Abstract
Industrial Control Systems (ICS) are the core of critical infrastructure, so their vulnerabilities threaten physical-world security. Mutation-based black-box fuzzing is a popular method for vulnerability discovery in ICS, and the diversity of seeds is crucial to its performance. However, ICS devices are dedicated devices whose programs are hard to obtain, whose protocols are unknown, and whose execution traces are hard to capture in real time. These restrictions impede seed selection and thereby reduce fuzzing efficiency. Our primary goal is therefore to select a high-quality seed set that contains as few seeds as possible while still triggering extensive execution traces.
In this paper, we present DSS, a novel automatic seed selection method that selects high-quality seeds to improve fuzzing efficiency. The method is based on the observation that, in most cases, dissimilar response messages are generated by different device execution processes, which lets us connect discrepancy between messages with discrepancy between execution traces to guide DSS. Specifically, we point out that dissimilar messages are effective indicators of different execution paths. Therefore, choosing ICS messages with high discrepancy as seeds yields more initial execution traces and fewer seeds with the same semantics, both of which are essential to black-box fuzzing. Our experiments show that the number of seeds selected by DSS is significantly smaller than with the traditional method when achieving the same trace coverage.
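As an added illustration of the abstract's idea (not the authors' DSS implementation, whose exact metric and selection rule this page does not give), the following Python keeps a request as a seed only when the device's response is sufficiently far, by normalized edit distance, from the responses of seeds already kept; the Modbus-like byte values, the 0.3 threshold and the greedy rule are assumptions.

```python
from typing import List, Tuple

Pair = Tuple[bytes, bytes]  # (request sent to the device, response observed)

def levenshtein(a: bytes, b: bytes) -> int:
    """Plain dynamic-programming edit distance over raw bytes (no protocol parsing)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute or match
        prev = cur
    return prev[-1]

def normalized_distance(a: bytes, b: bytes) -> float:
    """Edit distance scaled to [0, 1] so short and long replies are comparable."""
    n = max(len(a), len(b))
    return levenshtein(a, b) / n if n else 0.0

def select_seeds(traffic: List[Pair], threshold: float = 0.3) -> List[bytes]:
    """Greedy discrepancy-aware selection (an assumed rule, not the paper's):
    a request is kept as a seed only if its response differs from every
    already-kept seed's response by at least `threshold`.  Near-identical
    replies are taken as evidence of the same execution path, so their
    requests add nothing to the seed set."""
    kept: List[Pair] = []
    for req, resp in traffic:
        if all(normalized_distance(resp, k_resp) >= threshold for _, k_resp in kept):
            kept.append((req, resp))
    return [req for req, _ in kept]

# Constructed, Modbus-like request/response pairs (unit id, function code, payload).
# The byte values are made up for illustration; they are not captured traffic.
SAMPLE_TRAFFIC: List[Pair] = [
    (bytes.fromhex("010300000002"), bytes.fromhex("01030400100020")),  # read 2 registers
    (bytes.fromhex("010300020002"), bytes.fromhex("01030400110021")),  # same path, nearby address
    (bytes.fromhex("011000000001"), bytes.fromhex("019001")),          # unsupported function, exception reply
    (bytes.fromhex("010600010005"), bytes.fromhex("010600010005")),    # write single register, echo reply
    (bytes.fromhex("010300000001"), bytes.fromhex("0103020010")),      # read 1 register, shorter reply
]

if __name__ == "__main__":
    seeds = select_seeds(SAMPLE_TRAFFIC)
    print(f"{len(SAMPLE_TRAFFIC)} captured requests -> {len(seeds)} seeds")
    for s in seeds:
        print(s.hex())
```

On the constructed trace the second read request is dropped because its reply differs from the first by only two bytes (2/7 below the threshold), while the exception, echo and shorter-read replies each keep their request as a seed.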
Acknowledgement
This paper is supported by the science and technology project of State Grid Corporation of China: “Research on 5G Electric Power security protection system and key technology verification” (Grant No. 5700-202058379A-0-0-00).
© 2021 Springer Nature Switzerland AG
About this paper
Cite this paper
Bai, S., Wen, H., Fang, D., Sun, Y., Liu, P., Sun, L. (2021). DSS: Discrepancy-Aware Seed Selection Method for ICS Protocol Fuzzing. In: Sako, K., Tippenhauer, N.O. (eds) Applied Cryptography and Network Security. ACNS 2021. Lecture Notes in Computer Science(), vol 12727. Springer, Cham. https://doi.org/10.1007/978-3-030-78375-4_2
DOI: https://doi.org/10.1007/978-3-030-78375-4_2
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-78374-7
Online ISBN: 978-3-030-78375-4