Sudharssan Mohan, Kyeongseok Yang, Zelun Kong, Yonghwi Kwon, Junghwan , Tyler Summers, Hongjun Choi, Heejo Lee, and Chung Hwan Kim

Proceedings of the 40th IEEE/ACM International Conference on Automated Software Engineering (ASE) 2025.

View code or BibTeX.

areas
Security, Cyber-Physical Systems, Software Testing

abstract

Robotic aerial vehicles (RAVs), particularly drones, are crucial in civil and military sectors. However, researchers have found that adversaries can inject noise into sensor measurements and cause physical impacts on the RAVs like crashes. Although identifying such signal injection attacks is essential to evaluate and improve the robustness of an RAV, it is challenging to discover them since their impact depends on the RAV's physical states and the search space of noise signals and physical states is vast due to its dynamic nature.

This paper proposes IMUFUZZER, a feedback-driven fuzzing framework, to automatically test an RAV system and discover signal injection attacks. IMUFUZZER generates realistic noise signals for various inertial measurement unit (IMU) sensors, and monitors their impact on RAV control to detect mission failures, leveraging a high-fidelity RAV simulator. To find the physical states that attacks depend on, IMUFUZZER generates various mission paths that the RAV will fly through. We develop a novel feedback mechanism to quantify the resilience of the RAV against attacks and efficiently guide the fuzzing process to find signal injection attacks. Using IMUFUZZER, we have discovered 23 successful signal injection attacks on popular RAV control software (ArduPilot). We evaluate the correctness and effectiveness of our feedback-based sensor fuzzing and demonstrate the feasibility of the discovered attacks through physical experiments.