Research And Implementation Of In-vehicle Network Vulnerability Mining Technology Based On Penetration Testing And Fuzzing Testing

Posted on: 2022-01-02
Degree: Master
Type: Thesis
Country: China
Candidate: Q Q Yang
Full Text: PDF
GTID: 2492306575954209
Subject: Software engineering

Abstract/Summary:
With the growing integration of automotive electronics and the Internet of Things, modern vehicles are no longer simple physical control systems: the more intelligent a vehicle is, the more electronic control units (ECUs) it integrates. A large number of ECUs connected through the bus form a complex in-vehicle network that realizes functions such as automatic driving and infotainment. As vehicles become more intelligent, this highly complex in-vehicle network poses severe challenges to vehicle information security. Attackers can launch attacks through various means and finally invade the CAN bus network to implement precise vehicle control, endangering the personal and property safety of vehicle occupants. In this context, it is of great practical significance to study the security, intrusion methods and protection methods of automotive CAN bus networks.

This thesis first proposes a penetration test plan for CAN, based on research into vehicle control network technology. Following common attack methods, ID frequency comparison and characteristic value comparison are used to reverse-analyze conventional CAN bus data messages. Diagnostic data messages are comprehensively examined by scanning IDs, main services, sub-functions and their parameters.

Secondly, a fuzzing test engine is designed on the basis of the penetration testing. It includes data generation modules, data transceiver modules and abnormality monitoring modules for the two kinds of data messages. The fuzzing test engine for conventional data messages is designed to discover data anomalies while causing vehicle dysfunction. The fuzzing test engine for diagnostic data messages is designed to detect abnormalities where the in-vehicle network does not conform to the UDS protocol.

Tests on an actual vehicle proved the good effect of the penetration test. Conventional attack methods such as replay attacks seriously affected the functions of the vehicle body; the ID and data fields of functions such as turn signals and door locks in the conventional data messages were cracked; and the IDs and main services of the entire diagnostic data messages, together with some ECU sub-functions, were scanned. The fuzzing test plan designed in this thesis also found security loopholes in the actual vehicle. The conventional data message fuzzing test successfully caused abnormal behaviour of the vehicle body, and the anomaly detection module successfully detected the abnormality by calculating the information entropy and issued an alarm. By injecting data and monitoring responses in real time, the diagnostic data message fuzzing test found a large number of abnormalities in the low-speed network that did not conform to the UDS protocol, as well as positive responses that are difficult to capture in high-speed network penetration tests; all of these were successfully reproduced and given a vulnerability assessment.

These results prove the effectiveness and universality of the design in this thesis, prove that the actual vehicle has a large safety hazard, and help security product developers and researchers test the security risks of the vehicle network in order to propose corresponding protective measures.
Keywords/Search Tags: Internet of Vehicles, Information security, Penetration test, Fuzzing test, UDS protocol
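The abstract says the anomaly detection module raises an alarm by calculating information entropy but does not say what the entropy is computed over. The sketch below is an added example, not code from the thesis: it assumes Shannon entropy of the CAN ID distribution in fixed-size windows, compared against a baseline learned from known-good traffic. All function names, the threshold parameters and the sample frames are constructed for illustration.

```python
import math
from collections import Counter

# Assumption: entropy is taken over the CAN ID distribution per fixed-size window.
def id_entropy(ids):
    """Shannon entropy in bits of the CAN ID distribution within one window."""
    total = len(ids)
    return -sum(c / total * math.log2(c / total) for c in Counter(ids).values())

def window_entropies(frames, size):
    """Yield (start_timestamp_us, entropy) for fixed-size, non-overlapping windows."""
    for i in range(0, len(frames) - size + 1, size):
        chunk = frames[i:i + size]
        yield chunk[0][0], id_entropy([can_id for _, can_id in chunk])

def learn_baseline(frames, size):
    """Mean and standard deviation of window entropy over known-good traffic."""
    values = [h for _, h in window_entropies(frames, size)]
    mean = sum(values) / len(values)
    std = math.sqrt(sum((v - mean) ** 2 for v in values) / len(values))
    return mean, std

def detect(frames, size, mean, std, k=3.0, floor=0.05):
    """Return windows whose entropy deviates from the baseline by more than
    max(k * std, floor); the floor keeps a zero-variance baseline usable."""
    tolerance = max(k * std, floor)
    return [(ts, round(h, 3)) for ts, h in window_entropies(frames, size)
            if abs(h - mean) > tolerance]

def stamp(ids):
    """Attach constructed timestamps (one frame per 1000 us) to a list of IDs."""
    return [(i * 1000, can_id) for i, can_id in enumerate(ids)]

# Constructed sample data: four periodic IDs stand in for normal bus traffic.
NORMAL_IDS = [0x101, 0x1A0, 0x2C4, 0x3E8]
BASELINE = stamp(NORMAL_IDS * 100)
SUSPECT = stamp(
    NORMAL_IDS * 25                                # window 0: normal
    + [0x2C4] * 85 + [0x101, 0x1A0, 0x3E8] * 5      # window 1: one ID dominates
    + [0x100 + i for i in range(100)]              # window 2: many different IDs
)

if __name__ == "__main__":
    mean, std = learn_baseline(BASELINE, size=100)
    for ts, h in detect(SUSPECT, 100, mean, std):
        print(f"ALARM window starting at {ts} us: entropy {h} bits (baseline {mean:.3f})")
```

Entropy falls when one identifier dominates the window and rises when the bus carries many different identifiers, so the check is two-sided.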