Full Program »
ICS3Fuzzer: A Framework for Discovering Protocol Implementation Bugs in ICS Supervisory Software by Fuzzing
The supervisory software is widely used in industrial control systems
(ICSs) to manage field devices such as PLC controllers. Once compromised, it
could be misused to control or manipulate these physical devices maliciously,
endangering the manufacturing process or even human lives.
Therefore, extensive security testing of supervisory software is crucial for
the safe operation of ICS. However, fuzzing ICS supervisory software
is challenging due to the prevalent use of proprietary protocols. Without the
knowledge of the program states and packet formats, it is difficult to enter
the deep states for effective fuzzing.
In this work, we present a fuzzing framework to automatically discover
implementation bugs residing in the communication protocols between the
supervisory software and the field devices. To avoid heavy human efforts in
reverse-engineering the proprietary protocols, the proposed approach
constructs a state-book based on the readily available execution trace of the supervisory
software and the corresponding inputs. Then, we propose a state selection
algorithm to find the protocol states that are more likely to have bugs. Our
fuzzer distributes more budget on those interesting states.
To quickly reach the interesting states, the traditional snapshot-based method does not work since the communication protocols are time-sensitive.
We address this issue by synchronously managing external events (GUI operations and network traffic) during the fuzzing loop.
We have implemented a prototype and used it to fuzz
the supervisory software of four popular ICS platforms.
We have found 13 bugs and received 3 CVEs,
2 are classified as critical (CVSS3.x score CRITICAL 9.8) and affected 40 different products.