Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Automated Fuzzing of Automotive Control Units

Timothy Werquin, Roos Hubrechtsen, Ashok Thangarajan, Frank Piessens, Jan Tobias Muehlberg

TL;DR

The paper addresses the challenge of security testing for CAN-based automotive ECUs, where traditional methods struggle to automatically detect system changes in response to message injections. It introduces a largely automated fuzzing methodology that combines bug oracles, multiple fuzzing strategies (brute-force, mutation, identify), and a sensor-harness to observe physical ECU outputs, all integrated into the CaringCaribou framework as autoFuzz. The authors define fuzzers, configurations, and oracles, and validate the approach with case studies on VulCAN and automotive instrument clusters, demonstrating rapid vulnerability discovery and substantial speed-ups in reverse-engineering proprietary CAN behavior. The work offers a practical, extensible path for automotive security testing and protocol discovery that can generalize to other cyber-physical systems, backed by an open-source toolchain for replication and extension.

Abstract

Modern vehicles are governed by a network of Electronic Control Units (ECUs), which are programmed to sense inputs from the driver and the environment, to process these inputs, and to control actuators that, e.g., regulate the engine or even control the steering system. ECUs within a vehicle communicate via automotive bus systems such as the Controller Area Network (CAN), and beyond the vehicles boundaries through upcoming vehicle-to-vehicle and vehicle-to-infrastructure channels. Approaches to manipulate the communication between ECUs for the purpose of security testing and reverse-engineering of vehicular functions have been presented in the past, all of which struggle with automating the detection of system change in response to message injection. In this paper we present our findings with fuzzing CAN networks, in particular while observing individual ECUs with a sensor harness. The harness detects physical responses, which we then use in a oracle functions to inform the fuzzing process. We systematically define fuzzers, fuzzing configurations and oracle functions for testing ECUs. We evaluate our approach based on case studies of commercial instrument clusters and with an experimental framework for CAN authentication. Our results show that the approach is capable of identifying interesting ECU states with a high level of automation. Our approach is applicable in distributed cyber-physical systems beyond automotive computing.

Automated Fuzzing of Automotive Control Units

TL;DR

The paper addresses the challenge of security testing for CAN-based automotive ECUs, where traditional methods struggle to automatically detect system changes in response to message injections. It introduces a largely automated fuzzing methodology that combines bug oracles, multiple fuzzing strategies (brute-force, mutation, identify), and a sensor-harness to observe physical ECU outputs, all integrated into the CaringCaribou framework as autoFuzz. The authors define fuzzers, configurations, and oracles, and validate the approach with case studies on VulCAN and automotive instrument clusters, demonstrating rapid vulnerability discovery and substantial speed-ups in reverse-engineering proprietary CAN behavior. The work offers a practical, extensible path for automotive security testing and protocol discovery that can generalize to other cyber-physical systems, backed by an open-source toolchain for replication and extension.

Abstract

Modern vehicles are governed by a network of Electronic Control Units (ECUs), which are programmed to sense inputs from the driver and the environment, to process these inputs, and to control actuators that, e.g., regulate the engine or even control the steering system. ECUs within a vehicle communicate via automotive bus systems such as the Controller Area Network (CAN), and beyond the vehicles boundaries through upcoming vehicle-to-vehicle and vehicle-to-infrastructure channels. Approaches to manipulate the communication between ECUs for the purpose of security testing and reverse-engineering of vehicular functions have been presented in the past, all of which struggle with automating the detection of system change in response to message injection. In this paper we present our findings with fuzzing CAN networks, in particular while observing individual ECUs with a sensor harness. The harness detects physical responses, which we then use in a oracle functions to inform the fuzzing process. We systematically define fuzzers, fuzzing configurations and oracle functions for testing ECUs. We evaluate our approach based on case studies of commercial instrument clusters and with an experimental framework for CAN authentication. Our results show that the approach is capable of identifying interesting ECU states with a high level of automation. Our approach is applicable in distributed cyber-physical systems beyond automotive computing.

Paper Structure

This paper contains 25 sections, 3 figures.

Table of Contents

  1. Introduction
  2. Our Contributions.
  3. Background
  4. Controller Area Network (CAN) & Security
  5. CaringCaribou and Automotive Penetration Testing
  6. Fuzzing CAN Networks
  7. Bug Oracles for ECUs
  8. Defining CAN Fuzzers
  9. Brute-Force Fuzzing.
  10. Mutation Fuzzing.
  11. Identify Fuzzing.
  12. Automated ECU Exploration.
  13. Target-Specific Fuzzer Configuration
  14. A Sensor Harness to Automate ECU Fuzzing
  15. Light & Colour Sensors: ISL29125.
  16. ...and 10 more sections

Figures (3)

  • Figure 1: Extended data frame standardised by CAN 2.0B.
  • Figure 2: Sensor harness connection schema showing (1) the FT232H I2C-to-USB converter, (2) an TCA9548A I2C Multiplexer, and (3) two ISL29125 light & colour sensors.
  • Figure 3: An automotive instrument cluster with (part of) our sensor harness attached. The cluster originates from a 2014 Seat Ibiza model.