Improving Fuzz Testing of Infotainment Systems and Telematics Units using Agent

In the past few years, cybersecurity has become more intertwined into each step of the automotive development process. In particular, fuzz testing has proven to be a powerful approach to detect unknown vulnerabilities in automotive systems. However, with limited instrumentation, especially on systems such as in-vehicle infotainment (IVI) system and telematics units, there are several types of issues that go undetected, such as memory leaks and cases where the application crashes but restarts quickly. Since these systems are typically based on operating systems providing more functionality such as Linux and Android, it is possible to use appropriate tools to collect additional information from the system under test (SUT) to determine whether there were any exceptions detected during the fuzz testing. Furthermore, it would be possible to gather more details about the detected exceptions on the SUT which helps developers to better understand and identify the root cause of the issues and fix the problems more efficiently. To this end, we introduce the Agent Instrumentation Framework and explain how it can be used to improve fuzz testing of IVIs and telematics units. We show how additional information can be collected from the target system and used to identify whether there are exceptions on the SUT and additionally help developers identify the underlying cause of any issues detected. Finally, to showcase the effectiveness of the agent instrumentation framework we built a test bench based on this approach and performed fuzz testing on multiple SUTs. Based on our findings we highlight several examples of issues that would have not been detected unless we used agent instrumentation.