HIFuzz: Human Interaction Fuzzing for small Unmanned Aerial Vehicles

TL;DR

HIFuzz tackles safety challenges arising from human interactions in small UAS by applying scenario-based fuzz testing across three progressively realistic levels (L1-L3) with two safety gateways (G1, G2). The framework defines formal test specifications and uses a structured pipeline to rapidly explore test spaces in simulation, validate human-in-the-loop behaviors with real users, and confirm mitigations in field trials. Key findings show that HIFuzz reveals diverse human-interaction vulnerabilities, including both known SA demons and novel failure modes, and that each test level provides unique insights while enabling safe field deployment through rigorous gating. The approach is demonstrated on a distributed multi-sUAS (D4A) system, indicating potential generalizability to other CPS domains.

Abstract

Small Unmanned Aerial Systems (sUAS) must meet rigorous safety standards when deployed in high-stress emergency response scenarios; however many reported accidents have involved humans in the loop. In this paper, we, therefore, present the HiFuzz testing framework, which uses fuzz testing to identify system vulnerabilities associated with human interactions. HiFuzz includes three distinct levels that progress from a low-cost, limited-fidelity, large-scale, no-hazard environment, using fully simulated Proxy Human Agents, via an intermediate level, where proxy humans are replaced with real humans, to a high-stakes, high-cost, real-world environment. Through applying HiFuzz to an autonomous multi-sUAS system-under-test, we show that each test level serves a unique purpose in revealing vulnerabilities and making the system more robust with respect to human mistakes. While HiFuzz is designed for testing sUAS systems, we further discuss its potential for use in other Cyber-Physical Systems.

Figures (5)

• Figure 1: Due to a combination of mistakes, including 'operator error' by the Remote Pilot in Command, the sUAS flew off-route and ascended to 734 feet AGL. Note: All required regulatory reports were filed describing the incident.
• Figure 2: The HIFuzz framework supports tests at all three levels. L1 operates fully in a simulated environment with support from a fuzzer and a proxy human agent. L2 operates with real humans in an otherwise simulated environment, and L3 operators in the physical world.
• Figure 3: HIFuzz Prompts are shared with human test participants via a mobile app. Here we show the design of the tester's precheck screen (1), followed by a series of prompts shared with the RPIC (2a-h), and MC (3) roles respectively. Figures represent the design which was fully implemented and deployed using React-Native.
• Figure 4: An issue posted to Github describing a human-interaction incident, where the RPIC was forced to take control due to an altitude anomaly on the drone.
• Figure 5: In this case the RPIC switched modes to stabilized whilst the sUAS was flying in offboard mode. Due to the current trajectory and momentum of the sUAS, it continued its upward trajectory, ultimately reaching a height of 377 meters and a distance of over 550 meters. Ultimately, the TESTER issued a land command to force an end to the mission. To minimize human errors caused by untimely mode-switches to stabilized, we can move the stabilized switch to a less prominent position, and add monitors to recognize if the drone is in 'free flight' due to a sudden switch to STABILIZE mode.