wolfSentry Protecting the CAN bus

The CAN bus is becoming ubiquitous in vehicle and factory automation the world over. The devices it connects are becoming more powerful and more connected to the outside world. As such security for the devices on this bus is becoming more and more important.

In a previous post we mentioned that we have provided an example of how to use wolfSSL on the CAN bus to encrypt connections between devices. But that is only one part of the equation, filtering traffic so that only expected packets make it through is another required part.

wolfSentry is already a very powerful IDS that can run on lightweight embedded devices. Now we have an example of how to use this on the CAN bus.

The example is based on our previous wolfSSL CAN bus example, so it uses TLS 1.3 for the message payload, but it also uses wolfSentry to filter the target and source addresses for ISO-TP’s “Normal fixed addressing”. This addressing scheme is compatible with many other CAN bus standards.

You can find this example in the wolfSentry codebase on GitHub (https://github.com/LinuxJedi/wolfsentry/tree/can-bus/examples/Linux-CANbus). It uses the Linux kernel SocketCAN functionality but can be easily adapted to work with other CAN bus implementations.

In addition to the above we have also created our own ISO-TP layer which is part of wolfSSL. This cuts down the implementation size significantly as you just need to hook in the CAN bus send and receive functionality. The wolfSSL example (and therefore the wolfSentry example) has been updated to use this new implementation.

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.