Computer Science ›› 2023, Vol. 50 ›› Issue (4): 323-332. doi: 10.11896/jsjkx.211200258

• Information Security •

Black-box Fuzzing Method Based on Reverse-engineering for Proprietary Industrial Control Protocol

YANG Yahui 1,2, MA Rongkuan 2, GENG Yangyang 2, WEI Qiang 2, JIA Yan 3

  1 School of Cyber Science and Engineering, Zhengzhou University, Zhengzhou 450001, China
  2 School of Cyberspace Security, Information Engineering University, Zhengzhou 450001, China
  3 College of Cyber Science, Nankai University, Tianjin 300110, China
  • Received: 2021-12-24  Revised: 2022-06-11  Online: 2023-04-15  Published: 2023-04-06
  • Corresponding author: MA Rongkuan (rongkuan307@163.com)
  • Author e-mail: yongyh2020@163.com
  • About the authors: YANG Yahui, born in 1995, postgraduate. His main research interests include unknown protocol reverse engineering and industrial control system security.
    MA Rongkuan, born in 1992, Ph.D, lecturer. His main research interests include program analysis and software security, ICS security, and Web security.
  • Supported by:
    National Key R&D Program of China (2020YFB2010900) and Fundamental Research Funds for the Central Universities (Zhejiang University NGICS Platform) (ZJUNGICS2021003).

Abstract: The wide use of proprietary protocols in industrial control systems poses a serious challenge to their safe operation. Because the specifications of proprietary industrial control protocols are closed, traditional fuzzing tools cannot generate test cases efficiently, which limits the efficiency of fuzzing industrial control devices that use such protocols. To address this problem, a black-box fuzzing method based on reverse engineering of the proprietary industrial control protocol is proposed. First, starting from captured traffic, an improved multiple sequence alignment algorithm and a field division algorithm are used to obtain the protocol's field structure. Then a set of heuristic rules is defined to identify the constant, sequence number, length and function code fields of the protocol, from which the protocol format is inferred. Finally, a protocol state machine is built from message ordering and the function code field. During fuzzing, test cases are generated with several mutation strategies according to the inferred protocol format, and the constructed protocol state machine guides the fuzzer's in-depth interaction with the device under test. The ICPPfuzz tool is designed and implemented on this basis, and its protocol reverse engineering and fuzzing capabilities are evaluated on real devices using three industrial control protocols (Modbus/TCP, UMAS, S7comm). Experimental results show that, in protocol reverse engineering, the tool's field division, semantic identification and protocol state machine construction are clearly better than Netzob's; in fuzzing, the number of valid test cases it generates in the same time is 1.25 times that of Boofuzz, and the quality of its test cases and its vulnerability discovery capability also exceed Boofuzz's. In addition, three denial-of-service vulnerabilities were found when testing Modicon TM200/221 series PLCs, demonstrating the tool's effectiveness.

Key words: Industrial control system security, Proprietary protocol, Sequence alignment, Protocol reverse engineering, Fuzzing
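To make the reverse-engineering stage concrete, here is an added example written for this page; it is not code from the paper or from the ICPPfuzz tool. It runs field division and heuristic semantic labelling over a small constructed trace of Modbus/TCP-shaped request frames and then derives the function-code transition counts a protocol state machine is built from. Two simplifications are assumptions of this example rather than the paper's method: the alignment step is reduced to left-aligning messages on their first byte (the paper uses an improved multiple sequence alignment), and the rules for the constant, sequence number, length and function code fields are this example's own reading of the field types the abstract names.

```python
"""Added example (not the paper's or ICPPfuzz's code): infer a field structure
from a constructed trace and build a function-code transition graph."""
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed Modbus/TCP-shaped request frames standing in for captured traffic:
# transaction id(2) | protocol id(2) | length(2) | unit id(1) | function code(1) | data
TRACE: List[bytes] = [bytes.fromhex(h) for h in (
    "000100000006" "01" "03" "0000000a",                  # read holding registers
    "000200000006" "01" "03" "00100002",                  # read holding registers
    "000300000009" "01" "10" "00100001" "02" "002a",      # write multiple registers
    "000400000006" "01" "03" "0000000a",                  # read holding registers
    "00050000000b" "01" "10" "00200002" "04" "00010002",  # write multiple registers
    "000600000006" "01" "06" "00010007",                  # write single register
)]

Field = Tuple[int, int, str]  # (offset, width, label)


def column(trace: List[bytes], offset: int) -> List[Optional[int]]:
    """Byte at `offset` in every message; None where a message is too short."""
    return [m[offset] if offset < len(m) else None for m in trace]


def window_values(trace: List[bytes], offset: int, width: int) -> Optional[List[int]]:
    """Big-endian integer in [offset, offset+width) for every message, or None if any is too short."""
    if any(len(m) < offset + width for m in trace):
        return None
    return [int.from_bytes(m[offset:offset + width], "big") for m in trace]


def is_length_field(trace: List[bytes], offset: int, width: int) -> bool:
    """Rule (this example's): the value equals the number of bytes following the field, in every message."""
    vals = window_values(trace, offset, width)
    return vals is not None and all(v == len(m) - (offset + width) for v, m in zip(vals, trace))


def is_sequence_field(trace: List[bytes], offset: int, width: int) -> bool:
    """Rule (this example's): the value grows by exactly one from each message to the next."""
    vals = window_values(trace, offset, width)
    return vals is not None and len(vals) > 1 and all(b - a == 1 for a, b in zip(vals, vals[1:]))


def is_function_code(trace: List[bytes], offset: int, max_ratio: float = 0.5) -> bool:
    """Rule (this example's): one byte present in every message, not constant, from a small set of repeated values."""
    col = column(trace, offset)
    if None in col:
        return False
    return 1 < len(set(col)) <= len(col) * max_ratio


def infer_fields(trace: List[bytes]) -> List[Field]:
    """Divide the left-aligned messages into labelled fields."""
    min_len, max_len = min(map(len, trace)), max(map(len, trace))
    fields: List[Field] = []
    labels: Dict[int, str] = {}
    offset = 0
    while offset < min_len:
        # Pass 1: 2-byte then 1-byte windows for the two rules that fix a field width themselves.
        matched: Optional[Field] = None
        for width in (2, 1):
            if offset + width <= min_len:
                if is_length_field(trace, offset, width):
                    matched = (offset, width, "length")
                elif is_sequence_field(trace, offset, width):
                    matched = (offset, width, "sequence")
            if matched:
                break
        if matched:
            fields.append(matched)
            offset += matched[1]
            continue
        # Pass 2: per-byte labels for everything else.
        if is_function_code(trace, offset):
            labels[offset] = "function_code"
        elif len(set(column(trace, offset))) == 1:
            labels[offset] = "constant"
        else:
            labels[offset] = "variable"
        offset += 1
    # Field division: merge adjacent bytes that share a label (a function code stays one byte).
    for off in sorted(labels):
        prev = fields[-1] if fields else None
        if prev and prev[2] == labels[off] != "function_code" and prev[0] + prev[1] == off:
            fields[-1] = (prev[0], prev[1] + 1, prev[2])
        else:
            fields.append((off, 1, labels[off]))
    if max_len > min_len:  # bytes present only in the longer messages
        fields.append((min_len, max_len - min_len, "optional"))
    return sorted(fields)


def build_state_machine(trace: List[bytes], fields: List[Field]) -> Dict[Tuple[int, int], int]:
    """Transition counts between consecutive function codes, in trace order."""
    fc = next((f for f in fields if f[2] == "function_code"), None)
    if fc is None:
        return {}
    codes = [int.from_bytes(m[fc[0]:fc[0] + fc[1]], "big") for m in trace]
    return dict(Counter(zip(codes, codes[1:])))


if __name__ == "__main__":
    inferred = infer_fields(TRACE)
    for off, width, label in inferred:
        print(f"offset {off:2d}  width {width}  {label}")
    for (src, dst), n in sorted(build_state_machine(TRACE, inferred).items()):
        print(f"fc 0x{src:02x} -> fc 0x{dst:02x}  x{n}")
```

On this trace the transaction id, length and function code fields are recovered correctly, but the high bytes of the register address and quantity (offsets 8 and 10) come out as "constant" because six messages never vary them. That is the failure mode a small capture produces, and the reason an inferred format should be checked against more traffic before a fuzzer treats a field as fixed. The length rule also encodes one convention (count of bytes after the field); protocols that count from a different anchor need a variant of the rule.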

CLC number: TP393