Grey-box Analysis and Fuzzing of Automotive Electronic Components via Control-Flow Graph Extraction

Abstract

Electronic Control Units are embedded systems which control the functionality of a modern vehicle. The growing number of Electronic Control Units in a vehicle, together with their increasing complexity, prompts the need for automated tools to test their security. To this end, we present EffCAN, a tool for ECU firmware fuzzing via Controller Area Network. EffCAN operates on the Control Flow Graph, which we extract from the firmware. The Control Flow Graph is a platform independent representation, which allows us to abstract from the often obscure underlying architecture. The Control Flow Graph is annotated with information about static data comparisons that affect the control flow of the firmware. This information is used to create initial seeds for the fuzzer. It is also used to adapt the input messages in order to cover hard to reach execution paths. We have evaluated EffCAN on three Electronic Control Units, from different manufacturers. The fuzzer was able to crash two of the units. To our knowledge, this is the first approach that uses static analysis to guide the fuzzing of automotive Electronic Control Units.