自动驾驶系统模糊测试技术综述

摘要/Abstract

摘要： 自动驾驶是未来汽车产业发展趋势，然而自动驾驶车辆严重依赖于控制其运行的互连系统和软件，系统软件漏洞导致车辆面临严峻的安全隐患.自动驾驶安全测试能够提升汽车安全性，是保障汽车安全上路的重要环节.模糊测试(fuzz testing)作为一种自动化的漏洞测试技术，在面对复杂的软件系统时展现出卓越的漏洞探索能力.针对目前广泛使用的开源模糊测试工具进行了系统的归纳梳理，并通过对自动驾驶系统特性的深入分析，总结了当前研究面临的主要挑战，包括：1)难以全面考虑输入维度；2)多功能协同并发问题难以解决；3)安全问题类别不适配.为应对这些挑战提出了相应的参考建议，为未来相关研究提供了指导方向.

关键词: 自动驾驶, 软件安全, 模糊测试, 功能安全, 信息安全

Abstract: Autonomous driving is the future development trend of the automotive industry, while autonomous vehicles heavily rely on interconnected systems and software that control their operation. System software vulnerabilities lead to serious safety hazards for vehicles. Therefore, automatic driving safety test is an important link to further improve the safety of autonomous vehicle. Fuzz testing, as an automated vulnerability testing technology, exhibits outstanding vulnerability exploration capabilities when dealing with complex software systems. It holds significant potential for widespread application in autonomous driving systems. This paper provides a systematic summary of widely used opensource fuzz testing tools. Through an indepth analysis of the characteristics of autonomous driving systems, the study identifies key challenges currently faced by research in this field, including: 1) difficulty in comprehensively considering input dimensions; 2) challenges in uncovering issues related to multifunctional collaborative concurrency; 3) mismatch of security issue categories. In response to these challenges, the research proposes corresponding recommendations, providing guidance for future related research.

Key words: autonomous driving, software security, fuzz testing, functional safety, information security

中图分类号:

TP311.56

王朋成, 高思淼, 王斯奋, 洪晟, 李众豪, . 自动驾驶系统模糊测试技术综述[J]. 信息安全研究, 2024, 10(11): 982-.

参考文献

［1］Penmetsa P, Sheinidashtegol P, Musaev A, et al. Effects of the autonomous vehicle crashes on public perception of the technology［J］. IATSS Research, 2021, 45(4): 485492［2］Jefferson J, McDonald A D. The autonomous vehicle social network: Analyzing tweets after a recent Tesla autopilot crash［C］ Proc of the Human Factors and Ergonomics Society Annual Meeting. Sage CA: SAGE Publications, 2019: 20712075［3］Morando A, Gershon P, Mehler B, et al. A model for naturalistic glance behavior around Tesla autopilot disengagements［JOL］. Accident Analysis & Prevention, 2021 ［20240719］. https:doi.org10.1016j.aap.2021.106348［4］Chu Y, Liu P. Human factor risks in driving automation crashes［C］ Proc of Int Conf on HumanComputer Interaction. Berlin: Springer, 2023: 312［5］He Shanshan. Autonomous Vehicles: Business, Technology and Law［M］. Berlin: Springer, 2021: 93111［6］Wakabayashi D. Selfdriving Uber car kills pedestrian in Arizona, where robots roam［NOL］. The New York Times, 20180319 ［20230722］. https:www.nytimes.com20180319technologyuberselfdrivingcarkillspede strian.html［7］Bratu D V, Zolya M A, Moraru S A. RoboCoV Cleaner: An indoor autonomous UVC disinfection robot with advanced dualsafety systems［JOL］. Sensors ［20240719］. https:doi.org10.3390s24030974［8］Vasic M, Billard A. Safety issues in humanrobot interactions［C］ Proc of the 2013 IEEE Int Conf on Robotics and Automation. Piscataway, NJ: IEEE, 2013: 197204［9］Moukahal L J, Zulkernine M, Soukup M. Vulnerabilityoriented fuzz testing for connected autonomous vehicle systems［J］. IEEE Trans on Reliability, 2021, 70(4): 14221437［10］Abuabed Z, Alsadeh A, Taweel A. STRIDE threat modelbased framework for assessing the vulnerabilities of modern vehicles［J］. Computers & Security, 2023, 133: 103391［11］Taslimasa H, Dadkhah S, Neto E C P, et al. Security issues in Internet of vehicles (IoV): A comprehensive survey［J］. Internet of Things, 2023, 22: 100809［12］Anwar A, Anwar A, Moukahal L, et al. Security assessment of invehicle communication protocols［J］. Vehicular Communications, 2023, 44: 100639［13］Garcia J, Feng Y, Shen J, et al. A comprehensive study of autonomous vehicle bugs［C］ Proc of the 42nd ACMIEEE Int Conf on Software Engineering (ICSE’20). New York: ACM, 2020: 385396［14］Shuk Y H, Rai A. Continued voluntary participation intention in firmparticipating open source software projects［J］. Information Systems Research, 2017, 28(3): 603625［15］Fioraldi A, Mantovani A, Maier D, et al. Dissecting American fuzzy lop: A FuzzBench evaluation［J］. ACM Trans on Software Engineering and Methodology, 2023, 32(2): 126［16］Petrica L, Vasilescu L, Ion A, et al. IxFIZZ: Integrated functional and fuzz testing framework based on Sulley and SPIN［J］. Science and Technology, 2015, 18(1): 5468［17］Godefroid P. Fuzzing: Hack, art, and science［J］. Communications of the ACM, 2020, 63(2): 7076［18］Wang C, Kang S. ADFL: An improved algorithm for American fuzzy lop in fuzz testing［C］ Proc of the 4th Int Conf on Cloud Computing and Security (ICCCS 2018). Berlin: Springer, 2018: 2736［19］Gan S, Zhang C, Qin X, et al. Collafl: Path sensitive fuzzing［C］ Proc of the 2018 IEEE Symp on Security and Privacy. Piscataway, NJ: IEEE, 2018: 679696［20］汪美琴, 夏旸, 贾琼, 等.模糊测试技术的研究进展与挑战［J］. 信息安全研究, 2024, 10(7): 668674［21］Han H S, Oh D H, Cha S K. CodeAlchemist: Semanticsaware code generation to find vulnerabilities in JavaScript engines［C］ Proc of Network and Distributed Systems Security (NDSS) Symposium. 2019: 2427［22］You W, Wang X, Ma S, et al. Profuzzer: Onthefly input type probing for better zeroday vulnerability discovery［C］ Proc of the 2019 IEEE Symp on Security and Privacy (SP). Piscataway, NJ: IEEE, 2019: 769786［23］刘宝旭, 李昊, 孙钰杰, 等. 智能化漏洞挖掘与网络空间威胁发现综述［J］. 信息安全研究, 2023, 9(10): 932939［24］王鹃, 张冲, 龚家新, 等. 基于机器学习的模糊测试研究综述［J］. 信息网络安全, 2023, 23(8): 116［25］Ye G, Tang Z, Tan S H, et al. Automated conformance testing for JavaScript engines via deep compiler fuzzing［C］ Proc of the 42nd ACM SIGPLAN Int Conf on Programming Language Design and Implementation. New York: ACM, 2021: 435450［26］Odena A, Olsson C, Andersen D, et al. TensorFuzz: Debugging neural networks with coverageguided fuzzing［C］ Proc of Int Conf on Machine Learning. New York: PMLR, 2019: 49014911［27］Li T, Li J, He X. An Improvement of AFL based on the function call depth［C］ Proc of the 18th Int Computer Conf on Wavelet Active Media Technology and Information Processing (ICCWAMTIP). Piscataway, NJ: IEEE, 2021: 440445［28］Basu T, Chattopadhyay S. Testing cache sidechannel leakage［C］ Proc of the 2017 IEEE Int Conf on Software Testing, Verification and Validation Workshops (ICSTW). Piscataway, NJ: IEEE, 2017: 5160［29］Manès V J M, Han Y, Han S, et al. The art, science, and engineering of fuzzing: A survey［J］. IEEE Trans on Software Engineering, 2021, 47(11): 23122331［30］Cousineau P, Lachine B. Enhancing boofuzz process monitoring for closedsource SCADA system fuzzing［C］ Proc of the 2023 IEEE Int Systems Conference (SysCon). Piscataway, NJ: IEEE, 2023: 18［31］Kim S, Kim T. Robofuzz: Fuzzing robotic systems over robot operating system (ROS) for finding correctness bugs［C］ Proc of the 30th ACM Joint European Conf on the Foundations of Software Engineering, New York: ACM, 2022: 447458［32］Kim S, Liu M, Rhee J, et al. DriveFuzz: Discovering autonomous driving bugs through driving qualityguided fuzzing［C］ Proc of the 2022 ACM SIGSAC Conf on Computer and Communications Security (CCS’22). New York: ACM, 2022: 17531767［33］Xie K T, Bai J J, Zou Y H, et al. ROZZ: Propertybased fuzzing for robotic programs in ROS［C］ Proc of the 2022 Int Conf on Robotics and Automation (ICRA). Piscataway, NJ: IEEE, 2022: 67866792［34］Bai J J, Song H X, Hu S M. Multidimensional and messageguided fuzzing forrobotic pograms in robot operating system［C］ Proc of the 29th ACM Int Conf on Architectural Support for Programming Languages and Operating Systems. New York: ACM, 2024: 763778［35］Delgado R, Campusano M, Bergel A. Fuzz testing in behaviorbased robotics［C］ Proc of the 2021 IEEE Int Conf on Robotics and Automation (ICRA). Piscataway, NJ: IEEE, 2021: 9375938［36］Rivera S, State R. Securing robots: An integrated approach for security challenges and monitoring for the robotic operating system (ROS)［C］ Proc of the 2021 IFIPIEEE Int Symp on Integrated Network Management (IM). Piscataway, NJ: IEEE, 2021: 754759［37］Woodlief T, Elbaum S, Sullivan K. Fuzzing mobile robot environments for fast automated crash detection［C］ Proc of the 2021 IEEE Int Conf on Robotics and Automation (ICRA). Piscataway, NJ: IEEE, 2021: 54175423［38］Wang C, Tok Y C, Poolat R, et al. How to secure autonomous mobile robots? An approach with fuzzing, detection and mitigation［J］. Journal of Systems Architecture, 2021, 112: 101838［39］Chen H, Xue Y, Li Y, et al. Hawkeye: Towards a desired directed greybox fachinery［EBOL］. 2018 ［20240719］. https:doi.org10.11453243734.3243849

[1]	潘琪亮, 李明, 皮振中, 黄利文, 方中奎, . 基于DeepSpeed框架构建信息安全领域通用人工智能模型的探索[J]. 信息安全研究, 2024, 10(E1): 155-.
[2]	唐双林, 侍国亮, 周志洪, . 基于深度学习的智能网联汽车时序数据异常检测方法研究[J]. 信息安全研究, 2024, 10(E1): 227-.
[3]	刘晓瑞, 莫怀训, . 基于功能安全的PLC控制软件组件设计实践初探[J]. 信息安全研究, 2024, 10(E1): 231-.
[4]	顾芳铭, 况博裕, 许亚倩, 付安民, . 面向自动驾驶感知系统的对抗样本攻击研究综述[J]. 信息安全研究, 2024, 10(9): 786-.
[5]	王江, 姜伟, 张璨, . 开源软件供应链安全风险分析研究[J]. 信息安全研究, 2024, 10(9): 862-.
[6]	汪美琴, 夏旸, 贾琼, 陈志浩, 刘明哲, . 模糊测试技术的研究进展与挑战[J]. 信息安全研究, 2024, 10(7): 668-.
[7]	靳文京, 卜哲, 秦博阳, . 基于序列生成对抗网络的智能模糊测试方法[J]. 信息安全研究, 2024, 10(6): 490-.
[8]	陈斌, 董平, 谢晓刚, 宋涤非, . 5G网络安全测评技术研究与实践[J]. 信息安全研究, 2024, 10(6): 539-.
[9]	马冬青, 崔涛, . 基于TOPSIS和GRA的信息安全风险评估[J]. 信息安全研究, 2024, 10(5): 474-.
[10]	张骏飞, 张雄伟, 孙蒙, . 基于分治方法的声纹识别系统模型反演[J]. 信息安全研究, 2024, 10(2): 130-.
[11]	钟宏, 夏云浩, 张金鑫, . 基于权重反馈的WiFi协议模糊测试用例优化方法[J]. 信息安全研究, 2024, 10(11): 1049-.
[12]	王洪义, 沙乐天, . 基于静态分析和模糊测试的路由器漏洞检测方法[J]. 信息安全研究, 2024, 10(1): 40-.
[13]	丁丽媛, . 金融机构ICT供应链信息安全风险分析及应对措施研究[J]. 信息安全研究, 2024, 10(1): 55-.
[14]	尘兴灿, 万明明, 王仲宇, 刘昊, 李程, . 智能网联汽车安全合规测试平台研究[J]. 信息安全研究, 2023, 9(E2): 109-.
[15]	邱勤, 夏羿, 王国宇, 申屠欣欣, 马禹昇, 郑国忠, 王雪珊, . 基于SBOM的软件供应链安全关键技术的研究[J]. 信息安全研究, 2023, 9(E2): 66-.