Ting Su,Zhoulai Fu,Geguang Pu,Jifeng He,Zhendong Su

DOI: https://doi.org/10.1109/icse.2015.81

2015-01-01

Abstract:Data flow testing (DFT) focuses on the flow of data through a program. Despite its higher fault-detection ability over other structural testing techniques, practical DFT remains a significant challenge. This paper tackles this challenge by introducing a hybrid DFT framework: (1) The core of our framework is based on dynamic symbolic execution (DSE), enhanced with a novel guided path search to improve testing performance, and (2) we systematically cast the DFT problem as reach ability checking in software model checking to complement our DSE-based approach, yielding a practical hybrid DFT technique that combines the two approaches' respective strengths. Evaluated on both open source and industrial programs, our DSE-based approach improves DFT performance by 60~80% in terms of testing time compared with state-of-the-art search strategies, while our combined technique further reduces 40% testing time and improves data-flow coverage by 20% by eliminating infeasible test objectives. This combined approach also enables the cross-checking of each component for reliable and robust testing results.

Shengjian Guo,Meng Wu,Chao Wang

DOI: https://doi.org/10.1145/3106237.3106245

2017-08-21

Abstract:Programmable logic controllers (PLCs) are specialized computers for automating a wide range of cyber-physical systems. Since these systems are often safety-critical, software running on PLCs need to be free of programming errors. However, automated tools for testing PLC software are lacking despite the pervasive use of PLCs in industry. We propose a symbolic execution based method, named SymPLC, for automatically testing PLC software written in programming languages specified in the IEC 61131-3 standard. SymPLC takes the PLC source code as input and translates it into C before applying symbolic execution, to systematically generate test inputs that cover both paths in each periodic task and interleavings of these tasks. Toward this end, we propose a number of PLC-specific reduction techniques for identifying and eliminating redundant interleavings. We have evaluated SymPLC on a large set of benchmark programs with both single and multiple tasks. Our experiments show that SymPLC can handle these programs efficiently, and for multi-task PLC programs, our new reduction techniques outperform the state-of-the-art partial order reduction technique by more than two orders of magnitude.

Ting Su,Chengyu Zhang,Yichen Yan,Lingling Fan,Geguang Pu,Yang Liu,Zhoulai Fu,Zhendong Su

DOI: https://doi.org/10.48550/arXiv.1803.10431

2019-03-31

Abstract:Data-flow testing (DFT) aims to detect potential data interaction anomalies by focusing on the points at which variables receive values and the points at which these values are used. Such test objectives are referred as \emph{def-use pairs}. However, the complexity of DFT still overwhelms the testers in practice. To tackle this problem, we introduce a hybrid testing framework for data-flow based test generation: (1) The core of our framework is symbolic execution (SE), enhanced by a novel guided path exploration strategy to improve testing performance; and (2) we systematically cast DFT as reachability checking in software model checking (SMC) to complement SE, yielding practical DFT that combines the two techniques' strengths. We implemented our framework for C programs on top of the state-of-the-art symbolic execution engine KLEE and instantiated with three different software model checkers. Our evaluation on the 28,354 def-use pairs collected from 33 open-source and industrial program subjects shows (1) our SE-based approach can improve DFT performance by 15$\sim$48% in terms of testing time, compared with existing search strategies; and (2) our combined approach can further reduce testing time by 20.1$\sim$93.6%, and improve data-flow coverage by 27.8$\sim$45.2% by eliminating infeasible test objectives. Compared with the SMC-based approach alone, our combined approach can also reduce testing time by 19.9$\sim$23.8%, and improve data-flow coverage by 7$\sim$10%. This combined approach also enables the cross-checking of each component for reliable and robust testing results. We have made our testing framework and benchmarks publicly available to facilitate future research.

Software Engineering

Weigang He,Jianqi Shi,Ting Su,Zeyu Lu,Li Hao,Yanhong Huang

DOI: https://doi.org/10.1016/j.scico.2021.102608

IF: 1.039

2021-01-01

Science of Computer Programming

Abstract:A programmable logic controller (PLC) is essentially a computer dedicated to industrial control which is widely used in the field of global automation control. However, PLC software bugs can result in economic losses and even personal safety issues. PLC software must be thoroughly tested regarding function, structure, safety, and other aspects to avoid accidents. Existing PLC tools are mainly based on the manual setting of input data, which is not only unable to be well automated but also cannot provide information about code coverage. This paper presents an automated test case generation approach for a Structured Text (ST) language to reduce the cost of testing, using dynamic symbolic execution. We apply this method to implement the coverage-based automated test case generation tool STAutoTester. We have evaluated STAutoTester on 21 programs. The experimental results show that STAutoTester can effectively handle these programs. For 11 ST programs, STAutoTester reduces, on average, 87.5% of generated test cases compared to SYMPLC.

Jianqi Shi,Yinghao Chen,Qin Li,Yanhong Huang,Yang Yang,Mengyan Zhao

DOI: https://doi.org/10.1109/tc.2024.3351285

IF: 3.183

2024-03-15

IEEE Transactions on Computers

Abstract:Programmable Logic Controllers (PLCs) are specialized computers extensively utilized in industrial control fields. Since they control industrial equipment, software faults in PLCs can result in significant losses. However, current testing for PLC programs is mainly manual, and there are very few automatic testing tools. Structured Text (ST) is one of the five PLC programming languages stipulated by the IEC 61131-3 standard, suitable for writing complex control logic. This paper proposes an automatic unit test case generation framework for ST programs based on Dynamic Symbolic Execution and PLC states, as well as a supporting algorithm, and implements the PLCAutoTester tool. PLCAutoTester supports the automatic generation of ST program unit test cases that comply with statement coverage, branch coverage, and MC/DC coverage criterion. We evaluated the PLCAutoTester using 20 PLC programs and compared it with S YMPLC. The experimental results show that PLCAutoTester can generate unit test cases with high coverage in a short time. And in 11 common programs, PLCAutoTester is able to generate test cases with almost the same statement coverage as S YMPLC while reducing the number of test cases by 95%.

engineering, electrical & electronic,computer science, hardware & architecture

Wei Lin,Heng Chuan Tan,Binbin Chen,Fan Zhang

DOI: https://doi.org/10.1109/dsn58367.2023.00044

2023-01-01

Abstract:Programmable logic controllers (PLCs) are vulnerable to malware, which is a key security risk for Industrial Control Systems (ICSs). Existing attestation solutions are invasive because they require hardware security modules and software upgrades in legacy devices. We propose DNAttest, a Digital-twin-based Noninvasive Attestation solution to attest PLC behaviors in near-real time. DNAttest requires minimal ICS infrastructure changes and does not interfere with normal ICS operations. DNAttest detects PLC deviations by replicating all input messages for a PLC to its digital twin and comparing their output messages. Due to transient uncertainty in the PLC's internal processing state, DNAttest may output an incorrect comparison. To generate all plausible output values for comparison, we instantiate multiple emulated PLCs by replicating input messages with different timing profiles. We demonstrate on a close-to-real-world power grid testbed that DNAttest can provide a timely detection of a wide range of attacks non-invasively and accurately. DNAttest solution is lightweight and scalable. A typical desktop PC can attest more than 20 actual PLCs even if we use 10 emulators to monitor every actual PLC.

Zeyu Lu,Xia Mao,Yanhong Huang,Jianqi Shi,Yang

DOI: https://doi.org/10.18293/seke2021-105

2021-01-01

Abstract:Since programmable logic controllers (PLCs) control safety-critical infrastructures, examining the PLC software satisfies the high-reliability specifications necessary to ensure the safeness of PLCs.However, prior works have limitations in finding defects in the PLC source code.Static verification techniques suffer from notable false positives without capturing runtime behavior.The symbolic execution and conformance testing technique captures the relations of inputs and outputs.It is not sufficient to consider only the data constraints as the PLC operates in real-time.In this paper, we propose a novel approach in the detection of the runtime behavior of PLC programs with incorporated time constraints.This testing approach automatically finds implementation errors in PLC programs by mining invariants from runtime traces.As the existing tools mine only data or time invariants which are inadequate to test PLC programs, our approach focuses on the interplay of data and time invariants.Dynamically detected datatime invariants are then checked with the safety specifications.We evaluate the usefulness of our approach in a real-life case.The experimental results show that the proposed approach can find errors in PLC programs effectively.

Ting Su,Ke Wu,Weikai Miao,Geguang Pu,Jifeng He,Yuting Chen,Zhendong Su

DOI: https://doi.org/10.1145/3020266

2017-01-01

Abstract:Data-flow testing (DFT) is a family of testing strategies designed to verify the interactions between each program variable’s definition and its uses. Such a test objective of interest is referred to as a def-use pair. DFT selects test data with respect to various test adequacy criteria (i.e., data-flow coverage criteria) to exercise each pair. The original conception of DFT was introduced by Herman in 1976. Since then, a number of studies have been conducted, both theoretically and empirically, to analyze DFT’s complexity and effectiveness. In the past four decades, DFT has been continuously concerned, and various approaches from different aspects are proposed to pursue automatic and efficient data-flow testing. This survey presents a detailed overview of data-flow testing, including challenges and approaches in enforcing and automating it: (1) it introduces the data-flow analysis techniques that are used to identify def-use pairs; (2) it classifies and discusses techniques for data-flow-based test data generation, such as search-based testing, random testing, collateral-coverage-based testing, symbolic-execution-based testing, and model-checking-based testing; (3) it discusses techniques for tracking data-flow coverage; (4) it presents several DFT applications, including software fault localization, web security testing, and specification consistency checking; and (5) it summarizes recent advances and discusses future research directions toward more practical data-flow testing.

Ting Su,Geguang Pu,Bin Fang,Jifeng He

DOI: https://doi.org/10.1109/SERE.2014.23

2014-01-01

Abstract:Recently code transformations or tailored fitness functions are adopted to achieve coverage (structural or logical criterion) driven testing to ensure software reliability. However, some internal threats like negative impacts on underlying search strategies or local maximum exist. So we propose a dynamic symbolic execution (DSE) based framework combined with a path filtering algorithm and a new heuristic path search strategy, i.e., predictive path search, to achieve faster coverage-driven testing with lower testing cost. The empirical experiments (three open source projects and two industrial projects) show that our approach is effective and efficient. For the open source projects w.r.t branch coverage, our approach in average reduces 25.5% generated test cases and 36.3% solved constraints than the traditional DSE-based approach without path filtering. And the presented heuristic strategy, on the same testing budget, improves the branch coverage by 26.4% and 35.4% than some novel search strategies adopted in KLEE and CREST.

Xiaodong Zhang,Zijiang Yang,Qinghua Zheng,Pei Liu,Jialiang Chang,Yu Hao,Ting Liu

DOI: https://doi.org/10.1109/icst.2017.23

2017-01-01

Abstract:With the advent of multicore processors, there is a trend towards multithreading to take advantage of parallel computing resources. Due to greatly increased complexity, programmers need effective testing methodology that can thoroughly test multithreaded programs. There has been significant progress based on symbolic execution that attempts to exhaustively explore all the intra-thread paths and inter-thread interleavings. However, such testing approach faces two insuperable challenges. Firstly, exploring an astronomically large number of paths and interleavings limits its scalability. Secondly, a path itself does not directly help programmers understand program behavior. In this paper, we propose an alternate testing methodology that focuses on definition-use data flow instead of paths/interleavings. Such approach not only leads to orders of magnitude reduction in testing complexity, but also gives programmers direct help on examining the shared variable usage in a multithreaded program.

Jian Bao,Huifeng Wu,Yimajian Yan

DOI: https://doi.org/10.1007/s00170-014-6166-z

IF: 3.563

2014-07-25

The International Journal of Advanced Manufacturing Technology

Abstract:In this paper, a fault diagnosis system-programmable logic controller (FDS-PLC) is developed and discussed, regarding the improvement of reliability of PLC systems. Traditional approaches to improve reliability of the fault diagnose functions of PLC are not conscious of the fact: system developers and programmers are not able to identify every fault that may occur during the system’s lifetime. In order to conquer this problem, a FDS-PLC design that establishes and perfects a specification model of the PLC system is introduced. Firstly, FDS-PLC collects and transmits diagnosis data in surplus kernel time of the embedded processor; therefore, it does not decrease the responding speed of the system. Secondly, a finite state machine (FSM) built on PC is applied to construct the specification model and report faulty states to the system operator. Finally, the system is endowed with learning ability by perfecting the specification model. The application of FDS-PLC is further illustrated by an example on an elevator control system experimental platform.

engineering, manufacturing,automation & control systems

Chengyu Zhang,Ting Su,Yichen Yan,Ke Wu,Geguang Pu

DOI: https://doi.org/10.48550/arXiv.1803.06516

2019-03-20

Abstract:Dataflow coverage, one of the white-box testing criteria, focuses on the relations between variable definitions and their <a class="link-external link-http" href="http://uses.Several" rel="external noopener nofollow">this http URL</a> empirical studies have proved data-flow testing is more effective than control-flow testing. However, data-flow testing still cannot find its adoption in practice, due to the lack of effective tool support. To this end, we propose a guided symbolic execution approach to efficiently search for program paths to satisfy data-flow coverage criteria. We implemented this approach on KLEE and evaluated with 30 program subjects which are constructed by the subjects used in previous data-flow testing literature, SIR, SV-COMP benchmarks. Moreover, we are planning to integrate the data-flow testing technique into the new proposed symbolic execution engine, SmartUnit, which is a cloud-based unit testing service for industrial software, supporting coverage-based testing. It has successfully helped several well-known corporations and institutions in China to adopt coverage-based testing in practice, totally tested more than one million lines of real code from industry.

Software Engineering

Liu Ke,Wang Jing-Yi,Wei Qiang,Guizhou University,Sun Jun,Ma Rong-Kuan,Deng Rui-Long

DOI: https://doi.org/10.1007/s11390-021-1647-7

2021-01-01

Abstract:Programmable logic controllers (PLCs) play a critical role in many industrial control systems, yet face increasingly serious cyber threats. In this paper, we propose a novel PLC-compatible software-based defense mechanism, called Heterogeneous Redundant Proactive Defense Framework (HRPDF). We propose a heterogeneous PLC architecture in HRPDF, including multiple heterogeneous, equivalent, and synchronous runtimes, which can thwart multiple types of attacks against PLC without the need of external devices. To ensure the availability of PLC, we also design an inter-process communication algorithm that minimizes the overhead of HRPDF. We implement a prototype system of HRPDF and test it in a real-world PLC and an OpenPLC-based device, respectively. The results show that HRPDF can defend against multiple types of attacks with 10.22% additional CPU and 5.56% additional memory overhead, and about 0.6 ms additional time overhead.

Hehua Zhang,Yu Jiang,William N. N. Hung,Xiaoyu Song,Ming Gu,Jiaguang Sun

DOI: https://doi.org/10.1109/tc.2013.124

2014-01-01

Abstract:Programmable Logic Controllers (PLC) are widely used in industry. The reliability of the PLC is vital to many critical applications. This paper presents a novel approach to the symbolic analysis of PLC systems. The approach includes, (1) calculating the uncertainty characterization of the PLC system, (2) abstracting the PLC system as a Hidden Markov Model, (3) solving the Hidden Markov Model with domain knowledge, (4) combining the solved Hidden Markov Model and the uncertainty characterization to form a regular Markov model, and (5) utilizing probabilistic model checking to analyze properties of the Markov model. This framework provides automated analysis of both uncertainty calculations and performance measurements, without the need for expensive simulations. A case study of an industrial, automated PLC system demonstrates the effectiveness of our work.

Litian Xiao,Mengyuan Li,Ming Gu,Jiaguang Sun

DOI: https://doi.org/10.1109/wcica.2014.7053718

2014-01-01

Abstract:The correctness of PLC (Programmable Logic Controller) program in automatic control is vital to this kind of safety-critical applications. In this paper, we present a useful method of combinational testing for correctness of PLC programs. The method is based on the denotational semantics of PLC program and the semantic functions for basic instructions. It establishes the definition of denotational semantics for PLC program. The function of denotational semantics is defined by extended λ-calculus. It analyses adaptive problems of various tests for PLC embedded software and proposes a combinational testing framework based on simulation mechanism. The equivalent transforming module of PLC program is defined by means of test module composed with high-level language code segments, which have equivalent denotational semantics and partly include program diagnostic information. The framework can decompose a PLC program test into some small tests, and solve the test problem under the condition of boundary and utmost or no environment supporting. The validity of our method is shown by one example of experiments.

Peizun Liu,Guiming Luo,Mo Xia,Maosong He

DOI: https://doi.org/10.1109/IWACI.2011.6160012

2011-01-01

Abstract:Execution environment and temporal performance are very important for modeling a real PLC system. They also become two impediments when verifying with model checking. This paper presents a methodology for modeling a PLC system including time and environment. In order to take into account interaction of PLC controller with execution environment, the proposed method extends the modeling method with an event-driven mechanism. The heterogeneous environments are abstracted as concurrent entities and further formalized into state graphs. A timed abstraction method is proposed to deal with real-time features which specified as timer on delay (TON). We have validated our approach on a concrete case study, a controller for steel plate transfer devices, and report on the results obtained for this case study.

Xia Mao,Yueling Zhang,Jianqi Shi,Yanhong Huang,Qin Li

DOI: https://doi.org/10.1016/j.scico.2021.102763

IF: 1.039

2021-01-01

Science of Computer Programming

Abstract:Programmable Logic Controllers (PLC) are widely used in Industrial Control Systems (ICS) with strict safety assurance requirements. Unfortunately, traditional techniques for debugging prefer to use post-development approaches, such as simulation and black-box testing, rather than enhancing safety before programing. In this paper, we propose a refinement-based approach to model and verify PLC systems, aiming to assure safety properties by construction. It uses the Event-B formalism and focuses on the levels of requirement analysis, specification refinement, and system development. This approach takes a three-layer framework stepwise to specify the behaviors and properties of PLC programs, thereby reducing the modeling complexity. The basic firmware layer models the general mechanisms of PLC firmware, such as periodical instruction execution and centralized I/O scanning, which are application-independent models with fundamental safety properties at an abstract level. The middle layer establishes configuration models. These models correspond to the PLC settings and interactive environments of a specific system, such as I/O addresses and peripheral devices. The business layer models business logic with more specific system-level safety requirements. With our approach, the safety properties of PLC systems can be verified throughout the modeling and refinement process. In addition, rules are proposed to convert the most concrete Event-B model into PLC code satisfying the IEC 61131-3 standard. We demonstrate this approach with a real-world running example of a pump control system for gas transmission.

Chao Sang,Jun Wu,Jianhua Li,Mohsen Guizani

DOI: https://doi.org/10.1109/tifs.2024.3402117

2024-01-01

Abstract:Industrial Control System (ICS) depends on the underlying Programmable Logical Controllers (PLCs) to run. As such, the security of the internal control logic of the PLCs is the top concern of ICS. Reversing analysis and forensic work against PLC require extracting control logic from the control application running inside PLC, which is still an unresolved problem. To address the challenge, we propose a PLC decompile framework named CLEVER, which can analyze the control application and extract the control logic. First, we propose a simulation execution based code extraction method, which is utilized to filter the control logic related data. Then, to normalize the control application decompile process, an intermediate representation (IR) is designed, which can simplify the analysis process and enhance the extensibility of CLEVER. Finally, a heuristic data flow analysis algorithm is proposed to find variable dependency, and a sequential parsing method is utilized to reconstruct the source code from the control application. To evaluate our work, real world PLC hardware and programming software are used for the experiment. We use 22 real-world, 58 hand-written, and 150 auto-generated control applications to demonstrate the usability, correctness, and operational efficiency of CLEVER.

Xuankai Zhang,Jun Wu,Jianhua Li,Ali Kashif Bashir,Chao Sang,Bei Pei,Marwan Omar

DOI: https://doi.org/10.1109/icc51166.2024.10622481

2024-01-01

Abstract:PLC control programs are vulnerable to real-time threats, where attackers can disrupt the backhaul/front-end network of industrial production by creating numerous loops or I/O operations, leading to severe consequences. Therefore, formal verification of PLC control logic at the binary level is essential. In this study, we introduce a framework designed for formal verification of PLC control logic at the binary level. Our verification framework is based on simulation execution, which extracts the core control logic from PLC binary code. Initially, we develop an efficient framework for automating the parsing of PLC programs at the binary level and constructing their control flow graphs (CFGs). Next, we devise an algorithm to transform the reversed PLC assembly program into an smv model, a widely accepted formal verification tool. Subsequently, we generate real-time requirements relevant to industrial production and perform formal verification on the constructed models. To assess the real-time performance of our framework in safeguarding PLC systems, we implement a prototype and evaluated it across various representative ICS scenarios. The evaluation results demonstrate the capability of our proposed approach to effectively detect synchronization threats in PLC logic control programs.

Kun Wang,Jingyi Wang,Christopher M. Poskitt,Xiangxiang Chen,Jun Sun,Peng Cheng

DOI: https://doi.org/10.1109/TSE.2023.3315292

2023-09-12

Abstract:Programmable Logic Controllers (PLCs) are responsible for automating process control in many industrial systems (e.g. in manufacturing and public infrastructure), and thus it is critical to ensure that they operate correctly and safely. The majority of PLCs are programmed in languages such as Structured Text (ST). However, a lack of formal semantics makes it difficult to ascertain the correctness of their translators and compilers, which vary from vendor-to-vendor. In this work, we develop K-ST, a formal executable semantics for ST in the K framework. Defined with respect to the IEC 61131-3 standard and PLC vendor manuals, K-ST is a high-level reference semantics that can be used to evaluate the correctness and consistency of different ST implementations. We validate K-ST by executing 509 ST programs extracted from Github and comparing the results against existing commercial compilers (i.e., CODESYS, CX-Programmer, and GX Works2). We then apply K-ST to validate the implementation of the open source OpenPLC platform, comparing the executions of several test programs to uncover five bugs and nine functional defects in the compiler.

Programming Languages,Software Engineering