Re: Linux CAN: security layer

Hi Romain,

On 19.02.19 12:00, Romain Forlot [IoT.bzh] wrote:

> Does anyone know whether the kernel CAN modules implement some security measures against malicious attacks and such things as data injection or malformed CAN frames? To my knowledge, the kernel does not implement such protections and handles malformed CAN frames if they don't conform to the protocol used, but that's all.
>
> Does anyone know something about that?

In general CAN has no security measures. It is all about reliability.

Malformed CAN frames are no issue as CAN controllers drop any kind of non-compliant bitstreams on the bus (and send error frames).

As you have a multi-master network any node can send any kind of CAN frames or CAN IDs - even if your architecture defined something else. Usually a sent CAN ID can be assigned to a specific node.

Due to the CAN filters you can select the CAN IDs you want to receive for every socket/application.

You may try a DoS by sending high prio CAN IDs or just short the CAN lines (or put them to a dominant state which has the same result).

Long story short:

1. You can cut/shorten/set to dominant state -> no data transfer
2. You can filter for CAN ID -> attacker can use this CAN ID too
3. You can detect different cycle times -> just an intrusion *detection*
4. You can crypt the CAN data -> mostly not needed to 'hide' content
5. You can add a MAC (message authentication code) -> needs data space

Examples for '4' and '5': CANcrypt https://www.cancrypt.eu
Example for '5': MaCAN https://github.com/CTU-IIG/macan

It is questionable to put one of these into kernel space as you need to handle multiple crypto keys for the different communication nodes and there is no commonly agreed industry standard (and there probably will never be any).

I programmed all of the approaches above - except number '4' - hands-on, and it was the right thing to implement them on application level in user space. You don't have a performance issue there, and you need to handle many state machines and all the crypto/key stuff. Even '3' can be checked very conveniently in user space by comparing the high resolution timestamps that come with each CAN frame.

Best regards,
Oliver
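The following is an added example, not code from this thread, the kernel or any of the projects linked above. It illustrates points '2' and '3' of the reply in user space: the receive-filter rule SocketCAN applies per socket (a frame passes when `rx_id & mask == filter_id & mask`), and a cycle-time monitor that compares the per-frame receive timestamps against the nominal period configured for each CAN ID. The frame trace, the IDs 0x123 and 0x200, their periods and the 20 % tolerance are all constructed for the demonstration; a real deployment would read frames and timestamps from a CAN_RAW socket instead of the embedded array. The monitor keeps the last frame it accepted as the schedule reference when it flags an early arrival, so the legitimate frame that follows an injected one is not flagged a second time.

```c
/* Added example (not from the thread): SocketCAN-style ID filtering and
 * cycle-time intrusion detection over a constructed frame trace.
 * Built without <linux/can.h> so it compiles on any host. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define SFF_ID_MASK 0x7FFU          /* 11-bit standard ID space (same value as CAN_SFF_MASK) */
#define N_IDS (SFF_ID_MASK + 1)

/* A received frame as user space sees it: CAN ID plus kernel RX timestamp in ns. */
struct rx_frame {
    uint32_t can_id;
    uint64_t ts_ns;
};

/* SocketCAN receive filter semantics: pass when (rx_id & mask) == (filter_id & mask). */
int can_filter_match(uint32_t rx_id, uint32_t filter_id, uint32_t mask)
{
    return (rx_id & mask) == (filter_id & mask);
}

struct cycle_state {
    uint64_t nominal_ns;   /* expected period for this ID, 0 = not monitored */
    uint64_t last_ok_ns;   /* timestamp of the last frame accepted as on-schedule */
    int      seen;
};

struct cycle_monitor {
    struct cycle_state st[N_IDS];
    unsigned tol_pct;      /* how much earlier than nominal a frame may arrive, in percent */
};

void monitor_init(struct cycle_monitor *m, unsigned tol_pct)
{
    memset(m, 0, sizeof(*m));
    m->tol_pct = tol_pct;
}

void monitor_expect(struct cycle_monitor *m, uint32_t can_id, uint64_t nominal_ns)
{
    m->st[can_id & SFF_ID_MASK].nominal_ns = nominal_ns;
}

/* Returns 1 if the frame arrived earlier than its ID's cycle time allows, else 0. */
int monitor_check(struct cycle_monitor *m, const struct rx_frame *f)
{
    struct cycle_state *s = &m->st[f->can_id & SFF_ID_MASK];
    if (s->nominal_ns == 0)
        return 0;                                   /* ID not monitored */
    if (!s->seen) {
        s->seen = 1;
        s->last_ok_ns = f->ts_ns;
        return 0;
    }
    uint64_t min_gap = s->nominal_ns - s->nominal_ns * m->tol_pct / 100;
    uint64_t gap = f->ts_ns - s->last_ok_ns;
    if (gap < min_gap)
        return 1;   /* keep last_ok_ns: the next on-schedule frame is measured against the accepted one */
    s->last_ok_ns = f->ts_ns;
    return 0;
}

/* Constructed trace: 0x123 every 10 ms, 0x200 every 100 ms, one injected 0x123 at 25 ms. */
#define TRACE_LEN 8
static const struct rx_frame demo_trace[TRACE_LEN] = {
    {0x123,          0ULL},
    {0x200,    1000000ULL},
    {0x123,   10000000ULL},
    {0x123,   20000000ULL},
    {0x123,   25000000ULL},   /* injected: only 5 ms after the last legitimate 0x123 */
    {0x123,   30000000ULL},   /* legitimate: 10 ms after the last accepted 0x123 */
    {0x123,   40000000ULL},
    {0x200,  101000000ULL},
};

/* Runs the monitor over the trace and returns how many frames it flagged. */
unsigned demo_anomalies(void)
{
    static struct cycle_monitor m;                  /* static: ~50 KB of per-ID state */
    monitor_init(&m, 20);                           /* accept frames up to 20 % early */
    monitor_expect(&m, 0x123, 10000000ULL);
    monitor_expect(&m, 0x200, 100000000ULL);
    unsigned hits = 0;
    for (size_t i = 0; i < TRACE_LEN; i++) {
        if (monitor_check(&m, &demo_trace[i])) {
            printf("cycle violation: id 0x%03x at %llu ns\n",
                   (unsigned)demo_trace[i].can_id,
                   (unsigned long long)demo_trace[i].ts_ns);
            hits++;
        }
    }
    return hits;
}

int main(void)
{
    printf("filter 0x100/0x700 matches 0x1A5: %d\n", can_filter_match(0x1A5, 0x100, 0x700));
    printf("flagged frames: %u\n", demo_anomalies());
    return 0;
}
```

As the reply says, this is intrusion *detection* only: the monitor reports the injected frame but cannot stop a node from sending it, and an attacker who matches the nominal cycle while suppressing the real sender would not be caught by timing alone.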
