Fuzzing proprietary protocols of programmable controllers to find vulnerabilities that affect physical control

Published: 01 June 2022

Abstract

Programmable controllers, critical components in Industrial Control Systems (ICS), are the bridge between cyberspace and the physical world. With the development of the Industrial Internet of Things (IIoT), they are no longer physically isolated, which allows remote attackers to exploit their vulnerabilities. However, because programmable controllers are highly proprietary and have a complicated workflow, existing work is not suitable for discovering their vulnerabilities. In our research, we propose a traffic-driven protocol fuzzing approach for programmable controllers. Specifically, we fuzz the proprietary protocol of the network daemon by selecting seeds and guiding the states of the device. During fuzzing, in addition to monitoring the network status, an oscilloscope is used to automatically monitor the status of the underlying control services. Triggering these vulnerabilities invalidates the programmable controller's control over its actuators and directly affects the physical world. Moreover, it is extremely difficult to recover compromised devices to normal production tasks. We evaluated our prototype on 15 real-world programmable controllers from six popular manufacturers. We found 26 vulnerabilities based on the analysis results, 20 of which can directly cause physical control services to crash.

Cited By

  • A Survey of Protocol Fuzzing. ACM Computing Surveys 57(2), pp. 1–36, 2024. doi:10.1145/3696788 (published 10 Oct 2024)
  • Battling against Protocol Fuzzing: Protecting Networked Embedded Devices from Dynamic Fuzzers. ACM Transactions on Software Engineering and Methodology 33(4), pp. 1–26, 2024. doi:10.1145/3641847 (published 22 Jan 2024)
  • FITS: Inferring Intermediate Taint Sources for Effective Vulnerability Analysis of IoT Device Firmware. Proceedings of the 28th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, Volume 4, pp. 138–152, 2023. doi:10.1145/3623278.3624759 (published 25 Mar 2023)

Published In

Journal of Systems Architecture: the EUROMICRO Journal, Volume 127, Issue C
Jun 2022
198 pages

Publisher

Elsevier North-Holland, Inc., United States

Author Tags

1. Industrial control system
2. Proprietary protocol fuzzing
3. Vulnerability analysis

Qualifiers

• Research-article
