Security Testing IoT Systems

  • Dimitrios Serpanos
  • Marilyn Wolf


System implementations need to be tested for security, because implementation bugs provide an attack surface that can be exploited to penetrate the systems. In this chapter, we introduce testing for security for IoT systems and especially fuzz testing, which is a successful technique to identify vulnerabilities in systems and network protocols. We describe an example fuzzer for the industrial protocol Modbus.


  1. [Ach17]
    Wurldtech- GE Digital, Achilles Test Platform, 2017.
  2. [Ait02]
    Aitel, D. (2002). An introduction to SPIKE, the Fuzzer Creation Kit. Presented at The BlackHat USA Conference.
  3. [Ami14]
    Amini, P. (2014). Sulley: Pure Python fully automated and unattended fuzzing framework.
  4. [Ant12]
    Antunes, J., & Neves, N. (2012). Recycling test cases to detect security vulnerabilities. In Proceedings of the 23rd International Symposium on Software Reliability Engineering, Dallas, Texas, November 27–30, 2012, pp. 231–240.Google Scholar
  5. [Avg11]
    Avgerinos, T., Cha, S. K., Hao, B. L. T., & Brumley, D. (2011). AEG: Automatic Exploit Generation. In Proceedings of the Network and Distributed System Security Symposium (NDSS’11), San Diego, California, February 6–9, 2011.Google Scholar
  6. [Ban06]
    Banks, G., et al. (2006). SNOOZE: toward a Stateful NetwOrk prOtocol fuzZEr. In Proceedings of the 9th Information Security Conference (ISC ‘06), pp. 343–358.Google Scholar
  7. [Bio]
    Biondi, P. Scapy, python interactive packet manipulation framework. http:/
  8. [Bra08]
    Bratus, S., Hansen, A., & Shubina, A.(2008). LZFuzz: A fast compression-based Fuzzer for poorly documented protocols. Technical Report TR2008–634, Dept. of Computer Science, Dartmouth College, New Hampshire.Google Scholar
  9. [Byr06]
    Byres, E. J., Hoffman, D., & Kube, N. (2006). On shaky ground – A study of security vulnerabilities in control protocols. In Proceedings of the 5th International Topical Meeting on Nuclear Plant Instrumentation Controls, and Human Machine Interface Technology, American Nuclear Society, Albuquerque, November 12–16, 2006.Google Scholar
  10. [Cad06]
    Cadar, C., Ganesh, V., Pawlowski, P., Dill, D., & Engler, D. (2008). EXE: Automatically generating inputs of Death. In: Proceedings of CCS’06, Oct–Nov 2006 (extended version appeared in ACM TIS-SEC 12:2, 2008).Google Scholar
  11. [Cad08]
    Cadar, C., Dunbar, D., & Engler, D. (2008). KLEE: Unassisted and automatic generation of high-coverage tests for complex systems programs. In Proceedings of OSDI’08, December 2008.Google Scholar
  12. [Cad13]
    Cadar, C., & Sen, K. (2013). Symbolic execution for software testing: Three decades later. Communications of the ACM, 56(2), 82–90.CrossRefGoogle Scholar
  13. [Cla07]
    Clause, J., Li, W., & Orso, A. (2007). Dytan: A generic dynamic taint analysis framework. In Proceedings of the 2007 International Symposium on Software Testing and Analysis (ISSTA’07), London, UK, July 9–12, 2007, pp. 196–206.Google Scholar
  14. [Che07]
    Chess, B., & West, J. (2007). Secure programming with static analysis. USA: Pearson Education.Google Scholar
  15. [Cow98]
    Cowan, C., et al. (1998). StackGuard: Automatic adaptive detection and prevention of buffer-overflow attacks. In Proceedings of the 7th Usenix Security Symposium, San Antonio, Texas, January 26–29, 1998.Google Scholar
  16. [Dev07]
    Devarajan, G. (2007). Unraveling SCADA protocols: Using Sulley Fuzzer. Presented at the DefCon’15 Hacking Conference, 2007.Google Scholar
  17. [Du02]
    Du, W., & Mathur, A. P. (2002). Testing for software vulnerability using environment perturbation. Quality and Reliability Engineering International, 18(3), 261–272.CrossRefGoogle Scholar
  18. [Gan09]
    Ganesh, V., Leek, T., & Rinard, M. (2009). Taint-based directed whitebox fuzzing. In Proceedings of the 31st International Conference on Software Engineering (ICSE’09), Vancouver, Canada, May 16–24, 2009, pp. 474–484.Google Scholar
  19. [God05]
    Godefroid, P., Klarlund, N., & Sen, K. (2005). DART: Directed Automated Random Testing. In Proceedings of the 2005 ACM SIGPLAN Conference on Programming language design and implementation, Chicago, USA, June 12–15, 2005, pp. 213–223.Google Scholar
  20. [God12]
    Godefroid, P., Levin, M. Y., & Molnar, D. (2012). SAGE: Whitebox fuzzing for security testing. ACM Queue, 10(1).Google Scholar
  21. [Gor10]
    Gorbunov, S., & Rosenbloom, A. (2010). Autofuzz: Automated network protocol fuzzing framework. IJCSNS, 10(8), 239–245.Google Scholar
  22. [Hua12]
    Huang, S. K., Huang, M. H., Huang, P. Y., Lai, C. W., Lu, H. L., Leong, W. M. (2012). CRAX: Software crash analysis for automatic exploit generation by modeling attacks as symbolic continuations. IEEE 6th International Conference on Software Security and Reliability, June 20–22, 2012, pp. 78–87.Google Scholar
  23. [Kit10]
    Kitagawa, T., Hanaoka, M., & Kono, K. (2010). AspFuzz: A state-aware protocol fuzzer based on application-layer protocols. In Proceedings of the IEEE Cymposium on Computers and Communications, Italy, 2010, pp. 202–208.Google Scholar
  24. [Kob07]
    Kobayashi, T. H., Batista, A. B., Brito, A. M., & Motta Pires, P. S. (2007). Using a packet manipulation tool for security analysis of industrial network protocols. In Proceedings of 2007 IEEE Conference on Emerging Technologies and Factory Automation, Patras, 2007, pp. 744–747.Google Scholar
  25. [Koc]
  26. [Mil90]
    Miller, B. P., Fredriksen, L., & So, B. (1990). An empirical study of the reliability of UNIX utilities. Communications of the ACM, 33(12), 32–44.CrossRefGoogle Scholar
  27. [Mil95]
    Miller, B. P., et al. (1995). Fuzz revisited: A re-examination of the reliability of UNIX utilities and services. Technical report TR-1268, Department of Computer Sciences, University of Wisconsin-Madison.Google Scholar
  28. [Mil06]
    Miller, B. P., Cooksey, G., & Moore, F. (2006). An empirical study of the robustness of MacOS applications using random testing. In Proceedings of the 1st International Workshop on Random testing. Portland, Maine, July 20, 2006, pp. 46–54.Google Scholar
  29. [Mod]
    ModBus Organization. ModBus Application Protocol Specification
  30. [ModS]
    Modbus Serial Line Protocol and Implementation Guide V1.02 (Modbus_over_serial_line_V1_02.pdf).Google Scholar
  31. [Nal12]
    McNally, R., Yiu, K., Grove, D., & Gerhardy, D. Fuzzing: The State of the Art. Technical Note DSTO-TN-1043, Defence Science and Technology Organization, Australia, 02–2012.Google Scholar
  32. [New04]
    Newsome, J., & Song, D. Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software. Technical report CMU-CS-04-140, 2004 (revised 2005).Google Scholar
  33. [Nis]
  34. [Pea14]
    Peach Fuzzing Platform,, 2017.
  35. [PRO]
    PROTOS-Security Testing of Protocol Implementations. http//
  36. [Qi14]
    Qi, X., Yong, P., Dai, Z., Yi, S., & Wang, T. (2014). OPC-MFuzzer: A novel multi-layers vulnerability detection tool for OPC protocol based on fuzzing technology. International Journal of Computer and Communication Engineering, 3(4), 300–305.CrossRefGoogle Scholar
  37. [Sch10]
    Schwartz, E. J., Avgerinos, T., & Brumley, D. (2010). All you ever wanted to know about dynamic taint analysis and forward symbolic execution (but might have been afraid to ask). 2010 IEEE Symposium on Security and Privacy.Google Scholar
  38. [Sen05]
    Sen, K., Marinov, D., & Agha, G. (2005). CUTE: A concolic unit testing engine for C. In Proceedings of the 10th European Software Engineering Conference (held jointly with 13th ACM SIGSOFT International Symposium on the Foundations of Software Engineering), September 5–9, 2005, pp. 263–272.Google Scholar
  39. [Sfo]
  40. [Sha11]
    Shapiro, R., Bratus, S., Rogers, E., & Smith, S. (2011). Identifying vulnerabilities in SCADA systems via fuzz-testing. Critical Infrastructure Protection V, IFIP AICT, 367, 57–72.CrossRefGoogle Scholar
  41. [Spa07]
    Sparks, S., Embleton, S., Cunningham, R., & Zou, C. (2007). Automated vulnerability analysis: Leveraging control flow for evolutionary input crafting. In Proceedings of the 23rd Annual IEEE Computer Security Applications Conference (ACSAC 2007), pp. 477–486.Google Scholar
  42. [Str]
  43. [Sut07]
    Sutton, M., Greene, A., & Amini, P. (2007). Fuzzing: Brute force vulnerability discovery. Addison-Wesley Professional.Google Scholar
  44. [Tak08]
    Takanen, A., DeMott, J., & Miller, C. (2008). Fuzzing for software security testing and quality assurance.Google Scholar
  45. [Tsa12]
    Tsankov, P., Torabi Dashti, M., Basin, D. (2012). SECFUZZ: Fuzz-testing security protocols. In Proceedings of the 7th International Workshop on Automation of Software Test (AST 2012), June 2–3, 2012, Zurich, Switzerland.
  46. [Vda14]
    VDA Labs, “General Purpose Fuzzer.” Rockford, Michigan, 2014, gpf.html
  47. [Vie00]
    Viega, J., et al. (2000). ITS4: A static vulnerability scanner for C and C++ code. In Proceedings of 16th Annual IEEE Conference Computer Security Applications (ACSAC'00), New Orleans, Louisiana, 2000, pp. 257–267.Google Scholar
  48. [Voy15]
    Voyiatzis, A. G., Katsigiannis, K., & Koubias, S. (2015). A Modbus/TCP Fuzzer for testing internetworked industrial systems. In Proceedings of the 20th IEEE International Conference on Emerging Technologies and Factory Automation ( ETFA 2015 ). Luxembourg, September 8–11, 2015, pp. 1–6.Google Scholar
  49. [Vua06]
    Vuagnoux, M. (2006). Autodafe: An Act of Software Torture. Swiss Federal Institute of Technology (EPFL), Cryptography and Security Laboratory (LASEC).
  50. [Wan10]
    Wang, T., Wei, T., Gu, G., & Zou, W. (2010). TaintScope: A checksum-aware directed fuzzing tool for automatic software vulnerability detection. 2010 IEEE Symposium on Security and Privacy, Oakland, CA, USA, 2010, pp. 497–512.Google Scholar
  51. [Wan13]
    Wang, T., et al. (2013). Design and implementation of fuzzing technology for OPC protocol. In Proceedings of 9th International Conference on Intelligent Information Hiding and Multimedia Signal Processing, Beijing, China, 2013, pp. 424–428.Google Scholar
  52. [Zha11]
    Zhao, J., Wen, Y., & Zhao, G. (2011). H-fuzzing: A new heuristic method for fuzzing data generation. In Proceedings of Network and Parallel Computing, LNCS, Vol. 6985, Springer, 2011, pp. 32–43.Google Scholar

Copyright information

© Springer International Publishing AG 2018

Authors and Affiliations

  • Dimitrios Serpanos
    • 1
  • Marilyn Wolf
    • 2
  1. 1.Electrical & Computer EngineeringUniversity of PatrasPatrasGreece
  2. 2.School of ECEGeorgia Institute of TechnologyAtlantaUSA

Personalised recommendations