Yingnan Zhou (Nankai University), Yuhao Liu (Nankai University), Hanfeng Zhang (Nankai University), Yan Jia (Nankai University), Sihan Xu (Nankai University), Zhiyuan Jiang (National University of Defense Technology), Zheli Liu (Nankai University)
Flight control software for unmanned aerial vehicles (UAVs) offers numerous configuration parameters. However, their complexity raises the risk of incorrect configurations, leading to mission failures or crashes. Although fuzzing is effective for discovering software vulnerabilities, its application to UAV configuration is hindered by the need to obtain physical states (e.g., position and altitude) from a time-consuming simulator. Furthermore, machine learning-based acceleration methods often suffer from limited generalizability due to their reliance on flight logs as training data. To address these challenges, we propose UAVConfigFuzzer, a novel fuzzing tool that accelerates configuration testing via setpoint-estimation-guided fuzzing. In flight control software, setpoints are the calculated target values that guide the UAV’s movement based on configurations. UAVConfigFuzzer leverages the native setpoint generation module to generate setpoints, which serve as estimates of the UAV’s physical states and are used to rapidly quantify the severity of the UAV’s anomalies. Guided by this efficient and accurate feedback, UAVConfigFuzzer steers the mutation process toward anomaly-inducing configurations without relying on simulators or extensive flight logs. We evaluate UAVConfigFuzzer on PX4, a widely used open-source UAV flight control software. The results demonstrate that the feedback achieves an average runtime of 27 milliseconds. The estimated states maintain high fidelity, with a mean position error below 6.92 cm and a velocity error below 0.13 m/s. Leveraging this rapid feedback, UAVConfigFuzzer detects 14 incorrect configurations. These issues were validated on real UAV hardware and have been acknowledged by the community maintainers for remediation.