개발자비행일지

Back Ground For Ardupilot, Mavlink

Cyber0946 2020. 8. 1. 16:15

SITL (Software In The Loop)

SITL allows the behavior of a drone, targeting ArduCopter, to be measured without any drone hardware. SITL builds the drone OS with a C++ compiler and exchanges input and output values purely in software, as in the figure below, so that a drone carrying out a predefined mission can be analyzed. It can be regarded as an emulation system for the drone system.

Fuzzing

Fuzzing is a technique for finding vulnerabilities and bugs in software programs and protocols by injecting malformed or semi-malformed data.

The injected data may include minimum or maximum values and invalid, unexpected or random data. After the data is injected, the system can be observed for any kind of unexpected behaviour, e.g., the program crashing or failing built-in code assertions, that other testing techniques missed.

The technique of fuzzing is illustrated in Fig 2.2.

There are three main types of fuzzing variants that can be distinguished: Plain Fuzzing, Protocol Fuzzing and State-based Fuzzing [12, 13].

Plain Fuzzing is the simplest way of testing. The input data can be completely random or constructed by changing some parts of correct input that has been recorded. These types of fuzzers, also called dumb fuzzers, require almost no is malformed [14].

Protocol Fuzzing is a more sophisticated way of testing.

The input is generated based on the protocol specifications, such as the message format and dependencies between fields. This is also called smart generation and is able to create semi-valid input. This can be necessary if the input needs to be well formed.

The advantage of this technique is that the more intelligence is used, the deeper the fuzzing can penetrate into the software.

Protocol fuzzers typically generate input data from scratch, filling the fields with minimum and maximum values [14, 15]. -> This is the part that RV_Fuzzer did.

State-based Fuzzing is a fuzzing technique that does not try to find errors and vulnerabilities by changing the content of the packets, but instead attempts to fuzz the state-machine of the software.

Thinking from this definition, if the system's behavior is formally verified and, at the same time, it is shown that the transitions into those states are fuzzed, it seems the desired result could be obtained.

This can be done by breaking the sequence of messages that is typically used in the protocol. The impact of this kind of fuzzing technique depends on which states are skipped [14].

Typically, the fuzzing strategy is to start with a dumb, basic fuzzer and then increase the amount of intelligence when necessary to create a more sophisticated fuzzer [16]. Fuzzing is capable of finding faults in error handling and clean-up code, and, by using state-based fuzzers, it is able to find faults in state machine logic [17].

A basic fuzzer performs the following actions.

  1. Generation of the test cases
  2. Recording or logging of the test cases for reproduction
  3. Transmitting the test cases as input to the tested program
  4. Observing the behaviour and detecting crashes
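As an added example (not code from this post, nor from ArduPilot or the MAVLink project), the four steps above applied as a small protocol fuzzer for the MAVLink v1 HEARTBEAT message, the kind of semi-valid, min/max field input the Protocol Fuzzing section describes. It assumes the HEARTBEAT wire layout and CRC_EXTRA value 50 from the MAVLink specification; the baseline heartbeat values and the transmit/observe hooks are constructed so that it runs offline, and in a real campaign they would be replaced by a UDP socket to SITL and a check of SITL's output.

```python
import random
import struct

# MAVLink v1 HEARTBEAT (msgid 0). On the wire the fields are sorted by size:
# custom_mode u32, type u8, autopilot u8, base_mode u8, system_status u8, mavlink_version u8.
HEARTBEAT_ID, HEARTBEAT_FMT, HEARTBEAT_CRC_EXTRA = 0, "<IBBBBB", 50
FIELD_MAX = (0xFFFFFFFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF)

def x25_crc(data: bytes, crc: int = 0xFFFF) -> int:
    """MAVLink's X.25 checksum, as in the reference implementation."""
    for b in data:
        tmp = (b ^ (crc & 0xFF)) & 0xFF
        tmp = (tmp ^ (tmp << 4)) & 0xFF
        crc = ((crc >> 8) ^ (tmp << 8) ^ (tmp << 3) ^ (tmp >> 4)) & 0xFFFF
    return crc

def build_frame(seq: int, msgid: int, payload: bytes, crc_extra: int, sysid: int = 255, compid: int = 0) -> bytes:
    """STX(0xFE) | len | seq | sysid | compid | msgid | payload | crc16; the CRC also covers CRC_EXTRA."""
    header = struct.pack("<BBBBB", len(payload), seq & 0xFF, sysid, compid, msgid)
    crc = x25_crc(header + payload + bytes([crc_extra]))
    return b"\xfe" + header + payload + struct.pack("<H", crc)

def verify_frame(frame: bytes, crc_extra: int) -> bool:
    """The check a receiver performs before it parses the payload."""
    if len(frame) < 8 or frame[0] != 0xFE or frame[1] != len(frame) - 8:
        return False
    return struct.unpack("<H", frame[-2:])[0] == x25_crc(frame[1:-2] + bytes([crc_extra]))

def protocol_fuzz_cases(seed: int, count: int) -> list:
    """Steps 1-2 (generate, log): semi-valid HEARTBEATs with one field at min/max/random; each record can be replayed."""
    rng = random.Random(seed)
    cases = []
    for seq in range(count):
        fields = [0, 2, 3, 81, 4, 3]  # constructed baseline: quadrotor, ArduPilot, active
        idx = rng.randrange(len(fields))
        strategy = rng.choice(["min", "max", "random"])
        fields[idx] = {"min": 0, "max": FIELD_MAX[idx]}.get(strategy, rng.randrange(FIELD_MAX[idx] + 1))
        payload = struct.pack(HEARTBEAT_FMT, *fields)
        frame = build_frame(seq, HEARTBEAT_ID, payload, HEARTBEAT_CRC_EXTRA)
        cases.append({"seq": seq, "field": idx, "strategy": strategy, "frame": frame.hex()})
    return cases

def run_campaign(cases: list, transmit, observe) -> list:
    """Steps 3-4 (transmit, observe): the hooks are injected so this runs offline here and against SITL later."""
    findings = []
    for case in cases:
        transmit(bytes.fromhex(case["frame"]))
        if observe():
            findings.append(case)
    return findings
```

Because every case is logged with its seed-derived sequence number and full frame, a finding can be replayed against SITL exactly, which is what step 2 is for.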

[12] A. Takanen, J. DeMott, C. Miller. Fuzzing for Software Security Testing and Quality Assurance. Artech House, 2008.

[13] M. Sutton, A. Greene, P. Amini. Fuzzing: Brute Force Vulnerability Discovery. Addison-Wesley, 2007.

[14] B. Hond. Fuzzing the GSM Protocol. Master's thesis, Radboud University Nijmegen, 2011.

[15] OWASP. OWASP Fuzzing. URL: https://www.owasp.org/index.php/Fuzzing. Last checked on 2016-05-03.

[16] M. Hillman. 15 Minute Guide to Fuzzing. URL: https://www.mwrinfosecurity.com/our-thinking/15-minute-guide-to-fuzzing/
