From: Kurt Van Dijck <dev.kurt@vandijck-laurijssen.be>
To: Vincent MAILHOL <mailhol.vincent@wanadoo.fr>
Cc: Jimmy Assarsson <jimmyassarsson@gmail.com>,
Oliver Hartkopp <socketcan@hartkopp.net>,
Marc Kleine-Budde <mkl@pengutronix.de>,
Jimmy Assarsson <extja@kvaser.com>,
linux-can <linux-can@vger.kernel.org>
Subject: Re: [Question] Sending CAN error frames
Date: Thu, 4 Feb 2021 08:38:39 +0100 [thread overview]
Message-ID: <20210204073839.GA24787@x1.vandijck-laurijssen.be> (raw)
In-Reply-To: <CAMZ6RqLHGapeEk4oK2mTOZAa4fwMDNP_WVZbRRYBOh50eLU4Bg@mail.gmail.com>
On Thu, 04 Feb 2021 13:13:18 +0900, Vincent MAILHOL wrote:
> Hi Kurt,
>
> On Tues 4 Feb. 2021 at 05:06, Kurt Van Dijck
> <dev.kurt@vandijck-laurijssen.be> wrote:
> > On Wed, 03 Feb 2021 17:26:11 +0900, Vincent MAILHOL wrote:
> > > On Wed. 3 Feb 2021 at 15:42, Jimmy Assarsson <jimmyassarsson@gmail.com> wrote:
> > > > >
> > > > > Of course we might also provide some pump gun mode which just sends an error flag at some (any) time.
> > > >
> > > > As above.
> > > >
> > > > > But for what reason?
> > > >
> > > > Testing purpose, e.g if you develop software where you want to keep track of bus errors, this makes it possible to test such software in a controlled way.
> > > > We also use this ourselves when testing the transitions ERROR_ACTIVE <-> ERROR_WARNING <-> ERROR_PASSIVE, for Rx.
> > >
> > > I think that there are two axes in this discussion: the attacker
> > > point of view and the functional testing point of view.
> > >
> > > From the attacker point of view, you are mostly interested in
> > > destroying the transmitter frames.
> > >
> > > For the functional testing, it is about covering the all the
> > > aspects of the standard: make sure that all the TX and RX counters
> > > are correctly incremented, test the transitions between the
> > > different states and that for all offsets. And to confirm all
> > > aspects, you might want to inject both the active and the passive
> > > error flags and do it at all possible positions.
> > >
> > > That said, my vision on functional testing is an uneducated
> > > guess. I never worked on that and my personal focus is more the
> > > attacker point of view.
> >
> > Looking back to it, my first interest would be to fire N error frames,
> > so to control other nodes' rx error counters.
>
> It is slightly more complex.
>
> Let's consider three nodes all on the same bus.
>
> A: Test node, sends error flags
> B: Normal node, send normal frames
> C: Normal node, only receiving
>
> ___ ___ ___
> | _ | | _ | | _ |
> ||A|| ||B|| ||C||
> |___| |___| |___|
> | | |
> | Sends | Sends | Only
> | error | normal | receives
> | flags | frames |
> | | |
> --------------------------------------- CAN bus
>
> A waits for B to start sending its frame and trigger the error
> flag. This error flag will eventually overwrite one of B's recessive
> bit into a dominant one and thus B has his TX error count increased.t
>
> C who is a spectator will just have its RX error count increased.
Right, I understand. I was too quick with my conclusion.
Thanks for explaining.
[...]
> > The attacker point of view indeed could require a more elaborate API,
> > but I still doubt we can deliver what is required for attacking.
>
> This is interesting because we have an opposite view of the attacker
> and functional testing approaches.
>
> For the attacker, I am thinking of:
> https://youtu.be/oajtDFw_t3Q
> In a nutshell, it is an elaborate technique in which you first DoS the
> target node by increasing its TX counter until it gets in bus-off
> state. Once done, the attacker can send messages in place of
> the genuine node. This way, contrary to an simple injection attack
> on which the bus contains both the genuine and the attacker frames,
> here, only the attacker speaks on the bus.
> This attack does not really care when the error flag occurs as long as
> the error counter increases.
Yep, I see.
I tend to program the nodes to recover from bus-off in 10msec
magnitude. The scenario you describe, if I understand well, is hard to
implement you need to repeat it every 10msec.
Am I mistaken?
Or is 10msec order rather stupid to recover and does everyone apply much
longer delays before recovery?
>
> My vision of the functional testing is more: does the controller
> react correctly in all situations? You could imagine an implementation
> issue that would cause the error count to not correctly behave only on
> a specific field. How would you test for such implementation issues
> other than injecting the error flag at each offset of the frame?
ok
>
>
> Yours sincerely,
> Vincent
next prev parent reply other threads:[~2021-02-04 7:39 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-01-31 6:22 [Question] Sending CAN error frames Vincent MAILHOL
[not found] ` <87e3dd54-50ab-1190-efdb-18ddb3b21a02@hartkopp.net>
2021-01-31 14:12 ` Vincent MAILHOL
2021-01-31 20:42 ` Jimmy Assarsson
2021-02-01 14:19 ` Vincent MAILHOL
2021-02-01 15:41 ` Jimmy Assarsson
2021-02-02 0:22 ` Vincent MAILHOL
2021-02-02 7:35 ` Marc Kleine-Budde
2021-02-02 8:23 ` Kurt Van Dijck
2021-02-02 8:41 ` Marc Kleine-Budde
2021-02-02 9:00 ` Oliver Hartkopp
2021-02-02 9:05 ` Marc Kleine-Budde
2021-02-02 9:16 ` Oliver Hartkopp
2021-02-02 10:00 ` Vincent MAILHOL
2021-02-02 10:14 ` Oliver Hartkopp
2021-02-02 11:12 ` Vincent MAILHOL
2021-02-02 19:19 ` Oliver Hartkopp
2021-02-03 6:42 ` Jimmy Assarsson
2021-02-03 8:26 ` Vincent MAILHOL
2021-02-03 20:06 ` Kurt Van Dijck
2021-02-04 4:13 ` Vincent MAILHOL
2021-02-04 7:38 ` Kurt Van Dijck [this message]
2021-02-04 9:42 ` Vincent MAILHOL
2021-02-02 12:14 ` Jimmy Assarsson
2021-02-02 9:59 ` Jimmy Assarsson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210204073839.GA24787@x1.vandijck-laurijssen.be \
--to=dev.kurt@vandijck-laurijssen.be \
--cc=extja@kvaser.com \
--cc=jimmyassarsson@gmail.com \
--cc=linux-can@vger.kernel.org \
--cc=mailhol.vincent@wanadoo.fr \
--cc=mkl@pengutronix.de \
--cc=socketcan@hartkopp.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).