Aolin Ding, Matthew Chan, Amin Hass, N. Tippenhauer, Shiqing Ma, S. Zonouz
Published in: 2023 53rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), 2023-06-01
DOI: 10.1109/DSN58367.2023.00020 (https://doi.org/10.1109/DSN58367.2023.00020)
Get Your Cyber-Physical Tests Done! Data-Driven Vulnerability Assessment of Robotic Aerial Vehicles
The rapid growth of robotic aerial vehicles (RAVs) has attracted extensive interest in numerous public and civilian applications, from flying drones to quadrotors. Security of RAV systems is posing greater challenges as RAV controller software becomes more complex and exposes a growing attack surface. Memory isolation techniques, which virtually separate the memory space and conduct hardware-based memory access control, are believed to prevent the attacker from compromising the entire system by exploiting one memory vulnerability. In this paper, we propose Ares, a new variable-level vulnerability assessment framework to explore deeper bugs from a combined cyber-physical perspective. We present a data-driven method to illustrate that, despite state-of-the-art memory isolation efforts, RAV systems are still vulnerable to physics-aware data manipulation attacks. We augment RAV control states with intermediate state variables by tracing accessible control parameters and vehicle dynamics within the same isolated memory region. With this expanded state variable space, we apply multivariate statistical analysis to investigate inter-variable quantitative data dependencies and search for vulnerable state variables. Ares utilizes a reinforcement learning-based method to show how an attacker can exploit memory bugs and parameter defects in a legitimate memory view and elaborately craft adversarial variable values to disrupt a RAV's safe operations. We demonstrate the feasibility and capability of Ares on the widely-used ArduPilot RAV framework. Our extensive empirical evaluation shows that the attacker can leverage these vulnerable state variables to achieve various RAV failures during real-time operation, and even evade existing defense solutions.