IRPFuzz: Fuzzing Industrial Robot Protocol Via LLM-Driven Traffic Semantic Analysis
Laile Xi, Weicheng Lin, Yang Zhang, Shenghao Lin, Hao Sun, Yimo Ren, Hongsong Zhu
AI summary
Problem
Proprietary industrial robot protocols lack documentation and source code, making it difficult for traditional fuzzers to capture complex state transitions and generate valid inputs for vulnerability discovery.
Approach
IRPFuzz captures real-world teach pendant traffic, uses LLMs to extract runtime states and request field templates, and dynamically builds state and data models to guide efficient, state-aware fuzzing and structured mutation.
Key results
- Automatically constructed accurate state and data models within 24 hours
- Discovered 36 crashes on a commercial ROKAE XB7L robot
- Outperformed Boofuzz, PCFuzzer, and MSGFuzzer by up to 157.14%
- Confirmed 5 vulnerabilities, including 3 high-severity
Why it matters
Provides a scalable, automated method for securing critical industrial automation infrastructure against protocol-level attacks without requiring vendor source code.
Abstract
Industrial robots are widely used in modern factories, interacting with external systems via network protocols. Any vulnerability in these protocols could be exploited to control the robot, potentially disrupting production and even endangering human lives. Protocol fuzzing is commonly used to discover vulnerabilities in protocol implementations. However, existing fuzzers are inefficient against industrial robot protocols because of their proprietary nature and complex state relationships. In this paper, we present IRPFuzz, a state-aware fuzzer for industrial robot protocols. By integrating large language models (LLMs) to analyze network traffic, IRPFuzz infers robot states and request templates, enabling the automatic construction of a state model and a data model for efficient state-aware fuzzing and structured message mutation. Evaluated on a real robot, IRPFuzz discovered 36 crashes, outperforming boofuzz by 157.14%, PCFuzzer by 89.47%, and MSGFuzzer by 16.13%. Five of these crashes were confirmed and assigned vulnerability IDs, including three classified as high-severity, which demonstrates the effectiveness of IRPFuzz.
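The pipeline described in the approach summary and the abstract (traffic capture, state and template inference, state-aware fuzzing with structured mutation), as an added Python sketch that is not IRPFuzz's own code. It replaces the LLM annotation step with a constructed, pre-labelled capture of a hypothetical pendant protocol (the frame layout, state names and all bytes are assumptions, not ROKAE's protocol), then builds the state model and data model, drives the target to a chosen state, and mutates one typed field.

```python
import random
from collections import deque

# Constructed capture of a hypothetical pendant protocol (NOT ROKAE's): frame =
# magic(2) | cmd(1) | len(1) | payload(len), labelled (state_from, state_to, request).
TRAFFIC = [
    ("IDLE",   "AUTH",   b"\xAA\x55\x01\x04user"),
    ("AUTH",   "READY",  b"\xAA\x55\x02\x01\x01"),
    ("READY",  "MOVING", b"\xAA\x55\x10\x04\x00\x10\x00\x20"),
    ("MOVING", "READY",  b"\xAA\x55\x11\x00"),
]

def build_state_model(traffic):  # state -> [(next_state, request observed there)]
    model = {}
    for src, dst, req in traffic:
        model.setdefault(src, []).append((dst, req))
    return model

def parse_template(req):  # data model: typed fields of a request; rejects malformed frames
    if len(req) < 4 or req[:2] != b"\xAA\x55" or len(req) - 4 != req[3]:
        raise ValueError("bad header or len/payload mismatch")
    return {"cmd": req[2], "len": req[3], "payload": req[4:]}

def path_to(model, target, start="IDLE"):  # BFS: request prefix that reaches target
    queue, seen = deque([(start, [])]), {start}
    while queue:
        state, prefix = queue.popleft()
        if state == target:
            return prefix
        for nxt, req in model.get(state, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, prefix + [req]))

def mutate(f, rng):
    """Structured mutation: keep the frame shape, perturb one typed field."""
    if rng.random() < 0.5:  # declared len disagrees with the real payload
        payload, length = f["payload"], (f["len"] + rng.randint(1, 254)) & 0xFF
    else:                   # grow the payload, keep len consistent
        payload = f["payload"] + bytes(rng.randrange(256) for _ in range(rng.randint(1, 8)))
        length = len(payload) & 0xFF
    return b"\xAA\x55" + bytes([f["cmd"], length]) + payload

def state_aware_cases(model, state, n, seed=0):
    """n test cases for `state`: the prefix that reaches it plus one mutated request."""
    rng, prefix = random.Random(seed), path_to(model, state)
    base = [parse_template(r) for _, r in model.get(state, [])]
    if prefix is None or not base:  # state unreachable, or never seen sending
        return []
    return [prefix + [mutate(rng.choice(base), rng)] for _ in range(n)]
```

Each returned case is the message sequence a harness would send in order: the replayed prefix puts the robot in the target state, and only the final message is mutated, which is what makes the fuzzing state-aware rather than blind.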