A walkthrough of the stateful protocol fuzzer used internally for BACnet, Modbus, and proprietary OT protocol fuzzing — without causing process disruption in live environments.
Standard fuzzers (AFL, boofuzz) are designed for crash discovery. In OT environments, crashing a PLC or BMS controller can disrupt physical processes — HVAC shutdowns, lighting failures, or safety system trips. zsl-fuzz was built with a different priority: find parsing bugs and logic errors without taking devices offline.
The fuzzer operates in three phases:
Currently supported protocols: BACnet/IP, Modbus/TCP, KNXnet/IP, and MQTT. Each protocol module defines its own message grammar, valid state transitions, and health check mechanisms. Adding a new protocol requires implementing three interfaces: message parser, mutator, and health probe.
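As an added illustration (not zsl-fuzz's own code; its real interfaces are not shown on this page), here is a minimal Modbus/TCP module in the three-interface shape the text describes, with a driver loop that sends one mutation at a time and stops at the first failed health probe. The `FakeDevice` stand-in, its simulated wedge on a zero length field, and all function names are assumptions made for the example.

```python
import struct

def parse(frame: bytes) -> tuple:
    """Parser interface: decode the MBAP header and validate its length field."""
    if len(frame) < 7:
        raise ValueError("short frame")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0 or length != len(frame) - 6:
        raise ValueError("bad MBAP header")
    return tid, length, unit, frame[7:]

def mutate_length(frame: bytes, delta: int) -> bytes:
    """Mutator interface: re-emit the frame with the MBAP length field off by delta."""
    tid, length, unit, pdu = parse(frame)
    return struct.pack(">HHHB", tid, 0, (length + delta) & 0xFFFF, unit) + pdu

def health_probe(send) -> bool:
    """Health probe interface: a known-good Read Holding Registers request must get a sane reply."""
    probe = struct.pack(">HHHB", 1, 0, 6, 1) + bytes([0x03, 0x00, 0x00, 0x00, 0x01])
    try:
        tid, _, _, pdu = parse(send(probe))
        return tid == 1 and pdu[:1] == b"\x03"
    except ValueError:
        return False

def fuzz(send, seed: bytes, deltas) -> list:
    """Send one mutation at a time and probe health after each; stop at the first failed probe."""
    results = []
    for d in deltas:
        send(mutate_length(seed, d))
        ok = health_probe(send)
        results.append(("ok" if ok else "unhealthy", d))
        if not ok:
            break
    return results

class FakeDevice:
    """Constructed stand-in for a PLC: answers valid reads; a zero-length frame wedges it (simulated bug)."""
    wedged = False
    def send(self, frame: bytes) -> bytes:
        if len(frame) >= 7 and frame[4:6] == b"\x00\x00":
            self.wedged = True  # simulated parsing bug: the controller stops answering
        if self.wedged:
            return b""
        try:
            tid, _, unit, _ = parse(frame)
        except ValueError:
            return b""
        pdu = bytes([0x03, 0x02, 0x00, 0x2A])
        return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

SEED = struct.pack(">HHHB", 7, 0, 6, 1) + bytes([0x03, 0x00, 0x10, 0x00, 0x01])  # constructed seed request
```

Running `fuzz(FakeDevice().send, SEED, [1, -1, -6, 100])` stops after the third mutation, because the probe no longer gets a valid reply, and never sends the fourth.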
Over the past two years, zsl-fuzz has identified 47 unique vulnerabilities across 23 products. The most common finding categories are null pointer dereferences in malformed packet handlers, integer overflows in length fields, and authentication bypasses via state machine confusion.