Integrating Fuzz Testing into a CI Pipeline for Automotive Systems (2022-01-0117)
With the rapid development of connected and autonomous vehicles, more sophisticated automotive systems are being developed that run large amounts of software and implement a variety of communication interfaces. The ever-expanding codebase increases the risk of software vulnerabilities, while the large number of communication interfaces makes the systems more susceptible to being targeted by attackers. It is therefore of utmost importance for automotive organizations to identify potential vulnerabilities early and continuously in the development lifecycle, in an automated manner. In this paper, we suggest a practical approach for integrating fuzz testing into a Continuous Integration (CI) pipeline for automotive systems. As a first step, we performed a Threat Analysis and Risk Assessment (TARA) of a general E/E architecture to identify high-risk interfaces and functions. Next, we discuss strategies for continuous fuzz testing and the technical requirements for integrating fuzz testing into a CI pipeline. Here it is imperative that organizations update their test strategies to cover how often to test, when to test, what to test, how to detect exceptions and how to handle the test results. The technical requirements further describe what a fuzz testing environment must provide to fulfill these strategies. Finally, we prepared an appropriate test environment for integrating fuzz testing into a target system's CI pipeline, in which the fuzz testing tool is executed in an automated and continuous manner as part of the development process. Technical details of the implementation are presented and discussed. As a result, integrating fuzz testing into a CI pipeline contributes to the overall DevSecOps toolchain, allowing automotive organizations to perform more comprehensive and systematic fuzz testing and to detect potential vulnerabilities early and continuously throughout development.
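As an added example, not the paper's own tool or test environment, the following Python script sketches the shape of the CI fuzz stage the abstract describes: a fixed per-run budget (how often and when to test), a fuzz target (what to test), detection of exceptions (uncaught errors and over-long runs), and result handling (deduplication by crash signature, comparison against a baseline of already-triaged findings, and a build-gating exit status). The target parser, its deliberate defect, the mutator, the seed corpus and the baseline are all constructed here for the demonstration.

```python
"""Added example (not from the paper): a minimal CI fuzz stage.

Runs a fuzz target for a fixed budget, detects exceptions (uncaught
errors and over-long runs), deduplicates findings by a crash signature,
compares them with a baseline of already-known findings and returns a
CI-style exit status. The target parser, the seed corpus, the mutator
and the baseline are all constructed for this demo."""
import hashlib
import json
import random
import time
import traceback


def parse_message(data: bytes) -> dict:
    """Constructed fuzz target: a toy length-prefixed diagnostic frame
    [service][length][payload...]. It deliberately trusts the declared
    length without a bounds check, so truncated frames raise."""
    service = data[0]
    length = data[1]
    payload = data[2:2 + length]
    checksum = payload[length - 1] if length else 0   # no bounds check
    return {"service": service, "length": length, "checksum": checksum}


def crash_signature(exc: BaseException) -> str:
    """Deduplicate by exception type plus the innermost frame's function
    and line number, so many crashing inputs collapse to one finding
    per distinct defect."""
    frame = traceback.extract_tb(exc.__traceback__)[-1]
    key = f"{type(exc).__name__}:{frame.name}:{frame.lineno}"
    return hashlib.sha256(key.encode()).hexdigest()[:16]


def run_fuzz_stage(target, inputs, hang_seconds=1.0) -> dict:
    """Execute every input, classify the outcome and collect one record
    per distinct signature: {sig: {kind, input, count}}."""
    findings = {}
    executed = 0
    for data in inputs:
        executed += 1
        kind = sig = None
        start = time.monotonic()
        try:
            target(data)
        except Exception as exc:              # uncaught error == crash
            kind, sig = "crash", crash_signature(exc)
        else:
            if time.monotonic() - start > hang_seconds:
                # A real pipeline kills the fuzzer process on timeout;
                # in-process we can only flag an over-long run afterwards.
                kind, sig = "hang", hashlib.sha256(data).hexdigest()[:16]
        if kind is None:
            continue
        rec = findings.setdefault(sig, {"kind": kind, "input": data.hex(), "count": 0})
        rec["count"] += 1
    return {"executed": executed, "findings": findings}


def gate(result: dict, known_signatures: set) -> int:
    """Handle results: new findings fail the build (exit 1); findings
    already triaged in the baseline are only reported (exit 0)."""
    new = {s: r for s, r in result["findings"].items() if s not in known_signatures}
    report = {
        "executed": result["executed"],
        "new": new,
        "known": sorted(set(result["findings"]) & known_signatures),
    }
    print(json.dumps(report, indent=2))       # artifact for the CI job log
    return 1 if new else 0


def mutate(rng: random.Random, corpus: list) -> bytes:
    """Simple mutator: pick a seed frame, then flip, insert or delete a byte."""
    data = bytearray(rng.choice(corpus))
    op = rng.randrange(3)
    if op == 0 and data:
        data[rng.randrange(len(data))] ^= 1 << rng.randrange(8)
    elif op == 1:
        data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
    elif data:
        del data[rng.randrange(len(data))]
    return bytes(data)


if __name__ == "__main__":
    # Per-commit budget in iterations; a nightly job would use a larger one.
    rng = random.Random(2022)
    corpus = [b"\x22\x02\xf1\x90", b"\x3e\x00"]   # constructed seed frames
    inputs = (mutate(rng, corpus) for _ in range(2000))
    result = run_fuzz_stage(parse_message, inputs)
    raise SystemExit(gate(result, known_signatures=set()))
```

The baseline set passed to `gate` is what makes the stage usable per commit: findings already filed as defects do not keep failing every build, while any signature not yet triaged fails the job immediately so it is handled in the same change that introduced it.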