- Naohide Waguri - FFRI Inc.
- Eiichi Tsichida - Mentor, A Siemens Business
- Takashi Ichimasa - Mentor, A Siemens Business
Security is one of the hottest technology topics around these days, relevant in no end of use cases and applications, including electronic control units (ECUs) used in factory automation (FA) and the auto industry. As evidence for the outsize attention the topic receives, consider how security researchers Charlie Miller and Chris Valasek became modest internet celebrities after their 2015 Jeep hack, which prompted a 1.4 million vehicle recall by Fiat Chrysler Automobiles (FCA). Like star athletes on the move, the pair’s careers are now tracked breathlessly by the press. “Famed hackers Charlie Miller and Chris Valasek are joining Cruise after leaving Didi and Uber,” blares one recent Recode headline.
And of course there’s no shortage of alarming news from beyond the auto industry, including a vulnerability in Broadcom’s WiFi chipsets (in Android and iOS devices, thus potentially imperilling all phones) and a potential attack vector spread via Bluetooth (thus threatening no less than the entire IoT). Without question, staying ahead in the arms race against hackers means constantly looking for novel ways to find and correct security flaws, including (and perhaps especially) when it comes to relatively low-level hardware. In this brief whitepaper we describe one such way: an automated fuzzing test of a virtual ECU to find and correct vulnerabilities during the upstream development process.
Our basic motivation stems from a truism that applies to virtually any tech development process, notably in cases where security is paramount. Namely, catching and fixing bugs as early as possible matters deeply, since the difficulty and cost of doing so increase in a nonlinear fashion as development proceeds. Indeed, the worst-case scenario, as demonstrated by FCA’s big recall, is having to fix something after a product is released. Fuzzing tests offer a good way to detect bugs early in a robust, security-centric development process, such as the Microsoft Security Development Lifecycle process. Automating such tests can drive down costs dramatically.
Read the entire Using An Automated Fuzzing Test Of A Virtual Prototype To Eliminate ECU Security Vulnerabilities technical paper.