IPSpex: Enabling efficient fuzzing via specification extraction on ICS protocol

Y Sun, S Lv, J You, Y Sun, X Chen, Y Zheng, L Sun
International Conference on Applied Cryptography and Network Security, 2022, Springer
Abstract
Industrial Control System (ICS) protocols are essential for establishing communication between system components. Recent cyber-attacks have shown that vulnerabilities in ICS protocols pose enormous threats to ICS security. However, the efficiency of traditional black-box fuzzing techniques is constrained when the protocol specifications are not publicly available.
In this paper, we introduce the ICS Protocol Specification Extraction (IPSpex) method, which improves black-box fuzzing efficiency by analyzing how industrial software constructs network packets. We extract message field semantics from network traffic, collect execution traces of the packet construction code, and extract the message format using backward data-flow tracking and sequence alignment algorithms. Our evaluation shows that, compared to Wireshark, IPSpex achieves high correctness and perfection on three common ICS protocols: Modbus/TCP, S7Comm and FINS. We further combine IPSpex with boofuzz to test an undocumented ICS protocol, UMAS. In total we found five 1-day vulnerabilities and two 0-day vulnerabilities.