Integrating Fuzz Testing into a CI Pipeline for Automotive Systems

With the rapid development of connected and autonomous vehicles, more sophisticated automotive systems running large portions of software and implementing a variety of communication interfaces are being developed. The ever-expanding codebase increases the risk for software vulnerabilities, while at the same time the large number of communication interfaces make the systems more susceptible to be targeted by attackers. As such, it is of utmost importance for automotive organizations to identify potential vulnerabilities early and continuously in the development lifecycle in an automated manner. In this paper, we suggest a practical approach for integrating fuzz testing into a Continuous Integration (CI) pipeline for automotive systems. As a first step, we have performed a Threat Analysis and Risk Assessment (TARA) of a general E/E architecture to identify high-risk interfaces and functions. Next, we discuss the strategies for continuous fuzz testing and the technical requirements for integrating fuzz testing into a CI pipeline. Here it is imperative that organizations update their test strategies, covering how often to test, when to test, what to test, how to detect exceptions and how to handle the test results. The technical requirements further describe what is required in a fuzz testing environment to fulfill these strategies. Finally, we have prepared an appropriate test environment for integrating fuzz testing into a target system’s CI pipeline. The fuzz testing tool is executed in an automated and continuous manner as part of the development process. Technical details about the implementation are presented and discussed. As a result, by integrating fuzz testing into a CI pipeline, it contributes to the overall DevSecOps toolchain, allowing automotive organizations to perform more comprehensive and systematic fuzz testing for detecting potential vulnerabilities early and continuously throughout development.

• Record URL:
  • https://doi.org/10.4271/2022-01-0117
• Availability:
  • Find a library where document is available. Order URL: http://worldcat.org/issn/01487191
• Supplemental Notes:
  • Abstract reprinted with permission of SAE International.
• Authors:
  • Oka, Dennis Kengo
  • Vinzenz, Nico
• Conference:
  • WCX SAE World Congress Experience
  • Location: Detroit & Online Michigan, United States
  • Date: 2022-4-5 to 2022-4-7
• Publication Date: 2022-3-29

Language

• English

Media Info

• Media Type: Web
• Features: References;
• Serial:
  • SAE Technical Paper
  • Publisher: Society of Automotive Engineers (SAE)
  • ISSN: 0148-7191
  • EISSN: 2688-3627
  • Serial URL: http://papers.sae.org/

Subject/Index Terms

• TRT Terms: Autonomous vehicles; Computer architecture; Computer security; Computers; Risk assessment; Testing equipment
• Subject Areas: Highways; Vehicles and Equipment;

Filing Info

• Accession Number: 01841553
• Record Type: Publication
• Source Agency: SAE International
• Report/Paper Numbers: 2022-01-0117
• Files: TRIS, SAE
• Created Date: Apr 6 2022 2:18PM