Disclosure of Invention
The invention aims to provide a vehicle CAN bus fuzz test method, a vehicle CAN bus fuzz test system, an electronic device and a computer-readable storage medium, so as to discover potential vulnerabilities in a vehicle CAN network and improve the driving safety of the vehicle.
In order to achieve this aim, the invention provides a vehicle CAN bus fuzz test method comprising the following steps: generating regular packet test data for regular data packets, in which legal data transmitted by a vehicle ECU on the CAN bus is obtained and fuzz mutation is applied to the legal data, based on the fuzz testing principle, to generate the regular packet test data; generating diagnostic packet test data for diagnostic data packets, in which diagnostic packet test data conforming to the UDS diagnostic protocol is generated based on the UDS diagnostic protocol and the fuzz testing principle; and sending the regular packet test data and the diagnostic packet test data to the CAN bus under test.
Specifically, "applying fuzz mutation to the legal data based on the fuzz testing principle" includes at least one of deleting some bytes of the legal data, adding bytes to the legal data, and modifying some bytes of the legal data.
Preferably, "generating diagnostic packet test data conforming to the UDS diagnostic protocol based on the UDS diagnostic protocol and the fuzz testing principle" specifically includes generating, based on a unified diagnostic service table, diagnostic packet test data that conforms to that table.
Preferably, while the regular packet test data and/or the diagnostic packet test data are sent to the CAN bus under test, the data layer of the CAN bus is monitored in real time to detect abnormalities of the CAN bus.
In order to achieve the same aim, the invention provides a vehicle CAN bus fuzz test system comprising a regular packet test data generator, a diagnostic packet test data generator and a data sending module. The regular packet test data generator is configured to generate regular packet test data for regular data packets, and performs: legal data transmitted by the vehicle ECU on the CAN bus is obtained, and fuzz mutation is applied to the legal data, based on the fuzz testing principle, to generate the regular packet test data. The diagnostic packet test data generator is configured to generate diagnostic packet test data for diagnostic data packets, and performs: diagnostic packet test data conforming to the UDS diagnostic protocol is generated based on the UDS diagnostic protocol and the fuzz testing principle. The data sending module is configured to send the regular packet test data and the diagnostic packet test data to the CAN bus under test.
Specifically, the fuzz mutation that the regular packet test data generator applies to the legal data includes at least one of deleting some bytes of, adding bytes to, and changing some bytes of the legal data.
Preferably, the diagnostic packet test data generator generates, based on a unified diagnostic service table, diagnostic packet test data conforming to that table.
Preferably, the vehicle CAN bus fuzz test system further comprises a monitor, which monitors the data layer of the CAN bus in real time while the regular packet test data and/or the diagnostic packet test data are sent to the CAN bus under test, so as to detect abnormalities of the CAN bus.
To achieve the above object, the invention also provides an electronic device comprising one or more processors and a memory storing one or more computer programs which, when executed by the one or more processors, perform the vehicle CAN bus fuzz test method described above.
To achieve the above object, the invention also provides a computer-readable storage medium storing a computer program which, when executed by a processor, performs the vehicle CAN bus fuzz test method described above.
Compared with the prior art, the method and system of the invention generate fuzz test data suited to the vehicle CAN network in order to discover potential vulnerabilities in it, thereby improving the driving safety of the vehicle. In addition, the invention generates test data for the two different types of data packet in the CAN network on different principles. For regular data packets, regular packet test data is generated by mutation, and the data being mutated is legal data transmitted on the CAN network, so the generated fuzz test data (regular packet test data) is closer to real traffic; this makes the test data harder for an ECU to distinguish from genuine frames and makes the result of the fuzz test more accurate. For diagnostic data packets, diagnostic packet test data conforming to the UDS diagnostic protocol is generated from the protocol itself, which avoids the problem that fuzz test data (diagnostic packet test data) produced by purely random generation falls outside the valid range, and so improves test efficiency.
Detailed Description
In order to explain the technical content and structural features of the invention in detail, the following description is made with reference to the accompanying drawings. It is to be understood that the described embodiments are merely some of the embodiments of the invention and not all of them, and that the invention is not limited to the example embodiments described herein. All other embodiments that a person skilled in the art can derive from the described embodiments without inventive effort fall within the scope of protection of the invention.
An embodiment of the invention provides a vehicle CAN bus fuzz test method for discovering potential vulnerabilities in a vehicle CAN network and improving vehicle driving safety. The vehicle CAN bus fuzz test method comprises the following steps:
generating regular packet test data for regular data packets, specifically: legal data transmitted by the vehicle ECU on the CAN bus is acquired, and fuzz mutation is applied to the legal data, based on the fuzz testing principle, to generate the regular packet test data;
generating diagnostic packet test data for diagnostic data packets, specifically: diagnostic packet test data conforming to the UDS diagnostic protocol is generated based on the UDS diagnostic protocol and the fuzz testing principle; and
sending the regular packet test data and the diagnostic packet test data to the CAN bus under test while monitoring the data layer of the CAN bus in real time, so as to obtain the influence of the test data on the data layer of the CAN bus, thereby monitoring for abnormal data at the data layer and discovering vulnerabilities in the vehicle CAN network. Furthermore, abnormal responses of the vehicle body can be observed at the same time to evaluate the direct influence of the fuzz test on vehicle functions.
In this embodiment, to generate the regular packet test data for a regular data packet, some bytes of a legal input are mutated (for example, some bytes of the legal data are deleted, bytes are added to the legal data, some bytes of the legal data are changed, and so on) to obtain the regular packet test data, and whether a corresponding vulnerability exists is then determined from how the CAN network responds to the regular packet test data. Since the encoding of regular packets is defined entirely by the vehicle manufacturer, and no application-layer protocol constrains the valid range of the data or the relationship between data bytes, the regular packet test data can be generated by a mutation-based method. And because the regular packet test data is derived from legal data transmitted in real time on the CAN network by legitimate ECUs in the vehicle, the generated fuzz test data (regular packet test data) is closer to real traffic, is harder to distinguish from genuine frames, and makes the result of the fuzz test more accurate.
As shown in fig. 2, generating the regular packet test data for a regular data packet specifically includes the following steps:
S101, receive one frame of legal data.
S102, randomly generate a position site in the range 0 to 7 (one frame of CAN data holds 8 bytes, numbered 0 to 7) as the head position pre_site of the mutated data.
S103, generate the mutated byte length len within the boundary range [1, 8-site] (at least one byte is mutated, so the minimum of len is 1; the maximum is limited by the difference between the maximum length 8 of one CAN data frame and the head position site of the mutation).
S104, generate random data at the current position site, then let site = site + 1.
S105, judge whether site has reached pre_site + len (that is, whether len bytes have been generated); if not, return to step S104; if so, end.
Because a diagnostic data packet strictly follows the UDS diagnostic protocol as carried over CAN, in which the first byte of the data frame gives the effective length of the request (for a single frame this is the ISO 15765-2 transport-layer header byte), the second byte is the main service ID and the third byte is the sub-function, the valid range of the first three bytes is already fixed. If a purely random generation method were adopted, the generated fuzz test data could fall outside the valid range, and in most cases the vehicle CAN network returns a uniform rejection response to out-of-range diagnostic packets, so the efficiency of the fuzz test would drop markedly. Therefore, in this embodiment, unlike the regular packet test data, which starts from a legal input, the diagnostic packet test data for diagnostic data packets starts from the protocol or a file description of it: knowing the bytes, data types and valid values of the UDS diagnostic protocol and the relationships between bytes, a partially valid input is created from scratch, which avoids the problem that fuzz test data (diagnostic packet test data) produced by random generation falls outside the valid range, and improves test efficiency. Furthermore, since diagnostic packets are not normally present on the CAN network and arise only from sessions between a diagnostic tool and an ECU, it is impractical to collect a large number of diagnostic packets from the vehicle itself for mutation in the way regular packet test data is generated for regular packets.
To meet different requirements, ISO 14229-1 specifies a number of diagnostic services, with a one-to-one correspondence between each service ID and its service function. In this embodiment, the diagnostic packet test data is generated based on a unified diagnostic service table (a relational table, prescribed by the UDS diagnostic protocol, of main service ID, sub-function ID and service function) so that it conforms to that table. The validity of the test data is thereby ensured, the generation of invalid services or of sub-functions that do not exist under a service is avoided, the stimulus that the diagnostic packet test data applies to the CAN network is strengthened, and the test efficiency is improved.
As shown in fig. 3, in this embodiment, generating the diagnostic packet test data for a diagnostic data packet specifically includes the following steps:
S201, randomly generate the effective length Length in Byte0 (the 0th byte), where Length lies in [0x02, 0x07].
S202, look up the list of valid main services and generate the main service Service in Byte1 (the 1st byte).
S203, judge whether Service supports sub-functions; if so, go to step S204; if not, go to step S205.
S204, look up the sub-function list of Service and generate the sub-function SubService in Byte2 (the 2nd byte), then go to step S206.
S205, randomly generate the sub-function byte (Byte2), then go to step S206.
S206, with Byte denoting the index of the current byte (initially 2, the sub-function byte), let Byte = Byte + 1.
S207, judge whether Byte is greater than or equal to Length + 1; if so, end; if not, go to step S208.
S208, randomly generate the current byte Byte, and return to step S206.
Referring to fig. 1, an embodiment of the invention further discloses a vehicle CAN bus fuzz test system, which includes a fuzz test engine, a data sending module 330 and a monitor 340, wherein the fuzz test engine includes a regular packet test data generator 310 and a diagnostic packet test data generator 320. The regular packet test data generator 310 is configured to generate regular packet test data for regular data packets, and performs: legal data transmitted by the vehicle ECU on the CAN bus is acquired, and fuzz mutation is applied to the legal data, based on the fuzz testing principle, to generate the regular packet test data. The diagnostic packet test data generator 320 is configured to generate diagnostic packet test data for diagnostic data packets, and performs: diagnostic packet test data conforming to the UDS diagnostic protocol is generated based on the UDS diagnostic protocol and the fuzz testing principle. The data sending module 330 is configured to send the regular packet test data and the diagnostic packet test data to the CAN bus under test. The monitor 340 is configured to monitor the data layer of the CAN bus in real time while the regular packet test data and/or the diagnostic packet test data are sent to the CAN bus under test, so as to obtain the influence of the test data on the data layer, monitor for abnormal data at the data layer, and discover vulnerabilities in the CAN network. Furthermore, abnormal responses of the vehicle body can be observed at the same time to evaluate the direct influence of the fuzz test on vehicle functions, and thus the abnormality of the CAN bus is obtained.
Specifically, in this embodiment, the regular packet test data generator 310 obtains the regular packet test data by mutating some bytes of a legal input (for example, deleting some bytes of the legal data, adding bytes to the legal data, changing some bytes of the legal data, and so on), and whether a corresponding vulnerability exists is then determined from how the CAN network responds to the regular packet test data. Since the encoding of regular packets is defined entirely by the vehicle manufacturer, and no application-layer protocol constrains the valid range of the data or the relationship between data bytes, the regular packet test data can be generated by a mutation-based method. And because the regular packet test data is derived from legal data transmitted in real time on the CAN network by legitimate ECUs in the vehicle, the generated fuzz test data (regular packet test data) is closer to real traffic, is harder to distinguish from genuine frames, and makes the result of the fuzz test more accurate.
More specifically, the functional blocks of the regular packet test data generator 310 are shown in the following table:
submodule  | Function                                          | Value range
Fuzz_recv  | Receiving legal data for mutation                 | ——
Fuzz_site  | Determining the head position of the mutated data | site=[0,7]
Fuzz_len   | Determining the byte length of the mutated data   | len=[1,8-site]
Fuzz_gen   | Generating random data                            | data=[0x00,0xff]
That is, the regular packet test data generator 310 includes the sub-modules Fuzz_recv, Fuzz_site, Fuzz_len and Fuzz_gen. After legal data is received from the CAN network by the Fuzz_recv module, the Fuzz_site module is first called to randomly generate a number site in the range 0 to 7 that determines the head position of the mutated data. The Fuzz_len module is then called to randomly generate the mutated byte length len within a boundary range: since at least one byte is mutated, the minimum of len is 1, and the maximum is limited by the difference between the maximum length 8 of one CAN data frame (format example of a CAN standard data frame: ECU ID: 0x030, DATA: 0x80 0x00 0x21 0x00 0x00 0x92 0x04, Len: 08) and the head position site of the mutation, so the boundary range is [1, 8-site]. Finally, the Fuzz_gen module generates random data for the corresponding positions and length in turn, producing the regular packet test data.
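The mutation procedure of steps S101 to S105 and of the Fuzz_recv, Fuzz_site, Fuzz_len and Fuzz_gen sub-modules, written out as an added Python example. This code is not part of the patent and is not its implementation: it implements the overwrite mutation of the flowchart and, going beyond it, the delete and add operations named earlier in the description. The CanFrame type, the function names, and the sample legal frames are assumptions of this example; the sample frames are constructed, not captured from a vehicle.

```python
"""Regular-packet mutator for CAN fuzzing (added example, not the patent's code)."""
import random
from dataclasses import dataclass

CAN_MAX_DLC = 8   # a classic CAN data frame carries at most 8 data bytes


@dataclass(frozen=True)
class CanFrame:
    """One CAN data frame: 11-bit standard identifier plus 0..8 data bytes."""
    arbitration_id: int
    data: bytes

    def __post_init__(self):
        if not 0 <= self.arbitration_id <= 0x7FF:
            raise ValueError("standard CAN identifiers are 11 bits")
        if len(self.data) > CAN_MAX_DLC:
            raise ValueError("classic CAN carries at most 8 data bytes")


def fuzz_site(rng: random.Random, dlc: int) -> int:
    """Fuzz_site: head position of the mutated span, site in [0, dlc-1] (S102)."""
    return rng.randrange(dlc)


def fuzz_len(rng: random.Random, site: int, dlc: int) -> int:
    """Fuzz_len: length of the mutated span, len in [1, dlc-site] (S103)."""
    return rng.randint(1, dlc - site)


def fuzz_gen(rng: random.Random, n: int) -> bytes:
    """Fuzz_gen: n random bytes, each in [0x00, 0xff] (S104)."""
    return bytes(rng.randrange(0x100) for _ in range(n))


def mutate_change(frame: CanFrame, rng: random.Random) -> CanFrame:
    """Steps S101-S105: overwrite len bytes from site with random data.
    The frame length and every byte outside [site, site+len) are kept."""
    dlc = len(frame.data)
    if dlc == 0:
        return frame                    # an empty frame has nothing to overwrite
    site = fuzz_site(rng, dlc)
    n = fuzz_len(rng, site, dlc)
    data = bytearray(frame.data)
    data[site:site + n] = fuzz_gen(rng, n)
    return CanFrame(frame.arbitration_id, bytes(data))


def mutate_delete(frame: CanFrame, rng: random.Random) -> CanFrame:
    """Delete len bytes from site, so the frame gets shorter (its DLC shrinks)."""
    dlc = len(frame.data)
    if dlc == 0:
        return frame
    site = fuzz_site(rng, dlc)
    n = fuzz_len(rng, site, dlc)
    return CanFrame(frame.arbitration_id, frame.data[:site] + frame.data[site + n:])


def mutate_add(frame: CanFrame, rng: random.Random) -> CanFrame:
    """Insert random bytes at site (possibly at the end). Classic CAN cannot
    carry more than 8 bytes, so the result is truncated to 8."""
    dlc = len(frame.data)
    site = rng.randint(0, dlc)
    n = rng.randint(1, CAN_MAX_DLC)
    data = frame.data[:site] + fuzz_gen(rng, n) + frame.data[site:]
    return CanFrame(frame.arbitration_id, data[:CAN_MAX_DLC])


MUTATORS = (mutate_change, mutate_delete, mutate_add)


def generate_regular_test_data(legal_frames, count: int, seed: int = 0, ops=MUTATORS):
    """Fuzz_recv plus the mutation loop: take frames captured from the bus and
    return `count` mutated frames, picking a seed frame and an operator at random.
    A fixed `seed` makes a run reproducible, which matters once a fault is found."""
    rng = random.Random(seed)
    seeds = list(legal_frames)
    return [rng.choice(ops)(rng.choice(seeds), rng) for _ in range(count)]


# Constructed sample of "legal" frames for demonstration; not vehicle captures.
LEGAL_FRAMES = [
    CanFrame(0x030, bytes.fromhex("1234567890ABCDEF")),
    CanFrame(0x1A5, bytes.fromhex("0010FF3C")),
]

if __name__ == "__main__":
    for f in generate_regular_test_data(LEGAL_FRAMES, 6, seed=1):
        print(f"{f.arbitration_id:03X}#{f.data.hex().upper()}")
```

Two choices worth noting: the mutated bytes are written over the original span rather than appended, so a mutated frame keeps the DLC and identifier of the legal frame it came from, which is what makes it plausible to the receiving ECU; and the RNG seed is an explicit parameter, so a frame that provoked an abnormal response can be regenerated from the seed and the log instead of being hunted for.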
Because a diagnostic data packet strictly follows the UDS diagnostic protocol as carried over CAN, in which the first byte of the data frame gives the effective length of the request (for a single frame this is the ISO 15765-2 transport-layer header byte), the second byte is the main service ID and the third byte is the sub-function, the valid range of the first three bytes is already fixed. If a purely random generation method were adopted, the generated fuzz test data could fall outside the valid range, and in most cases the vehicle CAN network returns a uniform rejection response to out-of-range diagnostic packets, so the efficiency of the fuzz test would drop markedly. Therefore, in this embodiment, unlike the regular packet test data, which starts from a legal input, the diagnostic packet test data generator 320 creates a partially valid input from scratch by knowing the bytes, data types and valid values of the UDS diagnostic protocol and the relationships between bytes, which avoids the problem that fuzz test data (diagnostic packet test data) produced by random generation falls outside the valid range, and improves test efficiency. Furthermore, since diagnostic packets are not normally present on the CAN network and arise only from sessions between a diagnostic tool and an ECU, it is impractical to collect a large number of diagnostic packets from the vehicle itself for mutation in the way regular packet test data is generated for regular packets.
To meet different requirements, ISO 14229-1 specifies a number of diagnostic services, with a one-to-one correspondence between each service ID and its service function. In this embodiment, the diagnostic packet test data generator 320 generates the diagnostic packet test data based on a unified diagnostic service table (a relational table, prescribed by the UDS diagnostic protocol, of main service ID, sub-function ID and service function) so that it conforms to that table. The validity of the test data is thereby ensured, the generation of invalid services or of sub-functions that do not exist under a service is avoided, the stimulus that the diagnostic packet test data applies to the CAN network is strengthened, and the test efficiency is improved.
Specifically, the functional blocks of the diagnostic packet test data generator 320 are shown in the following table:
submodule        | Function                                                        | Value range
Fuzz_Length      | Generating the effective length in Byte0                        | Length=[0x02,0x07]
Fuzz_Service     | Generating the main service in Byte1 by table lookup            | unified diagnostic service table
Fuzz_SubService  | Generating the sub-function in Byte2 by table lookup (random when the service has no sub-function) | unified diagnostic service table
Fuzz_AddByte     | Generating random data in Byte3 to Byte7                        | data=[0x00,0xff]
That is, the diagnostic packet test data generator 320 includes the sub-modules Fuzz_Length, Fuzz_Service, Fuzz_SubService and Fuzz_AddByte. First, Fuzz_Length is called to generate the 0th byte (Byte0) of the test data, which gives the number of valid bytes of the requested service; since the main service and the sub-function each occupy one byte, the valid length is at least 0x02, and since the length byte itself occupies one of the eight bytes of the frame, the maximum valid length is 0x07. Fuzz_Service generates the requested main service and Fuzz_SubService generates the corresponding sub-function. Because the main service codes specified in the UDS diagnostic protocol are not numerically contiguous, and because the sub-functions depend entirely on the main service, so that the range of sub-functions differs from one main service to another, random generation would produce invalid services or sub-functions that do not exist under the service; therefore, in this embodiment, Fuzz_Service and Fuzz_SubService generate the main service byte and the sub-function byte by looking up the unified diagnostic service table. The bytes following the sub-function (Byte3 to Byte7) carry the specific function that the requested service is to perform; their encoding depends on the vehicle manufacturer's definition, so they are generated at random by the Fuzz_AddByte module.
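The table-driven generation of steps S201 to S208 and of the Fuzz_Length, Fuzz_Service, Fuzz_SubService and Fuzz_AddByte sub-modules, as an added Python example that is not the patent's own code. It carries a small subset of the ISO 14229-1 service table; the sub-function values listed are the standard ones, but which services to include, the function names, and the validate_request helper are this example's own choices. The suppress-positive-response bit (bit 7 of the sub-function byte) is set on some looked-up values so that both forms of each sub-function reach the ECU.

```python
"""UDS diagnostic packet generator driven by a service table.

Added example, not the patent's implementation: it follows steps S201-S208
above with a subset of the ISO 14229-1 service table. Byte0 is the single-
frame length, Byte1 the service ID, Byte2 the sub-function, the rest random."""
import random

# Subset of the ISO 14229-1 service table: SID -> (name, sub-functions).
# The sub-function values are the standard ones; the choice of services is
# this example's own. None means the service has no sub-function byte.
UDS_SERVICES = {
    0x10: ("DiagnosticSessionControl", (0x01, 0x02, 0x03)),
    0x11: ("ECUReset", (0x01, 0x02, 0x03)),
    0x19: ("ReadDTCInformation", (0x01, 0x02, 0x0A)),
    0x22: ("ReadDataByIdentifier", None),
    0x27: ("SecurityAccess", (0x01, 0x02)),
    0x28: ("CommunicationControl", (0x00, 0x01, 0x02, 0x03)),
    0x2E: ("WriteDataByIdentifier", None),
    0x31: ("RoutineControl", (0x01, 0x02, 0x03)),
    0x3E: ("TesterPresent", (0x00,)),
    0x85: ("ControlDTCSetting", (0x01, 0x02)),
}
SUPPRESS_POS_RSP = 0x80   # bit 7 of a sub-function byte (ISO 14229-1)


def fuzz_length(rng: random.Random) -> int:
    """Fuzz_Length: Byte0, the single-frame length, in [0x02, 0x07] (S201)."""
    return rng.randint(0x02, 0x07)


def fuzz_service(rng: random.Random) -> int:
    """Fuzz_Service: Byte1, a SID looked up in the table, never a random byte (S202)."""
    return rng.choice(sorted(UDS_SERVICES))


def fuzz_subservice(rng: random.Random, sid: int) -> int:
    """Fuzz_SubService: Byte2. Table lookup when the service defines
    sub-functions (S204), a random byte otherwise (S205). A quarter of the
    looked-up values also get the suppress-positive-response bit."""
    subs = UDS_SERVICES[sid][1]
    if subs is None:
        return rng.randrange(0x100)
    sub = rng.choice(subs)
    return sub | SUPPRESS_POS_RSP if rng.random() < 0.25 else sub


def fuzz_addbyte(rng: random.Random) -> int:
    """Fuzz_AddByte: Byte3..Byte7 are manufacturer-defined, so random (S208)."""
    return rng.randrange(0x100)


def generate_diagnostic_request(rng: random.Random) -> bytes:
    """Steps S201-S208: one 8-byte single-frame UDS request. Bytes past the
    declared length are left as 0x00 padding."""
    frame = bytearray(8)
    length = frame[0] = fuzz_length(rng)        # S201
    sid = frame[1] = fuzz_service(rng)          # S202
    frame[2] = fuzz_subservice(rng, sid)        # S203-S205
    byte = 2
    while True:                                 # S206-S208
        byte += 1
        if byte >= length + 1:
            break
        frame[byte] = fuzz_addbyte(rng)
    return bytes(frame)


def generate_batch(count: int, seed: int = 0) -> list:
    """Reproducible batch of requests; the seed is what you log with a finding."""
    rng = random.Random(seed)
    return [generate_diagnostic_request(rng) for _ in range(count)]


def validate_request(frame: bytes):
    """Check a frame against the same table. Returns (service name,
    sub-function byte, payload) or raises ValueError; used to confirm the
    generator never emits a request the table would not accept."""
    if len(frame) != 8:
        raise ValueError("expected an 8-byte CAN data field")
    length, sid = frame[0], frame[1]
    if not 0x02 <= length <= 0x07:
        raise ValueError(f"bad single-frame length {length:#04x}")
    if sid not in UDS_SERVICES:
        raise ValueError(f"SID {sid:#04x} not in service table")
    name, subs = UDS_SERVICES[sid]
    sub = frame[2]
    if subs is not None and (sub & ~SUPPRESS_POS_RSP) not in subs:
        raise ValueError(f"sub-function {sub:#04x} not defined for {name}")
    if any(frame[length + 1:]):
        raise ValueError("non-zero bytes beyond the declared length")
    return name, sub, bytes(frame[3:length + 1])


if __name__ == "__main__":
    for req in generate_batch(5, seed=2024):
        print(req.hex(" ").upper(), "->", validate_request(req)[0])
```

The request ID on which these frames are sent (and the response ID to listen on) is vehicle-specific and is not part of the frame, so it is left to the sending module; for a real target the table should be extended with the services and sub-functions of the ECU under test, since anything outside the table is never generated.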
Referring to fig. 4, the invention also discloses an electronic device 400 comprising one or more processors 410 and a memory 420, the memory 420 storing one or more computer programs, such as a vehicle CAN bus fuzz test program. When the one or more computer programs are executed by the one or more processors 410, the vehicle CAN bus fuzz test method described above is performed. Specifically, the electronic device 400 may be any computing device with data processing capability, such as a desktop computer or a notebook computer, and is not limited to the processor 410 and the memory 420. Those skilled in the art will appreciate that the schematic diagram of fig. 4 is merely an example of the electronic device 400 and does not limit it; the device may include more or fewer components than shown, combine certain components, or use different components, and may for example also include input/output devices, network access devices, buses, and the like.
Accordingly, the invention also relates to a computer-readable storage medium storing a computer program which, when executed by the processor 410, performs the vehicle CAN bus fuzz test method of the above embodiments. The computer program comprises computer program code, which may be in the form of source code, object code, an executable file or some intermediate form. The computer-readable storage medium may include any entity or device capable of carrying computer program code, a recording medium, a USB flash drive, a removable hard disk, a magnetic disk, an optical disk, a computer memory, a read-only memory (ROM), a random access memory (RAM), or the like.
In the following, taking an actual vehicle as an example, the steps executed in the fuzz test process are described:
First, a data transceiver is connected to the OBD interface of the vehicle to access the vehicle's CAN network (with the vehicle stationary, since the test data can trigger body and powertrain functions). Then the regular packet test data generator 310 and the diagnostic packet test data generator 320 are driven to work simultaneously, and the generated fuzz test data (regular packet test data and diagnostic packet test data) are sent to the vehicle CAN network while being recorded and saved to a file, so that any frame that provokes an abnormal response can be reproduced. Meanwhile, the monitor 340 is driven to acquire in real time the response of the CAN network data layer to the test data, so as to evaluate the potential threat the fuzz test poses to the network system programs; abnormal responses of the vehicle body can be observed at the same time to evaluate the direct influence of the fuzz test on vehicle functions.
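What the monitor 340 can check at the data layer is not spelled out above, so the following added Python example (not the patent's code) shows one concrete set of checks over a recorded capture: a frame that was periodic before fuzzing began and then stalls or disappears, an identifier that was never seen in the baseline, and a UDS negative response with its negative response code. The candump-style line format, the three anomaly criteria, the baseline/period heuristic and the sample capture are all assumptions of this example; the capture is constructed, not recorded from a vehicle.

```python
"""Data-layer monitor for a CAN fuzzing session (added example, not the
patent's monitor 340). It replays a candump-style capture and flags what
this example treats as anomalies: a periodic frame that stalls or stops,
an identifier absent from the baseline, and a UDS negative response."""
import re
from collections import defaultdict
from statistics import mean

# "(timestamp) iface ID#DATA", the text format written by can-utils candump -L.
LINE_RE = re.compile(r"\((\d+\.\d+)\)\s+\S+\s+([0-9A-Fa-f]{3,8})#([0-9A-Fa-f]*)")

# ISO 14229-1 negative response codes (subset).
NRC_NAMES = {
    0x10: "generalReject", 0x11: "serviceNotSupported",
    0x12: "subFunctionNotSupported", 0x13: "incorrectMessageLengthOrInvalidFormat",
    0x22: "conditionsNotCorrect", 0x31: "requestOutOfRange",
    0x33: "securityAccessDenied", 0x35: "invalidKey",
    0x78: "requestCorrectlyReceivedResponsePending",
    0x7F: "serviceNotSupportedInActiveSession",
}


def parse_candump_line(line: str):
    """-> (timestamp in seconds, CAN identifier, data bytes)."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparsable line: {line!r}")
    return float(m.group(1)), int(m.group(2), 16), bytes.fromhex(m.group(3))


def learn_periods(frames, baseline_end: float) -> dict:
    """Nominal transmit period per ID, learned from frames sent before fuzzing
    starts. IDs seen fewer than three times are not treated as periodic."""
    stamps = defaultdict(list)
    for ts, can_id, _ in frames:
        if ts < baseline_end:
            stamps[can_id].append(ts)
    return {cid: mean(b - a for a, b in zip(t, t[1:]))
            for cid, t in stamps.items() if len(t) >= 3}


def find_anomalies(frames, periods: dict, factor: float = 3.0,
                   ignore_ids=frozenset()) -> list:
    """Walk the capture in time order; return (kind, ts, id, detail) tuples."""
    anomalies, last_seen, known = [], {}, set(periods)
    for ts, can_id, data in frames:
        if can_id not in known and can_id not in ignore_ids:
            anomalies.append(("new_id", ts, can_id, None))
            known.add(can_id)
        # Single-frame negative response: PCI 0x03, 0x7F, rejected SID, NRC.
        if len(data) >= 4 and data[0] == 0x03 and data[1] == 0x7F:
            anomalies.append(("negative_response", ts, can_id,
                              (data[2], NRC_NAMES.get(data[3], f"{data[3]:#04x}"))))
        if can_id in periods:
            prev = last_seen.get(can_id)
            if prev is not None and ts - prev > factor * periods[can_id]:
                anomalies.append(("dropout", ts, can_id, round(ts - prev, 6)))
            last_seen[can_id] = ts
    # A periodic frame that never came back is the case that matters most.
    end = frames[-1][0] if frames else 0.0
    for can_id, prev in last_seen.items():
        if end - prev > factor * periods[can_id]:
            anomalies.append(("silent", end, can_id, round(end - prev, 6)))
    return anomalies


def run_monitor(lines, baseline_end: float, factor: float = 3.0, ignore_ids=frozenset()):
    """Parse, sort by time, learn the baseline, then scan for anomalies."""
    frames = sorted(parse_candump_line(l) for l in lines if l.strip())
    return find_anomalies(frames, learn_periods(frames, baseline_end), factor, ignore_ids)


# Constructed capture (not from a real vehicle): 0x030 is periodic at 10 ms;
# 0x7E0/0x7E8 are the tester's request ID and the ECU's response ID.
SAMPLE_LOG = [f"({i / 100:.6f}) can0 030#8000210000920400" for i in range(10)] + [
    "(0.095000) can0 7E0#0210030000000000",   # DiagnosticSessionControl, extended
    "(0.097000) can0 7E8#037F101200000000",   # 7F 10 12: subFunctionNotSupported
    "(0.100000) can0 030#8000210000920400",
    "(0.110000) can0 030#8000210000920400",
    "(0.115000) can0 7E0#0211010000000000",   # ECUReset, hardReset
    "(0.117000) can0 7E8#0251010000000000",   # positive response 0x51
    "(0.200000) can0 030#8000210000920400",   # 0x030 returns after a 90 ms gap
    "(0.205000) can0 7E0#023E000000000000",   # TesterPresent
]

if __name__ == "__main__":
    for kind, ts, can_id, detail in run_monitor(SAMPLE_LOG, 0.095, ignore_ids={0x7E0}):
        print(f"{ts:.3f}s {kind:18s} ID {can_id:03X} {detail}")
```

The tester's own transmit identifier is passed in ignore_ids so that the fuzzer does not report its own frames as new; in the sample the ECU reset request is followed by a 90 ms silence on 0x030, which is exactly the kind of data-layer effect the test data file is kept for, since the frame sent just before the gap is the one to replay.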
The invention has been described in connection with preferred embodiments, but it is not limited to the embodiments disclosed above and is intended to cover the various modifications and equivalent combinations made in accordance with the spirit of the invention.