Author ORCID Identifier:

https://orcid.org/0009-0004-3269-3611

Date of Graduation

12-2025

Document Type

Dissertation

Degree Name

Doctor of Philosophy in Computer Science (PhD)

Degree Level

Graduate

Department

Computer Science & Computer Engineering

Advisor/Mentor

Li, Qinghua

Committee Member

Mallampalli, Kamesh

Second Committee Member

Jin, Kevin

Third Committee Member

Pan, Yanjun

Keywords

Fuzzing; Industrial Control Systems

Abstract

Industrial Control Systems (ICS) form the backbone of modern infrastructure, enabling real-time monitoring and automated control in domains such as energy, manufacturing, water treatment, and transportation. Traditionally designed with an emphasis on reliability and safety, these systems are increasingly integrated with information technology (IT) to improve efficiency and flexibility. This integration has brought operational benefits, but it has also exposed ICS environments to cyber threats that exploit software vulnerabilities. Fuzzing, an automated testing technique that feeds large volumes of unexpected or malformed inputs into a program to find flaws, has emerged as a promising approach to vulnerability discovery. Applying fuzzers designed for IT software to ICS is difficult, however: the unique nature of ICS leaves traditional fuzzers unable to generate suitable test inputs, instrument the programs under test, or detect specialized failure behaviors such as silent system crashes.

This work addresses these challenges with four contributions. First, we present a fuzzing framework specialized for industrial control logic programs. It targets execution models in which PLC programming languages such as Ladder Logic and Structured Text are translated into general-purpose languages like C and C++; by working at this translation layer, the framework can analyze hybrid execution environments that mix domain-specific and general-purpose code. A dedicated test case generation engine keeps fuzzing both effective and domain-aware for these execution models.

Second, to improve test case quality, we design a reinforcement learning-driven fuzzing technique that adaptively learns input mutation strategies. Modeling fuzzing as a Markov Decision Process lets the fuzzer select the mutations that maximize coverage and bug discovery. Third, while reinforcement learning improves the efficiency of input mutation, existing fuzzing tools still struggle to produce functionally diverse test cases that meaningfully exercise different aspects of ICS behavior; to fill this gap, we investigate the use of large language models (LLMs) to generate inputs that are not only structurally valid but also functionally distinct. Finally, to detect silent crashes that escape conventional fuzzing monitors, we apply side-channel analysis: electromagnetic (EM) signals emitted during program execution are collected and statistically analyzed to identify deviations from normal system behavior, and shifts in the EM patterns serve as reliable indicators of crashes or anomalies even when no error code or debugging output is available.

We evaluate each method experimentally and compare it with existing work. The evaluations show over 47 percent more crashes detected by our fuzzing framework, up to 43 percent higher coverage with reinforcement learning-enabled mutation strategies, a 35 percent reduction in erroneous test cases with our LLM-based test generation, and 96 percent accuracy in silent crash identification. Together with other promising findings, these results demonstrate the practical impact and robustness of the proposed methods and establish a comprehensive foundation for advancing fuzzing in ICS environments.
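The abstract describes casting fuzzing as a Markov Decision Process so the fuzzer learns which mutation to apply. The following is an added example of that idea in working code; it is not the dissertation's framework. Everything in it is a constructed stand-in: toy_target simulates a control-logic program compiled to C with branch ids in place of real edge instrumentation, the four mutation operators, the state definition (length bucket and opcode nibble) and the Q-learning hyperparameters are my own choices, and the reward is simply the number of previously unseen branches a mutated input reaches.

```python
"""Coverage-guided fuzzing loop with a tabular Q-learning mutation scheduler.

Added illustration, not code from the dissertation. State = coarse summary of
the seed being mutated, action = mutation operator, reward = new branches hit.
"""
import random
from collections import defaultdict
from typing import Callable, Dict, List, Set, Tuple

BranchSet = Set[str]
State = Tuple[int, int]


def toy_target(data: bytes) -> BranchSet:
    """Constructed stand-in for a control-logic program translated to C.
    Interprets a small register frame and returns the branch ids it reached."""
    cov = {"entry"}
    if len(data) < 4:
        cov.add("short_frame")
        return cov
    opcode, a, b, c = data[0], data[1], data[2], data[3]
    if opcode == 0x10:
        cov.add("op_timer")
        if a > 200:
            cov.add("timer_overflow")
    elif opcode == 0x20:
        cov.add("op_counter")
        if b == c:
            cov.add("counter_match")
        elif b > c and a == 0xFF:
            cov.add("counter_underflow")
    else:
        cov.add("op_unknown")
    if data[4:6] == b"\xde\xad":
        cov.add("trailer_magic")
    return cov


INTERESTING = [0x00, 0x10, 0x20, 0x7F, 0xFF]  # assumed "interesting" byte values


def flip_bit(rng: random.Random, d: bytes) -> bytes:
    if not d:
        return b"\x00"
    i = rng.randrange(len(d))
    return d[:i] + bytes([d[i] ^ (1 << rng.randrange(8))]) + d[i + 1:]


def set_interesting(rng: random.Random, d: bytes) -> bytes:
    if not d:
        return bytes([rng.choice(INTERESTING)])
    i = rng.randrange(len(d))
    return d[:i] + bytes([rng.choice(INTERESTING)]) + d[i + 1:]


def append_bytes(rng: random.Random, d: bytes) -> bytes:
    return d + bytes(rng.randrange(256) for _ in range(rng.randint(1, 2)))


def truncate(rng: random.Random, d: bytes) -> bytes:
    return d[:rng.randrange(len(d))] if d else d


MUTATORS: Dict[str, Callable[[random.Random, bytes], bytes]] = {
    "flip_bit": flip_bit, "set_interesting": set_interesting,
    "append_bytes": append_bytes, "truncate": truncate,
}


def state_of(data: bytes) -> State:
    """MDP state: length bucket and opcode nibble. Deliberately coarse so the
    Q-table stays small and learned values transfer between similar seeds."""
    return (min(len(data), 6), data[0] >> 4 if data else -1)


class QScheduler:
    """Tabular Q-learning over mutation operators with epsilon-greedy choice."""

    def __init__(self, actions: List[str], rng: random.Random,
                 alpha: float = 0.3, gamma: float = 0.6, epsilon: float = 0.3):
        self.actions, self.rng = actions, rng
        self.alpha, self.gamma, self.epsilon = alpha, gamma, epsilon
        self.q: Dict[State, Dict[str, float]] = defaultdict(
            lambda: {a: 0.0 for a in actions})

    def choose(self, s: State) -> str:
        if self.rng.random() < self.epsilon:          # explore
            return self.rng.choice(self.actions)
        best = max(self.q[s].values())                 # exploit, random tie-break
        return self.rng.choice([a for a, v in self.q[s].items() if v == best])

    def update(self, s: State, a: str, reward: float, s2: State) -> None:
        target = reward + self.gamma * max(self.q[s2].values())
        self.q[s][a] += self.alpha * (target - self.q[s][a])


def fuzz(iterations: int = 20000, seed: int = 0):
    """Run the loop; returns (global coverage, corpus, learned scheduler)."""
    rng = random.Random(seed)
    sched = QScheduler(list(MUTATORS), rng)
    corpus = [b"\x00\x00\x00\x00"]                     # constructed initial seed
    global_cov = toy_target(corpus[0])
    for _ in range(iterations):
        parent = rng.choice(corpus)
        s = state_of(parent)
        action = sched.choose(s)
        child = MUTATORS[action](rng, parent)
        new = toy_target(child) - global_cov
        sched.update(s, action, float(len(new)), state_of(child))
        if new:                                        # keep only inputs that paid off
            global_cov |= new
            corpus.append(child)
    return global_cov, corpus, sched


if __name__ == "__main__":
    cov, corpus, sched = fuzz()
    print(sorted(cov))
    for s, table in sched.q.items():
        print(s, "->", max(table, key=table.get))
```

The reward is sparse: once a branch has been seen it never pays again, so Q-values decay toward zero and the scheduler keeps exploring. A real deployment would use a richer state (for example, a hash of the parent's coverage bitmap) and a reward that also credits crashes, but the loop structure is the same.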
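The abstract's last contribution flags silent crashes by statistically comparing EM emissions against normal execution. The following is an added example of that detection logic and is not the dissertation's pipeline or data. The traces are constructed (a noisy periodic "scan cycle" signal standing in for sampled emissions), the three per-trace features and the z-score threshold are my own choices, and the two failure modes shown (the program stops scanning; the program spins in a tight loop) are assumed rather than taken from the work.

```python
"""Silent-crash detection from side-channel traces by statistical deviation.

Added illustration, not the dissertation's method. A baseline of per-trace
features is learned from traces captured during normal execution; a trace whose
features sit more than `threshold` standard deviations from that baseline is
flagged even though the target reported no error.
"""
import math
import random
import statistics
from typing import Dict, List

SCAN_PERIOD = 32  # samples per simulated PLC scan cycle (assumption)


def make_trace(rng: random.Random, mode: str = "normal", n: int = 512) -> List[float]:
    """Constructed trace. 'normal': scan-rate activity plus noise. 'stall':
    noise only, the program stopped scanning. 'tight_loop': spins far faster."""
    period = {"normal": SCAN_PERIOD, "tight_loop": 4}.get(mode)
    out = []
    for t in range(n):
        signal = math.sin(2 * math.pi * t / period) if period else 0.0
        out.append(signal + rng.gauss(0.0, 0.2))
    return out


def features(trace: List[float]) -> Dict[str, float]:
    """Three cheap features: overall energy, activity rate, and energy at the
    expected scan frequency (one DFT bin, k = n / SCAN_PERIOD)."""
    n = len(trace)
    rms = math.sqrt(sum(x * x for x in trace) / n)
    crossings = sum(1 for i in range(1, n) if (trace[i - 1] < 0) != (trace[i] < 0))
    k = n // SCAN_PERIOD
    re = sum(x * math.cos(2 * math.pi * k * t / n) for t, x in enumerate(trace))
    im = sum(x * math.sin(2 * math.pi * k * t / n) for t, x in enumerate(trace))
    return {"rms": rms, "zero_crossings": float(crossings),
            "scan_energy": math.hypot(re, im) / n}


class Baseline:
    """Per-feature mean and standard deviation from known-good traces."""

    def __init__(self, normal_traces: List[List[float]]):
        feats = [features(t) for t in normal_traces]
        keys = list(feats[0])
        self.mean = {k: statistics.fmean([f[k] for f in feats]) for k in keys}
        # epsilon guards against a constant feature dividing by zero
        self.std = {k: statistics.pstdev([f[k] for f in feats]) + 1e-9 for k in keys}

    def zscores(self, trace: List[float]) -> Dict[str, float]:
        f = features(trace)
        return {k: (f[k] - self.mean[k]) / self.std[k] for k in f}

    def is_silent_crash(self, trace: List[float], threshold: float = 5.0) -> bool:
        """Flag if any feature deviates by more than `threshold` sigma."""
        return max(abs(z) for z in self.zscores(trace).values()) > threshold


def demo(seed: int = 1) -> Dict[str, bool]:
    """Fit on 40 constructed normal traces, then score fresh traces."""
    rng = random.Random(seed)
    base = Baseline([make_trace(rng) for _ in range(40)])
    return {
        "normal_flagged": any(base.is_silent_crash(make_trace(rng)) for _ in range(10)),
        "stall_flagged": base.is_silent_crash(make_trace(rng, "stall")),
        "tight_loop_flagged": base.is_silent_crash(make_trace(rng, "tight_loop")),
    }


if __name__ == "__main__":
    print(demo())
```

A tight loop keeps the same RMS as normal execution, so energy alone would miss it; the zero-crossing rate and the scan-frequency bin catch it because the periodicity changed. Conversely a stall leaves only noise, which every feature sees. Real captures need the same structure but with features fit to the actual emission spectrum and a threshold calibrated on the false-positive rate over many clean runs.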

Available for download on Sunday, February 13, 2028
