On 20.10.20 18:07, Vincent Mailhol wrote:
I also did the test. I can send a CAN with a DLC of 13 on one controller and the other ones correctly received a frame of 8 bytes with a DLC of 13.
o_O You see me perplexed ...
After, I am not saying that absolutely all the controllers will allow DLC greater than 8. I would not be surprised to see some controllers attempting to do some sanitization (which would violate the ISO) and maybe you did your testing on such controllers. Only thing I can tell is that all the controllers I studied allowed it (I can give more examples upon request).
I believe you.
As for security testing, I worked as a security consultant in the automotive industry for the last three years and with our colleagues, we witnessed some ECUs that would completely stop responding after receiving some DLCs greater than 8 due to some buffer overflow. This is a real thing which can be found in production, I think it would be great to be able to test that using socket CAN.
Yes. That's a valid use-case. Many people are testing CAN setups based on SocketCAN. So getting every aspect of CAN available is needed to be able to provide a real OSS solution.
Some professional tools such as the CAN testing suite of Defensics by Synopsys also include these kind of tests. Because Socket CAN does not support this, Synopsys actually recommends to use the proprietary drivers from the Peak controller which do allow this (unfortunately, the Defensics documentation is not available publicly so I can not give you a link to support my claim on that last example).
Stephane from PEAK is working on the Linux driver (Mainline Linux & PEAK chardev), so I put him on CC. Or are you referring to the Windows driver?
I hope that I could highlight in this answer that I am more than just a hobbyist who got exited after ready the ISO and that I know this subject. What I explain here is well known in the niche community of automotive security researcher but outside of it I just think that people are not aware of it.
Well I have done a lot in automotive CAN security too - with message authentication and with CAN IDS - but this DLC thing was still new to me ...
From a first thought I would see a new flag CAN_CTRLMODE_RAW_DLC in the netlink interface of IFLA_CAN_CTRLMODE for the CAN controller driver.
This could switch the sanitizing AND the CAN controller can properly expose its ability to support this mode.
I think I have to pick a beer and look at some code ... :-) Best regards, Oliver
