Identifying Vulnerabilities in SCADA Systems via Fuzz-Testing

  • Rebecca Shapiro
  • Sergey Bratus
  • Edmond Rogers
  • Sean Smith
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 367)

Abstract

Security vulnerabilities typically arise from bugs in input validation and in the application logic. Fuzz-testing is a popular security evaluation technique in which hostile inputs are crafted and passed to the target software in order to reveal bugs. However, in the case of SCADA systems, the use of proprietary protocols makes it difficult to apply existing fuzz-testing techniques, which work best when the protocol semantics are known, targets can be instrumented, and large network traces are available. This paper describes a fuzz-testing solution involving LZFuzz, an inline tool that provides a domain expert with the ability to effectively fuzz SCADA devices.

Keywords

Vulnerability assessment, SCADA systems, fuzz-testing

Copyright information

© IFIP International Federation for Information Processing 2011

Authors and Affiliations

  • Rebecca Shapiro (1)
  • Sergey Bratus (1)
  • Edmond Rogers (2)
  • Sean Smith (1)

  1. Dartmouth College, Hanover, USA
  2. Information Trust Institute, University of Illinois, Urbana, USA