Fuzz Testing with the Unified Diagnostic Services on IP Protocol
Overview
The automotive industry uses Unified Diagnostic Services on Internet Protocol (UDSonIP, ISO 14229-5) to diagnose and communicate with electronic control units (ECUs). This version of UDSonIP works over Ethernet networks. beSTORM also includes protocol modules for other transport layers, such as UDS on CAN.
UDSonIP works with the Diagnostic over Internet Protocol (DoIP – ISO 13400) to connect through a gateway (which should exist in a vehicle using DoIP) to test a connected DoIP or ECU node. beSTORM sends requests to the gateway, which routes them to the tested DoIP node and then sends the responses back to beSTORM.
Testing environment requirements
- beSTORM 13.4.0 or later (licensed)
- Windows 10 or later
- A gateway that supports UDSonIP (this will be the device under test [DUT])
Fuzzing with beSTORM
To fuzz with the Unified Diagnostic Services on IP protocol in beSTORM, do the following:
1. Using a network cable, connect the UDSonIP-supported gateway (DUT) to the beSTORM computer's Ethernet adapter.
2. Open beSTORM Client.
3. Select New Project. The beSTORM New Project Wizard opens.
4. On the Welcome page, do the following:
   a. In the Project Name box, enter a name.
   b. Optionally, select a different file location for your project in the Location Name box.
   c. For Please select the wizard, select Advanced.
   d. Leave Perform a port scan, and service detection and assist me in choosing the relevant module unchecked.
5. Select Next.
6. On the Basic Configuration page, do the following:
   a. In the beSTORM's predefined modules list, select Unified Diagnostic Services on IP.
   b. In the Hostname or IP address box, enter the DoIP gateway's IP address.
   c. Leave Protocol and Remote Port at their default settings.
      NOTE: The gateway typically listens on port 13400 (reserved for DoIP).
7. Select Next.
8. On the Advanced Configuration page, adjust Scale Type to reduce the number of combinations and overall testing duration. For the least number of combinations and shortest testing duration, select Base10.
9. Select Next.
10. On the Module Environment page, do the following:
    a. Remote Hostname - Confirm this is the DoIP gateway's IP address you set in step 6b.
    b. Remote Port - Confirm this is the DoIP gateway's remote port from step 6c. The default value is 13400.
    c. Remote Protocol Type - Confirm this is the DoIP gateway's protocol from step 6c. The default value is tcp.
    d. Target Address - Confirm this is the logical address of the DoIP node to test.
       NOTE: A DoIP network consists of the DoIP gateway and DoIP nodes. Each DoIP node corresponds to a specific vehicle component and is tagged with a unique logical address.
    e. Source Address - The logical address of the node beSTORM will simulate. Set this parameter to the logical address of a real node in the DoIP network. If this value is incorrect, the DoIP gateway cannot establish communication with the node.
    f. Timeout value for Receive - Specifies the number of milliseconds beSTORM will wait for the DoIP node being tested to respond. The default value is 100.
11. Select Next.
12. On the Test Selection page, leave the Unified Diagnostic Services on IP - Activation and Unified Diagnostic Services on IP Sequence tests at their default settings.
13. Select Next.
14. On the Extra Configuration page, do the following:
    a. Select the ARP Echo, ICMP Echo, and TCP Echo checkboxes.
    b. Set the Monitored IP Address to the DoIP gateway's IP address. Leave all other parameters at their default settings.
15. Select Next.
16. On the Complete beSTORM wizard page, select Finish to begin fuzzing, or clear the Auto-start beSTORM scan now checkbox to run the test later.
17. Once your test begins, it will attempt to activate communication between the DoIP gateway and beSTORM. If beSTORM reports the Expected message not received error message, review your configurations, specifically the Source Address (step 10e) and Timeout value for Receive (step 10f) parameters.
    After beSTORM establishes a connection and begins fuzzing, you should see the Session combinations number increase.
    If an exception occurs (that is, an attack was successful), a message will appear in the Exception Information dialog informing you that the gateway or the tested DoIP node is not responding. This indicates a possible vulnerability. Testing will resume after 10 seconds unless you select Pause Test:
    - Gateway not responding
    - DoIP node not responding
18. When fuzzing is complete, select Report > Generate Report from the beSTORM Client to generate a more comprehensive report of your test.
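The activation attempt described above fails when the gateway rejects the configured Source Address. The following is an added example, not part of beSTORM or the original page: it builds a DoIP routing activation request and decodes the gateway's response code, so a rejected source address can be told apart from a receive timeout. The header layout, payload types, and response codes are assumptions written from ISO 13400-2; protocol version 0x02 and the logical addresses 0x0E00 and 0x1000 are constructed sample values.

```python
import struct

# Assumed from ISO 13400-2 (not from beSTORM): header layout, payload types,
# response codes. Version 0x02 and the sample addresses are constructed values.
DOIP_VERSION = 0x02
ROUTING_ACTIVATION_REQ = 0x0005
ROUTING_ACTIVATION_RES = 0x0006
ACTIVATION_CODES = {
    0x00: "denied: unknown source address",
    0x06: "denied: unsupported activation type",
    0x10: "routing activated",
}

def doip_frame(payload_type: int, payload: bytes) -> bytes:
    """Prefix a payload with the 8-byte DoIP generic header."""
    return struct.pack(">BBHI", DOIP_VERSION, DOIP_VERSION ^ 0xFF,
                       payload_type, len(payload)) + payload

def routing_activation_request(source_addr: int) -> bytes:
    """Source address, activation type 0x00 (default), 4 reserved bytes."""
    return doip_frame(ROUTING_ACTIVATION_REQ,
                      struct.pack(">HB4x", source_addr, 0x00))

def parse_routing_activation_response(data: bytes) -> dict:
    """Validate the generic header, then decode the activation response."""
    if len(data) < 8:
        raise ValueError("short DoIP header")
    version, inverse, ptype, length = struct.unpack(">BBHI", data[:8])
    if version ^ inverse != 0xFF:
        raise ValueError("version / inverse-version mismatch")
    if ptype != ROUTING_ACTIVATION_RES:
        raise ValueError(f"unexpected payload type 0x{ptype:04X}")
    payload = data[8:8 + length]
    if length < 9 or len(payload) != length:
        raise ValueError("truncated or undersized payload")
    tester, entity, code = struct.unpack(">HHB", payload[:5])
    return {"tester": tester, "entity": entity, "code": code,
            "activated": code == 0x10,
            "meaning": ACTIVATION_CODES.get(code, "other / OEM-specific")}

# Constructed sample replies (not captured from a real gateway).
ACCEPTED = doip_frame(ROUTING_ACTIVATION_RES, struct.pack(">HHB4x", 0x0E00, 0x1000, 0x10))
REJECTED = doip_frame(ROUTING_ACTIVATION_RES, struct.pack(">HHB4x", 0x0E00, 0x1000, 0x00))

if __name__ == "__main__":
    print(routing_activation_request(0x0E00).hex())
    for reply in (ACCEPTED, REJECTED):
        print(parse_routing_activation_response(reply))
```

A reply that decodes as "unknown source address" points at the Source Address parameter, while no reply at all within the receive window points at the timeout or at connectivity.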