CCS2025
ConTest: Taming the Cyber-physical Input Space in Fuzz Testing with Control Theory
Jinwen Wang, Hongchao Zhang, Chuanrui Jiang, Andrew Clark, Ning Zhang
Abstract
With the proliferation of Cyber-Physical Systems (CPSs) in daily life, the security of these systems is becoming a pressing problem. Fuzz testing has recently gained attention as a promising approach for automatically detecting vulnerabilities; however, the prohibitively large search space of physical and cyber inputs remains an open research challenge. To address this gap, the paper draws on control theory, leveraging physics-informed control models to guide exploration of the input space. We design and develop ConTest, a fuzzing tool that leverages Lyapunov functions of the control model for both detection and mutation to efficiently search the parameter space, with a provable guarantee on bug-finding effectiveness under bounded dynamic model errors. We implemented a prototype of ConTest and deployed it to detect spatial and temporal input validation bugs in two representative robotic vehicle (RV) platforms, ArduPilot and PX4. A total of 253 input validation bugs were found, 58 of them were zero-day bugs, and 54 were acknowledged by the vendors.
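To make the idea in the abstract concrete, the following is an added toy illustration of Lyapunov-guided fuzzing of a controller's parameter inputs. It is not ConTest, ArduPilot or PX4 code, and it does not reproduce the paper's algorithm or its guarantee. Everything in it is assumed for illustration: a discrete-time double integrator under PD feedback as the "control model" (gains kp, kd as the cyber inputs), a mock firmware validator whose missing bounds accept destabilising gains, a Lyapunov function V(x) = x^T P x computed for the nominal closed loop, a plain hill-climb on the growth of V as the mutation strategy, and a divergence threshold on V as the detection oracle. The initial state and all constants are constructed.

```python
"""Toy sketch of Lyapunov-guided fuzzing of a controller's parameter inputs.

Added illustrative example; not ConTest, ArduPilot or PX4 code. The plant,
the mock firmware validator with its missing bounds, and all constants
below are constructed for illustration.
"""
import math
import random

DT = 0.05              # control period in seconds (assumed)
STEPS = 200            # simulated control periods per test case (assumed)
NOMINAL = (2.0, 1.0)   # designer-tuned (kp, kd); stable for this plant
DIVERGE = 1e4          # V(x_N)/V(x_0) above this is reported as a bug (assumed)
X0 = (1.0, 0.0)        # constructed initial state: 1 m offset, at rest


def closed_loop_matrix(kp, kd):
    """A_cl = A - B*K for x = [pos, vel], A = [[1, DT], [0, 1]],
    B = [[0], [DT]], u = -kp*pos - kd*vel (regulation to the origin)."""
    return [[1.0, DT], [-DT * kp, 1.0 - DT * kd]]


def mat_mul(X, Y):
    return [[sum(X[i][k] * Y[k][j] for k in range(2)) for j in range(2)]
            for i in range(2)]


def lyapunov_matrix(a_cl, terms=2000):
    """P solving A^T P A - P = -I as the series sum_i (A^T)^i A^i; the
    series converges only for a Schur-stable a_cl (true for NOMINAL)."""
    at = [[a_cl[j][i] for j in range(2)] for i in range(2)]
    p = [[0.0, 0.0], [0.0, 0.0]]
    at_i = a_i = [[1.0, 0.0], [0.0, 1.0]]
    for _ in range(terms):
        term = mat_mul(at_i, a_i)
        p = [[p[r][c] + term[r][c] for c in range(2)] for r in range(2)]
        at_i, a_i = mat_mul(at_i, at), mat_mul(a_i, a_cl)
    return p


def lyapunov_value(p, x):
    """V(x) = x^T P x."""
    return sum(x[i] * p[i][j] * x[j] for i in range(2) for j in range(2))


def validate_params_buggy(kp, kd):
    """Mock firmware input check under test: it rejects kp <= 0 and kd < 0
    but has no upper bound on kp and accepts kd == 0; both destabilise the
    loop, which (among other conditions) needs DT*kp < kd."""
    return kp > 0 and kd >= 0


def validate_params_fixed(kp, kd):
    """Hardened check: accept only gains whose model closed loop
    z^2 + a1 z + a0 is Schur stable (second-order Jury conditions)."""
    a1 = -(2.0 - DT * kd)
    a0 = 1.0 - DT * kd + DT * DT * kp
    return abs(a0) < 1.0 and 1.0 + a1 + a0 > 0.0 and 1.0 - a1 + a0 > 0.0


def run_case(kp, kd, validate):
    """Send candidate gains to the mock firmware and simulate STEPS periods.
    Rejected gains leave the nominal ones in force."""
    if not validate(kp, kd):
        kp, kd = NOMINAL
    a = closed_loop_matrix(kp, kd)
    x, traj = list(X0), [X0]
    for _ in range(STEPS):
        x = [a[0][0] * x[0] + a[0][1] * x[1], a[1][0] * x[0] + a[1][1] * x[1]]
        traj.append(tuple(x))
    return traj


def lyapunov_growth(p, traj):
    """log(V(x_N)/V(x_0)) under the nominal model's V: negative when the
    state is pulled to the setpoint, large positive when it diverges."""
    v_end = max(lyapunov_value(p, traj[-1]), 1e-300)
    return math.log(v_end / lyapunov_value(p, traj[0]))


def mutate(rng, params):
    """Perturb one gain; clamped so the toy simulation never overflows."""
    kp, kd = params
    if rng.random() < 0.5:
        kp = min(100.0, max(-5.0, kp * rng.uniform(0.5, 2.0) + rng.uniform(-1, 1)))
    else:
        kd = min(50.0, max(-5.0, kd * rng.uniform(0.0, 2.0) + rng.uniform(-1, 1)))
    return (kp, kd)


def fuzz(validate, rounds=60, seed=1):
    """Hill-climb on Lyapunov growth: keep the candidate that makes V grow
    most (mutation guidance) and stop once growth exceeds log(DIVERGE)
    (detection). Returns (kp, kd, growth) or None if nothing diverged."""
    rng = random.Random(seed)
    p = lyapunov_matrix(closed_loop_matrix(*NOMINAL))
    best = NOMINAL
    best_growth = lyapunov_growth(p, run_case(*best, validate))
    for _ in range(rounds):
        for cand in (mutate(rng, best) for _ in range(8)):
            g = lyapunov_growth(p, run_case(*cand, validate))
            if g > best_growth:
                best, best_growth = cand, g
        if best_growth > math.log(DIVERGE):
            return best[0], best[1], best_growth
    return None


if __name__ == "__main__":
    print("buggy validator:", fuzz(validate_params_buggy))
    print("fixed validator:", fuzz(validate_params_fixed))
```

Against the buggy validator the climb walks kp up and kd down until the nominal model's V blows up, and the gains it reports fail the Jury check that the hardened validator enforces; against the fixed validator every destabilising candidate is rejected and V never diverges. The divergence threshold is deliberately coarse: the nominal P is not a Lyapunov function for perturbed gains, so a weakly damped but stable loop can transiently raise V by a modest factor, which is the kind of bounded model error a sound detector has to budget for.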