Table of Contents
Fetching ...

Uncovering Failures in Cyber-Physical System State Transitions: A Fuzzing-Based Approach Applied to sUAS

Theodore Chambers, Arturo Miguel Russell Bernal, Michael Vierhauser, Jane Cleland-Huang

TL;DR

This work tackles the challenge of validating state transitions in safety-critical cyber-physical systems, specifically small unmanned aerial systems (sUAS), by introducing SaFUZZ, a state-aware fuzzing framework. SaFUZZ operates in two phases: hazard analysis with fuzz specification generation, and automated test execution with dynamic Fault-Tree generation for root-cause analysis, enabling cross-layer exploration of mode transitions, failsafes, and human interactions under diverse timing and environmental conditions. The approach was validated on a real-world sUAS platform (Drone Response) using high-fidelity simulations and field tests, uncovering 11 failures (including 7 true state/mode transition faults and 1 autopilot code fault) and demonstrating that SaFUZZ revealed issues not captured by standard development testing, with 4 of 6 simulated faults reproduced in real flights. While sim-to-real discrepancies—especially around geofence and failsafe behavior—highlight fidelity limits, SaFUZZ proves a practical, scalable means to surface transition hazards and guide improvements in cross-layer sUAS validation and safety assurance.

Abstract

The increasing deployment of small Uncrewed Aerial Systems (sUAS) in diverse and often safety-critical environments demands rigorous validation of onboard decision logic under various conditions. In this paper, we present SaFUZZ, a state-aware fuzzing pipeline that validates core behavior associated with state transitions, automated failsafes, and human operator interactions in sUAS applications operating under various timing conditions and environmental disturbances. We create fuzzing specifications to detect behavioral deviations, and then dynamically generate associated Fault Trees to visualize states, modes, and environmental factors that contribute to the failure, thereby helping project stakeholders to analyze the failure and identify its root causes. We validated SaFUZZ against a real-world sUAS system and were able to identify several points of failure not previously detected by the system's development team. The fuzzing was conducted in a high-fidelity simulation environment, and outcomes were validated on physical sUAS in a real-world field testing setting. The findings from the study demonstrated SaFUZZ's ability to provide a practical and scalable approach to uncovering diverse state transition failures in a real-world sUAS application.

Uncovering Failures in Cyber-Physical System State Transitions: A Fuzzing-Based Approach Applied to sUAS

TL;DR

This work tackles the challenge of validating state transitions in safety-critical cyber-physical systems, specifically small unmanned aerial systems (sUAS), by introducing SaFUZZ, a state-aware fuzzing framework. SaFUZZ operates in two phases: hazard analysis with fuzz specification generation, and automated test execution with dynamic Fault-Tree generation for root-cause analysis, enabling cross-layer exploration of mode transitions, failsafes, and human interactions under diverse timing and environmental conditions. The approach was validated on a real-world sUAS platform (Drone Response) using high-fidelity simulations and field tests, uncovering 11 failures (including 7 true state/mode transition faults and 1 autopilot code fault) and demonstrating that SaFUZZ revealed issues not captured by standard development testing, with 4 of 6 simulated faults reproduced in real flights. While sim-to-real discrepancies—especially around geofence and failsafe behavior—highlight fidelity limits, SaFUZZ proves a practical, scalable means to surface transition hazards and guide improvements in cross-layer sUAS validation and safety assurance.

Abstract

The increasing deployment of small Uncrewed Aerial Systems (sUAS) in diverse and often safety-critical environments demands rigorous validation of onboard decision logic under various conditions. In this paper, we present SaFUZZ, a state-aware fuzzing pipeline that validates core behavior associated with state transitions, automated failsafes, and human operator interactions in sUAS applications operating under various timing conditions and environmental disturbances. We create fuzzing specifications to detect behavioral deviations, and then dynamically generate associated Fault Trees to visualize states, modes, and environmental factors that contribute to the failure, thereby helping project stakeholders to analyze the failure and identify its root causes. We validated SaFUZZ against a real-world sUAS system and were able to identify several points of failure not previously detected by the system's development team. The fuzzing was conducted in a high-fidelity simulation environment, and outcomes were validated on physical sUAS in a real-world field testing setting. The findings from the study demonstrated SaFUZZ's ability to provide a practical and scalable approach to uncovering diverse state transition failures in a real-world sUAS application.
Paper Structure (17 sections, 7 figures, 4 tables)

This paper contains 17 sections, 7 figures, 4 tables.

Figures (7)

  • Figure 1: Application-level states and lower-level PX4 modes for a simple mission. Colors indicate the controlling entity: Application (Blue), PX4 (Orange), Human (Green).
  • Figure 2: High-Level overview of SaFUZZ showing preliminary setup (Phase 1) and the automated pipeline (Phase 2).
  • Figure 3: Partial hazard tree illustrating four representative categories of sUAS failures: state transition failures (H1), failsafe activation failures (H2), human interactions, illustrated here as incorrect positioning of the throttle upon human takeover (H3), and feature interaction errors (H4). Annotated nodes show example semantic fuzz tests targeting each category. The types of hazards shown in this tree are not exhaustive.
  • Figure 4: Decision Tree classifier for labeling fuzz‐test outcomes. Nodes check mission‐failure predicates and human‐interaction conditions; assigns Success, Failure, or Invalid.
  • Figure 5: One of the PX4-equipped hexacopters used in the field tests, running Drone Response Autonomy software onboard a Jetson Xavier NX.
  • ...and 2 more figures