Transcript
00:00:640alessandro.brighente@unipd.it: Okay. Hi, everyone
00:21:476alessandro.brighente@unipd.it: so glad to see that a lot of you are still here.
00:28:630alessandro.brighente@unipd.it: Let's see how this goes.
00:30:930alessandro.brighente@unipd.it: So we'll move on with the CAN bus. Right? So just some other information on how that works.
00:39:580alessandro.brighente@unipd.it: So we're going to see here the physical way
00:44:40alessandro.brighente@unipd.it: in which the CAN bus works, and then we'll move to the frame structures, content of packets.
00:49:670alessandro.brighente@unipd.it: The more
00:51:170alessandro.brighente@unipd.it: computer science way of seeing things, if you want. Okay? So as the first thing here we are checking how the CAN bus
01:00:846alessandro.brighente@unipd.it: transmits signals, right? As we said the last time when we talked about the CAN bus, we have a couple of wires, right? And we have two different voltage values on these couple of wires. And this is what we use to actually send information on the CAN bus itself.
01:16:810alessandro.brighente@unipd.it: So when we talk about the kind of communication that we have on CAN bus, we have something that is called differential wired-AND signals. Okay, so the properties of these couple of voltage values that we apply to these 2 cables need to satisfy certain conditions.
01:37:860alessandro.brighente@unipd.it: Alright. So when we talk about these 2 cables that we set yeah, as we said last time we saw from the figure
01:46:248alessandro.brighente@unipd.it: we have the one on top, which is the CAN high, and then the CAN low, right? So as you can imagine, we have a different voltage value that we can apply on these 2 wires
01:59:350alessandro.brighente@unipd.it: and based on the amount.
02:02:250alessandro.brighente@unipd.it: the voltage value that we have on top of these wires, we can have either a recessive state or a dominant state.
02:11:760alessandro.brighente@unipd.it: Okay, so these 2 states are defined, based on which voltage value is higher, in which wire
02:20:980alessandro.brighente@unipd.it: right? So it means that whenever the voltage value on CAN high is higher than the voltage value on CAN low, we have a dominant state, or when the CAN high is lower or equal than the CAN low, then we have
02:38:386alessandro.brighente@unipd.it: the recessive state. Okay, what does it mean for us? When we talk about active, sorry, when we talk about dominant and recessive state, this means the bit that we are transmitting on the bus, right? So whenever we see a dominant state, or whenever the transceiver that we saw assigned this part of the ECU.
02:58:730alessandro.brighente@unipd.it: since it's not in the State and knows that we are associated with the 0 bit
03:03:840alessandro.brighente@unipd.it: valued 0. When instead it's recessive, we see that it's associated with the bit one. So this is a bit counterintuitive. So if you need to remember about this, it's just the opposite of what you would say. Right? I mean, for me, the dominant state, I think about it as something higher, for bit one. Instead, here we have the opposite. But maybe it's logical for you this way, and
03:27:350alessandro.brighente@unipd.it: I'm just saying nothing.
03:29:830alessandro.brighente@unipd.it: And then
03:31:640alessandro.brighente@unipd.it: we can split these differential wired-AND signals according to the 2 colors that you have in there. Right? The differential means something, the wired-AND means something different. Differential refers to how we apply the voltage value on the 2 wires; wired-AND instead refers to the logic that we apply to these
03:54:230alessandro.brighente@unipd.it: signals. So let's start from the differential one. So here, you have a kind of simplified depiction of what you will have on the CAN bus. Okay? So let's assume that the transmitter is sending this square wave that you have on the left, right, just this
04:14:380alessandro.brighente@unipd.it: thingy there. And we have the 2 wires, right? The one on top, for instance, is CAN high, and the one on the bottom is CAN low.
04:24:420alessandro.brighente@unipd.it: So what kind of signals does it need to apply? Well, you have something that is differential. It means that at the receiver, before having the actual signal you need to apply this difference in here. Okay, so it means that when you are transmitting something on one end, you're going to transmit exactly the same signal. Right? No, no changes left.
04:49:550alessandro.brighente@unipd.it: And, on the other hand, you are inverting the signal right, apply a minus sign
04:55:310alessandro.brighente@unipd.it: to to the values of the of the signal.
04:58:950alessandro.brighente@unipd.it: and then at the receiver, you see that you are going to sum the non inverted version
05:06:140alessandro.brighente@unipd.it: of the transmitted signal and subtract the inverted version of the signal. So the receiver, you have something that
05:14:190alessandro.brighente@unipd.it: whose shape is exactly the one that you that you transmitted right, we still have a squared wave in these.
05:23:30alessandro.brighente@unipd.it: this figure here, and you see that the amplitude is just higher, right? So due to how these are treated, due to the type of modulation that you have on the CAN bus, you don't really care about amplitude, right? You just care about whether it's above or below a certain value. But we'll get to
05:46:458alessandro.brighente@unipd.it: this in a couple of slides. Okay, so this is just to give you a hint on what differential signaling means.
05:54:90alessandro.brighente@unipd.it: why do we do something like that? Right? It seems kind of important in the end. You're transmitting something with a certain shape, right the square wave, and at the end you have something again with the same shape. So why bothering about having these 2 types of signal inverting once? Well, what has been proved? We don't.
06:13:350alessandro.brighente@unipd.it: We don't go through the details. But if you want, I can give you some reference to this but basically, if you do this kind of things right if you do use this differential modulation. This is very robust to external disturbances. Right? So if you have, some electromagnetic disturbances
06:33:680alessandro.brighente@unipd.it: that might affect the shape of your signal or the amplitude of your signal. If you use this kind of things, then you get rid of them right, or at least you ensure that what you get in the receiver is, is robust, maintains the same shape, for instance.
06:49:324alessandro.brighente@unipd.it: and this is something that that is very critical. Since we're talking about this kind of system where I mean,
06:57:630alessandro.brighente@unipd.it: in situation a car finds it in might be disturbed by
07:06:430alessandro.brighente@unipd.it: any reason, by any means. Right? So you want to ensure this kind of reliability. Something else that is really important is the fact that here we are talking about CAN bus in general, and we are talking about CAN bus in the domain of the automotive and cars. But this is not
07:25:800alessandro.brighente@unipd.it: the only place where CAN bus is used. Right? So we are talking about something that is robust, and is very tailored for
07:36:440alessandro.brighente@unipd.it: critical applications. And so you find the CAN bus also in ships and airplanes and industrial control systems.
07:44:400alessandro.brighente@unipd.it: Right? So
07:46:250alessandro.brighente@unipd.it: it needs to resist different kinds of adverse conditions. And again, this thing about using differential modulation helps you
07:52:740alessandro.brighente@unipd.it: with that.
07:54:820alessandro.brighente@unipd.it: Then the second part, the wired-AND. As we said before, the wired-AND refers to the logic that we apply.
08:01:610alessandro.brighente@unipd.it: Okay, so here, basically, you have the 2 input values. And you want to get your output values. And so if you treat these 2 inputs as bits, as these values,
08:14:414alessandro.brighente@unipd.it: then you have exactly the table, right? That defines which kind of values you should have in order to get a certain output, and you see here, basically, the dominance
08:30:870alessandro.brighente@unipd.it: of the bit 0, right? Because whenever you have a 0 and a 1, or a 1 and a 0, the output will always be 0. Okay, so that's the logic that we apply. And this is something that is really important, because whenever
08:46:106alessandro.brighente@unipd.it: so, as we said last time, the CAN bus is
08:49:720alessandro.brighente@unipd.it: it's a bus, right? It's a broadcast communication medium. And
08:54:180alessandro.brighente@unipd.it: potentially all of these ECUs can... yeah, can try to transmit at the same time.
09:00:990alessandro.brighente@unipd.it: Right? So who wins, right? You have a shared communication medium, and everyone is trying to transmit something. Well, whoever has the largest amount of zeros, if you want, gets to win the share of the communication channel. So whenever you need to decide, okay, this ECU is transmitting bit 0, and this ECU is transmitting bit one, the one that is transmitting the bit 0 is going to win, right? So on the CAN bus, you will actually measure the bit 0
09:29:420alessandro.brighente@unipd.it: again, the dominance of the specific state.
09:37:860alessandro.brighente@unipd.it: Great. So
09:40:00alessandro.brighente@unipd.it: let's go into some more details about this thing about the voltage value.
09:45:580alessandro.brighente@unipd.it: Just to give you an idea on how it works. We said that we have the recessive state and the dominant state. Right? So
09:55:50alessandro.brighente@unipd.it: this is the kind of voltage values that you can find on the 2 wires, the CAN high and low,
10:00:230alessandro.brighente@unipd.it: for the 2 different states. Right? So when we have the recessive state, it means that we apply the same voltage value on both wires. Right, to both of them we're going to apply 2.5 voltage value.
10:14:80alessandro.brighente@unipd.it: If, instead, we have a dominant state, it means that on CAN high, we're going to apply the 3.5.
10:21:490alessandro.brighente@unipd.it: And here on the CAN low, there around the 5. So we have different voltage values. Okay?
10:28:300alessandro.brighente@unipd.it: And as we said before, this translates into into bits. Okay, so this is how you're going to associate
10:36:770alessandro.brighente@unipd.it: the voltage values with the bits right from the logic
10:41:676alessandro.brighente@unipd.it: of what you are transmitting or receiving from the CAN bus. So, as we said before, when the 2 voltage values are the same, right? The CAN high and CAN low are the same.
10:51:820alessandro.brighente@unipd.it: Here, for instance, the red curve is the voltage values that we have on CAN high,
10:59:00alessandro.brighente@unipd.it: and the green curve is the voltage value that we have on the CAN low. And we said, whenever they are the same value on both wires, then we have the recessive state, right, which is associated to bit one.
11:12:330alessandro.brighente@unipd.it: And whenever we have this difference in here, right, the 2 different voltage values, it's a dominant state. And so we have a bit 0. So based on the oscillations, based on how these voltage values change, you can basically get the mapping between voltage value and bits and from bits to voltage value.
11:32:760alessandro.brighente@unipd.it: Okay? And as you remember, last time we said that we have specific controllers in the ECU
11:39:600alessandro.brighente@unipd.it: that need to care about this kind of stuff. So the transceiver in the ECU is exactly performing this kind of mapping, right? So whenever it senses some voltage values on the 2 wires, it's going to convert them into bits, and whenever it needs to transmit some bits, right, that come from the controller of the ECU, it knows which voltage values it needs to apply to the 2 wires on the CAN bus.
12:10:470alessandro.brighente@unipd.it: Does this seem clear? Any question?
12:15:615alessandro.brighente@unipd.it: Yes.
12:20:122alessandro.brighente@unipd.it: for both of them coming? 0.
12:32:710alessandro.brighente@unipd.it: That's that's part of the attack that we're going to see later on.
12:36:720alessandro.brighente@unipd.it: Winds in there, right usually so talking about regular operations that happen in CAN bus. So no attack
12:46:555alessandro.brighente@unipd.it: usually arbitration is not based on a single bit. Right? You have multiple bits that define the ID, the priority of the package that you're going to send. So you're going to see which one has the most leaders, and the one with the most leaders gets to occupy the bus and the transmission of that one will go through. That's how basically it works.
13:07:340alessandro.brighente@unipd.it: But if I want to launch an attack, that's exactly the thing that I can exploit, right? The fact that I know that if I apply a 0 on the CAN bus, I'm going to win. I'm going to send something in there.
13:18:30alessandro.brighente@unipd.it: Hope we get back to this.
13:20:310alessandro.brighente@unipd.it: No spoilers.
13:21:920alessandro.brighente@unipd.it: It's awesome.
13:25:340alessandro.brighente@unipd.it: This is decentralized, right? So each one checks the priority of whatever packets sent by others. Yes, so you speak for the time. If you want to send something. You can just send the maximum priority, and everyone is going to accept it like that.
13:48:590alessandro.brighente@unipd.it: But then this is something that you really want to do. So it depends on what kind of attack you're going to deliver. Right? So if you
14:01:440alessandro.brighente@unipd.it: yes, if you have the idea that it's a bunch of Zeros, that's all. You know that your package is going to be there.
14:07:830alessandro.brighente@unipd.it: But then, who receives this packet? And who is going to end us on how the content of that packet and what the content of the packet is
14:15:760alessandro.brighente@unipd.it: defines your stuff. Right? If you know this kind of stuff. Okay, great, you can do something.
14:21:380alessandro.brighente@unipd.it: But then you need to understand which kind of ECUs receive
14:25:210alessandro.brighente@unipd.it: that kind of id, I do not necessarily going to treat.
14:36:650alessandro.brighente@unipd.it: Okay? So moving on, so you have a couple of standards in here. As we said, the CAN bus has become a standard from ISO, so you have the 11898-1,
14:51:490alessandro.brighente@unipd.it: that describes the data link layer, while the -2 describes the physical layer. Okay, so what does that mean?
15:00:432alessandro.brighente@unipd.it: Physical layer means the things that you have in here. Right? So everything that is related with the physics of the communication,
15:11:440alessandro.brighente@unipd.it: how we apply voltage value, which kind of voltage value, how the physical structure of the CAN bus should be
15:19:870alessandro.brighente@unipd.it: okay. And so here are some of these specifications, some of which we already seen. Something that is interesting in here is that we have 2 versions of the CAN bus, right? The regular CAN bus allows for baud rates up to one megabit per second. Right? That's the communication speed that you can achieve.
15:41:218alessandro.brighente@unipd.it: And you have an improved, if you want, version of the CAN bus, which is CAN FD, which gets up to 5 megabits per second. Okay, again, it's not that much, but we are not talking about sharing multimedia stuff or this kind of communication. So
15:59:670alessandro.brighente@unipd.it: it's definitely sufficient. And then you have information about the maximum cable length and the terminations
16:08:00alessandro.brighente@unipd.it: that you need to have on both the wires. Right? The resistance that we've seen
16:11:770alessandro.brighente@unipd.it: from the figure.
16:14:760alessandro.brighente@unipd.it: Then talking about the packets that we send on the CAN bus. Right? This is exactly what we will actually exploit for
16:23:880alessandro.brighente@unipd.it: for security purposes.
16:26:198alessandro.brighente@unipd.it: So the first thing that we need to understand is, okay,
16:30:160alessandro.brighente@unipd.it: what do we transmit in the CAN bus? Right? Or how do we form packets? Okay? So here you have the whole CAN frame divided into how many bits per field and the different fields. Right? So you see that we have start of frame, identifier, RTR, control, blah blah, and we're going to see all of them.
16:49:30alessandro.brighente@unipd.it: And for each of them you have a specific number of associated bits. Right? So you know that the first bit is going to be the start of frame. Then you have the identifier, which is going to be 11 bits, and so on and so forth. Okay, so this is the complete structure of the paper, sorry, of
17:09:920alessandro.brighente@unipd.it: the frame.
17:13:540alessandro.brighente@unipd.it: we have again 2 versions for frames in CAN bus standard definition.
17:20:409alessandro.brighente@unipd.it: We have the 2.0A and 2.0B, whose main difference is in the length of the ID field. Okay, so this thing in here.
17:34:300alessandro.brighente@unipd.it: So what do these different fields mean? So this start of frame is a dominant 0 bit, right? That just communicates to the others: okay, look here, it's going to start a CAN frame.
17:46:930alessandro.brighente@unipd.it: Okay, of course, it needs to be. The the dominant bit needs to be a bit 0 because we said that he's the one that gets actually to win the share. And
17:56:250alessandro.brighente@unipd.it: it's sure that it will be transmitted
17:59:820alessandro.brighente@unipd.it: great. After the start of frame, we have the 11-bit identifier, the ID field.
18:05:210alessandro.brighente@unipd.it: So what is really important when we talk about the CAN bus is that,
18:10:700alessandro.brighente@unipd.it: differently from everything you learned up to now, the identifier does not actually identify
18:16:290alessandro.brighente@unipd.it: the ECU. Okay, so in no way it tells you who the transmitter is
18:22:624alessandro.brighente@unipd.it: what it does is to tell you the priority of that packet. Okay. So, as we said before, a packet whose ID is a bunch of zeros, all zeros, has the highest priority, because it's composed by only dominant bits, right? So that one is actually going to be transmitted on the CAN bus irrespectively of who's transmitting other than that.
18:47:410alessandro.brighente@unipd.it: Okay? So again, ID doesn't stand for the identifier of the ECU, but stands for the priority of the package.
18:57:490alessandro.brighente@unipd.it: Why don't we have this user identifier? Right? So usually, when you transmit something, you know that you have certain addresses that are associated to the transmitter, because you want to know who transmitted the packet. Here we don't really care, right? We have a broadcast and shared communication medium, in which you care about the content of the packet. Right? So if you receive something you don't really care where it has been originated. But you just want to know the content of the packet, the information that it provides
19:27:615alessandro.brighente@unipd.it: and so for this we have no ID, but you see that from our perspective, from security perspective, this is kind of bad because you don't know who has actually transmitted, right? And so, for instance,
19:43:210alessandro.brighente@unipd.it: you cannot have a
19:45:90alessandro.brighente@unipd.it: ID-based authentication protocols. If you're going to have a package structure like this, you need to modify somehow the package structure.
19:55:330alessandro.brighente@unipd.it: But yeah, that's what we have.
19:59:300alessandro.brighente@unipd.it: Then you have the successive field, which is the RTR, remote transmission request.
20:06:382alessandro.brighente@unipd.it: It tells them
20:08:410alessandro.brighente@unipd.it: whether a specific packet is sending data, or whether it's requesting for data.
20:15:595alessandro.brighente@unipd.it: Again, it will not request data from a specific ECU. But it will request data related to a specific event, right? A specific component part of the vehicle, of the system, that is of interest for taking actions for that ECU.
20:36:390alessandro.brighente@unipd.it: Then the next field is the control field
20:42:420alessandro.brighente@unipd.it: which contains
20:44:499alessandro.brighente@unipd.it: some of the acronyms that you're seeing here: identifier extension, data length code.
20:52:820alessandro.brighente@unipd.it: basically what this control packet tells is the amount of data that will be transmitted with this specific CAN frame. Okay, so how many things you can expect.
21:06:20alessandro.brighente@unipd.it: Nice, as you see, we're doing web security, apparently.
21:10:197alessandro.brighente@unipd.it: Bye, bye.
21:13:693alessandro.brighente@unipd.it: then other fields: data field. Okay, the actual content of the CAN frame tells you the information that you need to care about.
21:25:10alessandro.brighente@unipd.it: and then you have the CRC, stands for cyclic redundancy check. Right? This kind of
21:31:854alessandro.brighente@unipd.it: it's an integrity control set. You want to see whether what you receive there is actually what has been transmitted, right? That
21:40:240alessandro.brighente@unipd.it: has not been altered during the transmission phase.
21:48:00alessandro.brighente@unipd.it: What's the purpose of having CRC in here? Again the purpose is not for security, although it might be handy for security purposes. It's not. It's
22:01:00alessandro.brighente@unipd.it: its main purpose, right? The reason why we have CRC in there is because we want to be sure that the packet that gets received is the one that has actually been transmitted. If I'm sending the brake command, I want to be sure the brake command gets exactly as it is at the receiver, the brake itself, right?
22:21:45alessandro.brighente@unipd.it: And so we need these kind of checks. And then we have the acknowledgement, indicates
22:29:340alessandro.brighente@unipd.it: kind of self explanatory, but indicates whether a node has received correctly a certain package.
22:36:640alessandro.brighente@unipd.it: and then we have the end of frame, which tells to the receiver: from this point on, there's nothing more to listen to related to this specific CAN frame.
22:52:450alessandro.brighente@unipd.it: But of course we want these CAN frames to be valid somehow. Right? So we have the CRC check that we said before, it is the first form of validity, you know, validity check, because it's just the integrity
23:09:771alessandro.brighente@unipd.it: of the packet itself. But then we might have errors. Right? I mean, it's despite being very robust
23:20:290alessandro.brighente@unipd.it: CAN bus is not error-free. We can always have errors in there.
23:24:950alessandro.brighente@unipd.it: So we have different kinds of errors, right? That are represented by different conditions in the sequence of bits that you observe
23:33:970alessandro.brighente@unipd.it: and based on the errors
23:37:400alessandro.brighente@unipd.it: ECUs can or cannot participate in the communication. They need to detect whether the error comes from the ECU itself or from other ECUs.
23:51:270alessandro.brighente@unipd.it: And
23:54:800alessandro.brighente@unipd.it: and this basically means that
23:58:650alessandro.brighente@unipd.it: again, related to safety conditions, if I am an ECU, and I'm transmitting a lot of packets, and I see that all of my packets contain errors.
24:08:360alessandro.brighente@unipd.it: Right? It means that there's something wrong with my working condition. So it means that I should not be allowed to participate in the communication anymore. At least I should not be allowed to send the
24:20:431alessandro.brighente@unipd.it: send packets, right? Maybe I can receive something, but I should not send anything. Okay? So we can define different states for these ECUs. Okay, in particular, this is related to their error state. Okay? And we have these states in here. An ECU can be in the error-active state, can be in the error-passive state, or it can be bus-off. Okay.
24:48:30alessandro.brighente@unipd.it: And again, this depends on the errors that we observe.
24:53:160alessandro.brighente@unipd.it: How can an ECU now detect whether the error comes from itself or from other ECUs?
25:03:460alessandro.brighente@unipd.it: So when the ECU is transmitting, we said, it's applying certain voltage values on the 2 wires of the CAN bus. Right? So
25:12:240alessandro.brighente@unipd.it: the ECU knows the sequence of bits that it's supposed to send, right, and it knows the mapping between this sequence of bits and the voltage values that should be applied on the CAN bus.
25:23:840alessandro.brighente@unipd.it: At the same time, the ECU can sense the voltage values that have been applied on the CAN bus, right? And therefore
25:31:200alessandro.brighente@unipd.it: the data sequence of data out of that.
25:34:950alessandro.brighente@unipd.it: If the 2 sequences of bits do not match, it means that there's an error, right? There's an error coming from the ECU itself. What I tried to send is not what I sense from the CAN bus.
25:45:490alessandro.brighente@unipd.it: and therefore
25:46:940alessandro.brighente@unipd.it: there's something wrong with my state.
25:50:500alessandro.brighente@unipd.it: So we need to handle these
25:54:230alessandro.brighente@unipd.it: kind of errors. Right. If instead the error comes from another ECU, it means that there's something different I can detect. But we'll go into the details of the different kinds of error in a couple of slides.
26:06:200alessandro.brighente@unipd.it: How do we transition between the different states now? Right? We said we have the error-active, error-passive and bus-off states that define, if you want, the quality of the interaction of the ECU with the CAN bus
26:19:897alessandro.brighente@unipd.it: well, in order to transition between these different states, we have error counters, right, counters
26:26:815alessandro.brighente@unipd.it: and we have 2 kinds of error counters, because we said that errors might originate from the ECU itself when it's transmitting, or there might be errors in reception, right, that I receive something from other ECUs that contains errors. So I have these 2 different counters. I have the transmit error counter, TEC, and the receive error counter, REC.
26:47:630alessandro.brighente@unipd.it: And somehow we want to
26:53:20alessandro.brighente@unipd.it: give different priorities to these 2 errors, right? Because if I am applying errors, right, if the errors come from me as a transmitting ECU,
27:05:120alessandro.brighente@unipd.it: this is bad. I want to take
27:07:880alessandro.brighente@unipd.it: somehow more immediate actions to remediate, and not to affect too much the communications on the CAN bus. So whenever an error occurs in transmission,
27:20:320alessandro.brighente@unipd.it: my transmit error counter gets increased by 8. Okay.
27:24:630alessandro.brighente@unipd.it: If, instead, I have an error in reception, it means that I'm not the cause of the error, and the error comes from something else. I see that there's an error that should not be there,
27:35:410alessandro.brighente@unipd.it: and my counter gets increased by one.
27:41:540alessandro.brighente@unipd.it: Of course, if my error counter increases, that's not necessarily going to be the end for me as an ECU.
27:49:115alessandro.brighente@unipd.it: But whenever there's a success in transmission or success in reception, I can decrease my counters. Okay, so let's say that in the previous round I had a transmission error, right, in the previous round my TEC got increased by 8.
28:05:710alessandro.brighente@unipd.it: At this round I get to transmit something error free, right? It means that being good and I can decrease my transmit error counter
28:14:258alessandro.brighente@unipd.it: the thing that you should observe in here is that whenever we decrease the error counters we decrease them by one. Okay, so irrespectively of the fact that we are talking about TEC or REC,
28:24:900alessandro.brighente@unipd.it: I would decrease my error counter just by one.
28:32:250alessandro.brighente@unipd.it: Where does the ECU start from? Of course we will have zero error counters, right? Whenever I first enter the CAN bus network,
28:42:440alessandro.brighente@unipd.it: I'm good. There's no reason for me to be penalized for anything. Right? So my error counters are 0, and I am in the error-active state, right? I can do whatever I want with the CAN bus in the transmission, I can generate my packets, I can send them
28:59:250alessandro.brighente@unipd.it: everything.
29:01:210alessandro.brighente@unipd.it: Then errors might start to increase, and this brings me possibly to the error-passive state, right? And we have certain threshold values.
29:11:700alessandro.brighente@unipd.it: So we say that the node transitions to the error-passive state
29:16:840alessandro.brighente@unipd.it: if the value of the counter exceeds 127.
29:21:570alessandro.brighente@unipd.it: Okay, so if I have errors and errors and errors and errors, and the amount of errors that I do is significantly higher than the number of successful transmissions and receptions I have, it means that I should not be allowed to do something, and then I move to the error-passive state.
29:44:730alessandro.brighente@unipd.it: So what can I do in the error-passive state? Right? I don't have the freedom to do everything that I want, as I had in the error-active state, but I can only write recessive error flags.
29:58:900alessandro.brighente@unipd.it: Okay? What does it mean? It means that if my flag is recessive, I'm not going to rewrite anything on the bus, right? If I try to transmit this error and something that is more dominant than my frame is currently being transmitted on the CAN bus, my error is not going to go through.
30:21:720alessandro.brighente@unipd.it: so I don't affect them.
30:23:930alessandro.brighente@unipd.it: The bus traffic with additional errors.
30:26:510alessandro.brighente@unipd.it: Okay, I can say in the States, right? I can be error passive for a certain amount of time. And let's say that I behave right. I don't have any other errors I can get to decrease my counter and get back to the aroductive state, or if the situation is really bad, my counters
30:45:730alessandro.brighente@unipd.it: continuously increase right up to the point where I should not be allowed to do anything with the Comboss.
30:51:740alessandro.brighente@unipd.it: So we have the transition between the error, passive state, and the boss of State. When my counter exceeds the value 250 feet, 255. Okay, we have this second traction value.
31:07:820alessandro.brighente@unipd.it: When I get to the bus of state, I'm no longer part of of the canvas. I cannot participate to communications anymore. And it's kind of
31:18:940alessandro.brighente@unipd.it: they see who is disconnected from from the network itself.
31:23:750alessandro.brighente@unipd.it: When I get to bus sofa. Usually what happens is that, although I might be able to behave from that point on.
31:31:660alessandro.brighente@unipd.it: I cannot decrease my error counters right and deemed as bad somehow. And the 4, th there's nothing I can do so usually what happens is when and it still gets to the bus off stated, it means that we need to go to the
31:48:68alessandro.brighente@unipd.it: guitar shop or any mechanics somehow. That resets these use and make sure that everything is fine before connecting that again.
31:58:235alessandro.brighente@unipd.it: To the, to the bus, to the campus.
32:04:80alessandro.brighente@unipd.it: So here you have a finite state machine that tells you how you transition between the different states, right? You have the 3 states: error active, error passive and bus-off.
32:17:00alessandro.brighente@unipd.it: Okay? So this is exactly what I told you before.
32:22:110alessandro.brighente@unipd.it: You start from the error active, right? And you start to count your TEC or REC.
32:29:110alessandro.brighente@unipd.it: If one of them,
32:31:370alessandro.brighente@unipd.it: either TEC or REC, gets above 127, you transition to error passive. Then, if I behave and get to reduce my error counters,
32:44:20alessandro.brighente@unipd.it: I can get back to the error active. You see here that the condition is different: both of them should be lower or equal to 127.
32:56:100alessandro.brighente@unipd.it: If, instead, I don't behave and still have a lot of errors, if my TEC is above 255, I transition to the bus-off state.
33:07:60alessandro.brighente@unipd.it: So again, as I mentioned before, when you are in bus-off state, there's nothing you can do unless you have certain
33:15:100alessandro.brighente@unipd.it: certain implementations of the CAN bus
33:19:390alessandro.brighente@unipd.it: where you might have 128 occurrences of 11 consecutive recessive bits, which lets you transition back to the error active state. But this is something,
33:33:520alessandro.brighente@unipd.it: yeah, that means that this ECU kind of healed somehow.
33:41:870alessandro.brighente@unipd.it: but yeah. So again, why do we care about this thing.
33:48:560alessandro.brighente@unipd.it: I start to see something interesting in here. As we said before, if I am the attacker and get to transmit something on the bus,
33:56:810alessandro.brighente@unipd.it: we have no identifier, right? So whatever I transmit
34:01:554alessandro.brighente@unipd.it: gets accepted on the CAN bus, is valid, as long as the frame, the
34:09:510alessandro.brighente@unipd.it: format of the CAN frame is consistent with the standard. It means that I can impersonate other ECUs, right? I can send packets on behalf of other ECUs.
34:20:60alessandro.brighente@unipd.it: Maybe I can get to increase the counters of other ECUs, right?
34:25:320alessandro.brighente@unipd.it: And maybe I'm so good in doing that, exploiting the fact that I have control over priorities of messages sent over the CAN bus, that I
34:37:310alessandro.brighente@unipd.it: manage to get an ECU to only increase the error counters. And so you see that here
34:44:570alessandro.brighente@unipd.it: we can have an ECU that gets
34:47:850alessandro.brighente@unipd.it: disabled from the top right? Like, if I
34:52:150alessandro.brighente@unipd.it: I'm the attacker, I manipulate packets, I increase the error counters of an ECU and bring it to the bus-off state. And, as we said before, in the bus-off state
35:00:610alessandro.brighente@unipd.it: the ECU is disconnected from the network.
35:02:940alessandro.brighente@unipd.it: Okay, so
35:05:330alessandro.brighente@unipd.it: this is one of the things that we're going to exploit. And this is why this diagram here is really important to understand how this kind of attacks work. But
35:15:920alessandro.brighente@unipd.it: of course we get
35:17:310alessandro.brighente@unipd.it: into the details of this.
35:21:27alessandro.brighente@unipd.it: Again, something on the bus off.
35:26:440alessandro.brighente@unipd.it: Okay? So sometimes what you might have.
35:31:780alessandro.brighente@unipd.it: while transitioning to the bus-off.
35:40:860alessandro.brighente@unipd.it: It's 128 occurrences to research.
35:45:360alessandro.brighente@unipd.it: Yeah, we'll get into this in a short while, when we see how the errors are counted on the CAN bus, because you have different types of error based on the sequence of bits that you observe, and there's a specific shape for the sequence of bits to be there in order not to have errors. And this is something that is related with that. So we can play this
36:09:350alessandro.brighente@unipd.it: later on.
36:17:240alessandro.brighente@unipd.it: Okay, so
36:19:760alessandro.brighente@unipd.it: yeah. As I was mentioning, when the ECU is in bus-off, it should not participate to the
36:25:884alessandro.brighente@unipd.it: to the network anymore, to the communication anymore. But still we're talking about somehow safety-critical systems, right? If this ECU that gets to bus-off is again the one that controls the brake,
36:38:850alessandro.brighente@unipd.it: maybe I don't want to disconnect it from my network, right? I still want to be able to brake. So
36:47:472alessandro.brighente@unipd.it: we have this thing
36:50:920alessandro.brighente@unipd.it: which is called the limp home, which is this particular state that ECUs can enter in when they're in bus-off mode, where they're allowed to have
37:01:700alessandro.brighente@unipd.it: very minimal functionalities that help the driver get to a safe place, right? Again, here we're talking about drivers and cars, because we have something like that. You can imagine that this not only holds true for cars; I'd say particular conditions might happen also in industrial facilities, or these other places where we use
37:25:287alessandro.brighente@unipd.it: the CAN bus. So what happens in the limp mode? In limp mode we have
37:31:310alessandro.brighente@unipd.it: reduced functionalities, very basic, say, safety-related functionalities. We have some warning means that turn on on the dashboard, right, of your car, and it might be disabled, right, when you actually disconnect the ECU from
37:52:647alessandro.brighente@unipd.it: the network. But I mean that's really bad. You should go and fix that before this happens.
38:03:190alessandro.brighente@unipd.it: Great.
38:04:910alessandro.brighente@unipd.it: So I have. Let's have a short break here, and then we get the
38:10:360alessandro.brighente@unipd.it: theaters in Palm Springs.
38:33:131alessandro.brighente@unipd.it: Okay, let's get back to the error, though.
38:44:950alessandro.brighente@unipd.it: Let's get back to connecting the laptop to the the Monitor
38:58:830alessandro.brighente@unipd.it: oops.
38:59:720alessandro.brighente@unipd.it: hey? So.
39:02:250alessandro.brighente@unipd.it: as I mentioned before, we have different types of error that can occur
39:06:730alessandro.brighente@unipd.it: on CAN bus,
39:08:700alessandro.brighente@unipd.it: and we have no less than 5 types of errors.
39:13:968alessandro.brighente@unipd.it: So here's the list of errors, basically. So the 1st one is a bit error,
39:21:68alessandro.brighente@unipd.it: which is the thing I was mentioning before: I transmit something, I sense something, and if there's a mismatch between what I transmit and what I
39:32:450alessandro.brighente@unipd.it: sense from the CAN bus,
39:34:380alessandro.brighente@unipd.it: then we talk about a bit error.
39:38:661alessandro.brighente@unipd.it: Here you have something that is kind of
39:43:110alessandro.brighente@unipd.it: again, spoiler-ish, in a sense that we did not talk about arbitration yet, but it's the process by which I get to understand whether I'm allowed to send something on the CAN bus. So we'll get back to the bit error later on.
39:58:582alessandro.brighente@unipd.it: But yeah, for the time being, let's say that I'm transmitting the
40:06:180alessandro.brighente@unipd.it: the frame, the packet on the CAN bus.
40:08:810alessandro.brighente@unipd.it: I'm allowed to do that, so I should be the one with the share and transmit.
40:14:290alessandro.brighente@unipd.it: And there's a mismatch
40:16:210alessandro.brighente@unipd.it: between what I transmit and what I sense. And then I get a bit error.
40:20:130alessandro.brighente@unipd.it: Stuff error: this is something that is related with the
40:25:830alessandro.brighente@unipd.it: synchronization mechanism that we have on CAN bus
40:29:610alessandro.brighente@unipd.it: that basically says that every time you have a certain number of bits with the same polarity,
40:34:770alessandro.brighente@unipd.it: you should add a bit with inverse polarity to keep synchronization. Okay? So in particular, what we have is that if we transmit
40:45:730alessandro.brighente@unipd.it: more than 5 bits with the same polarity,
40:51:90alessandro.brighente@unipd.it: after the 5th one, I should add
40:54:990alessandro.brighente@unipd.it: an inverse polarity bit. So let's say that I need to transmit 6 zeros.
41:00:120alessandro.brighente@unipd.it: What I will do is to transmit 5 zeros, then a 1, and then the last 0. Okay? And this again is
41:07:428alessandro.brighente@unipd.it: to maintain soft synchronization between the different ECUs, right? They know when a bit occurs. And if this thing does not happen, right, if we have 6 or more bits with the same polarity, then we talk about stuff error.
41:26:850alessandro.brighente@unipd.it: CRC error. Of course, if the computation that we have on the CRC doesn't match with the frame it's associated with, then we have a CRC error, right? Like again, the CRC should check the integrity of the frame that it comes with, right? So at the end of the frame we have the CRC.
41:45:310alessandro.brighente@unipd.it: CRC is something that you compute over the packet, right? And basically, this computation should hold true at the receiver. And the comparison between what I compute and what is written in the CRC should be the same. Am I talking about something you never heard before,
42:02:840alessandro.brighente@unipd.it: or does it make sense to you?
42:06:570alessandro.brighente@unipd.it: No. So
42:10:240alessandro.brighente@unipd.it: Let's say that I have a very simple packet. I just have my content right? The what I want to transmit.
42:17:600alessandro.brighente@unipd.it: and at the end of that I have a value that certifies that this content
42:23:800alessandro.brighente@unipd.it: has not been changed, right? So what do I do about that? I, for instance, can send my packet and have a very, very simple form of CRC, which maybe is not also correct, but for the sake of the example it's fine, right? So what I attach at the end of my packet is the hash of the content of the packet.
42:45:80alessandro.brighente@unipd.it: Alright, good. So now I'm transmitting my packet. The content and the hash are a unique packet. It's everything that gets to be transmitted
42:53:540alessandro.brighente@unipd.it: and that should be received
42:55:450alessandro.brighente@unipd.it: at the receiver. Now, what the receiver does in order to compute integrity and to see whether everything went good on this transmission:
43:05:890alessandro.brighente@unipd.it: the receiver would just simply redo the same operation, right? So take the packet, discard the CRC part, take only the content, right, the actual content of the communication. Compute a hash of it, right, with the same algorithm, of course,
43:21:80alessandro.brighente@unipd.it: and then compare the hash that the receiver obtained with that contained in the packet.
43:27:480alessandro.brighente@unipd.it: Right? So if everything went good, there was no error, the 2 hashes should match because they have been computed with the same algorithm on top of the same data.
43:37:610alessandro.brighente@unipd.it: Right? If this doesn't occur, if there's no match between these 2 values that I computed, it means that something wrong happened in the communication that led to changing the actual content of the packet, and therefore the hash that I computed
43:53:20alessandro.brighente@unipd.it: is different from the one that has been created
43:56:20alessandro.brighente@unipd.it: at the transmitter itself.
43:59:770alessandro.brighente@unipd.it: be better.
44:02:590alessandro.brighente@unipd.it: Okay?
44:04:202alessandro.brighente@unipd.it: Good. So this is exactly what happens with the CAN bus frames, right? So we have this algorithm that computes
44:12:60alessandro.brighente@unipd.it: this function of the content of the packet, and that tells us whether it has been modified.
44:17:310alessandro.brighente@unipd.it: If the CRC at the receiver doesn't match
44:22:959alessandro.brighente@unipd.it: with the one that is actually contained in the packet, then we talk about the CRC error.
44:35:05alessandro.brighente@unipd.it: Okay, form error. Okay, this is something that is related with bits. Okay? And in particular we refer to specific fields of the CAN bus frame.
44:51:385alessandro.brighente@unipd.it: So, for instance, here we have the example on the end of frame, right? It's clearly defined. We know how many bits should be there.
45:01:854alessandro.brighente@unipd.it: And if we sense another on this end of frame,
45:08:370alessandro.brighente@unipd.it: we want to raise an error. And this is actually the form error: something that is well defined and should be like that is not like that, and therefore something wrong happened.
45:18:790alessandro.brighente@unipd.it: And the last one is the acknowledgment error. Right? We said that we have acknowledgments in the packets.
45:24:933alessandro.brighente@unipd.it: So what happens in here? If
45:30:220alessandro.brighente@unipd.it: So I'm receiving a packet, right? If I receive a packet I would send a dominant bit with the acknowledgment frame,
45:39:160alessandro.brighente@unipd.it: and the error that we have in here is related to the fact that maybe I'm transmitting something,
45:45:570alessandro.brighente@unipd.it: nobody receives that, nobody acknowledges my packet, and it means that something wrong occurred, right, that led to the fact that my packet was not delivered to anyone, and therefore I have this kind of acknowledgment error.
46:07:400alessandro.brighente@unipd.it: Okay, so how do
46:11:60alessandro.brighente@unipd.it: that count against the bank for the year?
46:15:40alessandro.brighente@unipd.it: No.
46:16:490alessandro.brighente@unipd.it: no, no, no, they're discarded. Yes, yes, yes, you know that this is something that shouldn't happen whenever so you just can't meet, sir. You see the virtual life. You say, Okay, I'm synchronized with that. Just remove that, and then
46:30:200alessandro.brighente@unipd.it: but how do you know if we.
46:32:540alessandro.brighente@unipd.it: the stuffing bit, is a stuffing bit, or at least normal, for the content of the time.
46:39:210alessandro.brighente@unipd.it: How do you go
46:41:42alessandro.brighente@unipd.it: me? Neither, I should say.
46:47:870alessandro.brighente@unipd.it: let me think
46:51:370alessandro.brighente@unipd.it: if I want to send. No, it's there, absolutely get it.
46:59:270alessandro.brighente@unipd.it: I was thinking, if you have 5 bits with the same polarity, then an inverted one, and then
47:05:690alessandro.brighente@unipd.it: other bits with the same polarity,
47:07:870alessandro.brighente@unipd.it: it might be the stuffing one, and might not be the stuffing one like.
47:11:290alessandro.brighente@unipd.it: yeah, no, I should check. I will tell you next time.
47:17:960alessandro.brighente@unipd.it: Okay, so these different errors of course deal with the state of the ECU itself, right? Whether it's in error active or error passive mode.
47:29:970alessandro.brighente@unipd.it: And we said that whenever we are in error active, it means that we can actually send something on the CAN bus
47:38:530alessandro.brighente@unipd.it: and notify other ECUs about errors that occurred.
47:44:90alessandro.brighente@unipd.it: So how that goes? It means that we need to transmit some dominant bits.
47:51:250alessandro.brighente@unipd.it: And somehow we want to
47:55:930alessandro.brighente@unipd.it: other ECUs realize
47:58:650alessandro.brighente@unipd.it: about the error.
48:00:340alessandro.brighente@unipd.it: And we said that one of the ways in which we can have errors is related with stuffing. Right?
48:06:380alessandro.brighente@unipd.it: So if I want to raise an error at the receiving ECU, I can do this thing about stuffing, right? I can just send 6 dominant bits as the error flag.
48:18:150alessandro.brighente@unipd.it: Okay? And of course this would be an active way of delivering error flags, right? I'm sending dominant bits, I'm overwriting whatever is there on the CAN bus at that moment, and I know for sure that these 6 bits will be treated as an error at the receiver due to the bit stuffing policy, right? The 6th bit should not be with the same polarity, it should be an inverse one.
48:42:40alessandro.brighente@unipd.it: Okay, so this is something that happens in error active mode again, because it's active, and I want to be able to send something.
48:53:298alessandro.brighente@unipd.it: So of course, when nodes will receive these 6 dominant bits they will have their
49:03:60alessandro.brighente@unipd.it: stuffing rule that is going to be violated. This will cause an error, and whenever you have an error of this kind you would just simply stop any ongoing communication. Right? So you want to stop any ongoing
49:19:560alessandro.brighente@unipd.it: transmission or reception.
49:24:00alessandro.brighente@unipd.it: Okay, so
49:25:270alessandro.brighente@unipd.it: good, we actively, successfully delivered the error. So here you have an example on how this stuff will work. Just a visual example of what I already mentioned.
49:38:440alessandro.brighente@unipd.it: Alright. So the fact that you have a a certain number of dominant bits that you want to transmit.
49:52:400alessandro.brighente@unipd.it: Okay, so here you have 5 login bits right? 5 bits with the same polarity. At the end of that you send the resulting bit right? So this is something that happens every time you have 5 consecutive bits with the same
50:12:356alessandro.brighente@unipd.it: polarity. And that maybe responds to your question before. Whenever you have 5 bits, you know that you're going to send this kind of things. So even though you might want to split the
50:24:761alessandro.brighente@unipd.it: the longer sequence of bits with the same polarity,
50:30:775alessandro.brighente@unipd.it: what you will have is anyway
50:34:90alessandro.brighente@unipd.it: 5,
50:35:210alessandro.brighente@unipd.it: and then the stuffing bit, and then one and 2,
50:41:930alessandro.brighente@unipd.it: and so you know for sure that it's going to be a stuffing bit in there.
50:47:750alessandro.brighente@unipd.it: We need to do that. So you know that
50:53:21alessandro.brighente@unipd.it: from bit 6 to 12, either.
51:05:500alessandro.brighente@unipd.it: 7 bits.
51:10:100alessandro.brighente@unipd.it: which one side in the second line, this between the number 6 and 12.
51:16:360alessandro.brighente@unipd.it: These are 7 bits known stuff in milks. Yes, but you don't know that
51:24:170alessandro.brighente@unipd.it: you can distinguish the stuff you want from the other, because they are right. If you weren't right, you couldn't.
51:31:360alessandro.brighente@unipd.it: But you know that you have 5 bits with the same polarity, and then, unless you're going to add the stuffing bit,
51:44:40alessandro.brighente@unipd.it: there's no way you can have 5 bits with the same polarity and no stuffing there.
51:50:240alessandro.brighente@unipd.it: So if you want to send a 0 after this is, this is what happens in here. So you have a 5 bits 0. And then one. You need to add that. So you know that you need to remove that.
52:05:390alessandro.brighente@unipd.it: Does it make sense
52:07:980alessandro.brighente@unipd.it: for now? For now it does. Let's see.
52:10:960alessandro.brighente@unipd.it: Okay? So if you have 5 bits, you do that. If you have more than 5, you're going to split them up to the 5th one,
52:18:860alessandro.brighente@unipd.it: add the stuffing bit, and then send the other 2. Then, if you don't have any occurrences of 5 bits with the same polarity, but you have less,
52:31:640alessandro.brighente@unipd.it: you simply don't add the stuffing bit. So in here, you see that you don't add the entry.
52:44:80alessandro.brighente@unipd.it: Okay? So of course, these this thing about sending
52:49:760alessandro.brighente@unipd.it: active errors that violate the bit stuffing rule is on purpose, because it's something that all of the ECUs will detect, right? So
53:00:932alessandro.brighente@unipd.it: we know that if we do this we are going to raise a flag, an error flag at the receiver, and of course this error flag at the receiver will cause the transmission of another error. So in this case we can distinguish between 2 types of error. Right? We have the primary
53:21:149alessandro.brighente@unipd.it: active error flag, the one with the bit stuffing rule violated, and then the secondary active error flag, which is the one generated by
53:32:455alessandro.brighente@unipd.it: by the receiver itself. Of course, this thing needs to stop at a certain point. Yeah. The thing is that you shouldn't
53:42:500alessandro.brighente@unipd.it: leverage the same mechanism for primary
53:47:940alessandro.brighente@unipd.it: primary active error flags and secondary active error flags. Okay? So, depending on the kind of error that you detect, you want to generate a different kind of error flags. Okay?
54:06:500alessandro.brighente@unipd.it: If instead we are in the passive error state, it means that we cannot send dominant bits, right? We cannot override whatever is happening on the CAN bus, and we cannot stop communication from happening. Instead, what we do is to send recessive bits. But if we send recessive bits, it means that either
54:27:800alessandro.brighente@unipd.it: our error flag gets
54:30:440alessandro.brighente@unipd.it: not to be transmitted on the CAN bus, or that I need to wait for communications to stop, and then I can send my
54:38:830alessandro.brighente@unipd.it: recessive error flag.
54:43:406alessandro.brighente@unipd.it: The way you do this is again by violating the bit stuffing rule, but instead of sending a bunch of zeros, this time we'll send a bunch of 6
54:52:910alessandro.brighente@unipd.it: 6 ones. So again it would be a bit stuffing violation, but will not get to override what's being transmitted on the CAN bus.
55:07:390alessandro.brighente@unipd.it: Okay? So yeah, very same thing that we said before. Then we have the passive error flag.
55:19:880alessandro.brighente@unipd.it: Again, it's a bit stuffing rule
55:23:111alessandro.brighente@unipd.it: that is violated, right? For some reason it gets to transmit the error flag, right? No communication is happening, so that at least you can send this thing. And then
55:36:189alessandro.brighente@unipd.it: I send these 6 bits with the same polarity, which at the receiver will be treated as a violation of the bit stuffing rule, and it means that the receiver will generate
55:55:50alessandro.brighente@unipd.it: again, an error flag.
55:57:800alessandro.brighente@unipd.it: If the receiver is in active state,
56:01:300alessandro.brighente@unipd.it: it will respond like this, right? It will send another packet,
56:05:450alessandro.brighente@unipd.it: which would be composed of 6 dominant bits in a row, which again would violate the bit stuffing rule.
56:14:494alessandro.brighente@unipd.it: But all of them will see this, right? All of the ECUs will see this active error flag, and will not respond again to a bit stuffing rule that was violated. Right? So if I'm sending that one, I know that this packet is going to be there on the CAN bus, and they're not going to react again
56:34:290alessandro.brighente@unipd.it: to the same error over and over. Right? So this is where the communication actually stops. Okay, but this is really important. You see that, if I'm error passive,
56:45:310alessandro.brighente@unipd.it: the only way in which I can send my 6 recessive bits
56:52:60alessandro.brighente@unipd.it: is for me to have a share on the CAN bus. And if there's just a 1 at any point in my recessive bits actually transmitted on the CAN bus, I cannot do that, because the one on the CAN bus will override them,
57:10:130alessandro.brighente@unipd.it: overwrite my packet. Okay?
57:14:740alessandro.brighente@unipd.it: We'll see an example of these in a couple of slides, just to to make it a bit clearer.
57:21:260alessandro.brighente@unipd.it: So what do all these things have to do with the fact that we need to have a share on the CAN bus? Right? And this is something that I said up to now, having a share on the CAN bus.
57:34:980alessandro.brighente@unipd.it: Well, of course, being a shared communication media, it means at a certain point I should have resources allocated to me
57:44:50alessandro.brighente@unipd.it: to get to transmit the packet, right? There's no contention mechanism or no arbitration mechanism, everybody can transmit whenever they want on the CAN bus, and then it's a mess. We don't know basically
57:56:200alessandro.brighente@unipd.it: what's happening in there.
57:59:410alessandro.brighente@unipd.it: Soon.
58:04:900alessandro.brighente@unipd.it: So yeah, we have a mechanism which is called arbitration, by which ECUs compete with one another, right? All the ECUs that want to transmit a packet need to compete to understand which one among them has the highest priority, and therefore gets to transmit the packet. Okay? So
58:31:960alessandro.brighente@unipd.it: no. So
58:34:930alessandro.brighente@unipd.it: how does this thing work? Right? So it means that there needs to be time slots. Right. So let's imagine to have the temporal line, right? You have time in here, and time is divided into slots, and these slots should be sufficiently long such that the time frame can go back and forth in the whole CAN bus, right? Length sufficient for a message to go back and forth.
59:03:290alessandro.brighente@unipd.it: Why is that the case? Well, because
59:06:500alessandro.brighente@unipd.it: when we want to compete with other ECUs,
59:09:760alessandro.brighente@unipd.it: all the ECUs that want to transmit at that specific moment need to be aware of other ECUs that want to transmit at this specific moment. So if we don't have slots that are big enough in time, we might miss some of these messages that come from the other side of the CAN bus. Right? If you imagine the CAN bus as
59:31:520alessandro.brighente@unipd.it: the figure that we've seen before, we have a very long line, potentially very long line. And maybe one ECU is at one end and the other ECU is at the other end. If both of them have something to transmit at a specific time, we need to give them enough time to get to understand that they are competing.
59:49:630alessandro.brighente@unipd.it: great. So
59:53:680alessandro.brighente@unipd.it: I want to transmit something. I am an ECU, right? I have a message I want to deliver. So the 1st thing I need to do is to check whether something is already happening on the CAN bus, right, whether the communication media is idle or not.
00:07:40alessandro.brighente@unipd.it: Alright. So I
00:09:230alessandro.brighente@unipd.it: I sense what's happening in the CAN bus, and I see
00:16:450alessandro.brighente@unipd.it: and I see
00:20:550alessandro.brighente@unipd.it: basically look for the end of the packet that is being transmitted, right? If there's something going on in the CAN bus, we know that the frame is going to have a certain structure, and there's going to be an end of frame field at a certain point.
00:34:840alessandro.brighente@unipd.it: Great. I wait for that, and at that moment I want to compete to have my share of the resources.
00:45:170alessandro.brighente@unipd.it: So we have something that is related with the contention, right? The fact that actually ECUs need to compete.
00:52:470alessandro.brighente@unipd.it: And when I want to participate in this contention, I just send my start of frame bit, right, and notify that, okay, something might happen at this point. After the end of frame of the previous packet I will send my
01:07:410alessandro.brighente@unipd.it: start of frame bit.
01:09:870alessandro.brighente@unipd.it: All other ECUs that have something to transmit will send this start of frame bit at that point, right? So we know that something is going to happen. Now,
01:21:200alessandro.brighente@unipd.it: we said that we have mechanisms by which we can understand
01:26:110alessandro.brighente@unipd.it: which issue has higher priority over the others, which one has something more urgent to to communicate to other issues, right and the way in which we do that is based on the Id field. Right? So I start sending my Id field and compare that with those of the other issues. And how do I do that?
01:46:600alessandro.brighente@unipd.it: It's very simple. As we said before, bits 0 will always win on bits one. So I'm sending my pizza. And then I'm sensing at the same time what is happening on on the canvas itself. Right? And I compare what they transmitter with what they sense.
02:06:580alessandro.brighente@unipd.it: If I get to transmitter my whole id field without having any error right? If all the bits that transmitter are those that I sense from the canvas. It means that I want the contention. It's my time to send the packet. I can move on by sending that packet.
02:23:570alessandro.brighente@unipd.it: If, instead of a certain point I lose this contention. It means that the bit that I sent is not the one that I sense on the canvas. Then I need to stop right. And if you remember, before we we were talking about bit errors, and something related to the effect do not happen at the contention phase. Right? At this point. We do not want to raise errors, because otherwise we will stop all the other issues. It might be
02:47:630alessandro.brighente@unipd.it: nasty and do that, but that's not something that happens usually right? So if I have a bit error on these contention things, it just means that
02:57:725alessandro.brighente@unipd.it: my priority is not high enough to get to trust me to the my packet on the canvas. Okay, someone else
03:04:900alessandro.brighente@unipd.it: won the competition
03:08:580alessandro.brighente@unipd.it: here. A very, very, very, very simple example of this right. We have a 3 transmitters as one as 2 and s. 3, that are issues that won't transmit to their their frame. Right?
03:21:557alessandro.brighente@unipd.it: They already transmitted the starter train. So they start with their with their Id fields.
03:27:510alessandro.brighente@unipd.it: Okay, so here in these 3 rows, you have the bits that this user actually trust me.
03:33:770alessandro.brighente@unipd.it: And here on the last row, you have the beta that gets actually to be transmitted on the canvas. And so the one that issues. All of them will. Censor.
03:44:440alessandro.brighente@unipd.it: Okay? So you see that? Okay. On the 1st Idb of all or 3 is used s, 1 has value one s. 2 s. Value 0 s. 3 s. Value 0, right? So if someone is transmitting a 0, the 0 wins, it's the thing that is actually on the canvas.
04:04:720alessandro.brighente@unipd.it: Okay? Because we said, it's the dominant one.
04:07:510alessandro.brighente@unipd.it: So what these 3 ECUs will sense is a 0. Well, now, at this point, however, S1 compares its transmitted bit with the one sensed on the CAN bus, and sees that there's an error. It means that its priority was not high enough to win the competition. And from this point on it's a.
04:28:720alessandro.brighente@unipd.it: It lost the competition. It doesn't participate in the competition anymore. And it needs to wait for the successive contention round to participate again.
04:37:960alessandro.brighente@unipd.it: And so now you have a long sequence of bits where both S2 and S3 have the same bits. Right? So 0 0 0 again, right? Easy
04:47:890alessandro.brighente@unipd.it: 1 1, although
04:51:380alessandro.brighente@unipd.it: having a problem that the 1 might be overwritten by a 0 on the CAN bus. Right? Someone is transmitting a 0, as in this case both of them are transmitting a 1, and therefore they will sense a 1 on the bus itself.
05:05:820alessandro.brighente@unipd.it: Blah blah blah up to the point where S2 transmits a 0 and S3 transmits a 1. This one would be the dominant, and therefore would be the one that is transmitted on the CAN bus. And at this point S3 senses the error, right, the bit error between the transmission and what is actually on the bus, and from this point on is off
05:30:210alessandro.brighente@unipd.it: and S2 wins the competition and gets to transmit its actual frame. Right? It can transmit everything that happens after the ID field.
05:44:810alessandro.brighente@unipd.it: Yeah.
05:50:20alessandro.brighente@unipd.it: Yes, because basically, after the... so you know the structure of the CAN frame. You know that there's going to be an end of frame at the end. And after that you have a certain number of
06:09:680alessandro.brighente@unipd.it: let's call them random bits that you add for synchronization. Right? So you need to sense a certain thing: end of frame
06:18:100alessandro.brighente@unipd.it: and bits for synchronization. And after that you know that the contention is going to start.
06:23:650alessandro.brighente@unipd.it: so the contention should be there.
06:26:480alessandro.brighente@unipd.it: and after that you should send your start of frame.
06:30:20alessandro.brighente@unipd.it: and after that you send the application. So this kind of mechanism ensures that all these ECUs are aligned in time.
06:42:940alessandro.brighente@unipd.it: outside by using the fax controller.
06:45:860alessandro.brighente@unipd.it: Sorry the end of the month.
06:49:430alessandro.brighente@unipd.it: Yeah, no, no, no. So the the bits on the bus are phone.
06:57:120alessandro.brighente@unipd.it: I have ECUs that are transmitting, right? And so they will try to apply the voltage condition on the CAN bus to transmit that value. Right? So I'm ECU 1. I want to transmit a 0. If I want to transmit 0, I know that I need to apply 4.5 volts on high and 1.5 volts on CAN low.
07:18:650alessandro.brighente@unipd.it: That's that is something that I apply
07:22:871alessandro.brighente@unipd.it: but if I want to
07:27:60alessandro.brighente@unipd.it: to transmit a bit one
07:29:268alessandro.brighente@unipd.it: I know that they need to apply the same voltage value on the 2 wires. But someone else is applying something different. Right? You want to transmit a 0, and they're applying a different voltage condition on the 2 wires.
07:42:380alessandro.brighente@unipd.it: and so the one with the with 0 will win this right because it will have a higher voltage value applying there.
07:50:790alessandro.brighente@unipd.it: And now the thing is, despite the fact that I'm trying to apply this voltage value and have a beta 0 on the one
08:00:40alessandro.brighente@unipd.it: on the CAN bus.
08:01:620alessandro.brighente@unipd.it: This is not the thing that I sense, right?
08:04:20alessandro.brighente@unipd.it: Ideally, I know that due to my transmission, there should be a 1, but I sense a 0.
08:10:180alessandro.brighente@unipd.it: Okay, so all these ECUs try to transmit their bits, and whatever is on the CAN bus has been decided by one of these ECUs documented the CAN bus. There's no central controller. There's no one that decides on behalf of all these ECUs. Right?
08:26:344alessandro.brighente@unipd.it: All of these ECUs are their own brain, let's call it their own centralized system.
08:33:971alessandro.brighente@unipd.it: But there's no one. There's no CAN controller in the center that decides for all of the ECUs.
08:41:359alessandro.brighente@unipd.it: If his response to your question is what you mean.
08:48:20alessandro.brighente@unipd.it: the master? We
08:49:859alessandro.brighente@unipd.it: but we can't properly
08:52:748alessandro.brighente@unipd.it: in the past, you see.
08:58:970alessandro.brighente@unipd.it: Okay.
08:59:850alessandro.brighente@unipd.it: it's
09:00:620alessandro.brighente@unipd.it: Yes. So these ECUs would try to apply their signals. And what you observe is the signal applied by the ECU that wins, somehow based on these voltage values. But the voltage values for us are bits.
09:13:270alessandro.brighente@unipd.it: So for us it means that the bits that you observe on the bus, it's either the one from the ECU that wins the competition
09:22:310alessandro.brighente@unipd.it: right, or the bits that have been transmitted
09:27:957alessandro.brighente@unipd.it: by the ECU that has something to say. Right? So the 2 scenarios: either we are talking about the contention phase, and so the bits that you observe
09:37:90alessandro.brighente@unipd.it: very likely either is a 0 or is a 1, because all of the others are sending one or someone already won the competition
09:45:189alessandro.brighente@unipd.it: After the competition, you're going to observe bits, but they are the content of the packet of the ECU that won the competition.
09:51:939alessandro.brighente@unipd.it: Why didn't think that?
09:54:760alessandro.brighente@unipd.it: Yeah.
09:56:460alessandro.brighente@unipd.it: And
10:03:280alessandro.brighente@unipd.it: Yeah, because S2 sends a 0 and the... and somehow, the 0, we know, wins, right? So what is going to be there on the bus is a 0
10:15:590alessandro.brighente@unipd.it: S3 instead tries to send a 1,
10:18:670alessandro.brighente@unipd.it: but the one is not able to override the 0,
10:21:330alessandro.brighente@unipd.it: so it's not able to override the 0 value applied by the other ECU.
10:26:690alessandro.brighente@unipd.it: So what S3 tries to transmit and the voltage value that it senses from the CAN bus are different.
10:34:350alessandro.brighente@unipd.it: right?
10:35:300alessandro.brighente@unipd.it: And therefore it means that there's an error. I'm trying to transmit a 1, but I sense something, the voltage values that are associated with a 0. So it means that something didn't go wrong and someone else won, was able to send the 0 and win the competition.
10:53:790alessandro.brighente@unipd.it: Yes. But if S3 has a 1 at that point, it means that its priority
11:03:87alessandro.brighente@unipd.it: doesn't allow it to do so right?
11:07:540alessandro.brighente@unipd.it: And these are... This is something that we give by default to the different components of the car. For instance, I don't want the windows opener to have higher priority over the gas pedal.
11:21:810alessandro.brighente@unipd.it: Right? I mean, if I need to do something with the gas pedal, and I'm trying to turn down the window at the same time, I want the gas pedal to win. So we have their IDs associated such that if there's a competition between these 2, then the gas pedal is going to win.
11:40:610alessandro.brighente@unipd.it: Therefore, S2 means there is competition, and therefore S2 wins the competition. But the
11:47:250alessandro.brighente@unipd.it: and that's 3 weeks that additional year.
11:51:520alessandro.brighente@unipd.it: Yes, and that's wrong.
11:54:260alessandro.brighente@unipd.it: If
11:58:340alessandro.brighente@unipd.it: and we should always
11:59:690alessandro.brighente@unipd.it: ideally, there is no possibility for that to happen in normal conditions. It means that in normal conditions all the IDs that I have in the car should be different, right? And therefore there should be no 2 components with the same ID, such that they can win the competition
12:21:20alessandro.brighente@unipd.it: at the same time.
12:23:790alessandro.brighente@unipd.it: But we are still in
12:27:580alessandro.brighente@unipd.it: hey? So
12:30:780alessandro.brighente@unipd.it: and so we can
12:32:660alessandro.brighente@unipd.it: exactly to this thing to answer tasks.
12:36:530alessandro.brighente@unipd.it: I mean, I can manipulate my ID now. I mean, no one is telling me I should not modify my ID.
12:41:790alessandro.brighente@unipd.it: What is this?
12:46:20alessandro.brighente@unipd.it: And
12:53:60alessandro.brighente@unipd.it: still wins the competition?
13:12:70alessandro.brighente@unipd.it: Good. So what happens now? We have another one day. Arbitration right. Everything is fine and no, they can transmit its data without having
13:23:250alessandro.brighente@unipd.it: any problem.
13:26:70alessandro.brighente@unipd.it: Everything is going to happen smoothly. At a certain point there would be an end of frame, some bits, and then there should be a new transmission. So it means that a new competition down there, of course.
13:38:500alessandro.brighente@unipd.it: right? So
13:39:974alessandro.brighente@unipd.it: this is the thing I was mentioning before, the 3 meter interframe symbols, right? They are there to separate packets, right, and to provide means for these ECUs to realize: okay, at this point I should send the start of frame if I want to participate
13:57:542alessandro.brighente@unipd.it: in the competition. Okay? So we have this repetitive scheme, right? Repetitive course of actions, thanks to which ECUs can get to send their packets.
14:18:640alessandro.brighente@unipd.it: Good. So
14:21:200alessandro.brighente@unipd.it: these are all things that happen within the CAN bus, right? When we talk about how ECUs are connected to the CAN bus.
14:29:120alessandro.brighente@unipd.it: What if I want to interact with the CAN bus? Right? How do I get to understand what is happening on the CAN bus? So if you check on your car, or whatever car you find around, you should be able to see something like that, usually under the steering wheel. There's a little door.
14:49:540alessandro.brighente@unipd.it: and where you can find that port. Okay, so this port is the on-board diagnostic port, OBD, right? And they have these standards; nowadays it's OBD 2,
15:04:280alessandro.brighente@unipd.it: right? So you can connect to this port and collect the CAN bus packets from your car when you're driving, for instance, right? And in order to do that, you can use some simple device like this. Right? So here you have the connectors
15:18:479alessandro.brighente@unipd.it: report. And then here you have a USB cable that you can plug to your laptop, for instance, and start collecting CAN bus packets, right? The OBD port, of course, has a certain convention on which data passes through which pin, and that device allows you to
15:38:833alessandro.brighente@unipd.it: connect it to the laptop without any issue. And, for instance, there are a lot of libraries that you can use in order to analyze CAN bus packets. There's a Python library, for instance, that is dedicated to the CAN bus. Right? Thanks to which you can analyze packets, you can see the flow of packets. You can send packets, you can modify them.
16:01:540alessandro.brighente@unipd.it: And this is something that you will do in one of the exercises of the course, to take a look at how CAN bus packets are actually formed, and how you can interact with them.
16:16:00alessandro.brighente@unipd.it: University.
16:16:660alessandro.brighente@unipd.it: No, I tried so hard having a car at the University, but they didn't allow me, because the battery may explode.
16:24:390alessandro.brighente@unipd.it: There's a lot there's like huge amount of things bad. I can do with a car. Right? And the problem is the better the response
16:31:430alessandro.brighente@unipd.it: whatever. No, we don't have a car.
16:36:550alessandro.brighente@unipd.it: because I thought, Okay, if I go to the demolition place I get a car that maybe doesn't work. But I don't care, right? I just need to connect to the CAN bus
16:44:800alessandro.brighente@unipd.it: for some 100 of euros. I'm done. No, it might explode.
16:52:390alessandro.brighente@unipd.it: Okay. So going to the the fun stuff attacker model. So what can an attacker possibly do with all the things that we mentioned up to now?
17:03:551alessandro.brighente@unipd.it: We said that it's really easy to connect to the CAN bus. Right? I can just simply have a couple of wires connected to my Raspberry
17:13:570alessandro.brighente@unipd.it: Pi board.
17:17:40alessandro.brighente@unipd.it: So yeah, it's actually true. You have a Raspberry Pi board, and there's a CAN adapter you can attach to that
17:25:399alessandro.brighente@unipd.it: which basically stands for the CAN transceiver and controller itself.
17:32:505alessandro.brighente@unipd.it: That allows you to connect it directly to a CAN bus and start interacting with that, right? So it means that you can receive packets, and it means,
17:42:960alessandro.brighente@unipd.it: most interestingly.
17:45:220alessandro.brighente@unipd.it: that you can send packets, right? I can craft my own packets and send them on the CAN bus.
17:51:00alessandro.brighente@unipd.it: So from all the things that we said up to now: there's no authentication mechanism. There's no identifier for the ECU. There's no one that tells these ECUs: this is the list of a visa that you should accept, right? And there's nothing that checks whether
18:08:60alessandro.brighente@unipd.it: a packet with a certain ID is somehow valid, right? Everyone just sees the list of bits applied on the CAN bus and detects or not whether it's an error or not. There's no way to detect whether it's something malicious or not.
18:26:210alessandro.brighente@unipd.it: Good. So what can we do as an attacker? Well, we want to impair somehow the functionality of the vehicle, or we can get some data out of the vehicle itself. Right? So, for instance, here you have 2 means, 2 examples. You might want to inject packets, right, craft your own CAN frames with a spoofed ID, for instance, and send them over the CAN bus and
18:58:20alessandro.brighente@unipd.it: and tamper with the functionalities of the car in a way in which we'll see.
19:03:131alessandro.brighente@unipd.it: For instance, the thing I mentioned before about transitioning or forcing the transitioning of an ECU to different states
19:11:690alessandro.brighente@unipd.it: or you may want to stop or suspend somehow the message transmission from a compromised ECU. And of course, there are many ways in which you can do that.
19:28:715alessandro.brighente@unipd.it: We can have some basic terminology on the level of compromise we have on ECUs, which can be weakly or fully compromised.
19:40:460alessandro.brighente@unipd.it: here you have the definition of weakly compromised, which means an attacker cannot inject any fabricated messages. Right? The attacker is not completely free to do whatever he wants to do.
19:51:302alessandro.brighente@unipd.it: Instead, if we're talking about fully compromised, it means that we have full control over these ECUs. And here you have examples on how you can inject somehow packets on the CAN bus, or how you can.
20:05:79alessandro.brighente@unipd.it: Control, gain control over ECUs. Something that is not written and I think is important is the fact that
20:13:340alessandro.brighente@unipd.it: you can collect data from the CAN bus, right? Maybe I don't want to inject anything. I just want to be a silent attacker that is there, collecting all the packets that pass through the CAN bus. Right? I can do that. I mean, there's nothing that prevents me from collecting and interpreting those packets. They're not encrypted. There's no authentication required to interact with the CAN bus.
20:34:640alessandro.brighente@unipd.it: So it means, for instance, that I can connect my, again, Raspberry Pi or whatever computing
20:42:550alessandro.brighente@unipd.it: means you like to the CAN bus and collect packets. And from those packets we have some sensitive information, right? Although it doesn't seem so. This sensitive information might be related to the location of the car.
20:57:620alessandro.brighente@unipd.it: It might give us the GPS coordinates of where the car is. I might get information on the steering pattern of the car itself. I might have information on the pattern by which I drive, right, if I push on the gas pedal, if I need to stop, if I need to.
21:19:780alessandro.brighente@unipd.it: all the things they need to do while driving.
21:22:380alessandro.brighente@unipd.it: And there are many, many works that show how this helps us
21:29:450alessandro.brighente@unipd.it: creating a
21:31:153alessandro.brighente@unipd.it: the driving track of the driver. Right? I collect a lot of packets, and although not being there with the driver itself, I know where the driver has been. It's something that you can use for espionage purposes, for instance. Right? You get to understand where a certain car has been.
21:48:380alessandro.brighente@unipd.it: which
21:49:950alessandro.brighente@unipd.it: not necessarily is a
21:51:890alessandro.brighente@unipd.it: a good thing. Right?
21:55:730alessandro.brighente@unipd.it: Okay? And then, we'll get into the details of the different attacks next week.
22:00:830alessandro.brighente@unipd.it: It's right
22:03:310alessandro.brighente@unipd.it: joking. Have a nice weekend.