
EP-4742072-A1 - MANAGEMENT OF SIGNAL VERIFICATION AMONGST NODES OF A COMMUNICATION SYSTEM EMPLOYING E2E PROTECTION PROTOCOLS


Abstract

Techniques for centralized management of signal verification of protected data messages are described. A computer-implemented method, performed by a data processing device of a system comprising a plurality of nodes respectively connected to one another via a communication framework, can comprise intercepting protected data messages sent by one or more sender nodes of the plurality of nodes via the communication framework and directed to one or more receiver nodes of the plurality of nodes, the protected data messages being configured in accordance with a secure communication protocol. The method further comprises performing a validation process of the secure communication protocol to validate the protected data messages sequentially in time as intercepted over time, extracting data content from respective messages of the protected data messages in response to successful validation of the respective messages, and providing the data content to the one or more receiver nodes via the communication framework.

Inventors

  • SANDSTRÖM, Per
  • EKBOM, Andreas

Assignees

  • VOLVO CAR CORPORATION

Dates

Publication Date
2026-05-13
Application Date
2025-10-30

Claims (15)

  1. A computer-implemented method, comprising: repeatedly executing, by a receiver node of a system comprising a plurality of nodes respectively connected to one another via a communication framework, a data reading process in association with consuming data content repeatedly sent to the receiver node by a sender node of the plurality of nodes in a protected format, wherein the plurality of nodes comprise the receiver node and the sender node, wherein the receiver node is coupled to at least one processor, and wherein the data reading process comprises: reading, by the receiver node, the data content in a deprotected format as included in a memory of the system that is accessible to the plurality of nodes, wherein the repeatedly executing comprises repeatedly executing the data reading process at a read frequency that is different than a send frequency at which the sender node is configured to repeatedly send the data content to the receiver node.
  2. The method of claim 1, wherein the data content in the deprotected format as included in the shared memory further comprises a timestamp indicating a time at which the data content was last sent by the sender node, and wherein the method further comprises: determining, by the receiver node, whether the data content satisfies a freshness criterion based on a time difference between the timestamp and a read time at which the reading is performed; and consuming, by the receiver node, the data content based on a determination that the data content satisfies the freshness criterion.
  3. The method of claim 1, wherein the read frequency is lower than the send frequency.
  4. The method of claim 1, wherein the read frequency is responsive to a trigger event.
  5. The method of claim 1, wherein the read frequency varies and wherein the send frequency is fixed.
  6. The method of claim 1, wherein the data content is included in the deprotected format in the memory in response to: interception, by a communication management application of the system, of respective protected data messages comprising the data content as repeatedly sent by the sender node, and publication, by the communication management application, of the data content to the memory in the deprotected format as extracted from the respective protected data messages by the communication management application.
  7. The method of claim 6, wherein the publication is further in response to verifying, by the communication management application, a validity of the data content in accordance with a secure communication protocol.
  8. The method of claim 7, wherein the verifying the validity is based on respective counters included in the respective protected data messages.
  9. The method of claim 1, wherein the system is integrated on or within a vehicle.
  10. The method of claim 9, wherein the plurality of nodes comprise electronic control units associated with different onboard systems of the vehicle and different applications executed by a data processing device of the system.
  11. The method of claim 10, wherein the data processing device comprises the processor and wherein the receiver node comprises an application of the different applications.
  12. A system, comprising: a plurality of nodes respectively connected to one another via a communication framework; a processor; and a memory that stores executable instructions that, when executed by the processor, facilitate performance of operations, comprising: repeatedly executing, by a receiver node of the plurality of nodes, a data reading process in association with consuming data content repeatedly sent to the receiver node by a sender node of the plurality of nodes in a protected format, wherein the data reading process comprises: reading, by the receiver node, the data content in a deprotected format as included in a memory of the system that is accessible to the plurality of nodes, wherein the repeatedly executing comprises repeatedly executing the data reading process at a read frequency that is different than a send frequency at which the sender node is configured to repeatedly send the data content to the receiver node.
  13. The system of claim 12, wherein the data content in the deprotected format as included in the shared memory further comprises a timestamp indicating a time at which the data content was last sent by the sender node, and wherein the data reading process further comprises: determining, by the receiver node, whether the data content satisfies a freshness criterion based on a time difference between the timestamp and a read time at which the reading is performed; and consuming, by the receiver node, the data content based on a determination that the data content satisfies the freshness criterion.
  14. The system of claim 12, wherein the data content is included in the deprotected format in the memory in response to: interception, by a communication management application of the system, of respective protected data messages comprising the data content as repeatedly sent by the sender node, and publication, by the communication management application, of the data content to the memory in the deprotected format as extracted from the respective protected data messages by the communication management application.
  15. A non-transitory machine-readable storage medium, comprising executable instructions that, when executed by a processor of a system comprising a plurality of nodes respectively connected to one another via a communication framework, facilitate performance of operations, comprising: repeatedly executing, by a receiver node of the plurality of nodes, a data reading process in association with consuming data content repeatedly sent to the receiver node by a sender node of the plurality of nodes in a protected format, wherein the data reading process comprises: reading, by the receiver node, the data content in a deprotected format as included in a memory of the system that is accessible to the plurality of nodes, wherein the repeatedly executing comprises repeatedly executing the data reading process at a read frequency that is different than a send frequency at which the sender node is configured to repeatedly send the data content to the receiver node.

Description

TECHNICAL FIELD

The disclosed subject matter relates to end-to-end (E2E) data communication protocols and, more particularly, to improved management of data signal verification amongst nodes of a communication system employing E2E protection protocols.

BACKGROUND

The Automotive Open System Architecture (AUTOSAR) is a worldwide development partnership that creates a standardized software communication architecture for automotive systems; its end-to-end data protection mechanism is referred to as AUTOSAR E2E (End-to-End). The purpose of AUTOSAR E2E is to provide data protection mechanisms for safety-critical communication in automotive systems. Since vehicles often rely on complex, networked systems to control critical functions such as braking, steering, and safety features, it is essential that data transferred across these systems is both accurate and secure. While AUTOSAR E2E is primarily designed for protecting data in communication between Electronic Control Units (ECUs) in automotive systems, its application is not strictly limited to ECUs. The E2E protocols can be used for any safety-critical communication within an automotive system and other systems, especially where data integrity and fault tolerance are essential. For example, E2E protection mechanisms can also be used in communication between sensors (e.g., radar, lidar, ultrasonic) and actuators within the vehicle's control network, ensuring that critical inputs like speed, distance, and object detection data are reliable. In another example, modern vehicles often use gateway modules to connect different communication buses (e.g., a Controller Area Network (CAN), a Local Interconnect Network (LIN), FlexRay, Ethernet, etc.). E2E protection helps ensure that data transferred across these networks maintains its integrity, even as it is routed through gateways. AUTOSAR E2E protocols facilitate creating a more robust and secure communication infrastructure by implementing specific data protection and error-detection techniques.
In particular, the E2E protocols add checks to data to detect whether it has been corrupted during transmission. This often includes mechanisms like Cyclic Redundancy Checks (CRCs), which help ensure the receiving node can verify the integrity of the data received. The E2E protocols also detect common communication errors such as data loss, corruption, or out-of-order messages by adding sequence counters to messages.

Although AUTOSAR E2E protocols are highly beneficial for ensuring reliable and secure communication between communication nodes in automotive systems, they do come with certain challenges and limitations. In particular, E2E protocols involve additional error-checking mechanisms, such as CRCs and sequence counters, which increase computational demands in terms of processing power and memory used by the communication nodes. Moreover, in high-speed communications where a large amount of data needs to be verified continuously, E2E mechanisms can significantly increase resource consumption. High resource consumption may require more advanced hardware, which can increase costs, or may reduce available resources for other critical tasks, potentially affecting system performance.

In addition, AUTOSAR E2E uses varying AUTOSAR E2E profiles for different ECUs, which are different configurations of E2E protection mechanisms suited for specific applications. Setting up and calibrating E2E protocols can be complex, as it involves configuring multiple parameters tailored to different E2E profiles, like sequence numbers, counters, timeout values, and CRC lengths, which vary depending on safety and timing requirements. Thus, adding E2E protection mechanisms can make the overall system more complex, both in terms of software architecture and in the ECU interactions, which can increase development time. More complex development processes, testing requirements, and compliance checks might be necessary, which can slow down project timelines and add development costs.
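The checks described above (a CRC over the data plus a sequence counter that exposes repeated, lost and out-of-order messages) and the claimed arrangement in which a central communication management application validates each message once, publishes the deprotected content with a timestamp to shared memory, and a receiver reads it at its own frequency under a freshness criterion, are combined below in one constructed Python example. It is added here and is not code from the patent or from AUTOSAR; its CRC polynomial, frame layout, 4-bit counter, delta limit, data id and timing values are assumptions for illustration and do not reproduce any actual E2E profile.

```python
"""Simplified E2E-style protect/check with a central verifier and a freshness check.
Constructed example: CRC polynomial, frame layout, counter width, delta limit and
timings are assumptions and do not reproduce any real AUTOSAR E2E profile."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

COUNTER_MOD = 16        # 4-bit sequence counter (assumption)
MAX_DELTA_COUNTER = 2   # tolerate at most one lost message between accepted frames


def crc8(data: bytes, poly: int = 0x1D, init: int = 0xFF) -> int:
    """Bitwise CRC-8 over data (polynomial 0x1D, init 0xFF, no final XOR)."""
    crc = init
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ poly) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc


def protect(data_id: int, counter: int, payload: bytes) -> bytes:
    """Sender side: frame = counter | payload | CRC over (data_id, counter, payload).
    Covering data_id with the CRC makes a frame belonging to another signal fail."""
    counter %= COUNTER_MOD
    crc = crc8(bytes([data_id, counter]) + payload)
    return bytes([counter]) + payload + bytes([crc])


@dataclass
class CheckState:
    last_counter: Optional[int] = None  # counter of the last accepted frame


def check(data_id: int, frame: bytes, state: CheckState) -> Tuple[str, Optional[bytes]]:
    """Receiver-side check. Returns (status, payload); payload is None when rejected."""
    if len(frame) < 2:
        return "ERROR_LENGTH", None
    counter, payload, crc = frame[0], frame[1:-1], frame[-1]
    if crc8(bytes([data_id, counter]) + payload) != crc:
        return "ERROR_CRC", None          # corrupted, or a frame of another data id
    if state.last_counter is None:
        state.last_counter = counter
        return "OK_FIRST", payload
    delta = (counter - state.last_counter) % COUNTER_MOD
    if delta == 0:
        return "REPEATED", None           # same counter twice: stale or replayed
    if delta > MAX_DELTA_COUNTER:
        return "WRONG_SEQUENCE", None     # too many lost, or an old frame replayed
    state.last_counter = counter          # only accepted frames move the window
    return ("OK" if delta == 1 else "OK_SOME_LOST"), payload


@dataclass
class Published:
    payload: bytes   # deprotected content
    sent_at_ms: int  # time at which the last accepted message was intercepted


class Verifier:
    """Central communication-management role: checks each frame once and publishes
    the deprotected content plus a timestamp to memory that the receivers read."""
    def __init__(self) -> None:
        self.states: Dict[int, CheckState] = {}
        self.shared: Dict[int, Published] = {}

    def intercept(self, data_id: int, frame: bytes, now_ms: int) -> str:
        state = self.states.setdefault(data_id, CheckState())
        status, payload = check(data_id, frame, state)
        if payload is not None:
            self.shared[data_id] = Published(payload, now_ms)
        return status


def read_fresh(shared: Dict[int, Published], data_id: int, now_ms: int,
               max_age_ms: int) -> Optional[bytes]:
    """Receiver read at its own cadence; freshness criterion: now - sent_at <= max_age."""
    entry = shared.get(data_id)
    if entry is None or now_ms - entry.sent_at_ms > max_age_ms:
        return None
    return entry.payload


def run_demo() -> Tuple[List[str], List[Optional[bytes]]]:
    """Sender every 10 ms with loss, replay, repeat and corruption; reader every 25 ms."""
    data_id = 0x2A
    frame = {c: protect(data_id, c, bytes([c * 3])) for c in range(8)}  # constructed signal
    corrupted = frame[6][:1] + bytes([frame[6][1] ^ 0x01]) + frame[6][2:]  # one flipped bit
    sends = [(0, frame[0]), (10, frame[1]),                   # counter 2 is lost in transit
             (30, frame[3]), (40, frame[4]), (45, frame[3]),  # old frame delivered again
             (50, frame[5]), (55, frame[5]),                  # same frame delivered twice
             (60, corrupted), (70, frame[7])]
    verifier = Verifier()
    statuses: List[str] = []
    reads: List[Optional[bytes]] = []
    for t in range(0, 130, 5):
        for when, f in sends:
            if when == t:
                statuses.append(verifier.intercept(data_id, f, t))
        if t % 25 == 0:  # the reader runs slower than the sender and checks freshness
            reads.append(read_fresh(verifier.shared, data_id, t, max_age_ms=25))
    return statuses, reads


if __name__ == "__main__":
    print(run_demo())
```

The verifier performs the CRC and counter work once per frame, so a receiver that polls at 25 ms instead of the sender's 10 ms never repeats it; the timestamp published alongside the content is what lets that slower reader tell a current value from one left behind after the sender or the verifier stopped, which a plain shared value could not.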
Further, E2E protection mechanisms, especially CRC calculations, can introduce latency, which might impact real-time applications that require fast response times, like braking or collision detection systems. For example, in high-speed or low-latency automotive networks (like in-vehicle Ethernet), these delays can reduce the effectiveness of time-critical applications, posing a challenge to achieving stringent timing requirements.

The above-described background relating to issues associated with AUTOSAR E2E is merely intended to provide a contextual overview of some current issues and is not intended to be exhaustive. Other contextual information may become further apparent upon review of the following detailed description.

SUMMARY

The following presents a summary to provide a basic understanding of one or more embodiments of the disclosed technology. This summary is not intended to identify key or critical elements or delineate any scope of the particular embodiments or any scope of the claims. Its sole purpose is to pr