Hunting for vulnerabilities in industrial environments has become increasingly important as industrial control systems and critical infrastructure face threats from state-sponsored actors and ransomware groups hoping to cash out on million-dollar payments.  

Fuzzing has long been one of our favorite ways to search for security issues or vulnerabilities in software, but fuzzing popular systems used in ICS environments has traditionally required a custom hardware setup to run the code in its native environment.

However, I recently created my own fuzzer after Weston Embedded made its full µC/OS protocol stack source code openly available in 2020. µC/OS (also stylized as MicroC/OS) is a real-time operating system commonly used in resource-constrained embedded systems like industrial control systems. The operating system uses a scheduling mechanism to ensure efficient task management in industrial environments, and we recently discovered multiple vulnerabilities in the system that could allow an adversary to carry out a range of malicious actions, including causing a denial of service or gaining the ability to execute arbitrary code on the system.  

Today, we’re publishing a three-part look at how I created this fuzzer, the various hurdles I faced along the way, and how I used it to fuzz two different µC/OS protocol stacks. These individual posts are linked below.