SlideShare a Scribd company logo

Improving Automotive Software Testing with Agent Instrumentation

Synopsys Software Integrity Group
Synopsys Software Integrity Group

In the past few years, cybersecurity has become more intertwined into each step of the automotive development process. In particular, fuzz testing has proven to be a powerful approach to detect unknown vulnerabilities in automotive systems. However, with limited instrumentation, especially on systems such as in-vehicle infotainment (IVI) system and telematics units, there are several types of issues that go undetected, such as memory leaks and cases where the application crashes but restarts quickly. For more information, please visit www.synopsys.com/auto

Software
1 of 28
© 2019 Synopsys, Inc. 1 Improving Fuzz Testing of Infotainment Systems and Telematics Units Using Agent Instrumentation Rikke Kuipers and Dennis Kengo Oka rikke.kuipers@synopsys.com dennis.kengo.oka@synopsys.com
© 2019 Synopsys, Inc. 2 Challenges of fuzzing automotive components Agent Instrumentation Framework—using agents on the SUT to improve fuzz testing Results show it is possible to detect previously undetectable exceptions
© 2019 Synopsys, Inc. 3 Challenges of fuzzing automotive components Agent Instrumentation Framework—using agents on the SUT to improve fuzz testing Results show it is possible to detect previously undetectable exceptions
© 2019 Synopsys, Inc. 4 Download link: www.synopsys.com/auto-security Cybersecurity Research Center
© 2019 Synopsys, Inc. 5 What are the primary factors that lead to vulnerabilities in automotive software/technology/components? Coding Open source software Testing
© 2019 Synopsys, Inc. 6 What are the primary factors that lead to vulnerabilities in automotive software/technology/components? Coding Open source software Testing
© 2019 Synopsys, Inc. 7 Fuzz testing • Testing technique where malformed or “out-of-specification” inputs are provided to the SUT (system under test), which is then observed to detect exceptions or unintended behavior • Allows developers and testers to identify unknown vulnerabilities in their systems and components
© 2019 Synopsys, Inc. 8 Real-world example—Two embedded systems Low-level ECU Powertrain, chassis, body Small embedded codebase Model-based development Safety criticality: High/Low Security exposure: Low IVI (in-vehicle infotainment), ADAS, telematics ECU Open source platforms/libraries Entire operating systems (AGL) Safety criticality: Low/Medium/High Security exposure: High Linux Android …
© 2019 Synopsys, Inc. 9 Challenges for automotive components • Difficult to instrument the SUT so as to determine whether there was an exception or if it has failed or crashed • E.g., fuzz testing Wi-Fi or Bluetooth, instrumentation typically occurs over the same protocol that is being fuzzed—this limited instrumentation could lead to several potential issues going undetected • Difficult to gather information from the SUT so as to more easily determine the underlying root causes for the exception or failure
© 2019 Synopsys, Inc. 10 Undetected exceptions on SUT Fuzzer SUTFuzz testing PC Zombie processes Protocol being fuzzed Memory leaks Core dumps Application … Exceptions on SUT not detected by just observing the fuzzed protocol
© 2019 Synopsys, Inc. 11 Challenges of fuzzing automotive components Agent Instrumentation Framework—using agents on the SUT to improve fuzz testing Results show it is possible to detect previously undetectable exceptions
© 2019 Synopsys, Inc. 12 Agent Instrumentation Framework—Concept • Developers/testers have access to internals of the SUT (e.g., Linux and Android) • Achieve more efficient and accurate fuzz testing by employing a gray/white box approach where agents placed on the SUT assist with the instrumentation • The agents provide the fuzzer with detailed instrumentation data from the SUT • This data is used to determine the fail/pass verdict of a test case and also provides the developers/testers with valuable information from the SUT
© 2019 Synopsys, Inc. 13 Agent Instrumentation Framework—Modes • More control over the agents • Agents can perform various functions before and after a test case executes • Allows for automation and using more advanced techniques for finding unknown vulnerabilities • Slower to execute the test run • Agents are polled periodically • Fuzzer parses incoming syslog messages with instrumentation data • Cannot tie an exception to a specific test case but only reports when a prespecified condition has been met • Advantage is speed of execution with the loss of accuracy Synchronous mode Asynchronous mode
© 2019 Synopsys, Inc. 14 Overview of Agent Instrumentation Framework Fuzzer Agent instrumentation SUTFuzz testing PC Client External instrumentation Syslog config.json Server Syslog AgentHandler config.json Starter Logger Agent CLI HTTP JSON UDP/ Syslog
© 2019 Synopsys, Inc. 15 Examples of agents (1) • AgentCoreDump –Looks for a core dump file—gives a fail verdict if detected –This file can be used to further analyze the state of the process during the crash • AgentLogTailer –Monitors a log file –Gives a fail verdict if a new line is written to the file and matches any of the predefined parameters • AgentProcessMonitor –Monitors the state of a process –Gives a fail verdict if the process is down or turned into a zombie process –Can also monitor the process’s memory usage and give a fail verdict if usage goes over a configured limit
© 2019 Synopsys, Inc. 16 Examples of agents (2) • AgentPID –Monitors processes on the SUT with more options –Can only be run in synchronous mode—otherwise it might generate false positives –Before each test case is executed, makes a mapping of each predefined process with its process identifier (PID) and PIDs of its children –After a test case is executed, performs the same mapping again – If a process has died, its PID will not be present in the new mapping – If a process has died but restarted, then it has a new PID – Gives a fail verdict in both cases
© 2019 Synopsys, Inc. 17 Examples of agents (3) • AgentAddressSanitizer –Finds memory addressability issues and memory leaks using Google’s ASAN framework: – e.g., use after free (dangling pointer dereference), heap buffer overflow, stack buffer overflow, global buffer overflow, use after return, use after scope, initialization order bugs, memory leaks –Target software needs to be compiled with additional compiler flags—can only be run in synchronous mode –Two configurations: memory leaks and all other addressability issues – To find memory leaks: Kills target process after each test case, and analyzes ASAN’s output – To find all other addressability issues: Configures ASAN to kill the process upon finding any issue (this configuration is faster than finding memory leaks) – In both cases, reports crash trace and detailed crash information (if available) back to the fuzzer
© 2019 Synopsys, Inc. 18 Examples of agents (4) • AgentValgrind –Finds memory leaks and addressability issues (similar to AgentAddressSanitizer) –Difference is the mode of operation and speed –Uses various checkers and profilers from the Valgrind project, which effectively emulates a hardware layer for the program to run on –Quite heavy and adds overhead to each test case –Advantage is that there is no need to recompile target software
© 2019 Synopsys, Inc. 19 Example configuration script Starter script on SUT loads AgentPID, which monitors three processes: • /system/bin/mediaserver • com.android.Bluetooth • android.process.media
© 2019 Synopsys, Inc. 20 Challenges of fuzzing automotive components Agent Instrumentation Framework—using agents on the SUT to improve fuzz testing Results show it is possible to detect previously undetectable exceptions
© 2019 Synopsys, Inc. 21 Setup of test bench Defensics Agent instrumentation SUTFuzz testing PC Client External instrumentation config.json Server AgentHandlerStarter Logger Agent CLI HTTP JSON
© 2019 Synopsys, Inc. 22 Test setup • Run in synchronous mode • Agents used most: –AgentPID as it requires no extra configuration or modification of the SUT –AgentAddressSanitizer and AgentValgrind to find memory issues • Automatically run scripts to enable the agents and collect results • Target systems: Linux or Android • Protocols: –Browser protocols –Bluetooth protocols –Wireless (802.11) protocols –Messaging protocols –File format parsing (audio, images, video) –CAN bus
© 2019 Synopsys, Inc. 23 Bluetooth results • Found a critical vulnerability where a fuzzed single frame causes the main Bluetooth kernel module to crash • Detected by monitoring the bluetoothd daemon process using AgentPID • Since the device has a daemon watchdog that quickly restarts bluetoothd, this vulnerability would not have been detected by just observing the Bluetooth protocol 15:25:43.238 python client.py --config pid- monitor.json instrumentation 15:25:43.640 Instrumentation verdict: FAIL 15:25:43.640 FAIL Agent: pid_monitor Info: Agent pid_monitor says 15:25:43.640 ofonod : ['353'] 15:25:43.640 bluetoothd : ['896'] -> []. 15:25:43.640 bluetoothgateway : [547] 15:25:43.640 mediaserver : [154] 15:25:43.640 wez-launch : ['114'] 15:25:43.640 wez : ['114', '130'] 15:25:43.640 ogg_streamhandler : [11] 15:25:43.640 pulseaudio : ['775'] 15:25:43.640 audio_daemon : ['839'] 15:25:43.640 media_engine_app : [145] AgentPID agent
© 2019 Synopsys, Inc. 24 Wi-Fi results • Found a critical vulnerability where a fuzzed single frame caused several kernel modules to crash • Nonauthenticated frame—could be sent by anyone • Log Tailer agent found this issue by tailing syslog with the keywords “stack,” “crash,” and several kernel module names • This vulnerability would not have been detected by only observing the Wi-Fi communication, as the kernel watchdog restarted the affected modules immediately Log Tailer agent
© 2019 Synopsys, Inc. 25 MQTT results • Access to the source of the MQTT broker • AgentAddressSanitizer to test for memory addressability issues and memory leaks • Recompiled the code with additional compilation flags to enable Google’s ASAN instrumentation • Found a memory leak in the popular MQTT broker Mosquitto • This vulnerability would not have been detected by only observing the fuzzed protocol AgentAddressSanitizer
© 2019 Synopsys, Inc. 26 Challenges of fuzzing automotive components Agent Instrumentation Framework—using agents on the SUT to improve fuzz testing Results show it is possible to detect previously undetectable exceptions
Thank You
Improving Automotive Software Testing with Agent Instrumentation

Recommended

Do Design Quality and Code Quality Matter in Merger and Acquisition Tech Due ...
Do Design Quality and Code Quality Matter in Merger and Acquisition Tech Due ...Do Design Quality and Code Quality Matter in Merger and Acquisition Tech Due ...
Do Design Quality and Code Quality Matter in Merger and Acquisition Tech Due ...Synopsys Software Integrity Group
 
Webinar–Creating a Modern AppSec Toolchain to Quantify Service Risks
Webinar–Creating a Modern AppSec Toolchain to Quantify Service RisksWebinar–Creating a Modern AppSec Toolchain to Quantify Service Risks
Webinar–Creating a Modern AppSec Toolchain to Quantify Service RisksSynopsys Software Integrity Group
 
Webinar–5 ways to risk rank your vulnerabilities
Webinar–5 ways to risk rank your vulnerabilitiesWebinar–5 ways to risk rank your vulnerabilities
Webinar–5 ways to risk rank your vulnerabilitiesSynopsys Software Integrity Group
 
Webinar–You've Got Your Open Source Audit Report–Now What?
Webinar–You've Got Your Open Source Audit Report–Now What? Webinar–You've Got Your Open Source Audit Report–Now What?
Webinar–You've Got Your Open Source Audit Report–Now What? Synopsys Software Integrity Group
 
Webinar–Financial Services Study Shows Why Investing in AppSec Matters
Webinar–Financial Services Study Shows Why Investing in AppSec MattersWebinar–Financial Services Study Shows Why Investing in AppSec Matters
Webinar–Financial Services Study Shows Why Investing in AppSec MattersSynopsys Software Integrity Group
 
Webinar–That is Not How This Works
Webinar–That is Not How This WorksWebinar–That is Not How This Works
Webinar–That is Not How This WorksSynopsys Software Integrity Group
 
Webinar–Delivering a Next Generation Vulnerability Feed
Webinar–Delivering a Next Generation Vulnerability FeedWebinar–Delivering a Next Generation Vulnerability Feed
Webinar–Delivering a Next Generation Vulnerability FeedSynopsys Software Integrity Group
 
Webinar–The State of Open Source in M&A Transactions
Webinar–The State of Open Source in M&A Transactions Webinar–The State of Open Source in M&A Transactions
Webinar–The State of Open Source in M&A Transactions Synopsys Software Integrity Group
 

Recommended

Do Design Quality and Code Quality Matter in Merger and Acquisition Tech Due ...
Do Design Quality and Code Quality Matter in Merger and Acquisition Tech Due ...Do Design Quality and Code Quality Matter in Merger and Acquisition Tech Due ...
Do Design Quality and Code Quality Matter in Merger and Acquisition Tech Due ...Synopsys Software Integrity Group
 
Webinar–Creating a Modern AppSec Toolchain to Quantify Service Risks
Webinar–Creating a Modern AppSec Toolchain to Quantify Service RisksWebinar–Creating a Modern AppSec Toolchain to Quantify Service Risks
Webinar–Creating a Modern AppSec Toolchain to Quantify Service RisksSynopsys Software Integrity Group
 
Webinar–5 ways to risk rank your vulnerabilities
Webinar–5 ways to risk rank your vulnerabilitiesWebinar–5 ways to risk rank your vulnerabilities
Webinar–5 ways to risk rank your vulnerabilitiesSynopsys Software Integrity Group
 
Webinar–You've Got Your Open Source Audit Report–Now What?
Webinar–You've Got Your Open Source Audit Report–Now What? Webinar–You've Got Your Open Source Audit Report–Now What?
Webinar–You've Got Your Open Source Audit Report–Now What? Synopsys Software Integrity Group
 
Webinar–Financial Services Study Shows Why Investing in AppSec Matters
Webinar–Financial Services Study Shows Why Investing in AppSec MattersWebinar–Financial Services Study Shows Why Investing in AppSec Matters
Webinar–Financial Services Study Shows Why Investing in AppSec MattersSynopsys Software Integrity Group
 
Webinar–That is Not How This Works
Webinar–That is Not How This WorksWebinar–That is Not How This Works
Webinar–That is Not How This WorksSynopsys Software Integrity Group
 
Webinar–Delivering a Next Generation Vulnerability Feed
Webinar–Delivering a Next Generation Vulnerability FeedWebinar–Delivering a Next Generation Vulnerability Feed
Webinar–Delivering a Next Generation Vulnerability FeedSynopsys Software Integrity Group
 
Webinar–The State of Open Source in M&A Transactions
Webinar–The State of Open Source in M&A Transactions Webinar–The State of Open Source in M&A Transactions
Webinar–The State of Open Source in M&A Transactions Synopsys Software Integrity Group
 
Webinar–Using Evidence-Based Security
Webinar–Using Evidence-Based Security Webinar–Using Evidence-Based Security
Webinar–Using Evidence-Based Security Synopsys Software Integrity Group
 
Synopsys Security Event Israel Presentation: Keynote: Securing Your Software,...
Synopsys Security Event Israel Presentation: Keynote: Securing Your Software,...Synopsys Security Event Israel Presentation: Keynote: Securing Your Software,...
Synopsys Security Event Israel Presentation: Keynote: Securing Your Software,...Synopsys Software Integrity Group
 
Webinar–OWASP Top 10 for JavaScript for Developers
Webinar–OWASP Top 10 for JavaScript for DevelopersWebinar–OWASP Top 10 for JavaScript for Developers
Webinar–OWASP Top 10 for JavaScript for DevelopersSynopsys Software Integrity Group
 
Webinar–Best Practices for DevSecOps at Scale
Webinar–Best Practices for DevSecOps at ScaleWebinar–Best Practices for DevSecOps at Scale
Webinar–Best Practices for DevSecOps at ScaleSynopsys Software Integrity Group
 
Webinar–The 2019 Open Source Year in Review
Webinar–The 2019 Open Source Year in ReviewWebinar–The 2019 Open Source Year in Review
Webinar–The 2019 Open Source Year in ReviewSynopsys Software Integrity Group
 
Webinar – Risk-based adaptive DevSecOps
Webinar – Risk-based adaptive DevSecOps Webinar – Risk-based adaptive DevSecOps
Webinar – Risk-based adaptive DevSecOps Synopsys Software Integrity Group
 
Webinar–Is Your Software Security Supply Chain a Security Blind Spot?
Webinar–Is Your Software Security Supply Chain a Security Blind Spot?Webinar–Is Your Software Security Supply Chain a Security Blind Spot?
Webinar–Is Your Software Security Supply Chain a Security Blind Spot?Synopsys Software Integrity Group
 
Webinar–Mobile Application Hardening Protecting Business Critical Apps
Webinar–Mobile Application Hardening Protecting Business Critical AppsWebinar–Mobile Application Hardening Protecting Business Critical Apps
Webinar–Mobile Application Hardening Protecting Business Critical AppsSynopsys Software Integrity Group
 
Black Duck & IBM Present: Application Security in the Age of Open Source
Black Duck & IBM Present: Application Security in the Age of Open SourceBlack Duck & IBM Present: Application Security in the Age of Open Source
Black Duck & IBM Present: Application Security in the Age of Open SourceBlack Duck by Synopsys
 
Webinar–AppSec: Hype or Reality
Webinar–AppSec: Hype or RealityWebinar–AppSec: Hype or Reality
Webinar–AppSec: Hype or RealitySynopsys Software Integrity Group
 
RSA Conference Presentation–Creating a Modern AppSec Toolchain to Quantify Se...
RSA Conference Presentation–Creating a Modern AppSec Toolchain to Quantify Se...RSA Conference Presentation–Creating a Modern AppSec Toolchain to Quantify Se...
RSA Conference Presentation–Creating a Modern AppSec Toolchain to Quantify Se...Synopsys Software Integrity Group
 
Synopsys Security Event Israel Presentation: Making AppSec Testing Work in CI/CD
Synopsys Security Event Israel Presentation: Making AppSec Testing Work in CI/CDSynopsys Security Event Israel Presentation: Making AppSec Testing Work in CI/CD
Synopsys Security Event Israel Presentation: Making AppSec Testing Work in CI/CDSynopsys Software Integrity Group
 
Software Security Assurance for DevOps
Software Security Assurance for DevOpsSoftware Security Assurance for DevOps
Software Security Assurance for DevOpsBlack Duck by Synopsys
 
Car Cybersecurity: The Gap Still Exists
Car Cybersecurity: The Gap Still ExistsCar Cybersecurity: The Gap Still Exists
Car Cybersecurity: The Gap Still ExistsSecurity Innovation
 
Open Source Outlook: Expected Developments for 2016
Open Source Outlook: Expected Developments for 2016Open Source Outlook: Expected Developments for 2016
Open Source Outlook: Expected Developments for 2016Black Duck by Synopsys
 
Preventing Code Leaks & Other Critical Security Risks from Code
Preventing Code Leaks & Other Critical Security Risks from CodePreventing Code Leaks & Other Critical Security Risks from Code
Preventing Code Leaks & Other Critical Security Risks from CodeDevOps.com
 
Mobile security recipes for xamarin
Mobile security recipes for xamarinMobile security recipes for xamarin
Mobile security recipes for xamarinNicolas Milcoff
 
«Product Security Incident Response Team (PSIRT) - Изнутри Cisco PSIRT», Алек...
«Product Security Incident Response Team (PSIRT) - Изнутри Cisco PSIRT», Алек...«Product Security Incident Response Team (PSIRT) - Изнутри Cisco PSIRT», Алек...
«Product Security Incident Response Team (PSIRT) - Изнутри Cisco PSIRT», Алек...Mail.ru Group
 
Open Source Insight: You Can’t Beat Hackers and the Pentagon Moves into Open...
Open Source Insight: You Can’t Beat Hackers and the Pentagon Moves into Open...Open Source Insight: You Can’t Beat Hackers and the Pentagon Moves into Open...
Open Source Insight: You Can’t Beat Hackers and the Pentagon Moves into Open...Black Duck by Synopsys
 
Improving Dependability of Embedded Software System
Improving Dependability of Embedded Software SystemImproving Dependability of Embedded Software System
Improving Dependability of Embedded Software SystemRAKESH RANA
 
IFIP2023-Abhik.pptx
IFIP2023-Abhik.pptxIFIP2023-Abhik.pptx
IFIP2023-Abhik.pptxAbhik Roychoudhury
 
Briforum2012 advanced appv-sequencing
Briforum2012 advanced appv-sequencingBriforum2012 advanced appv-sequencing
Briforum2012 advanced appv-sequencingKevin Kaminski
 

More Related Content

What's hot

Synopsys Security Event Israel Presentation: Keynote: Securing Your Software,...
Synopsys Security Event Israel Presentation: Keynote: Securing Your Software,...Synopsys Security Event Israel Presentation: Keynote: Securing Your Software,...
Synopsys Security Event Israel Presentation: Keynote: Securing Your Software,...Synopsys Software Integrity Group
 
Webinar–Is Your Software Security Supply Chain a Security Blind Spot?
Webinar–Is Your Software Security Supply Chain a Security Blind Spot?Webinar–Is Your Software Security Supply Chain a Security Blind Spot?
Webinar–Is Your Software Security Supply Chain a Security Blind Spot?Synopsys Software Integrity Group
 
Webinar–Mobile Application Hardening Protecting Business Critical Apps
Webinar–Mobile Application Hardening Protecting Business Critical AppsWebinar–Mobile Application Hardening Protecting Business Critical Apps
Webinar–Mobile Application Hardening Protecting Business Critical AppsSynopsys Software Integrity Group
 
Black Duck & IBM Present: Application Security in the Age of Open Source
Black Duck & IBM Present: Application Security in the Age of Open SourceBlack Duck & IBM Present: Application Security in the Age of Open Source
Black Duck & IBM Present: Application Security in the Age of Open SourceBlack Duck by Synopsys
 
RSA Conference Presentation–Creating a Modern AppSec Toolchain to Quantify Se...
RSA Conference Presentation–Creating a Modern AppSec Toolchain to Quantify Se...RSA Conference Presentation–Creating a Modern AppSec Toolchain to Quantify Se...
RSA Conference Presentation–Creating a Modern AppSec Toolchain to Quantify Se...Synopsys Software Integrity Group
 
Synopsys Security Event Israel Presentation: Making AppSec Testing Work in CI/CD
Synopsys Security Event Israel Presentation: Making AppSec Testing Work in CI/CDSynopsys Security Event Israel Presentation: Making AppSec Testing Work in CI/CD
Synopsys Security Event Israel Presentation: Making AppSec Testing Work in CI/CDSynopsys Software Integrity Group
 
Software Security Assurance for DevOps
Software Security Assurance for DevOpsSoftware Security Assurance for DevOps
Software Security Assurance for DevOpsBlack Duck by Synopsys
 
Car Cybersecurity: The Gap Still Exists
Car Cybersecurity: The Gap Still ExistsCar Cybersecurity: The Gap Still Exists
Car Cybersecurity: The Gap Still ExistsSecurity Innovation
 
Open Source Outlook: Expected Developments for 2016
Open Source Outlook: Expected Developments for 2016Open Source Outlook: Expected Developments for 2016
Open Source Outlook: Expected Developments for 2016Black Duck by Synopsys
 
Preventing Code Leaks & Other Critical Security Risks from Code
Preventing Code Leaks & Other Critical Security Risks from CodePreventing Code Leaks & Other Critical Security Risks from Code
Preventing Code Leaks & Other Critical Security Risks from CodeDevOps.com
 
Mobile security recipes for xamarin
Mobile security recipes for xamarinMobile security recipes for xamarin
Mobile security recipes for xamarinNicolas Milcoff
 
«Product Security Incident Response Team (PSIRT) - Изнутри Cisco PSIRT», Алек...
«Product Security Incident Response Team (PSIRT) - Изнутри Cisco PSIRT», Алек...«Product Security Incident Response Team (PSIRT) - Изнутри Cisco PSIRT», Алек...
«Product Security Incident Response Team (PSIRT) - Изнутри Cisco PSIRT», Алек...Mail.ru Group
 
Open Source Insight: You Can’t Beat Hackers and the Pentagon Moves into Open...
Open Source Insight: You Can’t Beat Hackers and the Pentagon Moves into Open...Open Source Insight: You Can’t Beat Hackers and the Pentagon Moves into Open...
Open Source Insight: You Can’t Beat Hackers and the Pentagon Moves into Open...Black Duck by Synopsys
 

What's hot (19)

Webinar–Using Evidence-Based Security
Webinar–Using Evidence-Based Security Webinar–Using Evidence-Based Security
Webinar–Using Evidence-Based Security
 
Synopsys Security Event Israel Presentation: Keynote: Securing Your Software,...
Synopsys Security Event Israel Presentation: Keynote: Securing Your Software,...Synopsys Security Event Israel Presentation: Keynote: Securing Your Software,...
Synopsys Security Event Israel Presentation: Keynote: Securing Your Software,...
 
Webinar–OWASP Top 10 for JavaScript for Developers
Webinar–OWASP Top 10 for JavaScript for DevelopersWebinar–OWASP Top 10 for JavaScript for Developers
Webinar–OWASP Top 10 for JavaScript for Developers
 
Webinar–Best Practices for DevSecOps at Scale
Webinar–Best Practices for DevSecOps at ScaleWebinar–Best Practices for DevSecOps at Scale
Webinar–Best Practices for DevSecOps at Scale
 
Webinar–The 2019 Open Source Year in Review
Webinar–The 2019 Open Source Year in ReviewWebinar–The 2019 Open Source Year in Review
Webinar–The 2019 Open Source Year in Review
 
Webinar – Risk-based adaptive DevSecOps
Webinar – Risk-based adaptive DevSecOps Webinar – Risk-based adaptive DevSecOps
Webinar – Risk-based adaptive DevSecOps
 
Webinar–Is Your Software Security Supply Chain a Security Blind Spot?
Webinar–Is Your Software Security Supply Chain a Security Blind Spot?Webinar–Is Your Software Security Supply Chain a Security Blind Spot?
Webinar–Is Your Software Security Supply Chain a Security Blind Spot?
 
Webinar–Mobile Application Hardening Protecting Business Critical Apps
Webinar–Mobile Application Hardening Protecting Business Critical AppsWebinar–Mobile Application Hardening Protecting Business Critical Apps
Webinar–Mobile Application Hardening Protecting Business Critical Apps
 
Black Duck & IBM Present: Application Security in the Age of Open Source
Black Duck & IBM Present: Application Security in the Age of Open SourceBlack Duck & IBM Present: Application Security in the Age of Open Source
Black Duck & IBM Present: Application Security in the Age of Open Source
 
Webinar–AppSec: Hype or Reality
Webinar–AppSec: Hype or RealityWebinar–AppSec: Hype or Reality
Webinar–AppSec: Hype or Reality
 
RSA Conference Presentation–Creating a Modern AppSec Toolchain to Quantify Se...
RSA Conference Presentation–Creating a Modern AppSec Toolchain to Quantify Se...RSA Conference Presentation–Creating a Modern AppSec Toolchain to Quantify Se...
RSA Conference Presentation–Creating a Modern AppSec Toolchain to Quantify Se...
 
Synopsys Security Event Israel Presentation: Making AppSec Testing Work in CI/CD
Synopsys Security Event Israel Presentation: Making AppSec Testing Work in CI/CDSynopsys Security Event Israel Presentation: Making AppSec Testing Work in CI/CD
Synopsys Security Event Israel Presentation: Making AppSec Testing Work in CI/CD
 
Software Security Assurance for DevOps
Software Security Assurance for DevOpsSoftware Security Assurance for DevOps
Software Security Assurance for DevOps
 
Car Cybersecurity: The Gap Still Exists
Car Cybersecurity: The Gap Still ExistsCar Cybersecurity: The Gap Still Exists
Car Cybersecurity: The Gap Still Exists
 
Open Source Outlook: Expected Developments for 2016
Open Source Outlook: Expected Developments for 2016Open Source Outlook: Expected Developments for 2016
Open Source Outlook: Expected Developments for 2016
 
Preventing Code Leaks & Other Critical Security Risks from Code
Preventing Code Leaks & Other Critical Security Risks from CodePreventing Code Leaks & Other Critical Security Risks from Code
Preventing Code Leaks & Other Critical Security Risks from Code
 
Mobile security recipes for xamarin
Mobile security recipes for xamarinMobile security recipes for xamarin
Mobile security recipes for xamarin
 
«Product Security Incident Response Team (PSIRT) - Изнутри Cisco PSIRT», Алек...
«Product Security Incident Response Team (PSIRT) - Изнутри Cisco PSIRT», Алек...«Product Security Incident Response Team (PSIRT) - Изнутри Cisco PSIRT», Алек...
«Product Security Incident Response Team (PSIRT) - Изнутри Cisco PSIRT», Алек...
 
Open Source Insight: You Can’t Beat Hackers and the Pentagon Moves into Open...
Open Source Insight: You Can’t Beat Hackers and the Pentagon Moves into Open...Open Source Insight: You Can’t Beat Hackers and the Pentagon Moves into Open...
Open Source Insight: You Can’t Beat Hackers and the Pentagon Moves into Open...
 

Similar to Improving Automotive Software Testing with Agent Instrumentation

Improving Dependability of Embedded Software System
Improving Dependability of Embedded Software SystemImproving Dependability of Embedded Software System
Improving Dependability of Embedded Software SystemRAKESH RANA
 
Briforum2012 advanced appv-sequencing
Briforum2012 advanced appv-sequencingBriforum2012 advanced appv-sequencing
Briforum2012 advanced appv-sequencingKevin Kaminski
 
IRJET- Analysis of Forensics Tools in Cloud Environment
IRJET- Analysis of Forensics Tools in Cloud EnvironmentIRJET- Analysis of Forensics Tools in Cloud Environment
IRJET- Analysis of Forensics Tools in Cloud EnvironmentIRJET Journal
 
Threat Analysis on Win10 IoT Core and Recommaended Security Measures by Naohi...
Threat Analysis on Win10 IoT Core and Recommaended Security Measures by Naohi...Threat Analysis on Win10 IoT Core and Recommaended Security Measures by Naohi...
Threat Analysis on Win10 IoT Core and Recommaended Security Measures by Naohi...CODE BLUE
 
Analysis Of Process Structure In Windows Operating System
Analysis Of Process Structure In Windows Operating SystemAnalysis Of Process Structure In Windows Operating System
Analysis Of Process Structure In Windows Operating SystemDarian Pruitt
 
Mule soft meetup__adelaide_october_2020_final (2)
Mule soft meetup__adelaide_october_2020_final (2)Mule soft meetup__adelaide_october_2020_final (2)
Mule soft meetup__adelaide_october_2020_final (2)Nicholas Bowman
 
Automating "Network Ready for Use" with pytest
Automating "Network Ready for Use" with pytestAutomating "Network Ready for Use" with pytest
Automating "Network Ready for Use" with pytestJeremy Schulman
 
bqurious Test Automation & Management Suite
bqurious Test Automation & Management Suitebqurious Test Automation & Management Suite
bqurious Test Automation & Management SuiteAbhay Goel
 
Mule soft meetup_tw_no1_june17
Mule soft meetup_tw_no1_june17Mule soft meetup_tw_no1_june17
Mule soft meetup_tw_no1_june17WendyTey4
 
Software, Security, manual testing training in Chandigarh
Software, Security, manual testing training in Chandigarh Software, Security, manual testing training in Chandigarh
Software, Security, manual testing training in Chandigarh tapsi sharma
 
Testing strategies and best practices using MUnit
Testing strategies and best practices using MUnitTesting strategies and best practices using MUnit
Testing strategies and best practices using MUnitJimmy Attia
 
Fact vs-hype top10
Fact vs-hype top10Fact vs-hype top10
Fact vs-hype top10Usman Arif
 
Reliable software in a continuous integration/continuous deployment (CI/CD) e...
Reliable software in a continuous integration/continuous deployment (CI/CD) e...Reliable software in a continuous integration/continuous deployment (CI/CD) e...
Reliable software in a continuous integration/continuous deployment (CI/CD) e...Ann Marie Neufelder
 
Agile Development in Aerospace and Defense
Agile Development in Aerospace and DefenseAgile Development in Aerospace and Defense
Agile Development in Aerospace and DefenseJim Nickel
 
IRJET- Usage-Based Automotive Insurance System
IRJET- Usage-Based Automotive Insurance SystemIRJET- Usage-Based Automotive Insurance System
IRJET- Usage-Based Automotive Insurance SystemIRJET Journal
 
Princeton-NJ-Meetup-Troubleshooting-with-AnyPoint-Monitoring
Princeton-NJ-Meetup-Troubleshooting-with-AnyPoint-MonitoringPrinceton-NJ-Meetup-Troubleshooting-with-AnyPoint-Monitoring
Princeton-NJ-Meetup-Troubleshooting-with-AnyPoint-MonitoringSravan Lingam
 
Windows Debugging Tools - JavaOne 2013
Windows Debugging Tools - JavaOne 2013Windows Debugging Tools - JavaOne 2013
Windows Debugging Tools - JavaOne 2013MattKilner
 
Innovate 2014: Get an A+ on Testing Your Enterprise Applications with Rationa...
Innovate 2014: Get an A+ on Testing Your Enterprise Applications with Rationa...Innovate 2014: Get an A+ on Testing Your Enterprise Applications with Rationa...
Innovate 2014: Get an A+ on Testing Your Enterprise Applications with Rationa...Teodoro Cipresso
 
Monitoring and Instrumentation Strategies: Tips and Best Practices - AppSphere16
Monitoring and Instrumentation Strategies: Tips and Best Practices - AppSphere16Monitoring and Instrumentation Strategies: Tips and Best Practices - AppSphere16
Monitoring and Instrumentation Strategies: Tips and Best Practices - AppSphere16AppDynamics
 

Similar to Improving Automotive Software Testing with Agent Instrumentation (20)

Improving Dependability of Embedded Software System
Improving Dependability of Embedded Software SystemImproving Dependability of Embedded Software System
Improving Dependability of Embedded Software System
 
IFIP2023-Abhik.pptx
IFIP2023-Abhik.pptxIFIP2023-Abhik.pptx
IFIP2023-Abhik.pptx
 
Briforum2012 advanced appv-sequencing
Briforum2012 advanced appv-sequencingBriforum2012 advanced appv-sequencing
Briforum2012 advanced appv-sequencing
 
IRJET- Analysis of Forensics Tools in Cloud Environment
IRJET- Analysis of Forensics Tools in Cloud EnvironmentIRJET- Analysis of Forensics Tools in Cloud Environment
IRJET- Analysis of Forensics Tools in Cloud Environment
 
Threat Analysis on Win10 IoT Core and Recommaended Security Measures by Naohi...
Threat Analysis on Win10 IoT Core and Recommaended Security Measures by Naohi...Threat Analysis on Win10 IoT Core and Recommaended Security Measures by Naohi...
Threat Analysis on Win10 IoT Core and Recommaended Security Measures by Naohi...
 
Analysis Of Process Structure In Windows Operating System
Analysis Of Process Structure In Windows Operating SystemAnalysis Of Process Structure In Windows Operating System
Analysis Of Process Structure In Windows Operating System
 
Mule soft meetup__adelaide_october_2020_final (2)
Mule soft meetup__adelaide_october_2020_final (2)Mule soft meetup__adelaide_october_2020_final (2)
Mule soft meetup__adelaide_october_2020_final (2)
 
Automating "Network Ready for Use" with pytest
Automating "Network Ready for Use" with pytestAutomating "Network Ready for Use" with pytest
Automating "Network Ready for Use" with pytest
 
bqurious Test Automation & Management Suite
bqurious Test Automation & Management Suitebqurious Test Automation & Management Suite
bqurious Test Automation & Management Suite
 
Mule soft meetup_tw_no1_june17
Mule soft meetup_tw_no1_june17Mule soft meetup_tw_no1_june17
Mule soft meetup_tw_no1_june17
 
Software, Security, manual testing training in Chandigarh
Software, Security, manual testing training in Chandigarh Software, Security, manual testing training in Chandigarh
Software, Security, manual testing training in Chandigarh
 
Testing strategies and best practices using MUnit
Testing strategies and best practices using MUnitTesting strategies and best practices using MUnit
Testing strategies and best practices using MUnit
 
Fact vs-hype top10
Fact vs-hype top10Fact vs-hype top10
Fact vs-hype top10
 
Reliable software in a continuous integration/continuous deployment (CI/CD) e...
Reliable software in a continuous integration/continuous deployment (CI/CD) e...Reliable software in a continuous integration/continuous deployment (CI/CD) e...
Reliable software in a continuous integration/continuous deployment (CI/CD) e...
 
Agile Development in Aerospace and Defense
Agile Development in Aerospace and DefenseAgile Development in Aerospace and Defense
Agile Development in Aerospace and Defense
 
IRJET- Usage-Based Automotive Insurance System
IRJET- Usage-Based Automotive Insurance SystemIRJET- Usage-Based Automotive Insurance System
IRJET- Usage-Based Automotive Insurance System
 
Princeton-NJ-Meetup-Troubleshooting-with-AnyPoint-Monitoring
Princeton-NJ-Meetup-Troubleshooting-with-AnyPoint-MonitoringPrinceton-NJ-Meetup-Troubleshooting-with-AnyPoint-Monitoring
Princeton-NJ-Meetup-Troubleshooting-with-AnyPoint-Monitoring
 
Windows Debugging Tools - JavaOne 2013
Windows Debugging Tools - JavaOne 2013Windows Debugging Tools - JavaOne 2013
Windows Debugging Tools - JavaOne 2013
 
Innovate 2014: Get an A+ on Testing Your Enterprise Applications with Rationa...
Innovate 2014: Get an A+ on Testing Your Enterprise Applications with Rationa...Innovate 2014: Get an A+ on Testing Your Enterprise Applications with Rationa...
Innovate 2014: Get an A+ on Testing Your Enterprise Applications with Rationa...
 
Monitoring and Instrumentation Strategies: Tips and Best Practices - AppSphere16
Monitoring and Instrumentation Strategies: Tips and Best Practices - AppSphere16Monitoring and Instrumentation Strategies: Tips and Best Practices - AppSphere16
Monitoring and Instrumentation Strategies: Tips and Best Practices - AppSphere16
 

More from Synopsys Software Integrity Group

Webinar–Sécurité Applicative et DevSecOps dans un monde Agile
Webinar–Sécurité Applicative et DevSecOps dans un monde AgileWebinar–Sécurité Applicative et DevSecOps dans un monde Agile
Webinar–Sécurité Applicative et DevSecOps dans un monde AgileSynopsys Software Integrity Group
 
Webinar – Streamling Your Tech Due Diligence Process for Software Assets
Webinar – Streamling Your Tech Due Diligence Process for Software AssetsWebinar – Streamling Your Tech Due Diligence Process for Software Assets
Webinar – Streamling Your Tech Due Diligence Process for Software AssetsSynopsys Software Integrity Group
 
Webinar – Using Metrics to Drive Your Software Security Initiative
Webinar – Using Metrics to Drive Your Software Security Initiative Webinar – Using Metrics to Drive Your Software Security Initiative
Webinar – Using Metrics to Drive Your Software Security Initiative Synopsys Software Integrity Group
 
Webinar–Vulnerabilities in Containerised Production Environments
Webinar–Vulnerabilities in Containerised Production EnvironmentsWebinar–Vulnerabilities in Containerised Production Environments
Webinar–Vulnerabilities in Containerised Production EnvironmentsSynopsys Software Integrity Group
 

More from Synopsys Software Integrity Group (14)

Webinar–Segen oder Fluch?
Webinar–Segen oder Fluch?Webinar–Segen oder Fluch?
Webinar–Segen oder Fluch?
 
Webinar–What You Need To Know About Open Source Licensing
Webinar–What You Need To Know About Open Source LicensingWebinar–What You Need To Know About Open Source Licensing
Webinar–What You Need To Know About Open Source Licensing
 
Webinar–Why All Open Source Scans Aren't Created Equal
Webinar–Why All Open Source Scans Aren't Created EqualWebinar–Why All Open Source Scans Aren't Created Equal
Webinar–Why All Open Source Scans Aren't Created Equal
 
Webinar–Sécurité Applicative et DevSecOps dans un monde Agile
Webinar–Sécurité Applicative et DevSecOps dans un monde AgileWebinar–Sécurité Applicative et DevSecOps dans un monde Agile
Webinar–Sécurité Applicative et DevSecOps dans un monde Agile
 
Webinar – Streamling Your Tech Due Diligence Process for Software Assets
Webinar – Streamling Your Tech Due Diligence Process for Software AssetsWebinar – Streamling Your Tech Due Diligence Process for Software Assets
Webinar – Streamling Your Tech Due Diligence Process for Software Assets
 
Webinar – Security Tool Misconfiguration and Abuse
Webinar – Security Tool Misconfiguration and AbuseWebinar – Security Tool Misconfiguration and Abuse
Webinar – Security Tool Misconfiguration and Abuse
 
Webinar – Software Security 2019–Embrace Velocity
Webinar – Software Security 2019–Embrace Velocity Webinar – Software Security 2019–Embrace Velocity
Webinar – Software Security 2019–Embrace Velocity
 
Webinar - Developers Are Your Greatest AppSec Resource
Webinar - Developers Are Your Greatest AppSec ResourceWebinar - Developers Are Your Greatest AppSec Resource
Webinar - Developers Are Your Greatest AppSec Resource
 
Webinar – Using Metrics to Drive Your Software Security Initiative
Webinar – Using Metrics to Drive Your Software Security Initiative Webinar – Using Metrics to Drive Your Software Security Initiative
Webinar – Using Metrics to Drive Your Software Security Initiative
 
Webinar–Vulnerabilities in Containerised Production Environments
Webinar–Vulnerabilities in Containerised Production EnvironmentsWebinar–Vulnerabilities in Containerised Production Environments
Webinar–Vulnerabilities in Containerised Production Environments
 
Infographic–A Look Back at the First Year of GDPR
Infographic–A Look Back at the First Year of GDPRInfographic–A Look Back at the First Year of GDPR
Infographic–A Look Back at the First Year of GDPR
 
Webinar–2019 Open Source Risk Analysis Report
Webinar–2019 Open Source Risk Analysis ReportWebinar–2019 Open Source Risk Analysis Report
Webinar–2019 Open Source Risk Analysis Report
 
Webinar–Open Source Risk in M&A by the Numbers
Webinar–Open Source Risk in M&A by the NumbersWebinar–Open Source Risk in M&A by the Numbers
Webinar–Open Source Risk in M&A by the Numbers
 
Webinar–Reviewing Modern JavaScript Applications
Webinar–Reviewing Modern JavaScript ApplicationsWebinar–Reviewing Modern JavaScript Applications
Webinar–Reviewing Modern JavaScript Applications
 

Recently uploaded

Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVshikhaohhpro
 
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...Christina Lin
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataBradBedford3
 
chapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptchapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptkotipi9215
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...harshavardhanraghave
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackVICTOR MAESTRE RAMIREZ
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantAxelRicardoTrocheRiq
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEOrtus Solutions, Corp
 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio, Inc.
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providermohitmore19
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)OPEN KNOWLEDGE GmbH
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Modelsaagamshah0812
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfkalichargn70th171
 
What is Binary Language? Computer Number Systems
What is Binary Language? Computer Number SystemsWhat is Binary Language? Computer Number Systems
What is Binary Language? Computer Number SystemsJheuzeDellosa
 
why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfjoe51371421
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxbodapatigopi8531
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...stazi3110
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...MyIntelliSource, Inc.
 
Introduction to Decentralized Applications (dApps)
Introduction to Decentralized Applications (dApps)Introduction to Decentralized Applications (dApps)
Introduction to Decentralized Applications (dApps)Intelisync
 

Recently uploaded (20)

Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
 
chapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptchapter--4-software-project-planning.ppt
chapter--4-software-project-planning.ppt
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStack
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service Consultant
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
 
Exploring iOS App Development: Simplifying the Process
Exploring iOS App Development: Simplifying the ProcessExploring iOS App Development: Simplifying the Process
Exploring iOS App Development: Simplifying the Process
 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
What is Binary Language? Computer Number Systems
What is Binary Language? Computer Number SystemsWhat is Binary Language? Computer Number Systems
What is Binary Language? Computer Number Systems
 
why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdf
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptx
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
Introduction to Decentralized Applications (dApps)
Introduction to Decentralized Applications (dApps)Introduction to Decentralized Applications (dApps)
Introduction to Decentralized Applications (dApps)
 

Improving Automotive Software Testing with Agent Instrumentation

  • 1. © 2019 Synopsys, Inc. 1 Improving Fuzz Testing of Infotainment Systems and Telematics Units Using Agent Instrumentation Rikke Kuipers and Dennis Kengo Oka rikke.kuipers@synopsys.com dennis.kengo.oka@synopsys.com
  • 2. © 2019 Synopsys, Inc. 2 Challenges of fuzzing automotive components Agent Instrumentation Framework—using agents on the SUT to improve fuzz testing Results show it is possible to detect previously undetectable exceptions
  • 3. © 2019 Synopsys, Inc. 3 Challenges of fuzzing automotive components Agent Instrumentation Framework—using agents on the SUT to improve fuzz testing Results show it is possible to detect previously undetectable exceptions
  • 4. © 2019 Synopsys, Inc. 4 Download link: www.synopsys.com/auto-security Cybersecurity Research Center
  • 5. © 2019 Synopsys, Inc. 5 What are the primary factors that lead to vulnerabilities in automotive software/technology/components? Coding Open source software Testing
  • 6. © 2019 Synopsys, Inc. 6 What are the primary factors that lead to vulnerabilities in automotive software/technology/components? Coding Open source software Testing
  • 7. © 2019 Synopsys, Inc. 7 Fuzz testing • Testing technique where malformed or “out-of-specification” inputs are provided to the SUT (system under test), which is then observed to detect exceptions or unintended behavior • Allows developers and testers to identify unknown vulnerabilities in their systems and components
  • 8. © 2019 Synopsys, Inc. 8 Real-world example—Two embedded systems Low-level ECU Powertrain, chassis, body Small embedded codebase Model-based development Safety criticality: High/Low Security exposure: Low IVI (in-vehicle infotainment), ADAS, telematics ECU Open source platforms/libraries Entire operating systems (AGL) Safety criticality: Low/Medium/High Security exposure: High Linux Android …
  • 9. © 2019 Synopsys, Inc. 9 Challenges for automotive components • Difficult to instrument the SUT so as to determine whether there was an exception or if it has failed or crashed • E.g., fuzz testing Wi-Fi or Bluetooth, instrumentation typically occurs over the same protocol that is being fuzzed—this limited instrumentation could lead to several potential issues going undetected • Difficult to gather information from the SUT so as to more easily determine the underlying root causes for the exception or failure
  • 10. © 2019 Synopsys, Inc. 10 Undetected exceptions on SUT Fuzzer SUTFuzz testing PC Zombie processes Protocol being fuzzed Memory leaks Core dumps Application … Exceptions on SUT not detected by just observing the fuzzed protocol
  • 11. © 2019 Synopsys, Inc. 11 Challenges of fuzzing automotive components Agent Instrumentation Framework—using agents on the SUT to improve fuzz testing Results show it is possible to detect previously undetectable exceptions
  • 12. © 2019 Synopsys, Inc. 12 Agent Instrumentation Framework—Concept • Developers/testers have access to internals of the SUT (e.g., Linux and Android) • Achieve more efficient and accurate fuzz testing by employing a gray/white box approach where agents placed on the SUT assist with the instrumentation • The agents provide the fuzzer with detailed instrumentation data from the SUT • This data is used to determine the fail/pass verdict of a test case and also provides the developers/testers with valuable information from the SUT
  • 13. © 2019 Synopsys, Inc. 13 Agent Instrumentation Framework—Modes • More control over the agents • Agents can perform various functions before and after a test case executes • Allows for automation and using more advanced techniques for finding unknown vulnerabilities • Slower to execute the test run • Agents are polled periodically • Fuzzer parses incoming syslog messages with instrumentation data • Cannot tie an exception to a specific test case but only reports when a prespecified condition has been met • Advantage is speed of execution with the loss of accuracy Synchronous mode Asynchronous mode
  • 14. © 2019 Synopsys, Inc. 14 Overview of Agent Instrumentation Framework Fuzzer Agent instrumentation SUTFuzz testing PC Client External instrumentation Syslog config.json Server Syslog AgentHandler config.json Starter Logger Agent CLI HTTP JSON UDP/ Syslog
  • 15. © 2019 Synopsys, Inc. 15 Examples of agents (1) • AgentCoreDump –Looks for a core dump file—gives a fail verdict if detected –This file can be used to further analyze the state of the process during the crash • AgentLogTailer –Monitors a log file –Gives a fail verdict if a new line is written to the file and matches any of the predefined parameters • AgentProcessMonitor –Monitors the state of a process –Gives a fail verdict if the process is down or turned into a zombie process –Can also monitor the process’s memory usage and give a fail verdict if usage goes over a configured limit
  • 16. © 2019 Synopsys, Inc. 16 Examples of agents (2) • AgentPID –Monitors processes on the SUT with more options –Can only be run in synchronous mode—otherwise it might generate false positives –Before each test case is executed, makes a mapping of each predefined process with its process identifier (PID) and PIDs of its children –After a test case is executed, performs the same mapping again – If a process has died, its PID will not be present in the new mapping – If a process has died but restarted, then it has a new PID – Gives a fail verdict in both cases
  • 17. © 2019 Synopsys, Inc. 17 Examples of agents (3) • AgentAddressSanitizer –Finds memory addressability issues and memory leaks using Google’s ASAN framework: – e.g., use after free (dangling pointer dereference), heap buffer overflow, stack buffer overflow, global buffer overflow, use after return, use after scope, initialization order bugs, memory leaks –Target software needs to be compiled with additional compiler flags—can only be run in synchronous mode –Two configurations: memory leaks and all other addressability issues – To find memory leaks: Kills target process after each test case, and analyzes ASAN’s output – To find all other addressability issues: Configures ASAN to kill the process upon finding any issue (this configuration is faster than finding memory leaks) – In both cases, reports crash trace and detailed crash information (if available) back to the fuzzer
  • 18. © 2019 Synopsys, Inc. 18 Examples of agents (4) • AgentValgrind –Finds memory leaks and addressability issues (similar to AgentAddressSanitizer) –Difference is the mode of operation and speed –Uses various checkers and profilers from the Valgrind project, which effectively emulates a hardware layer for the program to run on –Quite heavy and adds overhead to each test case –Advantage is that there is no need to recompile target software
  • 19. © 2019 Synopsys, Inc. 19 Example configuration script Starter script on SUT loads AgentPID, which monitors three processes: • /system/bin/mediaserver • com.android.Bluetooth • android.process.media
  • 20. © 2019 Synopsys, Inc. 20 Challenges of fuzzing automotive components Agent Instrumentation Framework—using agents on the SUT to improve fuzz testing Results show it is possible to detect previously undetectable exceptions
  • 21. © 2019 Synopsys, Inc. 21 Setup of test bench Defensics Agent instrumentation SUTFuzz testing PC Client External instrumentation config.json Server AgentHandlerStarter Logger Agent CLI HTTP JSON
  • 22. © 2019 Synopsys, Inc. 22 Test setup • Run in synchronous mode • Agents used most: –AgentPID as it requires no extra configuration or modification of the SUT –AgentAddressSanitizer and AgentValgrind to find memory issues • Automatically run scripts to enable the agents and collect results • Target systems: Linux or Android • Protocols: –Browser protocols –Bluetooth protocols –Wireless (802.11) protocols –Messaging protocols –File format parsing (audio, images, video) –CAN bus
  • 23. © 2019 Synopsys, Inc. 23 Bluetooth results • Found a critical vulnerability where a fuzzed single frame causes the main Bluetooth kernel module to crash • Detected by monitoring the bluetoothd daemon process using AgentPID • Since the device has a daemon watchdog that quickly restarts bluetoothd, this vulnerability would not have been detected by just observing the Bluetooth protocol 15:25:43.238 python client.py --config pid- monitor.json instrumentation 15:25:43.640 Instrumentation verdict: FAIL 15:25:43.640 FAIL Agent: pid_monitor Info: Agent pid_monitor says 15:25:43.640 ofonod : ['353'] 15:25:43.640 bluetoothd : ['896'] -> []. 15:25:43.640 bluetoothgateway : [547] 15:25:43.640 mediaserver : [154] 15:25:43.640 wez-launch : ['114'] 15:25:43.640 wez : ['114', '130'] 15:25:43.640 ogg_streamhandler : [11] 15:25:43.640 pulseaudio : ['775'] 15:25:43.640 audio_daemon : ['839'] 15:25:43.640 media_engine_app : [145] AgentPID agent
  • 24. © 2019 Synopsys, Inc. 24 Wi-Fi results • Found a critical vulnerability where a fuzzed single frame caused several kernel modules to crash • Nonauthenticated frame—could be sent by anyone • Log Tailer agent found this issue by tailing syslog with the keywords “stack,” “crash,” and several kernel module names • This vulnerability would not have been detected by only observing the Wi-Fi communication, as the kernel watchdog restarted the affected modules immediately Log Tailer agent
  • 25. © 2019 Synopsys, Inc. 25 MQTT results • Access to the source of the MQTT broker • AgentAddressSanitizer to test for memory addressability issues and memory leaks • Recompiled the code with additional compilation flags to enable Google’s ASAN instrumentation • Found a memory leak in the popular MQTT broker Mosquitto • This vulnerability would not have been detected by only observing the fuzzed protocol AgentAddressSanitizer
  • 26. © 2019 Synopsys, Inc. 26 Challenges of fuzzing automotive components Agent Instrumentation Framework—using agents on the SUT to improve fuzz testing Results show it is possible to detect previously undetectable exceptions