Service calling method, communication device, service calling system and vehicle

By verifying the behavioral and execution flow information of the first control command of the service caller and using mapping rules to identify legitimacy, the problem of service IDs being easily forged is solved, thereby improving the security and user experience of the intelligent vehicle service call process.

CN122247627A · Pending · Publication Date: 2026-06-19 · YINWANG INTELLIGENT TECHNOLOGIES CO LTD

Patent Information

Authority / Receiving Office: CN · China
Patent Type: Applications (China)
Current Assignee / Owner: YINWANG INTELLIGENT TECHNOLOGIES CO LTD
Filing Date: 2022-12-13
Publication Date: 2026-06-19

AI Technical Summary

Technical Problem

In existing technologies, during the service call process of intelligent vehicles, the service ID is easily obtained or forged, resulting in insufficient security for service calls in the vehicle.

Method used

By receiving and verifying the verification information of the first control command from the service caller, including the first behavior information and execution flow information, the legitimacy of the control command is determined using mapping rules, ensuring that the control command is triggered by user behavior rather than forged by an attacker.

Benefits of technology

It improves the security of vehicle control service calls, identifies and prevents forged control commands, and enhances the user's driving experience and system security.

✦ Generated by Eureka AI based on patent content.


Abstract

This application provides a service invocation method, a communication device, a service invocation system, and a vehicle. In this method, the service invoker sends first behavior information as verification information for a first control command, along with the first control command, to the service provider. This allows the service provider to determine, based on the first behavior information, that the first control command was triggered by a user's action, rather than being forged by an attacker. Therefore, validating the legitimacy of the first control command based on the first behavior information improves the security of vehicle body control service invocation.

Description

[0001] This application is a divisional application of Chinese patent application No. 202280100699.1, filed on December 13, 2022, the entire contents of which are incorporated herein by reference.

Technical Field

[0002] This application relates to the field of security, and more particularly to a service invocation method, a communication device, a service invocation system, and a vehicle.

Background Technology

[0003] With the rapid development of intelligent vehicles, in-vehicle software is becoming increasingly sophisticated. Users can issue control commands (e.g., unlocking doors, opening windows, adjusting seatbacks, turning on the air conditioning, etc.) through the in-vehicle software in the intelligent vehicle's service caller (e.g., the smart cockpit). When the service provider in the intelligent vehicle (e.g., the vehicle control domain) receives a control command, it first verifies whether the command originates from the aforementioned service caller. If the service provider determines that the command comes from the caller, it confirms the command's validity and sends it to the corresponding execution device, causing the device to execute the command.

[0004] Currently, in traditional technologies, service providers identify and verify control commands through the service application's identification information (e.g., identity document, ID). Specifically, each service provided by a smart vehicle has a vehicle-wide global ID. When a service provider (e.g., the vehicle control domain) receives a control command from a service caller (e.g., the smart cockpit), the service provider determines the legitimacy of the control command based on the service ID carried in the command and the access control policy based on that service ID, and then decides whether to send the control command to the executing device.

[0005] However, when the service caller is compromised, the service ID can be easily obtained or forged. Therefore, relying solely on the service ID for authentication is insufficient to guarantee the security of service calls within a vehicle. Finding a solution that can guarantee secure service calls is an urgent problem to be solved.

Summary of the Invention

[0006] This application provides a service invocation method, a communication device, a service invocation system, and a vehicle to improve the security of service invocation.

[0007] In a first aspect, this application provides a service invocation method, which can be executed by a service provider or by a component of the service provider (e.g., a processor, chip, or chip system). For example, the service provider can be a vehicle control domain (also known as vehicle domain control, VDC), a telematics box (T-Box) in the vehicle, or a combination of a T-Box and a vehicle control domain. In this method, the service provider receives a first control command and verification information of the first control command from a service caller. The first control command is used to invoke a first service, and the verification information of the first control command is used to verify the first control command. Furthermore, the verification information of the first control command includes first behavior information, which indicates the user action that triggered generation of the first control command. Then, the service provider verifies the first control command based on the verification information; if the verification of the first control command passes, the service provider sends the first control command to an execution device, which executes the first control command.

[0008] In this embodiment, the verification information received by the service provider for verifying the first control command includes first behavior information, which indicates the user action that triggered generation of the first control command. Based on the first behavior information, the service provider can determine that the first control command was triggered by the user's action, rather than being forged by an attacker. Therefore, verifying the legitimacy of the first control command based on the first behavior information helps improve the security of vehicle body control service calls.

[0009] In one possible implementation, the service provider verifies the first control command based on the verification information of the first control command, including: the service provider determines the second control command corresponding to the first behavior information based on the first behavior information and the first mapping rule, the first mapping rule including at least one behavior information and a control command corresponding to each behavior information; if the first control command is the same as the second control command, the service provider determines that the verification of the first control command is successful.

[0010] In this embodiment, the verification information received by the service provider for verifying the first control command includes first behavior information. The service provider can then locate the second control command in the first mapping rule based on the first behavior information. When the service provider determines that the first control command is identical to the second control command determined based on the first behavior information, the service provider determines that the first control command was triggered by the user and has not been tampered with, and only then triggers the sending of the first control command to the execution device. Therefore, this improves the security of vehicle body control service invocation.

[0011] In one possible implementation, the verification information of the first control command further includes the first execution flow information, which indicates the process information for calling the first service; the first mapping rule also includes the execution flow information for calling each service. In this case, the service provider compares both the control command corresponding to the first behavior information and the execution flow information of the service corresponding to that control command. Specifically, if the first control command is the same as the second control command, the service provider determines the second execution flow information corresponding to the second control command based on the second control command and the first mapping rule; if the first execution flow information is the same as the second execution flow information, the service provider determines that the verification of the first control command has passed.

[0012] Optionally, the first execution flow information is the execution flow of the service call or the hash value of the execution flow of the service call. The execution flow of the service call is a set of instructions or jump instructions executed by the service caller during the generation of control commands based on behavioral information. Therefore, the execution flow of the service call can reflect the integrity of the service call process. If an attacker tampers with the service call process, the execution flow collected by the service caller will definitely contain instructions reflecting the tampering. Therefore, the execution flow of a service call triggered by a user to generate control commands is different from the execution flow of a service call tampered with by an attacker. Therefore, using the execution flow of the service call as verification information for control commands helps the service provider identify whether an attack has occurred, thus improving the security of the service call process.

[0013] In one possible implementation, the first behavioral information includes a first coordinate, which is the coordinate corresponding to the user's operation; each behavioral information in the first mapping rule includes at least one coordinate region. The service provider determines the second control command corresponding to the first behavioral information based on the first behavioral information and the first mapping rule, including: the service provider determining the coordinate region where the first coordinate is located; and the service provider determining the control command corresponding to the coordinate region where the first coordinate is located as the second control command based on the first mapping rule.

[0014] For example, if a user inputs a command via touchscreen, the first behavior information includes first coordinates, which are the coordinates corresponding to the user's operation on the touchscreen. It should be noted that the first coordinates can be the coordinates of a single click location on the touchscreen. For example, a user clicking only one button on the touchscreen can trigger the generation of the first control command. Furthermore, the first coordinates can also be the coordinates of several click locations on the touchscreen. For example, a user continuously clicking several buttons on the touchscreen is required to trigger the generation of the first control command. Additionally, the first coordinates can be a continuous range of coordinates. For example, a user continuously swiping on the touchscreen to perform a specific swiping gesture (e.g., swiping left or right on the touchscreen) can trigger the generation of the first control command. In practical applications, other user actions can also cause the service caller to detect one or more coordinates.

[0015] In this embodiment, the coordinates corresponding to the user's operation are proposed as the first behavior information. Since the aforementioned coordinates are generated only when the user performs an operation on the touchscreen, using these coordinates as the first behavior information can reflect the user's behavior. This helps the service provider determine, based on these coordinates, that the first control command was triggered by the user's behavior, rather than being forged by an attacker, thereby improving the security of vehicle control service calls.

[0016] In one possible implementation, the first behavioral information includes first semantic information, which is semantics generated based on the user's input voice command; each behavioral information in at least one of the first mapping rules includes one semantic information; the service provider determines the second control command corresponding to the first behavioral information based on the first behavioral information and the first mapping rule, including: the service provider determines the control command corresponding to the first semantic information as the second control command based on the first mapping rule.

[0017] In this embodiment, it is proposed to use the first semantic information converted from the user's voice command as the first behavioral information. Since the aforementioned first semantic information is generated only when the user issues a voice command to the microphone, using the aforementioned first semantic information as the first behavioral information can reflect the user's behavior. This is beneficial for the service provider to determine, based on the first semantic information, that the first control command is triggered by the user's behavior, rather than being forged by an attacker, thereby improving the security of vehicle control service calls.

[0018] In one possible implementation, the first behavioral information includes first time information, which is the time when the service caller detects that the user has triggered the action of generating the first control command. For example, if the first behavioral information includes a first coordinate, then the first time information indicates the time when the user clicks the coordinate on the touchscreen. As another example, if the first behavioral information includes first semantic information, then the first time information indicates the time when the service caller detects the voice command. Specifically, if the service provider determines that the difference between the time indicated by the first time information and the current time is outside a first threshold range, the service provider determines that the verification of the first control command fails.

[0019] In this embodiment, the service provider determines from the first time information whether the first control command is a replay, which is beneficial for identifying replay attacks and improving the security of the service call process.

[0020] In one possible implementation, the verification information of the first control command is signed by the service caller. Before the service provider determines the second control command corresponding to the first behavior information based on the first behavior information and the first mapping rule, the method further includes: the service provider verifying the signature of the verification information of the first control command. If the signature of the verification information of the first control command is verified successfully, the service provider determines the second control command corresponding to the first behavior information based on the first behavior information and the first mapping rule; if the signature verification fails, the service provider determines that the verification of the first control command has failed.

[0021] In this embodiment, if the verification information of the first control command has a signature, the service provider needs to verify whether the signature of the verification information of the first control command originates from the service caller. Through the signature verification process, the service provider can identify whether the verification information of the first control command is verification information signed by the service caller, which helps to improve the security of the service call process.

[0022] In one possible implementation, the method further includes: if the first control command is not the same as the second control command, the service provider determines that the verification of the first control command has failed.

[0023] In this embodiment, if the first control command is different from the second control command determined based on the first mapping rule and the first behavior information, it indicates that the first control command does not match the first behavior information. Therefore, it is determined that the verification of the first control command failed, meaning that the first control command is not a legitimate command. This helps the service provider identify forged control commands, thereby improving the security of the service invocation process.

[0024] In one possible implementation, the method further includes: if the first execution flow information is different from the second execution flow information, the service provider determines that the verification of the first control command has failed.

[0025] In this embodiment, when the first execution flow information is different from the second execution flow information determined based on the first mapping rule and the first control command, it indicates that the first execution flow information does not match the first control command, thereby identifying forged or tampered execution flow information. At this time, the service provider will determine that the first control command verification failed. Therefore, this helps the service provider identify forged control commands, thereby improving the security of the service invocation process.

[0026] In one possible implementation, the method further includes: if the service provider determines that the verification of the first control command fails, the service provider prompts the user with an alarm message, the alarm message indicating that the verification of the first control command failed; or, if the service provider determines that the verification of the first control command fails, the service provider sends an alarm message to the service caller, the service caller prompting the user with the alarm message.

[0027] In this implementation, if the verification of the first control command fails, the service provider will also directly or indirectly prompt the user with alarm information. This helps the user quickly detect the anomaly, thereby providing a reference for the user's driving decisions and improving the user's driving experience.
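
The provider-side checks described in [0009] to [0025], as an added Python example that is not part of the patent text. Assumptions: HMAC-SHA256 with a shared key stands in for the caller's signature (the page names no scheme), and the region coordinates, command names, trace labels and 2-second threshold are constructed; `make_request` is a hypothetical caller-side helper used only to build sample input.

```python
import hashlib
import hmac
import json
import time

# Assumption: HMAC-SHA256 with a pre-shared key stands in for the caller's
# signature; the page does not name a signature scheme.
CALLER_KEY = b"constructed-demo-key"
MAX_AGE_SECONDS = 2.0  # hypothetical value for the "first threshold range"


def flow_hash(trace):
    """Hash an execution flow given as an ordered list of instruction labels."""
    return hashlib.sha256("\n".join(trace).encode()).hexdigest()


# First mapping rule (constructed): behavior information -> control command,
# plus the expected execution-flow hash for each command.
TOUCH_REGIONS = [
    # (x_min, y_min, x_max, y_max, command)
    (0, 0, 199, 99, "UNLOCK_DOORS"),
    (200, 0, 399, 99, "OPEN_WINDOW"),
]
VOICE_SEMANTICS = {"open_window": "OPEN_WINDOW", "ac_on": "AC_ON"}
EXPECTED_FLOW = {
    "UNLOCK_DOORS": flow_hash(["ui_event", "door_handler", "send_cmd"]),
    "OPEN_WINDOW": flow_hash(["ui_event", "window_handler", "send_cmd"]),
    "AC_ON": flow_hash(["asr_event", "climate_handler", "send_cmd"]),
}


def sign(info, key=CALLER_KEY):
    """Sign the verification information over a canonical JSON encoding."""
    blob = json.dumps(info, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()


def make_request(command, behavior, trace):
    """Hypothetical caller side: bundle command, verification info, signature."""
    info = {"behavior": behavior, "flow_hash": flow_hash(trace)}
    return command, info, sign(info)


def expected_command(behavior):
    """Look up the 'second control command' for the reported behavior."""
    if "coord" in behavior:
        x, y = behavior["coord"]
        for x0, y0, x1, y1, cmd in TOUCH_REGIONS:
            if x0 <= x <= x1 and y0 <= y <= y1:
                return cmd
        return None  # coordinate falls in no known region
    return VOICE_SEMANTICS.get(behavior.get("semantic"))


def verify(command, info, signature, now=None):
    """Return (ok, reason); the reason can feed the alarm message on failure."""
    now = time.time() if now is None else now
    # 1. Signature over the verification information, checked before any lookup.
    if not hmac.compare_digest(sign(info).encode(), str(signature).encode()):
        return False, "bad_signature"
    behavior = info.get("behavior", {})
    # 2. Replay check: behavior time must lie within the threshold of "now".
    stamp = behavior.get("time")
    if not isinstance(stamp, (int, float)) or abs(now - stamp) > MAX_AGE_SECONDS:
        return False, "stale_behavior"
    # 3. The behavior must map to the same command that was received.
    second = expected_command(behavior)
    if second is None or second != command:
        return False, "command_mismatch"
    # 4. The reported execution flow must match the one recorded for the command.
    reported = str(info.get("flow_hash", "")).encode()
    if not hmac.compare_digest(EXPECTED_FLOW[second].encode(), reported):
        return False, "flow_mismatch"
    return True, "ok"
```

These checks only bind the command to the reported behavior and flow; the page relies on the trusted module in the service caller to make those reported values trustworthy.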

[0028] In one possible implementation, the first execution flow information is obtained by a trusted module in the service caller.

[0029] In this context, a trusted module is a processing module with privileges higher than the operating system (i.e., the kernel). Specifically, the trusted module in the service caller has higher privileges than the kernel within the service caller. This can also be understood as the trusted module's runtime environment having higher privileges than the kernel's runtime environment. Because the trusted module has higher privileges than the kernel, attackers find it difficult to compromise the trusted module and tamper with its data. Therefore, compared to the traditional method of obtaining the first behavior information from the kernel, the first behavior information obtained by the trusted module is less likely to be stolen or tampered with, improving the accuracy and security of the first behavior information obtained by the service caller.

[0030] In a second aspect, this application provides a service invocation method, which can be executed by a service caller or by a component of the service caller (e.g., a processor, chip, or chip system). For example, the service caller can be a smart cockpit or smart terminal device (e.g., a smartphone, smartwatch, or other smart wearable device). In this method, the service caller obtains first behavior information, which indicates that a user has triggered an action to generate a first control command; the service caller generates the first control command based on the first behavior information, the first control command being used to invoke a first service; the service caller sends the first control command and verification information for the first control command, the verification information including the first behavior information and being used to verify the first control command.

[0031] In this embodiment, the service caller sends the first behavior information along with the first control command as verification information to the service provider. This allows the service provider to determine, based on the first behavior information, that the first control command was triggered by the user's behavior, rather than being forged by an attacker. Therefore, validating the first control command based on the first behavior information improves the security of vehicle body control service calls.

[0032] In one possible implementation, the service caller obtains the first behavior information by having a trusted module within the service caller acquire it. The trusted module is a processing module with higher privileges than the operating system (i.e., the kernel); that is, the trusted module's privileges are higher than the kernel's privileges. This can also be understood as the trusted module's runtime environment having higher privileges than the kernel's runtime environment. Because the trusted module has higher privileges than the kernel, attackers find it difficult to compromise the trusted module and tamper with its data. Therefore, compared to the traditional method of obtaining the first behavior information through the kernel, this approach makes the first behavior information less susceptible to theft or tampering, improving the accuracy and security of the service caller's acquisition of the first behavior information.

[0033] In one possible implementation, the trusted module operates independently of the kernel. When the kernel is attacked, the trusted module remains unaffected. Therefore, even if data in the kernel is tampered with by an attacker, the data in the trusted module remains unaffected and remains accurate and secure.

[0034] In one possible implementation, the trusted module has read and write permissions to the storage module, while the kernel does not have access to the storage module, which is used to store the first behavior information. The storage module includes registers and/or memory. Because the kernel in conventional technology has read and/or write permissions to the storage module, data located in the kernel is easily attacked and tampered with. By configuring the kernel in the service caller of this application to have no access to the storage module, attackers can be prevented from stealing or tampering with the data in the storage module through the kernel. Furthermore, configuring the trusted module in the service caller of this application to have read and write permissions to the storage module ensures the accuracy and security of the first behavior information obtained by the trusted module, since the trusted module's permissions are inherently higher than the kernel's and therefore less vulnerable to attack.

[0035] In one possible implementation, before the service caller sends the first control command and the verification information of the first control command to the service provider, the method further includes: the service caller obtaining the first execution flow information, which is used to indicate the process information for calling the first service.

[0036] Optionally, the first execution flow information is the execution flow of the service call or the hash value of the execution flow of the service call. The execution flow of the service call is a set of instructions or jump instructions executed by the service caller during the generation of control commands based on behavioral information. Therefore, the execution flow of the service call can reflect the integrity of the service call process. If an attacker tampers with the service call process, the execution flow collected by the service caller will definitely contain instructions reflecting the tampering. Therefore, the execution flow of a service call triggered by a user to generate control commands is different from the execution flow of a service call tampered with by an attacker. Therefore, using the execution flow of the service call as verification information for control commands helps the service provider identify whether an attack has occurred, thus improving the security of the service call process.

[0037] In one possible implementation, the service caller obtains the first execution flow information by: a trusted module in the service caller obtaining the first execution flow information.

[0038] In this embodiment, since the first execution flow information is obtained by a trusted module in the service caller, it can be guaranteed that the first execution flow information used as verification information is secure and reliable. Furthermore, since the first execution flow information is information that the service caller will inevitably generate when generating the first control command based on the first behavior information, using the first execution flow information as one of the verification information ensures that the first control command is triggered by the user and not forged by an attacker. Therefore, using the first execution flow information and the first behavior information as verification information for the first control command helps improve the security and reliability of the vehicle body control service.

[0039] In one possible implementation, the verification information of the first control command is signed with the service caller's key; before the service caller sends the first control command and the verification information of the first control command to the service provider, the method further includes: the service caller using the key to sign the verification information of the first control command.

[0040] In this embodiment, a signature processing method is proposed for the verification information of the first control command, which helps to increase the difficulty for attackers to forge the verification information of the first control command, thereby improving the security of the service call process.

[0041] In one possible implementation, the first behavioral information includes a first coordinate, which is the coordinate corresponding to the user's operation; or, the first behavioral information includes first semantic information, which is semantic information generated based on the user's input voice command.

[0042] In this embodiment, the coordinates corresponding to the user's operation are proposed as the first behavior information. Since the aforementioned coordinates are generated only when the user performs an operation on the touchscreen, using these coordinates as the first behavior information can reflect the user's behavior. This helps the service provider determine, based on these coordinates, that the first control command was triggered by the user's behavior, rather than being forged by an attacker, thereby improving the security of vehicle control service calls.

[0043] In one possible implementation, the first behavioral information includes first time information, which is the time when the service caller detects that the user has triggered the action of generating the first control command. For example, if the first behavioral information includes a first coordinate, then the first time information indicates the time when the user clicks the coordinate on the touchscreen. As another example, if the first behavioral information includes first semantic information, then the first time information indicates the time when the service caller detects the voice command.

[0044] In this embodiment, it is proposed to use the first semantic information converted from the user's voice command as the first behavioral information. Since the aforementioned first semantic information is generated only when the user issues a voice command to the microphone, using the aforementioned first semantic information as the first behavioral information can reflect the user's behavior. This is beneficial for the service provider to determine, based on the first semantic information, that the first control command is triggered by the user's behavior, rather than being forged by an attacker, thereby improving the security of vehicle control service calls.

[0045] In one possible implementation, the trusted module includes at least one of the following: a virtual machine monitor, a trusted kernel, or a trusted execution environment (TEE).

[0046] This embodiment provides various specific implementation methods for trusted modules, which helps to improve the diversity of trusted modules in specific implementations.

[0047] It should be noted that the specific implementation methods and beneficial effects of this aspect are similar to some of the implementation methods in the first aspect above. For details, please refer to the specific implementation methods and beneficial effects of the first aspect, which will not be repeated here.

[0048] In a third aspect, this application provides a communication device, which can be a service provider or a component of the service provider (e.g., a processor, chip, or chip system). The communication device includes a transceiver module and a processing module. The transceiver module receives a first control command and verification information of the first control command from a service caller. The first control command is used to invoke a first service, and the verification information of the first control command is used to verify the first control command. The verification information of the first control command includes first behavior information, which indicates the user action that triggered generation of the first control command. The processing module verifies the first control command based on the verification information, and when the verification of the first control command is successful, controls the transceiver module to send the first control command to an execution device, which executes the first control command.

[0049] In one possible implementation, the processing module is specifically configured to determine a second control command corresponding to the first behavior information based on the first behavior information and a first mapping rule, wherein the first mapping rule includes at least one behavior information and a control command corresponding to each behavior information; and, when the first control command is the same as the second control command, to determine that the verification of the first control command is successful.

[0050] In one possible implementation, the verification information of the first control command further includes the first execution flow information, which is used to indicate the process information for calling the first service; the first mapping rule further includes the execution flow information of each service.

[0051] The processing module is specifically configured to, when the first control command is the same as the second control command, determine the second execution flow information corresponding to the second control command based on the second control command and the first mapping rule; and, when the first execution flow information is the same as the second execution flow information, determine that the verification of the first control command has passed.

[0052] Optionally, the first execution flow information is the execution flow that calls the first service or the hash value of the execution flow that calls the first service.

[0053] In one possible implementation, the first behavioral information includes a first coordinate, which is the coordinate corresponding to the user's operation; each behavioral information in the first mapping rule includes at least one coordinate region. The processing module is specifically configured to determine the coordinate region where the first coordinate is located; and, based on the first mapping rule, determine the control command corresponding to the coordinate region where the first coordinate is located as the second control command.

[0054] In one possible implementation, the first behavioral information includes first semantic information, which is semantics generated based on the user's input voice command; each behavioral information in the first mapping rule includes one semantic information. Specifically, the processing module is used to determine, based on the first mapping rule, that the control command corresponding to the first semantic information is the second control command.

[0055] In one possible implementation, the first behavioral information includes first time information, which is the time when the service caller detects that the user has triggered the action of generating the first control command. The processing module is specifically configured to determine that the verification of the first control command fails if the service provider determines that the difference between the time indicated by the first time information and the current time is outside a first threshold range.

[0056] In one possible implementation, the verification information of the first control command is signed by the service caller. The processing module is further configured to verify the signature of the verification information of the first control command; and, if the signature of the verification information of the first control command is successfully verified, to determine the second control command corresponding to the first behavior information based on the first behavior information and the first mapping rule.

[0057] In one possible implementation, the processing module is further configured to determine that the verification of the first control command has failed if the service provider fails to verify the signature of the verification information of the first control command.

[0058] In one possible implementation, the processing module is further configured to determine that the verification of the first control command fails if the first control command is different from the second control command.

[0059] In one possible implementation, the processing module is further configured to determine that the verification of the first control command fails if the first execution flow information is different from the second execution flow information.

[0060] In one possible implementation, the processing module is further configured to, when it is determined that the verification of the first control command fails, control the input / output module to prompt an alarm message to the user, the alarm message indicating that the verification of the first control command fails; or, the processing module is further configured to, when it is determined that the verification of the first control command fails, control the transceiver module to send an alarm message to the service caller, the service caller prompting the user with the alarm message.

[0061] In one possible implementation, the first execution flow information is obtained by a trusted module in the service caller.

[0062] It should be noted that the specific implementation methods and beneficial effects of this aspect are similar to some of the implementation methods in the first aspect above. For details, please refer to the specific implementation methods and beneficial effects of the first aspect, which will not be repeated here.
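The provider-side checks of paragraphs [0049] to [0059], combined into one fail-closed routine. This is an added example, not code from the patent: HMAC-SHA256 stands in for the unspecified signature scheme, and the key, region table, call-chain names, command identifiers and 2-second window are constructed assumptions.

```python
import hashlib
import hmac
import json
import time
from typing import NamedTuple

SHARED_KEY = b"constructed-demo-key"   # assumption: the page only says "a key"
FRESHNESS_WINDOW_S = 2.0               # assumed value for the "first threshold range"


def flow_digest(call_chain):
    """Hash of an execution flow ([0052] allows the flow itself or its hash)."""
    return hashlib.sha256("\n".join(call_chain).encode()).hexdigest()


class Rule(NamedTuple):
    region: tuple      # (x_min, y_min, x_max, y_max) on the touchscreen
    command: str       # control command bound to that region
    flow_hash: str     # expected execution flow for that command


# Constructed call chains and mapping rule (hypothetical names throughout).
DOOR_FLOW = ["ui.on_tap", "door_app.request_open", "ipc.send"]
WINDOW_FLOW = ["ui.on_tap", "window_app.request_open", "ipc.send"]
MAPPING_RULE = [
    Rule((0, 0, 199, 99), "OPEN_DOOR", flow_digest(DOOR_FLOW)),
    Rule((200, 0, 399, 99), "OPEN_WINDOW", flow_digest(WINDOW_FLOW)),
]


def sign(info, key=SHARED_KEY):
    """Caller side: MAC over a canonical encoding of the verification info."""
    blob = json.dumps(info, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()


def lookup(x, y):
    """Return the rule whose coordinate region contains (x, y), if any."""
    for rule in MAPPING_RULE:
        x0, y0, x1, y1 = rule.region
        if x0 <= x <= x1 and y0 <= y <= y1:
            return rule
    return None


def verify_command(command, info, signature, now=None, key=SHARED_KEY):
    """Provider side. Returns (passed, reason); malformed input fails closed."""
    now = time.time() if now is None else now
    try:
        # [0056]-[0057]: the signature is checked before anything is trusted.
        if not hmac.compare_digest(sign(info, key), signature):
            return False, "bad_signature"
        # [0055]: reject behavior information outside the freshness window.
        if abs(now - info["time"]) > FRESHNESS_WINDOW_S:
            return False, "stale"
        # [0053]: coordinate -> region -> second control command.
        x, y = info["coord"]
        rule = lookup(x, y)
        # [0049], [0058]: first and second control commands must be identical.
        if rule is None or rule.command != command:
            return False, "command_mismatch"
        # [0051], [0059]: the reported execution flow must match the rule.
        if not hmac.compare_digest(rule.flow_hash, info["flow_hash"]):
            return False, "flow_mismatch"
    except (KeyError, TypeError, ValueError):
        return False, "malformed"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: a tap inside the "open door" button region.
    info = {"coord": [50, 40], "time": 1000.0, "flow_hash": flow_digest(DOOR_FLOW)}
    sig = sign(info)
    print(verify_command("OPEN_DOOR", info, sig, now=1000.5))
    print(verify_command("OPEN_WINDOW", info, sig, now=1000.5))
```

A captured message still verifies until the freshness window closes, so the window should be no longer than the caller-to-provider latency requires.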

[0063] In a fourth aspect, this application provides a communication device, which can be a service caller or a component of the service caller (e.g., a processor, chip, or chip system). The communication device includes a transceiver module and a processing module. The processing module is used to acquire first behavior information, which indicates that a user has triggered an action to generate a first control command, and to generate the first control command based on the first behavior information; the first control command is used to invoke a first service. The transceiver module is used to send the first control command and verification information of the first control command, the verification information of the first control command including the first behavior information, which is used to verify the first control command.

[0064] In one possible implementation, the processing module includes a trusted module. The trusted module in the communication device acquires the first behavior information, and the trusted module has higher privileges than the kernel in the service caller.

[0065] Optionally, the operating environment of the trusted module is independent of the operating environment of the kernel.

[0066] Optionally, the trusted module has read and write permissions to the storage module, while the kernel does not have access to the storage module, which is used to store the first behavior information.

[0067] In one possible implementation, the processing module is further configured to obtain the first execution flow information, which indicates the process information for calling the first service. Optionally, the first execution flow information is the execution flow of calling the first service or the hash value of the execution flow of calling the first service.

[0068] In one possible implementation, a trusted module in the communication device acquires the first execution flow information.

[0069] In one possible implementation, the verification information of the first control command is signed by the service caller. The processing module is also configured to sign the verification information of the first control command using a key.

[0070] In one possible implementation, the first behavioral information includes a first coordinate, which is the coordinate corresponding to the user's operation; or, the first behavioral information includes first semantic information, which is semantic information generated based on the user's voice input.

[0071] In one possible implementation, the first behavioral information includes first time information, which is the time when the service caller detects that the user has triggered the action of generating the first control command.

[0072] In one possible implementation, the trusted module includes at least one of the following: a virtual machine monitor, a trusted kernel, or a trusted execution environment (TEE).

[0073] It should be noted that the specific implementation methods and beneficial effects of this aspect are similar to some of the implementation methods in the second aspect above. For details, please refer to the specific implementation methods and beneficial effects of the second aspect, which will not be repeated here.

[0074] Fifthly, embodiments of this application provide a communication device, which may be a service provider as described in the foregoing embodiments, or a chip within the service provider. The communication device may include a processing module and a transceiver module. When the communication device is a service provider, the processing module may be a processor, and the transceiver module may be a transceiver; the service provider may also include a storage module, which may be a memory; the storage module is used to store instructions, and the processing module executes the instructions stored in the storage module to cause the service provider to perform the method of the first aspect or any embodiment of the first aspect. When the communication device is a chip within the service provider, the processing module may be a processor, and the transceiver module may be an input / output interface, pin, or circuit, etc.; the processing module executes the instructions stored in the storage module to cause the service provider to perform the method of the first aspect or any embodiment of the first aspect. The storage module may be a storage module within the chip (e.g., a register, cache, etc.), or a storage module located outside the chip within the service provider (e.g., a read-only memory, random access memory, etc.).

[0075] Sixthly, embodiments of this application provide a communication device, which can be a service caller as described in the foregoing embodiments, or a chip within the service caller. The communication device may include a processing module and a transceiver module. When the communication device is a service caller, the processing module may be a processor, and the transceiver module may be a transceiver; the service caller may also include a storage module, which may be a memory; the storage module is used to store instructions, and the processing module executes the instructions stored in the storage module to cause the service caller to perform the method of the second aspect or any embodiment of the second aspect. When the communication device is a chip within the service caller, the processing module may be a processor, and the transceiver module may be an input / output interface, pin, or circuit, etc.; the processing module executes the instructions stored in the storage module to cause the service caller to perform the method of the second aspect or any embodiment of the second aspect. The storage module may be a storage module within the chip (e.g., a register, cache, etc.), or a storage module located outside the chip within the service caller (e.g., a read-only memory, random access memory, etc.).

[0076] In a seventh aspect, this application provides a communication device, which may be an integrated circuit chip. The integrated circuit chip includes a processor. The processor is coupled to a memory for storing programs or instructions that, when executed by the processor, cause the communication device to perform the methods described in any of the embodiments of the foregoing aspects.

[0077] Eighthly, embodiments of this application provide a computer program product containing instructions that, when run on a computer, cause the computer to perform the methods described in any of the foregoing embodiments.

[0078] Ninthly, embodiments of this application provide a computer-readable storage medium including instructions that, when executed on a computer, cause the computer to perform the methods described in any of the preceding embodiments.

[0079] In a tenth aspect, embodiments of this application provide a service invocation system, which includes a service provider that performs the first aspect and any of the embodiments of the first aspect; or, the service invocation system includes a service invoker that performs the second aspect and any of the embodiments of the second aspect.

[0080] In an eleventh aspect, embodiments of this application provide a vehicle that includes a service provider performing the first aspect and any of the embodiments of the first aspect; or, the vehicle includes a service caller performing the second aspect and any of the embodiments of the second aspect.

Description of the Drawings

[0081] To more clearly illustrate the technical solutions of the embodiments of this application, the accompanying drawings used in the description of the embodiments will be briefly introduced below. Obviously, the accompanying drawings described below are only some embodiments of this application.

[0082]
Figure 1A: A system architecture diagram applicable to the service invocation method proposed in this application.
Figure 1B: A system architecture diagram applicable to the service invocation method proposed in this application.
Figure 1C: An example diagram of a processor architecture to which the service invocation method of this application is applicable.
Figure 1D: Another example diagram of the processor architecture to which the service invocation method of this application applies.
Figure 2: A flowchart of the service invocation method in this application.
Figure 3: Another flowchart of the service invocation method in this application.
Figure 4: A schematic diagram of one embodiment of the communication device in this application.

Detailed Description of the Embodiments

[0083] The technical solutions in the embodiments of this application will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of this application, and not all embodiments.

[0084] The terms “first,” “second,” “third,” “fourth,” etc. (if present) in the specification, claims, and accompanying drawings of this application are used to distinguish similar objects and are not necessarily used to describe a specific order or sequence. It should be understood that such terms are interchangeable where appropriate so that the embodiments described herein can be implemented in orders other than those illustrated or described herein. Furthermore, the terms “comprising” and “having,” and any variations thereof, are intended to cover a non-exclusive inclusion; for example, a process, method, system, product, or apparatus that comprises a series of steps or units is not necessarily limited to those steps or units explicitly listed, but may include other steps or units not explicitly listed or inherent to such processes, methods, products, or apparatus.

[0085] It should be understood that the term "and / or" in this article is merely a description of the relationship between related objects, indicating that three relationships can exist. For example, A and / or B can represent: A existing alone, A and B existing simultaneously, or B existing alone. Additionally, the character " / " in this article generally indicates that the preceding and following related objects have an "or" relationship.

[0086] To facilitate understanding, the following section will first introduce the system architecture and application scenarios to which the service invocation method of this application is applicable: The service invocation method provided in this application is mainly applied to scenarios where users trigger the generation of control commands to invoke services in the vehicle. For example, users input control commands through the vehicle's software or hardware to invoke the service corresponding to those control commands.

[0087] As shown in Figure 1A and Figure 1B, the system to which the service invocation method provided in this application is applicable mainly includes the service invoker, the service provider, and the execution device.

[0088] In this system, the service caller is a device or functional module that generates a control command in response to a user's instruction to invoke the service corresponding to that control command. The service provider is a device or functional module within the vehicle that provides services based on the control command. Furthermore, the execution device executes the control command to implement the service corresponding to that control command. The aforementioned services can be vehicle control services such as opening and closing doors, windows, windshield wipers, and adjusting seats; over-the-air (OTA) technology, typically referring to upgrades and diagnostics; or other vehicle services; this application does not limit the scope of these services.

[0089] For example, consider a vehicle body control service. This service could be a door and window control service, a wiper control service, a seat control service, or a headlight control service, etc. If a user wants to open a window, the user can trigger a control command to open the window through the service caller. Upon receiving the control command, the service provider will verify its validity. If the service provider determines that the control command is valid, it will send the command to the corresponding execution device.

[0090] For example, the service caller can be a smart cockpit or smart terminal device (e.g., a smartphone, smartwatch, or other smart wearable device). The service provider can be a vehicle control domain (also known as vehicle domain control, VDC), a telematics box (T-Box) in the vehicle, or a combination of a T-Box and a vehicle control domain. The execution device can be a motor or controller that drives the vehicle body hardware. For example, if the control command is to open a window, the execution device is a window-related control motor, which is activated to open the window. It should be noted that in this application, when the service caller is a smart cockpit, the service provider is a vehicle control domain. For example, in the example shown in Figure 1A, a user can trigger the generation of a control command by clicking a button on the touchscreen of the smart cockpit. Upon receiving the control command, the vehicle control domain verifies its validity to decide whether to send it to the corresponding execution device. When the service caller is a terminal device, the service provider includes the T-Box and / or the vehicle control domain. For example, in the example shown in Figure 1B, the user triggers the generation of a control command via a smart terminal. After receiving the control command, the T-Box can either verify its validity or pass it through to the vehicle control domain for validity verification.

[0091] Furthermore, the service caller's processing architecture includes a kernel and trusted modules. The trusted modules have higher privileges than the kernel, making them less vulnerable to attack. For ease of understanding, examples from two common processor architectures are provided below. Figure 1C shows an example of a processor architecture to which the service invocation method of this application is applicable. This example is an Advanced Reduced Instruction Set Machine (ARM) architecture. In this architecture, the service caller includes multiple exception levels (EL), with exception level 0 (EL0), exception level 1 (EL1), and exception level 2 (EL2) progressively increasing in privilege, i.e., the software execution privileges increase accordingly. EL0 is referred to as unprivileged execution and is used to run vehicle control applications; EL1 is used to run the operating system (i.e., the kernel); EL2 provides support for virtualization and is used to run a hypervisor. Optionally, EL1 is also used for a trusted kernel. Furthermore, the ARM architecture based on hardware isolation technology can also run a trusted execution environment (TEE). In the architecture shown in Figure 1C, any one of the hypervisor, the trusted kernel, and the trusted execution environment can be used as a trusted module to execute the service invocation methods described later.

[0092] Figure 1D shows an example of another processor architecture to which the service invocation method of this application is applicable: the x86_64 architecture. In this architecture, the service invoker includes multiple privilege levels (Rings). Privileges gradually decrease from privilege level 0 (Ring0) to privilege level 3 (Ring3), meaning the software's execution privileges decrease accordingly. Ring3 has the lowest privileges and is used to run vehicle control applications; Ring0 has higher privileges than Ring3 and is typically used to run the operating system (i.e., the kernel). Furthermore, virtual-machine extensions root mode (VMX root mode, also known as privileged mode under hardware virtualization technology) has higher privileges than virtual-machine extensions non-root mode (VMX non-root mode, also known as non-privileged mode under hardware virtualization technology), and is used to run virtual-machine monitors (VMMs). The virtual-machine monitors control the execution of virtual machines by configuring virtual-machine control data structures (VMCSs). In the architecture shown in Figure 1D, both the virtual-machine monitor (VMM) and the virtual-machine control structure (VMCS) can act as trusted modules to execute the service invocation methods described later.

[0093] In this system, traditional technology uses the service provider to validate control commands based on the ID sent by the service caller. However, when the service caller is compromised, the service ID can be easily obtained or forged. Therefore, relying solely on the service ID to validate control commands is insufficient to guarantee the security of service calls within the vehicle.

[0094] To address this issue, this application provides a service invocation method, primarily applicable to software-based vehicle body control scenarios. This method verifies received control commands based on user behavior, enabling the identification of control commands forged by attackers, thereby improving the security of vehicle body control service invocation.

[0095] The main flow of one embodiment of the service invocation method of this application is described below with reference to Figure 2. In this method, the service invoker and the service provider mainly perform the following steps:

Step 201: The service caller obtains the first behavior information.

[0096] The first behavior information indicates that the user has triggered an action to generate a first control command. This first control command is used to invoke a first service. For example, if the first control command is a vehicle body control command, then the first service is a vehicle body control service. For instance, if the first control command is a door opening command, then the first service is a door opening service; if the first control command is a window opening command, then the first service is a window opening service; if the first control command is a windshield wiper activation command, then the first service is a windshield wiper activation service. This first behavior information can also be understood as the user's action, detected by the service caller, that triggers the generation of the first control command and the invocation of the first service.

[0097] Specifically, depending on the input / output hardware the user uses to input commands, the specific implementation of the first behavior information detected by the service caller differs as well.

[0098] In one possible implementation, if a user inputs a command via a touchscreen, the first behavior information includes a first coordinate, which is the coordinate corresponding to the user's operation. Optionally, the first behavior information also includes first time information, which indicates the time when the coordinate was generated based on the user's operation.

[0099] It should be noted that the first coordinate can be the coordinate corresponding to a user's click, swipe, or other operation on the touchscreen (e.g., a vehicle's central control screen). Specifically, the first coordinate can be the coordinate value of a single click location on the touchscreen. For example, a user clicking only one button on the touchscreen can trigger the generation of the first control command. Furthermore, the first coordinate can also be the coordinate values of several click locations on the touchscreen. For example, a user continuously clicking several buttons on the touchscreen is required to trigger the generation of the first control command. Additionally, the first coordinate can be a continuous range of coordinates. For example, a user continuously swiping on the touchscreen to perform a specific swiping gesture (e.g., swiping left or right on the touchscreen) can trigger the generation of the first control command. In practical applications, other user actions can also cause the service caller to detect one or more coordinates.

[0100] In another possible implementation, if a user inputs a voice command via a microphone, the first behavioral information includes first semantic information, which is semantics generated based on the user's input voice command. Optionally, the first behavioral information also includes first temporal information, which indicates the time when the service caller detects the voice command.

[0101] In practical applications, the actions that generate the first behavioral information can include not only clicking the smart cockpit's touchscreen and uttering voice commands, but also other actions that enable human-computer interaction. For example, detecting specific gestures made by the user through sensors; this is not limited here. In subsequent embodiments, a detailed description will be provided using the example of the first behavioral information including first coordinates and first time.

[0102] Optionally, a trusted module in the service caller obtains the first behavior information. Specifically, the user generates an electrical signal through hardware (e.g., input / output hardware) in the service caller, and the signal is transmitted to the trusted module, which then timestamps the electrical signal to obtain the first behavior information.

[0103] In this context, a trusted module is a processing module with privileges higher than the operating system (i.e., the kernel). Specifically, the trusted module in the service caller has higher privileges than the kernel within the service caller. This can also be understood as the trusted module's runtime environment having higher privileges than the kernel's runtime environment. Because the trusted module has higher privileges than the kernel, attackers find it difficult to compromise the trusted module and tamper with its data. Therefore, compared to the traditional method in which the kernel obtains the first behavior information, first behavior information obtained by the trusted module is less likely to be stolen or tampered with, improving the accuracy and security of the first behavior information obtained by the service caller.

[0104] It should be noted that the specific implementation of the trusted module differs across processor architectures. For example, in the ARM architecture shown in Figure 1C, the trusted module can be implemented by any one of the trusted kernel, the hypervisor, and the trusted execution environment (TEE). For example, in the x86_64 architecture shown in Figure 1D, the trusted module can be a virtual machine monitor (VMM) or a virtual-machine control structure (VMCS).

[0105] Optionally, the trusted module's operating environment is independent of the kernel's operating environment. When the kernel is attacked, the trusted module will not be affected. Therefore, even if the data in the kernel is tampered with by an attacker, the data in the trusted module will not be affected, and the data in the trusted module will remain accurate and secure.

[0106] Optionally, the trusted module has read and write permissions to the storage module, while the kernel does not have access to the storage module, which is used to store the first behavior information. The storage module includes registers and / or memory. Because the kernel in conventional technologies has read and / or write permissions to the storage module, data located in the kernel is easily attacked and tampered with. By configuring the kernel in the service caller of this application to have no access to the storage module, attackers can be prevented from stealing or tampering with the data in the storage module through the kernel. Furthermore, configuring the trusted module in the service caller of this application to have read and write permissions to the storage module ensures the accuracy and security of the first behavior information obtained by the trusted module, since the trusted module's permissions are inherently higher than the kernel's and therefore less vulnerable to attack.

[0107] It should be noted that different users use different input / output hardware, resulting in different electrical signals transmitted to the trusted module. These are described separately below. In one possible implementation, if a user inputs a command via a touchscreen, the first behavior information includes first coordinates and a first time. For example, when a user taps the touchscreen on the smart cockpit, the touchscreen's register digitizes the detected electrical signal and then transmits the signal to the trusted module.

[0108] For ease of understanding, take the processor architecture shown in Figure 1C as an example. If the trusted module is a virtual machine monitor (hypervisor), after the touchscreen detects the user's click operation and records the coordinates of the click in the storage module, the hypervisor can obtain the coordinates of the user's click from the storage module; that is, the trusted module obtains the first coordinates. As the trusted module, the hypervisor adds a timestamp after obtaining the first coordinates, obtaining the first behavior information containing the first coordinates and the first time. It should be noted that the process by which the other trusted modules (e.g., trusted kernel, TEE, or VMM) in the examples of Figure 1C and Figure 1D obtain the first behavior information is similar to that of the hypervisor, and will not be described in detail here.

[0109] In another possible implementation, if the user inputs a voice command via a microphone, the first behavioral information includes first semantic information and a first time. For example, when the user issues a voice command, the microphone converts the detected analog signal into an electrical signal, which is then transmitted to the semantic recognition module to identify the semantic information, and then the semantic information is transmitted to the trusted module.

[0110] For ease of understanding, again take the processor architecture shown in Figure 1C as an example. If the trusted module is a hypervisor, after the microphone detects the user's voice command and the voice command is converted into semantic information and recorded in the storage module, the hypervisor can obtain this semantic information from the storage module, meaning the trusted module obtains the first semantic information. As the trusted module, the hypervisor timestamps the first semantic information after obtaining it, obtaining first behavior information containing both the first semantic information and the first time.

[0111] Step 202: The service caller generates a first control command based on the first behavior information.

[0112] Specifically, taking first behavior information that includes the first coordinates and the first time as an example, the service caller determines the area of the touchscreen interface in which the first coordinates are located, and then generates the first control command based on that area. Optionally, the kernel in the service caller can generate the first control command based on the first behavior information.

[0113] For example, if the first coordinate corresponds to the button "open the door" on the touch screen, the service caller generates a control command for opening the door based on the first coordinate, so that the control command for opening the door can invoke the door opening service after being sent to the service provider.

[0114] It should be noted that the specific implementation of the first control command may be a string of command code or a command identifier. This application does not limit the specific implementation of the control command.

[0115] Step 203: The service caller signs the verification information of the first control command.

[0116] In this embodiment, step 203 is optional. If the service caller executes step 203, the service provider will execute step 205 after receiving the verification information of the first control command. If the service caller does not execute step 203, the service provider will not execute step 205 after receiving the verification information of the first control command, but will instead execute step 206.

[0117] The verification information of the first control command is used by the service provider to verify the first control command. The verification information of the first control command includes the first behavior information, that is, the first behavior information obtained by the service caller in step 201.

[0118] Optionally, the trusted module in the service caller uses a key to sign the verification information (i.e., the first behavior information) of the first control command. For example, after obtaining the first behavior information, the trusted module in the service caller uses the aforementioned key to sign it.

[0119] For ease of understanding, take the processor architecture shown in Figure 1C as an example. If the trusted module is implemented by two modules (e.g., a virtual machine monitor and a TEE), after the virtual machine monitor obtains the first behavior information, it transmits the first behavior information to the TEE. Then, the TEE performs signature processing on the first behavior information and returns the signed first behavior information to the virtual machine monitor. Alternatively, after obtaining the first behavior information, the virtual machine monitor stores it in trusted memory. Then, the TEE retrieves the first behavior information from the trusted memory of the virtual machine monitor, performs signature processing on it, and writes the signed first behavior information into the trusted memory of the virtual machine monitor. If the trusted module is implemented by one module (e.g., a virtual machine monitor), after the virtual machine monitor obtains the first behavior information, it performs signature processing on it to obtain the signed first behavior information. This application does not limit which specific trusted module implements the signature processing function.

[0120] In this embodiment, since the first action information is obtained by a trusted module with high privileges, attackers cannot easily compromise the trusted module and tamper with the information within it. Therefore, the first action information is secure and reliable, and using it as the verification information for the first control command is also secure and reliable. Compared to the traditional method of using the application identifier of the vehicle control service as verification information, the first action information obtained by the trusted module is less susceptible to tampering and forgery. Therefore, the method of using the first action information as the verification information for the first control command is more reliable and secure.

[0121] Furthermore, this embodiment proposes to use a key to sign the verification information of the first control command, which helps to further prevent attackers from forging the verification information of the first control command and improves the reliability and security of the verification information of the first control command.

[0122] Step 204: The service caller sends a first control command and verification information of the first control command to the service provider; correspondingly, the service provider receives the first control command and verification information of the first control command from the service caller.

[0123] Optionally, the verification information of the first control command is signed with the key of the service caller, meaning the verification information of the first control command has undergone signature processing by the service caller. The verification information of the first control command includes the first behavior information.

[0124] Step 205: The service provider verifies the signature of the verification information of the first control command.

[0125] In this embodiment, step 205 is optional. If the service caller executes step 203, the service provider will execute step 205 after receiving the verification information of the first control command. If the service caller does not execute step 203, the service provider will not execute step 205 after receiving the verification information of the first control command, but will instead execute step 206.

[0126] Specifically, the service provider uses a key to verify the signature of the verification information of the first control command. This key can be either a symmetric key or an asymmetric key; no limitation is made here. For example, if the service caller uses its private key to sign the verification information of the first control command, the service provider needs to use the service caller's public key to verify the verification information of the first control command. As another example, if the service caller uses a symmetric key to sign the verification information of the first control command, the service provider needs to use that symmetric key to verify the verification information of the first control command.

[0127] It should also be noted that the service provider can determine whether all received control commands have been signed based on the information pre-configured by the operations and maintenance personnel. For example, if the operations and maintenance personnel configure signature verification-related steps for both the service caller and the service provider—that is, if the operations and maintenance personnel configure the service caller to perform step 203 and the service provider to perform step 205—then the service provider will verify each received control command (e.g., the first control command) to determine whether the received control command (e.g., the first control command) is a legally signed control command.

[0128] Taking the first control command as an example, if the service provider verifies the signature of the verification information of the first control command using the public key of the service caller and it passes, it means that the signature on the first control command comes from the service caller, that is, the first control command is a command with a valid signature, and the service provider executes step 206; if the service provider verifies the signature of the verification information of the first control command using the public key of the service caller and it fails, it means that the signature on the first control command does not come from the service caller, that is, the first control command may be forged by an attacker, and the service provider executes step 208b.

[0129] Optionally, if the first action information includes first time information, the service provider needs to determine whether the first control command has been subjected to a replay attack based on the first time information before executing step 206. Specifically, the service provider can determine whether the difference between the time indicated by the first time information and the current time is outside a first threshold range. If the difference between the time indicated by the first time information and the current time is within the first threshold range, it indicates that the verification information of the first control command was not intercepted and retransmitted by an attacker, and the service provider triggers the execution of step 206; if the difference between the time indicated by the first time information and the current time is outside the first threshold range, it indicates that the verification information of the first control command may have been intercepted and retransmitted by an attacker, and the service provider stops triggering the execution of step 206 and triggers the execution of step 208b.

[0130] Step 206: The service provider determines the second control command corresponding to the first behavior information based on the first behavior information and the first mapping rule.

[0131] The first mapping rule is a pre-configured mapping rule in the service provider for verifying authentication information of the first control command. This first mapping rule includes at least one type of behavioral information and a corresponding control command for each type of behavioral information. The service provider searches for the first behavioral information from the at least one type of behavioral information in the first mapping rule, and then determines that the control command corresponding to the first behavioral information is the second control command.

[0132] It should be noted that when the first behavior information is implemented differently, the behavior information included in the first mapping rule is also different. Each case is introduced below. In one possible implementation, the first behavior information includes a first coordinate and a first time; each piece of behavior information in at least one piece of behavior information in the first mapping rule includes at least one coordinate region. Specifically, the service provider first determines the coordinate region where the first coordinate is located, and then, based on the first mapping rule, the service provider determines that the control command corresponding to the coordinate region where the first coordinate is located is the second control command.

[0133] Exemplarily, if the behavior information includes a coordinate region, the first mapping rule may be as shown in Table 1-1 below: Table 1-1

[0134] In the example shown in Table 1-1, X represents the abscissa and Y represents the ordinate. The coordinate region determined by the value ranges of X and Y corresponds to a certain button on the touch screen. For example, the button corresponding to the coordinate region determined by a0 < X < b0 and c0 < Y < d0 is the "door opening button", so the control command corresponding to this coordinate region is the "door opening command". Another example, the button corresponding to the coordinate region determined by a1 < X < b1 and c1 < Y < d1 is the "window opening button", so the control command corresponding to this coordinate region is the "window opening command".

[0135] Exemplarily, if the first coordinate is X = a3 and Y = b3, and a0 < a3 < b0 and c0 < b3 < d0, then the service provider determines, based on the first coordinate and the first mapping rule, that the second control command corresponding to the first behavior information is the "door opening command".

[0136] In another possible implementation, the first behavior information includes first semantic information and a first time; each piece of behavior information in at least one piece of behavior information in the first mapping rule includes one semantic information. Specifically, the service provider determines, based on the first mapping rule, that the control command corresponding to the first semantic information is the second control command.

[0137] Exemplarily, if the behavior information includes semantic information, the first mapping rule may be as shown in Table 1-2 below: Table 1-2

[0138] In the example shown in Table 1-2, if the semantic information included in the first behavior information received by the service provider is "door opening", then the service provider determines, based on the semantic information and the first mapping rule, that the second control command corresponding to the first behavior information is the "door opening command".

[0139] It should be noted that the specific implementation of the control command in the first mapping rule (e.g., Table 1-1 or Table 1-2) may be a string of command codes or a command identifier. This application does not limit the specific implementation of the control command.

[0140] Step 207: The service provider determines whether the first control command and the second control command are the same.

[0141] If the first control command is the same as the second control command, it means that the first control command is a legitimate command initiated by the user, and the service provider executes step 208a; if the first control command is different from the second control command, it means that the first control command is not a legitimate command initiated by the user, and the service provider executes step 208b.

[0142] Step 208a: The service provider sends a first control command to the execution device.

[0143] When the first control command is the same as the second control command, the service provider determines that the first control command has been verified, that is, the first control command is a legitimate command initiated by the user. Then the service provider sends the first control command to the execution device so that the execution device executes the first control command.

[0144] Step 208b: The service provider determines that the first control command verification failed.

[0145] When the first control command and the second control command are different, the service provider determines that the first control command failed verification, meaning that the first control command is not a legitimate command initiated by the user. In this case, the service provider will not send the aforementioned first control command to the executing device. Optionally, the service provider will also trigger an alarm process. Specifically, the service provider will execute either step 210a or step 210b.

[0146] Step 209: The execution device executes the first control command.

[0147] After receiving a first control command from the service provider, the executing device will execute the first control command to invoke the first service. For example, if the first control command is a door opening command, the executing device is a door-related controller or drive device that controls the door to open. As another example, if the first control command is a window opening command, the executing device is a window-related controller or drive device that controls the window to open.

[0148] Step 210a: The service provider sends an alarm message to the user.

[0149] Step 210a is an optional step.

[0150] This alarm message indicates that the verification of the first control command failed. Alternatively, it can be understood as indicating that the verification of the first control command is invalid.

[0151] Optionally, the service provider can control the communication of the vehicle's input/output devices, thereby enabling it to display alarm information to the user through these devices. For example, if the service provider can control the vehicle's speakers, it can control the speakers to broadcast alarm information to the user via voice. As another example, if the service provider can control the vehicle's central control display screen, it can control the screen to display alarm information to the user in the form of text and/or images. This application does not limit the input/output devices that the service provider can communicate with or control, and they will not be listed here.

[0152] Step 210b: The service provider sends an alarm message to the service caller; correspondingly, the service caller receives the alarm message from the service provider, and then the service caller prompts the user with the alarm message.

[0153] Step 210b is an optional step.

[0154] Once the service caller receives the aforementioned alarm information, it will notify the user of the alarm information.

[0155] In one possible example, the service caller is a device located in the vehicle, such as the smart cockpit; the service provider is the vehicle control domain. The vehicle control domain sends alarm information to the smart cockpit, which then displays the alarm information to the user through connected input/output devices. For example, the smart cockpit can control the speaker to broadcast the alarm information to the user via voice. Alternatively, the smart cockpit can control the central control display to show the alarm information to the user in text and/or image format. Another example is that the smart cockpit can control the head-up display (HUD) to show the alarm information to the user in text and/or image format. In practical applications, the smart cockpit can also communicate with other input/output devices, which will not be listed here.

[0156] In another possible example, the service caller is a device capable of communicating with the vehicle. For example, the service caller is a smart terminal device (e.g., a smartphone, smartwatch, or other wearable device). The service provider is the vehicle control domain, or a combination of the vehicle's communication box (T-Box) and the vehicle control domain. In this example, the smart terminal device can receive alarm information from the vehicle control domain via the vehicle's communication box (T-Box), and then the terminal device can announce the alarm information via voice or display the alarm information to the user in the form of text and/or images.

[0157] In this embodiment, the service caller delegates the permission to obtain the first action information from a lower-privilege kernel (e.g., the kernel in privilege level 1 (EL1)) to a higher-privilege trusted module (e.g., the virtual machine monitor in privilege level 2 (EL2)). Since data in a higher-privilege trusted module is less susceptible to tampering than data in a lower-privilege kernel, obtaining the first action information through a trusted module, rather than through the kernel, helps prevent the first action information obtained by the service caller from being tampered with or forged. This, in turn, helps ensure the security of the verification information for the first control command sent to the service provider.

[0158] Furthermore, the verification information received by the service provider for verifying the first control command includes first behavior information. Based on this first behavior information, the service provider can determine whether the first control command was triggered by a user's action. Only when the service provider determines that the first control command is identical to a second control command determined based on the first behavior information, and confirms that the first control command was triggered by the user and has not been tampered with, will the service provider send the first control command to the execution device. Therefore, this improves the security of vehicle body control service invocation.

[0159] The main flow of another embodiment in this application is described below with reference to Figure 3. In this method, the service caller and the service provider mainly perform the following steps: Step 301: The service caller obtains the first behavior information.

[0160] Optionally, a trusted module in the service caller obtains the first behavior information.

[0161] Step 302: The service caller generates a first control command based on the first action information.

[0162] Steps 301 and 302 are similar to steps 201 and 202 above. Please refer to the relevant descriptions in steps 201 and 202 above for details. They will not be repeated here.

[0163] Step 303: The service caller obtains the first execution flow information.

[0164] The execution flow (also known as the control flow) is the set of instructions executed by the service caller during the generation of control commands based on behavioral information. Therefore, the execution flow of a service call reflects the integrity of the service call process. If an attacker tampers with the service call process, the execution flow collected by the service caller will definitely contain instructions reflecting the tampering. Therefore, the execution flow of a service call triggered by a user to generate control commands is different from the execution flow of a service call tampered with by an attacker. Thus, using the execution flow of a service call as verification information for control commands helps service providers identify whether they have been attacked, thereby improving the security of the service call process.

[0165] The aforementioned first execution flow information is used to indicate the process information of calling the first service. For example, the first execution flow information is information generated by the service caller during the process of generating the first control command based on the first action information. Therefore, the first execution flow information can indicate the integrity of the first service call process. Optionally, the aforementioned first execution flow information is the execution flow of calling the first service or the hash value of the execution flow of calling the first service. For example, when generating the first control command, the service caller directly determines the obtained execution flow of calling the first service as the verification information of the first control command. Another example is that after generating the first control command and collecting the execution flow of calling the first service, the service caller uses a hash algorithm to perform hash calculation on the execution flow of calling the first service to obtain the hash value of the execution flow of calling the first service, and uses the hash value of the execution flow of calling the first service as the verification information of the first control command.

[0166] Optionally, a trusted module in the service caller obtains the first execution flow information. Optionally, the trusted module in the service caller can collect the execution flow based on hardware, for example hardware modules on the ARM architecture (e.g., on-chip debugging modules such as CoreSight), processor trace (PT) modules on the Intel architecture, a performance monitoring unit (PMU), and so on, or it can collect the execution flow through software instrumentation. The specific method is not limited here.

[0167] In one possible example, the kernel in the service caller generates a first control command based on the first behavior information. Simultaneously, a trusted module in the service caller collects the execution flow of the first service generated by the kernel during the generation of the first control command. The trusted module then uses the first behavior information and the execution flow of the first service as verification information for the first control command.

[0168] In another possible example, when the kernel in the service caller generates the first control command based on the first behavior information, a trusted module in the service caller collects the execution flow of the first service generated by the kernel when generating the first control command. Then, the trusted module in the service caller calculates the hash value of the execution flow of the first service. Finally, the trusted module in the service caller determines the first behavior information and the hash value of the execution flow of the first service as the verification information for the first control command.

[0169] In this step, since the first execution flow information is obtained by a trusted module in the service caller, it can be guaranteed that the first execution flow information used as verification information is secure and reliable. Furthermore, since the first execution flow information is information that the service caller will inevitably generate when generating the first control command based on the first behavior information, using the first execution flow information as one of the verification information ensures that the first control command is triggered by the user and not forged by an attacker. Therefore, using the first execution flow information and the first behavior information as verification information for the first control command helps improve the security and reliability of the vehicle body control service.

[0170] Step 304: The service caller signs the verification information of the first control command.

[0171] In this embodiment, step 304 is optional. If the service caller executes step 304, the service provider will execute step 306 after receiving the verification information of the first control command. If the service caller does not execute step 304, the service provider will not execute step 306 after receiving the verification information of the first control command, but will instead execute step 307.

[0172] The verification information of the first control command is used to verify the first control command. The verification information of the first control command includes the first action information (i.e., the first action information obtained by the service caller in step 301) and the first execution flow information (i.e., the first execution flow information obtained by the service caller in step 303).

[0173] Specifically, after obtaining the first action information and the first execution flow information, the trusted module in the service caller uses the key to sign the verification information of the first control command (i.e., the first action information and the first execution flow information).

[0174] For ease of understanding, take the processor architecture shown in Figure 1C as an example. If the trusted module is implemented by two modules (e.g., a virtual machine monitor and a TEE), after the virtual machine monitor obtains the first action information and the first execution flow information, it transmits them together to the TEE. Then, the TEE signs the first action information and the first execution flow information together, and then the TEE returns the verification information of the first control command after signing to the virtual machine monitor. Alternatively, after obtaining the first action information and the first execution flow information, the virtual machine monitor stores them in trusted memory. Then, the TEE retrieves the first action information and the first execution flow information from the trusted memory of the virtual machine monitor, signs the first action information and the first execution flow information, and writes the signed first action information and the first execution flow information into the trusted memory of the virtual machine monitor. If the trusted module is implemented by one module (e.g., a virtual machine monitor), after the virtual machine monitor obtains the first action information and the first execution flow information, it signs the first action information and the first execution flow information together to obtain the verification information of the first control command after signing. This application does not specify which trusted module should implement the signature processing function.

[0175] In this embodiment, it is proposed to use a key to sign the verification information of the first control command, which helps to further prevent attackers from forging the verification information of the first control command and improves the reliability and security of the verification information of the first control command.

[0176] Step 305: The service caller sends a first control command and verification information of the first control command to the service provider; correspondingly, the service provider receives the first control command and verification information of the first control command from the service caller.

[0177] Optionally, the verification information of the first control command includes a key signature of the service caller. The verification information of the first control command includes first action information and first execution flow information.

[0178] Step 306: The service provider verifies the signature of the verification information of the first control command.

[0179] In this embodiment, step 306 is optional. If the service caller executes step 304, the service provider will execute step 306 after receiving the verification information of the first control command. If the service caller does not execute step 304, the service provider will not execute step 306 after receiving the verification information of the first control command, but will instead execute step 307.

[0180] Specifically, the service provider uses a key to verify the signature of the verification information of the first control command. This key can be either a symmetric key or an asymmetric key; no specific limitation is made here. Please refer to the relevant description in step 205 above; it will not be repeated here.

[0181] Taking the first control command as an example, if the service provider verifies the signature of the verification information of the first control command using the public key of the service caller and it passes, it means that the signature on the first control command comes from the service caller, that is, the first control command is a command with a valid signature, and the service provider executes step 307; if the service provider verifies the signature of the verification information of the first control command using the public key of the service caller and it fails, it means that the signature on the first control command does not come from the service caller, that is, the first control command may be forged by an attacker, and the service provider executes step 311b.

[0182] Optionally, if the first action information includes first time information, the service provider needs to determine whether the first control command has been subjected to a replay attack based on the first time information before executing step 307. Specifically, the service provider can determine whether the difference between the time indicated by the first time information and the current time is outside a first threshold range. If the difference between the time indicated by the first time information and the current time is within the first threshold range, it indicates that the verification information of the first control command was not intercepted and retransmitted by an attacker, and the service provider triggers the execution of step 307; if the difference between the time indicated by the first time information and the current time is outside the first threshold range, it indicates that the verification information of the first control command may have been intercepted and retransmitted by an attacker, and the service provider stops triggering the execution of step 307 and triggers the execution of step 311b.

[0183] Step 307: The service provider determines the second control command corresponding to the first behavior information based on the first behavior information and the first mapping rule.

[0184] The first mapping rule includes at least one type of behavioral information and a control command corresponding to each type of behavioral information.

[0185] Specifically, step 307 is similar to step 206 above. Please refer to the relevant description in step 206 above for details, which will not be repeated here.

[0186] Step 308: The service provider determines whether the first control command and the second control command are the same.

[0187] If the first control command is the same as the second control command, the service provider executes step 309; if the first control command is different from the second control command, it means that the first control command is not a legitimate command initiated by the user, and the service provider executes step 311b.

[0188] Step 309: The service provider determines the second execution flow information corresponding to the second control command based on the second control command and the first mapping rule.

[0189] In this embodiment, the first mapping rule includes not only at least one type of behavioral information and a control command corresponding to each type of behavioral information, but also execution flow information of the service corresponding to each control command. The service provider can not only find the second control command corresponding to the first behavioral information from the first mapping rule, but also find the second execution flow information corresponding to the second control command based on the second control command.

[0190] It should be noted that the behavioral information contained in the first mapping rule will differ depending on the implementation method of the first behavioral information. These will be described separately below: In one possible implementation, the first behavioral information includes a first coordinate and a first time; each of the at least one behavioral information in the first mapping rule includes at least one coordinate region.

[0191] For example, if the behavioral information includes a coordinate region, then the first mapping rule can be as shown in Table 2-1 below: Table 2-1

[0192] Specifically, the service provider first determines the coordinate region where the first coordinate is located. Then, based on the first mapping rule, the service provider determines the control command corresponding to the coordinate region where the first coordinate is located as the second control command. Finally, the service provider determines the second control command based on the first mapping rule.

[0193] In another possible implementation, the first behavioral information includes first semantic information and first time; each of the at least one behavioral information in the first mapping rule includes one piece of semantic information.

[0194] For example, if the behavioral information includes semantic information, then the first mapping rule can be as shown in Table 2-2 below: Table 2-2

[0195] Specifically, the service provider determines the control command corresponding to the first semantic information as the second control command based on the first mapping rule, and then determines the second control command based on the first mapping rule.

[0196] Step 310: Determine whether the first execution flow information and the second execution flow information are the same.

[0197] If the first execution flow information is the same as the second execution flow information, the service provider executes step 311a; if the first execution flow information is different from the second execution flow information, it indicates that the first control command is not a legitimate command initiated by the user, and the service provider executes step 311b.

[0198] Step 311a: The service provider sends the first control command to the execution device.

[0199] Step 311b: The service provider determines that the verification of the first control command failed.

[0200] Step 312: The execution device executes the first control command.

[0201] Step 313a: The service provider sends an alarm message to the user.

[0202] Step 313b: The service provider sends an alarm message to the service caller so that the service caller can notify the user of the alarm message.

[0203] In this embodiment, steps 311a, 311b, 312, 313a, and 313b are similar to steps 208a, 208b, 209, 210a, and 210b in the embodiment corresponding to Figure 2; please refer to the relevant descriptions of each step in the embodiment corresponding to Figure 2, which will not be repeated here.

[0204] In this embodiment, the service caller can generate a first control command based on the first action information and obtain the first execution flow information generated during the generation of the first control command. Then, the first action information and the first execution flow information are sent to the service provider as verification information for the first control command, so that the service provider can verify the first control command based on the first action information and the first execution flow information. Therefore, this helps to improve the security of vehicle body control service calls.

[0205] Furthermore, the verification information received by the service provider for verifying the first control command includes first action information and first execution flow information. Based on the first mapping rule and the first action information, the service provider determines the second execution flow information corresponding to the first action information in the first mapping rule. When the first execution flow information and the second execution flow information are the same, the service provider determines that the first control command is legitimate and only then triggers the sending of the first control command to the execution device. Because the service provider can determine that the first control command was triggered by the user based on the first action information and can determine that the first control command has not been tampered with based on the first execution flow information, this improves the security of vehicle body control service calls.
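The provider-side checks described above (signature, time window, steps 307 to 311) can be followed in a short sketch; this is an added example, not code from the patent. The HMAC-SHA256 signature, the shared demo key, the 2-second threshold, the command names, the flow step names and the contents of the mapping rule are all assumptions made for illustration.

```python
import hashlib
import hmac
import json


def flow_hash(steps):
    """Hash of an execution flow (the page allows the flow itself or its hash)."""
    return hashlib.sha256("|".join(steps).encode()).hexdigest()


# Constructed sample flows and mapping rule; the page's Table 2-1 is not reproduced.
WINDOW_FLOW = ["hmi.touch_event", "window_app.on_tap", "service_client.invoke"]
DOOR_FLOW = ["hmi.touch_event", "door_app.on_tap", "service_client.invoke"]
MAPPING_RULE = [
    # coordinate region (x_min, y_min, x_max, y_max) -> command -> expected flow hash
    {"region": (0, 0, 200, 100), "command": "WINDOW_OPEN", "flow": flow_hash(WINDOW_FLOW)},
    {"region": (0, 120, 200, 220), "command": "DOOR_UNLOCK", "flow": flow_hash(DOOR_FLOW)},
]
THRESHOLD_S = 2.0                   # assumed value for the "first threshold range"
DEMO_KEY = b"constructed-demo-key"  # assumed shared key; the page only says "a key"


def canonical(info):
    """Stable byte encoding of the verification information for signing."""
    return json.dumps(info, sort_keys=True, separators=(",", ":")).encode()


def sign(info, key=DEMO_KEY):
    """Service caller side: sign the verification information."""
    return hmac.new(key, canonical(info), hashlib.sha256).hexdigest()


def lookup(x, y):
    """Step 307 for the coordinate variant: find the rule whose region holds (x, y)."""
    for rule in MAPPING_RULE:
        x0, y0, x1, y1 = rule["region"]
        if x0 <= x <= x1 and y0 <= y <= y1:
            return rule
    return None


def verify(command, info, signature, now, key=DEMO_KEY):
    """Service provider side. Returns (ok, reason); ok=True corresponds to step 311a."""
    try:
        expected_sig = sign(info, key)
    except (TypeError, ValueError):
        return False, "malformed"
    # Signature check comes before any use of the mapping rule.
    if not isinstance(signature, str) or not hmac.compare_digest(
        expected_sig.encode(), signature.encode()
    ):
        return False, "bad_signature"
    try:
        x, y = (float(v) for v in info["coordinate"])
        sent_time = float(info["time"])
        sent_flow = str(info["exec_flow"])
    except (KeyError, TypeError, ValueError):
        return False, "malformed"
    # Replay check: written as "not <=" so that a NaN timestamp is rejected too.
    if not abs(now - sent_time) <= THRESHOLD_S:
        return False, "stale_timestamp"
    # Steps 307/308: derive the second control command and compare with the first.
    rule = lookup(x, y)
    if rule is None or rule["command"] != command:
        return False, "command_mismatch"
    # Steps 309/310: compare the received flow with the flow stored for that command.
    if not hmac.compare_digest(rule["flow"].encode(), sent_flow.encode()):
        return False, "flow_mismatch"
    return True, "ok"
```

The time check only bounds the replay window: a copy of a valid message delivered again inside `THRESHOLD_S` still passes this sketch.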

[0206] As shown in Figure 4, this application provides a communication device 40. The communication device 40 can be a service caller or a component within the service caller (e.g., an integrated circuit, a chip, etc.). The communication device 40 can also be a service provider or a component within the service provider (e.g., an integrated circuit, a chip, etc.). The communication device 40 can also be other communication modules used to implement the methods in the method embodiments of this application.

[0207] The communication device 40 may include a processing module 401 (or processing unit). Optionally, the communication device 40 may also include an interface module 402 (or transceiver unit or transceiver module) and a storage module 403 (or storage unit). The interface module 402 is used to enable communication with other devices. For example, the interface module 402 may be a transceiver module or an input / output module.

[0208] In one possible design, one or more of the modules shown in Figure 4 may be implemented by one or more processors, or by one or more processors and memory; or by one or more processors and transceivers; or by one or more processors, memory, and transceivers. This application embodiment does not limit this. The aforementioned processors, memory, and transceivers can be configured individually or integrated. When the communication device 40 is used to implement the functions of a service caller, the architecture of the processing module 401 in the communication device 40 can be as in the example shown in Figure 1C or Figure 1D.

[0209] In one design, the communication device 40 has the capability to implement the functions of the service caller described in the embodiments corresponding to Figure 2 or Figure 3. For example, the communication device 40 includes modules, units, or means corresponding to the steps involved in the service caller's execution as described in the embodiments of this application. These functions, units, or means can be implemented in software, hardware, or a combination of both. For instance, the interface module 402 in the communication device 40 is used to receive a first control command and verification information of the first control command from the service caller. The first control command is used to call a first service, and the verification information is used to verify the first control command. The verification information includes first action information, which indicates the user action that triggered generation of the first control command. The processing module 401 is used to verify the first control command based on the verification information. When the verification of the first control command passes, the processing module 401 controls the interface module 402 to send the first control command to the execution device, which executes the first control command.

[0210] In one possible implementation, the processing module 401 is specifically configured to determine a second control command corresponding to the first behavior information based on the first behavior information and a first mapping rule, wherein the first mapping rule includes at least one behavior information and a control command corresponding to each behavior information; and, when the first control command is the same as the second control command, determine that the verification of the first control command is successful.

[0211] In one possible implementation, the verification information of the first control command further includes the first execution flow information, which indicates the process information for calling the first service. The first mapping rule also includes execution flow information for each service. The processing module 401 is specifically configured to: when the first control command is the same as the second control command, determine the second execution flow information corresponding to the second control command based on the second control command and the first mapping rule; and when the first execution flow information is the same as the second execution flow information, determine that the verification of the first control command has passed. Optionally, the first execution flow information is the execution flow of calling the first service or the hash value of the execution flow of calling the first service.

[0212] In one possible implementation, the first behavioral information includes a first coordinate, which is the coordinate corresponding to the user's operation; each behavioral information in the first mapping rule includes at least one coordinate region. The processing module 401 is specifically configured to determine the coordinate region where the first coordinate is located; and, based on the first mapping rule, determine the control command corresponding to the coordinate region where the first coordinate is located as the second control command.

[0213] In one possible implementation, the first behavioral information includes first semantic information, which is semantic information generated based on the user's input voice command; each behavioral information in the first mapping rule includes one semantic information. The processing module 401 is specifically configured to determine, based on the first mapping rule, that the control command corresponding to the first semantic information is the second control command.

[0214] In one possible implementation, the first behavior information includes first time information, which is the time when the service caller detects that the user has triggered the action of generating the first control command. The processing module 401 is specifically configured to determine that the verification of the first control command fails if the service provider determines that the difference between the time indicated by the first time information and the current time is outside a first threshold range.

[0215] In one possible implementation, the verification information of the first control command is signed by the service caller. The processing module 401 is further configured to verify the signature of the verification information of the first control command; and, if the signature of the verification information of the first control command is successfully verified, to determine the second control command corresponding to the first behavior information based on the first behavior information and the first mapping rule.

[0216] In one possible implementation, the processing module 401 is further configured to determine that the verification of the first control command has failed if the signature of the verification information of the first control command fails to be verified by the service provider.

[0217] In one possible implementation, the processing module 401 is further configured to determine that the verification of the first control command fails if the first control command is different from the second control command.

[0218] In one possible implementation, the processing module 401 is further configured to determine that the verification of the first control command fails if the first execution flow information is different from the second execution flow information.

[0219] In one possible implementation, the processing module 401 is further configured to, when it is determined that the verification of the first control command fails, control the input / output module to prompt the user with alarm information, the alarm information being used to indicate that the verification of the first control command fails; or, the processing module 401 is further configured to, when it is determined that the verification of the first control command fails, control the interface module 402 to send alarm information to the service caller, the service caller being used to prompt the user with the alarm information.

[0220] It should be noted that the specific implementation method and beneficial effects of this embodiment can be referred to the method of the service provider in the above embodiments, and will not be repeated here.

[0221] In one design, the communication device 40 is used to perform the method of the service caller in the embodiments corresponding to Figure 2 or Figure 3. The processing module 401 in the communication device 40 is used to acquire first behavior information, which indicates that a user has triggered the behavior of generating a first control command; and to generate the first control command based on the first behavior information, which is used to call a first service. The interface module 402 is used to send the first control command and verification information of the first control command, the verification information of the first control command including the first behavior information, which is used to verify the first control command.

[0222] In one possible implementation, the processing module 401 includes a trusted module. The trusted module in the communication device acquires the first behavior information, and its privileges are higher than those of the kernel in the service caller. Optionally, the operating environment of the trusted module is independent of the operating environment of the kernel. Optionally, the trusted module has read and write permissions to the storage module, while the kernel does not have access to the storage module, which is used to store the first behavior information.

[0223] In one possible implementation, the processing module 401 is further configured to obtain the first execution flow information, which is used to indicate process information for calling the first service. Optionally, the first execution flow information is the execution flow of calling the first service or the hash value of the execution flow of calling the first service.

[0224] In one possible implementation, a trusted module in the communication device acquires the first execution flow information.

[0225] In one possible implementation, the verification information of the first control command is signed by the service caller. The processing module 401 is further configured to sign the verification information of the first control command using a key.

[0226] In one possible implementation, the first behavioral information includes a first coordinate, which is the coordinate corresponding to the user's operation; or, the first behavioral information includes first semantic information, which is semantic information generated based on the user's input voice command.

[0227] In one possible implementation, the first behavioral information includes first time information, which is the time when the service caller detects that the user has triggered the action of generating the first control command.

[0228] In one possible implementation, the trusted module includes at least one of the following: a virtual machine monitor, a trusted kernel, or a trusted execution environment (TEE).

[0229] It should be noted that the specific implementation method and beneficial effects of this embodiment can be referred to the service caller method in the above embodiments, and will not be repeated here.

[0230] Furthermore, this application provides a computer program product comprising one or more computer instructions. When these computer program instructions are loaded and executed on a computer, all or part of the processes or functions described in the embodiments of this application are generated. For example, the methods related to the service caller in the embodiments corresponding to Figure 2 or Figure 3 are implemented. As another example, the methods related to the service provider in the embodiments corresponding to Figure 2 or Figure 3 are implemented. The computer can be a general-purpose computer, a special-purpose computer, a computer network, or other programmable device. The computer instructions can be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another. For example, the computer instructions can be transmitted from one website, computer, server, or data center to another via wired (e.g., coaxial cable, fiber optic, digital subscriber line (DSL)) or wireless (e.g., infrared, wireless, microwave, etc.) means. The computer-readable storage medium can be any available medium that a computer can store or a data storage device such as a server or data center that integrates one or more available media. The available medium can be magnetic media (e.g., floppy disk, hard disk, magnetic tape), optical media (e.g., digital versatile disc (DVD)), or semiconductor media (e.g., solid-state disk (SSD)).

[0231] Furthermore, this application also provides a computer-readable storage medium storing a computer program that is executed by a processor to perform the methods related to the service caller in the embodiments corresponding to Figure 2 or Figure 3.

[0232] Furthermore, this application also provides a computer-readable storage medium storing a computer program that is executed by a processor to perform the methods related to the service provider in the embodiments corresponding to Figure 2 or Figure 3.

[0233] In addition, this application also provides a service invocation system, which includes the service provider in the embodiments corresponding to Figure 2 or Figure 3 and the service caller in the embodiments corresponding to Figure 2 or Figure 3.

[0234] In addition, this application also provides a vehicle that includes the service provider in the embodiments corresponding to Figure 2 or Figure 3 and the service caller in the embodiments corresponding to Figure 2 or Figure 3. Furthermore, the vehicle also includes an execution device. Additionally, the vehicle includes external human-computer interaction devices such as a touchscreen and a microphone.

[0235] It should be understood that in the various embodiments of this application, the order of the above-mentioned processes does not imply the order of execution. The execution order of each process should be determined by its function and internal logic, and should not constitute any limitation on the implementation process of the embodiments of this application.

[0236] Those skilled in the art will clearly understand that, for the sake of convenience and brevity, the specific working processes of the systems, devices, and units described above can be referred to the corresponding processes in the foregoing method embodiments, and will not be repeated here.

Claims

1. A service invocation method, characterized in that it comprises: the service provider receives a first control command and verification information of the first control command from the service caller, wherein the verification information of the first control command includes first behavior information, which is related to the user's action of triggering the generation of the first control command; the service provider verifies the first control command based on the verification information of the first control command; and if the first control command is verified to be valid, the service provider provides services in accordance with the first control command.

2. The method of claim 1, wherein, The service provider verifies the first control command based on the verification information of the first control command, including: The service provider determines the second control command corresponding to the first behavior information based on the first behavior information and the first mapping rule. The first mapping rule includes at least one type of behavior information and the control command corresponding to each type of behavior information. If the first control command is the same as the second control command, then the service provider determines that the first control command has been verified.

3. The method of claim 2, wherein, The first control command is used to invoke the first service, and the verification information of the first control command also includes first execution flow information, which is used to indicate the process information for invoking the first service; the first mapping rule also includes execution flow information for invoking each service. The method further includes: If the first control command is the same as the second control command, the service provider determines the second execution flow information corresponding to the second control command based on the second control command and the first mapping rule. The second execution flow information is used to indicate the process information for calling the second service. The service provider determines that the verification of the first control command is successful, including: If the first execution flow information is the same as the second execution flow information, then the service provider determines that the first control command has been verified.

4. The method of claim 3, wherein, The first execution flow information is either the execution flow that calls the first service or the hash value of the execution flow that calls the first service.

5. The method according to any one of claims 2 to 4, characterized in that, The first behavioral information includes a first coordinate, which is the coordinate corresponding to the user's operation; each behavioral information in the first mapping rule includes at least one coordinate region. The service provider determines the second control command corresponding to the first behavior information based on the first behavior information and the first mapping rule, including: The service provider determines the coordinate region where the first coordinate is located; The service provider determines the control command corresponding to the coordinate region where the first coordinate is located as the second control command based on the first mapping rule.

6. The method according to any one of claims 2 to 4, characterized in that the first behavioral information includes first semantic information, which is semantic information generated based on the user's input voice command; each of the at least one behavioral information in the first mapping rule includes one piece of semantic information; and the service provider determining the second control command corresponding to the first behavior information based on the first behavior information and the first mapping rule includes: the service provider determines the control command corresponding to the first semantic information as the second control command based on the first mapping rule.

7. The method according to any one of claims 2 to 6, characterized in that, The first behavioral information includes first time information, which is the time when the service caller detects that the user has triggered the action of generating the first control command; The method further includes: If the service provider determines that the difference between the time indicated by the first time information and the current time is outside the first threshold range, then the service provider determines that the verification of the first control command fails.

8. The method according to any one of claims 2 to 7, characterized in that, The verification information of the first control command is signed by the service caller; Before the service provider determines the second control command corresponding to the first behavior information based on the first behavior information and the first mapping rule, the method further includes: The service provider verifies the signature of the verification information of the first control command; The service provider determines the second control command corresponding to the first behavior information based on the first behavior information and the first mapping rule, including: If the service provider verifies that the signature of the verification information of the first control command passes, the service provider determines the second control command corresponding to the first behavior information based on the first behavior information and the first mapping rule.

9. The method of claim 8, wherein, The method further includes: If the service provider fails to verify the signature of the verification information of the first control command, the service provider determines that the verification of the first control command has failed.

10. The method of claim 2, wherein, The method further includes: If the first control command is different from the second control command, the service provider determines that the verification of the first control command failed.

11. The method of claim 3, wherein, The method further includes: If the first execution flow information is different from the second execution flow information, the service provider determines that the verification of the first control command has failed.

12. The method of claim 7, 9, 10, or 11, wherein the method further includes: if the service provider determines that the verification of the first control command fails, the service provider will display an alarm message to the user, the alarm message indicating that the verification of the first control command failed; or, if the service provider determines that the verification of the first control command fails, the service provider sends an alarm message to the service caller, and the service caller uses this alarm message to notify the user.

13. The method according to any one of claims 3 to 12, characterized in that, The first execution flow information is obtained by a trusted module in the service caller.

14. A service invocation method, characterized in that it comprises: the service caller obtains the first behavior information, which is related to the user's action of triggering the generation of the first control command; the service caller generates the first control command based on the first behavior information; and the service caller sends the first control command and the verification information of the first control command, wherein the verification information of the first control command includes the first behavior information.

15. The method of claim 14, wherein the service caller obtaining the first behavior information includes: the trusted module in the service caller obtains the first behavior information, and the privileges of the trusted module are higher than those of the kernel in the service caller.

16. The method of claim 15, wherein, The operating environment of the trusted module is independent of the operating environment of the kernel.

17. The method according to claim 15 or 16, characterized in that, The trusted module has read and write permissions to the storage module, while the kernel does not have access to the storage module, which is used to store the first behavioral information.

18. The method according to any one of claims 14 to 17, characterized in that the first control command is used to invoke a first service, and before the service caller sends the first control command and its verification information to the service provider, the method further includes: the service caller obtains first execution flow information, which is used to indicate the process information for calling the first service.

19. The method of claim 18, wherein, The first execution flow information is either the execution flow that calls the first service or the hash value of the execution flow that calls the first service.

20. The method of claim 18 or 19, wherein, The service caller obtains the first execution flow information, including: The trusted module in the service caller obtains the first execution flow information.

21. The method according to any one of claims 14 to 20, characterized in that the verification information of the first control command is signed by the service caller; before the service caller sends the first control command and the verification information of the first control command to the service provider, the method further includes: the service caller uses a key to sign the verification information of the first control command.

22. The method according to any one of claims 14 to 21, characterized in that, The first behavioral information includes a first coordinate, which is the coordinate corresponding to the user's operation; or, The first behavioral information includes first semantic information, which is semantic information generated based on the user's input voice commands.

23. The method according to claim 22, characterized in that, The first behavioral information includes first time information, which is the time when the service caller detects that the user has triggered the action of generating the first control command.

24. The method according to any one of claims 15 to 23, characterized in that, The trusted module includes at least one of the following: Virtual machine monitor, trusted kernel, or trusted execution environment (TEE).

25. A communication device, characterized in that it includes a processor and a memory; the memory stores computer programs; and the processor invokes the computer program to cause the communication device to perform the method as described in any one of claims 1 to 13.

26. A communication device, characterized in that it includes a processing unit and a storage unit; the storage unit stores computer programs; and the processing unit invokes the computer program to cause the communication device to perform the method as described in any one of claims 14 to 24.

27. A service invocation system, characterized in that it includes: the communication device as claimed in claim 25 and the communication device as claimed in claim 26.

28. A vehicle, characterized in that it includes: the communication device as claimed in claim 25 and the communication device as claimed in claim 26.

29. A computer-readable storage medium storing instructions that, when executed on a computer, cause the computer to perform the method as claimed in any one of claims 1 to 13; or, to perform the method as claimed in any one of claims 14 to 24.

30. A computer program product storing instructions that, when executed on a computer, cause the computer to perform the method as claimed in any one of claims 1 to 13; or, to perform the method as claimed in any one of claims 14 to 24.