linux-can.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Kurt Van Dijck <dev.kurt@vandijck-laurijssen.be>
To: Vincent MAILHOL <mailhol.vincent@wanadoo.fr>
Cc: Jimmy Assarsson <jimmyassarsson@gmail.com>,
	Oliver Hartkopp <socketcan@hartkopp.net>,
	Marc Kleine-Budde <mkl@pengutronix.de>,
	Jimmy Assarsson <extja@kvaser.com>,
	linux-can <linux-can@vger.kernel.org>
Subject: Re: [Question] Sending CAN error frames
Date: Thu, 4 Feb 2021 08:38:39 +0100	[thread overview]
Message-ID: <20210204073839.GA24787@x1.vandijck-laurijssen.be> (raw)
In-Reply-To: <CAMZ6RqLHGapeEk4oK2mTOZAa4fwMDNP_WVZbRRYBOh50eLU4Bg@mail.gmail.com>

On Thu, 04 Feb 2021 13:13:18 +0900, Vincent MAILHOL wrote:
> Hi Kurt,
> 
> On Tues 4 Feb. 2021 at 05:06, Kurt Van Dijck
> <dev.kurt@vandijck-laurijssen.be> wrote:
> > On Wed, 03 Feb 2021 17:26:11 +0900, Vincent MAILHOL wrote:
> > > On Wed. 3 Feb 2021 at 15:42, Jimmy Assarsson <jimmyassarsson@gmail.com> wrote:
> > > > >
> > > > > Of course we might also provide some pump gun mode which just sends an error flag at some (any) time.
> > > >
> > > > As above.
> > > >
> > > > > But for what reason?
> > > >
> > > > Testing purpose, e.g if you develop software where you want to keep track of bus errors, this makes it possible to test such software in a controlled way.
> > > > We also use this ourselves when testing the transitions ERROR_ACTIVE <-> ERROR_WARNING <-> ERROR_PASSIVE, for Rx.
> > >
> > > I think that there are two axes in this discussion: the attacker
> > > point of view and the functional testing point of view.
> > >
> > > From the attacker point of view, you are mostly interested in
> > > destroying the transmitter frames.
> > >
> > > For the functional testing, it is about covering the all the
> > > aspects of the standard: make sure that all the TX and RX counters
> > > are correctly incremented, test the transitions between the
> > > different states and that for all offsets. And to confirm all
> > > aspects, you might want to inject both the active and the passive
> > > error flags and do it at all possible positions.
> > >
> > > That said, my vision on functional testing is an uneducated
> > > guess. I never worked on that and my personal focus is more the
> > > attacker point of view.
> >
> > Looking back to it, my first interest would be to fire N error frames,
> > so to control other nodes' rx error counters.
> 
> It is slightly more complex.
> 
> Let's consider three nodes all on the same bus.
> 
> A: Test node, sends error flags
> B: Normal node, send normal frames
> C: Normal node, only receiving
> 
>    ___            ___            ___
>   | _ |          | _ |          | _ |
>   ||A||          ||B||          ||C||
>   |___|          |___|          |___|
>     |              |              |
>     | Sends        | Sends        | Only
>     | error           | normal       | receives
>     | flags        | frames       |
>     |              |              |
>   --------------------------------------- CAN bus
> 
> A waits for B to start sending its frame and trigger the error
> flag. This error flag will eventually overwrite one of B's recessive
> bit into a dominant one and thus B has his TX error count increased.t
> 
> C who is a spectator will just have its RX error count increased.

Right, I understand. I was too quick with my conclusion.
Thanks for explaining.

[...]

> > The attacker point of view indeed could require a more elaborate API,
> > but I still doubt we can deliver what is required for attacking.
> 
> This is interesting because we have an opposite view of the attacker
> and functional testing approaches.
> 
> For the attacker, I am thinking of:
> https://youtu.be/oajtDFw_t3Q
> In a nutshell, it is an elaborate technique in which you first DoS the
> target node by increasing its TX counter until it gets in bus-off
> state. Once done, the attacker can send messages in place of
> the genuine node. This way, contrary to an simple injection attack
> on which the bus contains both the genuine and the attacker frames,
> here, only the attacker speaks on the bus.
> This attack does not really care when the error flag occurs as long as
> the error counter increases.

Yep, I see.

I tend to program the nodes to recover from bus-off in 10msec
magnitude. The scenario you describe, if I understand well, is hard to
implement you need to repeat it every 10msec.

Am I mistaken?
Or is 10msec order rather stupid to recover and does everyone apply much
longer delays before recovery?

> 
> My vision of the functional testing is more: does the controller
> react correctly in all situations? You could imagine an implementation
> issue that would cause the error count to not correctly behave only on
> a specific field. How would you test for such implementation issues
> other than injecting the error flag at each offset of the frame?

ok

> 
> 
> Yours sincerely,
> Vincent

  reply	other threads:[~2021-02-04  7:39 UTC|newest]

Thread overview: 24+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-01-31  6:22 [Question] Sending CAN error frames Vincent MAILHOL
     [not found] ` <87e3dd54-50ab-1190-efdb-18ddb3b21a02@hartkopp.net>
2021-01-31 14:12   ` Vincent MAILHOL
2021-01-31 20:42   ` Jimmy Assarsson
2021-02-01 14:19     ` Vincent MAILHOL
2021-02-01 15:41       ` Jimmy Assarsson
2021-02-02  0:22         ` Vincent MAILHOL
2021-02-02  7:35           ` Marc Kleine-Budde
2021-02-02  8:23             ` Kurt Van Dijck
2021-02-02  8:41               ` Marc Kleine-Budde
2021-02-02  9:00                 ` Oliver Hartkopp
2021-02-02  9:05                   ` Marc Kleine-Budde
2021-02-02  9:16                     ` Oliver Hartkopp
2021-02-02 10:00                       ` Vincent MAILHOL
2021-02-02 10:14                         ` Oliver Hartkopp
2021-02-02 11:12                           ` Vincent MAILHOL
2021-02-02 19:19                             ` Oliver Hartkopp
2021-02-03  6:42                               ` Jimmy Assarsson
2021-02-03  8:26                                 ` Vincent MAILHOL
2021-02-03 20:06                                   ` Kurt Van Dijck
2021-02-04  4:13                                     ` Vincent MAILHOL
2021-02-04  7:38                                       ` Kurt Van Dijck [this message]
2021-02-04  9:42                                         ` Vincent MAILHOL
2021-02-02 12:14                         ` Jimmy Assarsson
2021-02-02  9:59           ` Jimmy Assarsson

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20210204073839.GA24787@x1.vandijck-laurijssen.be \
    --to=dev.kurt@vandijck-laurijssen.be \
    --cc=extja@kvaser.com \
    --cc=jimmyassarsson@gmail.com \
    --cc=linux-can@vger.kernel.org \
    --cc=mailhol.vincent@wanadoo.fr \
    --cc=mkl@pengutronix.de \
    --cc=socketcan@hartkopp.net \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).