Integrating Fuzz Testing into a CI Pipeline for Automotive Systems
Technical Paper
2022-01-0117
ISSN: 0148-7191, e-ISSN: 2688-3627
Language: English
Abstract
With the rapid development of connected and autonomous vehicles, more sophisticated automotive systems running large portions of software and implementing a variety of communication interfaces are being developed. The ever-expanding codebase increases the risk of software vulnerabilities, while at the same time the large number of communication interfaces makes the systems more susceptible to being targeted by attackers. As such, it is of utmost importance for automotive organizations to identify potential vulnerabilities early and continuously in the development lifecycle in an automated manner. In this paper, we suggest a practical approach for integrating fuzz testing into a Continuous Integration (CI) pipeline for automotive systems. As a first step, we have performed a Threat Analysis and Risk Assessment (TARA) of a general E/E architecture to identify high-risk interfaces and functions. Next, we discuss the strategies for continuous fuzz testing and the technical requirements for integrating fuzz testing into a CI pipeline. Here it is imperative that organizations update their test strategies, covering how often to test, when to test, what to test, how to detect exceptions and how to handle the test results. The technical requirements further describe what is required in a fuzz testing environment to fulfill these strategies. Finally, we have prepared an appropriate test environment for integrating fuzz testing into a target system’s CI pipeline. The fuzz testing tool is executed in an automated and continuous manner as part of the development process. Technical details about the implementation are presented and discussed. As a result, integrating fuzz testing into a CI pipeline contributes to the overall DevSecOps toolchain, allowing automotive organizations to perform more comprehensive and systematic fuzz testing for detecting potential vulnerabilities early and continuously throughout development.
Citation
Oka, D. and Vinzenz, N., "Integrating Fuzz Testing into a CI Pipeline for Automotive Systems," SAE Technical Paper 2022-01-0117, 2022, https://doi.org/10.4271/2022-01-0117.