ACM Digital Library record | DOI: 10.1145/3485832.3488028 | ACSAC Conference Proceedings | Research article | Open access

ICS3Fuzzer: A Framework for Discovering Protocol Implementation Bugs in ICS Supervisory Software by Fuzzing

Published: 06 December 2021

Abstract

Supervisory software is widely used in industrial control systems (ICSs) to manage field devices such as PLC controllers. Once compromised, it could be misused to control or manipulate these physical devices maliciously, endangering manufacturing processes or even human lives. Extensive security testing of supervisory software is therefore crucial for the safe operation of an ICS. However, fuzzing ICS supervisory software is challenging because of the prevalent use of proprietary protocols: without knowledge of the program states and packet formats, it is difficult to reach the deep states where effective fuzzing happens.

In this work, we present a fuzzing framework that automatically discovers implementation bugs in the communication protocols between the supervisory software and the field devices. To avoid the heavy human effort of reverse-engineering proprietary protocols, the proposed approach constructs a state-book from the readily available execution trace of the supervisory software and the corresponding inputs. We then propose a state selection algorithm that finds the protocol states most likely to contain bugs, and the fuzzer allocates more of its budget to those interesting states. Reaching the interesting states quickly with a traditional snapshot-based method does not work, because the communication protocols are time sensitive; we address this by synchronously managing external events (GUI operations and network traffic) during the fuzzing loop. We have implemented a prototype and used it to fuzz the supervisory software of four popular ICS platforms. We found 13 bugs and received 3 CVEs; 2 of them are classified as critical (CVSS 3.x score 9.8) and affect 40 different products.



Published In

ACSAC '21: Proceedings of the 37th Annual Computer Security Applications Conference
December 2021, 1077 pages
ISBN: 9781450385794
DOI: 10.1145/3485832

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

1. GUI-driven fuzzer
2. ICS security
3. Supervisory software
4. fuzzing
5. protocol implementation bugs

Qualifiers

• Research-article
• Research
• Refereed limited

Funding Sources

• Guangdong Province Key Area R&D Program of China
• Joint Funds of the National Natural Science Foundation of China

Conference

ACSAC '21

Acceptance Rates

Overall Acceptance Rate: 104 of 497 submissions, 21%


Cited By

• A Survey of Protocol Fuzzing. ACM Computing Surveys 57(2), 1–36 (2024). DOI: 10.1145/3696788. Online publication date: 10 Oct 2024.
• LTA: Control-Driven UAV Testing and Bug Localization with Flight Record Decomposition. Proceedings of the 22nd ACM Conference on Embedded Networked Sensor Systems, 450–463 (2024). DOI: 10.1145/3666025.3699350. Online publication date: 4 Nov 2024.
• MSGFuzzer: Message Sequence Guided Industrial Robot Protocol Fuzzing. 2024 IEEE Conference on Software Testing, Verification and Validation (ICST), 140–150 (2024). DOI: 10.1109/ICST60714.2024.00021. Online publication date: 27 May 2024.
• A Retrospective Analysis of a Rapid Review on Fuzz Security Testing for Software Implementation of Communication Protocols. SN Computer Science 5(7) (2024). DOI: 10.1007/s42979-024-03234-0. Online publication date: 17 Sep 2024.
• FieldFuzz: In Situ Blackbox Fuzzing of Proprietary Industrial Automation Runtimes via the Network. Proceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses, 499–512 (2023). DOI: 10.1145/3607199.3607226. Online publication date: 16 Oct 2023.
• Fuzzing for Power Grids: A Comparative Study of Existing Frameworks and a New Method for Detecting Silent Crashes in Control Devices. 2023 IEEE Design Methodologies Conference (DMC), 1–6 (2023). DOI: 10.1109/DMC58182.2023.10412473. Online publication date: 24 Sep 2023.
• Anomaly detection for mobile computing based smart vertical approaches. International Journal of System Assurance Engineering and Management (2023). DOI: 10.1007/s13198-023-02092-y. Online publication date: 28 Aug 2023.
• MCFM: Discover Sensitive Behavior from Encrypted Traffic in Industrial Control System. 2022 IEEE International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), 897–904 (2022). DOI: 10.1109/TrustCom56396.2022.00124. Online publication date: Dec 2022.
• Spenny: Extensive ICS Protocol Reverse Analysis via Field Guided Symbolic Execution. IEEE Transactions on Dependable and Secure Computing 20(6), 4502–4518 (2022). DOI: 10.1109/TDSC.2022.3228076. Online publication date: 9 Dec 2022.
