Browse Publications Technical Papers 2021-01-0139
2021-04-06

Integrating Fuzz Testing into the Cybersecurity Validation Strategy 2021-01-0139

Automotive systems have become increasingly more complex, interconnected and prone to cyberattacks in recent years. With larger software bases and multiple external communication interfaces, the risks for new vulnerabilities and attack vectors on vehicles also increase. Therefore, modern cybersecurity validation is highly stressed for finding security vulnerabilities and robustness issues early and systematically at every stage of the product development process. The integration of a sophisticated fuzz testing program within the overall cybersecurity validation strategy allows for accommodating towards these challenging demands. In this paper, we review a general automotive cybersecurity engineering process containing functional testing, vulnerability scanning and penetration testing, and highlight shortcomings that can be complemented by fuzz testing. We present how fuzz testing is not only beneficial to improve product security directly by detecting weaknesses, but also indirectly by providing input to allow enhancing other testing activities. Finally, we provide a suggestion for an updated cybersecurity engineering process, which gives guidance on when fuzz testing should be performed and how fuzz testing should interface with other testing activities. Our approach is compliant to the ISO/SAE DIS 21434 cybersecurity engineering process. The approach uses Threat Analysis and Risk Assessment (TARA) together with Cybersecurity Assurance Levels (CALs) for the systematic identification of high-priority attack vectors and assignment of testing priorities. With this knowledge, it is possible to decide where, when and how often fuzz testing shall be applied for both finding unknown vulnerabilities and regressions in an automatized manner. This approach identifies issues earlier and with greater coverage than functional testing, vulnerability scanning and penetration testing could achieve on their own. As a result, by following this approach, the overall cybersecurity engineering process is more comprehensive, security remediation costs are lower, and resources for manual activities such as penetration testing are used more efficiently.

SAE MOBILUS

Subscribers can view annotate, and download all of SAE's content. Learn More »

Access SAE MOBILUS »

Members save up to 18% off list price.
Login to see discount.
Special Offer: Download multiple Technical Papers each year? TechSelect is a cost-effective subscription option to select and download 12-100 full-text Technical Papers per year. Find more information here.
X