IPSpex: Enabling Efficient Fuzzing via Specification Extraction on ICS Protocol

Sun, Yung Nien; Lv, Shasha; You, Jianzhou; Sun, Yan; Chen, Xin; Zheng, Yaowen; Sun, Limin

doi:10.1007/978-3-031-09234-3_18

Cited by 6 publications

(3 citation statements)

References 23 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…(6) Count and store the final byte-relational array, R. Initialize the byte-relational array, R. If element J i in array J is greater than threshold 1, then the ith and i + 1th bytes do not belong to the same field, let r i = 1; otherwise, the ith and i + 1th bytes belong to the same field, let r i = 0. Add r i to array R. (7) Output the byte relation to array R. Initialize the array:…”

Section: Implementation Of Proprietary Protocol Structure Analysis Al...mentioning

confidence: 99%

“…(6) After decoding individual gene sequences, the byte mutation algorithm is used to mutate the decoded packet. (7) The generated test case is sent to the device through the Peach fuzzer. (8) The agent monitoring module of the Peach fuzzer is used to regularly monitor whether the device is abnormal.…”

Section: Implementation Of Fuzzing Test Case Generation Algorithm For...mentioning

confidence: 99%

“…Protocol fuzzing sends constructed malformed packets to the industrial equipment and monitors industrial equipment abnormality, so as to excavate the security vulnerabilities of the industrial equipment [5,6]. For public protocols with known structures, researchers perform fuzzing test on one or more public protocols by secondary development on the basis of existing tools [7,8]. Considering that the existing research on fuzzing relates to public industrial protocols, and the existing techniques are powerless against those proprietary protocols whose structures have not been disclosed, security researchers began to concern themselves with how to fuzz proprietary protocols with undisclosed structures [4,9].…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Fuzzing Technology Based on Information Theory for Industrial Proprietary Protocol

Che

Geng²,

Zhang

et al. 2023

Electronics

View full text Add to dashboard Cite

With the rapid development of the Industrial Internet of Things (IIoT), programmable logic controllers (PLCs) are becoming increasingly intelligent, leading to improved productivity. However, this also brings about a growing number of security vulnerabilities. As a result, efficiently identifying potential security vulnerabilities in PLCs has become a crucial research topic for security researchers. This article proposes a method for fuzzing industrial proprietary protocols to effectively identify security vulnerabilities in PLCs’ proprietary protocols. The aim of this study is to develop a protocol fuzzing approach that can uncover security vulnerabilities in PLCs’ proprietary protocols. To achieve this, the article presents a protocol structure parsing algorithm specifically designed for PLC proprietary protocols, utilizing information theory. Additionally, a fuzzing case generation algorithm based on genetic algorithms is introduced to select test cases that adhere to the format specifications of the proprietary protocol while exhibiting a high degree of mutation. The research methodology consists of several steps. Firstly, the proposed protocol structure parsing algorithm is used to analyze two known industrial protocols, namely Modbus TCP and S7Comm. The parsing results obtained from the algorithm are then compared with the correct results to validate its effectiveness. Next, the protocol structure parsing algorithm is applied to analyze the proprietary protocol formats of two PLC models. Finally, based on the analysis results, the PLCs are subjected to fuzzing. Overall, the proposed protocol fuzzing approach, incorporating the protocol structure parsing algorithm and the fuzzing case generation algorithm, successfully identifies two denial-of-service vulnerabilities in the PLCs’ proprietary protocols. Notably, one of these vulnerabilities is a zero-day vulnerability, indicating that it was previously unknown and undisclosed.

show abstract

Section: Implementation Of Proprietary Protocol Structure Analysis Al...mentioning

confidence: 99%