Discovering Blind-Trust Vulnerabilities in PLC Binaries via State Machine Recovery

Fangzhou Dong

Network and Distributed System Security (NDSS) Symposium 2026 · Day 2 · Program Analysis

Programmable Logic Controllers (PLCs) are the industrial computers running critical infrastructure -- traffic lights, warehouse lifters, conveyor systems, water treatment plants. This talk introduces a new class of safety vulnerability called **Blind Trust Vulnerabilities (BTVs)**, which are logic bugs caused by PLC programmers placing blind trust in assumptions about system inputs without sufficient sanitization or validation. When a system receives an input outside these assumptions -- whether from faulty sensors or adversarial manipulation -- it can cause catastrophic safety failures.
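To make the class concrete, here is an added illustration that is not code from the talk or its framework: a constructed tank-filling controller in C whose filling state blindly trusts a level sensor, beside a variant of the same state machine that validates each reading's range and rate of change and fails safe. The states, thresholds and the assumption that an error reading shows up as an out-of-range value are all hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical tank-filling controller, constructed for illustration.
 * State names and the 0..100 level-sensor range are assumptions. */
typedef enum { ST_IDLE, ST_FILLING, ST_FULL, ST_FAULT } state_t;

enum { LEVEL_MIN = 0, LEVEL_MAX = 100, MAX_STEP = 10 };

typedef struct {
    state_t state;
    int32_t last_level;
    bool    pump_on;
} ctrl_t;

/* Blind-trust version: assumes the sensor always reports 0..100 and that
 * the level rises while the pump runs. A negative or out-of-range reading
 * (e.g. a sensor error code) never satisfies the FULL transition, so the
 * pump stays on indefinitely. */
void step_blind(ctrl_t *c, int32_t level, bool start) {
    switch (c->state) {
    case ST_IDLE:    if (start) { c->state = ST_FILLING; c->pump_on = true; } break;
    case ST_FILLING: if (level >= LEVEL_MAX) { c->state = ST_FULL; c->pump_on = false; } break;
    default: break; /* FULL and FAULT are terminal here */
    }
    c->last_level = level;
}

/* Plausibility check: reading must be in range and must not change faster
 * than the process physically allows between two samples. */
static bool plausible(const ctrl_t *c, int32_t level) {
    if (level < LEVEL_MIN || level > LEVEL_MAX) return false;
    return abs(level - c->last_level) <= MAX_STEP;
}

/* Validated version: same FSM, but an implausible reading routes the
 * controller to a safe state with the pump off instead of being trusted. */
void step_checked(ctrl_t *c, int32_t level, bool start) {
    if (c->state != ST_FAULT && !plausible(c, level)) {
        c->state = ST_FAULT;
        c->pump_on = false;
        return;
    }
    step_blind(c, level, start);
}

/* Drive a fresh controller through a reading sequence; the first reading
 * carries the start command. Returns the final state and pump status. */
state_t run(void (*step)(ctrl_t *, int32_t, bool), const int32_t *levels, size_t n, bool *pump_on) {
    ctrl_t c = { ST_IDLE, 0, false };
    for (size_t i = 0; i < n; i++) step(&c, levels[i], i == 0);
    *pump_on = c.pump_on;
    return c.state;
}
```

With a constructed sequence in which the sensor returns -1 mid-fill, the blind controller is left in ST_FILLING with the pump running, while the checked controller ends in ST_FAULT with the pump off.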

AI review

A well-executed piece of binary analysis work that defines a new vulnerability class (Blind Trust Vulnerabilities) in PLC programs and backs it up with a technically sound FSM recovery framework, formal completeness proofs, and real findings in ArduCopter. The Boeing 737 MAX framing powerfully illustrates the stakes. The cross-architecture, cross-toolchain evaluation across 5 ISAs and 4 toolchains demonstrates genuine generalizability, and the open-source artifacts enable reproduction.