On a CAN network, nodes transmit frames on a shared bus, and every node attached to that bus receives each frame at the same time. CAN is therefore a broadcast medium.
Each Electronic Control Unit (ECU) in a car is connected to one or more CAN buses.
Normally, the messages the ECUs exchange are neither authenticated nor encrypted, so any node on the bus can forge messages. A CAN frame carries no sender address; the identifier is all a receiver has to go on, and it can be set freely by whoever transmits. This lets an attacker who controls one node impersonate other ECUs, e.g., send commands to the brake or steering ECU.
vatiCAN authenticates messages by attaching a keyed message authentication code (HMAC) to each message. This protects integrity and authenticity: a message cannot be altered by a third party without invalidating the tag, and a valid tag can only be produced by an ECU holding the correct secret key. Note that a MAC by itself does not stop an attacker from replaying a previously captured valid message; freshness has to come from a counter or nonce that is covered by the tag.
A block diagram of how the library works:
Spoofing, i.e. a message that claims to originate from an ECU but was in fact transmitted by an attacker, can be detected in software by monitoring the bus. In addition, vatiCAN supports preventing spoofed messages that carry one's own identifier, by exploiting CAN bus arbitration.
We leverage the fact that CAN is a bus-oriented network, so every component receives the frames of all other components on the bus. A component that monitors the CAN traffic can therefore identify spoofed messages by watching for frames that carry its own sender identifier. If a component sees a frame with its own sender ID that it did not transmit itself, that frame must be spoofed.
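The following simulation, added here as an illustration and not taken from the vatiCAN project, puts both mechanisms together: per-message tags and own-ID spoof detection on a broadcast bus. Everything about the frame layout is an assumption of this demo, not vatiCAN's format: a pre-shared key per sender ID, a 2-byte counter for freshness, and a separate authentication frame on ID+1 that carries the counter plus a 6-byte truncated HMAC-SHA256 tag (2 + 6 bytes fill one 8-byte classic CAN data field). The keys and frame contents are constructed sample data.

```python
"""vatiCAN-style frame authentication plus own-ID spoof detection, simulated in Python.
Added illustration, not code from the vatiCAN project. Assumptions: a pre-shared key
per sender ID, a 2-byte counter, and an auth frame on ID+1 = counter || truncated tag."""
import hashlib
import hmac
from dataclasses import dataclass

TAG_LEN = 6  # 2-byte counter + 6-byte tag fill one 8-byte classic CAN data field


@dataclass(frozen=True)
class Frame:
    can_id: int   # 11-bit identifier; on the bus it is the only hint of who sent the frame
    data: bytes   # at most 8 bytes in classic CAN

    def __post_init__(self):
        if not 0 <= self.can_id < 0x800 or len(self.data) > 8:
            raise ValueError("not a valid classic CAN frame")


class Bus:
    """Broadcast medium: every attached node, including the transmitter, sees every frame."""
    def __init__(self):
        self.nodes = []

    def transmit(self, frame):
        for node in self.nodes:
            node.on_frame(frame)


def compute_tag(key, can_id, counter, payload):
    """HMAC-SHA256 over (ID, counter, payload), truncated to TAG_LEN bytes."""
    msg = can_id.to_bytes(2, "big") + counter.to_bytes(2, "big") + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


class ECU:
    def __init__(self, name, data_id, keys, bus):
        self.name, self.data_id, self.keys, self.bus = name, data_id, keys, bus
        self.tx_counter = 0
        self.in_flight = []     # frames we transmitted and have not yet seen echoed back
        self.pending = {}       # sender ID -> data frame waiting for its auth frame
        self.last_counter = {}  # sender ID -> highest accepted counter (replay check)
        self.accepted, self.rejected, self.spoofed = [], [], []
        bus.nodes.append(self)

    def send(self, payload):
        counter, self.tx_counter = self.tx_counter, self.tx_counter + 1
        tag = compute_tag(self.keys[self.data_id], self.data_id, counter, payload)
        for frame in (Frame(self.data_id, payload),
                      Frame(self.data_id + 1, counter.to_bytes(2, "big") + tag)):
            self.in_flight.append(frame)  # record it before the bus echoes it back to us
            self.bus.transmit(frame)

    def on_frame(self, frame):
        # Spoof detection: a frame on one of our IDs that we did not put on the bus.
        if frame.can_id in (self.data_id, self.data_id + 1):
            if self.in_flight and self.in_flight[0] == frame:
                self.in_flight.pop(0)
            else:
                self.spoofed.append(frame)
            return
        if frame.can_id in self.keys:             # data frame from a known sender
            self.pending[frame.can_id] = frame
            return
        sender = frame.can_id - 1
        if sender not in self.keys:               # not an auth frame we can verify
            return
        data = self.pending.pop(sender, None)
        if data is None or len(frame.data) != 2 + TAG_LEN:
            self.rejected.append((sender, "no matching data frame"))
            return
        counter = int.from_bytes(frame.data[:2], "big")
        expected = compute_tag(self.keys[sender], sender, counter, data.data)
        if not hmac.compare_digest(frame.data[2:], expected):
            self.rejected.append((sender, "bad tag"))
        elif counter <= self.last_counter.get(sender, -1):
            self.rejected.append((sender, "replay"))
        else:
            self.last_counter[sender] = counter
            self.accepted.append((sender, data.data))


def demo():
    bus = Bus()
    keys = {0x10: b"constructed-demo-key-for-brake-ecu"}  # constructed sample key
    brake = ECU("brake", 0x10, keys, bus)
    dash = ECU("dashboard", 0x30, keys, bus)           # receiver only; never calls send()

    brake.send(b"\x00\x64")                            # genuine brake message, counter 0
    # A rogue node without the key forges a data frame and guesses an auth frame.
    bus.transmit(Frame(0x10, b"\x00\x00"))
    bus.transmit(Frame(0x11, b"\x00\x01" + bytes(TAG_LEN)))
    # The rogue node replays the genuine pair it recorded earlier.
    bus.transmit(Frame(0x10, b"\x00\x64"))
    bus.transmit(Frame(0x11, b"\x00\x00" + compute_tag(keys[0x10], 0x10, 0, b"\x00\x64")))
    brake.send(b"\x00\x32")                            # next genuine message, counter 1
    return {"accepted": dash.accepted,
            "rejected": [reason for _, reason in dash.rejected],
            "spoofed_seen_by_brake": len(brake.spoofed)}


if __name__ == "__main__":
    print(demo())
```

The dashboard accepts only the two genuine messages, rejects the forgery for a bad tag and the replay for a stale counter, and the brake ECU flags all four attacker frames as spoofed because they carry its identifiers yet are not in its own transmit queue. One weakness this model exposes: a forged data frame injected between a genuine data frame and its auth frame overwrites the pending entry, so the genuine message then fails verification too; the tag prevents impersonation, not denial of service.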
Alternatively, a detected spoofed message can be dropped on the wire by deliberately corrupting its CRC. In a CAN frame the identifier comes first and is processed bit by bit during arbitration by every node, so the impersonated ECU can recognise its own identifier early, while the rest of the frame is still being transmitted, and overwrite the CRC field with dominant bits (logical zeros, which always win on the wired-AND bus). Every receiver then computes a CRC mismatch and discards the frame. This needs bit-level access to the bus that ordinary CAN controllers do not expose, and each destroyed frame provokes an error frame, which raises the error counters of the node transmitting the spoofed frames.
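To make the arbitration timing concrete, here is a bit-level model of that frame destruction, added as an illustration and not code from the vatiCAN project. The CRC-15 polynomial (0x4599) and the field order of a standard data frame are those of classic CAN; bit stuffing, the CRC delimiter, ACK and EOF are left out as a simplification, and the guard node, its identifier and the payload are constructed for the example.

```python
"""Bit-level model of dropping a spoofed frame by overwriting its CRC with dominant bits.
Added illustration, not code from the vatiCAN project. CRC-15 polynomial and field order
follow classic CAN; bit stuffing, CRC delimiter, ACK and EOF are omitted (simplification)."""
CRC15_POLY = 0x4599
CRC_LEN = 15


def crc15(bits):
    """CAN CRC-15 (ISO 11898-1): shift-and-xor over the destuffed bit stream."""
    crc = 0
    for bit in bits:
        crc_next = bit ^ ((crc >> 14) & 1)
        crc = (crc << 1) & 0x7FFF
        if crc_next:
            crc ^= CRC15_POLY
    return crc


def frame_bits(can_id, data):
    """Standard data frame from SOF through the CRC field, MSB first; returns (bits, crc_start)."""
    bits = [0]                                                  # SOF, dominant
    bits += [(can_id >> i) & 1 for i in range(10, -1, -1)]      # 11-bit identifier
    bits += [0, 0, 0]                                           # RTR, IDE, r0
    bits += [(len(data) >> i) & 1 for i in range(3, -1, -1)]    # DLC
    for byte in data:
        bits += [(byte >> i) & 1 for i in range(7, -1, -1)]
    crc_start = len(bits)
    crc = crc15(bits)
    bits += [(crc >> i) & 1 for i in range(CRC_LEN - 1, -1, -1)]
    return bits, crc_start


def transmit(can_id, data, guard_id, guard_is_transmitter):
    """Put a frame on the bus bit by bit. A guard node owning guard_id watches the
    identifier as it arrives; if it sees its own ID while it is not transmitting,
    it drives dominant bits during the CRC field. The bus is a wired-AND: 0 wins."""
    tx_bits, crc_start = frame_bits(can_id, data)
    bus_bits, seen_id, destroy = [], 0, False
    for i, tx_bit in enumerate(tx_bits):
        guard_bit = 0 if destroy and crc_start <= i < crc_start + CRC_LEN else 1
        bus_bit = tx_bit & guard_bit
        bus_bits.append(bus_bit)
        if 1 <= i <= 11:                          # identifier bits follow the SOF
            seen_id = (seen_id << 1) | bus_bit
            if i == 11 and seen_id == guard_id and not guard_is_transmitter:
                destroy = True                    # decided well before the CRC field
    return bus_bits


def receiver_accepts(bus_bits):
    """Receivers recompute the CRC over everything before the CRC field and compare."""
    body, crc_field = bus_bits[:-CRC_LEN], bus_bits[-CRC_LEN:]
    received = int("".join(str(b) for b in crc_field), 2)
    return crc15(body) == received


if __name__ == "__main__":
    BRAKE_ID = 0x10  # constructed: the ID the guard node legitimately transmits on
    print("genuine frame accepted:", receiver_accepts(transmit(BRAKE_ID, b"\x64", BRAKE_ID, True)))
    print("spoofed frame accepted:", receiver_accepts(transmit(BRAKE_ID, b"\x64", BRAKE_ID, False)))
    print("other ID left alone:   ", receiver_accepts(transmit(0x20, b"\x64", BRAKE_ID, False)))
```

The guard decides after the eleventh identifier bit, long before the CRC field begins, which is the early detection stage the text refers to. On a real bus the run of dominant bits it writes would also violate the five-bit stuffing rule and trigger a stuff error, so the frame is discarded even sooner than this CRC-only model shows.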