KPIT has developed a methodology for identifying vulnerabilities using fuzz testing. We have built a fuzzer that finds hidden vulnerabilities in automotive systems by sending mutated data over UDS on CAN, or as raw CAN frames, using mutation-based fuzz testing.
KPIT Approach
- Identify all diagnostic session IDs present on the System Under Test (SUT), and the arbitration IDs used for each diagnostic session.
- Build a positive test suite of valid CAN messages; these are the seeds for mutation.
- Mutate the valid requests, send the mutated inputs to the SUT and analyse the SUT's responses for a crash or halt (for example, a request that previously received a response now receives none).
- Observe how the ECU behaves on invalid input. Erroneous responses from the ECU (candidate vulnerabilities) are identified and reported; every request and response is stored in a file for analysis.
- Generate the list of vulnerable messages.
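The five steps above, carried through as an added worked example in Python. This is not KPIT's fuzzer or any tool named on this page: the SUT is a constructed toy ECU whose behaviour (two sessions, one readable DID, and a halt when the ISO-TP length nibble exceeds its 7-byte buffer) is invented for the demonstration. Service IDs 0x10 and 0x22, the positive-response rule (request SID + 0x40), the negative-response layout 0x7F <SID> <NRC> and the NRC values follow ISO 14229; framing assumes ISO-TP single frames on classic 8-byte CAN. In a real rig the `send` callable would wrap the CAN interface; here it is the toy ECU's handler.

```python
"""Mutation-based fuzzing of UDS-over-CAN requests against a toy ECU model. Added
example, not KPIT's fuzzer: ECU behaviour and halt condition are constructed."""
import random
from typing import Callable, Dict, Iterator, List, Optional
# UDS (ISO 14229) service IDs and negative response codes (NRCs) used below.
SID_SESSION_CONTROL, SID_READ_DATA_BY_ID, NEGATIVE_RESPONSE = 0x10, 0x22, 0x7F
NRC_SERVICE_NOT_SUPPORTED, NRC_SUBFUNCTION_NOT_SUPPORTED = 0x11, 0x12
NRC_INCORRECT_LENGTH, NRC_REQUEST_OUT_OF_RANGE = 0x13, 0x31
def single_frame(payload: bytes) -> bytes:
    """Wrap a UDS payload (at most 7 bytes) in an ISO-TP single frame padded to 8 bytes."""
    assert len(payload) <= 7, "an ISO-TP single frame carries at most 7 payload bytes"
    return bytes([len(payload)]) + payload + bytes(7 - len(payload))

class ToyEcu:
    """Constructed SUT: sessions 0x01/0x03, DID 0xF186; trusts the ISO-TP length nibble."""
    def __init__(self) -> None:
        self.alive, self.session = True, 0x01
    def reset(self) -> None:  # models a power cycle of the SUT
        self.__init__()
    def handle(self, frame: bytes) -> Optional[bytes]:
        if not self.alive: return None
        length = frame[0] & 0x0F
        if length > 7:  # constructed bug: unchecked copy overruns the 7-byte receive buffer
            self.alive = False
            return None
        data = frame[1:1 + length]
        if not data: return None  # empty frame is dropped silently, the ECU keeps running
        sid = data[0]
        if sid == SID_SESSION_CONTROL:
            if len(data) != 2:
                return single_frame(bytes([NEGATIVE_RESPONSE, sid, NRC_INCORRECT_LENGTH]))
            if data[1] not in (0x01, 0x03):
                return single_frame(bytes([NEGATIVE_RESPONSE, sid, NRC_SUBFUNCTION_NOT_SUPPORTED]))
            self.session = data[1]
            return single_frame(bytes([sid + 0x40, data[1]]))
        if sid == SID_READ_DATA_BY_ID:
            if len(data) != 3:
                return single_frame(bytes([NEGATIVE_RESPONSE, sid, NRC_INCORRECT_LENGTH]))
            if data[1:3] != b"\xF1\x86":
                return single_frame(bytes([NEGATIVE_RESPONSE, sid, NRC_REQUEST_OUT_OF_RANGE]))
            return single_frame(bytes([sid + 0x40, 0xF1, 0x86, self.session]))
        return single_frame(bytes([NEGATIVE_RESPONSE, sid, NRC_SERVICE_NOT_SUPPORTED]))

def discover_sessions(send: Callable[[bytes], Optional[bytes]]) -> List[int]:
    """Step 1: probe DiagnosticSessionControl sub-functions 0x01..0x7F, keep the positive ones."""
    found = []
    for sub in range(0x01, 0x80):
        resp = send(single_frame(bytes([SID_SESSION_CONTROL, sub])))
        if resp and resp[1:3] == bytes([SID_SESSION_CONTROL + 0x40, sub]):
            found.append(sub)
    return found

def positive_suite(sessions: List[int]) -> List[bytes]:
    """Step 2: valid requests the SUT accepts; these are the mutation seeds."""
    suite = [single_frame(bytes([SID_SESSION_CONTROL, s])) for s in sessions]
    return suite + [single_frame(bytes([SID_READ_DATA_BY_ID, 0xF1, 0x86]))]

def mutations(seed: bytes, rng: random.Random, random_count: int) -> Iterator[bytes]:
    """Step 3: boundary values per byte (length nibble included), then random mutations."""
    for i in range(len(seed)):
        for value in (0x00, 0xFF, seed[i] ^ 0x80):
            yield seed[:i] + bytes([value]) + seed[i + 1:]
    for _ in range(random_count):
        frame, choice = bytearray(seed), rng.randrange(3)
        if choice == 0:  # flip one bit
            frame[rng.randrange(8)] ^= 1 << rng.randrange(8)
        elif choice == 1:  # replace one byte
            frame[rng.randrange(8)] = rng.randrange(256)
        else:  # lie about the payload length in the ISO-TP nibble
            frame[0] = (frame[0] & 0xF0) | rng.randrange(16)
        yield bytes(frame)

def classify(request: bytes, response: Optional[bytes]) -> str:
    """Step 4: positive SID is request SID + 0x40, negative is 0x7F <SID> <NRC>, silence = halt."""
    if response is None:
        return "NO_RESPONSE"
    data = response[1:1 + (response[0] & 0x0F)]
    if len(data) >= 3 and data[0] == NEGATIVE_RESPONSE:
        return "NEGATIVE_NRC_0x%02X" % data[2]
    return "POSITIVE" if data and data[0] == request[1] + 0x40 else "UNEXPECTED"

def run_campaign(send: Callable[[bytes], Optional[bytes]], reset: Callable[[], None],
                 seeds: List[bytes], random_count: int = 100, rng_seed: int = 0) -> Dict[str, list]:
    """Steps 3-5: send every mutant, log (request, response, verdict); after silence re-send a
    known-good probe, and only if that also fails record the mutant as vulnerable and reset the SUT."""
    rng, probe = random.Random(rng_seed), seeds[0]
    log, vulnerable = [], {}  # dict keeps insertion order and de-duplicates
    for seed in seeds:
        for mutant in mutations(seed, rng, random_count):
            resp = send(mutant)
            verdict = classify(mutant, resp)
            log.append((mutant.hex(), None if resp is None else resp.hex(), verdict))
            if verdict == "NO_RESPONSE" and classify(probe, send(probe)) != "POSITIVE":
                vulnerable[mutant] = verdict
                reset()
    return {"log": log, "vulnerable": list(vulnerable)}
if __name__ == "__main__":
    ecu = ToyEcu()
    print(run_campaign(ecu.handle, ecu.reset, positive_suite(discover_sessions(ecu.handle)))["vulnerable"])
```

The point a practitioner should take from the campaign loop is the liveness probe: a mutated frame that draws no reply is not by itself a halt, because an ECU legitimately drops an empty or malformed single frame, so the fuzzer re-sends a known-good request and only records the mutant when that probe also fails, then resets the SUT before continuing. Multi-frame ISO-TP, response timeouts and bus timing are left out of this model.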
Possible attacks on automotive systems that can be prevented:
- Denial of Service (DoS) attack
- Replay attack
Tools / Methodologies
- KPIT has developed its own methodology for identifying vulnerabilities using fuzz testing
- Knowledge of the system: black-box / grey-box fuzz testing
- Hardware: CAN tools (CANoe, CANalyzer), ECU
- KPIT has know-how in commercial fuzz testing tools such as Synopsys Defensics