Abstract
Industrial Control System (ICS) protocols are widely used to build communications among system components. Compared with common internet protocols, ICS protocols exercise more control over remote devices by carrying a specific field called "function code", which specifies what the receiving end should do. It is therefore of vital importance to ensure their correctness. However, traditional vulnerability detection techniques such as fuzz testing are challenged by the increasing complexity of these diverse ICS protocols.
In this paper, we present a function code aware fuzzing framework, Polar, which automatically extracts semantic information from the ICS protocol and uses this information to accelerate security vulnerability detection. Based on static analysis and dynamic taint analysis, Polar initializes the values of the function code field and identifies some vulnerable operations. Then, novel semantic aware mutation and selection strategies are designed to optimize the fuzzing procedure. For evaluation, we implement Polar on top of two popular fuzzers, AFL and AFLFast, and conduct experiments on several widely used ICS protocols such as Modbus, IEC104, and IEC 61850. Results show that, compared with AFL and AFLFast, Polar reaches the same code coverage and bug detection numbers 1.5X-12X faster. It also finds 0%--91% more paths within 24 hours. Furthermore, Polar has exposed 10 previously unknown vulnerabilities in those protocols, 6 of which have been assigned unique CVE identifiers in the US National Vulnerability Database.
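The abstract's central claim is that a mutator and a seed scheduler which understand the function code field waste far fewer executions than blind byte flipping. The following Python is an added illustration of that idea, not Polar's code and not taken from libmodbus or any other project on this page. It assumes a constructed toy Modbus/TCP receiver (`parse_frame`) that rejects frames early when the MBAP header or the function code is invalid, a minimal subset of the public Modbus function codes as the seed set, and a simple "least-exercised function code first" selection rule; all three are assumptions made for the example.

```python
"""Added illustration (not Polar's code): why knowing the function code field
matters when fuzzing an ICS protocol parser.  A blind byte-overwriting mutator
is compared with one that keeps the function code within the protocol's known
set and only mutates the remaining PDU bytes.  The target is a constructed toy
Modbus/TCP receiver, not a real protocol library."""
import random
import struct

# Public Modbus function codes (assumption: this subset is enough for the
# illustration; a real harness would enumerate the full table).
MODBUS_FUNCTION_CODES = (0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x0F, 0x10)
FC_OFFSET = 7  # MBAP header is 7 bytes; the PDU (function code first) follows


def build_frame(unit_id, function_code, payload, transaction_id=1):
    """Build a Modbus/TCP ADU: 7-byte MBAP header followed by the PDU."""
    pdu = bytes([function_code]) + payload
    # MBAP: transaction id, protocol id (0 = Modbus), length (unit id + PDU), unit id
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_frame(frame):
    """Constructed toy receiver.  Returns the function code when the frame passes
    the header and function-code checks, or None when it is rejected early,
    which is what a real parser does with an unknown function code."""
    if len(frame) < FC_OFFSET + 1:
        return None
    _tid, proto, length, _unit = struct.unpack(">HHHB", frame[:FC_OFFSET])
    if proto != 0 or length != len(frame) - 6:
        return None
    fc = frame[FC_OFFSET]
    if fc not in MODBUS_FUNCTION_CODES:
        return None
    return fc


def blind_mutate(frame, rng):
    """AFL-style havoc step: overwrite one byte anywhere in the frame."""
    b = bytearray(frame)
    b[rng.randrange(len(b))] = rng.randrange(256)
    return bytes(b)


def function_code_aware_mutate(frame, rng):
    """Semantic-aware step: either switch to another *valid* function code or
    overwrite one byte of the PDU payload; the MBAP header is left intact."""
    b = bytearray(frame)
    if rng.random() < 0.2 or len(b) == FC_OFFSET + 1:
        b[FC_OFFSET] = rng.choice(MODBUS_FUNCTION_CODES)
    else:
        b[rng.randrange(FC_OFFSET + 1, len(b))] = rng.randrange(256)
    return bytes(b)


def acceptance_rate(mutator, seed_frame, n=1000, rng_seed=0):
    """Fraction of n mutants that get past the receiver's early checks, i.e.
    that reach the function-specific handling code where the deeper bugs live."""
    rng = random.Random(rng_seed)
    accepted = sum(
        1 for _ in range(n) if parse_frame(mutator(seed_frame, rng)) is not None
    )
    return accepted / n


def select_seed(corpus, exercised_counts, rng=None):
    """Semantic-aware selection (assumed rule): favour the seed whose function
    code has been exercised least so far, so every handler gets fuzzing time;
    ties are broken at random."""
    rng = rng or random.Random()

    def fc_count(frame):
        return exercised_counts.get(parse_frame(frame), 0)

    least = min(fc_count(f) for f in corpus)
    return rng.choice([f for f in corpus if fc_count(f) == least])


if __name__ == "__main__":
    # Constructed seed: Read Holding Registers (0x03), start address 0, quantity 10.
    seed = build_frame(1, 0x03, struct.pack(">HH", 0, 10))
    print("blind mutator acceptance:", acceptance_rate(blind_mutate, seed))
    print("aware mutator acceptance:", acceptance_rate(function_code_aware_mutate, seed))
    # Constructed second seed: Write Multiple Registers (0x10), one register.
    corpus = [seed, build_frame(1, 0x10, struct.pack(">HHB", 0, 1, 2) + b"\x00\x01")]
    chosen = select_seed(corpus, {0x03: 5, 0x10: 1}, random.Random(1))
    print("next seed function code: 0x%02x" % parse_frame(chosen))
```

On a 12-byte Read Holding Registers seed the blind mutator lands on the protocol id, length or function code bytes in five of twelve positions, and almost every such mutant is discarded before any handler runs, so only a little over half of its executions reach function-specific code; the field-aware mutator never breaks the header and every mutant is accepted. That gap in useful executions per second is the mechanism behind the speedup the abstract reports, and the selection rule shows the complementary idea of spreading fuzzing time across function codes rather than over raw byte variety.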
Polar: Function Code Aware Fuzz Testing of ICS Protocol