NCMFuzzer: Using non-critical field mutation and test case combination to improve the efficiency of ICS protocol fuzzing

Abstract

Industrial control systems (ICSs) have many vulnerabilities owing to the lack of protective measures. Once exploited, such vulnerabilities can result in significant economic loss and security concerns because an ICS controls the entire production process. Although fuzzing is a prevalent technique for finding potential vulnerabilities, current approaches have the disadvantages of blind mutations and low efficiency in vulnerability mining. In this study, we propose a personalized fuzzing method for ICS protocols based on non-critical field mutations and test case combinations. In our approach, we select appropriate protocol fields for personalized mutations based on the information entropy of each output, which can increase the diversity of test cases while preserving their availability. We developed a novel test case sending method that improves the efficiency of finding specific vulnerabilities by grouping related test cases. Our approach also introduces a detection method based on expected message validation to locate triggered vulnerabilities quickly. Compared to Peach and Boofuzz, our method improved the test target anomaly rate by 63.53% and 34.95%, respectively, and found one 0-day vulnerability and five n-day vulnerabilities.