Computer Science (计算机科学), 2023, Vol. 50, Issue 4: 323-332. doi: 10.11896/jsjkx.211200258
YANG Yahui (1,2), MA Rongkuan (2), GENG Yangyang (2), WEI Qiang (2), JIA Yan (3)
Abstract: The widespread use of proprietary industrial control protocols poses a major challenge to the secure operation of industrial control systems (ICS). Because the specifications of proprietary ICS protocols are closed, traditional fuzzing tools struggle to generate test cases efficiently, which limits the fuzzing efficiency for ICS devices that use proprietary protocols. To address this problem, a black-box fuzzing method based on reverse engineering of proprietary ICS protocols is proposed. First, on the basis of captured traffic, an improved multiple sequence alignment algorithm and a field partitioning algorithm are used to obtain the protocol field structure; then, a set of heuristic rules is defined to identify the constant fields, sequence-number fields, length fields and function-code fields of the protocol, from which the protocol format is inferred; finally, a protocol state machine is built from message timing and the function-code field. During fuzzing, test cases are generated with several mutation strategies according to the reverse-engineered protocol format, and the constructed protocol state machine guides deep interaction between the fuzzer and the device under test. The ICPPfuzz tool is designed and implemented on the basis of this method, and its protocol reverse-engineering and fuzzing capabilities are evaluated using three ICS protocols (Modbus/TCP, UMAS, S7comm) on real devices. Experimental results show that, in protocol reverse engineering, the tool's field partitioning, semantic identification and protocol state machine construction are clearly stronger than Netzob's; in fuzzing, the number of valid test cases it generates in the same time is 1.25 times that of Boofuzz, and the quality of its test cases and its vulnerability-discovery capability are also better than Boofuzz's; at the same time, when testing Modicon TM200/221 series PLCs, three denial-of-service vulnerabilities were found, demonstrating the effectiveness of the tool.
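As an added illustration (not the paper's code or ICPPfuzz itself) of the semantic-identification and state-machine steps described in the abstract, the following applies simplified heuristic rules for constant, sequence-number, length and function-code fields to a constructed set of Modbus/TCP request messages, assuming the field boundaries have already been recovered by the alignment and partitioning stage, and then derives a function-code transition graph from their order.

```python
# Constructed Modbus/TCP request messages (not captured traffic), one per line:
# transaction id, protocol id, length, unit id, function code, data.
SAMPLE = [
    "0001 0000 0006 01 03 0000 0002",
    "0002 0000 0006 01 03 0010 0001",
    "0003 0000 0006 01 06 0001 00ff",
    "0004 0000 000b 01 10 0000 0002 04 00010002",
    "0005 0000 0006 01 03 0020 0004",
    "0006 0000 0006 01 06 0002 1234",
]
MESSAGES = [bytes.fromhex(s.replace(" ", "")) for s in SAMPLE]

# Field layout assumed already recovered by alignment/partitioning:
# (name, offset, width); width None means "rest of the message".
LAYOUT = [("f0", 0, 2), ("f1", 2, 2), ("f2", 4, 2),
          ("f3", 6, 1), ("f4", 7, 1), ("f5", 8, None)]


def field_values(msgs, offset, width):
    return [m[offset:offset + width] if width else m[offset:] for m in msgs]


def infer_semantics(msgs, layout, max_func_codes=8):
    """Label each field with the first heuristic rule it satisfies (simplified rule set)."""
    labels = {}
    for name, off, width in layout:
        vals = field_values(msgs, off, width)
        ints = [int.from_bytes(v, "big") for v in vals] if width else None
        if len(set(vals)) == 1:                      # identical in every message
            labels[name] = "constant"
        elif ints and all(b - a == 1 for a, b in zip(ints, ints[1:])):  # +1 per message
            labels[name] = "sequence"
        elif ints and all(v == len(m) - (off + width) for v, m in zip(ints, msgs)):
            labels[name] = "length"                  # counts the bytes that follow it
        elif width == 1 and 1 < len(set(ints)) <= max_func_codes and len(set(ints)) < len(msgs):
            labels[name] = "function_code"           # small, repeated set of 1-byte values
        else:
            labels[name] = "variable"
    return labels


def function_code_graph(msgs, layout, labels):
    """Transition graph over successive function codes in one captured session."""
    _, off, _ = next(f for f in layout if labels[f[0]] == "function_code")
    codes = [m[off] for m in msgs]
    graph = {}
    for a, b in zip(codes, codes[1:]):
        graph.setdefault(a, set()).add(b)
    return graph


if __name__ == "__main__":
    found = infer_semantics(MESSAGES, LAYOUT)
    print(found)
    print(function_code_graph(MESSAGES, LAYOUT, found))
```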