CN110401581B - Industrial control protocol fuzzy test case generation method based on flow tracing - Google Patents

Abstract

The invention discloses an industrial control protocol fuzzy test case generation method based on flow tracing. The invention comprises the following steps: step 1, reading a configuration file; step 2, extracting protocol messages related to the test protocol; step 3, filling the test case template to generate a test case script; analyzing the real flow, extracting the data of the message application layer, converting the message data into Python language code expression, injecting the Python language code expression into a test case template to generate a test case script, and rapidly performing fuzzy test on the basis of not manually compiling the test case; and simultaneously using a plurality of different types of test cases to carry out targeted and random combination to test the target equipment. The invention uses a plurality of test cases of different types to carry out the combination of pertinence and randomness to test the target equipment, thereby effectively improving the coverage rate of the test. The method is suitable for vulnerability mining of the existing industrial control protocol and automatic testing of industrial control protocol research and development.

Description

Industrial control protocol fuzzy test case generation method based on flow tracing

Technical Field

The invention relates to the field of industrial network security, in particular to a flow tracing-based industrial control protocol fuzzy test case generation method.

Background

Industrial control systems are important components of each infrastructure, and with the development of computer and network technologies, more and more internet technologies are applied to the development of the computer and network technologies, while the industrial control systems face the traditional control security threat, the industrial control systems face many network attacks from the internet, and many of the attacks acquire key information of the industrial control systems through vulnerabilities on industrial control protocols, and even can control the operation of the industrial control system devices through the network, so the security of the industrial control protocols has become a focus of national information security.

The fuzz testing is a highly automated black box testing technique, and is often used for excavating bugs appearing in the implementation of a protocol stack of equipment. The fuzzy test can find the defects of program implementation through a large amount of input random data without entering the system or obtaining source codes, but the test is blind because the industrial control equipment can only stay in the initial stage of the protocol state if the industrial control equipment directly resets the connection if the industrial control equipment does not meet the protocol specification when analyzing the input data.

For such a problem, many fuzzy test technologies generate test cases through a message template, for example, network protocol test frames such as Kitty, Sulley and the like, provide a field definition protocol by using the frames after manually analyzing protocol interaction and protocol definition, and then the frames generate test messages through the definitions and send the test messages to target equipment for fuzzy test, so that the messages generated by the test can be analyzed through the equipment, and thus enter deeper test paths.

In summary, in order to solve the above problems, the present invention provides a method for intelligently generating a reusable test case script according to real traffic tracing, so that a vulnerability of an industrial control protocol can be efficiently discovered while maintaining the correctness of a protocol format and the integrity of establishment of an industrial control protocol session.

Disclosure of Invention

Aiming at the problems in the prior art, the invention provides a flow tracing-based industrial control protocol fuzzy test case generation method, which comprises the steps of analyzing real flow, extracting message application layer data, converting the message data into Python language code expression, injecting the Python language code expression into a test case template to generate a test case script, and rapidly performing fuzzy test on the basis of not manually compiling the test case. Meanwhile, a plurality of test cases of different types are used for carrying out targeted and random combination to test the target equipment, so that the test coverage rate is effectively improved. The method is suitable for vulnerability mining of the existing industrial control protocol and automatic testing of industrial control protocol research and development.

The invention provides a flow tracing-based industrial control protocol fuzzy test case generation method, which comprises the following steps:

step 1, reading a configuration file;

step 2, extracting protocol messages related to the test protocol;

step 3, filling the test case template to generate a test case script;

analyzing the real flow, extracting the data of the message application layer, converting the message data into Python language code expression, injecting the Python language code expression into a test case template to generate a test case script, and rapidly performing fuzzy test on the basis of not manually compiling the test case; simultaneously using a plurality of test cases of different types to carry out targeted and random combination to test the target equipment;

the configuration file in the step 1 uses JSON format, and comprises fields: the captured message file path pcappPath and the fields required to be fuzzily tested.

The method for extracting the protocol message related to the test protocol from the existing protocol message file in the step 2 is to use the message file path of the incoming PCAP format to read the protocol information; the method comprises the following specific steps:

step 2-1, using an open source message analyzing tool to analyze the message file to obtain a protocol tree structure of a transport layer and an application layer of each message; the field of each protocol is analyzed to be a corresponding type object in an open source library Scapy, a payload field is added to each protocol for introducing a previous layer protocol data result, and finally the analyzed message is output;

and 2-2, judging the protocol of the application layer and the transport layer flag bit, filtering irrelevant messages and extracting test relevant messages.

The step 3 of the test case template filling method is to traverse the extracted protocol message, convert the protocol message into code representation, inject the code representation into the test case template, and finally obtain test case scripts, wherein each script can be independently operated for testing the message, and the test case is not required to be manually written, and the specific implementation is as follows:

step 3-1, converting the message into Python language code representation; firstly, traversing protocol messages, wherein a transport layer protocol tree structure and an application layer protocol tree structure of each message are obtained in the step 2-1, and each layer of protocol is recursively traversed for each message from bottom to top;

step 3-2, calling a conversion function to convert each layer of protocol into Python language codes; the conversion function uses different conversion methods according to different protocol field types:

(1) for the list type field, traversing each element contained in the field, recursively calling a conversion function, and finally using a code representation that brackets contain each element;

(2) for the character string type field, converting each character of the field into hexadecimal representation, and then using a single quotation mark to contain a conversion result;

(3) aiming at a field specified in a test configuration file, selecting a corresponding fuzzy function according to the field type, constructing a field value by using special characters for a character string type field through the fuzzy function, and constructing a character string exceeding the limit of the field length to detect an overflow vulnerability; for the integer field, generating a random value and a boundary value by using a fuzzy function in the field length range; after the fuzzy function is selected, the fuzzy function is converted into Python code represented by RandFunc (), wherein RandFunc is the fuzzy function selected previously;

(4) for the object type field, recursively calling a conversion function for each field of the object type field, and finally combining the fields into object constructor codes, wherein the conversion result of the field is transmitted as a constructor parameter;

step 3-3, outputting the message data represented by the Python code, and entering step 3-4;

3-4, expressing the protocol message code obtained in the step 3-3, and injecting the code into a test case template;

3-5, connecting the test related protocol messages extracted in the step 2 into a graph model in sequence, wherein the nodes are each message to be sent; and finally, injecting the codes of the graph model into the test case template and writing the codes into a file to obtain the test case script file.

The test case template of the step 3 comprises the following steps: dependency of the open source project Kitty, tool class for sending the fuzzy test message, and code for connecting the message into a graph model.

The method for converting the protocol message into the Python language code in the step 3 comprises the following steps: firstly intercepting a payload above a protocol message transport layer, wherein the payload comprises a plurality of layers of protocols, such as a Siemens S7 protocol including a TPKT protocol, a COTP protocol and a Siemens S7Comm protocol, then recursively traversing each layer of protocol for a protocol tree structure, traversing protocol fields for a current protocol layer, and converting the protocol fields into corresponding code representations according to the field types.

Compared with the prior art, the industrial control protocol fuzzy test case generation method based on the flow tracing has the following advantages by adopting the technical scheme:

compared with fuzzy testing tools such as Kitty and Sulley, the flow file and the simple configuration file are used as input, the reusable industrial control protocol testing script is automatically generated, complex manual coding is reduced, and testing efficiency is improved. The flow file contains real configuration information, so that a protocol session can be completely established in the test process, and the fuzzy test can be further performed. By combining and executing the test case scripts, the test coverage rate is effectively increased.

Drawings

Fig. 1 is a schematic diagram of an embodiment of capturing real environment traffic by using the industrial control protocol fuzzy test case generation method based on traffic tracing.

FIG. 2 is a schematic diagram of an embodiment of test case generation in the industrial control protocol fuzzy test case generation method based on traffic tracing.

FIG. 3 is an overall flowchart of the industrial control protocol fuzzy test case generation method based on traffic tracing.

Fig. 4 is an example of a configuration file format of the industrial control protocol fuzzy test case generation method based on traffic tracing.

Fig. 5 is an exemplary diagram of a tree structure obtained by analyzing an industrial control protocol according to the industrial control protocol fuzzy test case generation method based on traffic tracing.

Fig. 6 is an example of a result of analyzing a data packet captured by the industrial control protocol fuzzy test case generation method based on traffic tracing in Wireshark.

FIG. 7 is a schematic diagram of a test case script of the industrial control protocol fuzzy test case generation method based on flow tracing in the invention for independently running a test.

Fig. 8 is a schematic diagram of arranging test cases into task operation in the industrial control protocol fuzzy test case generation method based on flow tracing.

Detailed Description

The technical solution of the present invention will be fully described with reference to the accompanying drawings in the embodiments of the present invention.

The invention designs an industrial control protocol fuzzy test case generation method based on flow tracing. Before testing, an industrial control protocol message needs to be acquired, and as shown in fig. 1, a packet capturing tool is arranged between an upper computer and the tested industrial control equipment to capture the protocol message on a communication link. The packet capturing device can be a switch for opening a port mirror image or a packet capturing tool such as Wireshark, Tcpdump, Scapy and the like used on an upper computer, and finally a data message file is obtained. Then, as shown in fig. 2, the captured data message file and configuration file are used as input, and the test case script is constructed by using the method of the present invention.

The following describes an embodiment of a test case generation method. The test case script generating method shown in fig. 3 executes the following steps:

step 1, reading a configuration file filled by a user. As shown in fig. 4, the configuration file uses the JSON format, containing the fields: the captured message file path pcappPath and the fields required to be fuzzily tested. And finally entering the step 2.

Step 2, matching the captured message files, extracting messages related to the test industrial control protocol, and entering step 3

The step 2 is specifically executed as follows:

and 2.1, analyzing the message file by using an open source message analyzing tool, such as Wireshark, Scapy and the like, and obtaining a protocol tree structure of a transport layer and an application layer of each message. As shown in fig. 5, in the tree structure of the Siemens S7 protocol, the upper layers of the TCP protocol are the TPKT protocol, the COTP protocol, and the Siemens S7comm protocol, respectively, the fields of each protocol are analyzed into the corresponding type objects in the Scapy of the open source library, and simultaneously, payload fields are added to each protocol for referring to the data result of the previous layer of protocol, and finally, the analyzed message is output.

And 2.2, judging the application layer protocol and the transport layer zone bit, wherein the control messages such as FIN, SYN, ACK and the like of TCP and the protocol messages of other application layers are mixed in the existing messages, and the messages can influence the change of the protocol state, so that irrelevant messages need to be filtered, relevant test messages are extracted, and the step 3 is carried out.

And 3, filling the test case template according to the extracted protocol related data message to obtain a test case Python language script which can be directly operated, and entering the step 4.

The specific implementation steps of step 3 are as follows:

step 3.1 converts the message into Python language code representation. The protocol packets are traversed first, since in step 2.1 a transport layer, application layer protocol tree structure for each packet is already obtained, and each layer protocol is traversed for each packet recursively from bottom to top.

Step 3.2 calls a conversion function to convert each layer of protocol into Python language code. The conversion function uses different conversion methods according to different protocol field types:

(1) for the list type field, traversing each element contained in the field, recursively calling a conversion function, and finally using a code representation that brackets contain each element;

(2) for the character string type field, converting each character of the field into hexadecimal representation, and then using a single quotation mark to contain a conversion result;

(3) aiming at a field specified in a test configuration file, selecting a corresponding fuzzy function according to the field type, constructing a field value by using special characters such as \0, \\ n,% d and the like for a character string type field by using the fuzzy function, and constructing a character string exceeding the limit of the field length to detect an overflow vulnerability; for integer fields, a fuzzy function within the field length is used to generate random and boundary values. After the fuzzy function is selected, it is converted to Python code represented by RandFunc (), where RandFunc is the previously selected fuzzy function.

(4) And (4) aiming at the object type field, recursively calling a conversion function for each field of the object type field, and finally combining the fields into object constructor codes, wherein the conversion result of the field is transmitted as a constructor parameter.

And 3.3, outputting the message data represented by the Python code, and entering the step 3.2.

And 3.4, expressing the protocol message code obtained in the step 3.3 and injecting the code into a test case template.

And 3.5, connecting the test related protocol messages extracted in the step 2 into a graph model in sequence, wherein the nodes are each message to be sent. And finally, injecting the codes of the graph model into the test case template and writing the codes into a file to obtain the test case script file.

Because the Siemens S7 protocol is a common industrial control equipment protocol, the method of the invention is explained by taking the actually captured Siemens S7 protocol traffic to generate a test case script as an embodiment:

step 1, reading a configuration file, wherein the configuration file comprises a Siemens S7 protocol traffic file path pcapppath and protocol fields required to be tested, as shown in fig. 4.

Step 2, using open source software Wireshark to analyze protocol flow, converting each message into a protocol tree structure as shown in FIG. 5, and then judging an application layer protocol and a transport layer zone bit, because control messages such as FIN, SYN, ACK and the like of TCP and protocol messages of other application layers are mixed in the existing messages, the messages can affect the protocol state change, and the irrelevant messages need to be filtered to extract the relevant test messages.

And 3, filling the test case template by using the extracted protocol-related data message to obtain a test case Python language script which can be directly operated. Referring to fig. 6, the process of converting to Python code representation will be described in detail, as shown in the figure, the result of parsing the COTP protocol connection request message (COTPCR) for session establishment in Wireshark is shown. When the conversion function is traversed from the TPKT protocol to the COTP protocol, firstly, the message field of a COTP protocol Request connection (COTPConnect Request) is traversed: length, pdu type, destination reference, source reference, class option, parameters. Since the length field is automatically evaluated after being filled with other fields, no value needs to be specified; the parameters field is a list type, each element in the list type needs to be recursively converted, wherein the field type COTPOption consists of a parameter code, a parameter length and a parameter field, and then the conversion is performed according to the types of the parameters field, and other fields are the same as the default value of the type object of the protocol field, so that the conversion is not required in the generated code, and finally, Python code representation of the protocol message shown in the following is obtained:

packet0＝TPKT()/COTPCR(Parameters＝[COTPOption(Parameter

＝′\x0a′),COTPOption(Parameter

＝′\x01\x00′,ParameterCode

＝193),COTPOption(Parameter

＝′\x01\x01′,ParameterCode＝194)])

the message types COTPCR, TPKT, cottpoption are composed using field description classes provided by the open source framework Scapy.

The related protocol message is converted into a code to be expressed and then is injected into a test case template to obtain a test case script file, wherein the following codes are shown:

wherein the packet_iThe (i ═ 0,1,2) is an object of the protocol packet extracted from the real traffic file in fig. 6, which is converted into a code representation, and is used for establishing a COTP protocol connection, establishing an S7Comm protocol connection, and writing data into the target device. The parser of line 4 is used to handle runtime options including specifying the IP address of the test target, the port the target opens, the number of fuzz _ count needed to be obfuscated, and the timeout time timeout for the target response. In lines 16-19 according toAnd (4) protocol message sequence, and connecting the messages into a graph model by using a ModelGraph class of a Kitty framework. The latter code is used to establish a connection with the target device, and then sends the obfuscated message to the target device according to the protocol graph model.

In the invention, two test methods can be used according to the test case script automatically generated by the existing flow file: one directly runs a script on a host with the device IP address, port number, and number of fuzzy tests as parameters, as shown in fig. 7; the other is to establish a task to arrange a plurality of test case scripts, the order of combination can be targeted selection or random combination, as shown in fig. 8, and the task executor can sequentially execute the arranged test cases.

When each test script runs, firstly establishing connection with target equipment, then traversing a protocol graph model defined in the test script, sending an fuzzification protocol message of each node of the graph model to the target equipment in sequence, monitoring the sent data message and the equipment state through a monitor, and if the target does not respond, storing the data message.

In summary, the industrial control protocol fuzzy test case generation method based on traffic tracing of the present invention analyzes and extracts the real protocol message file, traverses each layer of protocol of the message and converts the protocol into code representation, and injects the code representation into the test case template to construct the test case script. Compared with the existing testing method, the test case is not required to be written manually, the generated test case script can be operated independently, the same protocol stack of different targets can be tested conveniently, the writing difficulty of the test case is greatly reduced, the time required in the preparation stage of the fuzzy test is reduced, a plurality of test cases are combined to test target equipment, and the test coverage rate is effectively improved. Meanwhile, based on the real protocol message, the application layer session is completely established, and the problem that the existing test method has insufficient test depth is solved.

The embodiments of the present invention have been described in detail with reference to the drawings, but the present invention is not limited to the above embodiments, and various changes can be made within the knowledge of those skilled in the art without departing from the gist of the present invention.

Claims (2)

1. The industrial control protocol fuzzy test case generation method based on flow tracing is characterized by comprising the following specific steps:

step 1, reading a configuration file;

step 2, extracting protocol messages related to the test protocol;

step 3, filling the test case template to generate a test case script;

analyzing the real flow, extracting the data of the message application layer, converting the message data into Python language code expression, injecting the Python language code expression into a test case template to generate a test case script, and rapidly performing fuzzy test on the basis of not manually compiling the test case; simultaneously using a plurality of test cases of different types to carry out targeted and random combination to test the target equipment;

the configuration file in the step 1 uses JSON format, and comprises fields: a captured message file path pcapPath and field fields needing to be subjected to fuzzy testing;

step 2, extracting protocol message related to the test protocol from the existing protocol message file by using the message file path of the incoming PCAP format to read protocol information; the method comprises the following specific steps:

step 2-1, using an open source message analyzing tool to analyze the message file to obtain a protocol tree structure of a transport layer and an application layer of each message; the field of each protocol is analyzed to be a corresponding type object in an open source library Scapy, a payload field is added to each protocol for introducing a previous layer protocol data result, and finally the analyzed message is output;

and 2-2, judging the protocol of the application layer and the transport layer flag bit, filtering irrelevant messages and extracting test relevant messages.

2. The industrial control protocol fuzzy test case generation method based on traffic tracing as claimed in claim 1, characterized in that: step 3, the test case template filling method traverses the extracted protocol message, converts the protocol message into code representation, injects the code representation into the test case template, and finally obtains test case scripts, wherein each script can be independently operated and is used for testing the message, and the test case is not required to be manually compiled, and the specific implementation is as follows:

step 3-1, converting the message into Python language code representation; firstly, traversing protocol messages, wherein a transport layer protocol tree structure and an application layer protocol tree structure of each message are obtained in the step 2-1, and each layer of protocol is recursively traversed for each message from bottom to top;

step 3-2, calling a conversion function to convert each layer of protocol into Python language codes; the conversion function uses different conversion methods according to different protocol field types:

(1) for the list type field, traversing each element contained in the field, recursively calling a conversion function, and finally using a code representation that brackets contain each element;

(2) for the character string type field, converting each character of the field into hexadecimal representation, and then using a single quotation mark to contain a conversion result;

(3) aiming at a field specified in a test configuration file, selecting a corresponding fuzzy function according to the field type, constructing a field value by using special characters for a character string type field through the fuzzy function, and constructing a character string exceeding the limit of the field length to detect an overflow vulnerability; for the integer field, generating a random value and a boundary value by using a fuzzy function in the field length range; after the fuzzy function is selected, the fuzzy function is converted into Python code represented by RandFunc (), wherein RandFunc is the fuzzy function selected previously;

(4) for the object type field, recursively calling a conversion function for each field of the object type field, and finally combining the fields into object constructor codes, wherein the conversion result of the field is transmitted as a constructor parameter;

step 3-3, outputting the message data represented by the Python code, and entering step 3-4;

3-4, expressing the protocol message code obtained in the step 3-3, and injecting the code into a test case template;

3-5, connecting the test related protocol messages extracted in the step 2 into a graph model in sequence, wherein the nodes are each message to be sent; and finally, injecting the codes of the graph model into the test case template and writing the codes into a file to obtain the test case script file.

Images