Professional Documents
Culture Documents
D1-07 PETRE-Testing Security and Reliability of Ethernet Communications
D1-07 PETRE-Testing Security and Reliability of Ethernet Communications
of Automotive Ethernet
using fuzzing
Zonal-based
Automotive Architecture
* text and diagrams taken from IEEE P802.1DG v0.3, July 2018
Razvan Petre, Spirent Communications IEEE-SA Ethernet & IP @ Automotive Technology Day, Sept 24 th 2019, Detroit 2
CAN vs Ethernet
Key differentiator: The Transport Network
CAN High
R R
CAN Low
Razvan Petre, Spirent Communications IEEE-SA Ethernet & IP @ Automotive Technology Day, Sept 24 th 2019, Detroit 3
TCP/IP and OSI Models
Transmitting Receiving
Device Device
Razvan Petre, Spirent Communications IEEE-SA Ethernet & IP @ Automotive Technology Day, Sept 24 th 2019, Detroit 4
Testing types, techniques and tactics
e.g. OPEN TC8 v2.0, Aug 2017, 823 Tests
49 ARP
• Conformance testing
22 ICMPv4
• Positive vs Negative testing
• Device vs System level testing 53 IPv4
• It is an automated software
testing technique
• It involves providing invalid,
unexpected, or random data as Specified
inputs to a computer program. Functionality
• An effective fuzzer generates
semi-valid inputs that:
– are "valid enough" to pass the parser,
but
Negative input Target of e.g.
– are "invalid enough" to expose Conformance or
space is infinite,
corner cases target of fuzzing Functional testing
Razvan Petre, Spirent Communications IEEE-SA Ethernet & IP @ Automotive Technology Day, Sept 24 th 2019, Detroit 6
Who is using Fuzzing?
A brief history of fuzzing
1950s
• Testing programs with random inputs started in the 1950s, when data was still stored
on punched cards.
• In 1983, "The Monkey“ was developed, a tool that would generate random inputs for
classic Mac OS applications, such as MacPaint.
• The term "fuzzing" originates from a 1988 class project, taught by Barton Miller at the
University of Wisconsin.
• In April 2012, Google announced ClusterFuzz, a cloud-based fuzzing infrastructure
for security-critical components of the Chromium web browser.
• In September 2016, Microsoft announced Project Springfield, a cloud-based fuzz
testing service for finding security critical bugs in software.
• In November 2018 Google revealed that OSS-Fuzz, the company's automated
fuzzing service/bot, has identified and reported over 9,000 vulnerabilities in widely
used open source projects since 2017.
2019
Razvan Petre, Spirent Communications IEEE-SA Ethernet & IP @ Automotive Technology Day, Sept 24 th 2019, Detroit 7
Types of Fuzzing
From dumb to smart fuzzers
• Random-based fuzzing
Dumb
– No protocol knowledge
• Data structure aware fuzzing
– A data model, a grammar, or a protocol description is required
• Mutation-based fuzzing
– It generates inputs by modifying existing data (e.g. utilize a pcap
Smart
capture as seed)
• Generation-based fuzzing
– It uses fuzzing heuristics to generate data based on a specified
model
Razvan Petre, Spirent Communications IEEE-SA Ethernet & IP @ Automotive Technology Day, Sept 24 th 2019, Detroit 8
Types of Fuzzing
…continued
• Black-box fuzzing
Dumb
Razvan Petre, Spirent Communications IEEE-SA Ethernet & IP @ Automotive Technology Day, Sept 24 th 2019, Detroit 9
Fuzzing Automotive Ethernet Protocols
Choosing the right fuzzing ingredients for IVN testing
• Data aware fuzzing
• Both mutation- and generation- based fuzzing
• Black-box fuzzing
• Both data and behavioral fuzzing
Razvan Petre, Spirent Communications IEEE-SA Ethernet & IP @ Automotive Technology Day, Sept 24 th 2019, Detroit 10
Fuzzing Heuristics
The power of a smart fuzzer
Strings 30
0 5 10 15 20 25 30 35 0 2 4 6 8 10
Razvan Petre, Spirent Communications IEEE-SA Ethernet & IP @ Automotive Technology Day, Sept 24 th 2019, Detroit 11
Spirent Automotive Fuzzer
A modularized solution for data and behavior fuzzing
Protocol
Data Message Fuzzing
Probes State
Model Flow Job
machine
Contains the definition Describes the message How to check if the DUT Used for advanced Uses all previous 4
of the protocol order and any timing is still alive behavior fuzzing components to glue
messages restrictions between together a fuzzing job
For each field, the messages
fuzzing heuristic can be Used for basic behavior
specified fuzzing
Fields can be omitted
from being fuzzed
Razvan Petre, Spirent Communications IEEE-SA Ethernet & IP @ Automotive Technology Day, Sept 24 th 2019, Detroit 12
Data model
Razvan Petre, Spirent Communications IEEE-SA Ethernet & IP @ Automotive Technology Day, Sept 24 th 2019, Detroit 13
Message flow
• A file describing:
– order of the messages
– any state information (relation between request / Message
responses) Flow
Razvan Petre, Spirent Communications IEEE-SA Ethernet & IP @ Automotive Technology Day, Sept 24 th 2019, Detroit 14
Probes
Razvan Petre, Spirent Communications IEEE-SA Ethernet & IP @ Automotive Technology Day, Sept 24 th 2019, Detroit 15
IPv4 fuzzing
Data fuzzing targeting the protocol
stack
Data
Model
Razvan Petre, Spirent Communications IEEE-SA Ethernet & IP @ Automotive Technology Day, Sept 24 th 2019, Detroit 16
DoIP fuzzing
Behavior fuzzing targeting the
protocol stack & application
max 50ms
max 50ms
Razvan Petre, Spirent Communications IEEE-SA Ethernet & IP @ Automotive Technology Day, Sept 24 th 2019, Detroit 17
ARXML – AUTOSAR XML
Description of communication networks
Optional Operation
ARXML
Spirent ARXML Parser
Data
Model Spirent Fuzzed Data
Fuzzing DUT
Engine ECU
Message
Flow
Probes
Fuzzing
Job
Razvan Petre, Spirent Communications IEEE-SA Ethernet & IP @ Automotive Technology Day, Sept 24 th 2019, Detroit 19
Fuzzing CAN based applications
AUTOSAR Time Sync over CAN
CAN(-FD)
Ethernet
Features disabled
Razvan Petre, Spirent Communications IEEE-SA Ethernet & IP @ Automotive Technology Day, Sept 24 th 2019, Detroit 20
Fuzzing CAN
Data
Model
Razvan Petre, Spirent Communications IEEE-SA Ethernet & IP @ Automotive Technology Day, Sept 24 th 2019, Detroit 21
Summary
Best practices & benefits of using fuzzing for automotive industry