RVFuzzer: Finding Input Validation Bugs in Robotic Vehicles through Control-Guided Testing

Danielle Adams
CSGY-9223: Mobile Security

11/13/19

Taegyu Kim, Purdue University; Chung Hwan Kim and Junghwan Rhee, NEC Laboratories America; Fan Fei, Zhan Tu, Gregory Walkup, Xiangyu Zhang, Xinyan Deng, and Dongyan Xu, Purdue University


https://www.usenix.org/conference/usenixsecurity19/presentation/kim

RV Fuzzing

  • RV: Robotic Vehicles; drones, etc.
     
  • Unmanned Autonomous Vehicle (UAV): vehicle that senses its surroundings and navigates without remote guidance
     
  • Fuzzing: automated software testing technique that involves providing invalid, unexpected, or random data as input

How do RVs work?

  • Ground Control System (GCS)
    • ground-based computer that is used for planning a mission
       
  • RV System
    • Mission Module
    • Sensor Module
    • Controllers
    • Motor
       
  • Physical Environment

Control Parameters

  • Because of the complexity and generality of the RV control model and program, a large number of configurable parameters exist in the control program.
    • Many are dynamically adjustable at runtime via the GCS interface.
       
  • When receiving a GCS command, the control program is supposed to perform input validation.
    • Missing or incorrect validation introduces input validation bugs that attackers can exploit.
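As an added example (not code from the paper or from any real autopilot), a parameter-change handler as the slide describes it: one version that skips the range check (the "range implementation bug" case) and a hardened version that validates against the parameter table. Parameter names and ranges are constructed; note that a correct check against a table whose declared range is itself too wide (a "range specification bug") still passes unsafe values, which is why the check alone is not enough.

```python
# Added example: GCS parameter-change handling with and without input validation.
# PARAM_SPEC is a constructed table (name -> (min, max, default)), not a real
# autopilot's parameter list.
PARAM_SPEC = {
    "ATC_RAT_RLL_P": (0.01, 0.5, 0.135),
    "WPNAV_SPEED":   (20.0, 2000.0, 500.0),
    "PSC_POSZ_P":    (0.5, 3.0, 1.0),
}

class ControlParams:
    def __init__(self):
        # Every parameter starts at its declared default.
        self.values = {n: spec[2] for n, spec in PARAM_SPEC.items()}
        self.rejected = []   # audit trail of refused commands

    def set_param_unchecked(self, name, value):
        """Range implementation bug: the spec exists but is never consulted,
        so any numeric value from the GCS reaches the controller."""
        if name in PARAM_SPEC:
            self.values[name] = float(value)
            return True
        return False

    def set_param(self, name, value):
        """Hardened handler: reject unknown names, non-numbers, NaN/inf and
        anything outside the declared [min, max]; keep the old value on reject."""
        spec = PARAM_SPEC.get(name)
        if spec is None:
            self.rejected.append((name, value, "unknown parameter"))
            return False
        lo, hi, _ = spec
        try:
            v = float(value)
        except (TypeError, ValueError):
            self.rejected.append((name, value, "not a number"))
            return False
        # v != v is only true for NaN, which would slip past < and > comparisons.
        if v != v or v < lo or v > hi:
            self.rejected.append((name, value, "outside [%s, %s]" % (lo, hi)))
            return False
        self.values[name] = v
        return True
```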

Landscape of RV Attacks

  • Physical attacks
    • sensor spoofing
    • Defense: control-based detection and filter
       
  • Software syntactic bug exploitation
    • buffer overflow
    • Defense: program fuzzing and hardening
       
  • Control-semantic bug exploitation
    • input validation bug
    • Not defendable with above approaches

Control-Semantic Bug Exploitation

  • Malicious parameter-changing command
    • GCS-to-vehicle communication is not secure
      • MAVLink
    • Cause at least one controller to malfunction

MAVLink

Attack Model

  • Knowing an adjustable control parameter with incorrect or missing range check logic in the control program, the attacker concocts and issues a seemingly innocent – but actually malicious – parameter-change GCS command to the victim RV.
     
  • The illegitimate parameter value will be accepted by the control program and cause at least one controller of the RV to malfunction.
     
  • The attacker may also opportunistically exploit a certain environmental condition (e.g., strong wind) under which a parameter-change command would become dangerous.

Attack Model Justifications

  • Remotely triggered by single malicious control parameter-change command (leaves a minimum footprint)
     
  • No need for sensor spoofing, code injection, or trojaned exploits
     
  • Launched after program is hardened against traditional exploits

RVFuzzer Design

Guided fuzzing technique

RVFuzzer Design

  • GCS: responsible for issuing RV control parameter-change commands
     
  • Subject Control Program: controls operations of the simulated RV
     
  • Simulator: emulates the physical vehicle and its operating physical environment

RVFuzzer Design

  • Control-Guided Tester has 2 sub-modules:
    • Control Instability Detector
      • Bad control program run is detected by looking at generic control instability properties.
    • Control-Guided Input Mutator
      • Safe, efficient control loop fuzzing leveraging a high-fidelity simulator and control properties.

Control Instability Detector

  • To accurately detect bug-induced physical disturbance, RVFuzzer must be able to sense control state deviation.
    • Among the possible physical disturbances experienced by an RV, there are 2 types of control state deviation: observed state deviation (the controller fails to stabilize the observed state) and reference state deviation (the vehicle deviates from the given mission).
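As an added example (not the paper's detector), a minimal check for the two deviation types over constructed telemetry of a single control state, here altitude in metres; the settling window and tolerance are assumptions, not values from the paper:

```python
# Added example: detecting the two kinds of control state deviation on one
# simulated run. Each sample is (reference, observed) for one control state.

def observed_state_deviation(samples, settle_after, tol):
    """Observed state deviation: after `settle_after` samples the observed
    state should track the reference within `tol`; if the error is still
    large or still growing, the control loop failed to stabilize."""
    tail = samples[settle_after:]
    if not tail:
        return False
    errors = [abs(obs - ref) for ref, obs in tail]
    return max(errors) > tol or errors[-1] > errors[0] + tol

def reference_state_deviation(samples, mission_target, tol):
    """Reference state deviation: the reference the controller is chasing
    drifts away from what the mission asked for."""
    return any(abs(ref - mission_target) > tol for ref, _ in samples)

def classify_run(samples, mission_target, settle_after=5, tol=0.5):
    """Return the set of deviation types seen in one run (empty = stable)."""
    found = set()
    if observed_state_deviation(samples, settle_after, tol):
        found.add("observed")
    if reference_state_deviation(samples, mission_target, tol):
        found.add("reference")
    return found

# Constructed telemetry, mission target 10 m. STABLE_RUN settles on the
# reference; OSCILLATING_RUN never does; DRIFTING_REF_RUN tracks a reference
# that itself walks away from the mission.
STABLE_RUN = [(10.0, o) for o in
              [0.0, 4.0, 7.5, 9.2, 9.8, 10.1, 9.9, 10.0, 10.0, 10.0]]
OSCILLATING_RUN = [(10.0, o) for o in
                   [0.0, 6.0, 12.0, 7.0, 14.0, 5.0, 16.0, 3.0, 18.0, 1.0]]
DRIFTING_REF_RUN = [(r, r) for r in
                    [10.0, 10.0, 10.5, 11.5, 13.0, 15.0, 17.0, 20.0, 24.0, 29.0]]
```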

Control-Guided Input Mutator

  • The input generation method considers both control parameters and environmental factors to optimize for coverage and test runs.
     
  • Control parameters have a value mutation space that includes:
    • list of dynamically adjustable control parameters
    • range of possible values and default for each
       
  • The mutator uses this data together with the result of the previous run of the control program; the output of the Feedback-Driven Parameter Input Mutator becomes the input of the next test run.
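As an added example (not RVFuzzer's own mutator), a feedback-driven search along a single parameter: the stable/unstable verdict of the previous run picks the next value, bisecting from the default toward each end of the declared range to find where the vehicle actually stays stable. The oracle stands in for "run the control program in the simulator" and is constructed, as are the parameter name and ranges; environmental factors are left out.

```python
# Added example: feedback-driven parameter mutation. run_is_stable(value) is
# the verdict of one simulated test run; the value tried next depends on it.

def bisect_boundary(run_is_stable, default, limit, steps=20):
    """Move from `default` toward `limit` by bisection and return the
    furthest value found stable. Assumes the stable values form one
    contiguous interval around the default."""
    if run_is_stable(limit):
        return limit                  # whole declared range on this side is safe
    good, bad = default, limit
    for _ in range(steps):
        mid = (good + bad) / 2
        if run_is_stable(mid):        # feedback from this run steers the next
            good = mid
        else:
            bad = mid
    return good

def fuzz_parameter(name, spec, run_is_stable):
    """spec = (min, max, default). Returns the empirically safe range and
    whether the declared range admits unstable values, i.e. the check in
    the control program (if any) lets dangerous values through."""
    lo, hi, default = spec
    safe_lo = bisect_boundary(run_is_stable, default, lo)
    safe_hi = bisect_boundary(run_is_stable, default, hi)
    return {"param": name,
            "safe_range": (safe_lo, safe_hi),
            "bug": safe_lo > lo or safe_hi < hi}

# Constructed oracle: the vehicle only stays stable for gains in [0.05, 0.3],
# while the declared range of the (constructed) parameter is [0.01, 0.5].
def toy_oracle(value):
    return 0.05 <= value <= 0.3

SPEC_NAME, SPEC_RANGE = "ATC_RAT_RLL_P", (0.01, 0.5, 0.135)

def run_demo():
    return fuzz_parameter(SPEC_NAME, SPEC_RANGE, toy_oracle)
```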

Evaluation

  • How effective is RVFuzzer at finding input validation bugs?
    • Discovered both types of bugs (range implementation and range specification bugs) and hybrids
    • Detected a total of 89 input validation bugs, affecting a total of 63 control parameters
      • 87 of the bugs were 0-day bugs
    • At the time of this paper, developers independently confirmed 8 bugs and patched 7 of them
      • Discovering and validating requires lots of time and effort

Final Thoughts

  • The simplicity and reliability of MAVLink have created a weakness in drone infrastructures.
     
  • No mention of bug classification. The bugs may have tiers of severity that will lead to them needing prioritization when investigating and patching.
     
  • The overhead (~11 bugs/day) of the fuzzing technique may be justified by the potential for secure and safe testing.
     
  • Will input validation bugs produce more false positives for safety?

Questions?

(Thanks!)