StructuredFuzzer: Fuzzing Structured Text-Based Control Logic Applications

Koffi, Koffi Anderson; Kampourakis, Vyron; Song, Jia; Kolias, Constantinos; Ivans, Robert Christopher

doi:10.3390/electronics13132475

StructuredFuzzer: Fuzzing Structured Text-Based Control Logic Applications

Journal Article · Tue Jun 25 00:00:00 EDT 2024 · Electronics

DOI:https://doi.org/10.3390/electronics13132475· OSTI ID:2438034

^[1]; ^[2]; ^[1]; ^[1]; ^[3]

University of Idaho, Idaho Falls, ID (United States)
Norwegian University of Science and Technology, Trondheim (Norway)
Idaho National Laboratory (INL), Idaho Falls, ID (United States)

Rigorous testing methods are essential for ensuring the security and reliability of industrial controller software. Fuzzing, a technique that automatically discovers software bugs, has also proven effective in finding software vulnerabilities. Unsurprisingly, fuzzing has been applied to a wide range of platforms, including programmable logic controllers (PLCs). However, current approaches, such as coverage-guided evolutionary fuzzing implemented in the popular fuzzer American Fuzzy Lop Plus Plus (AFL++), are often inadequate for finding logical errors and bugs in PLC control logic applications. They primarily target generic programming languages like C/C++, Java, and Python, and do not consider the unique characteristics and behaviors of PLCs, which are often programmed using specialized programming languages like Structured Text (ST). Furthermore, these fuzzers are ill suited to deal with complex input structures encapsulated in ST, as they are not specifically designed to generate appropriate input sequences. This renders the application of traditional fuzzing techniques less efficient on these platforms. To address this issue, this paper presents a fuzzing framework designed explicitly for PLC software to discover logic bugs in applications written in ST specified by the IEC 61131-3 standard. The proposed framework incorporates a custom-tailored PLC runtime and a fuzzer designed for the purpose. We demonstrate its effectiveness by fuzzing a collection of ST programs that were crafted for evaluation purposes. We compare the performance against a popular fuzzer, namely, AFL++. The proposed fuzzing framework demonstrated its capabilities in our experiments, successfully detecting logic bugs in the tested PLC control logic applications written in ST. On average, it was at least 83 times faster than AFL++, and in certain cases, for example, it was more than 23,000 times faster.

View Accepted Manuscript (DOE)

Research Organization:: Idaho National Laboratory (INL), Idaho Falls, ID (United States)

Sponsoring Organization:: USDOE Laboratory Directed Research and Development (LDRD) Program

Grant/Contract Number:: AC07-05ID14517

OSTI ID:: 2438034

Report Number(s):: INL/JOU--24-80084-Rev000

Journal Information:: Electronics, Journal Name: Electronics Journal Issue: 13 Vol. 13; ISSN 2079-9292

Publisher:: MDPICopyright Statement

Country of Publication:: United States

Language:: English

References (21)

Programmable logic controllers based systems (PLC-BS): vulnerabilities and threats Serhane, Abraham; Raad, Mohamad; Raad, Raad SN Applied Sciences, Vol. 1, Issue 8 https://doi.org/10.1007/s42452-019-0860-2	journal	July 2019
Cybersecurity for industrial control systems: A survey Bhamare, Deval; Zolanvari, Maede; Erbad, Aiman Computers & Security, Vol. 89 https://doi.org/10.1016/j.cose.2019.101677	journal	February 2020
A systematic literature review on wireless security testbeds in the cyber-physical realm Kampourakis, Vyron; Gkioulos, Vasileios; Katsikas, Sokratis Computers & Security, Vol. 133 https://doi.org/10.1016/j.cose.2023.103383	journal	October 2023
Learning-Guided Network Fuzzing for Testing Cyber-Physical System Defences Chen, Yuqi; Poskitt, Christopher M.; Sun, Jun 2019 34th IEEE/ACM International Conference on Automated Software Engineering (ASE) https://doi.org/10.1109/ASE.2019.00093	conference	November 2019
Optimizing Seed Inputs in Fuzzing with Machine Learning Cheng, Liang; Zhang, Yang; Zhang, Yi 2019 IEEE/ACM 41st International Conference on Software Engineering: Companion Proceedings (ICSE-Companion) https://doi.org/10.1109/ICSE-Companion.2019.00096	conference	May 2019
Comparison of Leading Language Parsers – ANTLR, JavaCC, SableCC, Tree-sitter, Yacc, Bison Latif, Afshan; Azam, Farooque; Anwar, Muhammad Waseem 2023 13th International Conference on Software Technology and Engineering (ICSTE) https://doi.org/10.1109/ICSTE61649.2023.00009	conference	October 2023
The real story of stuxnet Kushner, David IEEE Spectrum, Vol. 50, Issue 3 https://doi.org/10.1109/MSPEC.2013.6471059	journal	March 2013
Skyfire: Data-Driven Seed Generation for Fuzzing Wang, Junjie; Chen, Bihuan; Wei, Lei 2017 IEEE Symposium on Security and Privacy (SP) https://doi.org/10.1109/SP.2017.23	conference	May 2017
SAVIOR: Towards Bug-Driven Hybrid Testing Chen, Yaohui; Li, Peng; Xu, Jun 2020 IEEE Symposium on Security and Privacy (SP) https://doi.org/10.1109/SP40000.2020.00002	conference	May 2020
Angr - The Next Generation of Binary Analysis Wang, Fish; Shoshitaishvili, Yan 2017 IEEE Cybersecurity Development (SecDev) https://doi.org/10.1109/SecDev.2017.14	conference	September 2017
Symbolic execution of programmable logic controller code Guo, Shengjian; Wu, Meng; Wang, Chao Proceedings of the 2017 11th Joint Meeting on Foundations of Software Engineering https://doi.org/10.1145/3106237.3106245	conference	August 2017
Safl Wang, Mingzhe; Liang, Jie; Chen, Yuanliang Proceedings of the 40th International Conference on Software Engineering: Companion Proceeedings https://doi.org/10.1145/3183440.3183494	conference	May 2018
Polar Luo, Zhengxiong; Zuo, Feilong; Jiang, Yu ACM Transactions on Embedded Computing Systems, Vol. 18, Issue 5s https://doi.org/10.1145/3358227	journal	October 2019
An empirical study of the reliability of UNIX utilities Miller, Barton P.; Fredriksen, Lars; So, Bryan Communications of the ACM, Vol. 33, Issue 12 https://doi.org/10.1145/96267.96279	journal	December 1990
Fuzzing: a survey Li, Jun; Zhao, Bodong; Zhang, Chao Cybersecurity, Vol. 1, Issue 1 https://doi.org/10.1186/s42400-018-0002-y	journal	June 2018
Embedded fuzzing: a review of challenges, tools, and solutions Eisele, Max; Maugeri, Marcello; Shriwas, Rachna Cybersecurity, Vol. 5, Issue 1 https://doi.org/10.1186/s42400-022-00123-y	journal	September 2022
INSTRIM: Lightweight Instrumentation for Coverage-guided Fuzzing Hsu, Chin-Chia; Wu, Che-Yu; Hsiao, Hsu-Chun Proceedings 2018 Workshop on Binary Analysis Research https://doi.org/10.14722/bar.2018.23014	conference	January 2018
PropFuzz — An IT-security fuzzing framework for proprietary ICS protocols Niedermaier, Matthias; Fischer, Florian; von Bodisco, Alexander 2017 International Conference on Applied Electronics (AE) https://doi.org/10.23919/AE.2017.8053600	conference	September 2017
IFFSET: In-Field Fuzzing of Industrial Control Systems using System Emulation Tychalas, Dimitrios; Maniatakos, Michail 2020 Design, Automation & Test in Europe Conference & Exhibition (DATE) https://doi.org/10.23919/DATE48585.2020.9116365	conference	March 2020
Security Challenges in Industry 4.0 PLC Systems Hajda, Janusz; Jakuszewski, Ryszard; Ogonowski, Szymon Applied Sciences, Vol. 11, Issue 21 https://doi.org/10.3390/app11219785	journal	October 2021
WPAxFuzz: Sniffing Out Vulnerabilities in Wi-Fi Implementations Kampourakis, Vyron; Chatzoglou, Efstratios; Kambourakis, Georgios Cryptography, Vol. 6, Issue 4 https://doi.org/10.3390/cryptography6040053	journal	October 2022

Similar Records

Program Fuzzing on High Performance Computing Resources

Technical Report · Mon Dec 31 23:00:00 EST 2018 · OSTI ID:1492735

Speeding-up fuzzing through directional seeds

Journal Article · Thu Feb 13 19:00:00 EST 2025 · International journal of information security · OSTI ID:2516767

Related Subjects

47 OTHER INSTRUMENTATION
97 MATHEMATICS AND COMPUTING
AFL
AFL++
ICS
PLC
fuzzing
structured text

StructuredFuzzer: Fuzzing Structured Text-Based Control Logic Applications

Citation Formats

References (21)

Similar Records

Related Subjects