防护模块可以被配置为防护ECU，从ECU中任意选择一个作为防护ECU，但是为了安全期间，一般都选择不担任与安全责任紧密相关的ECU，如刹车、发动机相关的ECU。也可以设置一个ECU，其与车身控制无直接关系，单纯的作为防护ECU。此时，丢弃含有攻击代码的数据包策略具体包括：安全管理模块将含有攻击代码的数据发送到安装在特定域中的防护ECU中，防护ECU将含有CAN消息标识符(CAN ID)的攻击数据包的信息广播到同一域中的所有ECU中，ECU通过抵抗模块调用应用程序丢弃包含相应CAN消息标识符的数据包；Specifically, the protection module can be configured as a protection ECU, and one of the ECUs can be arbitrarily selected as the protection ECU. However, for the sake of safety, ECUs that are not closely related to safety responsibilities are generally selected, such as brake and engine-related ECUs. It is also possible to set up an ECU, which has no direct relationship with the body control, and is simply used as a protection ECU. At this time, the strategy of discarding the data packet containing the attack code specifically includes: the security management module sends the data containing the attack code to the protection ECU installed in a specific domain, and the protection ECU sends the attack data containing the CAN message identifier (CAN ID). The information of the packet is broadcast to all ECUs in the same domain, and the ECU calls the application through the resistance module to discard the data packet containing the corresponding CAN message identifier;

具体地的，需要说明的是，本发明可以将汽车的众多ECU进行分类，如分为动力控制段、车身段、安全段、娱乐段等，每个段都设置有防护ECU和漏洞ECU。Specifically, it should be noted that the present invention can classify numerous ECUs of automobiles, such as power control section, body section, safety section, entertainment section, etc. Each section is provided with a protection ECU and a vulnerability ECU.

本实施例中的另一种方式，车载以太网具有根据车辆的功能形成域的结构，车内网络采用车载以太网进行传输并且设置节点网关与多种域进行连接，发生攻击时，安全管理模块向受到攻击的目标节点网关发送控制指令以指示目标节点网关采取抵抗攻击策略进行抵抗。在由节点网关存在的情况下，与节点网关直接连接的ECU与节点网关组成特定的域，如动力控制域、车身域、安全域、娱乐域，每个域都设置有防护ECU和漏洞ECU。每个防护ECU和漏洞ECU对应一个域。In another way in this embodiment, the vehicle Ethernet has a structure of forming domains according to the functions of the vehicle. The vehicle network adopts the vehicle Ethernet for transmission and sets up node gateways to connect with various domains. When an attack occurs, the security management module Send a control instruction to the attacked target node gateway to instruct the target node gateway to adopt an attack resistance strategy to resist. In the presence of node gateways, the ECUs directly connected to the node gateways and the node gateways form specific domains, such as power control domain, body domain, safety domain, and entertainment domain. Each domain is provided with protection ECUs and vulnerability ECUs. Each protection ECU and vulnerability ECU corresponds to a domain.

抵抗攻击策略包括目标节点网关的安全重置策略，节点网关的安全重置策略包括节点网关自动重启后进入安全模式，节点网关的安全模式至少包括：被配置为允许基本驾驶操作以保证车辆的安全，仅允许处理经过安全验证的CAN消息，或被配置为需要对接受数据进行完整性检查以及数据加密。The attack resistance strategy includes the security reset strategy of the target node gateway. The security reset strategy of the node gateway includes entering a safe mode after the node gateway automatically restarts. The security mode of the node gateway includes at least: being configured to allow basic driving operations to ensure the safety of the vehicle , which only allows processing of security-authenticated CAN messages, or is configured to require integrity checking of received data and data encryption.

具体地，需要说明的是，入侵检测模块检测车内网络时，还包括对漏洞ECU的检测，漏洞ECU被配置为具有较多安全漏洞的ECU，漏洞ECU使含有攻击代码的数据包易于被入侵检测模块检测到。漏洞ECU为认为设置的，其不参与对车内的概况进行控制，其目的在于在设置该ECU时，故意的留下较多的bug、后门，使其最先受到攻击，一旦其受到攻击，入侵检测模块就能更容易的检测到有恶意代码的存在，使安全模块能够及时的做出响应。Specifically, it should be noted that when the intrusion detection module detects the in-vehicle network, it also includes detection of vulnerable ECUs. The vulnerable ECUs are configured as ECUs with more security vulnerabilities, and the vulnerable ECUs make data packets containing attack codes easy to be invaded. Detection module detected. The vulnerability ECU is considered to be set, and it does not participate in the control of the general situation in the car. Its purpose is to deliberately leave more bugs and backdoors when setting the ECU, so that it will be attacked first. The intrusion detection module can more easily detect the existence of malicious code, so that the security module can respond in time.

实施例2：Example 2:

本实施例提供了一种使ECU丢失含有恶意代码的数据包的方法，具体包括：参见图3。图3a为CAN报文中数据帧的格式，图3b为CAN报文中远程帧的格式，This embodiment provides a method for causing an ECU to lose a data packet containing malicious code, which specifically includes: refer to FIG. 3 . Figure 3a is the format of the data frame in the CAN message, Figure 3b is the format of the remote frame in the CAN message,

图3a中，CAN报文中数据帧的格式为标准帧，帧起始，用1个bit表示；In Figure 3a, the format of the data frame in the CAN message is a standard frame, and the start of the frame is represented by 1 bit;

仲裁段包含11bit的ID(CAN消息标识符)以及远程请求位(Remote TransmissionRequest，RTR)，ID分布于ID28到ID18，禁止高7bit全都为隐性；RTR：远程请求位，显性(0)表示数据帧，隐性(1)表示远程帧。The arbitration segment contains an 11-bit ID (CAN message identifier) and a remote request bit (Remote TransmissionRequest, RTR). The ID is distributed from ID28 to ID18, and the prohibition of high 7 bits is all recessive; RTR: remote request bit, dominant (0) means Data frame, recessive (1) means remote frame.

控制段：由6个bit组成，指示要传输信息的数据字节数，包含预留位IDE/r1、r0(1bit)，DLC(4bit)。Control segment: consists of 6 bits, indicating the number of data bytes to be transmitted, including reserved bits IDE/r1, r0 (1bit), DLC (4bit).

IDE：Identifier Extension Bit，标识符扩展位，它在标准帧中位于控制场,始终处于显性。在扩展帧中位于仲裁场，始终处于显性。r0、r1：保留位必须以显性电平传送，然而，在接收侧可以接收显性、隐性集任意组合的电平。DLC：数据的字节数必须是0-8个字节，但接收方对DLC＝9-15的情况并不视为错误。IDE: Identifier Extension Bit, the identifier extension bit, it is located in the control field in the standard frame and is always dominant. Arbitration field in extended frame, always dominant. r0, r1: The reserved bits must be transmitted at the dominant level, however, the receiving side can receive the level of any combination of dominant and recessive sets. DLC: The number of bytes of data must be 0-8 bytes, but the receiver does not regard DLC=9-15 as an error.

数据段：由0到8个字节组成，用于负载传输的数据。Data segment: It consists of 0 to 8 bytes and is used to load the transmitted data.

循环冗余校验码段(CRC，Cyclic Redundancy Check,CRC)：由15bit CRCSequence和1bit CRC Delimiter组成，用来检查帧是否有传输错误。CRC Sequence：CRC序列，计算范围是SOF，仲裁域，控制域和数据域。CRC Delimiter：CRC界定符，是一个常态隐性位。Cyclic Redundancy Check (CRC, Cyclic Redundancy Check, CRC): composed of 15bit CRCSequence and 1bit CRC Delimiter, used to check whether the frame has transmission errors. CRC Sequence: CRC sequence, the calculation range is SOF, arbitration field, control field and data field. CRC Delimiter: The CRC delimiter is a normal recessive bit.

应答场(ACK)：ACK(应答场)长度为2个bit。包括ACK Slot和ACK Delimiter。ACKSlot：应答间隙，发送节点送数据时，会将ACK Slot及ACK Delimiter全部置为隐性，接收节点计算CRC Sequence正确无误后，会在ACK Slot期间向发送方发送一个显性位以示应答。ACK Delimiter：ACK界定符，是一个常态隐性位。ACK field (ACK): ACK (ACK field) length is 2 bits. Including ACK Slot and ACK Delimiter. ACKSlot: acknowledgment gap. When the sending node sends data, it will set all ACK Slot and ACK Delimiter to recessive. After the receiving node calculates the CRC Sequence correctly, it will send a dominant bit to the sender during the ACK Slot to indicate the response. ACK Delimiter: The ACK delimiter is a normal recessive bit.

如果总线上有2个以上的接收节点，只要它们当中任意一个正常接收到消息，就会有ACK被返回，如果总线上没有节点能够正常接收信息，则NO ACK被返回。另外发送节点不发送ACK；If there are more than 2 receiving nodes on the bus, as long as any one of them receives the message normally, an ACK will be returned. If no node on the bus can receive the message normally, NO ACK will be returned. In addition, the sending node does not send ACK;

帧结束：指示帧的结束，由7个隐性位组成。End of frame: Indicates the end of the frame, consisting of 7 recessive bits.

图3b中，CAN报文中远程帧的格式，其与数据帧的报文格式区别在于远程帧中并不包括数据段，其余段都有，用于区别数据帧与远程帧标识依靠远程请求位(RTR)用来标识，当RTR显示为0是，标识数据帧帧，此时是显性。当RTR显示为1时，为远程帧，此时为隐性。In Figure 3b, the format of the remote frame in the CAN message is different from the message format of the data frame in that the remote frame does not include the data segment, and the rest of the segment is there, which is used to distinguish the data frame and the remote frame. The ID depends on the remote request bit (RTR) is used to identify, when RTR is displayed as 0, it identifies the data frame frame, which is dominant at this time. When the RTR is displayed as 1, it is a remote frame, and it is recessive at this time.

本实施例中对于其余报文格式不做要求，仅要求CAN报文格式至少包括CAN消息标识符(CAN ID)、远程请求位(RTR)；In this embodiment, there is no requirement for the other message formats, and only the CAN message format is required to include at least a CAN message identifier (CAN ID) and a remote request bit (RTR);

安全管理模块下发丢弃数据包的指令给防护ECU，防护ECU将符合CAN报文格式并且含有CAN消息标识符的攻击代码的数据包中的远程请求位从显性0更改为隐性1，然后再将该更改后的数据包以广播的形式发送给所有的ECU；The security management module sends an instruction to discard the data packet to the protection ECU, and the protection ECU changes the remote request bit in the data packet conforming to the CAN message format and containing the attack code of the CAN message identifier from a dominant 0 to a recessive 1, and then Then send the changed data packet to all ECUs in the form of broadcast;

具体地，防护ECU接受到含有CAN消息标识符的数据包时，其会根据安全模块下发给它的指令进行判断该数据包中的CAN消息标识符是否与含有攻击的代码的CAN消息标识符相同，如果确认相同，防护ECU会将收到含有攻击代码的CAN消息标识符的数据包进行报文格式的修改，其将RTR从0改为1，这样，就把数据帧改为远程帧。作为远程帧发送后，ECU仅在接收到CAN消息标识符是与其关联的CAN消息标识符时才进行相应，无关联时则直接将该数据包进行丢弃。尽管此时含有攻击的数据包带有数据，但是由于其RTR显示为1表示远程帧，关联的ECU收到该远程帧后并不会接受数据，仅是发送一个基于请求的响应，避免了这些ECU被攻击。而无关联的ECU仅不会接收该数据，直接将该数据进行丢失。Specifically, when the protection ECU receives a data packet containing a CAN message identifier, it will judge whether the CAN message identifier in the data packet is the same as the CAN message identifier containing the attack code according to the instruction issued to it by the security module. The same, if the confirmation is the same, the protection ECU will modify the message format of the data packet receiving the CAN message identifier containing the attack code, and it will change the RTR from 0 to 1, so that the data frame will be changed to a remote frame. After being sent as a remote frame, the ECU only responds when it receives that the CAN message identifier is the CAN message identifier associated with it, and directly discards the data packet when it is not associated. Although the data packet containing the attack has data at this time, since its RTR is displayed as 1 to indicate a remote frame, the associated ECU will not accept the data after receiving the remote frame, but only sends a request-based response to avoid these ECU was attacked. The unrelated ECU will not receive the data, but will directly lose the data.

显性与隐性的变换是通过CAN总线上的电压控制CAN_H(3.5V)高电压，CAN_L(1.5V)低电压进行更改远程请求位的值而实现。The conversion between dominant and recessive is achieved by changing the value of the remote request bit by controlling the CAN_H (3.5V) high voltage and CAN_L (1.5V) low voltage on the CAN bus.

实施例3：Example 3:

参见图4a至图4c，其描述了本实施例中提供了实施例1获取实施例1的升级包的方法，所述升级文件至少包括补丁包，补丁包是通过将基准补丁包与待升级ECU匹配的弥补包进行合成，Referring to FIG. 4a to FIG. 4c, it is described that the method for obtaining the upgrade package of Example 1 provided in Example 1 is provided in this embodiment. The upgrade file includes at least a patch package, and the patch package is obtained by combining the benchmark patch package with the ECU to be upgraded. The matching make-up packets are synthesized,

基准补丁包与弥补包的形成方法包括：The formation method of the baseline patch package and the make-up package includes:

具体地，在ECU的bug的修复过程中，不可能一劳永逸，其bug的修复是不断完善的，因此在不同的用户手中，其升级的旧文件可能存在多个版本，如车厂原始的某个ECU的旧文件从V0版本逐渐更新到V6版本，但是车主的选择众多，未必都更新到最新版本V6。此时，可能存在有些车主使用V2版本旧文件，有些使用V3版本的旧文件等。假设最近的开发出新版本的V7新文件，此时需要对这些车主进行升级，因此旧文件含有多版本，本次升级时，都需要考虑不同旧文件与新文件之间的版本差异。所以旧文件存在多个，与此相应的补丁包也存在多个。其中一种差异分析方式为，例如：假设有V0至V6个旧文件，有一个V7新文件，则形成7个补丁包B0至B6。B0代表V7与V0形成的补丁包，以此类推，B6代表V7与V6形成的补丁包。Specifically, in the process of fixing ECU bugs, it is impossible to fix them once and for all. The bug fixes are constantly improved. Therefore, in the hands of different users, there may be multiple versions of the upgraded old files, such as the original ECU of the car factory. The old files of the car are gradually updated from the V0 version to the V6 version, but there are many choices for car owners, and they may not all be updated to the latest version V6. At this time, there may be some car owners using the old files of the V2 version, and some using the old files of the V3 version, etc. Assuming that a new version of V7 new files has been developed recently, these car owners need to be upgraded at this time, so the old files contain multiple versions, and the version differences between different old files and new files need to be considered during this upgrade. Therefore, there are multiple old files, and there are multiple corresponding patch packages. One of the differences analysis methods is, for example, assuming that there are old files from V0 to V6 and a new file of V7, 7 patch packages B0 to B6 are formed. B0 represents the patch package formed by V7 and V0, and so on, B6 represents the patch package formed by V7 and V6.

步骤2：在多个补丁包选择其中一个作为基准补丁包，Step 2: Select one of the multiple patch packages as the baseline patch package,

步骤3：将所选的基准补丁包分别与多个补丁包通过差异分析方法，找出新文件与旧文件的差异，形成多个弥补包；Step 3: Find out the difference between the new file and the old file through the difference analysis method between the selected benchmark patch package and multiple patch packages, and form multiple make-up packages;

具体地，由于旧文件存在多个版本，因此形成的补丁包也存在多个版本，将多个版本中选择其中一个作为基准补丁包，基准补丁包为任意一个补丁包。但是考虑到大多数用户会根据车厂的提示进行升级到当的最新旧文件版本(即尚未升级前的最新版本，例如：原先存在V0版本至V6版本，目前有最新版本的V7需要升级，此时定义V6为最新旧文件，V7为新文件)。通常情况下，选择新文件与最新旧文件进行差异分析后的补丁包为基准补丁包，即V7与V6形成的补丁包作为基准补丁包B6。然后将基准补丁包分别与补丁包进行差异分析，形成多个弥补包。例如：B6分别与B0至B5形成弥补包，记为M0至M5。Specifically, since there are multiple versions of the old file, the formed patch package also has multiple versions, and one of the multiple versions is selected as the benchmark patch package, and the benchmark patch package is any patch package. However, considering that most users will upgrade to the latest and old file versions according to the car manufacturer's prompts (that is, the latest version before the upgrade, for example: the V0 version to the V6 version originally existed, and the latest version of V7 needs to be upgraded at this time. Define V6 as the latest old file and V7 as the new file). Under normal circumstances, the patch package after the difference analysis between the new file and the latest and old files is selected as the benchmark patch package, that is, the patch package formed by V7 and V6 is used as the benchmark patch package B6. Then, the differences between the benchmark patch package and the patch package are analyzed to form multiple make-up packages. For example: B6 and B0 to B5 form supplementary packets, denoted as M0 to M5.

具体地，在新文件与旧文件中的补丁包以及弥补包都是在服务器端完成，本发明所指的服务器是一种广义的概念，其可以只云服务器，也可以为本地的PC电脑或者本地服务器，或者可以进行补丁包和弥补包进行运算的设备。Specifically, the patch package and the make-up package in the new file and the old file are all completed on the server side. The server referred to in the present invention is a broad concept, which can be only a cloud server, or a local PC or computer. A local server, or a device that can perform operations on patch packages and make-up packages.

ECU升级所补丁包的合成方法包括：The synthesis method of the patch package for the ECU upgrade includes:

将基准补丁包与相对应的弥补包进行数据包合成，形成与待升级的ECU对应的补丁包；Synthesize the base patch package and the corresponding make-up package to form a patch package corresponding to the ECU to be upgraded;

具体地，如存储有基准补丁包和多个弥补包，如基准补丁包B6，多个弥补包为M0，M1，M2，M3，M4，M5。若当前需要升级的ECU为最新旧文件为V6版本，基准补丁包为B6，由于B6其正好对应于最新版本的补丁包，此时，无须进行合成，直接采用基准补丁包升级即可。若当前需要升级的ECU版本不是最新的旧文件，则根据当前最新旧文件的版本，找出对应版本的弥补包，然后将基准补丁包与该弥补包进行合成并生成与最新旧文件对应的补丁包。例如：当前ECU的最近旧文件版本为V4，则对应的弥补包为M4，将M4与基准补丁包B6进行数据合成为补丁包M4。Specifically, if the benchmark patch package and a plurality of supplementary packages are stored, such as the benchmark patch package B6, the multiple supplementary packages are M0, M1, M2, M3, M4, and M5. If the current ECU that needs to be upgraded is the latest and old file version V6, and the benchmark patch package is B6, since B6 just corresponds to the latest version of the patch package, at this time, there is no need to synthesize, and the benchmark patch package can be used directly to upgrade. If the current ECU version to be upgraded is not the latest old file, find out the corresponding version of the make-up package according to the current version of the latest and old files, and then synthesize the baseline patch package with the make-up package to generate a patch corresponding to the latest and old files Bag. For example, if the latest old file version of the current ECU is V4, the corresponding patch package is M4, and the data of M4 and the benchmark patch package B6 are synthesized into patch package M4.

将待升级的ECU对应的补丁包与ECU中的旧文件进行数据包合成并形成需要升级的新文件。The patch package corresponding to the ECU to be upgraded is combined with the old file in the ECU to form a new file that needs to be upgraded.

具体地，通过形成的补丁包，与当前ECU中的旧文件合成为最新的升级文件包,如V7版本的文件包，然后通过启动升级程序，对ECU进行升级。Specifically, the patch package formed is combined with the old files in the current ECU into the latest upgrade file package, such as the file package of the V7 version, and then the ECU is upgraded by starting the upgrade program.

弥补包与补丁包的生成以及补丁包和新文件的还原可能处于不同设备，此时，可以通过有线或者无线通信的方式将数据包进行各中转站之间的转移。The generation of the make-up package and the patch package and the restoration of the patch package and the new file may be in different devices. In this case, the data package can be transferred between the transit stations through wired or wireless communication.

将形成的多个弥补包与基准补丁包通过网络传输给本地中转站；Transmit the formed multiple patch packages and benchmark patch packages to the local transit station through the network;

具体地，在服务端完成弥补包与基准补丁包之后，通过无线网络或者有限网络传给中转站，本发明所指的中转站定义为可以将数据包传输给ECU端的设备，其可以为车载主机，也可以为带有数据处理的网关等设备。Specifically, after the server completes the compensation package and the reference patch package, it is transmitted to the transfer station through a wireless network or a limited network. The transfer station referred to in the present invention is defined as a device that can transmit data packets to the ECU, which can be a vehicle-mounted host. , it can also be a gateway with data processing and other equipment.

实施例4：Example 4:

获取新文件与旧文件的差异数据包尽可能多的利用旧文件中已有的内容，尽可能少的加入新的内容来构建新文件。例如：对旧文件和新文件做子字符串匹配或使用hash技术，提取公共部分，将新文件中剩余的部分打包成补丁包或者弥补包。在合成阶段中，用添加(ADD)和插入(insertion)两个基本操作即可将旧文件和补丁包合成新文件。Get the difference data package between the new file and the old file. Use as much of the existing content in the old file as possible, and add as little new content as possible to build the new file. For example: do substring matching on old files and new files or use hash technology, extract common parts, and package the remaining parts of the new files into patch packages or make-up packages. In the synthesis stage, the old files and patch packages can be synthesized into new files with the two basic operations of addition (ADD) and insertion (insertion).

获取新文件与旧文件的差异数据包具体步骤包括：The specific steps to obtain the difference data package between the new file and the old file include:

具体地，首先是字符串索引的生成，采用基于二分思想的Faster Suffix Sorting(更快的后缀排序)算法来进行索引的生成。后缀数组即一个一维数组，保存了i(1…n)的某个排列I,并且保证suffix(I)<suffix(I[i+1]),即将S的n个后缀从小到大进行排序之后，把有序的后缀的开头位置顺次放入I中。Specifically, the first is the generation of the string index, and the Faster Suffix Sorting (faster suffix sorting) algorithm based on the idea of dichotomy is used to generate the index. The suffix array is a one-dimensional array, which saves a certain arrangement I of i(1...n), and ensures that suffix(I)<suffix(I[i+1]), that is, the n suffixes of S are sorted from small to large. After that, put the beginning positions of the ordered suffixes into I in sequence.

步骤S203：找出最大新文件与旧文件的最大公共子序列并确定差异部分；Step S203: find out the largest common subsequence between the largest new file and the old file and determine the difference;

步骤S204：找出额外部分；Step S204: Find the extra part;

步骤S206：形成补丁包Step S206: forming a patch package

具体的，参见图6：Specifically, see Figure 6:

如：假设新文件为：abedefsdfaoiutkllklllFor example: Suppose the new file is: abedefsdfaoiutkllklll

旧文件为：abcdefsdfaoiukerThe old file is: abcdefsdfaoiuker

通过比较新文件和旧文件，新文件中的“abcdefsdfaoiu”与旧文件中的“abrdefsdfaoiu”仅在第三位不同，因此差异部分[00200000000],由于差异部分含有大量的0，因此可以高效的被压缩。额外部分为：tjkllklll。由于在后续数据包合成过程中是通过复制和插入操作进行的，插入操作会引起大量的指针变动和修改，要记录这些值才能在Patch阶段给修改过的区域重新定位。因此在形成差异部分与额外部分时，需要记录的指针控制字的数值。BSDiff通过引入差异文件的概念，大大减少了要记录的指针控制字的数目，从而使得补丁包更小。By comparing the new file and the old file, "abcdefsdfaoiu" in the new file is different from "abrdefsdfaoiu" in the old file only in the third position, so the difference part [00200000000], because the difference part contains a lot of 0, it can be efficiently compression. The extra part is: tjkllklll. Since the subsequent data packet synthesis process is performed by copying and inserting operations, the inserting operations will cause a large number of pointer changes and modifications, and these values must be recorded to relocate the modified area in the Patch phase. Therefore, when forming the difference part and the extra part, the value of the pointer control word needs to be recorded. By introducing the concept of difference files, BSDiff greatly reduces the number of pointer control words to be recorded, thus making the patch package smaller.

在差异分析阶段以及数据存储阶段，对于数据包进行了以下处理，现有技术中，参见图7，其数据文件的存储中，其地址采用了8位数表示，每一个地址用来对数据存储，其采用非固定大小的存储方法。如图7中，地址为80484b4,存储的代码为8b 45f0,存储的代码为6位，地址为80484ba，存储的代码为e8 a1 ff ff ff。存储的代码为10为字节(byte)。但是ECU是基于ARM的CPU进行集成的，这种架构下，拥有8位、16位、32位比特(bit)的处理器，例如，32位比特的处理器一次能够处理的最大二进制数为32位(bit)的操作代码。为了更好降低数据包的大小，目前汽车的ECU升级包相比PC系统等，其数据包的大小非常小，因此，将地址改为4位byte，将原有的代码改为能够存储8byte的固定长度的代码。参见图8，如旧文件的其中一个地址为：8400，该地址存储的代码：ebffffba,下一个地址：8404，该地址存储的代码：e3a03000。新文件中，其中一个为地址8418，该地址存储的代码：ebffffb4，另一个为地址841c，该地址存储的代码：e51b200c。通过采用固定的长度的代码存储，降低用于表示地址的位数，并且固定长度为8byte，这样一方面能够节省空间，降低数据包的大小。另一方面，由于存储代码的固定长度为8byte，其为CPU的识别最大二进制文件的倍数。使得处理效率高。In the difference analysis stage and the data storage stage, the following processing is performed on the data packet. In the prior art, referring to FIG. 7 , in the storage of the data file, its address is represented by 8 digits, and each address is used to store the data. , which uses a non-fixed-size storage method. As shown in Figure 7, the address is 80484b4, the stored code is 8b 45f0, the stored code is 6 bits, the address is 80484ba, and the stored code is e8 a1 ff ff ff. The stored code is 10 bytes (byte). However, the ECU is integrated based on the ARM CPU. Under this architecture, it has 8-bit, 16-bit, and 32-bit processors. For example, the maximum binary number that a 32-bit processor can process at a time is 32. Bit (bit) operation code. In order to better reduce the size of the data packet, the current car ECU upgrade package has a very small data packet size compared to the PC system. Therefore, the address is changed to 4 bytes, and the original code is changed to be able to store 8 bytes. Fixed-length code. Referring to Figure 8, if one of the addresses of the old file is: 8400, the code stored at this address is: ebffffba, the next address is: 8404, and the code stored at this address is: e3a03000. In the new file, one of them is address 8418, the code stored at this address: ebffffb4, and the other is address 841c, and the code stored at this address: e51b200c. By adopting a fixed length of code storage, the number of bits used to represent the address is reduced, and the fixed length is 8 bytes, which on the one hand can save space and reduce the size of the data packet. On the other hand, since the fixed length of the stored code is 8 bytes, it is a multiple of the largest binary file recognized by the CPU. Makes the processing efficiency high.

另一方面，存储地址部分中出现许多差异，这些差异是由滑动参考地址引起的。最初，Bsdiff通过存储地址对新文件与旧文件的相似部分进行分类，并按不同代码的百分比对新代码进行分类。此外，如果连续不同的操作代码长度超过8个字节，则该部分被定义为不相似。On the other hand, there are many discrepancies in the memory address part, which are caused by sliding reference addresses. Initially, Bsdiff classifies similar parts of new and old files by storage address, and new codes by percentage of different codes. Also, if consecutively distinct opcodes are longer than 8 bytes, the section is defined as dissimilar.

对于固定代码，以更改此百分比以进行优化。在许多情况下，32位固定操作代码只更改了8位。因此，阈值应为75％，而不是50％。For fixed code, change this percentage for optimization. In many cases, the 32-bit fixed opcode changes only 8 bits. So the threshold should be 75%, not 50%.

实施例5：Example 5:

由实施例3和实施例4形成的补丁包至少包括三部分构成：第一是一个包含了添加(ADD)和插入(INSERT)指令的控制字文件，添加指令指定旧文件中的偏移量和长度，从旧文件读取适当的字节数，并将其添加到差异文件中的相同字节数，插入指令只是指定一个长度，指定的字节数是从额外的文件中读取的；第二是一个包含了概率匹配中不同字节内容的差异文件；第三是一个包含了不属于概略匹配中内容的额外的文件。每一个ADD指令指定了旧文件中的偏移位置和长度，从旧文件中读取相应数量的字节内容并且从差异文件中读取相同字节的内容添加进去。INSERT指令仅仅制定一个长度，用于从额外文件中读取指定数量的字节内容。The patch package formed by Embodiment 3 and Embodiment 4 is composed of at least three parts: the first is a control word file containing add (ADD) and insert (INSERT) instructions, and the add instructions specify the offset in the old file and length, read the appropriate number of bytes from the old file and add it to the same number of bytes in the difference file, the insert instruction just specifies a length, the specified number of bytes are read from the extra file; The second is a diff file that contains the content of the different bytes in the probabilistic match; the third is an extra file that contains content that is not part of the probabilistic match. Each ADD instruction specifies an offset and length in the old file, reads the corresponding number of bytes from the old file and adds the same bytes from the difference file. The INSERT instruction only specifies a length for reading the specified number of bytes from the extra file.

在实施例中的步骤2中，弥补包的形成方法，参见图9至图10，具体过程包括获取基准补丁包与补丁包的差异数据包，差异数据包的获取包括以下步骤：In step 2 in the embodiment, the method for forming the compensation package is shown in FIGS. 9 to 10. The specific process includes acquiring the difference data package between the reference patch package and the patch package, and the acquisition of the difference data package includes the following steps:

步骤S300：将基准补丁包与补丁包的文件进行解压分别获得基准补丁包和补丁包的解压文件，解压文件分别包括三部分：控制字文件、差异文件、额外文件；Step S300: decompressing the benchmark patch package and the files of the patch package to obtain the decompressed files of the benchmark patch package and the patch package, respectively, and the decompressed files respectively include three parts: a control word file, a difference file, and an extra file;

基准补丁包与补丁包都分别包括：控制字文件、差异文件、额外文件，其中基准补丁包记为控制字文件1、差异文件1、额外文件1，补丁包：控制字文件2、差异文件2、额外文件2。Both the benchmark patch package and the patch package respectively include: control word file, difference file, and extra file, among which the benchmark patch package is marked as control word file 1, difference file 1, extra file 1, patch package: control word file 2, difference file 2 , Extra file 2.

步骤S301：去掉基准补丁包的控制字文件1，保留补丁包的控制字文件2并将基准补丁包中差异文件1、额外文件1与补丁包中的差异文件2、额外文件2利用BSDIFF算法进行差异化分析；Step S301: remove the control word file 1 of the benchmark patch package, retain the control word file 2 of the patch package, and use the BSDIFF algorithm to carry out the difference file 1, the extra file 1 and the difference file 2 and the extra file 2 in the patch package in the benchmark patch package. Differentiation analysis;

具体地，当需要升级的ECU版本与基准补丁包对应时，直接使用基准补丁包进行升级即可。当需要升级的ECU版本与基准补丁包不对应，需要找到相应的补丁包进行升级。因此，若需要升级的ECU版本与基准不对应时，基准版本的控制字文件是无用的文件，为了节省空间，在步骤S301，将基准补丁包的控制字文件1进行移除而完全保留与升级的ECU版本对应的补丁包中的控制字文件2。Specifically, when the ECU version that needs to be upgraded corresponds to the benchmark patch package, the benchmark patch package can be used to upgrade directly. When the ECU version to be upgraded does not correspond to the baseline patch package, you need to find the corresponding patch package to upgrade. Therefore, if the ECU version to be upgraded does not correspond to the benchmark, the control word file of the benchmark version is a useless file. In order to save space, in step S301, the control word file 1 of the benchmark patch package is removed and completely retained and upgraded. Control word file 2 in the patch package corresponding to the ECU version.

步骤S303：将所形成的子差异文件、子额外文件、子控制字文件以及所保留的补丁包的控制字文件2进行打包后压缩形成弥补包。Step S303: Compress the formed sub-difference file, sub-extra file, sub-control word file and the reserved control word file 2 of the patch package to form a supplementary package.

弥补包有多个版本，需要每个对应版本的弥补包都需要重复步骤S300至S303进行形成。There are multiple versions of the make-up package, and steps S300 to S303 need to be repeated for each corresponding version of the make-up package.

通过基准补丁包和相应弥补包合成当前ECU升级所需对应的补丁包的方法至少包括以下步骤：参见图11至图12。The method for synthesizing the corresponding patch package required for the current ECU upgrade by using the reference patch package and the corresponding make-up package at least includes the following steps: refer to FIG. 11 to FIG. 12 .

步骤S400：将弥补包与基准补丁包分别进行解压缩并分别获得解压后文件，弥补包解压后的文件为：子差异文件、子额外文件、子控制字文件以及所保留的补丁包的控制字文件2，基准补丁包解压后获得文件包括：差异文件1、额外文件1、控制字文件1；Step S400: Decompress the compensation package and the benchmark patch package respectively and obtain the decompressed files respectively. The decompressed files of the compensation package are: sub-difference file, sub-extra file, sub-control word file and the reserved control word of the patch package File 2, the files obtained after decompressing the benchmark patch package include: difference file 1, extra file 1, control word file 1;

具体地，弥补包需要选择与当前ECU版本对应升级对应的弥补包。本实施例中尽管对弥补包和基准补丁包进行解压缩，实际上，如果弥补包与基准补丁包如果传输过程中并没有被解压缩，此过程中无须解压，直接获得数据包文件。因此解压缩并未是必须步骤。Specifically, the make-up package needs to select the make-up package corresponding to the corresponding upgrade of the current ECU version. In this embodiment, although the compensation package and the reference patch package are decompressed, in fact, if the compensation package and the reference patch package are not decompressed during transmission, the data package file can be obtained directly without decompression during this process. So decompression is not a necessary step.

步骤S401：去掉基准补丁包的控制字文件1，保留补丁包的控制字文件2并将并根据子控制字文件中的记录将子差异文件、子额外文件通过添加和插入放入基准补丁中的差异文件1、额外文件1中还原形成补丁包中的差异文件2、额外文件2；Step S401: remove the control word file 1 of the benchmark patch package, keep the control word file 2 of the patch package and put the sub-difference file and the sub-extra file into the benchmark patch by adding and inserting the sub-difference file and the sub-extra file according to the records in the sub-control word file. The difference file 1 and extra file 1 are restored to form the difference file 2 and extra file 2 in the patch package;

步骤S402：将所形成的补丁包中的差异文件2、额外文件2所保留补丁包中的控制字文件2进行打包合成补丁包。Step S402: Packing the difference file 2 in the formed patch package and the control word file 2 in the patch package reserved by the additional file 2 to synthesize a patch package.

形成当前ECU版本对应升级的补丁包之后，需要将当前补丁包与当前版本的旧文件进行数据包合成为相应的新文件。After the patch package corresponding to the upgrade of the current ECU version is formed, the current patch package and the old files of the current version need to be packaged into corresponding new files.

具体地，通过补丁包的控制字文件2并根据控制字文件中的记录位置将差异文件2、额外文件2通过添加和插入放入当前旧文件中形成相应的升级新文件。Specifically, through the control word file 2 of the patch package and according to the record position in the control word file, the difference file 2 and the extra file 2 are added and inserted into the current old file to form a corresponding new upgrade file.

实施例6：Example 6:

本实施例提供了一种车载ECU安全升级系统，参见图1至图2。This embodiment provides a vehicle-mounted ECU security upgrade system, see FIG. 1 to FIG. 2 .

具体包括：中央网关、入侵检测模块、安全管理模块、多个ECU，其中安全管理模块与入侵检测模块分别中央网关电连接；Specifically, it includes: a central gateway, an intrusion detection module, a security management module, and a plurality of ECUs, wherein the security management module and the intrusion detection module are electrically connected to the central gateway respectively;

安全管理模块和入侵检测模块能够作为独立的硬件存在或以软件模块的方式集成到中央网关中；The security management module and the intrusion detection module can exist as independent hardware or be integrated into the central gateway in the form of software modules;

防护模块被配置为防护ECU，防护ECU与其它ECU一起通过CAN总线接入CAN网络中。具体地，防护模块可以被配置为防护ECU，从ECU中任意选择一个作为防护ECU，但是为了安全期间，一般都选择不担任与安全责任紧密相关的ECU，如刹车、发动机相关的ECU。也可以设置一个ECU，其与车身控制无直接关系，单纯的作为防护ECU。此时，丢弃含有攻击代码的数据包策略具体包括：安全管理模块将含有攻击代码的数据发送到安装在特定域中的防护ECU中，防护ECU将含有CAN消息标识符(CAN ID)的攻击数据包的信息广播到同一域中的所有ECU中，ECU通过抵抗模块调用应用程序丢弃包含相应CAN消息标识符的数据包；The protection module is configured as a protection ECU, and the protection ECU and other ECUs are connected to the CAN network through the CAN bus. Specifically, the protection module can be configured as a protection ECU, and one of the ECUs can be arbitrarily selected as the protection ECU. However, for the sake of safety, ECUs that are not closely related to safety responsibilities are generally selected, such as brake and engine-related ECUs. It is also possible to set up an ECU, which has no direct relationship with the body control, and is simply used as a protection ECU. At this time, the strategy of discarding the data packet containing the attack code specifically includes: the security management module sends the data containing the attack code to the protection ECU installed in a specific domain, and the protection ECU sends the attack data containing the CAN message identifier (CAN ID). The information of the packet is broadcast to all ECUs in the same domain, and the ECU calls the application through the resistance module to discard the data packet containing the corresponding CAN message identifier;

本实施中，还包括另一种结构方式，在车内网络中含有节点网关，节点网关通过车载以太网总线与中央网关电连接，各ECU通过CAN网络数据总线与节点网关电连接。In this implementation, another structural mode is included, the in-vehicle network includes a node gateway, the node gateway is electrically connected to the central gateway through the vehicle Ethernet bus, and each ECU is electrically connected to the node gateway through the CAN network data bus.

具体地，还包括漏洞ECU，漏洞ECU被配置为具有较多安全漏洞的ECU，使含有攻击代码的数据包易于被入侵检测模块检测；具体地，需要说明的是，入侵检测模块检测车内网络时，还包括对漏洞ECU的检测，漏洞ECU被配置为具有较多安全漏洞的ECU，漏洞ECU使含有攻击代码的数据包易于被入侵检测模块检测到。漏洞ECU为认为设置的，其不参与对车内的概况进行控制，其目的在于在设置该ECU时，故意的留下较多的bug、后门，使其最先受到攻击，一旦其受到攻击，入侵检测模块就能更容易的检测到有恶意代码的存在，使安全模块能够及时的做出响应。Specifically, the vulnerability ECU is also included, and the vulnerable ECU is configured as an ECU with many security vulnerabilities, so that the data packets containing the attack code are easily detected by the intrusion detection module; specifically, it should be noted that the intrusion detection module detects the in-vehicle network It also includes the detection of vulnerable ECUs. The vulnerable ECUs are configured as ECUs with more security vulnerabilities. The vulnerable ECUs make data packets containing attack code easy to be detected by the intrusion detection module. The vulnerability ECU is considered to be set, and it does not participate in the control of the general situation in the car. Its purpose is to deliberately leave more bugs and backdoors when setting the ECU, so that it will be attacked first. The intrusion detection module can more easily detect the existence of malicious code, so that the security module can respond in time.

具体地，还包括服务器、通信模块，服务器通过通信模块与中央网关电连接，其中，服务器用于存储升级所需的升级文件，通信模块设置于车内，通过车载以太网与中央网关电连接，通信模块与服务器通过有线或者无线的方式电连接。Specifically, it also includes a server and a communication module, the server is electrically connected to the central gateway through the communication module, wherein the server is used to store the upgrade files required for the upgrade, the communication module is arranged in the vehicle, and is electrically connected to the central gateway through the vehicle-mounted Ethernet, The communication module is electrically connected with the server in a wired or wireless manner.

通信模块可以为T-box智能天线。The communication module can be a T-box smart antenna.

具体地，还包括车载主机，车载主机通过车载以太网总线与中央网关电连接。Specifically, the vehicle-mounted host is also included, and the vehicle-mounted host is electrically connected to the central gateway through the vehicle-mounted Ethernet bus.

若ECU所需升级补丁包并不在存储于服务上时，服务器调用应用程序将相应的弥补包与基准补丁包进行合成为当前ECU升级相匹配的补丁包或通过通信模块将相应弥补包和基准补丁包下载到中央网关或车载主机中进行合成为当前ECU升级相匹配的补丁包。If the upgrade patch package required by the ECU is not stored in the service, the server invokes the application to synthesize the corresponding patch package and the baseline patch package into a patch package that matches the current ECU upgrade, or the corresponding patch package and baseline patch through the communication module The package is downloaded to the central gateway or in-vehicle host to synthesize the patch package that matches the current ECU upgrade.

或实施例3中的补丁包、弥补包的形成可以在服务器中进行加工处理完成，也可以通过本地PC电脑加工处理完成后在传到服务中，也可以在PC电脑加工完成后通过有线或者无线的方式将数据传给ECU、传感器、摄像头等进行升级，此时，PC也相当于服务器。车载以太网的传输带宽为100Mbps/s，有效载荷(payload)的传输容量为46～1518byte。而CAN总线的传输带宽为1Mbps/s,有效载荷(payload)的传输速率为0～8byte。因此，CAN网络的速率比车载以太网要小很多，CAN网络属于制约ECU升级时间的最大限制因素。而基于CAN网络的协议传输速率时，为了数据的可靠性，其不能同时进行数据传输，数据是逐个传输的，在ECU的升级阶段，占用时间最长。Or the formation of the patch package and the make-up package in Embodiment 3 can be processed in the server, or can be processed by the local PC computer and then transmitted to the service, or can be processed by wired or wireless after the PC computer is completed. In this way, the data is transmitted to the ECU, sensors, cameras, etc. for upgrade. At this time, the PC is also equivalent to a server. The transmission bandwidth of the in-vehicle Ethernet is 100 Mbps/s, and the transmission capacity of the payload is 46 to 1518 bytes. The transmission bandwidth of the CAN bus is 1Mbps/s, and the transmission rate of the payload is 0-8byte. Therefore, the rate of the CAN network is much lower than that of the vehicle Ethernet, and the CAN network is the biggest limiting factor restricting the ECU upgrade time. When the protocol transmission rate based on the CAN network is used, for the reliability of the data, it cannot transmit data at the same time, and the data is transmitted one by one. In the upgrade stage of the ECU, it takes the longest time.

具体地，参见图13实施例中服务器存储补丁包以及基准补丁包、弥补包示例。Specifically, see an example of the server storing the patch package, the reference patch package, and the make-up package in the embodiment of FIG. 13 .

图13a表示当只有补丁包存在的情况时，服务器存储了所有历史版本中的补丁包文件，图13b表示有基准补丁包与所有历史版本相对应的弥补包。基准补丁包时从所有历史版本的补丁包中任选一个版本作为基准补丁包都可以，通常情况下，选择未升级前ECU的最新版本对应的补丁包为基准补丁包，由于每次升级版本的更新都是在历史版本上进行更改，其变动不大。因此ECU升级所需的补丁包与其对应版本的弥补包的所占存储空间相比，补丁包所占的存储空间远大于弥补包。因此采用本发明弥补包的方法，所有历史版本升级所需的ECU升级包为基准补丁包和多个弥补包，其数据包较小。较大的减少的存储器的存储负荷，更有利于数据的传输，尤其是在中央网关和车载主机中具有较小的存储空间环境中，较小的数据包尺寸可以直接传输到车载主机或者中央网关，通过在车载主机或中央网关进行补丁包的合成，进一步的降低传输时间以及系统所消耗的资源。Fig. 13a shows that when only the patch package exists, the server stores the patch package files in all historical versions, and Fig. 13b shows that there are make-up packages corresponding to the reference patch package and all the historical versions. For the benchmark patch package, you can choose any one of the patch packages of all historical versions as the benchmark patch package. Usually, the patch package corresponding to the latest version of the ECU before the upgrade is selected as the benchmark patch package. Updates are all changes made on the historical version, and the changes are not large. Therefore, compared with the storage space occupied by the patch package required for ECU upgrade and its corresponding version of the make-up package, the storage space occupied by the patch package is much larger than that of the make-up package. Therefore, by adopting the method for making up the package of the present invention, all the ECU upgrade packages required for the upgrade of the historical version are the reference patch package and a plurality of make-up packages, and the data packages thereof are relatively small. The larger storage load of the memory is reduced, which is more conducive to the transmission of data, especially in the environment with small storage space in the central gateway and the on-board host, the smaller data packet size can be directly transmitted to the on-board host or the central gateway , by synthesizing the patch package on the vehicle host or the central gateway, the transmission time and the resources consumed by the system are further reduced.

Claims

1. A safety upgrading management method applied to an automobile ECU is characterized by at least comprising the following steps:

a central gateway in the vehicle receives an upgrade file from a server, and the upgrade file is transmitted to an ECU (electronic control unit) to be upgraded through the central gateway;

the intrusion detection module monitors the in-vehicle network in real time, and when finding a data packet containing an attack code in the upgrade file or when the in-vehicle network is attacked, the intrusion detection module feeds back the detected attack information to the security management module;

when the intrusion detection module detects the in-vehicle network, the detection of the vulnerability ECU is also included, and the detection of the vulnerability ECU enables the data packet containing the attack code to be easily detected by the intrusion detection module;

when the security management module receives attack information fed back by the intrusion detection module, the security management module sends a control instruction to the protection module to prevent the target ECU from being intruded;

the protection module is configured to correspond to the security module, and can adopt a corresponding attack resisting strategy according to a control instruction sent by the security module and send the strategy to the target ECU;

the target ECU comprises a resisting module, wherein the resisting module is configured to have a function matched with an attack resisting strategy, and when the target ECU is attacked, the resisting module in the target ECU can call a matched application program to resist invasion according to the attack resisting strategy sent by the protecting module;

the attack resisting strategy comprises a target ECU security resetting strategy, a security resetting strategy of a target node gateway and a data packet strategy containing attack codes;

when the target ECU receives the safety reset strategy, the target ECU enters a safety mode after being automatically restarted, and the safety mode at least comprises the following steps:

is configured to allow basic driving operations to secure the safety of the vehicle, only allows the processing of a safety-verified CAN message, or is configured to require integrity checking and data encryption of received data;

the data packet of the attack code at least comprises data conforming to a CAN message format;

the CAN message format at least comprises a CAN message identifier and a remote request bit;

the remote request bit is used for distinguishing a remote frame and a field of a data frame, the data frame is used for data transmission on the CAN bus, the data frame must be dominant, and the remote request bit is represented by 0;

the remote frame is used for sending requests and does not contain payload data information, the remote request frame must be an implicit 1, and a remote request bit is represented by 1;

the explicit and implicit conversion is realized by changing the value of a remote request bit through the voltage control CAN _ H high voltage and the CAN _ L low voltage on the CAN bus;

the protection module is configured to protect the ECU, and the strategy of discarding the data packet containing the attack code specifically includes: the security management module sends data containing the attack code to a protection ECU installed in a specific domain, the protection ECU broadcasts information of an attack data packet containing a CAN message identifier to all target ECUs in the same domain, and the target ECUs call an application program through a resisting module to discard the data packet containing the corresponding CAN message identifier;

the safety management module issues a data packet discarding instruction to the protection ECU, the protection ECU changes a remote request bit in a data packet which accords with a CAN message format and contains an attack code of a CAN message identifier from explicit 0 to implicit 1, and then sends the changed data packet to all target ECUs in a broadcasting mode;

the target ECU only responds when the CAN message identifier is the CAN message identifier associated with the target ECU, and the target ECU directly discards the data packet when the CAN message identifier is not associated with the target ECU.

2. The ECU security upgrade management method applied to the automobile according to claim 1,

when the attack is over, the protection ECU broadcasts again a data packet containing the normal corresponding CAN message identifier.

3. The automobile ECU security upgrade management method according to claim 1, wherein when an in-vehicle network transmits by using a vehicle-mounted Ethernet and a node gateway is set to connect with various domains, and an attack occurs, the security management module sends a control instruction to the attacked target node gateway to instruct the target node gateway to adopt the security reset strategy resistance of the target node gateway;

the security reset strategy of the node gateway comprises that the node gateway enters a security mode after being automatically restarted, and the security mode of the node gateway at least comprises the following steps: is configured to allow basic driving operations to secure the vehicle, only allows the processing of a safety-verified CAN message, or is configured to require integrity checking of received data and data encryption.

4. The automobile ECU security upgrading management method according to claim 1, wherein the upgrading file at least comprises a patch package, and the patch package is synthesized by matching a reference patch package with a compensation package of the ECU to be upgraded;

the method for forming the reference patch package and the compensation package comprises the following steps:

step 1: respectively carrying out difference analysis on the new file and the old file, respectively finding out the difference between the new file and the old file, obtaining a difference data packet of the new file and the old file, and extracting and packaging the difference data packet to form a patch packet; repeating the step 1 until patch packages corresponding to the new files and all old files with different historical versions are obtained;

step 2: selecting one of the plurality of patch packages as a reference patch package;

and step 3: comparing the difference of the selected reference patch package with the difference of the selected patch package, finding out the difference of the reference patch package and the patch package, obtaining the difference data package of the reference patch package and the patch package, extracting, packaging and compressing the difference data package to form a compensation package; and repeating the step 3 until a compensation package of the reference patch package corresponding to all the old files with different historical versions is obtained.

5. The automobile ECU security upgrade management method according to claim 4, wherein the obtaining of the difference data packet of the new file and the old file comprises the following steps:

step S200: sequencing the old file and the new file by using a suffix array method to form a character string group;

step S201: then, comparing the new file with the old file according to the formed character string group;

step S202: querying the same part between the old file and the new file by utilizing a dichotomy;

step S203: finding out the maximum public subsequence of the new file and the old file and determining a difference part;

step S204: finding out additional parts of the new file and the old file;

step S205, compressing the difference part, the extra part and the control word;

step S206: forming a patch package;

the addresses of data storage in the new file and the old file are 4 bytes, and the operation code stores fixed 8 bytes under each address.

6. The automobile ECU security upgrade management method according to claim 4, wherein the patch package acquisition comprises the following steps:

step S300: decompressing the files of the reference patch package and the patch package to obtain decompressed files of the reference patch package and the patch package respectively, wherein the decompressed files respectively comprise three parts: the control word file, the difference file and the additional file, namely the reference patch package and the patch package respectively comprise: control word files, difference files, extra files;

step S301: removing the control word file of the reference patch package, reserving the control word file of the patch package, and performing differential analysis on the difference file and the extra file in the reference patch package and the difference file and the extra file in the patch package by using a BSDIFF algorithm;

step S302: forming corresponding sub difference files, sub extra files and sub control word files by a BSDIFF algorithm;

step S303: and packaging the formed sub difference file, the sub additional file, the sub control word file and the control word file of the reserved patch package, and then compressing to form the patch package.

7. The automobile ECU security upgrading management method according to claim 6, wherein the step of forming the patch pack by the reference patch pack and the compensation pack comprises the following steps:

step S400: respectively decompressing the compensation package and the reference patch package to respectively obtain decompressed files, wherein the decompressed files of the compensation package comprise: the sub difference file, the sub extra file, the sub control word file and the reserved control word file of the patch package, wherein the file obtained after the standard patch package is decompressed comprises: difference files, extra files, control word files;

step S401: removing the control word file of the standard patch package, reserving the control word file of the patch package, and restoring the sub difference file and the sub extra file into the difference file and the extra file in the standard patch package by adding and inserting the difference file and the extra file into the standard patch according to the guide information in the sub control word file to form the difference file and the extra file in the patch package;

step S402: and packaging the difference file, the additional file and the control word file in the reserved patch package to form the patch package.

8. A safety upgrading management system applied to automobile ECUs is characterized by comprising a central gateway, an intrusion detection module, a safety management module and a plurality of ECUs, wherein the safety management module is electrically connected with the intrusion detection module through the central gateway respectively;

the central gateway is at least used for communication or data processing or in-vehicle network management between the interior and the exterior of the vehicle;

the intrusion detection module is configured as a monitoring module or monitoring equipment and used for monitoring the safety of the in-vehicle network in real time, and when the in-vehicle network is detected to be attacked, the attack information can be fed back to the safety management module; the security management module is control equipment or a control module, and can reduce damage caused by network attack when the intrusion detection module detects the automobile network attack;

the safety management module is configured as a control device or a control module and can issue a control instruction and enable a target to adopt an attack resisting strategy for resisting when the intrusion detection module detects that the network in the vehicle is attacked;

the protection module is configured to adopt an attack resisting strategy according to a control instruction issued by the safety management module and send the strategy to the target ECU, and the protection module is electrically connected with the central gateway through the CAN bus;

the security management module and the intrusion detection module can exist as independent hardware or are integrated into a central gateway in a software module mode;

when the node gateway does not exist, each ECU is electrically connected with the central gateway through the CAN bus;

the safety upgrading management system is applied to the automobile ECU safety upgrading management upgrading method according to any one of claims 1 to 7.

9. The system as claimed in claim 8, wherein the protection module is configured to protect the ECU, and the protection ECU is connected to the CAN network together with other ECUs through the CAN bus.

10. The ECU security upgrade management system for vehicles according to claim 8, further comprising: and the node gateways are electrically connected with the central gateway through a vehicle-mounted Ethernet bus, and each ECU is electrically connected with the node gateways through a CAN network data bus.

11. The system for managing the security upgrade of the automobile ECU according to claim 8, further comprising a vulnerability ECU, wherein the vulnerability ECU is configured as an ECU with more security vulnerabilities, so that a data packet containing an attack code is easy to be detected by the intrusion detection module;

the system comprises a vehicle-mounted Ethernet, a central gateway and a server, and is characterized by further comprising the server and a communication module, wherein the server is electrically connected with the central gateway through the communication module, the server is used for storing upgrade files required by upgrade, the communication module is arranged in the vehicle and is electrically connected with the central gateway through the vehicle-mounted Ethernet, and the communication module is electrically connected with the server in a wired or wireless mode.