Fuzz testing

KPIT has developed a methodology for identifying vulnerabilities using fuzz testing. We have built a fuzzer that finds hidden vulnerabilities in automotive systems by sending fuzzed data over UDS on CAN and over the raw CAN protocol, using mutation-based fuzz testing.

KPIT Approach

  • Identify all diagnostic session IDs present on the System Under Test (SUT) and the arbitration IDs used by each diagnostic session.
  • Create a positive test suite of valid CAN messages.
  • Mutate the valid requests, send the mutated inputs to the SUT and analyse the SUT's responses for a crash or halt.
  • Observe the ECU's behaviour when it is given invalid input. Erroneous ECU responses (vulnerabilities) are found and reported; the requests and responses are stored in a file and analysed.
  • Generate a list of vulnerable messages.
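As an added illustration of the mutate, send and classify loop described above (this is example code, not KPIT's fuzzer or any part of it), the Python below mutates a constructed positive test suite of UDS requests, classifies each response by the UDS positive/negative response rules, and returns the flagged entries from the request/response log. The ECU, the transport and the defect it contains are all stand-ins constructed for this example; in a real run `fake_ecu` would be replaced by a send-and-wait function over an ISO-TP/CAN interface.

```python
import random
from typing import Callable, Optional
VALID_REQUESTS = [  # positive test suite: constructed valid UDS requests (SID + parameters)
    bytes([0x10, 0x03]),        # DiagnosticSessionControl, extended session
    bytes([0x22, 0xF1, 0x90]),  # ReadDataByIdentifier, DID 0xF190 (VIN)
    bytes([0x3E, 0x00]),        # TesterPresent
]
FLAGGED = {"NO_RESPONSE", "UNEXPECTED", "MALFORMED_NEGATIVE"}  # verdicts worth a report

def mutate(request: bytes, rng: random.Random) -> bytes:
    """One random mutation of a valid request: bit flip, byte replace, truncate or extend."""
    data = bytearray(request)
    op = rng.choice(("bitflip", "byte", "truncate", "extend"))
    if op == "bitflip":
        data[rng.randrange(len(data))] ^= 1 << rng.randrange(8)
    elif op == "byte":
        data[rng.randrange(len(data))] = rng.randrange(256)
    elif op == "truncate" and len(data) > 1:
        del data[rng.randrange(1, len(data)):]
    else:
        data.extend(rng.randrange(256) for _ in range(rng.randrange(1, 6)))
    return bytes(data[:7])  # one ISO-TP single frame on classic CAN carries at most 7 UDS bytes

def classify(request: bytes, response: Optional[bytes]) -> str:
    """Bucket the SUT's reaction; anything outside the UDS-defined answers is a finding."""
    if not response:  # timeout (None) may be a crash/halt: confirm with a TesterPresent probe
        return "NO_RESPONSE" if response is None else "UNEXPECTED"
    if response[0] == 0x7F:  # negative response: 7F <SID> <NRC>
        return f"NRC_0x{response[2]:02X}" if len(response) == 3 else "MALFORMED_NEGATIVE"
    if response[0] == request[0] + 0x40:  # positive response echoes SID + 0x40
        return "POSITIVE"
    return "UNEXPECTED"

def fake_ecu(request: bytes) -> Optional[bytes]:
    """Constructed stand-in for the SUT, with one deliberate robustness defect for the demo."""
    sid = request[0]
    if sid == 0x22 and len(request) > 5:
        return None  # the planted defect: an over-long read request makes the ECU stop answering
    if sid not in (0x10, 0x22, 0x3E):
        return bytes([0x7F, sid, 0x11])  # serviceNotSupported
    if len(request) != len(next(r for r in VALID_REQUESTS if r[0] == sid)):
        return bytes([0x7F, sid, 0x13])  # incorrectMessageLengthOrInvalidFormat
    return bytes([sid + 0x40]) + request[1:]

def run_campaign(send: Callable[[bytes], Optional[bytes]], iterations: int, seed: int = 1):
    """Mutate, send, classify; keep a (hex request, verdict) log and return the flagged entries."""
    rng, log = random.Random(seed), []
    for _ in range(iterations):
        req = mutate(rng.choice(VALID_REQUESTS), rng)
        log.append((req.hex(), classify(req, send(req))))
    return [entry for entry in log if entry[1] in FLAGGED]
```

Defined negative response codes such as 0x11 and 0x13 are the expected way for an ECU to reject bad input and are logged but not flagged; a timeout is flagged because the step that matters for a halt finding is confirming that the ECU no longer answers a known-good request.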

Possible attacks on automotive systems that can be prevented:

  • Denial of Service (DoS) attack
  • Replay attack

Tools / Methodologies

  • KPIT has developed its own methodology for identifying vulnerabilities using fuzz testing
  • Knowledge of the system: black-box / grey-box fuzz testing
  • Hardware: CAN tools (CANoe, CANalyzer), ECU
  • KPIT has know-how on commercial fuzz testing tools such as Synopsys Defensics