Zhengxiong Luo,Feilong Zuo,Yuheng Shen,Xun Jiao,Wanli Chang,Yu Jiang

DOI: https://doi.org/10.1109/dac18072.2020.9218603

2020-01-01

Abstract:Industrial Control System (ICS) protocols play an essential role in building communications among system components. Recently, many severe vulnerabilities, such as Stuxnet and DragonFly, exposed in ICS protocols have affected a wide distribution of devices. Therefore, it is of vital importance to ensure their correctness. However, the vulnerability detection efficiency of traditional techniques such as fuzzing is challenged by the complexity and diversity of the protocols.In this paper, we propose to equip the traditional protocol fuzzing with coverage-guided packet crack and generation. We collect the coverage information during the testing procedure, save those valuable packets that trigger new path coverage and crack them into pieces, based on which, we can construct higher-quality new packets for further testing. For evaluation, we build Peach * on top of Peach, which is one of the most widely used protocol fuzzers, and conduct experiments on several ICS protocols such as Modbus and DNP3. Results show that, compared with the original Peach, Peach * achieves the same code coverage and bug detection numbers at the speed of 1.2X-25X. It also gains final increase with 8.35%-36.84% more paths within 24 hours and has exposed 9 previously unknown vulnerabilities.

dianbo zhang,jianfei wang,hua zhang

DOI: https://doi.org/10.2991/icecee-15.2015.305

2015-01-01

Abstract:With the development of ICS, PLC and SCADA systems are interconnected with Ethernet and directly connected to internet, which greatly improve the efficiency of data sharing and introduced in security threats at the same time. Once crack fault occurrence of critical infrastructure will result in casualties and great economic loss. Peach Fuzzer is an advanced and extensible fuzzing platform and is restricted to those with TCP/UDP-based protocols on Windows Platform, the PN-DCP would not be supported without publisher to send PDU correctly. So it is urgent to develop an additional publisher for PN-DCP. In this paper, we propose a novel Peach improvement on Profinet-DCP for industrial control system vulnerability detection. We analyze the importance of vulnerability detecting for PN-DCP with Peach Fuzzer. Then, introducing the Peach Framework, the hierarchy of Profinet-DCP and the PitFile of Profinet-DCP. We also evaluate our approach through experiments, the results can fully satisfy the requirement of vulnerability detecting of PN-DCP on Peach platform.

Ying Liu,Dongqin Feng

DOI: https://doi.org/10.1109/iccasit48058.2019.8973161

2019-01-01

Abstract:Computer network technology has been increasingly infiltrated into the industrial control system and made the security problems more complex and changeable. Network security situation awareness technology can perceive the real-time threats that the network faced, and provide reliable basis for decision-making. This paper mainly focuses on the situation assessment and introduces finite state machine and fuzzy logic theory. Finite state machine can intuitively show the internal state transition of the industrial control system and detect the malicious packet attack's type and severity. Fuzzy logic balances the semantic fuzziness and event uncertainty in the process of situation assessment, fuses the output data of the state machine and obtains the threat level which is helpful for decision analysis. Proved, the method proposed in this paper can give a reasonable and accurate security assessment of industrial control system.

Min Tang,Bowei Zhang,Weifeng Sun,Jianqiao Ding

DOI: https://doi.org/10.1109/SmartIoT55134.2022.00018

2022-08-01

Abstract:Industrial control network security is undoubtedly important for an industrial control system. Fuzzy testing is an important method to detect network protocol program security vulnerabilities. In order to perform protocol fuzzing effectively, test data must be generated under the guidance of protocol forma, and the protocol needs to be analyzed before the fuzzy test to generate high-quality fuzzy test cases. In this article, we propose a fuzzy testing framework called MaskFuzzer to solve the problems. A generation adversarial network model is used to automatically learn the data structure of system communication, to generate false messages conforming to protocol specifications. In order to prove the availability of our method, we used MaskFuzzer to test the Modbus-Tcpemulator and successfully find some vulnerabilities. In addition, compared with the GAN-based test case generation method and Peach, our method is best.

Computer Science,Engineering

Puzhuo Liu,Yaowen Zheng,Zhanwei Song,Dongliang Fang,Shichao Lv,Limin Sun

DOI: https://doi.org/10.1016/j.sysarc.2022.102483

IF: 5.836

2022-06-01

Journal of Systems Architecture

Abstract:Programmable controllers, critical components in Industrial Control Systems (ICS), are the bridge between cyberspace and physical world. With the development of the Industrial Internet of Things (IIoT), they are no longer physically isolated, allowing remote hackers to exploit vulnerabilities to attack them. However, due to the high degree of privatization and the complicated work flow of programmable controllers, the existing work is not suitable for discovering programmable controller vulnerabilities. In our research, we propose a traffic-driven protocol fuzzing approach for programmable controllers. Specifically, we perform proprietary protocol fuzzing on the network daemon by selecting seeds and guiding states of the device. In the fuzzing process, in addition to monitoring the network status, an oscilloscope is also used to automatically monitor the status of underlying control services. The triggering of these vulnerabilities invalidate the control of actuators by programmable controllers and directly affect the physical world. Moreover, it is extremely difficult to recover compromised devices to normal production tasks. We evaluated our prototype on 15 real-world programmable controllers from six popular manufacturers. We found 26 vulnerabilities based on analysis results, 20 of which can directly cause physical control services to crash.

computer science, software engineering, hardware & architecture

hua zhang,zhao zhang,wen tang

DOI: https://doi.org/10.4028/www.scientific.net/AMM.551.642

2014-01-01

Applied Mechanics and Materials

Abstract:Peach is an indispensable tool for network security experts, but, it is not perfect in the coarse controlling granularity. This paper analyzes the core code of Peach and makes improvements of Peach in three aspects: 1) applying different Mutators to test different fields in PDU; 2) starting a fuzz test at any test case according to a config. xml file; 3) executing the specified number of test cases in each test. These contributions make fuzz testing like software debugging, and locate a network protocol implementation's bug triggered by which test case more precisely with less time and less test cases than ever before. This paper also adds a replaying test scenario to Peach based on our contributions. Experimental results demonstrate that the features this paper improved to Peach could save lots of time with lower costs when applying Peach to test protocol implementations.

Jiawei Zhang,Yijie Shi

DOI: https://doi.org/10.2991/aiea-16.2016.18

2016-01-01

Abstract:With the development of computer network technology, network security issues are also making more and more people pay attention. IPsec protocol as a viable solution to IP communications security was put forward, and many IPsec products were also launched. Therefore, to detect and mine possible vulnerabilities of IPsec-related products is important and necessary. Fuzzing test can help us find these vulnerabilities in these IPsec product implementations. In the current popular Fuzzing tools, Peach is a widely recognized open-source fuzzing framework. However, the current Peach is unable to support IKE protocol. The paper achieved fuzzing test for IKE protocol by extending the framework of the Peach.

Yin Li,Anmin Fu,Yuqing Zhang

DOI: https://doi.org/10.1109/swc57546.2023.10448795

2023-01-01

Abstract:The ICS protocols undertake critical functions in industrial control systems, by enabling real-time data exchange, data acquisition, parameter configuration, status monitoring, fault diagnosis, command issuance and execution. It serves as the foundation for the collaborative operations of all components in industrial control systems. With the development of internet technology, industrial control systems, which were originally physically isolated, have become new targets for hackers. However, due to the high level of privatization of ICS protocols and their complex workflow, existing methods are insufficient in detecting vulnerabilities in these protocols. This paper proposes a black-box fuzzing test method based on sensing the program runtime feedback. By collecting run-time statistics, including CPU utilization, memory utilization, disk I/O, and message interaction, our method is able to determine whether the program has triggered a new execution path, thus improving the efficiency of the fuzzing procedure. We evaluated our prototype on five open-source ICS protocol programs and discovered six reported vulnerabilities, among which five could cause the industrial control programs to become unresponsive or crash.

Feilong Zuo,Zhengxiong Luo,Junze Yu,Ting Chen,Zichen Xu,Aiguo Cui,Yu Jiang

DOI: https://doi.org/10.1109/tcad.2022.3201471

IF: 2.9

2022-01-01

IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems

Abstract:Industrial control system (ICS) employs complex multistate protocols to realize high-reliability communication and intelligent control over automation equipment. ICS has been widely used in various embedded fields, such as autonomous vehicle systems, power automation systems, etc. However, in recent years, many attacks have been performed on ICS, especially its protocols, such as the hijacks over Jeep Uconnect and Tesla Autopilot autonomous systems, also the Stuxnet and DragonFly viruses over national infrastructures. It is important to guarantee the security of ICS protocols. In this article, we present Charon, an efficient fuzzing platform for the vulnerability detection of ICS protocol implementations. In Charon, we propose an innovative fuzzing strategy that leverages state guidance to maximize cross-state code coverage instead of focusing on isolated states during the fuzzing of ICS protocols. Moreover, we devise a novel feedback collection method that employs program status inferring to avoid the restart of the ICS protocol at each iteration, allowing for continuous fuzzing. We evaluate Charon on several popular ICS protocol implementations, including real-time publish subscribe, IEC61850-MMS, MQTT, etc. Compared with typical fuzzers, such as American fuzzy lop, Polar, AFLNET, Boofuzz, and Peach, it averagely improves branch coverage by 234.2%, 194.4%, 215.9%, 52.58%, and 35.18%, respectively. Moreover, it has already confirmed 21 previously unknown vulnerabilities (e.g., stack buffer overflow) among these ICS protocols, most of which are security critical and corresponding patches from vendors have been released accordingly.

Andrei Bytes,Prashant Hari Narayan Rajput,Constantine Doumanidis,Nils Ole Tippenhauer,Michail Maniatakos,Jianying Zhou

2023-07-31

Abstract:Networked Programmable Logic Controllers (PLCs) are proprietary industrial devices utilized in critical infrastructure that execute control logic applications in complex proprietary runtime environments that provide standardized access to the hardware resources in the PLC. These control applications are programmed in domain-specific IEC 61131-3 languages, compiled into a proprietary binary format, and process data provided via industrial protocols. Control applications present an attack surface threatened by manipulated traffic. For example, remote code injection in a control application would directly allow to take over the PLC, threatening physical process damage and the safety of human operators. However, assessing the security of control applications is challenging due to domain-specific challenges and the limited availability of suitable methods. Network-based fuzzing is often the only way to test such devices but is inefficient without guidance from execution tracing. This work presents the FieldFuzz framework that analyzes the security risks posed by the Codesys runtime (used by over 400 devices from 80 industrial PLC vendors). FieldFuzz leverages efficient network-based fuzzing based on three main contributions: i) reverse-engineering enabled remote control of control applications and runtime components, ii) automated command discovery and status code extraction via network traffic and iii) a monitoring setup to allow on-system tracing and coverage computation. We use FieldFuzz to run fuzzing campaigns, which uncover multiple vulnerabilities, leading to three reported CVE IDs. To study the cross-platform applicability of FieldFuzz, we reproduce the findings on a diverse set of Industrial Control System (ICS) devices, showing a significant improvement over the state-of-the-art.

Cryptography and Security

Ting Wang,Qi Xiong,Haihui Gao,Yong Peng,Zhonghua Dai,Shengwei Yi

DOI: https://doi.org/10.1109/IIH-MSP.2013.112

2013-01-01

Abstract:With the rapid development of information and automatic control technology, more and more industrial control system(ICS) like SCADA, is interconnected with Ethernet and directly connected to internet, which greatly improve the efficiency of data sharing and introduced in security threats at the same time. As the important components of critical infrastructure, if attacked, will behave abnormal and result in disasters to society countries and national economy. As one of the most import industrial protocols applied widely in the industry field, OPC is responsible to provide producing related data to HMI and database gathered from field devices like PLC and RTU. Because of the unique nature of industrial control system, traditional fuzzing technology cannot be applied to vulnerability detecting of OPC protocols directly. So it is urgent to develop a novel fuzzing technology for OPC protocol. This paper first described motivation of vulnerability detecting for OPC with fuzzing tool, then introduced the design and implementation of fuzzing technology for OPC protocol, the structure, workflow and algorithm is also described in detail. Finally, a experiment for OPC protocol fuzzing is proposed and the result is analyzed, some conclusion can be reached that the fuzzing technology proposed in this paper can fully satisfy the requirement of vulnerability detecting of OPC protocol.

Wanyou Lv,Jiawen Xiong,Jianqi Shi,Yanhong Huang,Shengchao Qin

DOI: https://doi.org/10.1007/s10845-020-01584-z

IF: 8.3

2020-05-23

Journal of Intelligent Manufacturing

Abstract:A growing awareness is brought that the safety and security of industrial control systems cannot be dealt with in isolation, and the safety and security of industrial control protocols (ICPs) should be considered jointly. Fuzz testing (fuzzing) for the ICP is a common way to discover whether the ICP itself is designed and implemented with flaws and network security vulnerability. Traditional fuzzing methods promote the safety and security testing of ICPs, and many of them have practical applications. However, most traditional fuzzing methods rely heavily on the specification of ICPs, which makes the test process a costly, time-consuming, troublesome and boring task. And the task is hard to repeat if the specification does not exist. In this study, we propose a smart and automated protocol fuzzing methodology based on improved deep convolution generative adversarial network and give a series of performance metrics. An automated and intelligent fuzzing framework BLSTM-DCNNFuzz for application is designed. Several typical ICPs, including Modbus and EtherCAT, are applied to test the effectiveness and efficiency of our framework. Experiment results show that our methodology outperforms the existing ones like General Purpose Fuzzer and other deep learning based fuzzing methods in convenience, effectiveness, and efficiency.

engineering, manufacturing,computer science, artificial intelligence

Fan Zhang,Qianmei Wu,Bohan Xuan,Yuqi Chen,Wei Lin,Christopher M. Poskitt,Jun Sun,Binbin Chen

DOI: https://doi.org/10.1109/tse.2023.3309330

2020-01-01

Abstract:Cyber-physical systems (CPSs) automating critical public infrastructure face a pervasive threat of attack, motivating research into different types of countermeasures. Assessing the effectiveness of these countermeasures is challenging, however, as benchmarks are difficult to construct manually, existing automated testing solutions often make unrealistic assumptions, and blindly fuzzing is ineffective at finding attacks due to the enormous search spaces and resource requirements. In this work, we propose active sensor fuzzing , a fully automated approach for building test suites without requiring any a prior knowledge about a CPS. Our approach employs active learning techniques. Applied to a real-world water treatment system, our approach manages to find attacks that drive the system into 15 different unsafe states involving water flow, pressure, and tank levels, including nine that were not covered by an established attack benchmark. Furthermore, we successfully generate targeted multi-point attacks which have been long suspected to be possible. We reveal that active sensor fuzzing successfully extends the attack benchmarks generated by our previous work, an ML-guided fuzzing tool, with two more kinds of attacks. Finally, we investigate the impact of active learning on models and the reason that the model trained with active learning is able to discover more attacks.

Zhicheng Hu,Jianqi Shi,Yanhong Huang,Jiawen Xiong,Xiangxing Bu

DOI: https://doi.org/10.1145/3203217.3203241

2018-01-01

Abstract:In this paper, we attempt to improve industrial safety from the perspective of communication security. We leverage the protocol fuzzing technology to reveal errors and vulnerabilities inside implementations of industrial network protocols(INPs). Traditionally, to effectively conduct protocol fuzzing, the test data has to be generated under the guidance of protocol grammar, which is built either by interpreting the protocol specifications or reverse engineering from network traces. In this study, we propose an automated test case generation method, in which the protocol grammar is learned by deep learning. Generative adversarial network(GAN) is employed to train a generative model over real-world protocol messages to enable us to learn the protocol grammar. Then we can use the trained generative model to produce fake but plausible messages, which are promising test cases. Based on this approach, we present an automatical and intelligent fuzzing framework(GANFuzz) for testing implementations of INPs. Compared to prior work, GANFuzz offers a new way for this problem. Moreover, GANFuzz does not rely on protocol specification, so that it can be applied to both public and proprietary protocols, which outperforms many previous frameworks. We use GANFuzz to test several simulators of the Modbus-TCP protocol and find some errors and vulnerabilities.

XIANG Shuang,ZHAO Bo,JI Xiangmin,ZHANG Huanguo

DOI: https://doi.org/10.14188/j.1671-8836.2013.05.014

2013-01-01

Abstract:Vulnerability detection is an effective way to solve security problem of current industrial control system.By analyzing the difficulties of vulnerability detection in the existing industrial control platform,this paper proposes an improved fuzzing framework that introduces the concept of confidence to quantify the test cases as a classifier input,and thus pre-screens potential test cases,so as to reduce input space and enhance hit rate.Based on this architecture design for industrial control systems,the generic framework for vulnerability mining combines with malformed data structure,test target monitoring,and test results management,and supports multi-target,multi-protocol,multiplatform extensions.Finally,experimental results on an industrial controller have shown the feasibility and effectiveness of the method.

Tengfei Tu,Hua Zhang,Boqin Qin,Zhuo Chen

DOI: https://doi.org/10.2991/fmsmt-17.2017.119

2017-01-01

Abstract:In this paper, we proposed an effective vulnerability mining system for IEC61850 protocol in the Smart Grid. First of all, we introduce the basic structures and features of IEC61850 protocol. Next, we summarize the possible vulnerabilities of it. Finally a fuzzing tester named IECFuzzer is designed and implemented using the technique of fuzzing. A lot of simulation results show that IECFuzzer can not only be used to exploit the potential denial-of-service vulnerabilities of IEC61850 protocol, but also to verify the robustness of PLC devices using IEC61850 protocol.

Shameng Wen,Qingkun Meng,Chao Feng,Chaojing Tang

DOI: https://doi.org/10.1371/journal.pone.0186188

IF: 3.7

2017-10-19

PLoS ONE

Abstract:Network protocol vulnerability detection plays an important role in many domains, including protocol security analysis, application security, and network intrusion detection. In this study, by analyzing the general fuzzing method of network protocols, we propose a novel approach that combines network traffic analysis with the binary reverse engineering method. For network traffic analysis, the block-based protocol description language is introduced to construct test scripts, while the binary reverse engineering method employs the genetic algorithm with a fitness function designed to focus on code coverage. This combination leads to a substantial improvement in fuzz testing for network protocols. We build a prototype system and use it to test several real-world network protocol implementations. The experimental results show that the proposed approach detects vulnerabilities more efficiently and effectively than general fuzzing methods such as SPIKE.

Xuejun Zong,Wenjie Luo,Bowei Ning,Kan He,Lian Lian,Yifei Sun

DOI: https://doi.org/10.1109/access.2024.3399820

IF: 3.9

2024-05-22

IEEE Access

Abstract:With the opening of industrial networks in the information age, the characteristic of Industrial Control Protocols (ICPs) to transmit plaintext without encryption exposes serious security risks, threatening the safe and stable operation of Industrial Control Systems (ICSs). Exploring the work of mining vulnerabilities in ICPs can use fuzzing to mine potential vulnerabilities in protocols to ensure the safe operation of ICS. However, traditional fuzzing methods require the construction of test cases based on expert experience and the format syntax specification of ICPs. This process is time-consuming, labor-intensive, inefficient, and limited when facing unknown ICPs. In response to these issues, this paper proposes an automated fuzzing method for ICPs based on the Denoising Diffusion Probabilistic Model (DDPM). Specifically, DDPM achieves the conversion from noise to data samples, which can easily and quickly generate test cases. On this basis, we designed a universal fuzzing framework, DiffusionFuzz, that can be applied to most ICPs. The experimental results obtained on ICPs such as Modbus/TCP in the Industrial Attack-Defense Range of the Key Laboratory of Information Security for Petrochemical Industry in Liaoning Province demonstrate that the test cases generated by this method are diverse, and outperform other fuzzing methods in terms of acceptance rate and ability to trigger exceptions. Certainly, DiffusionFuzz can enhance the effectiveness of fuzzing, identify vulnerabilities in ICPs, and thereby reduce potential economic risks and impacts.

computer science, information systems,telecommunications,engineering, electrical & electronic

Donglan Liu,Fangzhe Zhang,Yingxian Chang,Hao Zhang,Rui Wang,Lili Sun,Xin Liu,Fuhui Zhao,Mengqian Sun,Jianfei Chen

DOI: https://doi.org/10.1109/ICEIEC58029.2023.10200004

2023-01-01

Abstract:In this paper, we study the fuzz testing framework for electric Internet of things protocol and analyze the characteristics of different electric Internet of thing protocols. By making full use of the existing information, a new seed scheduling and change algorithm was designed based on the feature and combined with the protocol state, the protocol multi-party collaborative interaction mode and the seed grouping, and the fuzz testing process was redesigned. A fuzz testing framework based on the protocol characteristics of electric Internet of Things is proposed by combining the tools of symbol execution, Markov chain, genetic algorithm and machine learning. It can solve the problems of too much preparation and low testing efficiency in the fuzz testing of the existing electric Internet of Things protocols. Finally, the fuzz test framework for power system terminal is studied. The basic process of fuzz testing is introduced in detail from the aspects of target identification, input vector determination, test case generation, program execution, anomaly monitoring, vulnerability analysis and evaluation. A fuzz testing framework for power system terminal is proposed, which includes test case generator, target program execution engine, monitor, vulnerability detector and vulnerability filter. It can provide a unified testing environment for all business terminals, realize efficient and rapid vulnerability mining, form the active defense capability of terminals, and avoid the operation of Internet of Things terminals with diseases.

Zhengxiong Luo,Zhe Liu,Yu Jiang,Junze Yu,Feilong Zuo

DOI: https://doi.org/10.1109/DAC18074.2021.9586321

2021-12-05

Abstract:The rapid development of in-vehicle networks and protocols brings efficient communication service but also increases the risk of attack. Any vulnerability may be leveraged to cause serious consequences. It is of vital importance to guarantee their security. However, the vulnerability detection efficiency of traditional techniques such as fuzzing is challenged by the complex relations among protocol states.In this paper, we propose PAVFuzz, a state-sensitive fuzz testing framework to secure those protocols used in autonomous vehicles. It automatically learns relations between two data elements in different protocol states. The relations will then be used to calculate and update the mutation weight of each data element continuously. Accordingly, PAVFuzz is able to select the target data elements and perform state-sensitive mutation to boost the efficiency. Experiments show that, compared with state-of-the-art fuzzers Peach and AFL, PAVFuzz increases branch coverage by averagely 22.51% and 369.19% within 24 hours. It has successfully exposed 12 serious previously unknown vulnerabilities among several protocols that are widely used in autonomous vehicles, such as RTPS and SOME/IP. We have reported them to the developers and corresponding patches have been released.

Engineering,Computer Science