CISPA

FieldFuzz: In Situ Blackbox Fuzzing of Proprietary Industrial Automation Runtimes via the Network

conference contribution
posted on 2023-11-29, 18:23 authored by Andrei Bytes, Prashant Hari Narayan Rajput, Constantine Doumanidis, Nils Ole Tippenhauer, Michail Maniatakos, Jianying Zhou
Networked Programmable Logic Controllers (PLCs) are proprietary industrial devices used in critical infrastructure. They execute control logic applications in complex proprietary runtime environments that provide standardized access to the PLC's hardware resources. These control applications are programmed in the domain-specific IEC 61131-3 languages, compiled into a proprietary binary format, and process data delivered via industrial protocols. Control applications therefore present an attack surface threatened by manipulated traffic: remote code injection into a control application, for example, would directly allow an attacker to take over the PLC, threatening physical process damage and the safety of human operators. However, assessing the security of control applications is difficult because of domain-specific obstacles and the limited availability of suitable methods. Network-based fuzzing is often the only way to test such devices, but it is inefficient without guidance from execution tracing. This work presents the FieldFuzz framework, which analyzes the security risks posed by the Codesys runtime (used by over 400 devices from 80 industrial PLC vendors). FieldFuzz enables efficient network-based fuzzing through three main contributions: i) remote control of control applications and runtime components, enabled by reverse engineering; ii) automated command discovery and status code extraction from network traffic; and iii) a monitoring setup that allows on-system tracing and coverage computation. We use FieldFuzz to run fuzzing campaigns that uncover multiple vulnerabilities, leading to three reported CVE IDs. To study the cross-platform applicability of FieldFuzz, we reproduce the findings on a diverse set of Industrial Control System (ICS) devices, showing a significant improvement over the state of the art.
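The following is an added illustration of the two network-side ideas the abstract names, command discovery and status codes as fuzzing feedback, reduced to a self-contained loop. It is not FieldFuzz's code and it does not speak the Codesys protocol: `ToyRuntime`, its four-byte request header, its status codes and the planted unchecked index are all constructed here so the example runs offline; only the fuzzer logic (probe every opcode, mutate, keep inputs that produce a new (opcode, status) pair) is the generic technique.

```python
"""Status-code-guided blackbox fuzzing against a constructed toy runtime.

Everything about the target is invented for this demo (NOT the Codesys
protocol): request = opcode (1 byte) | flags (1 byte) | payload length
(2 bytes, big endian) | payload; the reply is a single status byte.
"""
import random
import struct

STATUS_OK, STATUS_BAD_OPCODE, STATUS_BAD_LEN, STATUS_AUTH_REQUIRED, STATUS_BAD_PARAM = range(5)
STATUS_CRASH = 0xFF  # synthetic status the harness assigns when the target dies

HEADER = struct.Struct(">BBH")
KNOWN_OPCODES = {0x10: "read_var", 0x11: "write_var", 0x20: "start_app", 0x21: "stop_app"}
FLAG_AUTHENTICATED = 0x80


class ToyRuntime:
    """Constructed stand-in for a proprietary runtime, with one planted bug."""

    def handle(self, req: bytes) -> int:
        if len(req) < HEADER.size:
            return STATUS_BAD_LEN
        opcode, flags, length = HEADER.unpack_from(req)
        payload = req[HEADER.size:]
        if opcode not in KNOWN_OPCODES:
            return STATUS_BAD_OPCODE
        if length != len(payload):
            return STATUS_BAD_LEN
        if opcode != 0x10 and not flags & FLAG_AUTHENTICATED:
            return STATUS_AUTH_REQUIRED
        if opcode == 0x10:
            if len(payload) < 2:
                return STATUS_BAD_PARAM
            index = struct.unpack_from(">H", payload)[0]
            variables = [0] * 16
            _ = variables[index]  # planted bug: no bounds check, index >= 16 raises (our "crash")
        return STATUS_OK


def build_request(opcode: int, flags: int, payload: bytes) -> bytes:
    return HEADER.pack(opcode, flags, len(payload)) + payload


def discover_commands(target, flags: int = 0) -> dict:
    """Probe every opcode with an empty payload; anything not answered BAD_OPCODE is a live command."""
    live = {}
    for opcode in range(256):
        status = target.handle(build_request(opcode, flags, b""))
        if status != STATUS_BAD_OPCODE:
            live[opcode] = status
    return live


def mutate(req: bytes, rng: random.Random) -> bytes:
    data = bytearray(req)
    op = rng.choice(("set", "append", "truncate", "fixlen"))
    if op == "set" and data:
        data[rng.randrange(len(data))] = rng.randrange(256)
    elif op == "append":
        data.append(rng.randrange(256))
    elif op == "truncate" and len(data) > 1:
        del data[rng.randrange(len(data)):]
    elif op == "fixlen" and len(data) >= HEADER.size:
        # keep the header self-consistent so mutants get past the length check
        struct.pack_into(">H", data, 2, len(data) - HEADER.size)
    return bytes(data)


def send(target, req: bytes) -> int:
    """Harness boundary: a real setup sends over the network and watches the device; here an exception is the crash."""
    try:
        return target.handle(req)
    except Exception:
        return STATUS_CRASH


def fuzz(target, seeds, iterations: int, rng_seed: int = 1) -> dict:
    """Blackbox loop: the only feedback is the (opcode, status) pair each request produces."""
    rng = random.Random(rng_seed)
    corpus = list(seeds)
    observed = set()  # (opcode, status) pairs seen so far: the stand-in for coverage
    crashes = []
    for req in corpus:
        observed.add((req[0], send(target, req)))
    for _ in range(iterations):
        child = mutate(rng.choice(corpus), rng)
        status = send(target, child)
        if status == STATUS_CRASH:
            crashes.append(child)
            continue
        key = (child[0] if child else None, status)
        if key not in observed:  # new behaviour: keep this input for further mutation
            observed.add(key)
            corpus.append(child)
    return {"corpus": corpus, "observed": observed, "crashes": crashes}


if __name__ == "__main__":
    rt = ToyRuntime()
    print("live commands:", {hex(k): v for k, v in discover_commands(rt).items()})
    result = fuzz(rt, [build_request(0x10, 0, b"\x00\x00")], iterations=500)
    print("distinct (opcode, status) pairs:", len(result["observed"]), "crashes:", len(result["crashes"]))
```

The point of the example is the feedback channel: without a tracer on the device, the (opcode, status) pair is the only signal the fuzzer gets, so the corpus grows on status-code novelty alone, which is why the abstract pairs the network side with on-system tracing and coverage computation to do better. On a real device `send` would be a socket and `STATUS_CRASH` would come from a watchdog or the monitoring setup, not from a Python exception.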

History

Preferred Citation

Andrei Bytes, Prashant Rajput, Constantine Doumanidis, Nils Tippenhauer, Michail Maniatakos and Jianying Zhou. FieldFuzz: In Situ Blackbox Fuzzing of Proprietary Industrial Automation Runtimes via the Network. In: The International Symposium on Research in Attacks, Intrusions and Defenses (RAID). 2023.

Primary Research Area

  • Secure Connected and Mobile Systems

Name of Conference

The International Symposium on Research in Attacks, Intrusions and Defenses (RAID)

Legacy Posted Date

2023-07-17

Open Access Type

  • Unknown

BibTeX

@inproceedings{cispa_all_3986, title = "FieldFuzz: In Situ Blackbox Fuzzing of Proprietary Industrial Automation Runtimes via the Network", author = "Bytes, Andrei and Rajput, Prashant Hari Narayan and Doumanidis, Constantine and Tippenhauer, Nils Ole and Maniatakos, Michail and Zhou, Jianying", booktitle="{The International Symposium on Research in Attacks, Intrusions and Defenses (RAID)}", year="2023", }
