IRL - Vulnerability search in Industrial Control Systems: a reverse engineering approach

From Ensiwiki

Title: Vulnerability search in Industrial Control Systems: a reverse engineering approach
Proposed in: M2 MOSIG, Project --- M2R Informatique, Project --- Magistère, M2
Supervisor(s):

   Laurent Mounier (VERIMAG-DCS)
   Stéphane Mocanu (LIG)

Keywords: Security, Industrial Systems (SCADA), Vulnerability detection, Reverse engineering
Project duration: 5 months, possible follow-up with a PhD
Maximum number of students: 1
Places available: 1
Query made on: 14 November 2018, 16:11


Industrial control systems are specialized computer systems used in many activities of vital importance like energy production and distribution, chemical industry or water management.

These systems consist of dedicated hardware and software (Programmable Logic Controllers, control systems, Human Machine Interfaces) interacting over fieldbus communications. Their components and communication protocols are often built on legacy, out-of-date hardware and software that does not always conform to modern security standards and is rarely kept up to date.

They may therefore contain vulnerabilities that an attacker could exploit, with potentially serious consequences. Vulnerability research and analysis are thus a major concern for governmental agencies (ANSSI), component vendors and end users.

This research topic lies in this field and deals with vulnerability detection in industrial systems. Since neither the complete specifications nor the source code of the software components is available, we propose a reverse engineering approach to vulnerability detection. This approach may target several layers, such as:

- Behavioral inference of the control automaton of a PLC via active learning (observing input/output dependencies), considering autonomous automata first and then studying the extension to timed and/or hybrid automata;

- Code analysis of the embedded PLC software, namely the operation blocks and/or the communication-layer implementations, combining static and dynamic analysis of binary code and execution traces. The main objective is to discover abnormal or unexpected behaviors that an attacker could exploit to modify or disrupt the physical process.
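As an added worked example for the first layer (written for this page, not code from the project or its authors): a minimal Angluin-style L* learner for Mealy machines, driven against a constructed stand-in for a black-box PLC. The tank-filling controller, its inputs (start, stop, high, maint), its outputs and the undocumented 'maint' override are all assumptions made up for the example. The learner sees the device only through reset() and step(), which is how a real controller reached over its fieldbus would be exercised; the learned transition table is then queried for a transition the documented behaviour should not allow.

```python
from itertools import product

INPUTS = ("start", "stop", "high", "maint")

class ToyPLC:
    """Constructed stand-in (assumption, not a real PLC): tank-filling controller with an undocumented 'maint' override."""
    TABLE = {
        ("idle", "start"): ("filling", "open"), ("idle", "stop"): ("idle", "closed"), ("idle", "high"): ("idle", "closed"),
        ("idle", "maint"): ("filling", "open"), ("filling", "start"): ("filling", "open"), ("filling", "stop"): ("idle", "closed"),
        ("filling", "high"): ("full", "closed"), ("filling", "maint"): ("filling", "open"), ("full", "start"): ("full", "alarm"),
        ("full", "stop"): ("idle", "closed"), ("full", "high"): ("full", "closed"), ("full", "maint"): ("filling", "open"),
    }  # interlock: no refill while 'full' (start -> alarm); the 'maint' override bypasses it
    def reset(self):
        self.state = "idle"
    __init__ = reset

    def step(self, inp):
        self.state, out = self.TABLE[(self.state, inp)]
        return out

def run_hyp(init, delta, seq):
    """Replay seq on a learned machine: delta[(state, input)] = (next_state, output)."""
    st, outs = init, []
    for a in seq:
        st, o = delta[(st, a)]
        outs.append(o)
    return tuple(outs)

class MealyLearner:
    """Angluin's L* adapted to Mealy machines; the device is driven only via reset()/step()."""
    def __init__(self, sul, inputs):
        self.sul, self.inputs = sul, inputs
        self.S = [()]                     # access sequences (prefixes)
        self.E = [(a,) for a in inputs]   # distinguishing suffixes

    def query(self, seq):
        """Membership query: reset the device, replay seq, collect its outputs."""
        self.sul.reset()
        return tuple(self.sul.step(a) for a in seq)

    def row(self, s):
        """Outputs of every suffix in E after prefix s (the observation-table row)."""
        return tuple(self.query(s + e)[len(s):] for e in self.E)

    def _fix_closedness(self):
        rows = {self.row(s) for s in self.S}
        for s, a in product(self.S, self.inputs):
            if self.row(s + (a,)) not in rows:   # unseen behaviour: a new state
                self.S.append(s + (a,))
                return True
        return False

    def _fix_consistency(self):
        for s1, s2, a in product(self.S, self.S, self.inputs):
            if s1 != s2 and self.row(s1) == self.row(s2):
                r1, r2 = self.row(s1 + (a,)), self.row(s2 + (a,))
                if r1 != r2:   # same row, different future: learn a longer suffix
                    i = next(i for i, (x, y) in enumerate(zip(r1, r2)) if x != y)
                    self.E.append((a,) + self.E[i])
                    return True
        return False

    def hypothesis(self):
        """States are the distinct rows; transitions and outputs are read off S x I."""
        names = {r: i for i, r in enumerate(dict.fromkeys(self.row(s) for s in self.S))}
        delta = {}
        for s, a in product(self.S, self.inputs):
            delta.setdefault((names[self.row(s)], a),
                             (names[self.row(s + (a,))], self.query(s + (a,))[-1]))
        return names[self.row(())], delta

    def find_counterexample(self, init, delta, max_len=6):
        """Equivalence query by exhaustive bounded testing (machines with m and n states that differ do so within m+n-1 steps)."""
        for n in range(1, max_len + 1):
            for seq in product(self.inputs, repeat=n):
                if self.query(seq) != run_hyp(init, delta, seq):
                    return seq
        return None

    def learn(self):
        while True:
            while self._fix_closedness() or self._fix_consistency():
                pass
            init, delta = self.hypothesis()
            ce = self.find_counterexample(init, delta)
            if ce is None:
                return init, delta
            for i in range(1, len(ce) + 1):   # add every prefix of the counterexample
                if ce[:i] not in self.S:
                    self.S.append(ce[:i])

def valve_opens_when_full(init, delta):
    """Ask the learned model which inputs open the valve once the level sensor has said 'high'."""
    st = init
    for a in ("start", "high"):
        st, _ = delta[(st, a)]
    return sorted(a for a in INPUTS if delta[(st, a)][1] == "open")

if __name__ == "__main__":
    print("valve opens when full on:", valve_opens_when_full(*MealyLearner(ToyPLC(), INPUTS).learn()))
```

Running it learns a three-state model and reports that 'maint' opens the valve from the 'full' state, i.e. the level interlock can be bypassed: exactly the kind of unexpected behaviour the proposal aims to surface, found without specifications or source. The exhaustive equivalence check is only affordable on a toy; against hardware, where every membership query costs a reset and a few bus round trips, it would be replaced by random walks or a W-method test suite, and timed behaviour (the timed/hybrid extension mentioned above) is out of reach of this untimed learner.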

This study will be hosted by the research teams CTRL-A (LIG) and PACS (Verimag), which have strong expertise in industrial systems analysis, reverse engineering and code analysis techniques.

This Master's thesis can be continued with a PhD position.

