StructuredFuzzer: Fuzzing Structured Text-Based Control Logic Applications

Koffi Anderson Koffi, Vyron Kampourakis, Jia Song, Constantinos Kolias, Robert C. Ivans
DOI: https://doi.org/10.3390/electronics13132475
IF: 2.9
2024-06-25
Electronics
Abstract: Rigorous testing methods are essential for ensuring the security and reliability of industrial controller software. Fuzzing, a technique that automatically discovers software bugs, has also proven effective in finding software vulnerabilities. Unsurprisingly, fuzzing has been applied to a wide range of platforms, including programmable logic controllers (PLCs). However, current approaches, such as coverage-guided evolutionary fuzzing implemented in the popular fuzzer American Fuzzy Lop Plus Plus (AFL++), are often inadequate for finding logical errors and bugs in PLC control logic applications. They primarily target generic programming languages like C/C++, Java, and Python, and do not consider the unique characteristics and behaviors of PLCs, which are often programmed using specialized programming languages like Structured Text (ST). Furthermore, these fuzzers are ill-suited to deal with complex input structures encapsulated in ST, as they are not specifically designed to generate appropriate input sequences. This renders the application of traditional fuzzing techniques less efficient on these platforms. To address this issue, this paper presents a fuzzing framework designed explicitly for PLC software to discover logic bugs in applications written in ST specified by the IEC 61131-3 standard. The proposed framework incorporates a custom-tailored PLC runtime and a fuzzer designed for the purpose. We demonstrate its effectiveness by fuzzing a collection of ST programs that were crafted for evaluation purposes. We compare the performance against a popular fuzzer, namely, AFL++. The proposed fuzzing framework demonstrated its capabilities in our experiments, successfully detecting logic bugs in the tested PLC control logic applications written in ST. On average, it was at least 83 times faster than AFL++, and in certain cases, for example, it was more than 23,000 times faster.
engineering, electrical & electronic; computer science, information systems; physics, applied
What problem does this paper attempt to address?
The paper aims to address the shortcomings in the security and reliability testing of industrial controller software, especially programmable logic controllers (PLCs), particularly when control logic applications are written in Structured Text (ST). The paper notes that while fuzzing has been proven to be an effective method for discovering software vulnerabilities and is widely applied across various platforms, including PLCs, existing fuzzing techniques, such as coverage-guided evolutionary fuzzing (implemented in the popular fuzzer American Fuzzy Lop Plus Plus, AFL++), are often insufficient for detecting logical errors and bugs in PLC control logic applications. These methods are primarily targeted at general-purpose programming languages, such as C/C++, Java, and Python, and do not take into account the unique characteristics and behaviors of PLCs, nor the particularities of PLC-specific programming languages like ST.

The solution proposed in the paper is a fuzzing framework named StructuredFuzzer, designed specifically for PLC software, to detect logical bugs in ST programs that follow the IEC 61131-3 standard. The framework includes a customized PLC runtime environment and a fuzzer specifically designed for ST. Experimental results show that, compared to AFL++, this framework achieves a significant efficiency improvement in detecting logical bugs in PLC control logic applications, with an average speed 83 times faster and, in some cases, over 23,000 times faster.

The paper also discusses in detail the challenges faced when fuzzing PLC control applications, including the specificity of PLC programming languages and runtime environments, complex input structures, and real-time constraints. By introducing a customized PLC runtime environment and a specially designed fuzzer that generates inputs fitting the context of ST programs, the paper addresses these issues, thereby improving the specificity and efficiency of fuzz testing. Furthermore, the paper validates the effectiveness of the proposed framework through a carefully designed collection of ST programs, providing a benchmark for future related research.