Scaling Software Security Analysis to Satellites: Automated Fuzz Testing and Its Unique Challenges
Johannes Willbold, Moritz Schloegel, Florian Göhler, and 5 more authors
The security of space assets is becoming an increasingly important concern, as the number of satellite services offered from space grows at an accelerating rate. In recent years, the functionality of satellites has become increasingly sophisticated, allowing them to seamlessly provide complex services such as space-based Internet and high-resolution Earth observation. A significant contribution to these advances was made by the software systems that control spacecraft in the harsh space environment. However, developing satellite software poses a significant challenge because there is no physical access to the spacecraft during its mission. Recent research by Willbold et al. has highlighted software security concerns, revealing an alarming absence of modern security measures in many satellites. Their analysis uncovered various security vulnerabilities in satellite software that could potentially allow attackers to gain full control over the spacecraft. Despite these results, their analysis is limited by the fact that the software is analyzed manually, which makes the approach hard to scale. In this paper, we propose to use an automated vulnerability analysis technique, fuzz testing (fuzzing for short), to scale the analysis without requiring a human expert. Fuzzing is a dynamic program analysis technique that has proven highly successful at locating bugs in application software such as browsers and in the Linux kernel. Its effectiveness has led to widespread adoption in industry, for example at Google and Meta, and has launched multiple research efforts to make it even more effective. In essence, fuzzing creates a large number of inputs for the system under test and executes them while monitoring the system's behavior, i.e., execution paths and crashes.
Advanced approaches use lightweight instrumentation to gain introspection capabilities, allowing them to track the program path executed by a specific input and thus to guide the exploration toward unseen program behavior. Despite its success, applying fuzzing to spacecraft presents unique challenges that we introduce and thoroughly discuss in this paper. First, obtaining feedback from the target program proves challenging, necessitating the exploration of firmware rehosting techniques, where the target firmware is executed in an emulated environment without a precise representation of all peripherals. Second, satellites often employ complex boot processes that ensure memory integrity, perform device checks and configurations, and execute various time-intensive tasks, thereby posing challenges to approaches like fuzzing that aim to execute a program as frequently as possible, i.e., thousands of times per second. Finally, fuzzers rely primarily on crashes to identify bugs in the software under test, which fails to account for unrecoverable configuration issues. Beyond discussing these issues, we analyze their practical impact on the software of three satellites, ESTCube-1, OPS-Sat, and Flying Laptop. By discussing the challenges associated with applying fuzzing to spacecraft and exploring potential solutions, we aim to contribute to the advancement of security practices in the aerospace industry.
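To make concrete what the abstract describes, the following is an added illustration, not code from the paper or from any of the satellites it studies: a minimal coverage-guided fuzzer in Python. It uses Python's line tracer as a stand-in for the lightweight instrumentation mentioned above (an emulator-based rehosting setup would supply the same kind of feedback for real firmware), runs a constructed toy telecommand handler as the target, and, beyond catching crashes, checks a state invariant after every execution so that a "safe mode with the transceiver off" configuration is reported even though nothing ever crashes. The 0xC0 0xDE sync marker, the command IDs, the 16-entry dispatch table and the radio_enabled flag are all assumptions made for this example.

```python
import random
import sys

# Constructed toy target standing in for a telecommand handler in flight software.
# Assumed frame layout: C0 DE <seq> <cmd> [arg]
TABLE = list(range(16))  # hypothetical 16-entry dispatch table

def handle_telecommand(pkt: bytes, state: dict) -> int:
    if len(pkt) < 4 or pkt[0] != 0xC0 or pkt[1] != 0xDE:  # sync marker
        return -1
    cmd = pkt[3]
    if cmd == 0x01:  # ping
        return 1
    if cmd == 0x02:  # set mode
        mode = pkt[4] if len(pkt) > 4 else 0
        if mode == 0x7F:
            # Safe mode with the transceiver off: nothing crashes, but the spacecraft
            # can no longer be commanded. A crash-only oracle never reports this.
            state["radio_enabled"] = False
        return 2
    if cmd == 0x03:  # dispatch by table index
        return TABLE[pkt[4]] if len(pkt) > 4 else 3  # bug: no bounds check on pkt[4]
    return -1

INTERESTING = [0x00, 0x01, 0x02, 0x03, 0x10, 0x7F, 0x80, 0xFF]

def run_one(target, pkt: bytes):
    """Execute target once under line tracing (the stand-in for edge instrumentation).
    Returns (set of (prev_line, line) edges, exception or None, state for the oracle)."""
    edges, prev, code = set(), [0], target.__code__

    def tracer(frame, event, arg):
        if frame.f_code is not code:
            return None  # trace only the target's own frame
        if event == "line":
            edges.add((prev[0], frame.f_lineno))
            prev[0] = frame.f_lineno
        return tracer

    state, err, old_trace = {"radio_enabled": True}, None, sys.gettrace()
    sys.settrace(tracer)
    try:
        target(pkt, state)
    except Exception as e:  # a crash in the target is a finding, not a harness error
        err = e
    finally:
        sys.settrace(old_trace)
    return edges, err, state

def deterministic_children(pkt: bytes):
    """AFL-style deterministic stage: overwrite, then insert, interesting bytes everywhere."""
    for i in range(len(pkt)):
        for v in INTERESTING:
            yield pkt[:i] + bytes([v]) + pkt[i + 1:]
    for i in range(len(pkt) + 1):
        for v in INTERESTING:
            yield pkt[:i] + bytes([v]) + pkt[i:]

def havoc(pkt: bytes, rng: random.Random) -> bytes:
    """Random stage: stack 1-4 mutations (bit flip, byte set, insert, delete)."""
    b = bytearray(pkt)
    for _ in range(rng.randint(1, 4)):
        op = rng.randrange(4)
        if op == 0:
            b[rng.randrange(len(b))] ^= 1 << rng.randrange(8)
        elif op == 1:
            b[rng.randrange(len(b))] = rng.randrange(256)
        elif op == 2:
            b.insert(rng.randint(0, len(b)), rng.choice(INTERESTING))
        elif len(b) > 1:
            del b[rng.randrange(len(b))]
    return bytes(b)

def fuzz(target, seeds, havoc_iterations=2000, seed=0) -> dict:
    """Coverage-guided loop. Returns corpus, global edges, crashes and non-crash findings."""
    rng = random.Random(seed)
    res = {"corpus": [], "edges": set(), "crashes": {}, "config_failures": [], "execs": 0}

    def execute(pkt):
        res["execs"] += 1
        edges, err, state = run_one(target, pkt)
        if err is not None:
            res["crashes"].setdefault(repr(err), pkt)  # first input per distinct crash
        elif not state["radio_enabled"] and pkt not in res["config_failures"]:
            res["config_failures"].append(pkt)  # the oracle a crash-only fuzzer lacks
        if not edges <= res["edges"]:  # new coverage: keep the input for later mutation
            res["edges"] |= edges
            res["corpus"].append(pkt)

    for s in seeds:
        execute(s)
    i = 0
    while i < len(res["corpus"]):  # the corpus grows while we walk it
        for child in deterministic_children(res["corpus"][i]):
            execute(child)
        i += 1
    for _ in range(havoc_iterations):
        execute(havoc(rng.choice(res["corpus"]), rng))
    return res

if __name__ == "__main__":
    r = fuzz(handle_telecommand, [b"\xc0\xde\x00\x01"])
    print(r["execs"], "execs;", r["crashes"], r["config_failures"])
```

Starting from the single valid ping frame, the deterministic stage alone reaches the out-of-bounds table read (a crash) and the transceiver-off configuration (no crash, found only because the harness inspects the state after each run). Against real flight software the same loop needs the rehosting the abstract describes to obtain coverage, a snapshot or fast-forward past the boot sequence so that thousands of executions per second are possible, and usually checksum fix-ups in the mutator so that frames are not rejected before the interesting code runs.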