Abstract

Coverage-guided grey-box fuzzing of computer systems has been explored for decades. However, existing techniques do not adequately explore the space of continuous behaviors in Cyber-Physical Systems (CPSs), so they may miss safety-critical bugs. Optimization-guided falsification is promising for finding violations of safety specifications, but it is not suited to identifying traditional program bugs. This article presents a fuzzing process for finding safety violations during the development phase, guided by two quantities: a branch coverage metric to explore discrete program behaviors and a Linear Temporal Logic (LTL) robust satisfaction metric to identify undesirable continuous plant behaviors. We implement CPFuzz to demonstrate the utility of the idea and evaluate its effectiveness on seven control system benchmarks. The results show better performance in average time to find violations than S-TaLiRo on all benchmarks and than S3CAMX on six benchmarks. Finally, we use CPFuzz to synthesize a sensor spoofing attack on a DC motor with a fixed-point overflow vulnerability as a case study.

Highlights

  • The problem of falsifying a safety property for Cyber-Physical Systems (CPSs) has been studied extensively in recent years

  • The robust satisfaction semantics of temporal logic [1] map an execution trace of the system to a real value instead of a logic value, offering more gradient information for optimization

  • Based on the robust satisfaction semantics of temporal logic, falsification casts the problem of searching for safety violations as an optimization problem


Summary

Introduction

The problem of falsifying a safety property for CPSs has been studied extensively in recent years. Optimization-guided falsification simulates the system on intelligently generated inputs and feeds the corresponding traces back to find system violations more effectively. The robust satisfaction semantics of temporal logic [1] map an execution trace of the system to a real value instead of a logic value, offering more gradient information for optimization. Based on these semantics, falsification casts the search for safety violations as an optimization problem in which the robust satisfaction value serves as the cost function; this cost function is highly nonlinear and discontinuous. The simulation function SIM can be a nonlinear hybrid system or even a data-driven model, such as a neural network that maps the current state to the next state. The initial state x0 of the CPS is generated by the fuzzer to explore the possible configurations of the physical environment.
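The following is an added illustration of the mechanism just described, not code from the paper or from CPFuzz: a quantitative (robust) semantics for the LTL operators G and F over a finite trace, and a falsifier that uses the robustness value as its cost while searching over the initial state x0. The plant (a damped oscillator standing in for SIM), the spec G(|x| < 1.2), the search box and the greedy descent are all constructed assumptions for the example.

```python
from typing import Callable, List, Tuple

State = Tuple[float, float]  # (position x, velocity v) of the toy plant


def simulate(x0: State, steps: int = 200, dt: float = 0.05) -> List[State]:
    """Constructed stand-in for SIM: a lightly damped oscillator integrated
    with explicit Euler. Returns the sampled trace starting at x0."""
    x, v = x0
    trace = [(x, v)]
    for _ in range(steps):
        x, v = x + dt * v, v + dt * (-x - 0.1 * v)  # right side uses old (x, v)
        trace.append((x, v))
    return trace


def rob_always(margin: Callable[[State], float], trace: List[State]) -> float:
    """Robustness of G(p): margin(s) is p's signed distance to its boundary,
    so the worst margin on the trace decides (>0 satisfied, <0 violated)."""
    return min(margin(s) for s in trace)


def rob_eventually(margin: Callable[[State], float], trace: List[State]) -> float:
    """Robustness of F(p): the best margin reached anywhere on the trace."""
    return max(margin(s) for s in trace)


BOUND = 1.2  # constructed safety spec: G(|x| < BOUND)


def safety_margin(s: State) -> float:
    return BOUND - abs(s[0])


def robustness(x0: State) -> float:
    """The falsifier's cost function: robustness of the spec from x0."""
    return rob_always(safety_margin, simulate(x0))


def falsify(start: State, step: float = 0.1, box: float = 1.0,
            budget: int = 200) -> Tuple[State, float]:
    """Greedy descent on robustness over the fuzzer-chosen initial state,
    confined to |x0|, |v0| <= box. Stops at a violation (robustness < 0),
    at a local minimum, or when the simulation budget is exhausted."""
    clip = lambda a: max(-box, min(box, a))
    best, best_rob = start, robustness(start)
    while budget > 0 and best_rob >= 0:
        x, v = best
        neighbours = [(clip(x + step), v), (clip(x - step), v),
                      (x, clip(v + step)), (x, clip(v - step))]
        budget -= len(neighbours)
        cand_rob, cand = min(((robustness(n), n) for n in neighbours),
                             key=lambda t: t[0])
        if cand_rob >= best_rob:
            break  # local minimum: no neighbour lowers the cost
        best, best_rob = cand, cand_rob
    return best, best_rob
```

Running `falsify((0.0, 0.0))` walks the initial state outward until the trace overshoots the bound; a negative return value is a counterexample the coverage-guided part of a fuzzer could then minimise or replay.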


