Polar: Function Code Aware Fuzz Testing of ICS Protocol

Published: 08 October 2019

Abstract

Industrial Control System (ICS) protocols are widely used to build communications among system components. Compared with common internet protocols, ICS protocols exert more control over remote devices by carrying a specific field called “function code”, which specifies what the receiving end should do. Their correctness is therefore of vital importance. However, traditional vulnerability detection techniques such as fuzz testing are challenged by the increasing complexity of these diverse ICS protocols.

In this paper, we present a function code aware fuzzing framework — Polar, which automatically extracts semantic information from the ICS protocol and utilizes this information to accelerate security vulnerability detection. Based on static analysis and dynamic taint analysis, Polar initializes the values of the function code field and identifies some vulnerable operations. Then, novel semantic-aware mutation and selection strategies are designed to optimize the fuzzing procedure. For evaluation, we implement Polar on top of two popular fuzzers — AFL and AFLFast, and conduct experiments on several widely used ICS protocols such as Modbus, IEC104, and IEC 61850. Results show that, compared with AFL and AFLFast, Polar achieves the same code coverage and bug detection numbers 1.5X-12X faster. It also finds 0%--91% more paths within 24 hours. Furthermore, Polar has exposed 10 previously unknown vulnerabilities in those protocols, 6 of which have been assigned unique CVE identifiers in the US National Vulnerability Database.
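The following Python sketch is an added illustration of the idea the abstract describes and is not Polar's code or the paper's implementation. It treats the function code field of a Modbus/TCP frame as semantic information: one mutator flips bits blindly across the whole frame (the AFL-style baseline), the other knows where the function code sits, which values the parser dispatches on, and rebuilds the MBAP header so the length field stays consistent. The function code set is the public list from the Modbus specification (a real tool would recover it from the target's parser, as the abstract says Polar does by static and taint analysis), and the seed frame is a constructed Read Holding Registers request; the probabilities and the selection weighting are this example's own choices.

```python
"""Function-code-aware mutation and seed selection for Modbus/TCP frames.

Illustration written for this page, not Polar's implementation.
"""
import random
import struct
from collections import Counter

# Public function codes from the Modbus application protocol specification.
# Polar derives such a set from the target; here it is listed for the example.
PUBLIC_FUNCTION_CODES = frozenset(
    {1, 2, 3, 4, 5, 6, 7, 8, 11, 12, 15, 16, 17, 20, 21, 22, 23, 24, 43})

MBAP_LEN = 7  # transaction id (2) + protocol id (2) + length (2) + unit id (1)


def parse_frame(frame: bytes) -> dict:
    """Split a Modbus/TCP frame into MBAP header fields, function code and data."""
    if len(frame) < MBAP_LEN + 1:
        raise ValueError("frame too short for an MBAP header and a function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:MBAP_LEN])
    return {
        "transaction_id": tid,
        "protocol_id": pid,
        "length": length,  # number of bytes following the length field
        "unit_id": uid,
        "function_code": frame[MBAP_LEN],
        "data": frame[MBAP_LEN + 1:],
    }


def build_frame(tid: int, uid: int, function_code: int, data: bytes) -> bytes:
    """Assemble a frame whose length field matches its unit id + PDU."""
    pdu = bytes([function_code]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, uid) + pdu


def mutate_blind(seed: bytes, rng: random.Random) -> bytes:
    """Baseline: flip one bit anywhere in the frame, header included."""
    out = bytearray(seed)
    i = rng.randrange(len(out))
    out[i] ^= 1 << rng.randrange(8)
    return bytes(out)


def mutate_function_code_aware(seed: bytes, rng: random.Random) -> bytes:
    """Mutate knowing where the function code is and which values are meaningful."""
    f = parse_frame(seed)
    roll = rng.random()
    if roll < 0.4:
        # Jump to another code the parser dispatches on, keeping the data,
        # so a different handler sees the same operands.
        fc = rng.choice(sorted(PUBLIC_FUNCTION_CODES - {f["function_code"]}))
        data = f["data"]
    elif roll < 0.9:
        # Keep the function code so the same handler is exercised with
        # perturbed operands (addresses, quantities, byte counts).
        fc = f["function_code"]
        data = bytearray(f["data"])
        if data:
            i = rng.randrange(len(data))
            data[i] ^= 1 << rng.randrange(8)
        data = bytes(data)
    else:
        # Occasionally an undefined code, to reach the exception path.
        fc = rng.choice([c for c in range(256) if c not in PUBLIC_FUNCTION_CODES])
        data = f["data"]
    # Rebuilding the header keeps the length field consistent, so the test
    # case is not rejected before it reaches the function code switch.
    return build_frame(f["transaction_id"], f["unit_id"], fc, data)


def function_code_coverage(corpus) -> set:
    """Distinct function codes present in a corpus of frames."""
    return {parse_frame(s)["function_code"] for s in corpus}


def select_seeds(corpus, rng: random.Random, k: int) -> list:
    """Pick k seeds, favouring those whose function code is rare in the corpus."""
    codes = [parse_frame(s)["function_code"] for s in corpus]
    counts = Counter(codes)
    weights = [1.0 / counts[c] for c in codes]
    return rng.choices(corpus, weights=weights, k=k)


def run_demo(iterations: int = 200) -> dict:
    """Compare both mutators on header consistency and function codes reached."""
    rng = random.Random(1)
    # Constructed seed: Read Holding Registers (0x03), address 0, quantity 10.
    seed = build_frame(1, 17, 3, b"\x00\x00\x00\x0a")

    def consistent(frame):
        try:
            return parse_frame(frame)["length"] == len(frame) - 6
        except ValueError:
            return False

    blind = [mutate_blind(seed, rng) for _ in range(iterations)]
    aware = [mutate_function_code_aware(seed, rng) for _ in range(iterations)]
    return {
        "blind_consistent": sum(map(consistent, blind)),
        "aware_consistent": sum(map(consistent, aware)),
        "blind_codes": len(function_code_coverage(blind)),
        "aware_codes": len(function_code_coverage(aware)),
    }


if __name__ == "__main__":
    print(run_demo())
```

Running the demo shows the two effects the abstract attributes to semantic awareness: every frame from the aware mutator survives header validation, while a share of the blind mutations corrupt the length field and die before the dispatch on the function code; and the aware mutator reaches far more distinct function codes from one seed, which is what lets a fuzzer explore each handler rather than spending its budget on the same branch.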

