CN105763392B - A kind of industry control agreement fuzz testing method based on protocol status - Google Patents

Info

Publication number: CN105763392B (granted); earlier publication CN105763392A
Application number: CN201610094014.3A
Authority: CN (China)
Prior art keywords: industry control, message, protocol, test, control component
Legal status: Active
Other languages: Chinese (zh)
Inventors: 洪征, 吴礼发, 张亚丰, 田益凡, 赖海光, 李华波, 郑成辉, 黄康宇
Current assignee: PLA University of Science and Technology
Original assignee: PLA University of Science and Technology

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L43/00: Arrangements for monitoring or testing data switching networks
    • H04L43/18: Protocol analysers
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network security for detecting or protecting against malicious traffic
    • H04L63/1433: Vulnerability analysis

Abstract

The present invention provides an industrial control (ICS) protocol fuzz testing method based on protocol state, comprising the following steps: protocol state machine extraction, construction of a message sequence library, protocol state guidance, transmission and storage of test cases, heartbeat-based anomaly monitoring, and localization of the test message that caused the anomaly. Addressing the problems that ICS protocol fuzz testing is largely blind and has low test efficiency, the invention sends to the ICS component the test cases that belong to the protocol state the component is currently in, which effectively extends the coverage of fuzz testing and makes the test cases more targeted. The heartbeat-based anomaly monitoring of the invention has wide applicability. In addition, the method for localizing the test message that caused the anomaly can efficiently and accurately pinpoint the single message or message sequence that triggers the ICS protocol anomaly, which facilitates the discovery and analysis of security vulnerabilities.

Description

An industrial control protocol fuzz testing method based on protocol state
Technical field
The present invention relates to the field of industrial control protocol technology, and in particular to a method which, having obtained the state machine of an industrial control protocol, sends test messages according to protocol state to the ICS component running the protocol entity program, in order to discover security vulnerabilities present in that entity program.
Background technique
An industrial control system (ICS) is an intelligent control system made up of computer equipment and industrial process control components. It is widely used in industries such as electric power, water treatment, oil and gas, chemicals, transportation and manufacturing; by automatically monitoring, commanding, controlling and regulating industrial equipment such as machinery, vehicles, experimental apparatus and instruments, it guarantees the normal operation of industrial plants and is the brain and nerve centre of national critical infrastructure. Industrial control systems mainly comprise supervisory control and data acquisition systems (SCADA), distributed control systems (DCS), programmable logic controllers (PLC), remote terminal units (RTU) and the like.
Because their running environment was closed and highly specialised, traditional industrial control systems focused on functional completeness in their design, paid little attention to system security and had weak protection against risk. As industrialisation has accelerated, industrial control systems have moved from a relatively closed running environment towards networked, information-based operation; the new generation of industrial control systems is gradually becoming compatible with Ethernet and can be connected to ERP systems and even the Internet.
The deep integration of industrialisation and informatisation in industrial control systems has improved industrial production efficiency, but it has also exposed the weak points of these systems: once subjected to a malicious attack, they can suffer incalculable economic loss and even affect the security and stability of society. Since 2010 there have been many ICS security incidents worldwide. The Stuxnet virus, which attacked Iran's Bushehr nuclear power plant in 2010, is regarded as the world's first cyber superweapon put into actual combat. The malicious worm Duqu, discovered in 2011, specifically attacked industrial control systems and collected intelligence. The Flame virus, discovered in 2012, was even more complex in design and more destructive, and may have remained hidden for as long as five years. In 2014 the Dragonfly group used the Havex virus to attack more than 1,000 energy enterprises in Europe and the Americas.
As with ordinary computer networks or information systems, the core reason attackers can attack industrial control systems is that exploitable security vulnerabilities exist in the software and hardware of the ICS network or system. Security testing of the software and hardware in an industrial control system, to discover the vulnerabilities that may be present and take remedial measures before an attacker does, is therefore of great significance for improving ICS security.
Fuzz testing, also called fuzzing, uses large volumes of semi-valid data as input to the target program and discovers potential security vulnerabilities by monitoring the anomalies the program exhibits. Knowledge-based fuzzing constructs test cases on the basis of file or protocol format descriptions; it is simple and efficient and is the main research direction in the fuzzing field today.
In an industrial control system, command and control information and monitoring data are transmitted between components over industrial network protocols. Dedicated system components are responsible for parsing and processing the ICS network protocols; they contain the entity programs that parse the ICS protocols, and their security directly affects the security of the whole system. Applying fuzz testing to the vulnerability analysis of ICS software and hardware is an important research direction in the ICS security field.
Most existing research, domestically and abroad, adapts fuzzing tools built for TCP/IP network protocols to fuzz industrial control protocols. Devarajan of TippingPoint (USA) developed fuzz testing modules for the ICS protocols ICCP, Modbus and DNP3 specifically for Sulley. Roland Koch et al. of Augsburg University of Applied Sciences (Germany) developed ProFuzz on the basis of the Scapy fuzzer, targeting the Profinet protocol suite. Byres et al. of Wurldtech designed and implemented the BlackPeer test framework, tested the Modbus/TCP protocol stacks of two PLC devices and successfully found more than 60 security vulnerabilities. Bratus et al. implemented a simple ICS protocol fuzzer, LZFuzz, on the basis of the general-purpose fuzzer GPF.
At present, the application of fuzzing to industrial control systems has two main shortcomings. First, fuzz testing coverage is low. ICS protocols are mostly session-oriented and have interaction states; if the interaction state is not taken into account during testing, the test is usually confined to the initial stage of the protocol interaction. Moreover, if a protocol message does not match the protocol state, the protocol entity treats it as an invalid message and no vulnerability can be triggered. Second, the test approach and monitoring means are limited. Many ICS vulnerabilities are not caused by a single message but by a message sequence that gradually leads the protocol entity from one protocol state to the state in which the vulnerability is triggered, and existing monitoring methods have difficulty locating the message sequence that causes the vulnerability.
Summary of the invention
Aiming at the problems in the prior art, the present invention provides an ICS protocol fuzz testing method based on protocol state. To address the low test efficiency caused by fuzz testing processes that do not fully consider protocol state, the protocol state machine is described in an XML script; on the basis of that state machine, a test case generation algorithm guides the state of the object under test, setting the protocol entity program to the candidate state that is to be tested, so as to reach higher fuzz testing coverage. A heartbeat-based monitoring method provides convenient and effective anomaly monitoring of the embedded ICS device under test, and a message-backtracking decision method accurately locates the message sequence that causes a security vulnerability.
To achieve the above purpose, the technical solution adopted by the present invention is as follows:
An ICS protocol fuzz testing method based on protocol state, comprising the following steps:
(1) Protocol state machine extraction: the protocol state machine extraction method of the open-source protocol reverse-engineering project Netzob is used. Its basic procedure is: starting from a sample set of protocol communication messages, the original sample set is continually expanded by means of request queries and response feedback, and the inferred candidate protocol state machine is checked for consistency with the real one; when the protocol state machine equivalence condition is met, the state machine is output. After the state machine of the ICS protocol under test has been obtained, it is expressed as a script file described in the XML language;
(2) Construction of the message sequence library: on the basis of the protocol state machine, the normal interaction messages exchanged with the ICS protocol entity program are collected and stored. It must be ensured that, for an ICS protocol entity program in its initial state, a series of normal interaction messages can guide the program to any protocol state in the state machine; in other words, the message sequence library collects and stores enough normal interaction messages to guide the protocol entity from the initial state to any subsequent protocol state;
(3) Protocol state guidance: to improve the depth and coverage of testing, every protocol state in the state machine needs to be tested, so that the security vulnerabilities present when the ICS component is in different protocol states can be discovered effectively. During testing, normal interaction messages are used to guide the ICS component to the protocol state that is to be tested, and fuzz testing is then carried out on the component in that state;
(4) Transmission and storage of test cases: after the ICS protocol entity program has been guided to the state under test, ICS protocol messages are mutated according to fuzz-testing message mutation knowledge, and the mutated messages are sent to the protocol entity program to carry out the test. In addition, the transmitted test cases are stored to facilitate subsequent analysis;
(5) Heartbeat-based anomaly monitoring: after each test case is sent, a heartbeat message that probes whether the ICS component is still active is sent to the component under test, to judge whether the object under test is in a normal active state, so that a protocol anomaly caused by the test case is discovered in time;
(6) Localization of the test message that caused the anomaly: an ICS protocol processing anomaly may be caused by a single message or by a message sequence. To locate the offending test message accurately, the test side needs to store the test messages sent most recently; when an anomaly occurs, the ICS component under test is reset to its normal working state and the stored messages are replayed in a backtracking manner to determine which message or message sequence caused the anomaly.
The workflow of the message sequence library construction stage in step (2) is as follows: based on the protocol state machine, message information is collected using network monitoring. Each ICS protocol state generally requires a series of message interactions to be reached. Starting from the protocol's initial state, network monitoring captures the message interaction sequence that reaches each specific protocol state, and each sequence is stored in the message sequence library together with the protocol state it reaches;
The workflow of the protocol state guidance stage in step (3) is as follows: in order to set the ICS component to different protocol states for fuzz testing, protocol state guidance must be carried out. For any selected protocol state, the ICS component is first reset to the initial state; then, according to the information in the message sequence library, messages are sent to the component, and through this series of message interactions the component is brought to the specified state under test, i.e. the ICS protocol state that needs to be tested.
The workflow of the test case transmission and storage stage in step (4) is as follows: after the ICS component has been guided to the state under test, the normal network messages belonging to that protocol state are mutated to generate test cases. Message mutation is carried out according to fuzz-testing mutation knowledge: string-type data is replaced by overlong (or ultra-short) strings and by format strings; numeric-type data is replaced by values such as 0xff+1 and 0xffff that can trigger integer overflow vulnerabilities. After a test case is generated, the test side sends it to the ICS component under test in order to trigger an anomaly on the tested side. Meanwhile, since the test cases sent most recently must be analysed when an anomaly is triggered, the transmitted test cases are stored in a first-in-first-out queue.
The workflow of the heartbeat-based anomaly monitoring stage in step (5) is as follows: during fuzz testing, anomalies in the object under test must be discovered in time so that they can be analysed and handled in a targeted way. Since ICS components such as PLCs and RTUs are embedded systems whose computing power and storage resources are strictly limited, it is difficult to install a third-party debugging tool on the component to monitor anomalous events or to record anomaly information in a log. Considering that embedded ICS components such as PLCs and RTUs often stop responding when they cannot correctly handle an anomalous message, a heartbeat-based anomaly monitoring method can be used. A heartbeat message is a probe message sent to the device under test to judge whether it is in an active state. During fuzz testing, after each test message has been sent to the device under test and a short set interval has elapsed, a heartbeat message is sent to the device, and whether the device is active is judged by whether it returns the expected response message: if a response is received, the device is considered free of anomalies; if no response is received, the test case is considered to have triggered an anomaly on the device side;
The workflow of the localization stage in step (6) is as follows: during fuzz testing, if the device under test is found to be anomalous, testing must stop and it must be determined which message or message sequence caused the anomaly. To facilitate analysis, the test side stores the test messages sent most recently and records the ICS protocol state tested most recently. When an anomaly occurs, the ICS component under test is first reset according to the protocol state tested most recently: using the message sequence library, the component is guided by normal message interaction to that protocol state, and backtracking determination then begins. First, the most recently sent test message is sent and the component is observed for anomalies. If no anomaly appears, the component is reset to its normal working state, the two most recently sent test messages are sent in order, and the component is again observed for anomalies. If no anomaly appears, the component's state is reset again and the three most recently sent test messages are sent in order, and so on, until the message sequence that causes the anomaly is determined.
It can be seen from the above technical solution that the beneficial effects of the present invention are: carrying out fuzz testing on an ICS component according to protocol state reduces the blindness of testing, extends test coverage, avoids the invalid test cases caused by state mismatch and improves test efficiency. In addition, the method can effectively discover anomalies in the ICS component during testing and accurately locate the test message or message sequence that triggered the anomaly, which facilitates the discovery and analysis of security vulnerabilities.
Description of the drawings
Fig. 1 is a schematic diagram of the overall implementation process of the invention.
Fig. 2 is an example of the Modbus/TCP ICS protocol state machine described in XML format in the invention.
Specific embodiment
In order to better understand the technical content of the invention, specific embodiments are described below with reference to the drawings.
As shown in Fig. 1, according to a preferred embodiment of the invention, the method comprises the following steps:
(1) Protocol state machine extraction: the protocol state machine of the ICS protocol under test is obtained using a protocol state machine extraction method from the field of protocol reverse engineering, and the state machine is described in the form of an XML script;
(2) Construction of the message sequence library: the message sequence library serves to guide the protocol entity program from the initial state to any given protocol state. To construct it, the normal interaction messages between protocol entities are collected using network monitoring. It must be ensured that the ICS component acting as the protocol entity program, when in its initial state, can be brought to any protocol state in the state machine by a series of interaction messages.
(3) Protocol state guidance: according to the message sequence library, the ICS component is guided by normal interaction messages to the protocol state that needs to be tested, as the basis for fuzz testing.
(4) Transmission and storage of test cases: based on fuzz-testing message mutation knowledge, the protocol messages belonging to the specific protocol state are mutated to generate test cases. The test cases are then sent to the ICS component that is the object under test. To facilitate analysis of the relationship between test cases and program anomalies, the transmitted test cases are stored.
(5) Heartbeat-based anomaly monitoring: after each test case is sent, a heartbeat message is sent to probe the ICS component under test. If the component is in a normal active state it returns a response message; if an anomaly has occurred it does not respond. Probing with heartbeat messages allows protocol anomalies caused by a test case to be discovered in time.
(6) Localization of the test message that caused the anomaly: once the ICS component is found to have produced an anomaly while processing a test case, the offending test message must be located. First the component under test is reset to its normal working state; then the stored messages are replayed in a backtracking manner to determine which message or message sequence caused the anomaly.
With reference to the overall implementation process shown in Fig. 1, the method of this embodiment mainly comprises six parts: protocol state machine extraction, construction of the message sequence library, protocol state guidance, transmission and storage of test cases, heartbeat-based anomaly monitoring, and localization of the test message that caused the anomaly. Each is described in turn below.
(1) Protocol state machine extraction
The embodiment first collects as fully as possible the input and output messages generated during network communication by the ICS component acting as the ICS protocol entity program, and obtains the protocol state machine using the state machine extraction method of the open-source protocol reverse-engineering project Netzob (www.netzob.org).
Protocol state machine extraction first requires inferring the specific format of the communication messages; on that basis, network communication behaviour is abstracted in units of sessions. A session represents a complete data exchange between communication participants and reflects the migration of protocol state during communication. From a large sample of ICS protocol sessions, Netzob's active protocol state machine inference method is used to infer the state machine of the target ICS protocol.
The generated protocol state machine is described in a dedicated XML script. Taking the Modbus/TCP ICS protocol as an example, the description script StateMachine.xml of its state machine is shown in Fig. 2. In the state machine description script, <SCADA-Fuzz> is the root element; its type attribute identifies the script type, and type="StateMachine" indicates that a protocol state machine is being described. The name attribute of the <StateMachine> element defines the name of the state machine. <StateMachine> contains <State> child elements describing state nodes and <Trans> child elements describing state transitions. The name attribute of a <State> element defines the name of the state node. A <Trans> element has the attributes name, from and to: name is the name of the transition edge, from is the current state of the protocol entity, and to is the state the entity moves to after the <Action> has been executed. An <Action> element represents the action to be executed on the state transition, with its name attribute giving the action name; each <Action> corresponds to the transmission or reception of one test message. A <Message> element represents the descriptive model of a protocol message, and its ref attribute indicates the referenced message type.
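The following is an added example (not the patent's code, and the script below is a constructed Modbus/TCP-like sample, not the patent's StateMachine.xml of Fig. 2) that parses a script in the element and attribute layout just described and answers the question the guidance stage depends on: which states can actually be reached from the initial state, and by which transitions. The validation of undeclared states in transitions is an added check, not something the text specifies.

```python
"""Parser for a SCADA-Fuzz protocol state machine script in the XML layout described
above, plus reachability and path queries over the parsed machine.
Added example; not the patent's own code. The script below is constructed for
illustration and is not the patent's StateMachine.xml / Fig. 2."""
import xml.etree.ElementTree as ET
from collections import deque

# Constructed sample in the described layout: <SCADA-Fuzz type="StateMachine"> root,
# <StateMachine name>, <State name>, <Trans name from to> holding <Action name>/<Message ref>.
# "Orphan" is deliberately declared but never reached, to show the reachability check.
SAMPLE_SCRIPT = """<?xml version="1.0" encoding="UTF-8"?>
<SCADA-Fuzz type="StateMachine">
  <StateMachine name="ModbusTCP-like">
    <State name="Init"/>
    <State name="Connected"/>
    <State name="Reading"/>
    <State name="Writing"/>
    <State name="Orphan"/>
    <Trans name="connect" from="Init" to="Connected">
      <Action name="send"><Message ref="TCP_SYN"/></Action>
    </Trans>
    <Trans name="read_req" from="Connected" to="Reading">
      <Action name="send"><Message ref="ReadHoldingRegisters"/></Action>
    </Trans>
    <Trans name="read_rsp" from="Reading" to="Connected">
      <Action name="recv"><Message ref="ReadHoldingRegistersResponse"/></Action>
    </Trans>
    <Trans name="write_req" from="Connected" to="Writing">
      <Action name="send"><Message ref="WriteSingleRegister"/></Action>
    </Trans>
    <Trans name="write_rsp" from="Writing" to="Connected">
      <Action name="recv"><Message ref="WriteSingleRegisterResponse"/></Action>
    </Trans>
  </StateMachine>
</SCADA-Fuzz>
"""

def parse_state_machine(xml_text):
    """Return (machine_name, states, transitions). Each transition is a dict with
    name/from/to/actions, where actions is a list of (action_name, [message refs])."""
    root = ET.fromstring(xml_text)
    if root.tag != "SCADA-Fuzz" or root.get("type") != "StateMachine":
        raise ValueError("not a SCADA-Fuzz StateMachine script")
    sm = root.find("StateMachine")
    if sm is None:
        raise ValueError("missing <StateMachine> element")
    states = [s.get("name") for s in sm.findall("State")]
    transitions = []
    for t in sm.findall("Trans"):
        actions = [(a.get("name"), [m.get("ref") for m in a.findall("Message")])
                   for a in t.findall("Action")]
        tr = {"name": t.get("name"), "from": t.get("from"), "to": t.get("to"), "actions": actions}
        # Added check: an edge naming an undeclared state would otherwise silently make
        # part of the machine unreachable during the guidance stage.
        if tr["from"] not in states or tr["to"] not in states:
            raise ValueError(f"transition {tr['name']} references an undeclared state")
        transitions.append(tr)
    return sm.get("name"), states, transitions

def shortest_paths(transitions, start):
    """Breadth-first search over the transition graph.
    Returns {state: [transition names leading there from start]}."""
    paths = {start: []}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for tr in transitions:
            if tr["from"] == cur and tr["to"] not in paths:
                paths[tr["to"]] = paths[cur] + [tr["name"]]
                queue.append(tr["to"])
    return paths

def unreachable_states(states, transitions, start):
    """States the guidance stage could never reach from the initial state."""
    reachable = shortest_paths(transitions, start)
    return [s for s in states if s not in reachable]

if __name__ == "__main__":
    name, states, trans = parse_state_machine(SAMPLE_SCRIPT)
    print(name, states)
    for state, path in shortest_paths(trans, "Init").items():
        print(f"{state}: {' -> '.join(path) or '(initial)'}")
    print("unreachable:", unreachable_states(states, trans, "Init"))
```

A state reported as unreachable either reflects a gap in the extracted state machine or a state that only a message sequence the inference never observed can reach; either way it is a state the fuzzing campaign will not cover, which is worth knowing before reading coverage numbers.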
(2) Construction of the message sequence library
To efficiently fuzz an ICS component running a protocol entity program according to protocol state, a message sequence library must be constructed. The library records the normal interaction messages between protocol entities; the information it contains ensures that, starting from the initial state, the protocol entity program can reach any protocol state in the state machine through a series of interaction messages.
The message sequence library is constructed by network monitoring. By monitoring the network communication of the ICS protocol and using the known protocol state machine information, the protocol state the ICS component under test is currently in is determined. Whenever a new protocol state m is reached, all interaction messages from the initial state to that state are recorded in the message sequence library, forming a guidance record from the initial state to protocol state m. After the guidance information for a protocol state has been recorded, the ICS component under test is reset to the initial state and a new round of interaction begins. This is repeated until the library holds records that guide the ICS component from the initial state to every other protocol state.
(3) Protocol state guidance
Fuzz testing of an ICS protocol is carried out according to protocol state; this guarantees that the test cases cover all protocol states and that the security vulnerabilities present in each protocol state are fully explored.
Protocol state guidance is carried out according to the message sequence library. The ICS component is first reset to the initial state; the target protocol state to be reached is then located in the library, and the messages of the stored sequence are sent to the component in order, guiding it to the target protocol state.
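The following added example (not the patent's code) covers both the library construction in (2) and the guidance in (3): it walks monitored sessions against a known transition table, records the whole message prefix the first time each state is reached, and then replays a stored sequence after a reset to bring a stand-in protocol entity to a chosen state. The transition table, the protocol entity class and the captured sessions are constructed stand-ins.

```python
"""Message sequence library built from monitored sessions, plus protocol state guidance
that replays a stored sequence. Added example, not the patent's code. The transition
table, the ProtocolEntity stand-in and the captured sessions are all constructed."""

INITIAL = "Init"

# Constructed transition table standing in for the extracted state machine:
# (current state, observed message) -> next state.
TRANSITIONS = {
    ("Init", "connect"): "Connected",
    ("Connected", "read_req"): "Reading",
    ("Reading", "read_rsp"): "Connected",
    ("Connected", "write_req"): "Writing",
    ("Writing", "write_rsp"): "Connected",
    ("Connected", "diag_req"): "Diagnostics",
    ("Diagnostics", "diag_rsp"): "Connected",
}

def track_state(state, message):
    """What the network monitor does per captured message: advance the known state
    machine; a message the machine has no edge for leaves the state unchanged."""
    return TRANSITIONS.get((state, message), state)

def build_sequence_library(sessions, initial=INITIAL):
    """sessions: message lists captured from the initial state, one per monitoring round
    (the component is reset between rounds). Returns {state: messages that first reached it}."""
    library = {initial: []}
    for session in sessions:
        state = initial
        for i, message in enumerate(session):
            new_state = track_state(state, message)
            if new_state != state and new_state not in library:
                # Record the entire prefix from the initial state, not just the last message.
                library[new_state] = session[: i + 1]
            state = new_state
    return library

class ProtocolEntity:
    """Constructed stand-in for the ICS component; reset() returns it to the initial state."""
    def __init__(self):
        self.reset()

    def reset(self):
        self.state = INITIAL

    def receive(self, message):
        self.state = track_state(self.state, message)
        return self.state

def guide_to_state(entity, library, target):
    """Reset the entity, replay the stored sequence for target and return the state reached.
    A KeyError means the library never observed the target state."""
    entity.reset()
    for message in library[target]:
        entity.receive(message)
    return entity.state

def missing_states(library, transitions=TRANSITIONS):
    """States the state machine knows but the library cannot guide to yet."""
    known = {s for key in transitions for s in (key[0], transitions[key])}
    return sorted(known - set(library))

# Constructed captures from three monitoring rounds; the last message of round 3
# is one the state machine has no edge for and is ignored by the tracker.
CAPTURED_SESSIONS = [
    ["connect", "read_req", "read_rsp", "read_req"],
    ["connect", "write_req", "write_rsp"],
    ["connect", "diag_req", "diag_rsp", "unknown_msg"],
]

if __name__ == "__main__":
    lib = build_sequence_library(CAPTURED_SESSIONS)
    for state, seq in lib.items():
        print(f"{state}: {seq}")
    entity = ProtocolEntity()
    print("guided to:", guide_to_state(entity, lib, "Diagnostics"))
    print("still missing:", missing_states(lib))
```

The `missing_states` helper is the termination condition of the monitoring loop in the text: monitoring rounds continue until it returns an empty list.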
(4) Transmission and storage of test cases
To fuzz an ICS component running an ICS protocol entity program, test cases must be generated efficiently. The method of this embodiment applies mutations on the basis of existing messages, according to fuzz-testing mutation knowledge. For example, string-type data is replaced by overlong or ultra-short strings, or by format strings (adding format strings such as %d, %x and %s to the string); numeric-type data is replaced by values such as 0xff+1 and 0xffff that can trigger integer overflow vulnerabilities; binary fields with no general semantics are mutated by bit flipping, i.e. randomly selected bits of the data are inverted (0 becomes 1 or 1 becomes 0), and also by deleting the field, increasing the padding length, filling with other character sets, and so on.
Test cases are closely tied to protocol state: most message types are accepted and processed by the protocol program only in a specific protocol state. Test cases must therefore be generated and tested according to protocol state; in particular, the ICS component must first be guided to the specific protocol state before the test cases belonging to that state are sent to it.
The purpose of a test case is to trigger an anomaly in the program, but once an anomaly has been triggered, what matters more is locating the test case or test case sequence that caused it. To analyse the relationship between test cases and program anomalies, the transmitted test cases are stored so that they can later be verified by replay.
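The mutation knowledge listed above, as an added example (not the patent's code): a baseline message modelled as typed fields, one generator per field type, and an encoder that serialises each mutated field list into bytes. The baseline message, its field typing, the overlong length and the integer boundaries beyond 0xff+1 and 0xffff are assumptions made for the example.

```python
"""Mutation-based test case generation using the mutation knowledge listed above.
Added example, not the patent's code. The baseline message and its field typing are
constructed; integer boundaries beyond 0xff+1 and 0xffff are an assumption."""
import random
import struct

# Constructed baseline: a write-style request modelled as (field name, type, value).
BASE_MESSAGE = [
    ("device_name", "str", "plc01"),
    ("register",    "int", 40001),
    ("value",       "int", 17),
    ("payload",     "bin", b"\x00\x11\x22\x33"),
]

INT_BOUNDARIES = [0xff + 1, 0xffff]                 # values named in the text
INT_BOUNDARIES += [0xffff + 1, 0xffffffff]           # assumption: the next width boundaries
FORMAT_STRINGS = ["%d", "%x", "%s", "%s%s%s%x%d"]    # last entry is an assumed combination
OVERLONG = 4096                                      # assumed "overlong" length

def mutate_str(name, value):
    yield f"{name}:overlong", "A" * OVERLONG
    yield f"{name}:ultrashort", ""
    for fs in FORMAT_STRINGS:
        yield f"{name}:format:{fs}", value + fs

def mutate_int(name, value):
    for v in INT_BOUNDARIES:
        yield f"{name}:int:{v:#x}", v

def mutate_bin(name, value, rng):
    data = bytearray(value)
    bit = rng.randrange(len(data) * 8)
    data[bit // 8] ^= 1 << (bit % 8)                         # flip one randomly chosen bit
    yield f"{name}:bitflip:{bit}", bytes(data)
    yield f"{name}:pad", value + b"\x00" * 64                # increase padding length
    other = bytes(rng.choice(range(0x80, 0x100)) for _ in value)  # fill from another charset
    yield f"{name}:charset", other

def generate_test_cases(fields, seed=0):
    """Return [(label, mutated field list)]: one mutation per case for each field, plus a
    field-deletion case per field. Seeded so a run can be reproduced during backtracking."""
    rng = random.Random(seed)
    cases = []
    for idx, (name, ftype, value) in enumerate(fields):
        if ftype == "str":
            muts = mutate_str(name, value)
        elif ftype == "int":
            muts = mutate_int(name, value)
        else:
            muts = mutate_bin(name, value, rng)
        for label, new_value in muts:
            mutated = list(fields)
            mutated[idx] = (name, ftype, new_value)
            cases.append((label, mutated))
        cases.append((f"{name}:delete", fields[:idx] + fields[idx + 1:]))
    return cases

def encode(fields):
    """Serialise a field list into bytes. Integers are packed as 32-bit big-endian so the
    boundary value reaches the target intact; whether the target's own narrower parser
    mishandles it is exactly what the test case probes."""
    out = bytearray()
    for _, ftype, value in fields:
        if ftype == "str":
            out += value.encode() + b"\x00"
        elif ftype == "int":
            out += struct.pack(">I", value & 0xffffffff)
        else:
            out += value
    return bytes(out)

if __name__ == "__main__":
    for label, fields in generate_test_cases(BASE_MESSAGE)[:8]:
        print(f"{label:28s} {encode(fields)[:24]!r}")
```

Because every case carries a label naming the field and the operator that produced it, the stored FIFO of sent cases (step 4) and the backtracking replay (step 6) can report not just which bytes triggered the anomaly but which mutation did.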
(5) based on the exception monitoring of heartbeat
In industrial control field, the industry controls component such as PLC, RTU belongs to embedded system, and computing capability and storage resource are by stringent It restricts, it is difficult to which anomalous event is monitored or using log come recording exceptional information by third party's debugging tool.But PLC, RTU Equal built-in modules have such a feature during the test, they often due to can not correctly handle fuzz testing message and It cannot respond to external message, it is necessary to which restarting equipment could continue to test.In consideration of it, the present invention uses the exception monitoring based on heartbeat Method, monitors whether tested industry control component is in normal active state.
So-called heartbeat message, the probe messages sent to equipment under test referred to judge whether be in active to equipment under test State.In the embodiment of the present invention, during fuzz testing, as soon as every send a test packet to equipment under test, in setting After time, heartbeat message is sent to equipment under test, judges tested set according to whether equipment under test sends back to expected response message It is standby whether to be in active state.If the response message received, it is believed that exception does not occur in equipment;If not receiving response, Then think that test case triggers exception in equipment end, test process will be suspended, which test case or which test analyzed Use-case sequence triggers program exception.
(6) Locating the test message that caused the exception
During fuzzing, if the device under test is found to be abnormal, testing must stop and it must be determined which message, or which sequence of messages, caused the exception. To support this analysis, the embodiment of the invention stores the 10 most recently sent test messages at the test end and records the protocol state the industrial control component was in during the test.
When the industrial control component under test is found to be abnormal, it is first reset to its initial state. Then, according to the protocol state the component was in during the test, it is guided by normal message interaction drawn from the message sequence library back to the protocol state most recently tested, and the backtracking determination begins.
In the determination, the single most recently sent test message is sent first, and the module under test is observed for an exception. If none appears, the component under test is reset to its normal operating state and the two most recently sent test messages are sent in order, again observing the module for an exception. If none appears, the component is state-reset again and the three most recently sent test messages are sent in order. This continues until the message sequence that causes the exception is determined.
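The heartbeat check of step (5) and the backtracking determination of step (6), as an added example that is not code from the patent. The device is a constructed simulator of a toy session-oriented protocol (the opcodes HELLO/AUTH/READ/WRITE/HB, the three states and the two-message hang bug are all assumptions made for the example); the message sequence library is a plain dictionary of the normal messages that reach each state, and the FIFO of the ten most recent test messages is a `deque`.

```python
from collections import deque

# Hypothetical opcodes of a toy session-oriented ICS protocol (constructed for
# this example; not the protocol or device the patent was evaluated on).
HELLO, AUTH, READ, WRITE, HEARTBEAT = "HELLO", "AUTH", "READ", "WRITE", "HB"

# Message sequence library: the normal messages that lead the device from its
# initial state to each protocol state (steps (2) and (3) of the method).
SEQUENCE_LIBRARY = {
    "INIT": [],
    "CONNECTED": [(HELLO, b"")],
    "SESSION": [(HELLO, b""), (AUTH, b"admin")],
}


class SimulatedPLC:
    """Constructed stand-in for the device under test. It accepts only the
    messages valid in its current state and, as an assumed defect, stops
    responding when an oversized WRITE directly follows a READ in SESSION."""

    def __init__(self):
        self.reset()

    def reset(self):
        """Equivalent of a device restart: clears protocol state and the hang."""
        self.state = "INIT"
        self.hung = False
        self.last_was_read = False

    def handle(self, msg):
        if self.hung:
            return None                      # a hung device answers nothing
        op, payload = msg
        if op == HEARTBEAT:
            return b"ALIVE"
        if self.state == "INIT" and op == HELLO:
            self.state = "CONNECTED"
            return b"OK"
        if self.state == "CONNECTED" and op == AUTH:
            self.state = "SESSION"
            return b"OK"
        if self.state == "SESSION" and op == READ:
            self.last_was_read = True
            return b"DATA"
        if self.state == "SESSION" and op == WRITE:
            if self.last_was_read and len(payload) > 64:
                self.hung = True             # assumed two-message bug
                return None
            self.last_was_read = False
            return b"OK"
        return b"ERR"                        # wrong state: rejected, not a crash


def guide_to_state(dev, state):
    """Step (3): reset, then replay the library sequence for the target state."""
    dev.reset()
    for msg in SEQUENCE_LIBRARY[state]:
        if dev.handle(msg) != b"OK":
            raise RuntimeError("guidance failed at %r" % (msg,))


def alive(dev):
    """Step (5): a heartbeat probe; no expected response means an exception."""
    return dev.handle((HEARTBEAT, b"")) == b"ALIVE"


def localise(dev, state, recent):
    """Step (6): from a freshly guided device, replay the 1, 2, 3, ... most
    recently sent test messages until the exception reappears. Returns the
    shortest suffix that reproduces it, or None if the stored window does not."""
    for k in range(1, len(recent) + 1):
        guide_to_state(dev, state)
        suffix = recent[-k:]
        for msg in suffix:
            dev.handle(msg)
        if not alive(dev):
            return suffix
    return None


def fuzz(dev, state, cases, window=10):
    """Send test cases in the given state, keeping the last `window` of them
    (the patent's FIFO of 10); on a missed heartbeat, localise the cause."""
    recent = deque(maxlen=window)
    guide_to_state(dev, state)
    for msg in cases:
        dev.handle(msg)
        recent.append(msg)
        if not alive(dev):
            return localise(dev, state, list(recent))
    return None                              # no exception triggered


if __name__ == "__main__":
    cases = [(READ, b""), (WRITE, b"A" * 8), (WRITE, b"B" * 200),
             (READ, b""), (WRITE, b"C" * 200)]
    print(fuzz(SimulatedPLC(), "SESSION", cases))
```

Two points the simulator makes visible: replaying only the last message does not reproduce the hang, so the procedure correctly returns the two-message sequence READ followed by the oversized WRITE; and the same messages sent in the CONNECTED state are merely rejected, which is why the guidance step matters. `localise` returning None means the cause is not within the stored window or the fault is not deterministic, and the window must be enlarged or the case treated as non-reproducible.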
It can be seen from the above technical solution that the protocol-state-based industrial control protocol fuzzing method of the invention describes the protocol state machine of the industrial control protocol in an XML script, builds a message sequence library that records the normal communication messages by which the protocol entity program is guided from its initial state to each of the other protocol states, and on that basis fuzzes the industrial control component according to protocol state. The heartbeat-based exception monitoring method of the invention requires no debugging tool to be installed on the target, so it is suitable for use on embedded systems and matches the application scenarios of industrial control systems. During testing, once an exception is triggered in the industrial control component, resetting the component and replaying messages effectively locates the test message or test message sequence that caused the exception, providing a basis for exception analysis. Using the method requires obtaining the industrial control component that runs the protocol entity program; the component can be run as required, sent messages, and its responses observed, which forms the basis of industrial control protocol fuzzing.
In summary, the protocol-state-based industrial control protocol fuzzing method of the invention sends to the industrial control component test cases belonging to the protocol state the component is currently in, which effectively extends the coverage of fuzzing and improves the targeting of test cases. Second, industrial control components are highly varied, and the heartbeat-based exception monitoring method of the invention has wide applicability and can be applied to exception monitoring of all kinds of industrial control components. In addition, the method of the invention for locating the test message that caused the exception can efficiently and accurately locate the single message or message sequence that caused the industrial control protocol exception, facilitating the discovery and analysis of security vulnerabilities.
Although the invention has been disclosed by way of a preferred embodiment, this is not intended to limit the invention. A person of ordinary skill in the technical field to which the invention belongs may make various modifications and variations without departing from the spirit and scope of the invention. The scope of protection of the invention is therefore defined by the claims.

Claims (6)

1. A protocol-state-based industrial control protocol fuzzing method, characterised in that it comprises the following steps:
(1) Protocol state machine extraction: the protocol state machine extraction method of the open-source protocol reverse-analysis project Netzob is used. Its basic procedure is: starting from a sample set of protocol communication messages, the original sample set is continually expanded through request queries and response feedback, and the inferred candidate protocol state machine is checked for consistency with the true protocol state machine; the protocol state machine is output when the protocol state machine equivalence condition is met. After the protocol state machine of the industrial control protocol under test has been obtained, it is expressed as a script file described in the XML language;
(2) Message sequence library construction: based on the protocol state machine, the normal interaction messages exchanged with the industrial control protocol entity program are collected and stored. It is ensured that, for an industrial control protocol entity program in its initial state, a series of normal interaction messages can guide the program into any industrial control protocol state of the protocol state machine; in other words, the message sequence library collects and stores enough normal interaction messages to guide the industrial control protocol entity program from its initial state to any subsequent protocol state;
(3) Protocol state guidance: to increase the depth of testing and raise coverage, every protocol state of the protocol state machine must be tested, so that security vulnerabilities present in the industrial control component in different protocol states are discovered effectively. During testing, normal interaction messages are used to guide the industrial control component into the industrial control protocol state to be tested, and fuzzing is carried out on the component in that protocol state;
(4) Test case transmission and storage: after the industrial control protocol entity program has been guided to the state under test, industrial control protocol messages are mutated according to fuzzing message mutation knowledge, and the mutated messages are sent to the industrial control protocol entity program as the test; in addition, the transmitted test cases are stored for ease of subsequent analysis;
(5) Heartbeat-based exception monitoring: after each test case has been sent, a heartbeat message for probing the active state of the industrial control component is sent to monitor the component under test and judge whether it is in a normal active state, so that protocol exceptions caused by the sent test case are discovered in time;
(6) Locating the test message that caused the exception: an industrial control protocol processing exception may be caused by a single message or by a message sequence. To locate the test message that caused the exception accurately, the recently transmitted test messages are stored at the test end; when an exception occurs, the industrial control component under test is reset to its normal operating state and backtracking over the stored messages determines the message or message sequence that caused the exception.
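Steps (1) to (3) of claim 1, as an added example that is not code from the patent: an XML state-machine script in an assumed schema (the patent does not publish the schema of its XML script, so the element and attribute names here are assumptions) is parsed, and a breadth-first search from the initial state derives, for every reachable state, the shortest normal request sequence that reaches it, which is the content of the message sequence library. The toy protocol, its states and the deliberately unreachable MAINT state are constructed for the example.

```python
import xml.etree.ElementTree as ET
from collections import deque

# Constructed XML script in an assumed schema (the patent does not publish the
# schema of its XML state-machine script): states, the initial state, and
# transitions labelled with the request that triggers them and the expected
# response. MAINT is deliberately unreachable to exercise the check below.
STATE_MACHINE_XML = """\
<protocol name="toy-ics" initial="INIT">
  <state name="INIT"/>
  <state name="CONNECTED"/>
  <state name="SESSION"/>
  <state name="CONFIG"/>
  <state name="MAINT"/>
  <transition from="INIT" to="CONNECTED" request="HELLO" response="OK"/>
  <transition from="CONNECTED" to="SESSION" request="AUTH" response="OK"/>
  <transition from="SESSION" to="CONFIG" request="ENTER_CONFIG" response="OK"/>
  <transition from="CONFIG" to="SESSION" request="LEAVE_CONFIG" response="OK"/>
  <transition from="SESSION" to="INIT" request="BYE" response="OK"/>
</protocol>
"""


def load_state_machine(xml_text):
    """Parse the script into (initial state, set of states, adjacency map)."""
    root = ET.fromstring(xml_text)
    initial = root.get("initial")
    states = {s.get("name") for s in root.findall("state")}
    edges = {}
    for t in root.findall("transition"):
        edges.setdefault(t.get("from"), []).append(
            (t.get("request"), t.get("response"), t.get("to")))
    return initial, states, edges


def build_sequence_library(initial, states, edges):
    """Breadth-first search from the initial state: for every reachable state,
    the shortest sequence of (request, expected response) pairs that reaches it.
    States with no path are returned separately; they cannot be guided to and
    therefore cannot be fuzzed by the method."""
    library = {initial: []}
    queue = deque([initial])
    while queue:
        state = queue.popleft()
        for request, response, target in edges.get(state, []):
            if target not in library:
                library[target] = library[state] + [(request, response)]
                queue.append(target)
    return library, states - set(library)


def guidance_for(library, state):
    """Messages to send, in order, to bring a freshly reset device to `state`."""
    if state not in library:
        raise KeyError("no normal message sequence reaches state %r" % state)
    return list(library[state])


if __name__ == "__main__":
    initial, states, edges = load_state_machine(STATE_MACHINE_XML)
    library, unreachable = build_sequence_library(initial, states, edges)
    for name, seq in sorted(library.items()):
        print(name, seq)
    print("unreachable:", unreachable)
```

The expected response is stored alongside each request so that the guidance code can verify, message by message, that the device really followed the transition; a mismatch means the extracted state machine and the device disagree, and fuzzing results for that state would be attributed to the wrong state. The unreachable set is the coverage gap the method cannot close with normal messages.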
2. The protocol-state-based industrial control protocol fuzzing method according to claim 1, characterised in that the workflow of the message sequence library construction stage in step (2) is as follows: based on the protocol state machine, message information is collected using network monitoring technology; each industrial control protocol state can be reached only through a series of message interactions; using network monitoring technology, the message interaction sequence that reaches each specific protocol state from the initial state of the industrial control protocol is captured, and each message interaction sequence is stored in the message sequence library together with the protocol state it reaches.
3. The protocol-state-based industrial control protocol fuzzing method according to claim 1, characterised in that the workflow of the protocol state guidance stage in step (3) is as follows: to allow the industrial control component to be fuzzed in different protocol states, protocol state guidance is carried out; for any selected protocol state, the industrial control component is first set to its initial state, then, according to the information in the message sequence library, messages are sent to the component and, through a series of message interactions, the component is brought into the specified state under test, that is, the industrial control protocol state to be tested.
4. The protocol-state-based industrial control protocol fuzzing method according to claim 1, characterised in that the workflow of the test case transmission and storage stage in step (4) is as follows: after the industrial control component has been guided to the state under test, the normal network messages belonging to that protocol state are mutated to generate test cases; the mutation is carried out according to fuzzing mutation knowledge: string-type data are replaced with overlong or ultrashort strings and format strings, and numeric-type data are replaced with values such as 0xff+1 and 0xffff that can trigger integer overflow vulnerabilities; after a test case is generated, it is sent from the test end to the industrial control component under test in order to trigger an exception at the target; and, since the recently sent test cases must be analysed when an exception is triggered, the transmitted test cases are stored in a first-in, first-out queue.
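The mutation knowledge of claim 4 applied to a normal message of the state under test, as an added example that is not code from the patent. The binary field layout (`unit_id`, `func`, `count`, `tag`) is a hypothetical one constructed for the example; the string mutations are the claim's overlong, ultrashort and format-string replacements, and the numeric mutations are the claim's 0xff+1 and 0xffff extended here with 0 and the 32-bit boundaries.

```python
import struct

# Hypothetical field layout of a binary ICS request (constructed for this
# example): fixed-width big-endian integers and one length-prefixed string.
FIELDS = [("unit_id", "u8"), ("func", "u8"), ("count", "u16"), ("tag", "str")]

FMT = {"u8": ">B", "u16": ">H", "u32": ">I"}
BITS = {"u8": 8, "u16": 16, "u32": 32}

# Mutation knowledge. Strings: overlong (stack/heap overflow), ultrashort
# (empty-input handling) and format strings (printf-style bugs). Numerics:
# the claim's 0xff+1 and 0xffff, which wrap an 8-bit or 16-bit counter on the
# target, extended here with 0 and the 32-bit boundaries.
STRING_MUTATIONS = ["", "A" * 1024, "%s%s%s%s%n", "%x" * 64]
NUMERIC_MUTATIONS = [0, 0xff + 1, 0xffff, 0xffff + 1, 0x7fffffff, 0xffffffff]


def serialize(msg):
    """Encode a message dict to wire bytes; strings get a 16-bit length prefix."""
    out = b""
    for name, kind in FIELDS:
        value = msg[name]
        if kind == "str":
            data = value.encode()
            out += struct.pack(">H", len(data)) + data
        else:
            out += struct.pack(FMT[kind], value)
    return out


def mutate(base):
    """Single-field mutations of a normal message captured in the state under
    test. Returns (field, value, wire_bytes) triples. Numeric values that do not
    fit the declared field width are skipped, because the encoder could not put
    them on the wire; 0xff+1 therefore reaches a u16 field but not a u8 one."""
    cases = []
    for name, kind in FIELDS:
        if kind == "str":
            candidates = STRING_MUTATIONS
        else:
            candidates = [v for v in NUMERIC_MUTATIONS if v < (1 << BITS[kind])]
        for value in candidates:
            mutated = dict(base)
            mutated[name] = value
            cases.append((name, value, serialize(mutated)))
    return cases


if __name__ == "__main__":
    base = {"unit_id": 1, "func": 3, "count": 10, "tag": "temp"}
    for field, value, wire in mutate(base):
        print(field, repr(value)[:24], wire[:16].hex())
```

Each test case keeps every other field at its normal value, so a missed heartbeat after sending it points at one field; in the patent's flow the returned wire bytes are what the test end sends and pushes into its first-in, first-out store.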
5. The protocol-state-based industrial control protocol fuzzing method according to claim 1, characterised in that the workflow of the heartbeat-based exception monitoring stage in step (5) is as follows: a heartbeat-based exception monitoring method is used, the heartbeat message being a probe message sent to the device under test to judge whether the device is in an active state; during fuzzing, each time a test message is sent to the device under test, a heartbeat message is sent to the device after a short configured interval, and whether the device is active is judged by whether it returns the expected response message; if a response message is received, the device is considered free of exceptions; if no response is received, the test case is considered to have triggered an exception on the device side.
6. The protocol-state-based industrial control protocol fuzzing method according to claim 1, characterised in that the workflow of the stage of locating the test message that caused the exception in step (6) is as follows: during fuzzing, if the device under test is found to be abnormal, testing is stopped and it is determined which message or which sequence of messages caused the exception; to facilitate the analysis, the recently transmitted test messages are stored at the test end and the industrial control protocol state most recently tested is recorded; when an exception occurs, the industrial control component under test is first reset according to the most recently tested protocol state, then guided by normal message interaction from the message sequence library back to the most recently tested protocol state, and the backtracking determination begins: the single most recently sent test message is sent first and the component under test is observed for an exception; if none appears, the component is reset to its normal operating state and the two most recently sent test messages are sent in order, observing for an exception; if none appears, the component is state-reset again and the three most recently sent test messages are sent in order; and so on, until the message sequence that causes the exception is determined.
CN201610094014.3A 2016-02-19 2016-02-19 A kind of industry control agreement fuzz testing method based on protocol status Active CN105763392B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610094014.3A CN105763392B (en) 2016-02-19 2016-02-19 A kind of industry control agreement fuzz testing method based on protocol status

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610094014.3A CN105763392B (en) 2016-02-19 2016-02-19 A kind of industry control agreement fuzz testing method based on protocol status

Publications (2)

Publication Number Publication Date
CN105763392A CN105763392A (en) 2016-07-13
CN105763392B true CN105763392B (en) 2019-03-08

Family

ID=56330488

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610094014.3A Active CN105763392B (en) 2016-02-19 2016-02-19 A kind of industry control agreement fuzz testing method based on protocol status

Country Status (1)

Country Link
CN (1) CN105763392B (en)

Families Citing this family (44)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106131041A (en) * 2016-07-29 2016-11-16 北京匡恩网络科技有限责任公司 A kind of industry control network safety detection device and unknown leak detection method
CN106326119A (en) * 2016-08-19 2017-01-11 北京匡恩网络科技有限责任公司 Method and device for generating test case
CN106656564A (en) * 2016-11-11 2017-05-10 北京匡恩网络科技有限责任公司 Automatic test method, device and system for industrial control network
CN106778210B (en) * 2016-12-16 2020-04-07 成都巧班科技有限公司 Industrial control system function safety verification method based on immune learning
CN106647612A (en) * 2017-02-17 2017-05-10 上海云剑信息技术有限公司 PLC vulnerability discovery method based on state relational map
CN107479531B (en) * 2017-07-31 2019-08-20 杭州电子科技大学 The access device communication protocol frame format information of Embedded PLC remotely determines method
CN110232012A (en) * 2018-03-06 2019-09-13 国家计算机网络与信息安全管理中心 A kind of fuzz testing language protocol test script and testing engine based on xml
CN108337266B (en) * 2018-03-07 2020-08-11 中国科学院信息工程研究所 Efficient protocol client vulnerability discovery method and system
CN108683554A (en) * 2018-04-04 2018-10-19 国家计算机网络与信息安全管理中心 A kind of various dimensions method for monitoring abnormality of fuzz testing effect
CN108600195B (en) * 2018-04-04 2022-01-04 国家计算机网络与信息安全管理中心 Rapid industrial control protocol format reverse inference method based on incremental learning
CN108924102B (en) * 2018-06-21 2020-03-10 电子科技大学 Efficient industrial control protocol fuzzy test method
CN108933784B (en) * 2018-06-26 2021-02-09 北京威努特技术有限公司 Industrial control protocol decoding rule expression and optimized decoding method
CN109150654B (en) * 2018-07-25 2021-08-17 深圳市吉祥腾达科技有限公司 Use case design method based on protocol consistency of path
CN108897695A (en) * 2018-08-06 2018-11-27 中国电力科学研究院有限公司 A kind of the interconnection test method and system of demand side apparatus
CN109525457B (en) * 2018-11-14 2020-08-04 中国人民解放军陆军工程大学 Network protocol fuzzy test method based on state transition traversal
CN109462590B (en) * 2018-11-15 2021-01-15 成都网域复兴科技有限公司 Unknown protocol reverse analysis method based on fuzzy test
CN111628900B (en) * 2019-02-28 2023-08-29 西门子股份公司 Fuzzy test method, device and computer readable medium based on network protocol
CN109698841A (en) * 2019-03-06 2019-04-30 成都明得科技有限公司 The unknown bug excavation system and method for industry control based on video monitoring
CN111917692A (en) * 2019-05-10 2020-11-10 北京车和家信息技术有限公司 Fuzzy test method, device, equipment and computer readable storage medium
CN110336827B (en) * 2019-07-15 2021-06-18 北京工业大学 Modbus TCP protocol fuzzy test method based on abnormal field positioning
CN110661778A (en) * 2019-08-14 2020-01-07 中国电力科学研究院有限公司 Method and system for testing industrial control network protocol based on reverse analysis fuzzy
CN110808962B (en) * 2019-10-17 2022-04-29 奇安信科技集团股份有限公司 Malformed data packet detection method and device
CN112918406A (en) * 2019-12-06 2021-06-08 中车永济电机有限公司 Tramcar monitoring system and tramcar system
CN111427305B (en) * 2020-03-29 2021-09-24 博智安全科技股份有限公司 Method for Siemens PLC vulnerability mining
CN111835733B (en) * 2020-06-24 2022-06-14 广州海颐信息安全技术有限公司 Method for realizing DLT645-2007 protocol vulnerability discovery state machine
CN112019403B (en) * 2020-08-24 2021-10-01 杭州弈鸽科技有限责任公司 Cross-platform automatic mining method and system for message protocol state machine of Internet of things
CN112055003B (en) * 2020-08-26 2022-12-23 上海电力大学 Method for generating private protocol fuzzy test case based on byte length classification
CN112395209A (en) * 2021-01-21 2021-02-23 博智安全科技股份有限公司 Industrial control protocol fuzzy test case generation method, device, equipment and storage medium
CN113055374B (en) * 2021-03-10 2022-07-08 湖南大学 Detection method and system for IEC104 power protocol security test
CN112714047B (en) * 2021-03-29 2021-06-29 北京网测科技有限公司 Industrial control protocol flow based test method, device, equipment and storage medium
CN113132366B (en) * 2021-04-07 2023-03-21 深圳市奇虎智能科技有限公司 Method, system, storage medium and computer device for interactive protocol reversal
CN113472739B (en) * 2021-05-19 2022-08-23 中国科学院信息工程研究所 Vulnerability discovery method and device for control equipment private protocol
CN113535731B (en) * 2021-07-21 2024-04-16 北京威努特技术有限公司 Heuristic-based message state interaction self-learning method and device
CN113572760B (en) * 2021-07-22 2023-05-30 全球能源互联网研究院有限公司 Device protocol vulnerability detection method and device
CN113934621A (en) * 2021-09-06 2022-01-14 中国科学院信息工程研究所 Fuzzy test method, system, electronic device and medium
CN113886225A (en) * 2021-09-18 2022-01-04 国网河南省电力公司电力科学研究院 Unknown industrial control protocol-oriented fuzzy test system and method
CN114024884B (en) * 2021-11-18 2023-05-12 百度在线网络技术(北京)有限公司 Test method, test device, electronic equipment and storage medium
CN114173344B (en) * 2021-12-08 2024-08-30 百度在线网络技术(北京)有限公司 Method, device, electronic equipment and storage medium for processing communication data
CN114265360A (en) * 2021-12-28 2022-04-01 四川启睿克科技有限公司 Industrial control system network security test box, fuzzy test method and attack demonstration method
CN114650163B (en) * 2022-01-21 2023-08-22 中国人民解放军战略支援部队信息工程大学 Fuzzy test method and system for stateful network protocol
CN114661621B (en) * 2022-05-13 2022-08-23 上海交通大学宁波人工智能研究院 Industrial control protocol fuzzy test system and method based on reinforcement learning
CN115174194A (en) * 2022-06-30 2022-10-11 浙江极氪智能科技有限公司 System vulnerability mining method, device, equipment and storage medium
CN115174441B (en) * 2022-09-06 2022-12-13 中国汽车技术研究中心有限公司 State machine based TCP fuzzy test method, equipment and storage medium
CN115695161A (en) * 2022-10-27 2023-02-03 南方电网科学研究院有限责任公司 Fuzzy test abnormal message positioning method, device, terminal and medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102087631A (en) * 2011-03-09 2011-06-08 中国人民解放军国发科学技术大学 Method for realizing fuzzing of software on the basis of state protocol
CN103036730A (en) * 2011-09-29 2013-04-10 西门子公司 Method and device for achieving safety testing on protocol implementation
CN104796240A (en) * 2015-04-30 2015-07-22 北京理工大学 Fuzz testing system for stateful network protocol
CN105095075A (en) * 2015-07-16 2015-11-25 北京理工大学 Case generation method for semi-legalized fuzz test of network protocol based on finite-state machine


Also Published As

Publication number Publication date
CN105763392A (en) 2016-07-13


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant