Differential fuzz testing to detect tampering in sensor systems and its application to arms control authentication

Abstract: In future nuclear arms control treaties, it will be necessary to authenticate the hardware and software components of verification measurement systems, i.e., to ensure these systems are functioning as intended and have not been tampered with by malicious actors. While methods such as source code hashing and static analysis can help verify the integrity of software components, they may not be capable of detecting tampering with environment variables, external libraries, or the firmware and hardware of radiation measurement systems. In this article, we introduce the concept of physical differential fuzz testing as a challenge-response-style tamper indicator that can holistically and simultaneously test all the above components in a cyber-physical system. In essence, we randomly sample (or "fuzz") the untampered system's parameter space, including both normal and off-normal parameter values, and consider the time series of outputs as the baseline signature of the system. Re-running the same input sequence on a untampered system will produce an output sequence consistent with this baseline, while running the same input sequence on a tampered system will produce a modified output sequence and raise an alarm. We then apply this concept to authenticating the radiation measurement equipment in nuclear weapon verification systems and conduct demonstration fuzz testing measurements with a sodium iodide (NaI) gamma ray spectrometer. Because there is Poisson noise in the measured output spectra, we also use a mechanism for comparing inherently noisy or stochastic fuzzing sequences. We show that physical differential fuzz testing can detect two types of tamper attempts, and conclude that it is a promising framework for authenticating future cyber-physical systems in nuclear arms control, safeguards, and beyond.