Improving Coverage Guided Fuzzing for Programmable Logic Controllers


Supervision: Ali Abbasi

Start date: as soon as possible

Duration: 6 months

More details: [AFL] [PLC]


One of the most effective ways to discover vulnerabilities is fuzzing. Fuzzing executes a piece of software through thousands of iterations while feeding random or unexpected input to its functions. By observing whether the program crashes on a specific input, a fuzzer can flag crashes, some of which are security vulnerabilities. In the general-purpose computing domain there are today many fuzzers, such as American Fuzzy Lop (AFL), LibFuzzer and OSS-Fuzz. These tools have shown exceptional results, finding hundreds of vulnerabilities within Microsoft Windows, Apple macOS and GNU/Linux.

However, Programmable Logic Controller (PLC) devices have certain limitations that make it hard to apply existing fuzzers to them. In this thesis you are going to overcome those limitations by improving upon an already existing framework for binary instrumentation and fuzzing of PLCs.

Tasks that are to be solved by the student include:

  • Getting familiar with the AFL fuzzer.
  • Getting familiar with the ARM Cortex-R4F CPU architecture and instruction set.
  • Writing a simple IDA Pro plugin.
  • Writing a small ARM assembly payload that transfers the execution trace from the PLC to the AFL fuzzer over TCP/IP.
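To make the last task concrete, here is an added Python example (not part of this proposal or of the existing framework) modelling the AFL side of that link: it decodes a basic-block trace received from the PLC, folds it into an AFL-style edge-coverage map and decides whether the run produced new coverage. The wire format, the address-derived location ids and the sample addresses are assumptions constructed for this example.

```python
import struct

MAP_SIZE = 1 << 16  # AFL's default coverage map size (64 KiB)

def parse_trace(payload):
    """Decode the trace the on-PLC agent streams over TCP. Wire format is an
    assumption for this example: little-endian uint32 basic-block addresses."""
    if len(payload) % 4:
        raise ValueError("truncated trace record")
    return [a for (a,) in struct.iter_unpack("<I", payload)]

def trace_to_afl_map(block_addrs, map_size=MAP_SIZE):
    """AFL-style edge map: index = (prev >> 1) ^ cur. Location ids come from the
    block address since the PLC firmware is not recompiled with instrumentation."""
    cov = bytearray(map_size)
    prev_loc = 0
    for addr in block_addrs:
        cur_loc = (addr >> 2) & (map_size - 1)  # ARM code is word aligned
        idx = (prev_loc >> 1) ^ cur_loc
        cov[idx] = min(cov[idx] + 1, 255)  # saturating hit counter
        prev_loc = cur_loc
    return cov

def classify_count(n):
    """AFL's hit-count buckets: 1, 2, 3, 4-7, 8-15, 16-31, 32-127, 128+."""
    for limit, bit in ((1, 1), (2, 2), (3, 4), (7, 8), (15, 16), (31, 32), (127, 64)):
        if n <= limit:
            return bit if n else 0
    return 128

def has_new_bits(virgin, cov):
    """AFL's has_new_bits(): 2 = new edge, 1 = new hit-count bucket only, 0 = nothing new."""
    ret = 0
    for i, c in enumerate(cov):
        if c and virgin[i] & classify_count(c):
            ret = max(ret, 2 if virgin[i] == 0xFF else 1)
            virgin[i] &= ~classify_count(c) & 0xFF  # mark bucket as seen
    return ret

def run_campaign(traces, map_size=MAP_SIZE):
    """Score each PLC trace the way AFL decides whether to keep an input."""
    virgin = bytearray(b"\xff") * map_size
    return [has_new_bits(virgin, trace_to_afl_map(parse_trace(t), map_size)) for t in traces]

# Constructed sample runs; addresses are placeholders, not real firmware offsets.
SAMPLE_TRACES = [
    struct.pack("<4I", 0x08001000, 0x08001010, 0x08001030, 0x08001050),  # base path
    struct.pack("<4I", 0x08001000, 0x08001010, 0x08001030, 0x08001050),  # same again
    struct.pack("<4I", 0x08001000, 0x08001024, 0x08001030, 0x08001050),  # new branch
]
```

Running `run_campaign(SAMPLE_TRACES)` yields `[2, 0, 2]`: the first and third inputs would be kept in the queue, the repeated one discarded.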

### Note: the result of this thesis goes under embargo and cannot be published publicly for a duration of one year.


The student is expected to be comfortable reading ARM assembly code as well as programming in C and Python. Knowledge of IDA Pro is a plus.