Key to modern smart manufacturing, industrial robots are complex and customizable machines that can be programmed in a variety of ways. In addition to the “teach by showing” paradigm, most vendors provide domain-specific programming languages to operate the robots with high precision. Besides movement instructions, such fully fledged programming languages provide access to low-level system resources like files and network. Although useful, these features create venues for unsafe programming patterns, which could lead to taint-style vulnerabilities or malware-like functionalities. In this paper, we analyze the programming languages of 8 leading industrial robot vendors, systematize their technical features, and discuss cases of vulnerable and malicious uses. We then describe the source-code analysis tool that we created to analyze robotic programs, and discover unsafe uses of programming primitives.We focused our proof-of-concept implementation on two popular languages (i.e., ABB’s RAPID and KUKA’s KRL), and evaluated it on a dataset of publicly available programs. Our results show that unsafe patterns are indeed found in real-world code, and that static source code analysis is an effective vetting mechanism, for example to prevent commissioning unsafe or malicious robotic programs. We conclude by discussing the remediation steps that can be adopted by developers and vendors to mitigate such issues in the medium and long term.
Detecting Insecure Code Patterns in Industrial Robot Programs
Pogliani, Marcello;Quarta, Davide;Zanero, Stefano
2020-01-01
Abstract
Key to modern smart manufacturing, industrial robots are complex and customizable machines that can be programmed in a variety of ways. In addition to the “teach by showing” paradigm, most vendors provide domain-specific programming languages to operate the robots with high precision. Besides movement instructions, such fully fledged programming languages provide access to low-level system resources like files and network. Although useful, these features create venues for unsafe programming patterns, which could lead to taint-style vulnerabilities or malware-like functionalities. In this paper, we analyze the programming languages of 8 leading industrial robot vendors, systematize their technical features, and discuss cases of vulnerable and malicious uses. We then describe the source-code analysis tool that we created to analyze robotic programs, and discover unsafe uses of programming primitives.We focused our proof-of-concept implementation on two popular languages (i.e., ABB’s RAPID and KUKA’s KRL), and evaluated it on a dataset of publicly available programs. Our results show that unsafe patterns are indeed found in real-world code, and that static source code analysis is an effective vetting mechanism, for example to prevent commissioning unsafe or malicious robotic programs. We conclude by discussing the remediation steps that can be adopted by developers and vendors to mitigate such issues in the medium and long term.I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.
