FieldFuzz: In Situ Blackbox Fuzzing of Proprietary Industrial Automation Runtimes via the Network

Andrei Bytes, Prashant Hari Narayan Rajput, Constantine Doumanidis, Nils Ole Tippenhauer, Michail Maniatakos, Jianying Zhou

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Abstract

Networked Programmable Logic Controllers (PLCs) are proprietary industrial devices utilized in critical infrastructure that execute control logic applications in complex proprietary runtime environments that provide standardized access to the hardware resources in the PLC. These control applications are programmed in domainspecific IEC 61131-3 languages, compiled into a proprietary binary format, and process data provided via industrial protocols. Control applications present an attack surface threatened by manipulated traffic. For example, remote code injection in a control application would directly allow to take over the PLC, threatening physical process damage and the safety of human operators. However, assessing the security of control applications is challenging due to domain-specific challenges and the limited availability of suitable methods. Network-based fuzzing is often the only way to test such devices but is inefficient without guidance from execution tracing. This work presents the FieldFuzz framework that analyzes the security risks posed by the Codesys runtime (used by over 400 devices from 80 industrial PLC vendors). FieldFuzz leverages efficient network-based fuzzing based on three main contributions: i) reverse-engineering enabled remote control of control applications and runtime components, ii) automated command discovery and status code extraction via network traffic and iii) a monitoring setup to allow on-system tracing and coverage computation. We use FieldFuzz to run fuzzing campaigns, which uncover multiple vulnerabilities, leading to three reported CVE IDs. To study the cross-platform applicability of FieldFuzz, we reproduce the findings on a diverse set of Industrial Control System (ICS) devices, showing a significant improvement over the state-of-the-art.

Original languageEnglish (US)
Title of host publicationProceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2023
PublisherAssociation for Computing Machinery
Pages499-512
Number of pages14
ISBN (Electronic)9798400707650
DOIs
StatePublished - Oct 16 2023
Event26th International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2023 - Hong Kong, China
Duration: Oct 16 2023Oct 18 2023

Publication series

NameACM International Conference Proceeding Series

Conference

Conference26th International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2023
Country/TerritoryChina
CityHong Kong
Period10/16/2310/18/23

Keywords

  • fuzzing
  • industrial control systems
  • programmable logic controllers

ASJC Scopus subject areas

  • Human-Computer Interaction
  • Computer Networks and Communications
  • Computer Vision and Pattern Recognition
  • Software

Fingerprint

Dive into the research topics of 'FieldFuzz: In Situ Blackbox Fuzzing of Proprietary Industrial Automation Runtimes via the Network'. Together they form a unique fingerprint.

Cite this