SLIDE 1
RVFuzzer: Finding Input Validation Bugs in Robotic Vehicles through - - PowerPoint PPT Presentation
RVFuzzer: Finding Input Validation Bugs in Robotic Vehicles through - - PowerPoint PPT Presentation
RVFuzzer: Finding Input Validation Bugs in Robotic Vehicles through Control-Guided Testing Taegyu Kim , Chung Hwan Kim, Junghwan Rhee, Fan Fei, Zhan Tu, Gregory Walkup, Xiangyu Zhang, Xinyan Deng, Dongyan Xu Robotic Vehicles? How Do Robotic
SLIDE 2
SLIDE 3
How Do Robotic Vehicles Work?
Sensor Module Mission Module RV System Observed vehicle state in β6DoFsβ Physical Environment
Ground Control Station (GCS)
Controller
- Execute GCS commands
- Stabilize physical operations
π¨ π§ π¦ π§ππ₯ π πππ πππ’πβ Control Aerodynamics + Physics 6 degrees of freedom (6DoF) Motor
SLIDE 4
Complexity of Robotic Vehicle Control Software
x-axis Cascading Controller
Physical Operations
Mission Param. Controller Param.
π
π¦
π
π¦
π¦ π¦ π¦ π¦ π π¦ π
π¦
POS Controller
π¦π¦ ππ¦ π π¦ ππ¦
VEL Controller ACCEL Controller
Sensor + Sensor Param.
π§ π¦ π§ππ₯ π πππ πππ’πβ
- Hundreds of
parameters
- Dynamically
configurable!
Ground Control Station (GCS)
SLIDE 5
Landscape of RV Attacks
- Physical attacks [Securityβ15, EuroS&Pβ17..]
- e.g., sensor spoofing
- Defense: control-based detection and filter
- Software βsyntacticβ bug exploitation [NDSSβ18]
- e.g., buffer overflow
- Defense: program fuzzing and hardening
Sensor attack
- Control-βsemanticβ bug exploitation
- Less explored yet
- Not defendable with above approaches
SLIDE 6
Control-Semantic Bug Exploitation
- Malicious parameter-change command
- GCS-Vehicle communication is not secure [BlackHatβ16, NOMSβ16]
- e.g., MAVLink
- Cause at least one controller to malfunction
- Why is this meaningful to attackers?
- (Remotely) triggered by single malicious control parameter-change command
- Leave minimum footprint
- No need for sensor spoofing, code injection, trojaned exploits
- Launched even after program is hardened against traditional exploits
SLIDE 7
Parameter P1
1 3 2
Stable flight!
Brute force attacks
Attack launched!
1 3 2
Not-allowed Range Not-allowed Range
Nature of Control-Semantic Bug
Squeezing into Valid Input Range
Parameter P2 Parameter P3
: Waypoint N : Mission Flight Route : Actual Flight Route
N
Permitted Input Range
SLIDE 8
Parameter P
Wind Effect
1 3 2
Stable flight! w/o strong wind
: Waypoint N : Mission Flight Route : Actual Flight Route
N
Attack w/ strong wind
1 3 2
SLIDE 9
Finding the Bugs: Challenge and Solution
- How to detect a bad program run?
- Bad traditional program run?
- e.g., program crash
- NOT applicable to control programs
- Bad control program run?
- e.g., physical control instability
- NOT involve in program crash
- Define control instability condition
- Non-transient divergence between
- Reference state and observed state
- Reference state and mission
- Detectable with the standard control
properties and formulas
Challenge Solution
: Waypoint N : Mission Flight Route : Actual Flight Route
N 1 3 2
SLIDE 10
Finding the Bugs: Challenge and Solution
- How to fuzz control loops?
- Safety
- Real vehicle crashes are dangerous
- Efficiency
- Hundreds of parameters
- Large value ranges of parameters
- Wind effect
- Use a high-fidelity simulator
- Provide a virtual physical world
- Fuzz control loops safely
- Control-Guided, Feedback-Directed
Challenge Solution
SLIDE 11
Overview of RVFuzzer
Sensor inputs Motor
- utputs
Target Control Program
Control state
- utputs
Mutated parameter input commands
Simulator
Mutated wind configuration
Control-Guided Tester
Control Instability Detector π(π‘) Control-Guided Input Mutator
Ground Control Station (GCS) Software
Control states Mutated parameters Input commands
Bad program run detection Efficient Fuzzing Safe Fuzzing
SLIDE 12
VEL_XY_P = 1 VEL_XY_P = 6 VEL_XY_P = 3.5 = (1+6)/2
1 6 3.5 4.75
Donβt need to check!!
β¦
Control Instability Detector
Test Run 1 Test Run 2 Test Run 3
Control-Guided Input Mutator
Control-Guided Parameter Mutation
- Based on the monotonic control property
- Increasing (decreasing) the value of a control parameter
- ο Maintain or intensify the control instability [IROSβ99, AIAAβ05, β¦]
Feedback
π
π¦(π’)
π¦ π¦(π’) : Desired velocity : Actual velocity
SLIDE 13
Evaluation with ArduPilot and PX4: 89 Bugs Found
- 8-days testing
- 89 bugs are found
- 8 confirmed by developers
- 7 patched by developers
Module Sub-module ArduPilot PX4 RIB RSB RIB RSB Controller x, y-axis position 1 1 1 z-axis velocity 2 1 1 1 x, y-axis position 1 1 1 z-axis velocity 1 1 z-axis acceleration 3 Roll angle 1 1 1 Roll angular rate 5 3 3 Pitch angle 1 1 1 Pitch angular rate 5 3 3 Yaw angle 1 2 2 Yaw angular rate 6 3 3 Motor 3 3 Sensor Inertia sensor 3 3 Mission x, y-axis velocity 1 1 2 z-axis velocity 2 4 z-axis acceleration 2 Roll, pitch 1 1 1 1 Total
- 36
6 27 20
RIB: Range Implementation Bug RSB: Range Specification Bug
SLIDE 14
Evaluation: Vulnerable Parameters of ArduPilot
Control Program Module Parameter Physical Impacts C D U S Controller PSC_POSXY_P β β PSC_VELXY_P β β β PSC_VELXY_I β β PSC_POSZ_P β PSC_VELZ_P β PSC_ACCZ_P β β PSC_ACCZ_I β β β PSC_ACCZ_D β β β ATC_ANG_RLL_P β ATC_RAT_RLL_I β ATC_RAT_RLL_IMAX β β ATC_RAT_RLL_D β ATC_RAT_RLL_P β β ATC_RAT_RLL_FF β β ATC_ANG_PIT_P β ATC_RAT_PIT_P β β ATC_RAT_PIT_I β ATC_RAT_PIT_IMAX β Control Program Module Parameter Physical Impacts C D U S Controller ATC_RAT_PIT_D β β ATC_RAT_PIT_FF β β β ATC_ANG_YAW_P β ATC_SLEW_YAW β ATC_RAT_YAW_P β ATC_RAT_YAW_I β ATC_RAT_YAW_IMAX β ATC_RAT_YAW_D β β ATC_RAT_YAW_FF β β Sensor INS_POS1_Z β β INS_POS2_Z β β INS_POS3_Z β β Mission WPNAV_SPEED β WPNAV_SPEED_UP β WPNAV_SPEED_DN β WPNAV_ACCEL β β WPNAV_ACCEL_Z β β ANGLE_MAX β β
C: Crash D: Deviation
from trajectory
U: Unstable movement S: Stuck in a certain location
SLIDE 15
Case Studies: Two Control-Semantic Bug Exploitation
MC_ROLL_P = Roll angular control gain 0.2 MPC_THR_MAX = Maximum motor power 1 0.8 6 12 : Waypoint N : Mission Flight Route : Actual Flight Route
N 1 3 2
SLIDE 16
Summary
- Introduce a new type of control-semantic bugs
- Malicious parameter-change commands
- RVFuzzer, a cyber-physical system fuzzing tool
- Control-guided detection of bad control program run
- By detecting generic control instability properties
- Safe, efficient control loop fuzzing
- By leveraging a high-fidelity simulator and control properties
- 89 bugs found in ArduPilot and PX4
SLIDE 17