ICPFuzzer: proprietary communication protocol fuzzing by using machine learning and feedback strategies

Fuzz testing can discover a wide range of vulnerabilities and has a good chance of hitting zero-day bugs. Industrial control systems (ICS) currently face serious security threats and are subject to security standards, such as IEC 62443, that are meant to ensure the quality of the devices. However, many proprietary industrial communication protocols are customized and have complicated structures, so a fuzzing system cannot quickly generate test data adapted to each protocol, and it struggles to decide which fields to mutate without prior knowledge of the protocol. We therefore propose a fuzzing system named ICPFuzzer that uses an LSTM (long short-term memory) network to learn the features of a protocol and generate mutated test data automatically. We also use the responses observed during testing to adjust the weights of the mutation strategies, so that further testing of the device under test (DUT) finds more inputs that cause an unusual connection status. We verified the effectiveness of the approach by comparing it with open-source and commercial fuzzers. Furthermore, in a real case, we tested the DLMS/COSEM implementation of a smart meter and found test data that cause an unusual response. In summary, ICPFuzzer is a black-box fuzzing system that automatically executes the testing process and reveals vulnerabilities that interrupt or crash industrial control communication, improving not only the quality of ICS devices but also their safety.
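The following example is added here to illustrate the response-driven weighting loop the abstract describes; it is not ICPFuzzer's own code. The protocol, its frames, the simulated device under test and its length-handling bug are all constructed for the example, an order-1 byte Markov model stands in for the LSTM generator so that the block runs without any ML dependency, and the additive reward / multiplicative decay rule for strategy weights is an assumption (the page does not give ICPFuzzer's actual weighting formula).

```python
import random
from collections import Counter, defaultdict


def checksum(data: bytes) -> int:
    """Toy 8-bit additive checksum of the constructed protocol."""
    return sum(data) & 0xFF


def build_frame(ftype: int, seq: int, payload: bytes) -> bytes:
    """Constructed frame layout: [len][type][seq][payload...][checksum over body]."""
    body = bytes([ftype, seq]) + payload
    return bytes([len(body)]) + body + bytes([checksum(body)])


# Constructed "captured traffic": what a black-box fuzzer learns from without a spec.
TRAINING_FRAMES = [build_frame(0x01, i, b"RD" + bytes([i % 4])) for i in range(8)] + \
                  [build_frame(0x02, i, b"WR" + bytes([i % 4, 0x10 + i])) for i in range(8)]


class ByteMarkovModel:
    """Order-1 byte model, a stand-in for the LSTM generator (assumption, not the paper's model)."""

    def __init__(self):
        self.start = defaultdict(int)                       # first-byte counts
        self.next = defaultdict(lambda: defaultdict(int))   # next-byte counts per byte

    def fit(self, frames):
        for f in frames:
            self.start[f[0]] += 1
            for a, b in zip(f, f[1:]):
                self.next[a][b] += 1

    def generate(self, length: int, rng: random.Random) -> bytes:
        out = [rng.choices(list(self.start), list(self.start.values()))[0]]
        while len(out) < length:
            nxt = self.next.get(out[-1])
            if not nxt:                                     # no learned successor: stop early
                break
            out.append(rng.choices(list(nxt), list(nxt.values()))[0])
        return bytes(out)


def mutate(strategy: str, frame: bytes, model: ByteMarkovModel, rng: random.Random) -> bytes:
    """Apply one mutation strategy to a seed frame; no checksum repair (black-box view)."""
    f = bytearray(frame)
    if strategy == "bitflip":
        i = rng.randrange(len(f)); f[i] ^= 1 << rng.randrange(8)
    elif strategy == "byte_random":
        i = rng.randrange(len(f)); f[i] = rng.randrange(256)
    elif strategy == "length_overflow":
        f[0] = rng.randrange(len(f) - 1, 256)               # declared length beyond the frame
    elif strategy == "truncate":
        del f[-rng.randrange(1, len(f) - 1):]               # drop trailing bytes, keep length byte
    elif strategy == "model_generate":
        return model.generate(len(frame), rng)              # whole frame from the learned model
    return bytes(f)


def simulated_dut(frame: bytes) -> str:
    """Constructed stand-in for the device under test, with a deliberate length bug."""
    if len(frame) < 4:
        return "rejected"
    declared = frame[0]
    if declared > len(frame) - 2:
        return "no_response"       # BUG: trusts the length field and reads past the frame
    body = frame[1:1 + declared]
    if not body or checksum(body) != frame[1 + declared]:
        return "rejected"
    if body[0] not in (0x01, 0x02):
        return "error"
    return "ok"


def fuzz(iterations: int = 300, seed: int = 1) -> dict:
    """Weighted strategy selection with feedback from the DUT's response class."""
    rng = random.Random(seed)
    model = ByteMarkovModel()
    model.fit(TRAINING_FRAMES)
    weights = {s: 1.0 for s in ("bitflip", "byte_random", "length_overflow",
                                "truncate", "model_generate")}
    unusual, responses = {}, Counter()
    for _ in range(iterations):
        strategy = rng.choices(list(weights), list(weights.values()))[0]
        case = mutate(strategy, rng.choice(TRAINING_FRAMES), model, rng)
        status = simulated_dut(case)
        responses[status] += 1
        if status == "no_response":                         # unusual connection status: reward
            unusual.setdefault(case, strategy)
            weights[strategy] += 1.0
        else:                                               # normal/rejected: decay toward a floor
            weights[strategy] = max(0.2, weights[strategy] * 0.97)
    return {"weights": weights, "unusual": unusual, "responses": responses}


if __name__ == "__main__":
    result = fuzz()
    print(result["responses"])
    print({s: round(w, 1) for s, w in result["weights"].items()})
    print(len(result["unusual"]), "distinct inputs caused no response")
```

Running it shows the two strategies that defeat the length check accumulating most of the weight after a few dozen iterations, which is the feedback effect the abstract relies on: the fuzzer does not know which field is the length, but the DUT's silence tells it which mutations are worth repeating. A real harness would replace `simulated_dut` with a socket to the device, classify timeouts and resets as the unusual class, and keep the distinct triggering inputs for triage.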