Connectivity and Artificial Intelligence
Security first — the more software is used to connect things, the more crucial it is to protect it from external attacks. With the growth of the Internet of Things (IoT), such as connected autonomous cars, smart household appliances, smart building automation, smart city infrastructures and smart I4.0 factories, the required amount of software to realize the desired functionality has increased exponentially. As these products are constantly connected to the internet to offer and make use of a wide range of digital services, they are exposed to remote attacks. These attacks pose a very serious threat to IoT because they are easy to launch, cheap to replicate and simple to scale. Most remote attacks exploit security vulnerabilities in (network-facing) software. Recently, a new breed of (modern) fuzzing tools achieved a breakthrough which has made them very effective in finding robustness flaws and security bugs. For instance, as of June 2021, OSS-Fuzz has leveraged modern fuzzing to find over 30 thousand bugs in 500 open-source projects. “Fuzzing” has thus proven itself to be the most effective testing technique to find previously unknown security vulnerabilities. In simple terms, modern fuzzing is an automated software testing technique that generates targeted test cases to find vulnerabilities and bugs in software. At the time of writing, fuzzing is mainly applicable to desktop or enterprise software, and exploring fuzzing in relation to IoT software or cyber-physical systems in general is still an open research area.
Bosch Research R&D Project Lead Rakshith Amarnath explains what Fuzzing means.
IoT software differs from enterprise, desktop or cloud software in several aspects. First, software portability is not always a given due to the special purpose utility of IoT devices. For performance reasons, most IoT software is platform dependent. This entanglement makes it difficult to strip out (stub) IoT software in isolation and fuzz it independently of hardware, peripherals and sensor sets. Furthermore, the problem is intensified when the build chain is complex, involving code-generation and usage of certified tools for regulatory reasons.
Second, IoT software is mostly stateful, which means that in order to trigger an interesting functionality, a series of state transitions must take place. In addition, cyber-physical systems take inputs from the environment via sensors, and the environment often represents the external state for the system. If we only check the software without considering external states, the tests will be neither effective nor representative.
Third, the complexity of the software supply chain for an embedded IoT device is increasing. Ensuring the robustness and security of software that includes a mix of internal (white-box components) and external (black-box) components becomes a challenge. The talk I gave at FuzzCon Europe 2020 sheds light on what's different about fuzzing automotive software.
Together with my team at Bosch Research, we are attempting to tackle domain-specific challenges to make fuzzing-like techniques useful for IoT software as we seek answers to the following research questions:
- How do we fuzz stateful software? Is there a way to handle evolving program states while fuzzing?
- How long should the fuzzing last? Are there approaches to determine a better end-of-test criteria for fuzzing?
- How do we fuzz IoT devices? Can we tailor fuzzing to IoT use cases? Can we rely on debuggers to guide fuzzing?
- How can we leverage machine learning for fuzzing? Is there a way to generalize a machine-learning test-case generator to cover multiple fault types?
- How can we extend industrial-grade virtual emulation platforms, such as virtual Electronic Control Units (vECUs), with fuzzing? Can we find a good combination of different ensembles for fuzzing embedded software?
We will soon be publishing our research results in leading scientific and industrial conferences. Furthermore, we are very pleased to be conducting collaborative research on these topics as part of the recently launched CPSec project of the German Federal Ministry of Education and Research (BMBF).
What are your thoughts on this topic?
Please feel free to share them or to contact me directly.
Author: Rakshith Amarnath
Rakshith is a research engineer, project leader and fuzzing evangelist at Bosch Research. Together with his team, Rakshith is currently investigating how fuzzing can be made applicable to effectively test and secure connected Bosch products. Rakshith completed his M.Sc. degree in Embedded Systems with honors from the Delft University of Technology in 2012. Since then, he has been part of Bosch Research working on software dependability (including safety and security). He further actively represents Bosch Research’s topics and technically coordinates publicly funded projects from the German Federal Ministry. Additionally, he engages with the scientific community via invited keynote talks and as an industry chair for IEEE conferences.
The following resources provide a more in-depth understanding of fuzzing and its application for use cases of interest to Bosch.