RVFuzzer: Finding Input Validation Bugs in Robotic Vehicles through - PowerPoint PPT Presentation

RVFuzzer: Finding Input Validation Bugs in Robotic Vehicles through Control-Guided Testing Taegyu Kim , Chung Hwan Kim, Junghwan Rhee, Fan Fei, Zhan Tu, Gregory Walkup, Xiangyu Zhang, Xinyan Deng, Dongyan Xu

Robotic Vehicles?

How Do Robotic Vehicles Work? • Execute GCS commands Observed vehicle state in “6DoFs” RV System • Stabilize physical operations Ground Control Station (GCS) Mission Sensor Module Module Controller Physical 6 degrees of freedom (6DoF) Environment 𝑨 𝑧𝑏𝑥 𝑞𝑗𝑢𝑑ℎ Motor 𝑧 Control Aerodynamics 𝑦 𝑠𝑝𝑚𝑚 + Physics

Complexity of Robotic Vehicle Control Software 𝑧𝑏𝑥 𝑞𝑗𝑢𝑑ℎ 𝑧 𝑦 𝑠𝑝𝑚𝑚 x-axis Cascading Controller Controller Param. POS VEL ACCEL Ground Control Controller Controller Controller Station (GCS) Physical Operations 𝑙 𝑦 𝑙 𝑦 𝑙 𝑦 Mission Param. • Hundreds of 𝑠 𝑠 𝑠 𝑝 𝑦 𝑦 𝑦 𝑦 parameters • Dynamically 𝑦 𝑦 𝑦 𝑦 𝑦 𝑦 configurable! Sensor + Sensor Param.

Sensor attack Landscape of RV Attacks • Physical attacks [Security’15, EuroS&P’17..] • e.g., sensor spoofing • Defense: control-based detection and filter • Software “syntactic” bug exploitation [NDSS’18] • e.g., buffer overflow • Defense: program fuzzing and hardening • Control- ”semantic” bug exploitation • Less explored yet • Not defendable with above approaches

Control-Semantic Bug Exploitation • Malicious parameter-change command • GCS- Vehicle communication is not secure [BlackHat’16, NOMS’16] • e.g., MAVLink • Cause at least one controller to malfunction • Why is this meaningful to attackers? • (Remotely) triggered by single malicious control parameter-change command • Leave minimum footprint • No need for sensor spoofing, code injection, trojaned exploits • Launched even after program is hardened against traditional exploits

Attack launched! Stable flight! Nature of Control-Semantic Bug : Waypoint N N : Mission Flight Route 1 2 : Actual Flight Route 1 2 Brute force attacks 3 3 Parameter P1 Not-allowed Range Not-allowed Range Squeezing into Permitted Input Range Valid Input Range Parameter P2 Parameter P3

Wind Effect : Waypoint N N : Mission Flight Route : Actual Flight Route Stable flight! Attack w/o strong wind Parameter P w/ strong wind 1 2 1 2 3 3

Finding the Bugs: Challenge and Solution Challenge Solution • How to detect a bad program run? • Define control instability condition • Bad traditional program run? • Non-transient divergence between • • Reference state and observed state e.g., program crash • • Reference state and mission NOT applicable to control programs • Bad control program run? • Detectable with the standard control • properties and formulas e.g., physical control instability • NOT involve in program crash 1 2 : Waypoint N N : Mission Flight Route 3 : Actual Flight Route

Finding the Bugs: Challenge and Solution Challenge Solution • How to fuzz control loops? • Use a high-fidelity simulator • Safety • Provide a virtual physical world • Real vehicle crashes are dangerous • Fuzz control loops safely • Control-Guided, Feedback-Directed • Efficiency • Hundreds of parameters • Large value ranges of parameters • Wind effect

Overview of RVFuzzer Ground Control Station (GCS) Software Mutated parameter Input commands input commands Sensor Target inputs Control Control state Control-Guided Tester Program outputs Simulator Control Instability Detector Motor Bad program Control 𝑔(𝑡) outputs run detection states Control-Guided Safe Input Mutator Mutated wind configuration Fuzzing Mutated parameters Efficient Fuzzing

Control-Guided Parameter Mutation VEL_XY_P = 1 VEL_XY_P = 6 VEL_XY_P = 3.5 = (1+6)/2 Control … Instability Detector Feedback Test Run 1 Test Run 2 Test Run 3 𝑠 𝑦 (𝑢) : Desired velocity 𝑦 𝑦 (𝑢) : Actual velocity Don’t need to Control-Guided check!! Input Mutator 3.5 4.75 1 6 • Based on the monotonic control property • Increasing (decreasing) the value of a control parameter •  Maintain or intensify the control instability [IROS’99, AIAA’05, …]

Evaluation with ArduPilot and PX4: 89 Bugs Found • 8-days testing ArduPilot PX4 Module Sub-module RIB RSB RIB RSB x, y-axis position 1 0 1 1 • 89 bugs are found z-axis velocity 2 1 1 1 x, y-axis position 1 0 1 1 • 8 confirmed by developers z-axis velocity 1 0 1 0 z-axis acceleration 3 0 0 0 • 7 patched by developers Roll angle 1 0 1 1 Controller Roll angular rate 5 0 3 3 Pitch angle 1 0 1 1 Pitch angular rate 5 0 3 3 Yaw angle 1 0 2 2 Yaw angular rate 6 0 3 3 Motor 0 0 3 3 Sensor Inertia sensor 3 3 0 0 x, y-axis velocity 1 1 2 0 z-axis velocity 2 0 4 0 Mission RIB : Range Implementation Bug z-axis acceleration 2 0 0 0 Roll, pitch 1 1 1 1 RSB : Range Specification Bug Total - 36 6 27 20

Evaluation: Vulnerable Parameters of ArduPilot Control Physical Control Physical Program Parameter Impacts Program Parameter Impacts C: Crash Module C D U S Module C D U S ✓ ✓ PSC_POSXY_P ✓ ✓ ATC_RAT_PIT_D ✓ ✓ ✓ PSC_VELXY_P ✓ ✓ ✓ ATC_RAT_PIT_FF D: Deviation ✓ ✓ PSC_VELXY_I ✓ ATC_ANG_YAW_P ✓ PSC_POSZ_P ✓ ATC_SLEW_YAW from trajectory ✓ PSC_VELZ_P ✓ Controller ATC_RAT_YAW_P ✓ ✓ PSC_ACCZ_P ✓ ATC_RAT_YAW_I ✓ ✓ ✓ PSC_ACCZ_I ✓ ATC_RAT_YAW_IMAX U: Unstable ✓ ✓ ✓ PSC_ACCZ_D ✓ ✓ ATC_RAT_YAW_D ✓ ATC_ANG_RLL_P ✓ ✓ ATC_RAT_YAW_FF movement Controller ✓ ATC_RAT_RLL_I ✓ ✓ INS_POS1_Z ATC_RAT_RLL_IMAX ✓ ✓ ✓ ✓ Sensor INS_POS2_Z S: Stuck in ✓ ATC_RAT_RLL_D ✓ ✓ INS_POS3_Z ✓ ✓ ATC_RAT_RLL_P ✓ WPNAV_SPEED a certain location ✓ ✓ ATC_RAT_RLL_FF ✓ WPNAV_SPEED_UP ✓ ATC_ANG_PIT_P ✓ WPNAV_SPEED_DN Mission ✓ ✓ ATC_RAT_PIT_P ✓ ✓ WPNAV_ACCEL ✓ ATC_RAT_PIT_I ✓ ✓ WPNAV_ACCEL_Z ATC_RAT_PIT_IMAX ✓ ✓ ✓ ANGLE_MAX

Case Studies: Two Control-Semantic Bug Exploitation : Waypoint N N : Mission Flight Route : Actual Flight Route 1 2 MPC_THR_MAX 0 0.8 1 = Maximum motor power 3 MC_ROLL_P 0 0.2 6 12 = Roll angular control gain

Summary • Introduce a new type of control-semantic bugs • Malicious parameter-change commands • RVFuzzer, a cyber-physical system fuzzing tool • Control-guided detection of bad control program run • By detecting generic control instability properties • Safe, efficient control loop fuzzing • By leveraging a high-fidelity simulator and control properties • 89 bugs found in ArduPilot and PX4

Thank you! Questions? tgkim@purdue.edu