Search Icon
Register

An LLM-Driven Fuzzing Framework for Detecting Logic Instruction Bugs in PLCs

Jiaxing Cheng (Institute of Information Engineering, CAS; School of Cyber Security, UCAS), Ming Zhou (School of Cyber Science and Engineering, Nanjing University of Science and Technology), Haining Wang (Virginia Tech), Xin Chen (Institute of Institute of Information Engineering, CAS; School of Cyber Security, UCAS), Yuncheng Wang (Institute of Institute of Information Engineering, CAS; School of Cyber Security, UCAS), Yibo Qu (Institute of Institute of Information Engineering, CAS; School of Cyber Security, UCAS), Limin Sun (Institute of Institute of Information Engineering, CAS; School of Cyber Security, UCAS)

Programmable Logic Controllers (PLCs) automate industrial operations using vendor-supplied logic instruction libraries compiled into device firmware. These libraries may contain security flaws that, when exploited through physical control routines, network-facing services, or PLC runtime subsystems, may lead to privilege violations, memory corruption, or data leakage. This paper presents LogicFuzz, the first fuzzing framework designed specifically to target logic instructions in PLC firmware. LogicFuzz constructs a semantic dependency graph (SDG) that captures both operational semantics and inter-instruction dependencies in PLC code. Leveraging the SDG together with an enable-signal mechanism, LogicFuzz automatically synthesizes instruction-tailored seed programs, significantly reducing manual effort and enabling controlled, resettable fuzzing on real PLC hardware. To uncover bugs conditioned on control-flow triggers (i.e., invocation patterns), LogicFuzz mutates the SDG to diversify instruction-invocation contexts. To expose data-triggered faults, it performs coverage-guided parameter mutation under valid semantic constraints. In addition, LogicFuzz integrates a multi-source oracle that monitors runtime logs, status LEDs, and communication states to detect instruction-level failures during fuzzing. We evaluate LogicFuzz on six production PLCs from three major vendors and uncover 19 instruction-level bugs, including four previously unknown vulnerabilities.

Paper

View More Papers

Lightweight Internet Bandwidth Allocation and Isolation with Fractional Fair...

Marc Wyss (ETH Zurich), Yih-Chun Hu (University of Illinois at Urbana-Champaign), Vincent Lenders (University of Luxembourg), Roland Meier (armasuisse), Adrian Perrig (ETH Zurich)

Read More

From Paranoia to Compliance: The Bumpy Road of System...

Niklas Busch (CISPA Helmholtz Center for Information Security, Germany), Philip Klostermeyer (CISPA Helmholtz Center for Information Security, Germany), Jan H. Klemmer (CISPA Helmholtz Center for Information Security, Germany), Yasemin Acar (Paderborn University, Germany), Sascha Fahl (CISPA Helmholtz Center for Information Security, Germany)

Read More

Enhancing Website Fingerprinting Attacks against Traffic Drift

Xinhao Deng (Tsinghua University & Ant Group), Yixiang Zhang (Tsinghua University), Qi Li (Tsinghua University & Zhongguancun Laboratory), Zhuotao Liu (Tsinghua University & Zhongguancun Laboratory), Yabo Wang (Tsinghua University), Ke Xu (Tsinghua University & Zhongguancun Laboratory)

Read More