Feng, K., Cook, M. M. and Marnerides, A. K. (2023) Sizzler: Sequential fuzzing in Ladder diagrams for vulnerability detection and discovery in Programmable Logic Controllers. IEEE Transactions on Information Forensics and Security, (doi: 10.1109/TIFS.2023.3340615) (Early Online Publication)
Full text not currently available from Enlighten.
Abstract
Programmable Logic Controllers (PLCs) constitute the basis of Industrial Control Systems (ICSs) underpinning sectors ranging from nuclear, up to energy and manufacturing. Currently, PLC vulnerability assessment practices employed by ICS operators are limited due to their reliance on empirical observations of visible code crashes prompted by PLC compilers. In parallel, the prevalent PLC firmware dependency on proprietary vendor routines restricts the composition of generic vulnerability detection or discovery schemes for zero-day threat vectors. In this work, we propose Sizzler: a novel vendor-independent vulnerability discovery framework specific to PLC applications operating with logic realised through ladder diagrams. Sizzler extends the current state of the art by proposing the optimal synergy of a mutation-based fuzzing strategy using Sequential Generative Adversarial Network (SeqGAN). By virtue of critical vendor restrictions on emulating PLC firmware, we also refine the Quick Emulator (QEMU)'s General Purpose I/O (GPIO) and the Inter-Integrated Circuit (I2C) protocols to evaluate and compare Sizzler across 30 PLC ladder diagram programs compiled from LDmicro and OpenPLC projects over five widely used Micro-Controller Units (MCUs). It is noteworthy that Sizzler has successfully identified vulnerabilities in ladder diagrams within a relatively short time frame based on our proprietary dataset and secured a CVE-ID. Moreover, through a comparison of Sizzler with prevalent fuzzing techniques over the commonly used Magma and LAVA-M datasets we exhibit its wider applicability on embedded systems and identify its limitations.
| Field | Value |
|---|---|
| Item Type | Articles |
| Additional Information | Funding agency: 10.13039/100018703-HORIZON EUROPE European Innovation Council (Grant Number: 101120221). |
| Status | Early Online Publication |
| Refereed | Yes |
| Glasgow Author(s) Enlighten ID | Cook, Mr Marco and Marnerides, Dr Angelos and Feng, Kai |
| Authors | Feng, K., Cook, M. M., and Marnerides, A. K. |
| College/School | College of Science and Engineering > School of Computing Science |
| Journal Name | IEEE Transactions on Information Forensics and Security |
| Publisher | Institute of Electrical and Electronics Engineers |
| ISSN | 1556-6013 |
| ISSN (Online) | 1556-6021 |
| Published Online | 07 December 2023 |