Aspects of fuzz testing | A practical case of fuzzing the automotive Ethernet protocol DOIP

In the previous installment we looked at how fuzz testing discovers vulnerabilities. This time we use the open source network security fuzz testing platform SFuzz, as applied in the Internet of Vehicles industry, to walk through an actual vulnerability discovery process against the automotive Ethernet DOIP protocol.

Before we begin, let’s understand a few terms.

Automotive Ethernet

The physical network that connects the electrical devices in a vehicle. It is based on conventional Ethernet, but the electrical characteristics of the physical interface are changed and additional standards are defined for the needs of in-vehicle networking. Automotive Ethernet is mainly concerned with OSI layers 1 and 2; on top of it run protocols and application forms such as TSN/TTE, TCP/IP, DOIP and SOME/IP.

DOIP

Diagnostics over Internet Protocol (ISO 13400): a protocol that carries vehicle diagnostics over IP between external diagnostic equipment and a vehicle's electronic control units (ECUs), and between ECUs. Every DOIP message starts with an 8-byte generic header (protocol version, its bitwise inverse, a 2-byte payload type and a 4-byte payload length) followed by the payload, which for diagnostic messages is typically a UDS (ISO 14229) request or response. Its purpose is high-speed, reliable diagnostic and programming communication for diagnosis, maintenance and reprogramming tasks. Because the DOIP service listens on the vehicle network and parses attacker-reachable input, the robustness of an ECU's DOIP implementation is itself a security property, which is what makes it a natural fuzzing target.

random seed

Random numbers generated by a computer are produced by a deterministic algorithm and are therefore pseudo-random: a long sequence of numbers that, for practical purposes, has the statistical properties of truly random numbers. The generator is started from an initial value called the seed, and the same seed always yields the same sequence. This is what makes a fuzzing run reproducible: given the seed and the iteration number, the exact test case sent at that iteration can be regenerated and replayed.

With these terms in place, let's look at how a car manufacturer used SFuzz to find a vulnerability in its Internet of Vehicles system.

Environment

Test tool: SFuzz V3.0

Operating system: Ubuntu 18.04

Device under test: a certain model of DOIP equipment (customer equipment, specific information cannot be disclosed)

Test Suite: DOIP Protocol Test Suite

Test process

Installation and deployment

  • Prepare a computer running Linux, Windows or macOS; in this case an Ubuntu 18.04 machine was used;

  • Download the SFuzz V3.0 installation package, deploy and install it according to the installation manual, and import the DOIP protocol test suite;

  • Connect the RJ45 port of the test machine directly to the device under test and run ping <IP of the device under test> to confirm that it is reachable.

Test execution

Log in to the SFuzz platform, select the "Protocol Fuzz Testing" function to create the test cases, and configure a monitor to track the state of the target while the cases run. This test uses a TCP monitor, which reports when the target's TCP port stops accepting connections.

On the test start page, select the test agent and the seed number, then start the test.

Start the test case, watch it run, and monitor the log returned by the device under test.

In the SFuzz test interface, the platform raised a vulnerability alert when the test reached the 60th iteration, and a crash message appeared in the log of the device under test. At the same time the TCP monitor detected that the port had closed and began reporting defects continuously. The console log of the device showed:

terminate called after throwing an instance of 'std::bad_alloc'
  what():  std::bad_alloc
Aborted

Vulnerability verification

At this point, the "replay" function of the SFuzz platform can be used to pinpoint the vulnerability.

Replaying confirms that the 60th test case is the one that triggers the protocol vulnerability and crashes the device under test. The corresponding bin file (the attack message) can be downloaded and handed to the developers for in-depth analysis and a prompt fix.
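The three pieces of the workflow above (seeded case generation, a TCP liveness monitor, and replay of the iteration that killed the target) fit together as in the following added example. It is illustrative code, not SFuzz's own implementation or the customer's device: the baseline DOIP routing activation request, the four mutation strategies, the receive-buffer limit MAX_PAYLOAD and the fake_target stand-in for the device are all assumptions made here so that it runs offline.

```python
import random
import socket
import struct

DOIP_VERSION = 0x02
ROUTING_ACTIVATION_REQ = 0x0005
MAX_PAYLOAD = 4096   # assumption: the stand-in target's receive-buffer limit


def doip_frame(payload_type, payload):
    """ISO 13400 generic header (version, inverse version, type, length) followed by the payload."""
    return struct.pack(">BBHI", DOIP_VERSION, DOIP_VERSION ^ 0xFF, payload_type, len(payload)) + payload


# Constructed baseline case: routing activation request from tester address 0x0E80,
# activation type 0x00, four reserved bytes.
BASELINE = doip_frame(ROUTING_ACTIVATION_REQ, bytes.fromhex("0e80 00 00000000"))


def mutate(base, rng):
    """Derive one test case from the baseline using only draws from rng, so the result
    depends solely on the seed and on how many draws were made before this call."""
    data = bytearray(base)
    strategy = rng.choice(("flip", "length", "truncate", "append"))
    if strategy == "flip":                       # corrupt one byte anywhere in the frame
        data[rng.randrange(len(data))] ^= rng.randrange(1, 256)
    elif strategy == "length":                   # lie about the payload length in the header
        struct.pack_into(">I", data, 4, rng.choice((0x7FFFFFFF, 0x80000000, 0xFFFFFFFF)))
    elif strategy == "truncate":                 # cut the frame short (header or payload)
        del data[rng.randrange(1, len(data)):]
    else:                                        # trailing bytes beyond the declared length
        data += bytes(rng.getrandbits(8) for _ in range(rng.randrange(1, 65)))
    return bytes(data)


def generate_case(seed, iteration):
    """Replay: rebuild exactly the case that iteration N produced under this seed."""
    rng = random.Random(seed)
    case = BASELINE
    for _ in range(iteration):
        case = mutate(BASELINE, rng)
    return case


def run_campaign(target, seed, max_iterations):
    """Send cases to target until it reports death; return (iteration, case) or (None, None).
    target(case) returns True while the service is still alive."""
    rng = random.Random(seed)
    for iteration in range(1, max_iterations + 1):
        case = mutate(BASELINE, rng)
        if not target(case):
            return iteration, case
    return None, None


def fake_target(case):
    """Assumed stand-in for the device under test: trusts the declared length up to
    MAX_PAYLOAD and 'crashes' (returns False) beyond it, like an unchecked allocation."""
    if len(case) < 8:
        return True                              # incomplete header is simply dropped
    declared = struct.unpack_from(">I", case, 4)[0]
    return declared <= MAX_PAYLOAD


def port_open(host, port, timeout=1.0):
    """TCP monitor primitive: True if the port accepts a connection, False if refused or timed out."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def demo_monitor():
    """Show the monitor flipping from alive to dead when a local listener closes its port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    alive_before = port_open("127.0.0.1", port)
    listener.close()                             # the 'crash': nothing is listening any more
    alive_after = port_open("127.0.0.1", port)
    return alive_before, alive_after


if __name__ == "__main__":
    iteration, case = run_campaign(fake_target, seed=2023, max_iterations=500)
    print(f"target died at iteration {iteration}: {case.hex()}")
    assert generate_case(2023, iteration) == case   # replay reproduces the crashing case
    with open(f"case_{iteration}.bin", "wb") as f:   # the 'bin file' handed to developers
        f.write(case)
    print("monitor alive/dead:", demo_monitor())
```

The design point is that every mutation consumes randomness only from a generator seeded with the campaign seed, and each iteration mutates the same baseline rather than the previous case, so the crashing input at iteration N can be regenerated from just (seed, N) without having stored every case. The port_open check is deliberately a connect-and-close rather than a ping: an ECU whose DOIP process has aborted still answers ICMP, so only the TCP port tells you the service is gone.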

Analysis summary

Repeating the test process several times confirmed that passing a specific mutated packet to the DOIP service of the device under test reliably crashes it. The std::bad_alloc in the log means the service requested a memory allocation that could not be satisfied; in a protocol parser this usually points to an attacker-controlled length field being used as an allocation size without validation, which is a hypothesis the developers must confirm against the code. Whatever the root cause, a single packet that aborts the DOIP process is at minimum a denial of service of the diagnostic service reachable over the vehicle network. This is a real, previously unknown vulnerability, and the case shows how the open source network security fuzz testing platform SFuzz helps users find unknown problems in a test target and improve system security.
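To make the DOIP framing from the definition above concrete, and to show what the hypothesised root cause and its fix look like side by side, here is an added example in Python. It is not code from the page, from SFuzz or from the customer's device: parse_naive is a generic illustration of the unchecked-length pattern (it is never called on the oversized frame, because on a C++ target that call is exactly the std::bad_alloc seen in the log), and parse/handle is a hardened header handler for a toy DOIP entity. The logical address ENTITY_ADDRESS, the receive-buffer limit MAX_PAYLOAD and the handled payload types are assumptions; the header layout, payload type values and generic NACK codes are those of ISO 13400-2.

```python
import struct

DOIP_VERSION = 0x02
HEADER_FMT = ">BBHI"                      # version, inverse version, payload type, payload length
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 8 bytes

# Payload types (ISO 13400-2); this toy entity handles only the two requests below
GENERIC_NACK = 0x0000
ROUTING_ACTIVATION_REQ = 0x0005
ROUTING_ACTIVATION_RES = 0x0006
DIAG_MESSAGE = 0x8001
DIAG_MESSAGE_ACK = 0x8002
KNOWN_TYPES = {ROUTING_ACTIVATION_REQ, DIAG_MESSAGE}

# Generic header negative acknowledge codes (ISO 13400-2)
NACK_INCORRECT_PATTERN = 0x00
NACK_UNKNOWN_PAYLOAD_TYPE = 0x01
NACK_MESSAGE_TOO_LARGE = 0x02
NACK_INVALID_PAYLOAD_LENGTH = 0x04

MAX_PAYLOAD = 4096            # assumption: this entity's receive-buffer limit
ENTITY_ADDRESS = 0x0001       # assumption: logical address of this entity
RA_SUCCESS = 0x10             # routing activation response code: successfully activated


class DoipError(Exception):
    def __init__(self, nack_code):
        super().__init__(f"DoIP header error, NACK code {nack_code:#04x}")
        self.nack_code = nack_code


def build(payload_type, payload=b""):
    """Generic header followed by payload; the length field is derived from the real payload."""
    return struct.pack(HEADER_FMT, DOIP_VERSION, DOIP_VERSION ^ 0xFF, payload_type, len(payload)) + payload


def parse_naive(buf):
    """The vulnerable pattern (illustrative, not the device's code): the declared payload length
    is trusted and used as an allocation size. A mutated header with length 0xFFFFFFFF asks for
    4 GiB here, which is how a C++ parser ends up in std::bad_alloc. Never call on untrusted input."""
    _, _, ptype, length = struct.unpack_from(HEADER_FMT, buf, 0)
    payload = bytearray(length)            # attacker-controlled size
    payload[:] = buf[HEADER_LEN:HEADER_LEN + length]
    return ptype, bytes(payload)


def parse(buf):
    """Hardened header handler. Returns (payload_type, payload, remaining bytes), None if the
    frame is still incomplete, or raises DoipError carrying the NACK code to send back."""
    if len(buf) < HEADER_LEN:
        return None
    ver, inv, ptype, length = struct.unpack_from(HEADER_FMT, buf, 0)
    if ver != DOIP_VERSION or inv != (ver ^ 0xFF):
        raise DoipError(NACK_INCORRECT_PATTERN)
    if ptype not in KNOWN_TYPES:
        raise DoipError(NACK_UNKNOWN_PAYLOAD_TYPE)
    if length > MAX_PAYLOAD:               # the check that turns a bad_alloc into a NACK
        raise DoipError(NACK_MESSAGE_TOO_LARGE)
    if ptype == ROUTING_ACTIVATION_REQ and length not in (7, 11):
        raise DoipError(NACK_INVALID_PAYLOAD_LENGTH)
    if ptype == DIAG_MESSAGE and length < 4:
        raise DoipError(NACK_INVALID_PAYLOAD_LENGTH)
    if len(buf) < HEADER_LEN + length:
        return None                        # wait for the rest of the payload
    end = HEADER_LEN + length
    return ptype, bytes(buf[HEADER_LEN:end]), bytes(buf[end:])


def handle(buf):
    """One step of the entity: consume one frame from buf, return (response, unconsumed bytes)."""
    try:
        parsed = parse(buf)
    except DoipError as err:
        return build(GENERIC_NACK, bytes([err.nack_code])), b""
    if parsed is None:
        return None, bytes(buf)
    ptype, payload, rest = parsed
    if ptype == ROUTING_ACTIVATION_REQ:
        tester = struct.unpack_from(">H", payload, 0)[0]
        return build(ROUTING_ACTIVATION_RES, struct.pack(">HHB4x", tester, ENTITY_ADDRESS, RA_SUCCESS)), rest
    src, dst = struct.unpack_from(">HH", payload, 0)       # DIAG_MESSAGE: source, target, UDS data
    return build(DIAG_MESSAGE_ACK, struct.pack(">HHB", dst, src, 0x00) + payload[4:]), rest


def demo():
    """Tester-side exchange: routing activation, a UDS TesterPresent, then a mutated header."""
    log = []
    resp, _ = handle(build(ROUTING_ACTIVATION_REQ, bytes.fromhex("0e80 00 00000000")))
    log.append(resp)
    resp, _ = handle(build(DIAG_MESSAGE, bytes.fromhex("0e80 0001") + bytes([0x3E, 0x00])))
    log.append(resp)
    mutated = struct.pack(HEADER_FMT, DOIP_VERSION, DOIP_VERSION ^ 0xFF, DIAG_MESSAGE, 0xFFFFFFFF)
    resp, _ = handle(mutated)              # parse_naive(mutated) would try to allocate 4 GiB
    log.append(resp)
    return log


if __name__ == "__main__":
    for frame in demo():
        print(frame.hex())
```

The ordering of checks in parse matters: the length field is compared against the entity's own buffer limit before anything is allocated or read, and a frame whose declared length has not fully arrived is simply held until more bytes come in rather than being treated as an error. That keeps the mutated 0xFFFFFFFF frame from the test above as a NACK on the wire instead of an abort on the ECU.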


Origin blog.csdn.net/weixin_55163056/article/details/133160707