posted on 2023-11-29, 18:23authored byAndrei Bytes, Prashant Hari Narayan Rajput, Constantine Doumanidis, Nils Ole TippenhauerNils Ole Tippenhauer, Michail Maniatakos, Jianying Zhou
Networked Programmable Logic Controllers (PLCs) are proprietary industrial devices utilized in critical infrastructure that execute control logic applications in complex proprietary runtime environments that provide standardized access to the hardware resources in the PLC. These control applications are programmed in domain specific IEC 61131-3 languages, compiled into a proprietary binary format, and process data provided via industrial protocols. Control applications present an attack surface threatened by manipulated traffic. For example, remote code injection in a control application would directly allow to take over the PLC, threatening physical process damage and the safety of human operators. However, assessing the security of control applications is challenging due to domain-specific challenges and the limited availability of suitable methods. Network-based fuzzing is often the only way to test such devices but is inefficient without guidance from execution tracing.
This work presents the FieldFuzz framework that analyzes the
security risks posed by the Codesys runtime (used by over 400 devices from 80 industrial PLC vendors). FieldFuzz leverages efficient network-based fuzzing based on three main contributions: i) reverse-engineering enabled remote control of control applications and runtime components, ii) automated command discovery and status code extraction via network traffic and iii) a monitoring setup to allow on-system tracing and coverage computation. We use FieldFuzz to run fuzzing campaigns, which uncover multiple vulnerabilities, leading to three reported CVE IDs. To study the cross-platform applicability of FieldFuzz, we reproduce the findings on a diverse set of Industrial Control System (ICS) devices, showing a significant improvement over the state-of-the-art.
History
Preferred Citation
Andrei Bytes, Prashant Rajput, Constantine Doumanidis, Nils Tippenhauer, Michail Maniatakos and Jianying Zhou. FieldFuzz: In Situ Blackbox Fuzzing of Proprietary Industrial Automation Runtimes via the Network. In: The International Symposium on Research in Attacks, Intrusions and Defenses (RAID). 2023.
Primary Research Area
Secure Connected and Mobile Systems
Name of Conference
The International Symposium on Research in Attacks, Intrusions and Defenses (RAID)
Legacy Posted Date
2023-07-17
Open Access Type
Unknown
BibTeX
@inproceedings{cispa_all_3986,
title = "FieldFuzz: In Situ Blackbox Fuzzing of Proprietary Industrial Automation Runtimes via the Network",
author = "Bytes, Andrei and Rajput, Prashant Hari Narayan and Doumanidis, Constantine and Tippenhauer, Nils Ole and Maniatakos, Michail and Zhou, Jianying",
booktitle="{The International Symposium on Research in Attacks, Intrusions and Defenses (RAID)}",
year="2023",
}