TROPICS ­ Timely and RObust Patching of Industrial Control Systems


Industrial Control Systems (ICS/SCADA) control the most crucial resources in factories, powerplants, and
production facilities. Safety and security for such systems is of the highest priority. Paradoxially, these
systems are often among the worst protected against the latest cyber attacks. The problem is that even if
an update is available, adminisitrators are reluctant to apply it, as bugs or unexpected side effects in the
new code may jeopardize the very safety and stability of mission critical systems. In addition, the updates
(or security patches) typically become available weeks or months after the discovery of the vulnerability--
extending the window of vulnerability to many months (or even years). The goal of the TROPICS proposal
is to close this window as soon as possible.

In today's world security updates for ICS are problematic, because almost all the relevant information
is lacking: we do not know about vulnerabilities until is too late, and if we do hear about them, we are
often not sure about the severity of the vulnerability (" how urgent is this?"). Also, there may be no patch
available yet ("how do I fix this?" ), and even if there is a patch, it is typically unclear how risky it is
to apply it ("may it crash or destabilize the system?"). Finally, there is no reasonable solution when the
problem is serious and there is no patch, or the patch is risky--the only (unacceptable) option is to stay

In the TROPICS project, we will address these issues by developing novel techniques to:

- Determine the severity of the vulnerability to help adminstrators decide whether an immediate patch
is needed. We will do so by finding and analyzing vulnerabilities with an aim of automatic exploit
generation. Specifically, we explore how easily the vulnerability can lead to control over the registers,
access to data (via read and write primitives), and an end-to-end exploit.

- Score the impact of the patch in how it may interfere with the stability or functionality of the software.
The analysis consists of patch validation that verifies to what extent the functions affected by a patch
exhibit behavior that is the maximal strict subset of the original behavior (i.e., covers the largest
possible fraction of the original input/output and rejects only the inputs corresponding to exploitation).

- Generate a hardened program that stops the attacks and is guaranteed to be safe with respect to
stability and functionality (at the cost of some efficiency) by applying hardening techniques such as
control flow integrity (CFI), software fault isolation (SFI), or memory safety, selectively. Specifically,
we want to apply the hardening (and thus the overhead) only to the vulnerable execution paths.


Project number


Main applicant

Prof. dr. ir. H.J. Bos

Affiliated with

Vrije Universiteit Amsterdam, Faculteit der Bètawetenschappen, Afdeling Informatica


01/02/2018 to 01/02/2022