Fuzz testing is a popular testing approach used to find bugs in C/C++ and embedded software, particularly memory corruptions. It has proven effective for identifying obscure bugs that are difficult to find through other testing methods. This testing approach is increasingly being adopted by automotive companies to comply with new security standards, save time, mitigate costs, and improve software quality. Let's have a look at how fuzzing is helping all of these automotive companies.
Fuzzing Finds Bugs in C/C++ and Embedded Software
Fuzz Testing enables developers to generate a large number of inputs to stress the system under test, which can expose obscure bugs that are difficult to find through other testing methods. Additionally, the testing approach has proven to be particularly effective for finding memory corruptions in C/C++ and embedded code, such as heap buffer overflows and use-after-free.
Discovering these memory corruptions during the development process allows developers to address them before the software is released, resulting in a lower risk of security breaches and crashes. That's why companies like Google and Microsoft adopted fuzz testing a long time ago, while the automotive industry is just now starting to catch up.
Fuzz Testing Supports Automotive Companies to Comply With ISO 21434
Automotive companies, such as CARIAD and Woven Planet, are increasingly adopting fuzz testing, since the new ISO 21434 standard mandates security testing for more software modules than previous industry standards. However, it is too expensive and time-consuming to regularly run pentests on each module. So, the car manufacturers are looking for ways to automate their security testing and substitute pentests through continuous fuzz tests.
In the end, it’s cheaper to run a fuzz test on a module than to perform a full penetration test. In addition, fuzzing has the further advantage of assisting in identifying and fixing bugs earlier in the development process, which also saves cost and time on mitigation.
From my perspective, it is unlikely that fuzz testing will completely replace penetration testing, but it is evident that automotive companies are increasingly employing both testing methods in a complementary way.
Fuzz Testing Automates the Threat Agent Risk Assessment
In the automotive software industry, any product development process must be accompanied by a cybersecurity engineering process. The most commonly used methodology in this process is known as the "Threat Agent Risk Assessment" (TARA), which is designed to help identify, assess, prioritize, and control cybersecurity risks.
TARA is a highly practical method for improving cybersecurity, as it takes into consideration mitigation controls and accepted levels of risk. However, implementing the Threat Agent Risk Assessment (TARA) for a new project can be challenging, as it involves a variety of testing methodologies and processes that need to be covered:
- Functional Testing: assessing the functionality of the current system
- Cybersecurity Specifications: determining what specifications exist and what needs to be added
- Vulnerability Scanning: discovering any vulnerabilities within the product based on the known vulnerability database
- Penetration Testing: a manual look into the product by experts to test for any points that can be exploited
Integrating fuzz testing tools into the CI/CD system can automate most of these required testing methods. With enterprise fuzzing solutions like CI Fuzz, for instance, developers can continuously scan applications for functional bus and security issues and triage these findings. These enterprise solutions usually come with standardized bug reports, which contain all the necessary information to easily replicate and fix these issues.
This talk Nico Vinzenz (Cybersecurity Expoert at ZF) addresses the pain points of most automotive cybersecurity test strategies and explains how fuzz testing can be beneficial when integrated early and systematically at every stage of the product development process.
Automotive Developers Love Fuzzing!
To sum up this article, fuzz testing solves major pain points of automotive developers:
- Fuzz testing finds bugs in C/C++ and embedded software.
- Fuzz testing supports automotive developers in complying with ISO 21434 and automates the Threat Agent Risk Assessment (TARA).
- Fuzz testing complements penetration testing and enables automotive developers to run continuous security tests on their code while maintaining their development speed.
If you work in the automotive industry, it's worth looking for best practices and examples from companies like Continental, Bosch, ZF, and CARIAD that have successfully implemented fuzz testing in their projects. If you want to learn more about how automated fuzz testing can help you become compliant with industry norms such as ISO 21434, you can check out the ten steps in our ISO 21434 compliance checklist.