An LLM-Driven Fuzzing Framework for Detecting Logic Instruction Bugs in PLCs

Jiaxing Cheng

Network and Distributed System Security (NDSS) Symposium 2026 · Day 2 · Program Analysis

This talk presents **LogicFuzz**, an LLM-driven fuzzing framework designed to detect **logic instruction bugs** in Programmable Logic Controllers (PLCs) -- the core control devices in industrial control systems (ICS). Logic instructions are vendor-developed library routines in PLC firmware that engineers invoke in control programs. Bugs in these routines can silently break many control programs, leading to physical hazards in critical infrastructure.

AI review

A well-engineered fuzzing framework targeting a genuinely underexplored attack surface: logic instruction libraries in PLC firmware. The finding that instruction bugs are easier to exploit than control logic injection is significant for ICS offensive operations. 19 bugs across Siemens, Rockwell, and WAGO PLCs with a demonstrated physical-impact exploit chain (crashing PLC to halt a slide rail) makes this immediately relevant. The controllable/resettable test structure and multi-armed bandit mutation guidance are solid technical contributions.
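The multi-armed bandit mutation guidance named above, as an added illustration rather than LogicFuzz's own code: a UCB1 scheduler chooses among mutation operators by how often each has recently exposed a new behaviour of the routine under test, and every case runs against a fresh, stateless stand-in so the test is trivially resettable. The stand-in `scale_int`, the operator names and the novelty reward are constructed assumptions; the page does not describe LogicFuzz's actual operators or reward signal.

```python
import math
import random

INT16_MIN, INT16_MAX = -32768, 32767

def scale_int(raw, in_lo, in_hi):
    """Toy PLC-style scaling block (constructed): maps [in_lo, in_hi] onto [0, 10000],
    clamped to INT16. Deliberately fragile: in_hi == in_lo is not rejected."""
    out = (raw - in_lo) * 10000 // (in_hi - in_lo)
    return max(INT16_MIN, min(INT16_MAX, out))

def observe(args):
    try:  # one case on a fresh, stateless instruction -> coarse behaviour signature
        return f"bucket_{scale_int(*args) // 2500}"
    except ArithmeticError as e:
        return type(e).__name__

# Mutation operators over the argument vector (hypothetical names, not LogicFuzz's).
def m_perturb(args, rng):
    return [a + rng.randint(-1000, 1000) for a in args]
def m_boundary(args, rng):
    return [rng.choice((INT16_MIN, -1, 0, 1, INT16_MAX)) for _ in args]
OPERATORS = {"perturb": m_perturb, "boundary": m_boundary}

class UCB1Scheduler:
    """Multi-armed bandit over operators: choose the max of mean reward + exploration bonus."""
    def __init__(self, arms, c=1.4):
        self.c, self.total = c, 0
        self.pulls = {a: 0 for a in arms}
        self.reward = {a: 0.0 for a in arms}
    def select(self):
        unplayed = [a for a, n in self.pulls.items() if n == 0]
        if unplayed:
            return unplayed[0]  # try every operator once before ranking them
        return max(self.pulls, key=lambda a: self.reward[a] / self.pulls[a]
                   + self.c * math.sqrt(math.log(self.total) / self.pulls[a]))
    def update(self, arm, r):
        self.pulls[arm] += 1; self.reward[arm] += r; self.total += 1

def fuzz(rounds=2000, seed=1):
    rng, sched = random.Random(seed), UCB1Scheduler(OPERATORS)
    seen, args = set(), [500, 0, 1000]
    for _ in range(rounds):
        op = sched.select()
        cand = OPERATORS[op](args, rng)
        sig = observe(cand)
        sched.update(op, 1.0 if sig not in seen else 0.0)  # reward novelty only
        seen.add(sig)
        args = cand  # next mutation starts from the last case
    return seen, sched.pulls  # signatures found, and how often each operator was picked
```

`fuzz()` reports which behaviour signatures were reached (including the unguarded division) and how the scheduler split its budget between operators.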
