[{"language":[{"iso":"eng"}],"ddc":["000"],"file":[{"file_size":1562838,"file_name":"Security_Analysis_of_G_Codes.pdf","file_id":"58660","access_level":"open_access","date_updated":"2025-02-17T11:13:10Z","date_created":"2025-02-17T11:10:31Z","creator":"jrossel","relation":"main_file","content_type":"application/pdf"}],"abstract":[{"lang":"eng","text":"The rapid growth of 3D printing technology has transformed a wide range of industries, enabling the on-demand production of complex objects, from aerospace components to medical devices. However, this technology also introduces significant security challenges. Previous research highlighted the security implications of G-Codes—commands used to control the printing process. These studies assumed powerful attackers and focused on manipulations of the printed models, leaving gaps in understanding the full attack potential.\r\n\r\nIn this study, we systematically analyze security threats associated with 3D printing, focusing specifically on vulnerabilities caused by G-Code commands. We introduce attacks and attacker models that assume a less powerful adversary than traditionally considered, broadening the scope of potential security threats. Our findings show that even minimal access to the 3D printer can result in significant security breaches, such as unauthorized access to subsequent print jobs or persistent misconfiguration of the printer. We identify 278 potentially malicious G-Codes across the attack categories Information Disclosure, Denial of Service, and Model Manipulation. Our evaluation demonstrates the applicability of these attacks across various 3D printers and their firmware. 
Our findings underscore the need for a better standardization process of G-Codes and corresponding security best practices.\r\n"}],"publication":"Proceedings of the 34th USENIX Security Symposium","title":"Security Implications of Malicious G-Codes in 3D Printing","date_created":"2025-02-17T11:12:17Z","year":"2025","quality_controlled":"1","file_date_updated":"2025-02-17T11:13:10Z","user_id":"58331","department":[{"_id":"632"}],"_id":"58657","status":"public","type":"conference","main_file_link":[{"url":"https://www.usenix.org/conference/usenixsecurity25/presentation/rossel","open_access":"1"}],"conference":{"name":"34th USENIX Security Symposium","start_date":"2025-08-13","end_date":"2025-08-15","location":"Seattle, WA, USA"},"author":[{"first_name":"Jost","full_name":"Rossel, Jost","id":"58331","orcid":"0000-0002-3182-4059","last_name":"Rossel"},{"full_name":"Mladenov, Vladislav","last_name":"Mladenov","first_name":"Vladislav"},{"first_name":"Nico","full_name":"Wördenweber, Nico","last_name":"Wördenweber"},{"last_name":"Somorovsky","orcid":"0000-0002-3593-7720","full_name":"Somorovsky, Juraj","id":"83504","first_name":"Juraj"}],"date_updated":"2025-08-22T10:34:24Z","oa":"1","citation":{"mla":"Rossel, Jost, et al. “Security Implications of Malicious G-Codes in 3D Printing.” <i>Proceedings of the 34th USENIX Security Symposium</i>, 2025, pp. 1867–85.","short":"J. Rossel, V. Mladenov, N. Wördenweber, J. Somorovsky, in: Proceedings of the 34th USENIX Security Symposium, 2025, pp. 1867–1885.","bibtex":"@inproceedings{Rossel_Mladenov_Wördenweber_Somorovsky_2025, title={Security Implications of Malicious G-Codes in 3D Printing}, booktitle={Proceedings of the 34th USENIX Security Symposium}, author={Rossel, Jost and Mladenov, Vladislav and Wördenweber, Nico and Somorovsky, Juraj}, year={2025}, pages={1867–1885} }","apa":"Rossel, J., Mladenov, V., Wördenweber, N., &#38; Somorovsky, J. (2025). Security Implications of Malicious G-Codes in 3D Printing. 
<i>Proceedings of the 34th USENIX Security Symposium</i>, 1867–1885.","ieee":"J. Rossel, V. Mladenov, N. Wördenweber, and J. Somorovsky, “Security Implications of Malicious G-Codes in 3D Printing,” in <i>Proceedings of the 34th USENIX Security Symposium</i>, Seattle, WA, USA, 2025, pp. 1867–1885.","chicago":"Rossel, Jost, Vladislav Mladenov, Nico Wördenweber, and Juraj Somorovsky. “Security Implications of Malicious G-Codes in 3D Printing.” In <i>Proceedings of the 34th USENIX Security Symposium</i>, 1867–85, 2025.","ama":"Rossel J, Mladenov V, Wördenweber N, Somorovsky J. Security Implications of Malicious G-Codes in 3D Printing. In: <i>Proceedings of the 34th USENIX Security Symposium</i>. ; 2025:1867-1885."},"page":"1867 - 1885","publication_status":"published","has_accepted_license":"1"},{"user_id":"58331","_id":"62738","language":[{"iso":"eng"}],"keyword":["software vulnerabilities","vulnerability disclosure","security research"],"publication":"Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security","type":"conference","status":"public","abstract":[{"text":"Vulnerability disclosures are necessary to improve the security of our digital ecosystem. However, they can also be challenging for researchers: it may be hard to find out who the affected parties even are, or how to contact them. Researchers may be ignored or face adversity when disclosing vulnerabilities. 
We investigate researchers' experiences with vulnerability disclosures, extract best practices, and make recommendations for researchers, institutions that employ them, industry, and regulators to enable effective vulnerability disclosures.","lang":"eng"}],"author":[{"first_name":"Harshini","orcid":"0000-0002-0000-5843","last_name":"Sri Ramulu","id":"99000","full_name":"Sri Ramulu, Harshini"},{"first_name":"Anna Lena","full_name":"Rotthaler, Anna Lena","id":"97843","last_name":"Rotthaler"},{"first_name":"Jost","last_name":"Rossel","orcid":"0000-0002-3182-4059","full_name":"Rossel, Jost","id":"58331"},{"full_name":"Gonzalez Rodriguez, Rachel","last_name":"Gonzalez Rodriguez","first_name":"Rachel"},{"first_name":"Dominik","last_name":"Wermke","full_name":"Wermke, Dominik"},{"first_name":"Sascha","full_name":"Fahl, Sascha","last_name":"Fahl"},{"last_name":"Kohno","full_name":"Kohno, Tadayoshi","first_name":"Tadayoshi"},{"full_name":"Somorovsky, Juraj","id":"83504","last_name":"Somorovsky","orcid":"0000-0002-3593-7720","first_name":"Juraj"},{"first_name":"Yasemin","last_name":"Acar","id":"94636","full_name":"Acar, Yasemin"}],"date_created":"2025-12-02T08:48:00Z","date_updated":"2025-12-02T08:54:18Z","oa":"1","publisher":"ACM","conference":{"end_date":"2025-10-17","start_date":"2025-10-13"},"doi":"10.1145/3719027.3760723","main_file_link":[{"url":"https://dl.acm.org/doi/10.1145/3719027.3760723","open_access":"1"}],"title":"Poster: Computer Security Researchers' Experiences with Vulnerability Disclosures","publication_status":"published","citation":{"apa":"Sri Ramulu, H., Rotthaler, A. L., Rossel, J., Gonzalez Rodriguez, R., Wermke, D., Fahl, S., Kohno, T., Somorovsky, J., &#38; Acar, Y. (2025). Poster: Computer Security Researchers’ Experiences with Vulnerability Disclosures. <i>Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security</i>. 
<a href=\"https://doi.org/10.1145/3719027.3760723\">https://doi.org/10.1145/3719027.3760723</a>","mla":"Sri Ramulu, Harshini, et al. “Poster: Computer Security Researchers’ Experiences with Vulnerability Disclosures.” <i>Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security</i>, ACM, 2025, doi:<a href=\"https://doi.org/10.1145/3719027.3760723\">10.1145/3719027.3760723</a>.","short":"H. Sri Ramulu, A.L. Rotthaler, J. Rossel, R. Gonzalez Rodriguez, D. Wermke, S. Fahl, T. Kohno, J. Somorovsky, Y. Acar, in: Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security, ACM, 2025.","bibtex":"@inproceedings{Sri Ramulu_Rotthaler_Rossel_Gonzalez Rodriguez_Wermke_Fahl_Kohno_Somorovsky_Acar_2025, title={Poster: Computer Security Researchers’ Experiences with Vulnerability Disclosures}, DOI={<a href=\"https://doi.org/10.1145/3719027.3760723\">10.1145/3719027.3760723</a>}, booktitle={Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security}, publisher={ACM}, author={Sri Ramulu, Harshini and Rotthaler, Anna Lena and Rossel, Jost and Gonzalez Rodriguez, Rachel and Wermke, Dominik and Fahl, Sascha and Kohno, Tadayoshi and Somorovsky, Juraj and Acar, Yasemin}, year={2025} }","chicago":"Sri Ramulu, Harshini, Anna Lena Rotthaler, Jost Rossel, Rachel Gonzalez Rodriguez, Dominik Wermke, Sascha Fahl, Tadayoshi Kohno, Juraj Somorovsky, and Yasemin Acar. “Poster: Computer Security Researchers’ Experiences with Vulnerability Disclosures.” In <i>Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security</i>. ACM, 2025. <a href=\"https://doi.org/10.1145/3719027.3760723\">https://doi.org/10.1145/3719027.3760723</a>.","ieee":"H. Sri Ramulu <i>et al.</i>, “Poster: Computer Security Researchers’ Experiences with Vulnerability Disclosures,” 2025, doi: <a href=\"https://doi.org/10.1145/3719027.3760723\">10.1145/3719027.3760723</a>.","ama":"Sri Ramulu H, Rotthaler AL, Rossel J, et al. 
Poster: Computer Security Researchers’ Experiences with Vulnerability Disclosures. In: <i>Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security</i>. ACM; 2025. doi:<a href=\"https://doi.org/10.1145/3719027.3760723\">10.1145/3719027.3760723</a>"},"year":"2025"},{"title":"Re-Envisioning Industrial Control Systems Security by Considering Human Factors as a Core Element of Defense-in-Depth","date_created":"2023-08-15T12:21:05Z","publisher":"IEEE","year":"2023","quality_controlled":"1","language":[{"iso":"eng"}],"keyword":["Defense-in-Depth","Human Factors","Production Engineering","Product Design","Systems Engineering"],"ddc":["000"],"file":[{"content_type":"application/pdf","relation":"main_file","date_updated":"2024-09-05T13:00:09Z","date_created":"2024-09-05T13:00:09Z","creator":"jrossel","file_size":197727,"file_id":"56077","access_level":"closed","file_name":"Re_envisioning_Industrial_Control_Systems_security.pdf"}],"abstract":[{"text":"The security of Industrial Control Systems is relevant both for reliable production system operations and for high-quality throughput in terms of manufactured products. Security measures are designed, operated and maintained by different roles along product and production system lifecycles. Defense-in-Depth as a paradigm builds upon the assumption that breaches are unavoidable. The paper at hand provides an analysis of roles, corresponding Human Factors and their relevance for data theft and sabotage attacks. The resulting taxonomy is reflected by an example related to Additive Manufacturing. 
The results assist in both designing and redesigning Industrial Control Systems as part of an entire production system so that Defense-in-Depth with regard to Human Factors is built in by design.","lang":"eng"}],"publication":"2023 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)","conference":{"location":"Delft, Netherlands","end_date":"2023-07-07","start_date":"2023-07-03","name":"2023 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)"},"doi":"10.1109/eurospw59978.2023.00048","main_file_link":[{"url":"https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=10190647"}],"author":[{"id":"405","full_name":"Pottebaum, Jens","orcid":"http://orcid.org/0000-0001-8778-2989","last_name":"Pottebaum","first_name":"Jens"},{"first_name":"Jost","orcid":"0000-0002-3182-4059","last_name":"Rossel","full_name":"Rossel, Jost","id":"58331"},{"last_name":"Somorovsky","orcid":"0000-0002-3593-7720","full_name":"Somorovsky, Juraj","id":"83504","first_name":"Juraj"},{"id":"94636","full_name":"Acar, Yasemin","last_name":"Acar","first_name":"Yasemin"},{"last_name":"Fahr","id":"111","full_name":"Fahr, René","first_name":"René"},{"full_name":"Arias Cabarcos, Patricia","id":"92804","last_name":"Arias Cabarcos","first_name":"Patricia"},{"last_name":"Bodden","orcid":"0000-0003-3470-3647","id":"59256","full_name":"Bodden, Eric","first_name":"Eric"},{"first_name":"Iris","id":"47565","full_name":"Gräßler, Iris","last_name":"Gräßler","orcid":"0000-0001-5765-971X"}],"date_updated":"2025-07-16T11:06:47Z","page":"379-385","citation":{"ama":"Pottebaum J, Rossel J, Somorovsky J, et al. Re-Envisioning Industrial Control Systems Security by Considering Human Factors as a Core Element of Defense-in-Depth. In: <i>2023 IEEE European Symposium on Security and Privacy Workshops (EuroS&#38;PW)</i>. IEEE; 2023:379-385. 
doi:<a href=\"https://doi.org/10.1109/eurospw59978.2023.00048\">10.1109/eurospw59978.2023.00048</a>","chicago":"Pottebaum, Jens, Jost Rossel, Juraj Somorovsky, Yasemin Acar, René Fahr, Patricia Arias Cabarcos, Eric Bodden, and Iris Gräßler. “Re-Envisioning Industrial Control Systems Security by Considering Human Factors as a Core Element of Defense-in-Depth.” In <i>2023 IEEE European Symposium on Security and Privacy Workshops (EuroS&#38;PW)</i>, 379–85. IEEE, 2023. <a href=\"https://doi.org/10.1109/eurospw59978.2023.00048\">https://doi.org/10.1109/eurospw59978.2023.00048</a>.","ieee":"J. Pottebaum <i>et al.</i>, “Re-Envisioning Industrial Control Systems Security by Considering Human Factors as a Core Element of Defense-in-Depth,” in <i>2023 IEEE European Symposium on Security and Privacy Workshops (EuroS&#38;PW)</i>, Delft, Netherlands, 2023, pp. 379–385, doi: <a href=\"https://doi.org/10.1109/eurospw59978.2023.00048\">10.1109/eurospw59978.2023.00048</a>.","bibtex":"@inproceedings{Pottebaum_Rossel_Somorovsky_Acar_Fahr_Arias Cabarcos_Bodden_Gräßler_2023, title={Re-Envisioning Industrial Control Systems Security by Considering Human Factors as a Core Element of Defense-in-Depth}, DOI={<a href=\"https://doi.org/10.1109/eurospw59978.2023.00048\">10.1109/eurospw59978.2023.00048</a>}, booktitle={2023 IEEE European Symposium on Security and Privacy Workshops (EuroS&#38;PW)}, publisher={IEEE}, author={Pottebaum, Jens and Rossel, Jost and Somorovsky, Juraj and Acar, Yasemin and Fahr, René and Arias Cabarcos, Patricia and Bodden, Eric and Gräßler, Iris}, year={2023}, pages={379–385} }","mla":"Pottebaum, Jens, et al. “Re-Envisioning Industrial Control Systems Security by Considering Human Factors as a Core Element of Defense-in-Depth.” <i>2023 IEEE European Symposium on Security and Privacy Workshops (EuroS&#38;PW)</i>, IEEE, 2023, pp. 379–85, doi:<a href=\"https://doi.org/10.1109/eurospw59978.2023.00048\">10.1109/eurospw59978.2023.00048</a>.","short":"J. Pottebaum, J. 
Rossel, J. Somorovsky, Y. Acar, R. Fahr, P. Arias Cabarcos, E. Bodden, I. Gräßler, in: 2023 IEEE European Symposium on Security and Privacy Workshops (EuroS&#38;PW), IEEE, 2023, pp. 379–385.","apa":"Pottebaum, J., Rossel, J., Somorovsky, J., Acar, Y., Fahr, R., Arias Cabarcos, P., Bodden, E., &#38; Gräßler, I. (2023). Re-Envisioning Industrial Control Systems Security by Considering Human Factors as a Core Element of Defense-in-Depth. <i>2023 IEEE European Symposium on Security and Privacy Workshops (EuroS&#38;PW)</i>, 379–385. <a href=\"https://doi.org/10.1109/eurospw59978.2023.00048\">https://doi.org/10.1109/eurospw59978.2023.00048</a>"},"has_accepted_license":"1","publication_status":"published","file_date_updated":"2024-09-05T13:00:09Z","department":[{"_id":"34"},{"_id":"152"},{"_id":"76"},{"_id":"632"},{"_id":"858"}],"user_id":"58331","_id":"46500","status":"public","type":"conference"},{"department":[{"_id":"632"}],"user_id":"58331","_id":"48012","file_date_updated":"2024-09-05T11:14:40Z","type":"conference","status":"public","author":[{"first_name":"Jost","full_name":"Rossel, Jost","id":"58331","orcid":"0000-0002-3182-4059","last_name":"Rossel"},{"last_name":"Mladenov","full_name":"Mladenov, Vladislav","first_name":"Vladislav"},{"full_name":"Somorovsky, Juraj","id":"83504","last_name":"Somorovsky","orcid":"0000-0002-3593-7720","first_name":"Juraj"}],"date_updated":"2025-07-16T11:06:49Z","oa":"1","conference":{"location":"Hongkong","end_date":"2023-10-18","start_date":"2023-10-16","name":"26th International Symposium on Research in Attacks, Intrusions and Defenses"},"doi":"10.1145/3607199.3607216","main_file_link":[{"url":"https://dl.acm.org/doi/abs/10.1145/3607199.3607216"}],"has_accepted_license":"1","publication_status":"published","citation":{"ama":"Rossel J, Mladenov V, Somorovsky J. Security Analysis of the 3MF Data Format. In: <i>Proceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses</i>. ACM; 2023. 
doi:<a href=\"https://doi.org/10.1145/3607199.3607216\">10.1145/3607199.3607216</a>","ieee":"J. Rossel, V. Mladenov, and J. Somorovsky, “Security Analysis of the 3MF Data Format,” presented at the 26th International Symposium on Research in Attacks, Intrusions and Defenses, Hongkong, 2023, doi: <a href=\"https://doi.org/10.1145/3607199.3607216\">10.1145/3607199.3607216</a>.","chicago":"Rossel, Jost, Vladislav Mladenov, and Juraj Somorovsky. “Security Analysis of the 3MF Data Format.” In <i>Proceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses</i>. ACM, 2023. <a href=\"https://doi.org/10.1145/3607199.3607216\">https://doi.org/10.1145/3607199.3607216</a>.","apa":"Rossel, J., Mladenov, V., &#38; Somorovsky, J. (2023). Security Analysis of the 3MF Data Format. <i>Proceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses</i>. 26th International Symposium on Research in Attacks, Intrusions and Defenses, Hongkong. <a href=\"https://doi.org/10.1145/3607199.3607216\">https://doi.org/10.1145/3607199.3607216</a>","short":"J. Rossel, V. Mladenov, J. Somorovsky, in: Proceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses, ACM, 2023.","bibtex":"@inproceedings{Rossel_Mladenov_Somorovsky_2023, title={Security Analysis of the 3MF Data Format}, DOI={<a href=\"https://doi.org/10.1145/3607199.3607216\">10.1145/3607199.3607216</a>}, booktitle={Proceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses}, publisher={ACM}, author={Rossel, Jost and Mladenov, Vladislav and Somorovsky, Juraj}, year={2023} }","mla":"Rossel, Jost, et al. 
“Security Analysis of the 3MF Data Format.” <i>Proceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses</i>, ACM, 2023, doi:<a href=\"https://doi.org/10.1145/3607199.3607216\">10.1145/3607199.3607216</a>."},"language":[{"iso":"eng"}],"keyword":["Data Format Security","3D Manufacturing Format","3D Printing","Additive Manufacturing"],"ddc":["000"],"publication":"Proceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses","file":[{"relation":"main_file","content_type":"application/pdf","file_size":1054999,"access_level":"open_access","file_id":"48065","file_name":"Security_Analysis_of_the_3mf_Data_Format.pdf","date_updated":"2024-09-05T11:14:40Z","date_created":"2023-10-16T03:48:08Z","creator":"jrossel"}],"abstract":[{"lang":"eng","text":"3D printing is a well-established technology with rapidly increasing usage scenarios both in the industry and consumer context. The growing popularity of 3D printing has also attracted security researchers, who have analyzed possibilities for weakening 3D models or stealing intellectual property from 3D models. We extend these important aspects and provide the first comprehensive security analysis of 3D printing data formats. We performed our systematic study on the example of the 3D Manufacturing Format (3MF), which offers a large variety of features that could lead to critical attacks. Based on 3MF’s features, we systematized three attack goals: Data Exfiltration (dex), Denial of Service, and UI Spoofing (uis). We achieve these goals by exploiting the complexity of 3MF, which is based on the Open Packaging Conventions (OPC) format and uses XML to define 3D models. In total, our analysis led to 352 tests. 
To create and run these tests automatically, we implemented an open-source tool named 3MF Analyzer (tool), which helped us evaluate 20 applications."}],"date_created":"2023-10-11T13:42:09Z","publisher":"ACM","title":"Security Analysis of the 3MF Data Format","quality_controlled":"1","year":"2023"}]
