Jiaxing Cheng (Institute of Information Engineering, CAS; SCS, UCAS, Beijing, China), Ming Zhou (SCS, Nanjing University of Science and Technology, Nanjing, Jiangsu, China), Haining Wang (ECE, Virginia Tech, Arlington, VA, USA), Xin Chen (Institute of Information Engineering, CAS; SCS, UCAS, Beijing, China), Yuncheng Wang (Institute of Information Engineering, CAS; SCS, UCAS, Beijing, China), Yibo Qu (Institute of Information Engineering, CAS; SCS, UCAS, Beijing, China), Limin Sun (Institute of Information Engineering, CAS; SCS, UCAS, Beijing, China)

Programmable Logic Controllers (PLCs) automate industrial operations using vendor-supplied logic instruction libraries compiled into device firmware. These libraries may contain security flaws that, when triggered through physical control routines, network-facing services, or PLC runtime subsystems, can lead to privilege violations, memory corruption, or data leakage. This paper presents LogicFuzz, the first fuzzing framework designed specifically to target logic instructions in PLC firmware. LogicFuzz constructs a semantic dependency graph (SDG) that captures both operational semantics and inter-instruction dependencies in PLC code. Leveraging the SDG together with an enable-signal mechanism, LogicFuzz automatically synthesizes instruction-tailored seed programs, significantly reducing manual effort and enabling controlled, resettable fuzzing on real PLC hardware. To uncover bugs conditioned on control-flow triggers (i.e., invocation patterns), LogicFuzz mutates the SDG to diversify instruction-invocation contexts. To expose data-triggered faults, it performs coverage-guided parameter mutation under valid semantic constraints. In addition, LogicFuzz integrates a multi-source oracle that monitors runtime logs, status LEDs, and communication states to detect instruction-level failures during fuzzing. We evaluate LogicFuzz on six production PLCs from three major vendors and uncover 19 instruction-level bugs, including four previously unknown vulnerabilities.
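The abstract names three mechanisms without showing how they fit together: SDG-based seed synthesis with per-instruction enable signals, SDG mutation to vary the invocation context, and parameter mutation that stays inside each operand's valid range. The following toy model is an added illustration written for this page, not LogicFuzz's code or any vendor's instruction library. The instruction catalogue (`ADD_INT`, `INT_TO_REAL`, `SQRT_REAL`, `GT_REAL`), the type ranges, the `Node`/`SDG` classes and the Structured-Text rendering with `EN_<node>` guards are all constructed assumptions chosen to make the idea runnable offline; a real harness would also need the device-side reset and the multi-source oracle the abstract describes.

```python
"""Toy SDG seed synthesis and constraint-aware mutation for PLC logic instructions.
Added example for this page; not LogicFuzz's implementation. Catalogue, ranges and
the Structured-Text rendering below are constructed placeholders."""
import copy
import random
from dataclasses import dataclass, field

# Constructed instruction catalogue: typed inputs and one typed output per instruction.
INSTRUCTIONS = {
    "ADD_INT":     {"in": ["INT", "INT"],   "out": "INT"},
    "INT_TO_REAL": {"in": ["INT"],          "out": "REAL"},
    "SQRT_REAL":   {"in": ["REAL"],         "out": "REAL"},
    "GT_REAL":     {"in": ["REAL", "REAL"], "out": "BOOL"},
}
# Constructed semantic constraint: the value range a literal of each type may take.
TYPE_RANGES = {"INT": (-32768, 32767), "REAL": (-1.0e6, 1.0e6), "BOOL": (0, 1)}


@dataclass
class Node:
    name: str
    instr: str
    args: list            # each arg is ("lit", value) or ("ref", producer_node_name)
    enable: bool = True   # enable signal the harness can toggle between runs


@dataclass
class SDG:
    nodes: list = field(default_factory=list)   # kept in a valid execution order


def random_literal(ty, rng):
    lo, hi = TYPE_RANGES[ty]
    return rng.uniform(lo, hi) if ty == "REAL" else rng.randint(lo, hi)


def synthesize_seed(target, rng, depth=2):
    """Build an SDG whose last node invokes `target`. Each input is fed either by an
    earlier node whose output type matches (an inter-instruction dependency) or by
    an in-range literal. Nodes are appended post-order, so list order is run order."""
    g = SDG()

    def build(instr, d):
        args = []
        for ty in INSTRUCTIONS[instr]["in"]:
            cands = [i for i, s in INSTRUCTIONS.items() if s["out"] == ty]
            if d > 0 and cands and rng.random() < 0.7:
                args.append(("ref", build(rng.choice(cands), d - 1).name))
            else:
                args.append(("lit", random_literal(ty, rng)))
        node = Node(f"n{len(g.nodes)}", instr, args)
        g.nodes.append(node)
        return node

    build(target, depth)
    return g


def well_typed(g):
    """Validity check a seed must pass before it is worth loading on a device: every
    reference resolves to an earlier producer of the right type, every literal is in range."""
    out_types = {}
    for n in g.nodes:
        for (kind, val), ty in zip(n.args, INSTRUCTIONS[n.instr]["in"]):
            if kind == "ref":
                if out_types.get(val) != ty:
                    return False
            else:
                lo, hi = TYPE_RANGES[ty]
                if not lo <= val <= hi:
                    return False
        out_types[n.name] = INSTRUCTIONS[n.instr]["out"]
    return True


def mutate_params(g, rng):
    """Data-triggered mutation: rewrite one literal while staying inside its type's
    range, biased toward the range boundaries and zero."""
    new = copy.deepcopy(g)
    slots = [(n, i) for n in new.nodes for i, (k, _) in enumerate(n.args) if k == "lit"]
    if slots:
        node, i = rng.choice(slots)
        ty = INSTRUCTIONS[node.instr]["in"][i]
        lo, hi = TYPE_RANGES[ty]
        node.args[i] = ("lit", rng.choice([lo, hi, 0, random_literal(ty, rng)]))
    return new


def mutate_context(g, rng):
    """Control-flow mutation: flip the enable signal of one upstream node so the
    target runs with a different set of live producers (a new invocation context)."""
    new = copy.deepcopy(g)
    if len(new.nodes) > 1:
        n = rng.choice(new.nodes[:-1])
        n.enable = not n.enable
    return new


def emit_st(g):
    """Render the SDG as a sketch of IEC 61131-3 Structured Text, one guarded call per node."""
    lines = []
    for n in g.nodes:
        rendered = [val if kind == "ref" else str(val) for kind, val in n.args]
        lines.append(f"IF EN_{n.name} THEN {n.name} := {n.instr}({', '.join(rendered)}); END_IF;")
    return "\n".join(lines)


def run_demo(seed=1):
    """One synthesis round plus one mutant of each kind, for a fixed RNG seed."""
    rng = random.Random(seed)
    g = synthesize_seed("GT_REAL", rng)
    return g, mutate_params(g, rng), mutate_context(g, rng), emit_st(g)


if __name__ == "__main__":
    seed_graph, data_mutant, ctx_mutant, st = run_demo()
    print(st)
    print("seed valid:", well_typed(seed_graph), "data mutant valid:", well_typed(data_mutant))
    print("enables after context mutation:", [n.enable for n in ctx_mutant.nodes])
```

The point of `well_typed` is that both mutators change a seed without leaving the space of programs the device will accept, which is what lets the fuzzer attribute a crash, a status-LED fault or a dropped connection to the instruction under test rather than to a rejected download.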
