Catastrophic Cyber-Physical Malware

Part of the Advances in Information Security book series (ADIS, volume 72)


With the advent of highly sophisticated cyber-physical malware (CPM) such as Industroyer, a cyberattack could be as destructive as the terrorist attack on 9/11, and it would virtually paralyze the nation. We discuss the major risks: the vulnerability of telecommunication infrastructure, industrial control systems (ICS), and mission-critical software.

What differentiates CPM from traditional malware is the open-ended range of possible malware triggers, arising from the wide spectrum of sensor inputs, together with the almost limitless application-specific possibilities for designing malicious payloads.

Fundamentally, the challenges of detecting sophisticated CPM stem from the complexities inherent in the software at the heart of cyber-physical systems. We discuss three fundamental challenges: explosion of execution behaviors, computational intractability of checking feasible behaviors, and difficult-to-analyze programming constructs.

Detecting novel CPM involves three tasks: developing plausible hypotheses for the malware trigger and the malicious payload, analyzing the software to gather evidence for the CPM hypotheses, and verifying the software to prove or refute a hypothesis based on the gathered evidence. We discuss research directions for effective automation to support these tasks.


  • Malware
  • Mission-critical Software
  • Industrial Control Systems (ICS)
  • Open-ended Possibilities
  • Norm-based Behavior

These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

This material is based on research sponsored by DARPA under agreement numbers FA8750-15-2-0080 and FA8750-12-2-0126. The U.S. Government is authorized to reproduce and distribute reprints for Governmental purposes notwithstanding any copyright notation thereon. The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of DARPA or the U.S. Government.




We thank our colleagues from Iowa State University and EnSoft for their help with this paper. We are grateful to Jeremias Sauceda and Nikhil Ranade for their significant contributions to our research on graphical software analysis and verification. Tom Deering, Eric Woestman, Theodore Murdock, Shrawan Kumar, Akshay Deepak, and Damanjit Singh have played important roles in evolving the research. Dr. Kothari is the founder, President, and a financial stakeholder in EnSoft.

Corresponding author

Correspondence to Suresh Kothari.


© 2018 Springer Nature Switzerland AG

Cite this chapter

Kothari, S., Santhanam, G.R., Awadhutkar, P., Holland, B., Mathews, J., Tamrawi, A. (2018). Catastrophic Cyber-Physical Malware. In: Conti, M., Somani, G., Poovendran, R. (eds) Versatile Cybersecurity. Advances in Information Security, vol 72. Springer, Cham.

  • DOI: 10.1007/978-3-319-97643-3_7

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-97642-6

  • Online ISBN: 978-3-319-97643-3
