Published December 7, 2023 | Version v1
Journal article Open

Sizzler: Sequential Fuzzing in Ladder Diagrams for Vulnerability Detection and Discovery in Programmable Logic Controllers

  • 1. University of Glasgow
  • 2. KIOS Research and Innovation Center of Excellence, University of Cyprus
  • 3. Department of Electrical and Computer Engineering, University of Cyprus

Description

Programmable Logic Controllers (PLCs) constitute the basis of Industrial Control Systems (ICSs) underpinning sectors ranging from nuclear to energy and manufacturing. Currently, the PLC vulnerability assessment practices employed by ICS operators are limited because they rely on empirical observations of visible code crashes reported by PLC compilers. In parallel, the prevalent dependency of PLC firmware on proprietary vendor routines restricts the composition of generic vulnerability detection or discovery schemes for zero-day threat vectors. In this work, we propose Sizzler: a novel vendor-independent vulnerability discovery framework specific to PLC applications whose logic is realised through ladder diagrams. Sizzler extends the current state of the art by proposing the optimal synergy of a mutation-based fuzzing strategy with a Sequential Generative Adversarial Network (SeqGAN). Because of critical vendor restrictions on emulating PLC firmware, we also refine the General Purpose I/O (GPIO) and Inter-Integrated Circuit (I2C) protocol support of the Quick Emulator (QEMU) to evaluate and compare Sizzler across 30 PLC ladder diagram programs compiled from the LDmicro and OpenPLC projects over five widely used Micro-Controller Units (MCUs). It is noteworthy that Sizzler has successfully identified vulnerabilities in ladder diagrams within a relatively short time frame on our proprietary dataset and secured a CVE-ID. Moreover, through a comparison of Sizzler with prevalent fuzzing techniques over the commonly used Magma and LAVA-M datasets, we exhibit its wider applicability to embedded systems and identify its limitations.

Notes

This version of the manuscript has been accepted for publication in IEEE Transactions on Information Forensics and Security after peer review (Author Accepted Manuscript). It is not the final published version (Version of Record) and does not reflect any post-acceptance improvements. The Version of Record is available online at https://doi.org/10.1109/TIFS.2023.3340615.

Files

Sizzler_ieee_transactions_on_information_forensics_and_security (3).pdf

Additional details

Funding

  • European Commission: COCOON – COoperative Cyber prOtectiON for modern power grids (grant 101120221)
  • European Commission: KIOS CoE – KIOS Research and Innovation Centre of Excellence (grant 739551)

Dates

Accepted: 2023-11-23