Cyber-Physical Inconsistency Vulnerability Identification for Safety Checks in Robotic Vehicles

We propose a new type of vulnerability for Robotic Vehicles (RVs), called Cyber-Physical Inconsistency. These vulnerabilities target safety checks in RVs (e.g., crash detection). They can be exploited by setting up malicious environment conditions, such as placing an obstacle of a certain weight at a certain angle in the RV's trajectory. Once exploited, the safety checks may fail to report real physical accidents or may report false alarms while the RV is still operating normally. Both situations could lead to life-threatening consequences. The root cause of such vulnerabilities is that existing safety checks mostly use simple range checks implemented in general-purpose programming languages, which are incapable of describing the complex and delicate physical world. We develop a novel technique that combines program analysis, vehicle modeling, and search-based testing to identify such vulnerabilities. Our experiments on 4 real-world control software stacks and 8 vehicles, including quadrotors, a rover, and a fixed-wing airplane, discovered 10 real vulnerabilities. Our technique produces no false positives, as it only reports a vulnerability when an exploit can be generated.
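As an added illustration (not code from the paper or from any of the control software it studies), the toy Python model below shows the root cause the abstract describes: a crash check that is a single range check on sensed acceleration, a constructed impact model, and a small search over obstacle mass and angle of the kind search-based testing would perform. The threshold, masses, impact duration and the residual-based alternative check are all assumptions chosen for the illustration.

```python
"""Toy illustration of a cyber-physical inconsistency in a crash check.

Everything here is constructed for illustration: the range-check
threshold, the impact model and the search space are assumptions,
not values from any real control software.
"""
import math
import random

RV_MASS_KG = 1.5          # assumed quadrotor mass
ACCEL_THRESHOLD = 30.0    # assumed crash threshold in m/s^2 (range check)
IMPACT_DT_S = 0.02        # assumed duration over which the impact decelerates the RV


def range_check_crash(peak_accel: float) -> bool:
    """The kind of simple range check the paper criticises: one threshold."""
    return abs(peak_accel) > ACCEL_THRESHOLD


def impact_peak_accel(speed: float, obstacle_mass: float, angle_deg: float) -> float:
    """Constructed impact model: the RV's velocity component normal to the
    obstacle is removed in proportion to the obstacle's share of the total
    mass (inelastic impact), spread over IMPACT_DT_S."""
    normal_speed = speed * math.cos(math.radians(angle_deg))
    mass_share = obstacle_mass / (obstacle_mass + RV_MASS_KG)
    return normal_speed * mass_share / IMPACT_DT_S


def search_missed_crash(speed: float = 5.0, trials: int = 2000, seed: int = 1):
    """Search-based testing over environment parameters: look for an obstacle
    (mass, angle) that the RV physically hits but the range check ignores.
    Returns the first such parameter set, or None if none is found."""
    rng = random.Random(seed)
    for _ in range(trials):
        mass = rng.uniform(0.05, 5.0)     # kg
        angle = rng.uniform(0.0, 85.0)    # degrees off head-on
        accel = impact_peak_accel(speed, mass, angle)
        if not range_check_crash(accel):  # contact happened, but no alarm
            return {"mass_kg": round(mass, 3), "angle_deg": round(angle, 1),
                    "peak_accel": round(accel, 1)}
    return None


def model_consistent_crash(sensed_accel: float, commanded_accel: float,
                           tol: float = 5.0) -> bool:
    """Defender-side alternative (an assumption, not the paper's method): flag
    a crash only when sensed acceleration disagrees with what the controller
    commanded. A hard but commanded maneuver no longer trips it, while a
    small uncommanded bump from a light obstacle does."""
    return abs(sensed_accel - commanded_accel) > tol
```

The residual check is deliberately simplistic (no sensor noise or model error bound); it only shows why a check that consults the vehicle model behaves differently from a bare threshold.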
