Computer Science ›› 2017, Vol. 44 ›› Issue (5): 132-140.doi: 10.11896/j.issn.1002-137X.2017.05.024

Previous Articles     Next Articles

Protocol State Based Fuzzing Method for Industrial Control Protocols

ZHANG Ya-feng, HONG Zheng, WU Li-fa, ZHOU Zhen-ji and SUN He   

  • Online:2018-11-13 Published:2018-11-13

Abstract: Traditional fuzzing methods for industrial control system(ICS) have shortcomings of small coverage,low effectiveness and limitation of fault monitoring in fuzzing.This paper proposed a protocol state machine based fuzzing method for ICS protocols.Firstly,it describes the protocol state machine model with XML scripts,and designs a protocol state based test sequences generating method (PSTSGM) to achieve higher coverage rate during fuzzing process.Then,it puts forward a heart-beat based detecting and locating method for faults (HDLMF).It aims to detect embedded equipment behavior faults and locate the abnormal cases via the way of heart-beat detection and loop location.On the basis of the proposed method,we designed and implemented a fuzzing tool SCADA-Fuzz,and performed tests on a power control SCADA system.Experimental results show that SCADA-Fuzz can effectively and efficiently trigger behavior faults and locate security vulnerabilities.

Key words: Industrial control protocol,Fuzzing test,Protocol state,Vulnerability mining

[1] 李鸿培,于旸,忽朝俭,等.2013工业控制系统及其安全性研究报告[EB/OL].(2013-06-24) [2016-03-11].http://www.nsfocus.com.cn/content/details_62_881.html.
[2] CLAYTON M.Stuxnet malware is weapon out to destroy Iran’sBushehr Nuclear Plant[R].Christian Science Monitor,2010.
[3] BENCSTH B,PK G,BUTTYN L,et al.Duqu:A Stuxnet-like malware found in the wild[R].CrySyS Lab Technical Report,2011.
[4] Wikipedia.Flame[EB/OL].[2016-03-11].http://en.wikipedia.org/wiki/Flame_(malware).
[5] 李鸿培,王晓鹏,王洋.2014 绿盟科技工业控制系统安全态势报告[EB/OL].(2014-09-15) [2016-03-11].http://www.nsfocus.com.cn/content/details_62_887.html.
[6] 乌克兰电网遭黑客攻击[EB/OL].(2016-01-06)[2016-02-17].http://www.ftchinese.com/story/001065610.
[7] TANKARD C.Advanced Persistent threats and how to monitor and deter them[J].Network security,2011,2011(8):16-19.
[8] 王清.0day 安全:软件漏洞分析技术[M].北京:电子工业出版社,2008.
[9] TAKANEN A,DEMOTT J D,MILLER C.Fuzzing for software security testing and quality assurance[M].Artech House,2008.
[10] SHAPIRO R,BRATUS S,ROGERS E,et al.Identifying vulne-rabilities in SCADA systems via fuzz-testing[M]∥Critical Infrastructure Protection V.Springer Berlin Heidelberg,2011:57-72.
[11] DEVARAJAN G.Unraveling SCADA Protocols:Using SulleyFuzzer[C]∥Defon Conference.2007.
[12] HOU Y,HONG Z,PAN F,et al.Model Based Automatic Fuzzing Script Generation[J].Computer Science,2013,0(3):206-209.(in Chinese) 侯莹,洪征,潘璠,等.基于模型的Fuzzing测试脚本自动化生成[J].计算机科学,2013,40(3):206-209.
[13] 匡恩网络.工控网络安全漏洞挖掘检测平台[EB/OL].[2016-03-11].http://www.kuangn.com/product/vulnerability.
[14] LI H.From “0”to “1”:China’s Industrial control protocol communictaion robustness test platform based on our independent research and development[J].Automation Exhibition,2015(9):70-73.(in China) 李航.从“0”到“1”:我国自主研发工控协议通讯健壮性测试平台[J].自动化博览,2015(9):70-73.
[15] DEVARAJAN G.Unraveling SCADA protocols:Using Sulleyfuzzer,presented at the DefCon 15 Hacking Conference[EB/OL].[2016-03-11].http://www.defcon.org/html/defcon-15/dc15-speakers.html.
[16] KOCH R.Profuzz.[EB/OL].[2016-03-11].https://github.com/HSASec/ProFuzz.
[17] BYRES E J,KUBE N,DAN H.On Shaky Ground-A Study of Security Vulnerabilities in Control Protocols[C]∥5th American Nuclear Society International Topical Meeting on Nuclear Plant Instrumentation,Controls,and Human Machine Interface Technology,American Nuclear Society.2006.
[18] General Purpose Fuzzer[EB/OL].[2016-03-11].http://www.vdalabs.com/tools/efs_gpf.html.
[19] BRATUS S,HANSEN A,SHUBINA A.LZFuzz:a fast compression-based fuzzer for poorly documented protocols[R].Dartmouth Computer Science Technical Report TR 2008-634,2008.
[20] DigitalBond.ICCPSic assessment tool set released,sunrise[EB/OL].[2016-03-11].http://www.digitalbond.com/2007/08/28/iccpsic-assessment-toolset-released.
[21] DYNAMICS M.Mu test suite[EB/OL].[2016-03-11].http://http://www.mudynamics.com/products/mu-test-suite.html.
[22] Wurldtech.Achilles test platform[EB/OL].[2016-03-11].http://www.wurldtech.com.
[23] Codenomicon.Defensics test platform[EB/OL].[2016-03-11].http://www.codenomicon.com/products /protocols.shtml.
[24] BeSTORM Software Testing Framework[EB/OL].[2016-03-11].www.beyondsecurity.com/black-box-testing.html.
[25] Peach[EB/OL].[2016-03-11].http://www.peachFuzzer.com.
[26] BOSSERT G,GUIHRY F,HIET G.Netzob:un outil pour la rétro-conception de protocoles de communication[C]∥Actes Du Symposium Sur La Sécurité Des Technologies De Linformation Et Des Communications.2012.
[27] ZHANG Y F,HONG Z,WU L F,et al.From-syntax based fuz-zing method for industrial control protocols[J].Application Research of Computers,2016,3(8):2433-2439.(in Chinese) 张亚丰,洪征,吴礼发,等.基于范式语法的工控协议Fuzzing测试技术[J].计算机应用研究,2016,3(8):2433-2439.
[28] Siemens.SIMATIC WinCC[EB/OL].[2016-03-11].http://www.wincc.com.cn.

No related articles found!
Viewed
Full text


Abstract

Cited

  Shared   
  Discussed   
No Suggested Reading articles found!