Electronic Control Units (ECUs), which provide a wide range of functions from basic control to safety-critical operation, play a critical role in modern vehicles. Fuzzing has emerged as an effective approach to ensuring the functional safety and automotive security of ECU firmware. However, existing fuzzing approaches focus on the inputs from other ECUs arriving over external buses (e.g., CAN) but neglect the inputs from internal peripherals arriving over on-board buses (e.g., SPI). Because they explore only part of the input space, they fail to fuzz ECU firmware comprehensively. Moreover, existing approaches often lack visibility into the firmware's internal state and rely on limited feedback (e.g., message timeouts or hardware indicators), which hinders their effectiveness.
To address these limitations, we propose a structure-aware, diagnosis-guided framework, \tool, to fuzz ECU firmware comprehensively and effectively. Specifically, \tool considers external buses (i.e., CAN) and on-board buses (i.e., SPI) simultaneously. It leverages the structure of CAN and SPI to mutate CAN messages and SPI sequences effectively, and incorporates a dual-core microcontroller-based peripheral emulator to handle real-time SPI communication. In addition, \tool implements a new feedback mechanism to guide the fuzzing process: it leverages automotive diagnostic protocols to collect the ECU's internal state, i.e., trouble codes, error-related variables, and exception contexts. Our compatibility evaluation on ten ECUs from three major Tier 1 automotive suppliers indicates that our framework is compatible with nine of them. Our effectiveness evaluation on three representative ECUs demonstrates that our framework detects nine previously unknown safety-critical faults, which have been patched by technicians from the suppliers.
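The diagnosis-guided feedback described above can be illustrated with a small parser that turns a diagnostic response into a set of trouble codes and treats any newly observed code as the signal that a fuzz iteration was interesting. This is an added example, not the paper's code; it assumes UDS (ISO 14229) as the diagnostic protocol, the record layout of service 0x19 sub-function 0x02 (reportDTCByStatusMask), and constructed sample bytes.

```python
# Added example: trouble-code feedback for an ECU fuzzer (not the paper's tool).
# Assumes UDS service 0x19 / 0x02 as the diagnostic protocol; sample bytes are constructed.
from dataclasses import dataclass, field


def format_dtc(dtc: int) -> str:
    """Render a 3-byte UDS DTC as SAE J2012 text plus failure type byte, e.g. 0x011000 -> 'P0110-00'."""
    high, middle, ftb = (dtc >> 16) & 0xFF, (dtc >> 8) & 0xFF, dtc & 0xFF
    letter = "PCBU"[high >> 6]            # top two bits select the system letter
    return f"{letter}{(high >> 4) & 0x3}{high & 0xF:X}{middle:02X}-{ftb:02X}"


@dataclass
class DiagFeedback:
    """Tracks trouble codes seen so far; a new code means the input reached a new fault state."""
    seen_dtcs: set = field(default_factory=set)

    @staticmethod
    def parse_dtc_response(resp: bytes) -> list[tuple[int, int]]:
        """Return (dtc, status) pairs from a positive 0x59 0x02 response; [] if negative or malformed."""
        # Layout: 0x59 (0x19 + 0x40), sub-function 0x02, DTCStatusAvailabilityMask,
        # then repeated 4-byte records: 3-byte DTC followed by 1 status byte.
        if len(resp) < 3 or resp[0] != 0x59 or resp[1] != 0x02:
            return []
        records = resp[3:]
        if len(records) % 4:
            return []  # truncated record: do not trust partial feedback
        return [(int.from_bytes(records[i:i + 3], "big"), records[i + 3])
                for i in range(0, len(records), 4)]

    def is_interesting(self, resp: bytes) -> bool:
        """True when the response carries a DTC not reported in any earlier iteration."""
        new = {dtc for dtc, _ in self.parse_dtc_response(resp)} - self.seen_dtcs
        self.seen_dtcs |= new
        return bool(new)


# Constructed response: mask 0xFF, then two records (P0110-00 status 0x2F, U0123-45 status 0x08).
SAMPLE_RESPONSE = bytes.fromhex("5902ff0110002fc1234508")
NEGATIVE_RESPONSE = bytes.fromhex("7f1931")  # NRC 0x31: requestOutOfRange, yields no feedback


def demo() -> list[str]:
    """Feed the sample response once; returns the human-readable codes it newly reported."""
    fb = DiagFeedback()
    first = fb.is_interesting(SAMPLE_RESPONSE)
    again = fb.is_interesting(SAMPLE_RESPONSE)   # same codes: no longer interesting
    assert first and not again
    return sorted(format_dtc(d) for d in fb.seen_dtcs)
```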
Thu 26 Jun (displayed time zone: Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna)

16:00 - 17:15

16:00, 25m talk (Research Papers): Program Feature-based Benchmarking for Fuzz Testing. Miao Miao (The University of Texas at Dallas), Sriteja Kummita (Fraunhofer Institute for Mechatronic Systems Design, Fraunhofer IEM), Eric Bodden (Heinz Nixdorf Institute at Paderborn University; Fraunhofer IEM), Shiyi Wei (University of Texas at Dallas).

16:25, 25m talk (Research Papers): Unlocking Low Frequency Syscalls in Kernel Fuzzing with Dependency-based RAG. Zhiyu Zhang (Institute of Information Engineering at Chinese Academy of Sciences; University of Chinese Academy of Sciences), Longxing Li (Institute of Information Engineering, Chinese Academy of Sciences, China), Ruigang Liang (Institute of Information Engineering at Chinese Academy of Sciences; University of Chinese Academy of Sciences), Kai Chen (Institute of Information Engineering at Chinese Academy of Sciences; University of Chinese Academy of Sciences).

16:50, 25m talk (Research Papers): Structure-Aware, Diagnosis-Guided ECU Firmware Fuzzing. Qicai Chen (Fudan University, China), Kun Hu (School of Computer Science, Fudan University), Sichen Gong (Fudan University, China), Bihuan Chen (Fudan University), Kevin Kong (Fudan University), Haowen Jiang (Fudan University, China), Bingkun Sun (Fudan University), You Lu (Fudan University), Xin Peng (Fudan University).
Cosmos 3A is the first room in the Cosmos 3 wing.
When facing the main Cosmos Hall, access to the Cosmos 3 wing is on the left, close to the stairs. The area is accessed through a large door with the number “3”, which will stay open during the event.