Fending Off Cyber Attacks Hardening ECUs by Fuzz Testing

Similar documents
Automotive Software Security Testing

Integration of the softscheck Security Testing Process into the V-Modell

Machine-Based Penetration Testing

CyBot Suite. Machine-based Penetration Testing

RiskSense Attack Surface Validation for IoT Systems

STAMP: AN AUTOMATED UNKNOWN ZERO- DAY VULNERABILITY DISCOVERY SYSTEM FOR MOBILE PLATFORMS

SOLUTION BRIEF esentire Risk Advisory and Managed Prevention (RAMP)

Machine-Based Penetration Testing

Addressing Future Challenges in the Development of Safe and Secure Software Components The MathWorks, Inc. 1

Hardening Attack Vectors to cars by Fuzzing

From Signal to Service

Tools for Security Testing

THE EFFECTIVE APPROACH TO CYBER SECURITY VALIDATION BREACH & ATTACK SIMULATION

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

Test requirements in networked systems

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

Automotive Security: Challenges and Solutions

8 Must Have. Features for Risk-Based Vulnerability Management and More

GDPR Update and ENISA guidelines

ARC VIEW. Critical Industries Need Continuous ICS Security Monitoring. Keywords. Summary. By Sid Snitkin

Fundamentals of Information Systems Security Lesson 5 Auditing, Testing, and Monitoring

A number of optimizations are already in use by the majority of companies in industry, notably:

Cyber Security and Vehicle Diagnostics. Mark Zachos DG Technologies

Mike Spear, Ops Leader Greg Maciel, Cyber Director INDUSTRIAL CYBER SECURITY PROGRAMS

The Key Principles of Cyber Security for Connected and Automated Vehicles. Government

ODX Process from the Perspective of an Automotive Supplier. Dietmar Natterer, Thomas Ströbele, Dr.-Ing. Franz Krauss ZF Friedrichshafen AG

Professional Services Overview

Secure Product Design Lifecycle for Connected Vehicles

Penetration testing.

Automating the Top 20 CIS Critical Security Controls

IoT & SCADA Cyber Security Services

Virtualization of Heterogeneous Electronic Control Units Testing and Validating Car2X Communication

Meeting PCI DSS 3.2 Compliance with RiskSense Solutions

CANoe/CANalyzer.J1587

How to Optimize Cyber Defenses through Risk-Based Governance. Steven Minsky CEO of LogicManager & Author of the RIMS Risk Maturity Model

MASP Chapter on Safety and Security

Case Study: The Evolution of EMC s Product Security Office. Dan Reddy, CISSP, CSSLP EMC Product Security Office

Cybersecurity, safety and resilience - Airline perspective

deep (i) the most advanced solution for managed security services

Keys to a more secure data environment

CompTIA Cybersecurity Analyst+

Fiscal 2015 Activities Review and Plan for Fiscal 2016

Bonnie A. Goins Adjunct Industry Professor Illinois Institute of Technology

A Risk Management Platform

FROM SIEM TO SOC: CROSSING THE CYBERSECURITY CHASM

time now it has also been used productively in a multi-oem, requires precise knowledge of the protocol, the layout, the

PREEvision Technical Article

Threat and Vulnerability Assessment Tool

Incentives for IoT Security. White Paper. May Author: Dr. Cédric LEVY-BENCHETON, CEO

AUTOSAR Software Design with PREEvision

EXECUTIVE VIEW. One Identity SafeGuard 2.0. KuppingerCole Report

SAP Cybersecurity Solution Brief. Objectives Solution Benefits Quick Facts

Transforming Security from Defense in Depth to Comprehensive Security Assurance

Cybersecurity & Privacy Enhancements

Business Continuity Management

Internet of Things Security standards

SDLC Maturity Models

Procurement Language for Supply Chain Cyber Assurance

Cybersecurity for IoT to Nuclear

Convergence of Safety, Systems & Cybersecurity Bill StClair, Director, LDRA, US Operations

An Integrated Test Framework to Reduce Embedded Software Lifecycle Costs

White Paper. Why IDS Can t Adequately Protect Your IoT Devices

13W-AutoSPIN Automotive Cybersecurity

Web Applications (Part 2) The Hackers New Target

Certified Automotive Software Tester Sample Exam Paper Syllabus Version 2.0

standards and frameworks and controls oh my! Mike Garcia Senior Advisor for Elections Best Practices

RBI GUIDELINES ON CYBER SECURITY AND RAKSHA APPROACH

Rethinking Information Security Risk Management CRM002

Cyber Security Technologies

Choosing the Right Security Assessment

Internet infrastructure

Connected driving is the future. However, data exchange between vehicles. and roadside equipment will only become genuinely beneficial when it is

An ICS Whitepaper Choosing the Right Security Assessment

The modern car has 100 million lines of code and over half of new vehicles will be connected by 2020.

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

CYBER SECURITY AIR TRANSPORT IT SUMMIT

[NEC Group Internal Use Only] IoT Security. - Challenges & Standardization status. Sivabalan Arumugam.

IBM. OA VTAM 3270 Intrusion Detection Services - Overview, Considerations, and Assessment (Prerequisite) z/os Communications Server

Introducing Cyber Observer

Is This What the Future Will Look Like?

Heavy Vehicle Cyber Security Bulletin

Security Information & Event Management (SIEM)

Concept Manual vteststudio. Version 2.2 English

Cyber Security for Process Control Systems ABB's view

Types of Software Testing: Different Testing Types with Details

Information Infrastructure and Security. The value of smart manufacturing begins with a secure and reliable infrastructure

Flash Bootloader. Product Information

RSA INCIDENT RESPONSE SERVICES

DHS Hackers and the Lawyers Who Advise Them

Future Challenges and Changes in Industrial Cybersecurity. Sid Snitkin VP Cybersecurity Services ARC Advisory Group

Automotive Cyber Security

Article Summary of: Understanding Cloud Computing Vulnerabilities. Michael R. Eldridge

Gujarat Forensic Sciences University

Cyber Hygiene and Awareness on a Practical Level

Eliminating the Blind Spot: Rapidly Detect and Respond to the Advanced and Evasive Threat

Descriptions for CIS Classes (Fall 2017)

Vulnerability Assessments and Penetration Testing

EU General Data Protection Regulation (GDPR) Achieving compliance

ARC VIEW. Critical Industries Need Active Defense and Intelligence-driven Cybersecurity. Keywords. Summary. By Sid Snitkin

Automated, Real-Time Risk Analysis & Remediation

Transcription:

Fending Off Cyber Attacks Hardening ECUs by Fuzz Testing In designing vehicle communication networks, security test procedures play an important role in the development process. Fuzz testing, which originated in the traditional IT field, offers automatable tests which are used to efficiently check an ECU s security-related capabilities. But how can test cases be generated using familiar exchange formats? Today s motor vehicles are increasingly being integrated effects of a successful attack. Although development pro- into the Internet of Things (IoT). Vehicles are connecting to cesses for vehicle security have become better and are devices, other vehicles, infrastructure and cloud services via using increasingly more detailed threat models, there is still new interfaces. On the one hand, this enables new func- a gap in the development tools regarding the identification tions and business models. However, this added connectiv- and prevention of security vulnerabilities in existing soft- ity also opens more potential areas of attack related to ware. cyber security threats. The rapid introduction of new and In ECU tests (Figure 1), the focus is on validating functional complex functions harbors the risk that development requirements and error states within a defined scope teams will hardly be able to keep up with the new attack which is limited by the boundaries of the selected parame- vectors that result and safeguard against them. ters. As soon as all functional requirements have been General guidelines for developing secure vehicle systems tested sufficiently, it is also necessary to work in the securi- are for ty area with system inputs which are not part of the Cyber-Physical Vehicle Systems (J3061). It contains strate- expected parameters. Vulnerabilities lurk in this comple- gies and techniques for preventing and detecting security mentary set of inputs, and they are just waiting to be breaches, and it lists measures to mitigate the undesirable exploited. Due to time constraints, it is not possible to test described in the Cybersecurity Guidebook 01

all possible input values, especially when they depend on different states and conditions. Therefore, the goal of fuzz testing is not to test all the input parameters of a system completely, but instead to programmatically generate security tests that are more likely to identify implementation errors. What is Fuzz Testing and What Benefits Does It Offer? The purpose of fuzz testing is to detect unknown vulnerabilities by stressing a system with queries which are in part random and quite inappropriate. This concept is not only applied in security tests, but in robustness tests in general. Fuzz tests go far beyond the typical tests developers perform to study all reasonably predictable manipulations. They involve generating additional test cases which ideally come up with fully unexpected data. Randomly generated input data that is applied over many test runs attains a level of test coverage that is hardly attainable by manually created tests. Since fuzz testing is the technique preferred by hackers for revealing vulnerabilities, developers need an easy-to-use extension for test tools which they can use to meet the challenges of attackers head-on. Ideally, fuzz testing will support a method of test case generation that is largely automated and can indicate problems relatively quickly. Compared with other security test methods such as penetration tests, this approach offers a good cost-benefit ratio. Fuzzing engines can be categorized according to three criteria: > > Generative engines and mutation engines: Generative engines generate test data programmatically, while mutation engines generate test data by mutating known valid data. > > Simple and intelligent fuzzing engines: In contrast to simple engines, intelligent engines are familiar with the structure of the data. However, one engine is not necessarily better than the other. An entirely simple engine, for example, can send fully random data to a system without requiring any knowledge of the system states or system parameters, like a data checksum in a message. An entirely intelligent engine would follow the protocol and system specifications 100%, so it could potentially never detect errors. A good middle path is to use a system that intelligently chooses which system parameters and logical approaches to subject to fuzz testing. > > The third classification criterion is knowledge about the system states and program structure. Here, the fuzz tests check either a black box, white box or gray box system. For some system properties, a certain level of knowledge of the system state is essential. This applies Asset Definition Threat and Risk Assessment Derivation of Security Goals Security Architecture Design & Analysis Security Mechanisms Design & Analysis Fuzz Testing Functional Security Testing Security Validation Penetration Testing Secure Implementation of Nominal Functions and Security Mechanisms Figure 1: Fuzz Testing as part of the V-model for developing security-related ECUs 02

to testing of diagnostic messages, for example. In UDS (Unified Diagnostic Services), many functions and sub- functions are protected by the 0x27 service, and possibly even by the knowledge of which session the diagnostic server is in. Without knowledge of this state machine, a fuzzing engine would be unable to penetrate deeply into the ECU s code base. Many fuzz test engines are designed for black box tests. The Vector approach, on the other hand, aims to use project configuration data supplied by the tool chain so that it can offer white box tests with knowledge of the network protocol and the specified device behavior. Furthermore, when software changes are made, developers can scale the generated test cases to adapt them to the scope of the changes. This significantly reduces the time required for tests in an incremental, continuous integration process. Requirements for Successful Fuzz Testing Solutions Based on own experiences and discussions with developers of vehicle tests and security service providers, Vector has defined key requirements for successful fuzz testing solutions in the automotive industry. > > Automotive OEMs and suppliers generally have full access to databases in which the communication of the entire vehicle network or of a subsystem is described. Defined in these databases are regular messages, expected value ranges, lengths, timing information and data types. These descriptions exist in standard data exchange formats such as DBC, LDF, FIBEX and AUTO- SAR System Extract. The descriptions are an excellent source of information for configuring fuzz test generators, which automatically generate test cases. > > A successful fuzz test solution must keep records of the test cases that are executed along with all relevant parameters. This lets testing engineers replicate the tests to compare results based on clearly defined test cases and parameters. > > The test tool should deliver reports that lend themselves to implementing corrective actions as well as relevant summaries that present additional insights to test engineers. Currently, there are some promising smaller vehicle-specific prototypes and IT-specific fuzzing solutions available. However, there is no standard automotive fuzzer for vehicle tests which fulfills all the mentioned requirements. The signals in vehicle networks pose a real challenge in the development of fuzz tests. In generating inputs that can be processed by ECUs, fuzzing tools which are popular in the IT sector cannot always fulfill requirements such as floating-point numbers, signed and unsigned N-bit integers, signal multiplexing and changing byte orders in the signal. Concept for Automatically Generating and Executing Fuzz Tests How can the described requirements be fulfilled? The core idea is to use vehicle communication databases to automatically generate and execute the fuzz tests (Figure 2). The overall concept consists of a system under test (SUT), a communication database, a vehicle test framework and an engine for creating fuzz tests. The SUT might be a remaining bus simulation, an individual ECU, a complete subsystem of multiple ECUs or a complete vehicle system. Automotive Testing Framework System under Test Data Logging Network and Visualization Signal Selection Database Reporting Config. Generation Sending / Receiving Fuzz Testing Configuration Channel Fuzzed Messages Fuzz Testing Engine Generate Fuzzed Signal Data Figure 2: Concept for automatically generated fuzz tests 03

System under Test (SUT) Data Logging Reporting CANoe Network and Visualization Signal Selection Sending/Receiving Automotive Database vteststudio Fuzz Test Configuration Fuzz Test Generator Fuzz Test Unit Fuzz Tests Fuzzed Signals Channel Figure 3: Fuzz testing with the standard CANoe tool A combination of simulated and real elements is also possible. The SUT is connected to the vehicle test framework via one or more communication channels. Vector uses the communication database as the central supplier of input data for the vehicle test framework. Among other things, the test framework can visualize the message contents, definitions of the network nodes and parameterization of the communication channels allocated to them. The user can now select the signals to be subjected to the fuzz test and store them in a configuration. Subsequently, the test framework of the fuzz test engine supplies the interfaces (APIs) for bus access based on its knowledge of the protocol, data types and conversion rules that are used. The fuzz test engine generates the test values for the SUT based on the configuration created using the vehicle test framework. The strategies for generating the test vectors depend on the specific capabilities of the fuzz test engine. The generated test data is then passed to the vehicle test framework, which packs the data for the relevant bus or communications channel and sends it to the SUT. prepares as a message that it sends to the SUT over the vehicle bus. Fuzz test execution is logged in such a way that all the test messages can be examined. Because the fuzz tests are integrated in CANoe, that tool s internal logging function can be used to record messages received by the SUT and those sent to it. All test cases exhibiting unexpected behavior are highlighted in the test window (Figure 4). The created test cases are formulated in CANoe s own CAPL programming language, and this makes it possible to view them and edit them if necessary. Challenges It must always be remembered that fuzz testing is not a comprehensive security solution; rather it is a brick that is used as part of the solution. Although fuzzing engines are continually becoming more refined, and there are new monitoring approaches, this technology as a whole still faces some challenges. In fuzz tests, errors can go unnoticed if they do not cause a complete program crash. Code should be developed so that assertions are implemented Implementation Using Standard Software The described fuzz test framework was created by using standard software and extending it (Figure 3). Serving as the test framework is the testing and development software CANoe, which is used by many ECU testers and offers user-friendly test flow control. Moreover, it fulfills requirements for processing vehicle communication protocols and communication database formats with its libraries, APIs and interfaces. Based on the imported database, CANoe visualizes the network and suggests a list of signals the user can select from. It then generates the configuration of the fuzz test engine according to the user s selections. This is based on the vteststudio test design tool. The engine generates the signals based on the configuration and its own fuzzing algorithms which CANoe then Figure 4: CANoe logs clearly which executed test cases were passed and which failed. 04

correctly in all software components, and they support investigation into the causes in case of a failure. The analysis of test cases leading to a crash is may be difficult. Depending on the available monitoring, and in software with complex inputs it takes much more effort to create fuzz tests that provide sufficient code coverage. Advantages of Fuzz Testing Fuzz testing offers far-reaching automation that can reveal critical system defects which would remain hidden in manual security audits and software audits. Fuzz testing also provides an overall picture of software robustness. This helps to identify security vulnerabilities and to correct them before they can be exploited for attacks in the field. When fuzz testing is used early in an ECU s development cycle, security gaps can be revealed early on when it is less costly or time-consuming to correct them. In combination with existing tools and test frameworks from the automotive industry, fuzz testing can make an effective contribution toward validating vehicle software. The option of programmatically generating fuzz tests from existing databases makes it possible to test signals as well as state-dependent protocols. Holger Heinemann (Dipl.-Ing. (FH)) is manager in the R&D department at Vector Informatik GmbH. In this role, he is responsible for Cyber Security Test Tools. Translation of a German publication in Hanser automotive, special edition Safety & Security August 2018 Image rights: Vector Informatik GmbH 05

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback