This content is not included in
your SAE MOBILUS subscription, or you are not logged in.
Integrating Fuzz Testing into the Cybersecurity Validation Strategy
Technical Paper
2021-01-0139
ISSN: 0148-7191, e-ISSN: 2688-3627
This content contains downloadable datasets
Annotation ability available
Sector:
Event:
SAE WCX Digital Summit
Language:
English
Abstract
Automotive systems have become increasingly more complex, interconnected and prone to cyberattacks in recent years. With larger software bases and multiple external communication interfaces, the risks for new vulnerabilities and attack vectors on vehicles also increase. Therefore, modern cybersecurity validation is highly stressed for finding security vulnerabilities and robustness issues early and systematically at every stage of the product development process. The integration of a sophisticated fuzz testing program within the overall cybersecurity validation strategy allows for accommodating towards these challenging demands. In this paper, we review a general automotive cybersecurity engineering process containing functional testing, vulnerability scanning and penetration testing, and highlight shortcomings that can be complemented by fuzz testing. We present how fuzz testing is not only beneficial to improve product security directly by detecting weaknesses, but also indirectly by providing input to allow enhancing other testing activities. Finally, we provide a suggestion for an updated cybersecurity engineering process, which gives guidance on when fuzz testing should be performed and how fuzz testing should interface with other testing activities. Our approach is compliant to the ISO/SAE DIS 21434 cybersecurity engineering process. The approach uses Threat Analysis and Risk Assessment (TARA) together with Cybersecurity Assurance Levels (CALs) for the systematic identification of high-priority attack vectors and assignment of testing priorities. With this knowledge, it is possible to decide where, when and how often fuzz testing shall be applied for both finding unknown vulnerabilities and regressions in an automatized manner. This approach identifies issues earlier and with greater coverage than functional testing, vulnerability scanning and penetration testing could achieve on their own. As a result, by following this approach, the overall cybersecurity engineering process is more comprehensive, security remediation costs are lower, and resources for manual activities such as penetration testing are used more efficiently.
Recommended Content
Instructor-Led Training | Managing Cybersecurity Risks Using ISO/SAE 21434 |
Ground Vehicle Standard | Design Review Based on Failure Modes (DRBFM) |
Aerospace Standard | Systems Engineering Capability Model Appraisal Method |
Citation
Vinzenz, N. and Oka, D., "Integrating Fuzz Testing into the Cybersecurity Validation Strategy," SAE Technical Paper 2021-01-0139, 2021, https://doi.org/10.4271/2021-01-0139.Data Sets - Support Documents
Title | Description | Download |
---|---|---|
Unnamed Dataset 1 |
Also In
References
- ISO/SAE DIS 21434 2020 https://www.iso.org/standard/70918.html
- Wooderson , P. , and Ward , D. Cybersecurity Testing and Validation SAE Technical Paper 2017-01-1655 2017 https://doi.org/10.4271/2017-01-1655
- VDA QMC Working Group 13/Automotive SIG 2017
- Knudsen , J. and Varpiola , M. 2017
- CVE-2017-7932 2017 https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-7932
- CVE-2018-6242 2018 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6242
- Software Engineering Institute
- CVE 2020 https://cve.mitre.org/
- NIST 2020 https://nvd.nist.gov/
- Oka , D.K. , Fujikura , T. , and Kurachi , R. Shift Left: Fuzzing Earlier in the Automotive Software Development Lifecycle Using HIL Systems escar Europe Brussels, Belgium 2018
- Hirata , K. , Oka , D.K. , and Vuillaume , C. Using Monitoring Capabilities to Improve Fuzz Testing over CAN: Memory Checking and Code Coverage Symposium on Cryptography and Information Security (SCIS) Kumamoto, Japan 2016
- Kuipers , R. and Oka , D.K. Improving Fuzz Testing of Infotainment Systems and Telematics Units Using Agent Instrumentation escar USA Ypsilanti, MI 2019
- Fowler , D.S. , Bryans , J. , Shaikh , S.A. , and Wooderson , P. Fuzz Testing for Automotive Cyber-Security 2018 48th Annual IEEE/IFIP International Conference on Dependable Systems and Networks Workshops (DSN-W) Luxembourg City 2018 239 246 10.1109/DSN-W.2018.00070
- ISO 14229-1 2020 https://www.iso.org/standard/72439.html
- Duvall , P. , Matyas , S. , and Glover , A. Continuous Integration: Improving Software Quality and Reducing Risk Addison-Wesley Professional 2007