Testing Techniques for Finding Software Vulnerabilities in Industrial Control Systems

Alternative Title
Testing Techniques for Finding Software Vulnerabilities in Industrial Control Systems
Author(s)
유형욱
Alternative Author(s)
Hyunguk Yoo
Advisor
손태식
Department
Graduate School, Department of Computer Engineering
Publisher
The Graduate School, Ajou University
Publication Year
2017-02
Language
eng
Keyword
Software Testing; Industrial Control System; Software Vulnerability
Alternative Abstract
In most cyberattacks, software vulnerabilities are one of the main attack vectors. In particular, software vulnerabilities in industrial control systems have become a serious security threat. Software testing is one of the most effective approaches to finding software vulnerabilities. However, existing software testing techniques have limitations for software that has complex states or a highly structured input format, which are common characteristics of the communication protocols used in industrial control systems. In this thesis, we propose two novel techniques to analyze and test software that has complex states or a highly structured input format. First, we present a new state machine inference technique to correctly learn a complete and minimal state machine with fewer resources than existing techniques. We apply our technique to infer a state machine for the Secure Authentication component of a DNP3 application, and demonstrate the effectiveness of our technique. Second, we propose a new fuzzing technique, grammar-based adaptive fuzzing, to efficiently generate test inputs for software that has a highly structured input format. In the proposed technique, we use the input grammar of the software as well as the dynamic dependency relationship between the input fields. We show that our technique executes more code of the target software than existing mutation-based fuzzing and non-adaptive grammar-based fuzzing. We evaluate the proposed techniques on applications of industrial control system protocols. The industrial control system protocols are good targets for our techniques because they usually have a complex state machine and a highly structured input format. In addition, their dependability and reliability are very important because vulnerabilities in those applications could be exploited remotely by an attacker, which may lead to catastrophic results.
In our experiments, the proposed techniques outperform existing techniques and tools, and show great promise for testing software of the industrial control system protocols.
URI
https://dspace.ajou.ac.kr/handle/2018.oak/12321
Appears in Collections:
Graduate School of Ajou University > Department of Computer Engineering > 4. Theses(Ph.D)
Files in This Item:
There are no files associated with this item.