MSGFuzzer: Message Sequence Guided Industrial Robot Protocol Fuzzing

Industrial robots are widely used in industrial control systems (ICS). Once compromised, it could be maliciously controlled by attackers, endangering manufacturing processes or even human lives. Therefore, timely discovery of vulnerabilities in industrial robots is essential. Protocol fuzzing is a popular method for discovering protocol implementation vulnerabilities. However, the intricate workflow of industrial robots imposes strict message sequence constraints on message execution. Moreover, the overhead of sequence constraint satisfaction is exacerbated by the redundant messages in message sequences and the inherent delays in physical domain execution. These challenges make it difficult for fuzzers to penetrate deep code paths for fuzzing effectively. In this paper, we propose MSGFuzzer, a message sequence-guided industrial robot protocol fuzzer. Specifically, we filter the original traffic based on message byte characteristics and generate message sequences. After that, we distinguish the sequence constraints for each message through the feedback mechanism of the industrial robot. To reduce state-guidance time, we construct the minimal message sequence based on the constraint conditions of messages. We evaluated MSGFuzzer on a real industrial robot. The results show that MSGFuzzer discovered 12 unique crashes. Note that this is at least 71.4% more effective than state-of-the-art protocol fuzzers in crash discoveries.