Skip to main content

Automated Flaw Detection for Industrial Robot RESTful Service

  • Conference paper
  • First Online:
Verification, Model Checking, and Abstract Interpretation (VMCAI 2025)

Abstract

As industrial robots become an integral part of Industry 4.0 in the manufacturing sector, their interconnection and interoperability introduce significant security challenges. RESTful Web services have emerged as the preferred method for network communication due to their simplicity and ease of use. However, the effective detection of security flaws in RESTful services for industrial robots still faces three key challenges: high-quality test case generation, high-throughput testing, and anomaly detection. Unlike traditional applications deployed within cloud services, limited computational resources, unique controller states, and unclear API specifications in robots further complicate the resolution of these challenges. Consequently, a large number of security flaws persist in real and deployed devices, with some flaws even posing the risk of physical damage.

To address these challenges, we propose a novel testing technique named RobRest specifically designed for emerging RESTful services in the context of robotic systems. In test case generation, RobRest analyzes description fields extracted from the OpenAPI specification, ensuring the generation of high-quality test cases. During abnormality observation, RobRest combines both cyber and physical space states to identify anomalies in the target service. Additionally, RobRest automatically customizes each testing request to the service, minimizing resource usage within the robot controller and bypassing the quantity restrictions present in the controller. Applying RobRest to industrial robots, we identified a total of 19 system flaws (4 vulnerabilities and 15 bugs), and 2 of them have been assigned CVE IDs. Exploiting them can affect a multitude of industrial robots in the physical world.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

  1. ABB: Abb robotstudio (2023). https://new.abb.com/products/robotics/zh/robotstudio

  2. AG, K.: Kuka (2024). https://www.kuka.com

  3. APIFuzzer: Apifuzzer (2022). https://github.com/KissPeter/APIFuzzer

  4. Arcuri, A.: Restful api automated test case generation with evomaster. ACM Trans. Softw. Eng. Methodol. (TOSEM) 28(1), 1–37 (2019). http://dx.doi.org/10.1145/3293455

  5. Atlidakis, V., Godefroid, P., Polishchuk, M.: Restler: stateful rest api fuzzing. In: 2019 IEEE/ACM 41st International Conference on Software Engineering (ICSE), pp. 748–758 (2019). http://dx.doi.org/10.1109/icse.2019.00083

  6. Bennett, J.: Autoit scripting language (2024). https://www.autoitscript.com/site/autoit/

  7. Center, A.D.: Robot web service. https://developercenter.robotstudio.com/api/RWS (2020)

  8. Commission, I.E.: Iec 61508–1:2010, functional safety of electrical/electronic/programmable electronic safety-related systems. Tech. rep, IEC (2010)

    Google Scholar 

  9. Corradini, D., Zampieri, A., Pasqua, M., Viglianisi, E., Dallago, M., Ceccato, M.: Automated black-box testing of nominal and error scenarios in restful apis. Softw. Testing Verification Reliability 32(5), e1808 (2022). http://dx.doi.org/10.1002/stvr.1808

  10. Dailymail: “tesla robot attacks an engineer at company’s texas factory during violent malfunction” (2023). https://www.dailymail.co.uk/sciencetech/article-12869629

  11. Deng, G., et al.: Nautilus: automated restful api vulnerability detection. In: 32nd USENIX Security Symposium (USENIX Security 23), pp. 5593–5609 (2023). https://dlnext.acm.org/doi/10.5555/3620237.3620550

  12. Du, W., et al.: Vulnerability-oriented testing for restful apis. In: 33rd USENIX Security Symposium (USENIX Security 24), pp. 739–755 (2024)

    Google Scholar 

  13. Ed-Douibi, H., Izquierdo, J.L.C., Cabot, J.: Automatic generation of test cases for rest apis: A specification-based approach. In: 2018 IEEE 22nd international enterprise distributed object computing conference (EDOC). pp. 181–190. IEEE (2018), http://dx.doi.org/10.1109/edoc.2018.00031

  14. Fielding, R.T., Taylor, R.N.: Architectural Styles and the Design of Network-based Software Architectures. Ph.D. thesis, University of California, Irvine (2000)

    Google Scholar 

  15. Gamez-Diaz, A., Fernandez, P., Ruiz-Cortes, A.: An analysis of restful apis offerings in the industry. In: International Conference on Service-Oriented Computing, pp. 589–604. Springer (2017). https://doi.org/10.1007/978-3-319-69035-3_43

  16. Godefroid, P., Huang, B.Y., Polishchuk, M.: Intelligent rest api data fuzzing. In: Proceedings of the 28th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering, pp. 725–736 (2020). http://dx.doi.org/10.1145/3368089.3409719

  17. Gosewehr, F., Wermann, J., Borsych, W., Colombo, A.W.: Specification and design of an industrial manufacturing middleware. In: 2017 IEEE 15th International Conference on Industrial Informatics (INDIN), pp. 1160–1166. IEEE (2017). http://dx.doi.org/10.1109/indin.2017.8104937

  18. Group, A.: Abb (2024). https://global.abb/group/en

  19. Hägele, M., Nilsson, K., Pires, J.N., Bischoff, R.: Industrial robotics. Springer handbook of robotics, pp. 1385–1422 (2016). https://doi.org/10.1007/978-3-319-32552-1_54

  20. Hatfield-Dodds, Z., Dygalo, D.: Deriving semantics-aware fuzzers from web api schemas. In: Proceedings of the ACM/IEEE 44th International Conference on Software Engineering: Companion Proceedings, pp. 345–346 (2022), http://dx.doi.org/10.1109/icse-companion55297.2022.9793781

  21. Heyer, C.: Human-robot interaction and future industrial robotics applications. In: 2010 IEEE/RSJ International Conference on Intelligent Robots and Systems, pp. 4749–4754. IEEE (2010). http://dx.doi.org/10.1109/iros.2010.5651294

  22. Hils, M.: An interactive https proxy (2024). https://mitmproxy.org

  23. Hodován, R., Kiss, Á., Gyimóthy, T.: Grammarinator: a grammar-based open source fuzzer. In: Proceedings of the 9th ACM SIGSOFT International Workshop on Automating TEST Case Design, Selection, and Evaluation, pp. 45–48 (2018). http://dx.doi.org/10.1145/3278186.3278193

  24. ISO: Robots and robotic devices - Safety requirements for industrial robots - Part 2: Robot systems and integration. Standard ISO 10218-2:2011(E) (2011)

    Google Scholar 

  25. ISO: Robotics - Vocabulary. Standard ISO 8373:2021(E) (2021)

    Google Scholar 

  26. Li, C., Park, J., Kim, H., Chrysostomou, D.: How can i help you? an intelligent virtual assistant for industrial robots. In: Companion of the 2021 ACM/IEEE International Conference on Human-Robot Interaction, pp. 220–224. ACM (2021). http://dx.doi.org/10.1145/3434074.3447163

  27. Liu, Y., et al.: Morest: model-based restful api testing with execution feedback. In: 2022 IEEE/ACM 44th International Conference on Software Engineering (ICSE), pp. 1406–1417 (2022). http://dx.doi.org/10.1145/3510003.3510133

  28. OpenAI: Gpt-4 (2024). https://openai.com/gpt-4

  29. OpenAPI: Openapi initiative (2024). https://www.openapis.org

  30. OpenAPI: Swagger (2024). https://swagger.io

  31. OWASP: The owasp zed attack proxy (zap) (2024). https://www.zaproxy.org

  32. Pogliani, M., Maggi, F., Balduzzi, M., Quarta, D., Zanero, S.: Detecting insecure code patterns in industrial robot programs. In: Proceedings of the 15th ACM Asia Conference on Computer and Communications Security (2020). http://dx.doi.org/10.1145/3320269.3384735

  33. Pogliani, M., Quarta, D., Polino, M., Vittone, M., Maggi, F., Zanero, S.: Security of controlled manufacturing systems in the connected factory: the case of industrial robots. J. Comput. Virology Hacking Tech. 15, 161 – 175 (2019). http://dx.doi.org/10.1007/s11416-019-00329-8

  34. Quarta, D., Pogliani, M., Polino, M., Maggi, F., Zanchettin, A.M., Zanero, S.: An experimental security analysis of an industrial robot controller. In: 2017 IEEE Symposium on Security and Privacy (SP), pp. 268–286 (2017). http://dx.doi.org/10.1109/sp.2017.20

  35. of Robotics, I.F.: World robotics 2023 report (2023). https://ifr.org/ifr-press-releases/news/world-robotics-2023-report-asia-ahead-of-europe-and-the-americas

  36. Sandiland, D.: Stop spending millions on robot downtime now (2022). https://www.robotics247.com/article/stop_spending_millions_on_robot_downtime_now/supply_chain

  37. Souza, R., Pinho, F., Olivi, L., Cardozo, E.: A restful platform for networked robotics. In: 2013 10th International Conference on Ubiquitous Robots and Ambient Intelligence (URAI), pp. 423–428. IEEE (2013). http://dx.doi.org/10.1109/urai.2013.6677301

Download references

Acknowledgements

We thank the anonymous reviewers for their insightful comments on our work, and we also thank Roger Dahlgren and the cybersecurity team at ABB for their assistance. This work was supported by the National Natural Science Foundation of China under Grant No. 62472302, and Beijing Natural Science Foundation under Grant No. L234033.

Author information

Authors and Affiliations

Authors

Corresponding authors

Correspondence to Shuaizong Si or Limin Sun .

Editor information

Editors and Affiliations

Rights and permissions

Reprints and permissions

Copyright information

© 2025 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Wang, Y. et al. (2025). Automated Flaw Detection for Industrial Robot RESTful Service. In: Shankaranarayanan, K., Sankaranarayanan, S., Trivedi, A. (eds) Verification, Model Checking, and Abstract Interpretation. VMCAI 2025. Lecture Notes in Computer Science, vol 15530. Springer, Cham. https://doi.org/10.1007/978-3-031-82703-7_8

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-82703-7_8

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-82702-0

  • Online ISBN: 978-3-031-82703-7

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics