{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,10]],"date-time":"2026-05-10T06:05:26Z","timestamp":1778393126879,"version":"3.51.4"},"reference-count":56,"publisher":"Association for Computing Machinery (ACM)","issue":"ISSTA","funder":[{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"publisher","award":["No.92467201"],"award-info":[{"award-number":["No.92467201"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Proc. ACM Softw. Eng."],"published-print":{"date-parts":[[2025,6,22]]},"abstract":"With the advancement of digital transformation, Industrial Control Systems (ICS) are becoming increasingly open and intelligent. \nHowever, inherent vulnerabilities in ICS protocols pose significant security threats to devices and systems. \nThe proprietary nature of ICS protocols complicates the security analysis and deployment of protective mechanisms for ICS. \nProtocol reverse engineering aims to infer the syntax, semantics, and state machines of protocols in the absence of official specifications. \nTraditional protocol reverse engineering tools face considerable limitations due to the lack of executable environments, incomplete inference strategies, and low-quality network traffic. \nIn this paper, we present ICEPRE, a novel data-driven protocol reverse engineering method based on concolic execution, which uniquely integrates network trace with static analysis. \nUnlike conventional methods that rely on executable environments, ICEPRE statically tracks the program's parsing process for specific input messages. \nFurthermore, we employ an innovative field boundary inference strategy to infer the protocol's syntax by analyzing how the protocol parser handles different fields. \nOur evaluation demonstrates that ICEPRE significantly outperforms previous protocol reverse engineering tools in field boundary inference, achieving an F1 score of 0.76 and a perfection score of 0.67, while DynPRE, BinaryInferno, Nemeys, and Netzob yield (0.65, 0.35), (0.42, 0.14), (0.39, 0.09), and (0.27, 0.10), respectively. \nThese results underscore the superior overall performance of our method. \nAdditionally, ICEPRE exhibits exceptional performance with proprietary protocols in real-world scenarios, highlighting its practical applicability in downstream applications.<\/jats:p>","DOI":"10.1145\/3728982","type":"journal-article","created":{"date-parts":[[2025,6,22]],"date-time":"2025-06-22T10:52:56Z","timestamp":1750589576000},"page":"2384-2406","source":"Crossref","is-referenced-by-count":2,"title":["ICEPRE: ICS Protocol Reverse Engineering via Data-Driven Concolic Execution"],"prefix":"10.1145","volume":"2","author":[{"ORCID":"https:\/\/orcid.org\/0009-0000-1137-9800","authenticated-orcid":false,"given":"Yibo","family":"Qu","sequence":"first","affiliation":[{"name":"Institute of Information Engineering at Chinese Academy of Sciences, Beijing, China"},{"name":"University of Chinese Academy of Sciences, Beijing, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0005-7484-1333","authenticated-orcid":false,"given":"Dongliang","family":"Fang","sequence":"additional","affiliation":[{"name":"Institute of Information Engineering at Chinese Academy of Sciences, Beijing, China"},{"name":"University of Chinese Academy of Sciences, Beijing, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0009-9919-4653","authenticated-orcid":false,"given":"Zhen","family":"Wang","sequence":"additional","affiliation":[{"name":"Institute of Information Engineering at Chinese Academy of Sciences, Beijing, China"},{"name":"University of Chinese Academy of Sciences, Beijing, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0005-9491-1239","authenticated-orcid":false,"given":"Jiaxing","family":"Cheng","sequence":"additional","affiliation":[{"name":"Institute of Information Engineering at Chinese Academy of Sciences, Beijing, China"},{"name":"University of Chinese Academy of Sciences, Beijing, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-8805-1221","authenticated-orcid":false,"given":"Shuaizong","family":"Si","sequence":"additional","affiliation":[{"name":"Institute of Information Engineering at Chinese Academy of Sciences, Beijing, China"},{"name":"University of Chinese Academy of Sciences, Beijing, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-1000-1109","authenticated-orcid":false,"given":"Yongle","family":"Chen","sequence":"additional","affiliation":[{"name":"Taiyuan University of Technology, Taiyuan, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-6578-0680","authenticated-orcid":false,"given":"Limin","family":"Sun","sequence":"additional","affiliation":[{"name":"Institute of Information Engineering at Chinese Academy of Sciences, Beijing, China"},{"name":"University of Chinese Academy of Sciences, Beijing, China"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2025,6,22]]},"reference":[{"key":"e_1_2_1_1_1","unstructured":"airpig2011. 2019. Protocol of IEC104 and IEC101. https:\/\/github.com\/airpig2011\/IEC104"},{"key":"e_1_2_1_2_1","doi-asserted-by":"publisher","DOI":"10.1016\/J.IOT.2023.100936"},{"key":"e_1_2_1_3_1","doi-asserted-by":"publisher","DOI":"10.1109\/IFIPNetworking.2015.7145307"},{"key":"e_1_2_1_4_1","doi-asserted-by":"publisher","DOI":"10.1145\/2590296.2590346"},{"key":"e_1_2_1_5_1","doi-asserted-by":"publisher","DOI":"10.1145\/1653662.1653737"},{"key":"e_1_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.1145\/1315245.1315286"},{"key":"e_1_2_1_7_1","volume-title":"Engler","author":"Cadar Cristian","year":"2008","unstructured":"Cristian Cadar, Daniel Dunbar, and Dawson R. Engler. 2008. KLEE: Unassisted and Automatic Generation of High-Coverage Tests for Complex Systems Programs. In 8th USENIX Symposium on Operating Systems Design and Implementation, OSDI 2008, December 8-10, 2008, San Diego, California, USA, Proceedings. USENIX Association, 209\u2013224. http:\/\/www.usenix.org\/events\/osdi08\/tech\/full_papers\/cadar\/cadar.pdf"},{"key":"e_1_2_1_8_1","volume-title":"30th Annual Network and Distributed System Security Symposium, NDSS 2023","author":"Chandler Jared","year":"2023","unstructured":"Jared Chandler, Adam Wick, and Kathleen Fisher. 2023. BinaryInferno: A Semantic-Driven Approach to Field Inference for Binary Message Formats. In 30th Annual Network and Distributed System Security Symposium, NDSS 2023, San Diego, California, USA, February 27 - March 3, 2023. The Internet Society. https:\/\/www.ndss-symposium.org\/ndss-paper\/binaryinferno-a-semantic-driven-approach-to-field-inference-for-binary-message-formats\/"},{"key":"e_1_2_1_9_1","volume-title":"IoTFuzzer: Discovering Memory Corruptions in IoT Through App-based Fuzzing. In 25th Annual Network and Distributed System Security Symposium, NDSS 2018","author":"Chen Jiongyi","year":"2018","unstructured":"Jiongyi Chen, Wenrui Diao, Qingchuan Zhao, Chaoshun Zuo, Zhiqiang Lin, XiaoFeng Wang, Wing Cheong Lau, Menghan Sun, Ronghai Yang, and Kehuan Zhang. 2018. IoTFuzzer: Discovering Memory Corruptions in IoT Through App-based Fuzzing. In 25th Annual Network and Distributed System Security Symposium, NDSS 2018, San Diego, California, USA, February 18-21, 2018. The Internet Society. https:\/\/www.ndss-symposium.org\/wp-content\/uploads\/2018\/02\/ndss2018_01A-1_Chen_paper.pdf"},{"key":"e_1_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1145\/3597503.3639583"},{"key":"e_1_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2009.14"},{"key":"e_1_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1145\/1455770.1455820"},{"key":"e_1_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.1016\/J.DIIN.2017.06.005"},{"key":"e_1_2_1_14_1","unstructured":"NSA\u2019s Research Directorate. 2019. Ghidra. https:\/\/www.ghidra-sre.org\/"},{"key":"e_1_2_1_15_1","unstructured":"DynamoRIO. 2024. Dynamic Instrumentation Tool Platform. https:\/\/dynamorio.org\/"},{"key":"e_1_2_1_16_1","unstructured":"Michael Eddington. 2021. GitLab Protocol Fuzzer Community Edition. https:\/\/gitlab.com\/gitlab-org\/security-products\/protocol-fuzzer-ce"},{"key":"e_1_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.1109\/JIOT.2018.2822842"},{"key":"e_1_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1145\/3485832.3488028"},{"key":"e_1_2_1_19_1","unstructured":"Wireshark Foundation. 2024. The world\u2019s most popular network protocol analyzer. https:\/\/www.wireshark.org\/"},{"key":"e_1_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-28865-9_18"},{"key":"e_1_2_1_21_1","unstructured":"Scott Gayou. 2020. A firmware base address search tool.. https:\/\/github.com\/sgayou\/rbasefind"},{"key":"e_1_2_1_22_1","unstructured":"Dan Goodin. 2021. Hard-coded key vulnerability in Logix PLCs. https:\/\/arstechnica.com\/information-technology\/2021\/02\/hard-coded-key-vulnerability-in-logix-plcs-has-severity-score-of-10-out-of-10\/"},{"key":"e_1_2_1_23_1","unstructured":"Hex-Rays. 2024. Hex-Rays Decompiler. https:\/\/www.hex-rays.com\/decompiler\/"},{"key":"e_1_2_1_24_1","unstructured":"Dick Hollenbeck. 2024. CIPster Ethernet\/IP Stack in C++. https:\/\/github.com\/liftoff-sr\/CIPster"},{"key":"e_1_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1145\/3203217.3203241"},{"key":"e_1_2_1_26_1","unstructured":"Intel. 2024. Pin - A Dynamic Binary Instrumentation Tool. https:\/\/www.intel.com\/content\/www\/us\/en\/developer\/articles\/tool\/pin-a-dynamic-binary-instrumentation-tool.html"},{"key":"e_1_2_1_27_1","doi-asserted-by":"publisher","unstructured":"Zhizhuang Jia Chao Yang Xiaoyun Zhao Xinghua Li and Jianfeng Ma. 2023. Design and Implementation of an Efficient Container Tag Dynamic Taint Analysis. Computers & Security Oct. 103528. issn:0167-4048 https:\/\/doi.org\/10.1016\/j.cose.2023.103528 10.1016\/j.cose.2023.103528","DOI":"10.1016\/j.cose.2023.103528"},{"key":"e_1_2_1_28_1","doi-asserted-by":"publisher","unstructured":"Jiayi Jiang Xiyuan Zhang Chengcheng Wan Haoyi Chen Haiying Sun and Ting Su. 2024. BinPRE: Enhancing Field Inference in Binary Analysis Based Protocol Reverse Engineering. https:\/\/doi.org\/10.48550\/arXiv.2409.01994 arXiv:2409.01994 10.48550\/arXiv.2409.01994","DOI":"10.48550\/arXiv.2409.01994"},{"key":"e_1_2_1_29_1","volume-title":"Jetset: Targeted Firmware Rehosting for Embedded Systems. In 30th USENIX Security Symposium (USENIX Security 21)","author":"Johnson Evan","year":"2021","unstructured":"Evan Johnson, Maxwell Bland, Yifei Zhu, Joshua Mason, Stephen Checkoway, Stefan Savage, and Kirill Levchenko. 2021. Jetset: Targeted Firmware Rehosting for Embedded Systems. In 30th USENIX Security Symposium (USENIX Security 21). USENIX Association, 321\u2013338. https:\/\/www.usenix.org\/conference\/usenixsecurity21\/presentation\/johnson"},{"key":"e_1_2_1_30_1","unstructured":"jtpereyda. 2024. boofuzz: Network Protocol Fuzzing for Humans. https:\/\/github.com\/jtpereyda\/boofuzz"},{"key":"e_1_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.1145\/2365864.2151042"},{"key":"e_1_2_1_32_1","volume-title":"12th USENIX Workshop on Offensive Technologies (WOOT 18)","author":"Kleber Stephan","year":"2018","unstructured":"Stephan Kleber, Henning Kopp, and Frank Kargl. 2018. NEMESYS: Network Message Syntax Reverse Engineering by Analysis of the Intrinsic Structure of Individual Messages. In 12th USENIX Workshop on Offensive Technologies (WOOT 18). USENIX Association, Baltimore, MD. https:\/\/www.usenix.org\/conference\/woot18\/presentation\/kleber"},{"key":"e_1_2_1_33_1","unstructured":"Galaxy Lab. 2020. A ToolSet for VxWorks Based Embedded Device Analyses.. https:\/\/github.com\/PAGalaxyLab\/vxhunter"},{"key":"e_1_2_1_34_1","unstructured":"Nozomi Networks Labs. 2021. New Research Uncovers 5 Vulnerabilities in Mitsubishi Safety PLCs. https:\/\/www.nozominetworks.com\/blog\/new-research-uncovers-5-vulnerabilities-in-mitsubishi-safety-plcs"},{"key":"e_1_2_1_35_1","volume-title":"Proceedings of the Network and Distributed System Security Symposium, NDSS 2008","author":"Lin Zhiqiang","year":"2008","unstructured":"Zhiqiang Lin, Xuxian Jiang, Dongyan Xu, and Xiangyu Zhang. 2008. Automatic Protocol Format Reverse Engineering through Context-Aware Monitored Execution. In Proceedings of the Network and Distributed System Security Symposium, NDSS 2008, San Diego, California, USA, 10th February - 13th February 2008. The Internet Society. https:\/\/www.ndss-symposium.org\/ndss2008\/automatic-protocol-format-reverse-engineering-through-context-aware-monitored-execution\/"},{"key":"e_1_2_1_36_1","volume-title":"31st Annual Network and Distributed System Security Symposium, NDSS 2024","author":"Luo Zhengxiong","year":"2024","unstructured":"Zhengxiong Luo, Kai Liang, Yanyang Zhao, Feifan Wu, Junze Yu, Heyuan Shi, and Yu Jiang. 2024. DynPRE: Protocol Reverse Engineering via Dynamic Inference. In 31st Annual Network and Distributed System Security Symposium, NDSS 2024, San Diego, California, USA, February 26 - March 1, 2024. The Internet Society. https:\/\/www.ndss-symposium.org\/ndss-paper\/dynpre-protocol-reverse-engineering-via-dynamic-inference\/"},{"key":"e_1_2_1_37_1","volume-title":"Vulnerability Spotlight: Multiple vulnerabilities in Schneider Electric Modicon M580. https:\/\/blog.talosintelligence.com\/vulnerability-spotlight-multiple-63063210e63ef5e7e1ec3130\/","author":"Munshaw Jonathan","year":"2019","unstructured":"Jonathan Munshaw. 2019. Vulnerability Spotlight: Multiple vulnerabilities in Schneider Electric Modicon M580. https:\/\/blog.talosintelligence.com\/vulnerability-spotlight-multiple-63063210e63ef5e7e1ec3130\/"},{"key":"e_1_2_1_38_1","unstructured":"Davide Nardella. 2016. Step7 Open Source Ethernet Communication Suite. https:\/\/snap7.sourceforge.net\/"},{"key":"e_1_2_1_39_1","unstructured":"netplier tool. 2021. NetPlier: Probabilistic Network Protocol Reverse Engineering from Message Traces. https:\/\/github.com\/netplier-tool\/NetPlier\/tree\/master\/data"},{"key":"e_1_2_1_40_1","unstructured":"OpenRCE. 2020. A pure-python fully automated and unattended fuzzing framework.. https:\/\/github.com\/OpenRCE\/sulley"},{"key":"e_1_2_1_41_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICST46399.2020.00062"},{"key":"e_1_2_1_42_1","volume-title":"Automatic Wireless Protocol Reverse Engineering. In 13th USENIX Workshop on Offensive Technologies (WOOT 19)","author":"Pohl Johannes","year":"2019","unstructured":"Johannes Pohl and Andreas Noack. 2019. Automatic Wireless Protocol Reverse Engineering. In 13th USENIX Workshop on Offensive Technologies (WOOT 19). USENIX Association, Santa Clara, CA. https:\/\/www.usenix.org\/conference\/woot19\/presentation\/pohl"},{"key":"e_1_2_1_43_1","unstructured":"St\u00e9phane Raimbault. 2024. A groovy modbus library. https:\/\/github.com\/stephane\/libmodbus"},{"key":"e_1_2_1_44_1","volume-title":"Fuzzware: Using Precise MMIO Modeling for Effective Firmware Fuzzing. In 31st USENIX Security Symposium (USENIX Security 22)","author":"Scharnowski Tobias","year":"2022","unstructured":"Tobias Scharnowski, Nils Bars, Moritz Schloegel, Eric Gustafson, Marius Muench, Giovanni Vigna, Christopher Kruegel, Thorsten Holz, and Ali Abbasi. 2022. Fuzzware: Using Precise MMIO Modeling for Effective Firmware Fuzzing. In 31st USENIX Security Symposium (USENIX Security 22). USENIX Association, Boston, MA. 1239\u20131256. isbn:978-1-939133-31-1 https:\/\/www.usenix.org\/conference\/usenixsecurity22\/presentation\/scharnowski"},{"key":"e_1_2_1_45_1","volume-title":"AIFORE: Smart Fuzzing Based on Automatic Input Format Reverse Engineering. In 32nd USENIX Security Symposium (USENIX Security 23)","author":"Shi Ji","year":"2023","unstructured":"Ji Shi, Zhun Wang, Zhiyao Feng, Yang Lan, Shisong Qin, Wei You, Wei Zou, Mathias Payer, and Chao Zhang. 2023. AIFORE: Smart Fuzzing Based on Automatic Input Format Reverse Engineering. In 32nd USENIX Security Symposium (USENIX Security 23). USENIX Association, Anaheim, CA. 4967\u20134984. isbn:978-1-939133-37-3 https:\/\/www.usenix.org\/conference\/usenixsecurity23\/presentation\/shi-ji"},{"key":"e_1_2_1_46_1","doi-asserted-by":"publisher","DOI":"10.1145\/3576915.3616614"},{"key":"e_1_2_1_47_1","volume-title":"32nd USENIX Security Symposium (USENIX Security 23)","author":"Shi Qingkai","year":"2023","unstructured":"Qingkai Shi, Xiangzhe Xu, and Xiangyu Zhang. 2023. Extracting Protocol Format as State Machine via Controlled Static Loop Analysis. In 32nd USENIX Security Symposium (USENIX Security 23). USENIX Association, Anaheim, CA. 7019\u20137036. isbn:978-1-939133-37-3 https:\/\/www.usenix.org\/conference\/usenixsecurity23\/presentation\/shi-qingkai"},{"key":"e_1_2_1_48_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2016.17"},{"key":"e_1_2_1_49_1","unstructured":"Jason Smith. 2020. A collection of ICS\/SCADA PCAPs. https:\/\/github.com\/automayt\/ICS-pcap"},{"key":"e_1_2_1_50_1","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2022.3228076"},{"key":"e_1_2_1_51_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-031-09234-3_18"},{"key":"e_1_2_1_52_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-04444-1_13"},{"key":"e_1_2_1_53_1","unstructured":"Thomas Weber. 2019. Reverse Engineering Custom ASICs by Exploiting Potential Supply-Chain Leaks. https:\/\/www.blackhat.com\/asia-19\/briefings\/schedule\/##reverse-engineering-custom-asics-by-exploiting-potential-supply-chain-leaks-13730"},{"key":"e_1_2_1_54_1","doi-asserted-by":"publisher","DOI":"10.5220\/0010327902370248"},{"key":"e_1_2_1_55_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2021.24531"},{"key":"e_1_2_1_56_1","doi-asserted-by":"publisher","DOI":"10.1145\/3660782"}],"container-title":["Proceedings of the ACM on Software Engineering"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3728982","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,16]],"date-time":"2025-07-16T16:56:08Z","timestamp":1752684968000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3728982"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,6,22]]},"references-count":56,"journal-issue":{"issue":"ISSTA","published-print":{"date-parts":[[2025,6,22]]}},"alternative-id":["10.1145\/3728982"],"URL":"https:\/\/doi.org\/10.1145\/3728982","relation":{},"ISSN":["2994-970X"],"issn-type":[{"value":"2994-970X","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,6,22]]}}}