From Control Application to Control Logic: PLC Decompile Framework for Industrial Control System

Industrial Control System (ICS) depends on the underlying Programmable Logical Controllers (PLCs) to run. As such, the security of the internal control logic of the PLCs is the top concern of ICS. Reversing analysis and forensic work against PLC require extracting control logic from the control application running inside PLC, which is still an unresolved problem. To address the challenge, we propose a PLC decompile framework named CLEVER, which can analyze the control application and extract the control logic. First, we propose a simulation execution based code extraction method, which is utilized to filter the control logic related data. Then, to normalize the control application decompile process, an intermediate representation (IR) is designed, which can simplify the analysis process and enhance the extensibility of CLEVER. Finally, a heuristic data flow analysis algorithm is proposed to find variable dependency, and a sequential parsing method is utilized to reconstruct the source code from the control application. To evaluate our work, real world PLC hardware and programming software are used for the experiment. We use 22 real-world, 58 hand-written, and 150 auto-generated control applications to demonstrate the usability, correctness, and operational efficiency of CLEVER.