CAN Bus Security Analysis: a Fuzzing Approach

Modern vehicles are equipped with numerous Electronic Control Units (ECUs), each featuring intricate functionalities and being tightly interconnected via internal networks. Among these, the Controller Area Network (CAN) is the most common. Past research has revealed the CAN network to be vulnerable to a multitude of cybersecurity attacks, enabling an attacker to take control of safety-critical ECUs such as the ones managing the engine, steering, or brakes. Securing ECUs connected via the CAN network against cyber threats is of paramount importance since an infected ECU could be used to propagate the attack to the other units on the network. Fuzz testing is a widely adopted, automated software testing technique that helps identify vulnerabilities and defects in programs. It involves sending a large amount of generated data to the system under test to identify messages that cause crashes, errors, or other incorrect behavior. Existing fuzzers in the automotive security landscape often fall into two categories: proof-of-concept open-source tools lacking advanced functionalities or closed-source solutions requiring proprietary hardware, hindering interoperability with other tools. This thesis aims to bridge this gap by developing a modular fuzzer tailored for robustness and future extensibility. The primary focus is on enhancing the ease of integration while providing a versatile tool for cybersecurity testing. Organizing the fuzzer into multiple modules facilitates the concurrent development of different features. Additionally, relying on a higher abstraction of the CAN protocol ensures interoperability among the developed components. A direct outcome of this abstraction is the elimination of dependence on proprietary hardware. The development of dedicated modules for various network interfaces transforms them into plug-and-play components for the fuzzer. This thesis introduces two interfaces: one for utilizing a virtual CAN bus and the other for interfacing with Intrepid CS devices. To validate the fuzzer's effectiveness, testing has been conducted on both a simulated virtual ECU and a physical test bench. Finally, testing has been performed to compare various developed fuzz generator modules, highlighting their efficacy under different assumptions. It is important to note that while the project primarily focuses on the CAN network, the architecture has been designed to seamlessly extend to multiple protocols.