FieldFuzz: In Situ Blackbox Fuzzing of Proprietary Industrial Automation Runtimes via the Network
Authors:
Andrei Bytes,
Prashant Hari Narayan Rajput,
Constantine Doumanidis,
Nils Ole Tippenhauer,
Michail Maniatakos,
Jianying Zhou
Abstract:
Networked Programmable Logic Controllers (PLCs) are proprietary industrial devices utilized in critical infrastructure that execute control logic applications in complex proprietary runtime environments, which provide standardized access to the hardware resources in the PLC. These control applications are programmed in domain-specific IEC 61131-3 languages, compiled into a proprietary binary format, and process data provided via industrial protocols. Control applications present an attack surface threatened by manipulated traffic. For example, remote code injection into a control application would directly allow taking over the PLC, threatening physical process damage and the safety of human operators. However, assessing the security of control applications is challenging due to domain-specific obstacles and the limited availability of suitable methods. Network-based fuzzing is often the only way to test such devices, but it is inefficient without guidance from execution tracing. This work presents the FieldFuzz framework, which analyzes the security risks posed by the Codesys runtime (used by over 400 devices from 80 industrial PLC vendors). FieldFuzz leverages efficient network-based fuzzing based on three main contributions: i) reverse-engineering-enabled remote control of control applications and runtime components, ii) automated command discovery and status code extraction via network traffic, and iii) a monitoring setup that allows on-system tracing and coverage computation. We use FieldFuzz to run fuzzing campaigns, which uncover multiple vulnerabilities, leading to three reported CVE IDs. To study the cross-platform applicability of FieldFuzz, we reproduce the findings on a diverse set of Industrial Control System (ICS) devices, showing a significant improvement over the state of the art.
Submitted 31 July, 2023; v1 submitted 28 April, 2022;
originally announced April 2022.
Why is My Secret Leaked? Discovering Vulnerabilities in Device-to-Device File Sharing
Authors:
Andrei Bytes,
Jay Prakash,
Jianying Zhou,
Tony Q. S. Quek
Abstract:
The number of active users of Wi-Fi Direct Device-to-Device file sharing applications on Android has exceeded 1.8 billion. Wi-Fi Direct, also known as Wi-Fi P2P, is commonly used for peer-to-peer, high-speed file transfer between mobile devices, as well as a close-proximity connection mode for wireless cameras, network printers, TVs and other IoT and mobile devices. For its end users, this type of direct file transfer does not incur cellular data charges. However, despite the popularity of such applications, we observe that software vendors tend to prioritize the ease of the user flow over security in their implementations, which leads to serious security flaws. We perform a comprehensive security analysis in the context of security and usability and report our findings in the form of 17 Common Vulnerabilities and Exposures (CVE) entries, which have been disclosed to the corresponding vendors. To address similar flaws at an early stage of application design, we propose a joint consideration of security and usability for such applications and their protocols, which can be visualized in the form of a customised User Journey Map (UJM).
Submitted 26 April, 2020; v1 submitted 8 February, 2020;
originally announced February 2020.