AFL-ICP: Enhancing Industrial Control Protocol Reliability via Specification-Guided Fuzzing
Jiaying Meng, Xuewei Feng, Qi Li, Min Liu, Ke Xu

TL;DR
AFL-ICP introduces a specification-driven fuzzing framework for industrial control protocols, leveraging formal specifications and LLMs to improve vulnerability detection and protocol coverage.
Contribution
It pioneers a formalized, specification-guided fuzzing approach using LLMs for automated protocol adaptation and bug detection in industrial control protocols.
Findings
Outperforms state-of-the-art fuzzers in coverage
Uncovers 24 previously unknown vulnerabilities
Detects 16 semantic and logic bugs affecting industrial operations
Abstract
Industrial Control Protocols (ICPs) are critical to the reliability and stability of industrial infrastructure, yet their security is fundamentally compromised by a specification-blindness bottleneck. Modern fuzzers, constrained by observation-driven inference, struggle to penetrate deep protocol states or detect subtle semantic deviations. In this paper, we present AFL-ICP, an autonomous fuzzing framework that pioneers a specification-driven paradigm. AFL-ICP features a context-aware specification formalization pipeline to transform complex specifications into rigorous machine-executable grammars. Building on this formalized specification, AFL-ICP leverages LLMs to enable automated protocol adaptation and seed generation, allowing for rapid extension to new protocols with minimal manual effort. Additionally, it includes an LLM-powered differential checker that cross-references…
