Abstract
As industrial robots become an integral part of Industry 4.0 in the manufacturing sector, their interconnection and interoperability introduce significant security challenges. RESTful Web services have emerged as the preferred method for network communication due to their simplicity and ease of use. However, the effective detection of security flaws in RESTful services for industrial robots still faces three key challenges: high-quality test case generation, high-throughput testing, and anomaly detection. Unlike traditional applications deployed within cloud services, limited computational resources, unique controller states, and unclear API specifications in robots further complicate the resolution of these challenges. Consequently, a large number of security flaws persist in real and deployed devices, with some flaws even posing the risk of physical damage.
To address these challenges, we propose a novel testing technique named RobRest specifically designed for emerging RESTful services in the context of robotic systems. In test case generation, RobRest analyzes description fields extracted from the OpenAPI specification, ensuring the generation of high-quality test cases. During abnormality observation, RobRest combines both cyber and physical space states to identify anomalies in the target service. Additionally, RobRest automatically customizes each testing request to the service, minimizing resource usage within the robot controller and bypassing the quantity restrictions present in the controller. Applying RobRest to industrial robots, we identified a total of 19 system flaws (4 vulnerabilities and 15 bugs), and 2 of them have been assigned CVE IDs. Exploiting them can affect a multitude of industrial robots in the physical world.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
ABB: Abb robotstudio (2023). https://new.abb.com/products/robotics/zh/robotstudio
AG, K.: Kuka (2024). https://www.kuka.com
APIFuzzer: Apifuzzer (2022). https://github.com/KissPeter/APIFuzzer
Arcuri, A.: Restful api automated test case generation with evomaster. ACM Trans. Softw. Eng. Methodol. (TOSEM) 28(1), 1–37 (2019). http://dx.doi.org/10.1145/3293455
Atlidakis, V., Godefroid, P., Polishchuk, M.: Restler: stateful rest api fuzzing. In: 2019 IEEE/ACM 41st International Conference on Software Engineering (ICSE), pp. 748–758 (2019). http://dx.doi.org/10.1109/icse.2019.00083
Bennett, J.: Autoit scripting language (2024). https://www.autoitscript.com/site/autoit/
Center, A.D.: Robot web service. https://developercenter.robotstudio.com/api/RWS (2020)
Commission, I.E.: Iec 61508–1:2010, functional safety of electrical/electronic/programmable electronic safety-related systems. Tech. rep, IEC (2010)
Corradini, D., Zampieri, A., Pasqua, M., Viglianisi, E., Dallago, M., Ceccato, M.: Automated black-box testing of nominal and error scenarios in restful apis. Softw. Testing Verification Reliability 32(5), e1808 (2022). http://dx.doi.org/10.1002/stvr.1808
Dailymail: “tesla robot attacks an engineer at company’s texas factory during violent malfunction” (2023). https://www.dailymail.co.uk/sciencetech/article-12869629
Deng, G., et al.: Nautilus: automated restful api vulnerability detection. In: 32nd USENIX Security Symposium (USENIX Security 23), pp. 5593–5609 (2023). https://dlnext.acm.org/doi/10.5555/3620237.3620550
Du, W., et al.: Vulnerability-oriented testing for restful apis. In: 33rd USENIX Security Symposium (USENIX Security 24), pp. 739–755 (2024)
Ed-Douibi, H., Izquierdo, J.L.C., Cabot, J.: Automatic generation of test cases for rest apis: A specification-based approach. In: 2018 IEEE 22nd international enterprise distributed object computing conference (EDOC). pp. 181–190. IEEE (2018), http://dx.doi.org/10.1109/edoc.2018.00031
Fielding, R.T., Taylor, R.N.: Architectural Styles and the Design of Network-based Software Architectures. Ph.D. thesis, University of California, Irvine (2000)
Gamez-Diaz, A., Fernandez, P., Ruiz-Cortes, A.: An analysis of restful apis offerings in the industry. In: International Conference on Service-Oriented Computing, pp. 589–604. Springer (2017). https://doi.org/10.1007/978-3-319-69035-3_43
Godefroid, P., Huang, B.Y., Polishchuk, M.: Intelligent rest api data fuzzing. In: Proceedings of the 28th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering, pp. 725–736 (2020). http://dx.doi.org/10.1145/3368089.3409719
Gosewehr, F., Wermann, J., Borsych, W., Colombo, A.W.: Specification and design of an industrial manufacturing middleware. In: 2017 IEEE 15th International Conference on Industrial Informatics (INDIN), pp. 1160–1166. IEEE (2017). http://dx.doi.org/10.1109/indin.2017.8104937
Group, A.: Abb (2024). https://global.abb/group/en
Hägele, M., Nilsson, K., Pires, J.N., Bischoff, R.: Industrial robotics. Springer handbook of robotics, pp. 1385–1422 (2016). https://doi.org/10.1007/978-3-319-32552-1_54
Hatfield-Dodds, Z., Dygalo, D.: Deriving semantics-aware fuzzers from web api schemas. In: Proceedings of the ACM/IEEE 44th International Conference on Software Engineering: Companion Proceedings, pp. 345–346 (2022), http://dx.doi.org/10.1109/icse-companion55297.2022.9793781
Heyer, C.: Human-robot interaction and future industrial robotics applications. In: 2010 IEEE/RSJ International Conference on Intelligent Robots and Systems, pp. 4749–4754. IEEE (2010). http://dx.doi.org/10.1109/iros.2010.5651294
Hils, M.: An interactive https proxy (2024). https://mitmproxy.org
Hodován, R., Kiss, Á., Gyimóthy, T.: Grammarinator: a grammar-based open source fuzzer. In: Proceedings of the 9th ACM SIGSOFT International Workshop on Automating TEST Case Design, Selection, and Evaluation, pp. 45–48 (2018). http://dx.doi.org/10.1145/3278186.3278193
ISO: Robots and robotic devices - Safety requirements for industrial robots - Part 2: Robot systems and integration. Standard ISO 10218-2:2011(E) (2011)
ISO: Robotics - Vocabulary. Standard ISO 8373:2021(E) (2021)
Li, C., Park, J., Kim, H., Chrysostomou, D.: How can i help you? an intelligent virtual assistant for industrial robots. In: Companion of the 2021 ACM/IEEE International Conference on Human-Robot Interaction, pp. 220–224. ACM (2021). http://dx.doi.org/10.1145/3434074.3447163
Liu, Y., et al.: Morest: model-based restful api testing with execution feedback. In: 2022 IEEE/ACM 44th International Conference on Software Engineering (ICSE), pp. 1406–1417 (2022). http://dx.doi.org/10.1145/3510003.3510133
OpenAI: Gpt-4 (2024). https://openai.com/gpt-4
OpenAPI: Openapi initiative (2024). https://www.openapis.org
OpenAPI: Swagger (2024). https://swagger.io
OWASP: The owasp zed attack proxy (zap) (2024). https://www.zaproxy.org
Pogliani, M., Maggi, F., Balduzzi, M., Quarta, D., Zanero, S.: Detecting insecure code patterns in industrial robot programs. In: Proceedings of the 15th ACM Asia Conference on Computer and Communications Security (2020). http://dx.doi.org/10.1145/3320269.3384735
Pogliani, M., Quarta, D., Polino, M., Vittone, M., Maggi, F., Zanero, S.: Security of controlled manufacturing systems in the connected factory: the case of industrial robots. J. Comput. Virology Hacking Tech. 15, 161 – 175 (2019). http://dx.doi.org/10.1007/s11416-019-00329-8
Quarta, D., Pogliani, M., Polino, M., Maggi, F., Zanchettin, A.M., Zanero, S.: An experimental security analysis of an industrial robot controller. In: 2017 IEEE Symposium on Security and Privacy (SP), pp. 268–286 (2017). http://dx.doi.org/10.1109/sp.2017.20
of Robotics, I.F.: World robotics 2023 report (2023). https://ifr.org/ifr-press-releases/news/world-robotics-2023-report-asia-ahead-of-europe-and-the-americas
Sandiland, D.: Stop spending millions on robot downtime now (2022). https://www.robotics247.com/article/stop_spending_millions_on_robot_downtime_now/supply_chain
Souza, R., Pinho, F., Olivi, L., Cardozo, E.: A restful platform for networked robotics. In: 2013 10th International Conference on Ubiquitous Robots and Ambient Intelligence (URAI), pp. 423–428. IEEE (2013). http://dx.doi.org/10.1109/urai.2013.6677301
Acknowledgements
We thank the anonymous reviewers for their insightful comments on our work, and we also thank Roger Dahlgren and the cybersecurity team at ABB for their assistance. This work was supported by the National Natural Science Foundation of China under Grant No. 62472302, and Beijing Natural Science Foundation under Grant No. L234033.
Author information
Authors and Affiliations
Corresponding authors
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2025 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Wang, Y. et al. (2025). Automated Flaw Detection for Industrial Robot RESTful Service. In: Shankaranarayanan, K., Sankaranarayanan, S., Trivedi, A. (eds) Verification, Model Checking, and Abstract Interpretation. VMCAI 2025. Lecture Notes in Computer Science, vol 15530. Springer, Cham. https://doi.org/10.1007/978-3-031-82703-7_8
Download citation
DOI: https://doi.org/10.1007/978-3-031-82703-7_8
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-82702-0
Online ISBN: 978-3-031-82703-7
eBook Packages: Computer ScienceComputer Science (R0)