{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,7,3]],"date-time":"2026-07-03T17:24:56Z","timestamp":1783099496448,"version":"3.54.6"},"reference-count":43,"publisher":"Association for Computing Machinery (ACM)","issue":"5s","license":[{"start":{"date-parts":[[2019,10,8]],"date-time":"2019-10-08T00:00:00Z","timestamp":1570492800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Embed. Comput. Syst."],"published-print":{"date-parts":[[2019,10,31]]},"abstract":"<jats:p>Industrial Control System (ICS) protocols are widely used to build communications among system components. Compared with common internet protocols, ICS protocols have more control over remote devices by carrying a specific field called \u201cfunction code\u201d, which assigns what the receive end should do. Therefore, it is of vital importance to ensure their correctness. However, traditional vulnerability detection techniques such as fuzz testing are challenged by the increasing complexity of these diverse ICS protocols.<\/jats:p>\n          <jats:p>In this paper, we present a function code aware fuzzing framework \u2014 Polar, which automatically extracts semantic information from the ICS protocol and utilizes this information to accelerate security vulnerability detection. Based on static analysis and dynamic taint analysis, Polar\u00a0initiates the values of the function code field and identifies some vulnerable operations. Then, novel semantic aware mutation and selection strategies are designed to optimize the fuzzing procedure. For evaluation, we implement Polar\u00a0on top of two popular fuzzers \u2014 AFL and AFLFast, and conduct experiments on several widely used ICS protocols such as Modbus, IEC104, and IEC 61850. 
Results show that, compared with AFL and AFLFast, Polar\u00a0 achieves the same code coverage and bug detection numbers at the speed of 1.5X-12X. It also gains increase with 0%--91% more paths within 24 hours. Furthermore, Polar\u00a0has exposed 10 previously unknown vulnerabilities in those protocols, 6 of which have been assigned unique CVE identifiers in the US National Vulnerability Database.<\/jats:p>","DOI":"10.1145\/3358227","type":"journal-article","created":{"date-parts":[[2019,10,10]],"date-time":"2019-10-10T13:13:05Z","timestamp":1570713185000},"page":"1-22","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":51,"title":["Polar"],"prefix":"10.1145","volume":"18","author":[{"given":"Zhengxiong","family":"Luo","sequence":"first","affiliation":[{"name":"KLISS, BNRist, School of Software, Tsinghua University, Beijing, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Feilong","family":"Zuo","sequence":"additional","affiliation":[{"name":"KLISS, BNRist, School of Software, Tsinghua University, Beijing, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Yu","family":"Jiang","sequence":"additional","affiliation":[{"name":"KLISS, BNRist, School of Software, Tsinghua University, Beijing, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Jian","family":"Gao","sequence":"additional","affiliation":[{"name":"KLISS, BNRist, School of Software, Tsinghua University, Beijing, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Xun","family":"Jiao","sequence":"additional","affiliation":[{"name":"Department of Computer Science and Engineering, Villanova University, USA"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Jiaguang","family":"Sun","sequence":"additional","affiliation":[{"name":"KLISS, BNRist, School of Software, Tsinghua University, Beijing, 
China"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"320","published-online":{"date-parts":[[2019,10,8]]},"reference":[{"key":"e_1_2_1_1_1","volume-title":"https:\/\/github.com\/OpenRCE\/sulleyAccessed August 22nd","author":"Amini Pedram","year":"2012","unstructured":"Pedram Amini and Aaron Portnoy . 2012. Sulley. ( 2012 ). https:\/\/github.com\/OpenRCE\/sulleyAccessed August 22nd , 2017. Pedram Amini and Aaron Portnoy. 2012. Sulley. (2012). https:\/\/github.com\/OpenRCE\/sulleyAccessed August 22nd, 2017."},{"key":"e_1_2_1_2_1","unstructured":"IEEE Standards Association. Accessed June 3rd 2019. IEEE C37.118. Website. https:\/\/standards.ieee.org\/standard\/C37_118_1-2011.html.  IEEE Standards Association. Accessed June 3rd 2019. IEEE C37.118. Website. https:\/\/standards.ieee.org\/standard\/C37_118_1-2011.html."},{"key":"e_1_2_1_3_1","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978428"},{"key":"e_1_2_1_4_1","volume-title":"Engler","author":"Cadar Cristian","year":"2008","unstructured":"Cristian Cadar , Daniel Dunbar , and Dawson R . Engler . 2008 . KLEE : Unassisted and automatic generation of high-coverage tests for complex systems programs. In OSDI. Cristian Cadar, Daniel Dunbar, and Dawson R. Engler. 2008. KLEE: Unassisted and automatic generation of high-coverage tests for complex systems programs. In OSDI."},{"key":"e_1_2_1_5_1","doi-asserted-by":"publisher","DOI":"10.1145\/2408776.2408795"},{"key":"e_1_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2018.00046"},{"key":"e_1_2_1_7_1","volume-title":"EnFuzz: Ensemble fuzzing with seed synchronization among diverse fuzzers. arXiv preprint arXiv:1807.00182","author":"Chen Yuanliang","year":"2018","unstructured":"Yuanliang Chen , Yu Jiang , Fuchen Ma , Jie Liang , Mingzhe Wang , Chijin Zhou , Zhuo Su , and Xun Jiao . 2018. EnFuzz: Ensemble fuzzing with seed synchronization among diverse fuzzers. arXiv preprint arXiv:1807.00182 ( 2018 ). 
Yuanliang Chen, Yu Jiang, Fuchen Ma, Jie Liang, Mingzhe Wang, Chijin Zhou, Zhuo Su, and Xun Jiao. 2018. EnFuzz: Ensemble fuzzing with seed synchronization among diverse fuzzers. arXiv preprint arXiv:1807.00182 (2018)."},{"key":"e_1_2_1_8_1","unstructured":"Clang. Accessed April 5th 2019. LLVM dataFlowSanitizer. Website. https:\/\/clang.llvm.org\/docs\/DataFlowSanitizer.html.  Clang. Accessed April 5th 2019. LLVM dataFlowSanitizer. Website. https:\/\/clang.llvm.org\/docs\/DataFlowSanitizer.html."},{"key":"e_1_2_1_9_1","unstructured":"dj chen. Accessed April 5th 2019. IEC104. Website. https:\/\/github.com\/airpig2011\/IEC104.  dj chen. Accessed April 5th 2019. IEC104. Website. https:\/\/github.com\/airpig2011\/IEC104."},{"key":"e_1_2_1_10_1","unstructured":"Ying Fu Meng Ren Fuchen Ma Heyuan Shi Xin Yang Yu Jiang Huizhong Li and Xiang Shi. 2019. EVMFuzzer: Detect EVM vulnerabilities via fuzz testing. (2019).  Ying Fu Meng Ren Fuchen Ma Heyuan Shi Xin Yang Yu Jiang Huizhong Li and Xiang Shi. 2019. EVMFuzzer: Detect EVM vulnerabilities via fuzz testing. (2019)."},{"key":"e_1_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE.2009.5070546"},{"key":"e_1_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1145\/3236024.3275524"},{"key":"e_1_2_1_13_1","unstructured":"MZ Automation GmbH. Accessed April 5th 2019. libiec61850. Website. https:\/\/github.com\/mz-automation\/libiec61850.  MZ Automation GmbH. Accessed April 5th 2019. libiec61850. Website. https:\/\/github.com\/mz-automation\/libiec61850."},{"key":"e_1_2_1_14_1","volume-title":"Levin","author":"Godefroid Patrice","year":"2008","unstructured":"Patrice Godefroid , Adam Kiezun , and Michael Y . Levin . 2008 . Grammar-based whitebox fuzzing. In PLDI. Patrice Godefroid, Adam Kiezun, and Michael Y. Levin. 2008. Grammar-based whitebox fuzzing. In PLDI."},{"key":"e_1_2_1_15_1","volume-title":"Molnar","author":"Godefroid Patrice","year":"2008","unstructured":"Patrice Godefroid , Michael Y. Levin , and David A . 
Molnar . 2008 . Automated whitebox fuzz testing. In NDSS. Patrice Godefroid, Michael Y. Levin, and David A. Molnar. 2008. Automated whitebox fuzz testing. In NDSS."},{"key":"e_1_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1145\/3236024.3264835"},{"key":"e_1_2_1_17_1","volume-title":"USENIX Security Symposium.","author":"Holler Christian","year":"2012","unstructured":"Christian Holler , Kim Herzig , and Andreas Zeller . 2012 . Fuzzing with code fragments . In USENIX Security Symposium. Christian Holler, Kim Herzig, and Andreas Zeller. 2012. Fuzzing with code fragments. In USENIX Security Symposium."},{"key":"e_1_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243804"},{"key":"e_1_2_1_19_1","doi-asserted-by":"crossref","unstructured":"Caroline Lemieux and Koushik Sen. 2018. FairFuzz: A targeted mutation strategy for increasing greybox fuzz testing coverage. In ASE.  Caroline Lemieux and Koushik Sen. 2018. FairFuzz: A targeted mutation strategy for increasing greybox fuzz testing coverage. In ASE.","DOI":"10.1145\/3238147.3238176"},{"key":"e_1_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.1145\/3236024.3275525"},{"key":"e_1_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.1145\/96267.96279"},{"key":"e_1_2_1_22_1","unstructured":"St\u00e9phane Raimbault. Accessed April 5th 2019. libmodbus. Website. https:\/\/github.com\/stephane\/libmodbus.  St\u00e9phane Raimbault. Accessed April 5th 2019. libmodbus. Website. https:\/\/github.com\/stephane\/libmodbus."},{"key":"e_1_2_1_23_1","volume-title":"Lucian Cojocar, Cristiano Giuffrida, and Herbert Bos.","author":"Rawat Sanjay","year":"2017","unstructured":"Sanjay Rawat , Vivek Jain , Ashish Jith Sreejith Kumar , Lucian Cojocar, Cristiano Giuffrida, and Herbert Bos. 2017 . VUzzer: Application-aware evolutionary fuzzing. In NDSS. Sanjay Rawat, Vivek Jain, Ashish Jith Sreejith Kumar, Lucian Cojocar, Cristiano Giuffrida, and Herbert Bos. 2017. VUzzer: Application-aware evolutionary fuzzing. 
In NDSS."},{"key":"e_1_2_1_24_1","volume-title":"Agha","author":"Sen Koushik","year":"2005","unstructured":"Koushik Sen , Darko Marinov , and Gul A . Agha . 2005 . CUTE : A concolic unit testing engine for C. Koushik Sen, Darko Marinov, and Gul A. Agha. 2005. CUTE: A concolic unit testing engine for C."},{"key":"e_1_2_1_25_1","volume-title":"USENIX Annual Technical Conference.","author":"Serebryany Konstantin","year":"2012","unstructured":"Konstantin Serebryany , Derek Bruening , Alexander Potapenko , and Dmitriy Vyukov . 2012 . AddressSanitizer: A fast address sanity checker . In USENIX Annual Technical Conference. Konstantin Serebryany, Derek Bruening, Alexander Potapenko, and Dmitriy Vyukov. 2012. AddressSanitizer: A fast address sanity checker. In USENIX Annual Technical Conference."},{"key":"e_1_2_1_26_1","doi-asserted-by":"crossref","unstructured":"Heyuan Shi Runzhe Wang Ying Fu Mingzhe Wang Xiaohai Shi Xun Jiao Houbing Song Yu Jiang and Jiaguang Sun. 2019. Industry practice of coverage-guided enterprise linux kernel fuzzing. (2019).  Heyuan Shi Runzhe Wang Ying Fu Mingzhe Wang Xiaohai Shi Xun Jiao Houbing Song Yu Jiang and Jiaguang Sun. 2019. Industry practice of coverage-guided enterprise linux kernel fuzzing. (2019).","DOI":"10.1145\/3338906.3340460"},{"key":"e_1_2_1_27_1","volume-title":"Driller: Augmenting fuzzing through selective symbolic execution. In NDSS.","author":"Stephens Nick","year":"2016","unstructured":"Nick Stephens , John Grosen , Christopher Salls , Andrew Dutcher , Ruoyu Wang , Jacopo Corbetta , Yan Shoshitaishvili , Christopher Kr\u00fcgel , and Giovanni Vigna . 2016 . Driller: Augmenting fuzzing through selective symbolic execution. In NDSS. Nick Stephens, John Grosen, Christopher Salls, Andrew Dutcher, Ruoyu Wang, Jacopo Corbetta, Yan Shoshitaishvili, Christopher Kr\u00fcgel, and Giovanni Vigna. 2016. Driller: Augmenting fuzzing through selective symbolic execution. 
In NDSS."},{"key":"e_1_2_1_28_1","volume-title":"Fuzzing: Brute force vulnerability discovery.","author":"Sutton Michael J.","year":"2007","unstructured":"Michael J. Sutton , Adam Greene , and P. Amini . 2007 . Fuzzing: Brute force vulnerability discovery. Michael J. Sutton, Adam Greene, and P. Amini. 2007. Fuzzing: Brute force vulnerability discovery."},{"key":"e_1_2_1_29_1","unstructured":"Tool. Accessed April 5th 2019. AFL-Clang-Fast. Website. https:\/\/github.com\/mirrorer\/afl\/blob\/master\/llvm_mode\/README.llvm.  Tool. Accessed April 5th 2019. AFL-Clang-Fast. Website. https:\/\/github.com\/mirrorer\/afl\/blob\/master\/llvm_mode\/README.llvm."},{"key":"e_1_2_1_30_1","unstructured":"Tool. Accessed April 5th 2019. Peach Fuzzing Platform. Website. https:\/\/www.peach.tech.  Tool. Accessed April 5th 2019. Peach Fuzzing Platform. Website. https:\/\/www.peach.tech."},{"key":"e_1_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.1145\/3183440.3183494"},{"key":"e_1_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2010.37"},{"key":"e_1_2_1_33_1","volume-title":"Heartbleed - A vulnerability in OpenSSL. (2017)","unstructured":"Website. 2017. Heartbleed - A vulnerability in OpenSSL. (2017) . http:\/\/heartbleed.com\/Accessed: 2017-05-13. Website. 2017. Heartbleed - A vulnerability in OpenSSL. (2017). http:\/\/heartbleed.com\/Accessed: 2017-05-13."},{"key":"e_1_2_1_34_1","unstructured":"Website. Accessed April 5th 2019. IEC 61850. Website. http:\/\/libiec61850.com\/libiec61850\/.  Website. Accessed April 5th 2019. IEC 61850. Website. http:\/\/libiec61850.com\/libiec61850\/."},{"key":"e_1_2_1_35_1","unstructured":"Website. Accessed April 5th 2019. vulnerabilites detected by American Fuzzy Lop. Website. http:\/\/lcamtuf.coredump.cx\/afl\/.  Website. Accessed April 5th 2019. vulnerabilites detected by American Fuzzy Lop. Website. http:\/\/lcamtuf.coredump.cx\/afl\/."},{"key":"e_1_2_1_36_1","unstructured":"Wikipedia. Accessed April 5th 2019. IEC104. Website. 
https:\/\/en.wikipedia.org\/w\/index.php?title&equals;IEC1048redirect&equals;no.  Wikipedia. Accessed April 5th 2019. IEC104. Website. https:\/\/en.wikipedia.org\/w\/index.php?title&equals;IEC1048redirect&equals;no."},{"key":"e_1_2_1_37_1","unstructured":"Wikipedia. Accessed April 5th 2019. Modbus. Website. https:\/\/en.wikipedia.org\/wiki\/Modbus.  Wikipedia. Accessed April 5th 2019. Modbus. Website. https:\/\/en.wikipedia.org\/wiki\/Modbus."},{"key":"e_1_2_1_38_1","unstructured":"Wikipedia. Accessed June 3rd 2019. DNP3. Website. https:\/\/en.wikipedia.org\/wiki\/DNP3.  Wikipedia. Accessed June 3rd 2019. DNP3. Website. https:\/\/en.wikipedia.org\/wiki\/DNP3."},{"key":"e_1_2_1_39_1","unstructured":"Wikipedia. Accessed June 3rd 2019. ICCP. Website. https:\/\/en.wikipedia.org\/w\/index.php?title&equals;Inter-Control_Center_Communications_Protocol8redirect&equals;no.  Wikipedia. Accessed June 3rd 2019. ICCP. Website. https:\/\/en.wikipedia.org\/w\/index.php?title&equals;Inter-Control_Center_Communications_Protocol8redirect&equals;no."},{"key":"e_1_2_1_40_1","unstructured":"Wikipedia. Accessed June 3rd 2019. IEC101. Website. https:\/\/en.wikipedia.org\/wiki\/IEC_60870-5.  Wikipedia. Accessed June 3rd 2019. IEC101. Website. https:\/\/en.wikipedia.org\/wiki\/IEC_60870-5."},{"key":"e_1_2_1_41_1","unstructured":"Wikipedia. Accessed June 3rd 2019. Profinet. Website. https:\/\/en.wikipedia.org\/wiki\/PROFINET.  Wikipedia. Accessed June 3rd 2019. Profinet. Website. https:\/\/en.wikipedia.org\/wiki\/PROFINET."},{"key":"e_1_2_1_42_1","doi-asserted-by":"crossref","unstructured":"Xuejun Yang Yang Chen Eric Eide and John Regehr. 2011. Finding and understanding bugs in C compilers. In PLDI.  Xuejun Yang Yang Chen Eric Eide and John Regehr. 2011. Finding and understanding bugs in C compilers. In PLDI.","DOI":"10.1145\/1993498.1993532"},{"key":"e_1_2_1_43_1","unstructured":"Michal Zalewski. 2015. American fuzzy lop. (2015).  Michal Zalewski. 2015. American fuzzy lop. 
(2015)."}],"container-title":["ACM Transactions on Embedded Computing Systems"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3358227","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3358227","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T23:23:07Z","timestamp":1750202587000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3358227"}},"subtitle":["Function Code Aware Fuzz Testing of ICS Protocol"],"short-title":[],"issued":{"date-parts":[[2019,10,8]]},"references-count":43,"journal-issue":{"issue":"5s","published-print":{"date-parts":[[2019,10,31]]}},"alternative-id":["10.1145\/3358227"],"URL":"https:\/\/doi.org\/10.1145\/3358227","relation":{},"ISSN":["1539-9087","1558-3465"],"issn-type":[{"value":"1539-9087","type":"print"},{"value":"1558-3465","type":"electronic"}],"subject":[],"published":{"date-parts":[[2019,10,8]]},"assertion":[{"value":"2019-04-01","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2019-07-01","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2019-10-08","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}