Integrating Fuzz Testing into the Cybersecurity Validation Strategy ZF Friedrichshafen AG

SAE Technical Papers (1906-current) Available online

Format:
Book
Conference/Event
Author/Creator:
Vinzenz, Nico, author.
Contributor:
Oka, Dennis Kengo
Conference Name:
SAE WCX Digital Summit (2021-04-13 : Live Online, Pennsylvania, United States)
Language:
English
Physical Description:
1 online resource cm
Place of Publication:
Warrendale, PA SAE International 2021
Summary:
Automotive systems have become increasingly complex, interconnected and prone to cyberattacks in recent years. With larger software bases and multiple external communication interfaces, the risks for new vulnerabilities and attack vectors on vehicles also increase. Therefore, modern cybersecurity validation is highly stressed for finding security vulnerabilities and robustness issues early and systematically at every stage of the product development process. The integration of a sophisticated fuzz testing program within the overall cybersecurity validation strategy makes it possible to meet these challenging demands. In this paper, we review a general automotive cybersecurity engineering process containing functional testing, vulnerability scanning and penetration testing, and highlight shortcomings that can be complemented by fuzz testing. We present how fuzz testing is not only beneficial to improve product security directly by detecting weaknesses, but also indirectly by providing input that enhances other testing activities. Finally, we provide a suggestion for an updated cybersecurity engineering process, which gives guidance on when fuzz testing should be performed and how fuzz testing should interface with other testing activities. Our approach is compliant with the ISO/SAE DIS 21434 cybersecurity engineering process. The approach uses Threat Analysis and Risk Assessment (TARA) together with Cybersecurity Assurance Levels (CALs) for the systematic identification of high-priority attack vectors and assignment of testing priorities. With this knowledge, it is possible to decide where, when and how often fuzz testing shall be applied for finding both unknown vulnerabilities and regressions in an automated manner. This approach identifies issues earlier and with greater coverage than functional testing, vulnerability scanning and penetration testing could achieve on their own.
As a result, by following this approach, the overall cybersecurity engineering process is more comprehensive, security remediation costs are lower, and resources for manual activities such as penetration testing are used more efficiently.
Notes:
Vendor supplied data
Publisher Number:
2021-01-0139
Access Restriction:
Restricted for use by site license
