Bringing Fuzzing to the Cyber-Physical World
Abstract
Motivation. In naval environments, Cyber-Physical Systems (CPS), such as Unmanned Robotic Vehicles (UAVs), chemical plants, flight control systems, and nuclear reactors, pose safety and security issues in both cyberspace and the physical space. CPS often have large codebases that control complex networks of software, hardware, and physical components operating across cyber and physical spaces. Therefore, extracting a model representing the behavior in cyber and physical spaces from a large amount of CPS code to verify its correctness can be impractical. To address these challenges, fuzzing techniques can be applied to find implementation bugs, providing scalable code verification. However, CPS code vetting via fuzzing poses two main concerns: (1) fuzzers do not detect physical/control property violations that do not trigger program crashes; for instance, they cannot detect a violation of the property that two valves should not open at the same time when the temperature exceeds a specific threshold value, and (2) they do not address bugs in the tight interaction between the CPS code and the physical world in which it operates; for instance, a security property violation within a UAV system that can only be triggered when the wind speed goes beyond a certain value.
Proposed Research: Fuzzing Cyber-Physical World. We will develop new techniques and practical tools operating on deeply intertwined physical and cyber components to verify CPS correctness with respect to relevant properties.
Specifically, we seek to develop approaches that consider (1) the CPS code processing inputs acquired from the physical world that can potentially trigger software bugs and property violations, and (2) the physical/control domain influencing the CPS operation on spatial and temporal scales, potentially leading to unsafe and insecure physical states. In this effort, we propose to develop CPSFuzzer, a CPS fuzzing framework, to provide code verification or validation of the desired properties that capture interactions within both the cyber and physical worlds. The proposed work will follow three tasks: (Task I) Property Extraction aims to extend and combine requirements engineering and automated techniques to identify properties describing the safety and security requirements of composite system behavior, (Task II) Simulator Introspection exposes the internal states of the simulator of the subject CPS and maps the security property model to report unsafe physical states automatically and compute a score of the current state, providing feedback to the fuzzing, and (Task III) Physics-in-the-Loop Fuzzing of CPS aims at developing algorithms in both physical-state-based coverage fuzzing and composite fuzzing.
Innovation Claim and Impacts. The novelty of this work lies in the security modeling of a large-scale CPS, enhancing a CPS simulator as a white-box approach (instead of black-box usage) and building a new fuzzer, named CPSFuzzer, guided by physical/control states (in addition to code coverage). We will not only use fuzzing to detect exceptions such as program crashes and memory corruptions but also revise fuzzing techniques to take physical properties into account and, further, to reason about violations of a property set through composite CPS behavior within shared physical spaces.
This effort will result in the following capabilities not supported by current fuzzers: (1) it will produce methods and systems for physics-centric CPS analysis and verification in physical spaces, (2) it will evaluate the composite behavior of a target CPS controlling a complex network of one or more sensors, platforms, and systems within the physical environment, and (3) the developed framework will be a basis for a deception environment (e.g., CPS honeynet) to evaluate and mitigate the adversarial attacks that maliciously corrupt CPS inputs. As such, the results of this work will provide rigorous guarantees to achieve safer and more secure CPS implementations.
Document Details
- Document Type: DoD Grant Award
- Publication Date: Feb 17, 2020
- Source ID: N000142012128
Entities
People
- Zeynal Celik
Organizations
- Office of Naval Research
- United States Navy
- University of Virginia