Abstract
Security vulnerabilities typically arise from bugs in input validation and in the application logic. Fuzz-testing is a popular security evaluation technique in which hostile inputs are crafted and passed to the target software in order to reveal bugs. However, in the case of SCADA systems, the use of proprietary protocols makes it difficult to apply existing fuzz-testing techniques as they work best when the protocol semantics are known, targets can be instrumented and large network traces are available. This paper describes a fuzz-testing solution involving LZFuzz, an inline tool that provides a domain expert with the ability to effectively fuzz SCADA devices.
© 2011 IFIP International Federation for Information Processing
Cite this paper
Shapiro, R., Bratus, S., Rogers, E., Smith, S. (2011). Identifying Vulnerabilities in SCADA Systems via Fuzz-Testing. In: Butts, J., Shenoi, S. (eds) Critical Infrastructure Protection V. ICCIP 2011. IFIP Advances in Information and Communication Technology, vol 367. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-24864-1_5
DOI: https://doi.org/10.1007/978-3-642-24864-1_5
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-24863-4
Online ISBN: 978-3-642-24864-1
eBook Packages: Computer Science (R0)