CAN的安全隐患课件

1、can的安全隐患1can的安全隐患an undiscovered safety related fault in can-消极报错节点不能正常收发real bus off state of error passive node杨福宇杨福宇 fuyu yangemail:can的安全隐患2can的安全隐患3引用的标准引用的标准liso/tc 22/sc3. international standard: iso -11898-1, 2003,”road vehicles-controller area network (can) part1: data link layer and physic

2、al signaling”liso/tc 22/sc3. international standard: iso 16845, 2004 ”road vehicles-controller area network (can)-conformance test plan” lrobert bosch gmbh. can specification version 2.0, september 1991can的安全隐患4问题的根源在标准（一）问题的根源在标准（一）l” in order to terminate an error frame correctly, an error passive

3、 node may need the bus to be bus idle for at least 3 bit times (if there is a local error at an error passive receiver). therefore the bus should not be loaded to 100%.” -bosch can 2.0a 3.1.3l即使负载率小，也无法保证即使负载率小，也无法保证3bit3bit总线空闲总线空闲can的安全隐患5问题的根源在标准（二）问题的根源在标准（二）l“a message, which is pending for tra

4、nsmission during the transmission of another message, is started in the first bit following intermission.” l最坏的情况是所有的消息都挂起在那里等待发最坏的情况是所有的消息都挂起在那里等待发送送can的安全隐患6问题的根源在标准（三）问题的根源在标准（三）l消极报错帧分界符的长度是消极报错帧分界符的长度是8 8位隐位位隐位l消极报错帧分界符内的显位是格式错，它要引消极报错帧分界符内的显位是格式错，它要引起新的消极报错帧起新的消极报错帧liso 16845 :7.5.6 form error

5、 in passive iso 16845 :7.5.6 form error in passive error delimiter error delimiter (receiver)(receiver)liso 16845 :8.5.13 form error in passive iso 16845 :8.5.13 form error in passive error delimiter error delimiter (transmitter)(transmitter)can的安全隐患77.5.67.5.6内容（内容（8.5.138.5.13相同）相同）l7.5.6.1 purpos

6、e and limits of test case测试设备将报错分界符的8个隐位之一用显位代替 the lt replace one of the eight recessive bits of the error delimiter by a dominant bit. l7.5.6.2 test case organization 在接收报错分界符时测试设备按7.5.6.1款制造一个格式错，然后等（6+7）位再送一个显位破坏报错分界符的最后一位，被测设备在测试设备送的最后一个显位后开始一个过载帧during the reception of the error delimiter, the

7、 lt creates a form error according to 7.5.6.1. after creating the form error, the lt waits for (6+7) bit time before sending a dominant bit, corrupting the last bit of the error delimiter. the iut shall generate an overload frame starting at the position following the last dominant bit sent by lt.ca

8、n的安全隐患8可能造成此类故障的情况超过可能造成此类故障的情况超过boschbosch预计预计l消极报错接收节点的本地故障引起（消极报错接收节点的本地故障引起（boschbosch提提到）到）l消极报错发送节点的本地故障引起消极报错发送节点的本地故障引起l偶尔主动报错节点的本地故障引起偶尔主动报错节点的本地故障引起l避免故障要求的空闲时间要更多避免故障要求的空闲时间要更多(10 bit (10 bit 而不而不是是3 bit)3 bit)can的安全隐患9出错情况举例出错情况举例l消极报错接收节点因本地故障（如干扰）有误判消极报错接收节点因本地故障（如干扰）有误判时时c r cri. mp.

9、e. d eloverl appi ngerror founda c knofl ag8354d 7n ew fram epassi ve errorerror foundn ew error foundso feo ferror passi ve nodeerror acti ve noded r r r r r r r rlocal faul t i n error passi ve recei cer fi gure 1can的安全隐患10出错情况举例出错情况举例 消极报错接收节点有一次漏判时消极报错接收节点有一次漏判时7d4 538bbi. mp. e. fl agp. e. d el

10、a . e. d ela . e. fl agrrrrrrrrdddddderror acti ve nodeerror passi ve nodeerror foundso fn ew error founderror foundn ew fram eg l obal bi t stuffi ng error wi th l ocal faul t i n error passi ve recei cer fi gure 2can的安全隐患11出错情况举例出错情况举例l消极报错接收节点误判发生在消极报错接收节点误判发生在eofeof域，至少域，至少10bit10bit总线空闲才能使它与其它节

11、点同步总线空闲才能使它与其它节点同步p. e. fram ec r cdrrr r r dr r r r r r rso fnew fram eb b b b654321eo fform error founda c kerror acti ve nodeserror not foundi. m .bbeo fa c kbbfi gure 3 local faul t i n error passi ve recei ver onl ycan的安全隐患12出错情况举例出错情况举例l消极报错发送节点误判消极报错发送节点误判ackack位位i. m .bbbbnew fram eso frrrrr

12、rrfounda c k errorp. e. d eldrrrrr rc r cp. e. fl agb ba c keo fb bi. m .error acti ve nodeserror not foundfoundform errorfi gure 4can的安全隐患13出错情况举例出错情况举例l消极报错发送节点在消极报错发送节点在crccrc分界符处误判分界符处误判foundform errorerror acti ve nodeserror not foundi. m .bbeo fa c kbbp. e. fl agc r cddrr r r dp. e. d elform e

13、rror foundr r r r r r rso fnew fram eb b b bi. m .fi gure 5 local faul t of error passi ve transm i tter onl ycan的安全隐患14出错情况举例出错情况举例l消极报错发送节点在消极报错发送节点在ackack分界符有误判分界符有误判bbbbnew fram eso frrrrrrrfoundform errorp. e. d eldrrrdr dc r cp. e. fl agb ba c keo fb bi. m .error acti ve nodeserror not founda

14、c kfoundform errorlocal faul t of error passi ve transm i tter onl yfi gure 6can的安全隐患15出错情况举例出错情况举例l当系统小，只留下一个主动报错节点时，它的误判引起消极报错节点不同步a . e. d ela . e. fl agr r rrrrrdnew fram eso frddddddrrri. m .berror acti ve nodeerror foundp. e. fl agp. e. d eli. m .error foundfi gure 7 l ocal faul t i n error ac

15、ti ve node causes fai l ure i n error passi ve node.can的安全隐患16总的出错情况总的出错情况l出错后消极报错节点与其它节点同步的情况有很多l出错情况造成消极报错节点不同步的例子还有很多can的安全隐患17消极报错节点不同步后续情形（一）o新帧中有全局错，节点在主动报错帧结束时同新帧中有全局错，节点在主动报错帧结束时同步步o连续出错的概率小，意味着此种情况概率小连续出错的概率小，意味着此种情况概率小error founda l l error acti ve node b d d d d d d r rrrr r r rfi g. 8a)p

16、. e. d ela . e. fl aga . e. d elbb bbbi. merror founderror passi ve noden ew fram eoverl appi ngfl agpassi ve errorp. e. d eldso ferror passi ve node i s synchroni zed at an acti ve error fram eso fn ew fram ecan的安全隐患18消极报错节点不同步后续情形（二）o新帧结束后空闲时间足够长后同步新帧结束后空闲时间足够长后同步o这是事件触发协议无法保证的这是事件触发协议无法保证的n ew fr

17、am eri. mp. e . d eloverlappinge rror founda c knoflag8354d7b us idlepassive e rrore rror foundso fe o fe rror passive nodee rror active noded r r r r r r r rfig. 8b)e rror passive node is synchronized at bus idle tim ep. e . d elso fdo verload fram e requestm in.6i. mcan的安全隐患19消极报错节点不同步后续情形（三）o新帧正常结束后又有新帧新帧正常结束后又有新帧o只要挂起帧未送完，消极报错节点就一直错只要挂起帧未送完，消极报错节点就一直错error foundnoerror act