RVFuzzer: Finding Input Validation Bugs in Robotic Vehicles through Control-Guided Testing

Danielle Adams
CSGY-9223: Mobile Security

11/13/19

Taegyu Kim, Purdue University; Chung Hwan Kim and Junghwan Rhee, NEC Laboratories America; Fan Fei, Zhan Tu, Gregory Walkup, Xiangyu Zhang, Xinyan Deng, and Dongyan Xu, Purdue University

https://www.usenix.org/conference/usenixsecurity19/presentation/kim

RV Fuzzing

• RV: Robotic Vehicles; drones, etc.
   
• Unmanned Autonomous Vehicle (UAV): vehicle that senses its surroundings and navigates without remote guidance
   
• Fuzzing: automated software testing technique that involves providing invalid, unexpected, or random data as input

How do RVs work?

• Ground Control System (GCS)
  • ground-based computer that is used for planning a mission
     
• RV System
  • Mission Module
  • Sensor Module
  • Controllers
  • Motor
     
• Physical Environment

How do RVs work?

Control Parameters

• Because of the complexity and generality of RV control model and program, a large number of configurable parameters exist in the control program.
  • Many dynamically adjustable at runtime via GCS interface.
     
• When receiving a GCS command, the control program is supposed to perform input validation.
  • When the input is not validated, it can introduce input validation bugs that can be exploited by attackers.

Control Parameters

Landscape of RV Attacks

• Physical attacks
  • ​sensor spoofing
  • Defense: control-based detection and filter
     
• Software syntactic bug exploitation
  • buffer overflow
  • Defense: program fuzzing and hardening
     
• Control-semantic bug exploitation
  • input validation bug
  • Not defendable with above approaches

Control-Semantic Bug Exploitation

• Malicious parameter-changing command
  • ​GCS-to-vehicle communication is not secure
    • MAVLink
  • Cause at least one controller to malfunction

MAVLink

• Micro Air Vehicle (MAV) Link is a lightweight, header-only message library for communication between drones and/or ground control stations.
   
• It can also be used between onboard drone components.
   
• MAVLink libraries are available in most programming languages.
   
• Research has indicated that this protocol is not secure
  • https://arxiv.org/pdf/1905.00265.pdf
  • https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=8425627

Attack Model

• Knowing an adjustable control parameter with incorrect or missing range check logic in the control program, the attacker concocts and issues a seemingly innocent – but actually malicious – parameter-change GCS command to the victim RV.
   
• The illegitimate parameter value will be accepted by the control program and cause at least the RV to malfunction.
   
• The attacker may also opportunistically exploit a certain environmental condition (e.g., strong wind) under which a parameter-change command would become dangerous.

Attack Model Justifications

• Remotely triggered by single malicious control parameter-change command (leaves a minimum footprint)
   
• No need for sensor spoofing, code injection, or trojaned exploits
   
• Launched after program is hardened against traditional exploits

RVFuzzer Design

Guided fuzzing technique

RVFuzzer Design

• GCS: responsible for issuing RV control parameter-change commands
   
• Subject Control Program: controls operations of the simulated RV
   
• Simulator: emulates the physical vehicle and its operating physical environment

RVFuzzer Design

• Control-Guided Tester has 2 sub-modules:
  • Control Instability Detector
    • Bad control program run is detected by looking at generic control instability properties.
  • Control-Guided Input Mutator
    • Safe, efficient control loop fuzzing leveraging a high-fidelity simulator and control properties.

Control Instability Detector

• To accurately detect bug-induced physical disturbance, RVFuzzer must be able to sense control state deviation.
  • Among the possible physical disturbances experienced by an RV, there are 2 types of control state deviation: observed state deviation (fails to stabilize in observed) and reference state deviation (deviates from given mission).

Control-Guided Input Mutator

• The input generation method considers both control parameters and environmental factors to optimize for coverage and test runs.
   
• Control parameters have a value mutation space that includes:
  • list of dynamically adjustable control parameters
  • range of possible values and default for each
     
• Uses this data along with the result of the previous run of the control program; the output of the Feedback-Driven Parameter Input Mutator is the input of the next test run.

Evaluation

• How effective is RVFuzzer at finding input validation bugs?
  • Discovered both types of bugs (range implementation and range specification bugs) and hybrids
  • While affecting a total of 63 control parameters, detected a total of 89 input validation bugs
    • 87 of the bugs were 0-day bugs
  • At the time of this paper, developers independently confirmed 8 bugs and patched 7 of them
    • Discovering and validating requires lots of time and effort

Evaluation

Final Thoughts

• The simplicity and reliability of MAVLink has created a weakness in drone infrastructures.
   
• No mention of bug classification. The bugs may have tiers of severity that will lead to them needing prioritization when investigating and patching.
   
• The overhead (~11 bugs/day) of the fuzzing technique may be justified by the potential secure and safe testing.
   
• Will input validation bugs produce more false positives for safety?

Questions?

(Thanks!)