Fuzz Testing for Automotive Cyber-Security

With computational complexity increasing within the connected car, and with the advent of autonomous vehicles, how do manufacturers test for cyber-security assurance? The fuzz test is a successful black-box testing method that hackers have used to find security weaknesses in various domains. Should the fuzz test, which SAE J3061 mentions without any details, therefore be applied more widely in the vehicle systems development process to help reduce vulnerabilities? To investigate this question, a custom fuzzer was developed to allow for experimentation against a target vehicle's CAN bus (used as the data interconnect for the vehicle's ECUs). The results demonstrate that the fuzz test has a part to play as one of the many security tests that a vehicle's systems need to undergo before being made ready for series production. However, problems previously raised when cyber testing a vehicle were confirmed. Thus, adding the fuzz test to the automotive engineering toolbox raises some issues that need addressing in future research.
