PGFUZZ: Policy-Guided Fuzzing for Robotic Vehicles

Hyungsub Kim, Muslum Ozgur Ozmen, Antonio Bianchi, Z. Berkay Celik, Dongyan Xu
Proceedings of the 2021 Network and Distributed System Security Symposium (NDSS 2021)
Abstract: Robotic vehicles (RVs) are becoming essential tools of modern systems, including autonomous delivery services, public transportation, and environment monitoring. Despite their diverse deployment, safety and security issues with RVs limit their wide adoption. Most attempts to date in RV security aim to propose defenses that harden their control program against syntactic bugs, input validation bugs, and external sensor spoofing attacks. In this paper, we introduce PGFUZZ, a policy-guided fuzzing framework, which validates whether an RV adheres to identified safety and functional policies that cover user commands, configuration parameters, and physical states. PGFUZZ expresses desired policies through temporal logic formulas with time constraints as a guide to fuzz the analyzed system. Specifically, it generates fuzzing inputs that minimize a distance metric measuring "how close" the RV's current state is to a policy violation. In addition, it uses static and dynamic analysis to focus the fuzzing effort only on those commands, parameters, and environmental factors that influence the "truth value" of any of the exercised policies. The combination of these two techniques allows PGFUZZ to increase the efficiency of the fuzzing process significantly. We validate PGFUZZ on three RV control programs, ArduPilot, PX4, and Paparazzi, with 56 unique policies. PGFUZZ discovered 156 previously unknown bugs, 106 of which have been acknowledged by their developers.

improperly allowed them to activate the anti-stall system [17]. Unfortunately, previous fuzzing approaches cannot discover this type of violation for the following two reasons. First, they do not consider the entire input space of the RV's control software, including user commands, configuration parameters, and environmental factors. Second, they only focus on finding memory corruption bugs or the RV's control stability issues. Therefore, they cannot detect safety policy violations, e.g., a drone deploying its parachute at too low an altitude. We develop PGFUZZ, a policy-based fuzzing framework designed to address these challenges. PGFUZZ includes three interconnected components: (1) Pre-Processing, (2) Policy-Guided Fuzzing, and (3) Bug Post-Processing. In the Pre-Processing component, we express the correct operation of an RV through policies denoted by a metric temporal logic (MTL). Thereafter, we minimize the fuzzing space by finding inputs related to the tested policies that, when mutated, could trigger policy violations. For example, given a policy in natural language stating that "the fail-safe mode must be triggered when the engine temperature is higher than 100°C", PGFUZZ expresses this policy with the MTL formula: {(temperature>100°C) → (failsafe=on)}. It then decomposes this formula into the temperature and the fail-safe mode states, and identifies fuzzing inputs such as user commands (e.g., increasing temperature) and configuration parameters (e.g., units of temperature) that influence the policy states. Then, the Policy-Guided Fuzzing component mutates the inputs identified by the Pre-Processing component. It implements two kinds of distance metrics: propositional distances to guide the mutation engine, and a global distance to detect when a policy violation occurs. The distance metrics quantify how close the current system states are to a policy violation. Positive distances indicate the policy holds, whereas negative distances indicate the policy is violated. Therefore, PGFUZZ mutates inputs to minimize the global distance. After each input is sent to the control software, which runs in an RV simulator, PGFUZZ collects the system states and computes the distance metrics. The input's impact on the distance metric (whether it increases or decreases) is leveraged to decide on the next inputs. When the global distance becomes negative, a policy violation is detected.

Turning to the fail-safe mode example, PGFUZZ mutates inputs to increase the temperature to be larger than 100°C, and checks whether, at the same time, the fail-safe mode is activated. The last component, Bug Post-Processing, minimizes the input sequence triggering the bugs by excluding inputs irrelevant to the policy violation. The minimized input sequence is then used to identify the root cause of each violated policy. To verify the correctness and effectiveness of PGFUZZ, we
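The following Python sketch is an added example, not code from the paper or from PGFUZZ's implementation. It shows, for the fail-safe policy {(temperature>100°C) → (failsafe=on)}, how propositional distances combine into a global distance, how that distance can steer the choice of the next input, and how a violating input sequence is then minimized by dropping inputs that do not matter. The `ToyController`, its deliberately constructed unit-conversion bug, the input space, and every name here are assumptions made for illustration; the MTL time constraints of real PGFUZZ policies are not modeled (the policy is checked after every input).

```python
import random

THRESHOLD_C = 100.0  # "engine temperature higher than 100°C" from the policy


class ToyController:
    """Constructed stand-in for an RV control program (not ArduPilot, PX4 or
    Paparazzi code). It carries one deliberate, constructed bug: when the
    TEMP_UNITS parameter is "F", the fail-safe threshold is converted to
    Fahrenheit but the sensor reading is still compared in Celsius, so the
    fail-safe does not trigger until 212°C."""

    def __init__(self):
        self.params = {"TEMP_UNITS": "C"}
        self.temperature_c = 20.0
        self.heading = 0.0
        self.failsafe = False

    def apply(self, inp):
        kind, value = inp
        if kind == "cmd_heat":        # user command raising engine load/temperature
            self.temperature_c += value
        elif kind == "cmd_yaw":       # user command unrelated to the policy
            self.heading = (self.heading + value) % 360
        elif kind == "param":         # configuration parameter change
            name, val = value
            self.params[name] = val
        threshold = THRESHOLD_C
        if self.params["TEMP_UNITS"] == "F":
            threshold = threshold * 9 / 5 + 32   # constructed bug: reading not converted
        self.failsafe = self.temperature_c > threshold


def replay(inputs):
    """Run a fresh controller through an input sequence and return its final state."""
    ctl = ToyController()
    for inp in inputs:
        ctl.apply(inp)
    return ctl


# Propositional distances: > 0 when the proposition holds, < 0 when it does not.
def d_temp_high(ctl):
    return ctl.temperature_c - THRESHOLD_C          # (temperature > 100°C)


def d_failsafe_on(ctl):
    return 1.0 if ctl.failsafe else -1.0            # (failsafe = on)


def global_distance(ctl):
    """p -> q is equivalent to (not p) or q: negation flips the sign of a
    distance and disjunction takes the max. Positive: policy holds.
    Negative: policy violated."""
    return max(-d_temp_high(ctl), d_failsafe_on(ctl))


INPUT_SPACE = [  # constructed fuzzing inputs (user commands and one parameter)
    ("cmd_heat", 10.0), ("cmd_heat", 30.0), ("cmd_heat", -10.0),
    ("cmd_yaw", 15.0),
    ("param", ("TEMP_UNITS", "F")), ("param", ("TEMP_UNITS", "C")),
]


def fuzz(max_rounds=500, seed=0):
    """Greedy distance-guided search: each round, try every candidate input,
    keep the one that leaves the smallest global distance (ties broken at
    random), and stop as soon as the distance becomes negative."""
    rng = random.Random(seed)
    seq = []
    for _ in range(max_rounds):
        scored = [(global_distance(replay(seq + [c])), c) for c in INPUT_SPACE]
        best = min(d for d, _ in scored)
        seq.append(rng.choice([c for d, c in scored if d == best]))
        if best < 0:
            return seq
    return None


def minimize(seq):
    """Bug post-processing: drop one input at a time and keep the drop when
    the violation still reproduces, until no single input can be removed."""
    changed = True
    while changed:
        changed = False
        for i in range(len(seq)):
            trial = seq[:i] + seq[i + 1:]
            if global_distance(replay(trial)) < 0:
                seq, changed = trial, True
                break
    return seq


if __name__ == "__main__":
    full = fuzz()
    small = minimize(full)
    ctl = replay(small)
    print("violating sequence:", small)
    print("final state: temperature=%.0f°C failsafe=%s TEMP_UNITS=%s"
          % (ctl.temperature_c, ctl.failsafe, ctl.params["TEMP_UNITS"]))
```

The search only moves toward states where the temperature proposition is close to true while the fail-safe proposition is false, so it never "wastes" rounds lowering the temperature; the unit parameter is the only input that lets it cross the threshold without the fail-safe engaging, which is exactly the kind of configuration-dependent violation the paper targets. The minimized sequence still contains the parameter change and the heating commands but none of the yaw commands, which points the root-cause analysis at the unit conversion.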
doi:10.14722/ndss.2021.24096 fatcat:eihty35vivc5bba7jsis2atwpu