Computer science
Fuzzing
Protocol (science)
Firmware
Reverse engineering
Symbolic execution
Symbolic data analysis
Embedded systems
Distributed computing
Computer networks
Operating systems
Software
Theoretical computer science
Medicine
Pathology
Alternative medicine
Authors
Yue Sun,Zhi Li,Shichao Lv,Limin Sun
Identifier
DOI:10.1109/tdsc.2022.3228076
Abstract
Industrial Control System (ICS) protocols have built a tight coupling between ICS components, including industrial software and field controllers such as Programmable Logic Controllers (PLCs). With more ICS components exposed on the Internet, huge threats are emerging through the exploitation of the inherent defects of ICS protocols. However, the proprietary nature of ICS protocols makes it extremely hard to build intrusion detection systems or perform penetration tests for ICS security reinforcement. In this work, we introduce a symbolic-execution-based protocol reverse analysis framework to extract the message format and field types of ICS protocols from real-world PLC firmware. We design a new coverage metric and a path prioritization strategy to enhance symbolic execution for extensive protocol reverse analysis. Moreover, we propose a field-expression-based method for protocol message format inference, along with an analysis of the value ranges of fields, which were ignored by previous work. Our evaluation shows that our methods can extract more protocol information during symbolic execution and achieve high accuracy on protocol reverse analysis compared to Wireshark. Furthermore, we equip the results on private ICS protocols with a black-box fuzzer to test two real-world PLCs. In total, we have found 10 vulnerabilities, including 4 new vulnerabilities.