CONSTRUCT: A Program Synthesis Approach for Reconstructing Control Algorithms from Embedded System Binaries in Cyber-Physical Systems

Link to paper

During the summer of 2021, I had the opportunity to intern at the Intelligent Systems Laboratory at PARC, where I worked on a critical security challenge:

Research Objective

How can we effectively remove backdoors from a control system?

Approach

Our approach involved three key steps:

  1. Decompilation – We began by decompiling the binary firmware of the control system to understand its underlying control logic. This involved using Ghidra and extending its functionality with custom plugins tailored to our analysis.

  2. Program Analysis – Next, we analyzed the decompiled code to identify program logic and control flow. Since most control systems operate as finite state machines, our goal was to reconstruct this state machine directly from the binary.

  3. Program Re-synthesis – Finally, we explored program synthesis techniques to reconstruct the control logic from the decompiled binary. Given that we were working with Functional Mock-up Unit (FMU) models, which have well-defined interfaces, we leveraged these interfaces to synthesize control algorithms and map FMU inputs to the reconstructed control logic.
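As an added illustration of step 2 (not code from the paper or from PARC's tooling), the Python sketch below recovers a state machine from a constructed, decompiler-style control routine and diffs it against a reference model, so that transitions the specification never intended stand out as candidate backdoors. The routine `control_step`, the `*state` next-state convention, and the reference table `SPEC` are all assumptions made for this example.

```python
import re
# Constructed sample of what a decompiler might emit for a control loop
# (hypothetical: not from the paper, Ghidra output, or any real firmware).
DECOMPILED = """
void control_step(int *state, int sensor, int cmd)
{
  switch (*state) {
  case 0:
    if (sensor > 100) { *state = 1; }
    break;
  case 1:
    if (sensor < 90) { *state = 0; }
    if (cmd == 0x5a5a) { *state = 7; }
    break;
  case 7:
    *state = 1;
    break;
  }
}
"""
CASE_RE = re.compile(r"\bcase\s+(\d+)\s*:")        # entry of a state's handler
GUARD_RE = re.compile(r"\bif\s*\((.*?)\)\s*\{")    # condition guarding a write
ASSIGN_RE = re.compile(r"\*state\s*=\s*(\d+)\s*;")  # next-state write

def extract_fsm(src):
    """Map (from_state, to_state) to its guard, assuming the routine
    dispatches on a state variable and writes the next state via *state."""
    transitions, current = {}, None
    for line in src.splitlines():
        m = CASE_RE.search(line)
        if m:
            current = int(m.group(1))
            continue
        a = ASSIGN_RE.search(line)
        if a is None or current is None:
            continue
        g = GUARD_RE.search(line)
        transitions[(current, int(a.group(1)))] = g.group(1).strip() if g else "true"
    return transitions

def diff_against_spec(recovered, spec):
    """Transitions the reference model lacks are candidate backdoors;
    reference transitions the binary lacks are gaps in the recovery."""
    extra = {k: v for k, v in recovered.items() if k not in spec}
    missing = {k: v for k, v in spec.items() if k not in recovered}
    return extra, missing

# Hypothetical reference model of the intended controller: two states only.
SPEC = {(0, 1): "sensor > 100", (1, 0): "sensor < 90"}
```

Running `diff_against_spec(extract_fsm(DECOMPILED), SPEC)` reports the guarded jump into state 7 and its return edge as transitions absent from the reference model, which is exactly the kind of discrepancy the re-synthesis step then has to decide whether to keep or drop.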

My Contributions

My work primarily focused on binary decompilation and program analysis, with some exploration into program re-synthesis. The overarching goal was to reconstruct control algorithms from embedded system binaries, allowing us to detect and remove potential backdoors in cyber-physical systems.

For a more detailed discussion of our approach and findings, check out our paper: CONSTRUCT: A Program Synthesis Approach for Reconstructing Control Algorithms from Embedded System Binaries in Cyber-Physical Systems.