Computer Science, 2023, Vol. 50, Issue (4): 323-332. doi: 10.11896/jsjkx.211200258

• Information Security •

Black-box Fuzzing Method Based on Reverse-engineering for Proprietary Industrial Control Protocol

YANG Yahui 1,2, MA Rongkuan 2, GENG Yangyang 2, WEI Qiang 2, JIA Yan 3

  1 School of Cyber Science and Engineering, Zhengzhou University, Zhengzhou 450001, China
  2 School of Cyberspace Security, Information Engineering University, Zhengzhou 450001, China
  3 College of Cyber Science, Nankai University, Tianjin 300110, China
  • Received: 2021-12-24  Revised: 2022-06-11  Online: 2023-04-15  Published: 2023-04-06
  • About author: YANG Yahui, born in 1995, postgraduate. His main research interests include unknown protocol reverse engineering and industrial control system security.
    MA Rongkuan, born in 1992, Ph.D, lecturer. His main research interests include program analysis and software security, ICS security, and Web security.
  • Supported by:
    National Key R&D Program of China (2020YFB2010900) and Fundamental Research Funds for the Central Universities (Zhejiang University NGICS Platform) (ZJUNGICS2021003).

Abstract: The wide application of proprietary industrial control protocols poses a serious challenge to the safe operation of industrial control systems. Because the specifications of proprietary industrial control protocols are closed, traditional fuzzing tools have difficulty generating test cases efficiently, which limits the efficiency of fuzzing industrial control devices that use such protocols. To address this problem, a black-box fuzzing method based on reverse engineering of the proprietary industrial control protocol is proposed. First, an improved multiple sequence alignment algorithm and a field division algorithm are applied to captured traffic to obtain the protocol's field structure. Then a series of heuristic rules is defined to identify the constant field, the sequence number field, the length field, and the function code field, and thereby infer the protocol format. After that, a protocol state machine is built from the sequence number and function code fields. During fuzzing, test cases are generated from the reverse-inferred protocol format using various mutation strategies, and the constructed protocol state machine guides the in-depth interaction between the fuzzing tool and the device under test. Based on these methods, the ICPPfuzz tool is designed and implemented. The protocol reverse engineering and fuzzing capabilities of ICPPfuzz are evaluated on real devices using three industrial control protocols (Modbus/TCP, UMAS, S7comm). Experimental results show that, in protocol reverse engineering, the tool's field division, semantic recognition, and protocol state machine construction are significantly better than Netzob's. In fuzzing, the number of effective test cases the tool generates in the same time is 1.25 times that of Boofuzz, and the quality of its test cases and its vulnerability discovery ability are also better than Boofuzz's. In addition, three denial-of-service vulnerabilities are found when testing Modicon TM200/221 series PLCs, which demonstrates the tool's effectiveness.

Key words: Industrial control system security, Proprietary protocol, Sequence alignment, Protocol reverse engineering, Fuzzing test

CLC Number: TP393
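The field-semantics step of the abstract (constant, sequence number, length and function code fields inferred by heuristic rules over aligned messages), as an added example that is not the paper's ICPPfuzz code. It assumes the field boundaries already come from the alignment/field-division stage and are given as fixed (offset, width) pairs, runs over constructed Modbus/TCP requests, and uses its own simplified rule thresholds rather than the paper's exact rules.

```python
# Added example (not the paper's ICPPfuzz code): the heuristic field-semantics
# step described in the abstract, run over constructed Modbus/TCP requests.
# Field boundaries are assumed to come from the alignment/field-division stage
# (fixed (offset, width) pairs here); the rule thresholds are this example's own.
import struct

def mbap(tid, pdu):
    # MBAP header: transaction id, protocol id (always 0), length of the
    # bytes that follow the length field (unit id + PDU), unit id.
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, 1) + pdu

# Constructed traffic: three Read Holding Registers (0x03) requests and one
# Write Multiple Registers (0x10) request, so the length field actually varies.
SAMPLE_MESSAGES = [
    mbap(1, struct.pack(">BHH", 0x03, 0, 10)),
    mbap(2, struct.pack(">BHH", 0x03, 100, 2)),
    mbap(3, struct.pack(">BHHB", 0x10, 200, 1, 2) + b"\x00\x2a"),
    mbap(4, struct.pack(">BHH", 0x03, 5, 1)),
]

# Assumed field-division output: the fields every sample message contains.
FIELDS = [(0, 2), (2, 2), (4, 2), (6, 1), (7, 1), (8, 2), (10, 2)]

def field_values(msgs, offset, width):
    return [int.from_bytes(m[offset:offset + width], "big") for m in msgs]

def infer_semantics(msgs, fields):
    """Label each (offset, width) field with one of the abstract's four
    semantic types, or 'unknown'. Rules are tried in order, so a length or
    function-code field that never varies in the capture is reported as
    'constant': the inference is only as good as the traffic's diversity."""
    labels = {}
    for off, width in fields:
        vals = field_values(msgs, off, width)
        if len(set(vals)) == 1:
            kind = "constant"
        elif all(b - a == 1 for a, b in zip(vals, vals[1:])):
            kind = "sequence"          # serial/transaction number
        elif all(v == len(m) - off - width for v, m in zip(vals, msgs)):
            kind = "length"            # counts the bytes after itself
        elif len(set(vals)) <= max(2, len(msgs) // 2):
            kind = "funccode"          # small, repeating code set
        else:
            kind = "unknown"
        labels[(off, width)] = kind
    return labels

if __name__ == "__main__":
    for field, kind in infer_semantics(SAMPLE_MESSAGES, FIELDS).items():
        print(field, kind)
```

On the sample capture the transaction id is labelled a sequence field, the protocol id and unit id constants, the MBAP length a length field and the function code a function code, while the start address and register count remain unknown.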