CN111830928A - Fuzzy test method for industrial control equipment firmware - Google Patents

Info

Publication number: CN111830928A
Authority: CN (China)
Prior art keywords: file, firmware, test, protocol, industrial control
Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN202010512591.6A
Other languages: Chinese (zh)
Other versions: CN111830928B (en)
Inventors: 徐向华, 邵帅, 朱佳超
Current assignee: Hangzhou Dianzi University (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Hangzhou Dianzi University
Events: application filed by Hangzhou Dianzi University; priority to CN202010512591.6A; publication of CN111830928A; application granted; publication of CN111830928B; legal status active; anticipated expiration

Classifications

    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B23/00 Testing or monitoring of control systems or parts thereof
    • G05B23/02 Electric testing or monitoring
    • G05B23/0205 Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults
    • G05B23/0208 Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults, characterized by the configuration of the monitoring system
    • G05B23/0213 Modular or universal configuration of the monitoring system, e.g. a monitoring system having modules that may be combined to build a monitoring program; a monitoring system that can be applied to legacy systems; an adaptable monitoring system; using different communication protocols
    • G05B2219/00 Program-control systems
    • G05B2219/20 Pc systems
    • G05B2219/24 Pc safety
    • G05B2219/24065 Real time diagnostics

Abstract

The invention discloses a fuzz testing method for the firmware of industrial control equipment. The method has four stages: firmware downloading, executable program extraction, emulated execution of the program, and fuzz testing. An automated crawler downloads the equipment firmware of each manufacturer, the binary executable files are extracted recursively, each executable is run in an emulator, and the firmware's network services are fuzz tested. The result is an efficient fuzz testing method for the executable programs in industrial control equipment firmware: it does not require building a special embedded hardware execution environment for each specific model of PLC firmware, it does not require manually restarting the embedded device during testing, it makes the whole fuzz testing process more convenient and efficient, and it readily supports massively parallel vulnerability discovery testing in support of large-scale firmware testing work. The method is suitable for vulnerability discovery in existing industrial control systems, automated testing of industrial control systems, and similar work.

Description

Fuzzy test method for industrial control equipment firmware
Technical field
The invention relates to the field of network security technology, and in particular to a vulnerability discovery technique for industrial control equipment based on fuzz testing.
Background
According to relevant research statistics, in 2018 about 95% of the programmable logic controllers (PLCs) in industrial control systems were products of foreign companies such as Schneider (France), Siemens (Germany) and OMRON (Japan), and most of these products are systems built by secondary customization of the VxWorks real-time operating system. The secondary development on top of VxWorks mainly consists of adding the industrial control network protocols that PLC equipment requires, such as Modbus, Siemens S7, DNP3, HTTP, FTP, SNMP and DHCP. These protocols are implemented by network protocol components built into the firmware of the industrial control equipment, such as the industrial control protocol network service program, the Web server program, the Telnet program and the FTP server program. Once a PLC control system is deployed in an industrial production process, the PLC system and its network protocol components are generally not updated in a timely manner, and most PLC systems are not open source, so it is very important to test, discover and analyze vulnerabilities in the mainstream PLC firmware on the market and to find any unknown vulnerabilities in good time.
The existing industrial control firmware vulnerability discovery methods are mainly the following:
1. Patent CN105938532A decompresses the firmware, extracts plain code fields from the files, disassembles the executable files, and analyzes firmware correlations to match known vulnerabilities; this method cannot find unknown vulnerabilities. Patents CN110941832A and CN108989299A also use similar feature-matching vulnerability methods.
2. Patent CN109740351A loads the firmware onto the embedded device, runs it, and then verifies each vulnerability in a vulnerability list with a vulnerability verification program. This approach requires loading and executing the firmware on the corresponding embedded hardware device. For the great variety of PLC industrial control equipment on the market, vulnerability testing and discovery is then only possible by building a corresponding special embedded hardware environment for each, and batch vulnerability discovery across many kinds of PLC firmware is hard to carry out efficiently.
Disclosure of Invention
To address these problems, the invention provides a fuzz testing method for industrial control equipment firmware that comprises four stages: firmware downloading, executable program extraction, emulated execution of the program, and fuzz testing.
The firmware downloading stage specifically comprises the following steps:
1-1. Create a firmware storage directory for the successfully downloaded firmware.
1-2. Collect the addresses of the industrial control equipment websites and FTP sites of the various models of manufacturers such as Schneider, Siemens and OMRON, and store the addresses in a crawling list.
1-3. Write page parsing logic for each address in the crawling list, extract the download address of each firmware file, and store it in a firmware download address set.
1-4. Using the Python crawler framework Scrapy, take one firmware address to be downloaded out of the firmware download address set, and let the Scrapy scheduler drive the downloader to download the firmware file and store it in the firmware storage directory. Repeat step 1-4 until the firmware download address set is empty, at which point all firmware in the address set has been downloaded.
The executable program extraction stage of the invention extracts the firmware recursively and specifically comprises the following steps:
2-1. Create a working directory for the extracted binary executable files and the resources they need at run time.
2-2. Perform the executable program extraction operation on each firmware file in the firmware storage directory, which specifically comprises the following steps:
2-2-1. Load the firmware into memory by calling mmap on the Linux system, and set the offset used to locate the currently identified firmware content to 0.
2-2-2. Define the firmware characteristic values of the industrial control equipment on top of the open source library libmagic, then call libmagic at the current byte offset to identify the firmware content and obtain the type and length of the current file; the offset unit is bytes.
When the file type is a compressed file, decompress it with the tar tool, then recursively apply step 2-2 to each decompressed file one by one to extract it.
When the file type is a directory metafile, parse it to obtain the number of files, the directory name and the current directory path, create the corresponding directory in the working directory, and recursively apply the step 2-2 extraction operation to the files contained in that directory.
When the file type is a binary executable program, read the file's Executable and Linkable Format (ELF) header using the Linux file tool to obtain the file's instruction set architecture and byte order, and save the executable file to the working directory.
The executable program emulation stage specifically comprises the following steps:
3-1. Using the WorkBench tool of Wind River, create a VxWorks system kernel file and a VxWorks BSP (Board Support Package) file that specify the instruction set architecture, endianness and registers.
3-2. Create the disk image required for emulated execution with the qemu-img program; format the disk image with a DOS file system so that the VxWorks system image can be written to it, write the BSP and the kernel file of the VxWorks system into the DOS file system, and make the BSP file the boot entry.
3-3. Create a bridge and assign an IP address so that the emulator can communicate with the external network.
3-4. Select the corresponding QEMU emulator version according to the instruction set architecture specified by the executable file, and start the VxWorks system virtual machine through the emulator with the disk image as a parameter.
3-5. Write the binary executable files and resource folders in the working directory into the virtual machine over the FTP protocol, then execute the binary executable files so that they wait for the fuzz test.
The fuzz testing stage specifically comprises the following steps:
4-1. Look up the mapping table from characteristic values to network services using the characteristic value of the binary executable file, obtain the network service type provided by the file, and carry out a targeted protocol fuzz test according to that network service type. This specifically comprises the following steps:
4-1-1. Read the symbol table information of the binary executable file with the Linux readelf tool, and read the ASCII (American Standard Code for Information Interchange) encoded strings of the binary executable file with the Linux strings tool.
4-1-2. Traverse the mapping table from characteristic values to network services and check whether the key of each entry is present in the symbol table information and strings obtained in step 4-1-1. The key of each entry in the mapping table consists of function symbols and key strings, and the value of each entry is the name of the corresponding network service type.
If no entry in the mapping table matches, the binary executable file currently under test must be decompiled manually to obtain the error message string it displays when it fails, the strings characteristic of the corresponding firmware type and its common function symbols; a corresponding entry is created in the mapping table and the table is updated. Then return to step 4-1-2 and continue matching.
If a matching entry is found in the mapping table, take the network service type of that entry as the network service type name provided by the binary executable file.
4-2. Write the test case script file.
4-2-1. Describe the various types of protocol fields in the Python language; each layer of the network protocol in the TCP/IP reference model is composed of these protocol fields. Each protocol field consists of a field length, a field default value and a field name.
4-2-2. Add the protocol field description of the network service of the binary executable under test to the test case script file. When the test case script file is executed, protocol data is generated from the protocol field description. Some of the protocol fields to be tested are replaced by a fuzz function, and the number of fuzzing iterations for each such field is set. The fuzz function constructs protocol field values from special characters, random values and overlong strings, and when the test case script file is executed the fuzzed protocol message is generated by calling the fuzz function.
4-2-3. Add the test target IP address and port number to the test case script file. The test target IP is the IP address of the emulator bridge, and the port number depends on the network service type of the binary executable file; for example, if the commonly embedded GoAhead program provides the Web service, the test target port number is 80. The test case script file depends on the network service type, and a Web service fuzz test mainly tests the implementation of the HTTP protocol.
4-3. Execute the test case script.
Before each protocol message is sent, connect to the emulator through a Linux socket.
If the connection fails, the binary executable file under test in the current VxWorks system has crashed: save the last test case to the working directory, then run the emulator again; because the binary executable file under test has already been written into the disk image, fuzz testing can proceed directly, i.e. the test case script is re-executed.
If the connection succeeds, keep generating fuzzed protocol messages by executing the test case script and send them over the Linux socket connection to the QEMU emulator, where they are received by the binary executable file under test running in the VxWorks system, which in turn runs inside the QEMU emulator.
If the current test count is greater than or equal to the number of fuzzing iterations of the fuzzed fields in the test case script, the test ends. Otherwise, add one to the current test count, connect to the emulator through the Linux socket again before the next test message is sent, and continue the fuzz test.
The invention has the following advantages:
1. Compared with the methods of the existing patents CN105938532A, CN110941832A and CN108989299A, which find known vulnerabilities by sample matching, the method disclosed in this patent finds unknown vulnerabilities in the firmware by dynamically emulating and running the binary executable programs present in the firmware and performing vulnerability discovery on the services those executables provide by means of fuzz testing.
2. Compared with the existing method of patent CN109740351A, which loads the firmware onto the embedded device for a running test, the method extracts the instruction set architecture and byte order of the binary executable program and invokes the corresponding version of QEMU to perform the fuzz test, and judges whether the program under test is still alive through the socket in order to monitor for abnormal behaviour, so the embedded device never needs to be restarted manually and the test flow is more efficient.
In summary, the invention provides a fuzz testing method suitable for industrial control equipment firmware: it crawls the various industrial control PLC firmware files that each company publishes on the Internet, extracts the industrial control network protocol components from the PLC firmware, performs fuzz testing and vulnerability discovery on the industrial control equipment firmware by running those industrial control protocol components in an emulator, and thereby solves the problem of efficiently testing, analyzing and discovering vulnerabilities in the various industrial control PLC firmware found on the Internet.
Drawings
Fig. 1 is a flowchart of the fuzz testing method for the firmware of an industrial control device according to the present invention.
Fig. 2 is a flowchart of the firmware downloading stage of the fuzz testing method for the firmware of an industrial control device according to the present invention.
Fig. 3 is a flowchart of the executable program extraction stage of the fuzz testing method for the firmware of an industrial control device according to the present invention.
Fig. 4 is a flowchart of the program emulation stage of the fuzz testing method for the firmware of an industrial control device according to the present invention.
Fig. 5 is a flowchart of the fuzz testing stage of the fuzz testing method for the firmware of an industrial control device according to the present invention.
Fig. 6 is a schematic diagram of a fuzz test case in the fuzz testing method for the firmware of an industrial control device according to the present invention.
Fig. 7 is a schematic diagram of the environment of the fuzz testing stage in the fuzz testing method for the firmware of an industrial control device according to the present invention.
Detailed Description
The present invention will be described in further detail with reference to examples.
In the invention, when the VxWorks system image is built with Wind River's IDE tool Workbench, the image format is chosen as ELF (Executable and Linkable Format). At the same time, an FTP (File Transfer Protocol) server component must be added so that the binary executable program under test can be loaded into the virtual machine; finally the system image vxworks_kernel is generated.
As shown in Fig. 1, the technical solution adopted by the present invention is a fuzz testing method for the firmware of an industrial control device, which comprises the following steps:
1. Firmware downloading stage: parse the image download address obtained from each manufacturer to get the corresponding URL, and store the downloaded firmware file in a directory.
2. Executable program extraction stage: create a working directory, perform the recursive extraction operation on the firmware, and produce the executable binary programs and their related resource files.
3. Program emulation stage: create a disk image, build the VxWorks system and Board Support Package (BSP) corresponding to the instruction set architecture, and write the BSP into the disk image; create a bridge bound to an IP address, and finally run the VxWorks system through the QEMU emulator.
4. Fuzz testing stage: write the corresponding test case script according to the characteristic value of the binary executable file under test, and fuzz test the VxWorks system running in emulation.
As shown in Fig. 2, the firmware downloading stage of the present invention specifically includes the following steps:
1.1 Create a firmware storage directory firmware_dir for the successfully downloaded firmware.
1.2 Collect the addresses of the industrial control equipment websites and FTP sites of the various models of manufacturers such as Schneider, Siemens and OMRON, and save them to the crawling list crawl_list.
1.3 Write page parsing logic for each address in crawl_list, extract each firmware file download address firmware_url, and store it in firmware_url_list.
1.4 Using the Python crawler framework Scrapy, take one firmware address to be downloaded out of the firmware_url_list set, and let the Scrapy scheduler drive the downloader to download the firmware file and save it to firmware_dir. Step 1.4 is repeated until the set firmware_url_list is empty.
As shown in Fig. 3, the executable program extraction stage of the present invention specifically includes the following steps:
2.1 Create a working directory work_dir for the extracted binary executable files and the resources they need at run time, such as the pages and JavaScript scripts of the Web server program, the MIB files required by the SNMP protocol, and so on.
2.2 Perform the executable program extraction operation on each firmware file firmware_file in the firmware storage directory firmware_dir. This specifically comprises the following steps:
2.2.1 Load firmware_file into memory by calling mmap on the Linux system, and set the offset used to locate the currently identified firmware content to 0.
2.2.2 Define the firmware characteristic values of the industrial control equipment on top of the open source library libmagic, then call libmagic at the current byte offset to obtain the current file type and length.
2.2.3 When the file type is a compressed file, decompress it with the tar tool and then extract the resulting files recursively one by one.
When the file type is a directory metafile, parse it to obtain the number of files, the directory name and the current directory path, create the corresponding directory in the working directory work_dir, and recursively apply the step 2.2 extraction operation to the files contained in the directory.
When the file type is a binary executable program, read the file's Executable and Linkable Format (ELF) header using the Linux file tool to obtain the file's instruction set architecture (Arch) and endianness (Endian), and store the executable file in the working directory under its relative path.
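As an added illustration of steps 2.2.2 through 2.2.3 and of the emulator choice in step 3.4 (this is example code, not code from the patent), the following Python script walks a constructed firmware archive recursively, identifies each blob by its magic bytes as a stand-in for libmagic, parses the ELF identification fields that the file tool would report to obtain Arch and Endian, and maps the pair to a QEMU system-emulator binary. The sample firmware built by `_fake_elf` and `_tar`, the `E_MACHINE` subset and the `QEMU_FOR` table are assumptions made for the example; real PLC firmware additionally needs the vendor-specific libmagic signatures the description calls characteristic values.

```python
import io
import struct
import tarfile

ELF_MAGIC = b"\x7fELF"

# Subset of ELF e_machine codes relevant to PLC firmware (values from the ELF spec).
E_MACHINE = {3: "i386", 8: "mips", 20: "powerpc", 40: "arm", 62: "x86_64"}

# Assumed (arch, endian) -> QEMU system emulator binary, standing in for step 3.4.
QEMU_FOR = {
    ("arm", "little"): "qemu-system-arm",
    ("mips", "big"): "qemu-system-mips",
    ("mips", "little"): "qemu-system-mipsel",
    ("powerpc", "big"): "qemu-system-ppc",
    ("i386", "little"): "qemu-system-i386",
    ("x86_64", "little"): "qemu-system-x86_64",
}


def identify(data: bytes) -> str:
    """Minimal libmagic stand-in: classify a blob by its magic bytes."""
    if data[:4] == ELF_MAGIC:
        return "elf"
    if len(data) >= 262 and data[257:262] == b"ustar":
        return "tar"
    return "other"


def parse_elf_ident(data: bytes) -> dict:
    """Read EI_CLASS, EI_DATA and e_machine from an ELF header (what `file` reports)."""
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    bits = {1: 32, 2: 64}.get(data[4])
    endian = {1: "little", 2: "big"}.get(data[5])
    if bits is None or endian is None:
        raise ValueError("malformed ELF identification")
    fmt = "<H" if endian == "little" else ">H"     # e_machine is stored in the file's own byte order
    (e_machine,) = struct.unpack(fmt, data[18:20])
    return {"arch": E_MACHINE.get(e_machine, f"unknown({e_machine})"),
            "endian": endian, "bits": bits}


def qemu_binary(info: dict):
    """Pick the emulator for the Arch/Endian pair; None means no emulator is configured."""
    return QEMU_FOR.get((info["arch"], info["endian"]))


def extract_executables(blob: bytes, path: str = "") -> dict:
    """Recursive extraction (step 2.2): descend into archives and collect ELF files."""
    found = {}
    kind = identify(blob)
    if kind == "elf":
        found[path] = parse_elf_ident(blob)
    elif kind == "tar":
        with tarfile.open(fileobj=io.BytesIO(blob)) as tf:
            for member in tf.getmembers():
                if member.isfile():
                    inner = tf.extractfile(member).read()
                    found.update(extract_executables(inner, f"{path}/{member.name}"))
    return found


# --- constructed sample firmware: an outer tar holding one ELF and a nested rootfs tar ---
def _fake_elf(ei_class: int, ei_data: int, e_machine: int) -> bytes:
    fmt = "<HH" if ei_data == 1 else ">HH"
    ident = ELF_MAGIC + bytes([ei_class, ei_data, 1, 0, 0]) + b"\x00" * 7
    return ident + struct.pack(fmt, 2, e_machine) + b"\x00" * 44   # rest of header zeroed


def _tar(files: dict) -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


SAMPLE_FIRMWARE = _tar({
    "bin/modbusd": _fake_elf(1, 1, 40),                        # ARM, little-endian
    "rootfs.tar": _tar({"bin/webs": _fake_elf(1, 2, 20),       # PowerPC, big-endian
                        "etc/mib.txt": b"not an executable"}),
})

if __name__ == "__main__":
    for path, info in extract_executables(SAMPLE_FIRMWARE).items():
        print(path, info, "->", qemu_binary(info))
```

The byte order is read from EI_DATA before e_machine is decoded, because the same architecture code appears in both orders (MIPS firmware in particular) and a wrong guess here selects the wrong emulator in step 3.4.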
As shown in Fig. 4, the executable program emulation stage of the present invention specifically includes the following steps:
3.1 Use the WorkBench tool of Wind River to create a VxWorks system kernel file vxworks_kernel and a VxWorks Board Support Package (BSP) file vxworks_bsp that specify the instruction set architecture Arch and endianness Endian.
3.2 Create the disk image vxworks_image required for emulated execution with the qemu-img program. To write the VxWorks system image, the disk image must be in DOS file system format; the disk image is then mounted, the BSP file vxworks_bsp and the kernel file vxworks_kernel are written into the file system, and vxworks_bsp is set as the system boot entry.
3.3 Create a network bridge and assign it an IP address ip_addr for sending and receiving protocol messages between the emulator and the outside during fuzz testing. Preferably, the bridge is created with the brctl tool on a Linux system, and with the OpenVPN tool on a Windows system.
3.4 Select the QEMU emulator executable qemu of the version corresponding to the executable file's instruction set architecture Arch and endianness Endian, and start the VxWorks system virtual machine with the emulator qemu, passing the disk image vxworks_image as a parameter.
3.5 Upload the binary executable files and resource folders in the working directory work_dir to the virtual machine over the FTP protocol, then execute the binary file through the FTP protocol's EXEC command so that it waits for the fuzz test.
The fuzz testing stage of the present invention (shown in Fig. 5) specifically includes the following steps:
4.1 Using the characteristic value of the binary executable file, query the mapping table file from characteristic values to network services for the network service type provided by the file, and carry out a targeted protocol fuzz test according to that type.
This specifically comprises the following steps:
4.1.1 Read the symbol table information of the executable file with the Linux readelf tool, and read the ASCII encoded strings of the executable file with the Linux strings tool.
4.1.2 Traverse the mapping table from characteristic values to network services and check whether the key of each entry is present in the function symbol table and strings obtained in step 4.1.1. The key of each entry in the table consists of function symbols and a key string, and the value of each entry is the corresponding network service type name.
4.1.3 If no entry in the mapping table matches, the binary program under test must be decompiled manually to obtain the error message string it displays when it fails, the strings characteristic of the corresponding firmware type and its common function symbols, and a mapping table entry is created and added. Then return to step 4.1.2 and continue matching.
4.1.4 If a matching entry is found in the mapping table, the network service type of that entry is taken as the network service type provided by the executable binary program.
Specifically, if function symbols such as socket and listen are present in the symbol table together with the strings "Name:" and "Address:1212 milk Way ave.", this indicates that the current binary program is the HTTP server program of GoAhead (a commonly embedded Web server program), so the HTTP protocol can be tested in the fuzz testing stage. The string "Name:, Address:1212 milk Way ave." is the response content GoAhead sends when the server encounters an error.
Likewise, if function symbols such as socket and usrAppInit are present in the symbol table and the program contains the string "noe 0401", this indicates that the current binary program is a Modbus protocol server program, so the Modbus protocol can be tested in the fuzz testing stage.
Similarly, for other network protocols such as SNMP, TELNET, S7 and DNP3, the network services provided by the binary program can be obtained by querying the mapping table with function symbols and key strings. This mapping table is the mapping table from characteristic values to network services created in step 4.1.
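The lookup of steps 4.1.1 through 4.1.4, written out as an added Python example (not the patent's own code): the mapping table holds the two entries the description gives, GoAhead/HTTP and Modbus, keyed by function symbols plus key strings; `parse_readelf_symbols` reads symbol names from `readelf -s` style output and `ascii_strings` reproduces what the strings tool extracts, and `classify_service` returns `None` when nothing matches, which is the signal for the manual decompilation of step 4.1.3. The readelf text and raw binaries below are constructed inputs, the port numbers are those the description assigns in step 4.2.3, and the VxWorks symbol is spelled `usrAppInit`.

```python
import re

# Mapping table from characteristic values to network services (steps 4.1.2-4.1.4).
# Each key is a set of function symbols plus a set of key strings; the value is the service name.
SERVICE_TABLE = [
    {"symbols": {"socket", "listen"},
     "strings": {"Name:", "Address:1212 milk Way ave."},   # GoAhead error-response strings
     "service": "HTTP", "port": 80},
    {"symbols": {"socket", "usrAppInit"},
     "strings": {"noe 0401"},
     "service": "Modbus", "port": 502},
]


def parse_readelf_symbols(text: str) -> set:
    """Collect symbol names from `readelf -s` style output (last column of the numbered rows)."""
    symbols = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 8 and parts[0].endswith(":") and parts[0][:-1].isdigit():
            symbols.add(parts[-1])
    return symbols


def ascii_strings(data: bytes, min_len: int = 4) -> list:
    """Equivalent of the strings tool: runs of printable ASCII at least min_len long."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def classify_service(symbols: set, strings: list):
    """First table entry whose symbols and key strings all occur in the binary, else None."""
    for entry in SERVICE_TABLE:
        if not entry["symbols"] <= symbols:
            continue
        if all(any(key in s for s in strings) for key in entry["strings"]):
            return entry
    return None


def service_for_binary(readelf_output: str, raw: bytes):
    """Step 4.1 end to end: symbols + strings -> mapping table entry (or None)."""
    return classify_service(parse_readelf_symbols(readelf_output), ascii_strings(raw))


# --- constructed inputs standing in for readelf -s output and the raw binaries ---
READELF_WEBS = """\
Symbol table '.symtab' contains 4 entries:
   Num:    Value  Size Type    Bind   Vis      Ndx Name
     1: 00010000    64 FUNC    GLOBAL DEFAULT    1 socket
     2: 00010040    32 FUNC    GLOBAL DEFAULT    1 listen
     3: 00010060   128 FUNC    GLOBAL DEFAULT    1 websOpenServer
"""
RAW_WEBS = b"\x7fELF\x00\x00" + b"Name: \x00" + b"Address:1212 milk Way ave.\x00" + b"\xff" * 8

READELF_MODBUS = """\
     1: 00020000    64 FUNC    GLOBAL DEFAULT    1 socket
     2: 00020040    32 FUNC    GLOBAL DEFAULT    1 usrAppInit
"""
RAW_MODBUS = b"\x7fELF" + b"\x00" * 4 + b"noe 0401\x00"

READELF_UNKNOWN = "     1: 00030000    64 FUNC    GLOBAL DEFAULT    1 socket\n"
RAW_UNKNOWN = b"\x7fELF" + b"unrelated text\x00"

if __name__ == "__main__":
    for name, elf, raw in [("webs", READELF_WEBS, RAW_WEBS),
                           ("modbusd", READELF_MODBUS, RAW_MODBUS),
                           ("unknown", READELF_UNKNOWN, RAW_UNKNOWN)]:
        hit = service_for_binary(elf, raw)
        print(name, "->", "manual decompilation needed" if hit is None else hit["service"])
```

Key strings are matched as substrings of the extracted strings rather than by equality, since the strings tool returns whole printable runs that often carry trailing spaces or adjacent format text, as the `"Name: "` run above shows.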
4.2 Write the test case script file; the format of the test case script is shown in Fig. 6.
4.2.1 Use the Python language to describe the various types of protocol fields that make up each layer of the network protocol in the TCP/IP reference model. Each protocol field consists of a field length, a field default value and a field name. For example, a Siemens S7 protocol test is composed, layer by layer, of the Ethernet protocol, IP protocol, TCP protocol, TPKT protocol, COTP protocol and S7 protocol.
4.2.2 Add the protocol field description of the network service under test to the test case script file. When the test case script executes, protocol data is generated from the field descriptions and default values. Some of the fields to be tested are replaced with a fuzz function, and the number of fuzzing iterations for each such field is set. The fuzz function constructs field values from special characters such as \0, \n and %d, and also constructs strings exceeding the field length limit to detect overflow vulnerabilities; for integer fields, the protocol field values are constructed from random values within the range allowed by the field length. When the test case script file is executed, the fuzzed protocol message is generated by calling the fuzz function.
4.2.3 Add the test target IP address and port number to the test case script file. The test target IP is the IP address of the emulator bridge, and the port number depends on the network service type of the executable file.
In particular, for a Web service such as the commonly embedded GoAhead program, the test target port number is 80; the test case content depends on the network service type, and a Web service fuzz test mainly tests the implementation of the HTTP protocol.
In particular, for the Modbus service, which the industrial control configuration software uses to communicate with the PLC equipment, the test target port number is 502; the test case content depends on the network service type, and a Modbus service fuzz test mainly tests the implementation of the Modbus protocol.
Similarly, other protocols such as SNMP, TELNET, S7 and DNP3 can be fuzz tested as network services through their corresponding test target port numbers.
4.3 Execute the test case script.
4.3.1 Before each test message is sent, connect to the QEMU emulator through a Linux system socket.
4.3.2 If the socket connection fails, the binary program under test in the current VxWorks system has crashed: save the last test case, then run the QEMU emulator again and execute the program under test. Since the binary program under test has already been written into the disk image, the next round of fuzz testing can be performed directly.
In particular, the socket connection is a TCP socket or a UDP socket according to the type of network service provided by the program under test.
4.3.3 If the socket connection succeeds, keep generating fuzzed protocol messages by executing the test case script, send them over the Linux socket connection to the QEMU emulator, and let the binary program under test running in the VxWorks system receive them, the VxWorks system itself running inside the QEMU emulator.
4.3.4 If the current test count is greater than or equal to the number of fuzzing iterations of the fuzzed field in the test case script, the test ends. Otherwise, add one to the current test count and return to step 4.3.1 to continue the fuzz test.
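The test case description of step 4.2 and the execution loop of step 4.3, combined into one added Python example (this is illustrative code, not the patent's test case script or the Kitty framework it mentions). `Field` carries the name, length and default value of step 4.2.1, `fuzz_value` is a fuzz function of the kind step 4.2.2 describes (special characters, overlong strings, random integers within the field length), and `run_campaign` performs the connect-before-send liveness check of steps 4.3.1 through 4.3.4, recording the last case and restarting the emulator when a connection is refused. The emulator interaction is injected so the loop can run offline against the constructed `FakeEmulator`; the HTTP request layout, the Modbus read-holding-registers layout and the TEST-NET host address are assumptions for the example.

```python
import random
from dataclasses import dataclass
from typing import List

# Special characters named in step 4.2.2, plus format strings of the same kind.
SPECIAL = [b"\x00", b"\n", b"%d", b"%s%s%s%s", b"\r\n"]


@dataclass
class Field:
    """One protocol field (step 4.2.1). kind is 'str' or 'int'; fuzz marks the field as
    replaced by the fuzz function; rounds is its number of fuzzing iterations."""
    name: str
    length: int            # byte length; 0 means variable-length string
    default: bytes
    kind: str = "str"
    fuzz: bool = False
    rounds: int = 0


def fuzz_value(f: Field, rnd: random.Random) -> bytes:
    """Fuzz function of step 4.2.2: special characters, overlong strings, random ints."""
    if f.kind == "int":                       # random value within the field's length range
        return rnd.randrange(256 ** f.length).to_bytes(f.length, "big")
    choice = rnd.randrange(3)
    if choice == 0:
        return rnd.choice(SPECIAL) * rnd.randrange(1, 16)
    if choice == 1:                           # string exceeding the field length limit
        limit = f.length or len(f.default) or 1
        return b"A" * (limit * rnd.choice([4, 16, 256]))
    return bytes(rnd.randrange(256) for _ in range(rnd.randrange(1, 64)))


def build_message(fields: List[Field], rnd: random.Random) -> bytes:
    """Generate one protocol message from the field description (step 4.2.2)."""
    return b"".join(fuzz_value(f, rnd) if f.fuzz else f.default for f in fields)


def sample_message(fields: List[Field], seed: int = 0) -> bytes:
    return build_message(fields, random.Random(seed))


def run_campaign(fields, connect, send, restart, seed=0, max_restarts=100):
    """Steps 4.3.1-4.3.4: connect before every message; a refused connection means the
    program under test crashed, so the last case is kept and the emulator restarted."""
    rnd = random.Random(seed)
    total = max(f.rounds for f in fields if f.fuzz)
    crashes, last, count, restarts = [], None, 0, 0
    while count < total:
        sock = connect()
        if sock is None:
            if last is not None:
                crashes.append(last)         # the case sent just before the crash
            restarts += 1
            if restarts > max_restarts:
                raise RuntimeError("emulator keeps dying; inspect the saved cases")
            restart()
            continue                         # re-execute without counting the failed attempt
        last = build_message(fields, rnd)
        send(sock, last)
        count += 1
    return crashes


class FakeEmulator:
    """Constructed stand-in for the QEMU/VxWorks target: refuses the n-th connection."""
    def __init__(self, die_on_attempt: int):
        self.die_on, self.attempts, self.received, self.restarts = die_on_attempt, 0, [], 0

    def connect(self):
        self.attempts += 1
        return None if self.attempts == self.die_on else self

    def send(self, sock, data: bytes):
        self.received.append(data)

    def restart(self):
        self.restarts += 1


# GoAhead-style Web service request (target port 80): only the URI is fuzzed.
HTTP_REQUEST = [
    Field("method", 0, b"GET "),
    Field("uri", 0, b"/", fuzz=True, rounds=5),
    Field("version", 0, b" HTTP/1.1\r\n"),
    Field("host", 0, b"Host: 192.0.2.10\r\n"),     # constructed bridge address
    Field("end", 0, b"\r\n"),
]

# Modbus/TCP read-holding-registers request (target port 502): MBAP header plus PDU.
MODBUS_READ = [
    Field("transaction_id", 2, b"\x00\x01", kind="int"),
    Field("protocol_id", 2, b"\x00\x00", kind="int"),
    Field("length", 2, b"\x00\x06", kind="int"),
    Field("unit_id", 1, b"\x01", kind="int"),
    Field("function", 1, b"\x03", kind="int"),
    Field("start_addr", 2, b"\x00\x00", kind="int", fuzz=True, rounds=1000),
    Field("quantity", 2, b"\x00\x0a", kind="int", fuzz=True, rounds=1000),
]

if __name__ == "__main__":
    emu = FakeEmulator(die_on_attempt=3)
    crashes = run_campaign(HTTP_REQUEST, emu.connect, emu.send, emu.restart)
    print(f"sent {len(emu.received)} cases, {emu.restarts} restart(s), crash cases: {crashes}")
```

The crash-attribution rule is the weak point of this detection scheme and worth keeping in mind when triaging: because liveness is only checked at the next connection, the recorded case is the last one sent, which is correct for an immediate crash but misattributes a crash caused by an earlier message that the target took time to process; reproducing the saved case against a fresh emulator confirms or refutes the attribution.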
In this patent, because PLC equipment can support several network services at the same time and the firmware contains several executable files, several QEMU emulator processes and Kitty fuzz test case processes are started simultaneously; the file under test in each emulator process listens on its network service port, and the network bridge assigns different IP addresses, so the fuzz tests can run in parallel.
In this patent, the HTTP server program GoAhead is tested in the fuzz testing stage environment (shown in Fig. 7): a QEMU emulator process is created on the host to run the binary executable program under test in emulation, and a fuzz testing process is created that reads the test case, generates the fuzzed protocol messages and sends them to the emulator.
In summary, the method for fuzz testing the firmware of industrial control devices according to the present invention, which downloads each manufacturer's device firmware with an automated crawler, recursively extracts the binary executable files, runs the executable files in emulation and fuzz tests the firmware's network service, has the following advantages over the prior art:
1. Compared with the methods of the existing patents CN105938532A, CN110941832A and CN108989299A, which find known vulnerabilities by sample matching, the method disclosed in this patent finds unknown vulnerabilities in the firmware by dynamically emulating and running the binary executable programs present in the firmware and performing vulnerability discovery on the services those executables provide by means of fuzz testing.
2. Compared with the existing method of patent CN109740351A, which loads the firmware onto the embedded equipment of the corresponding type for a running test, the method extracts the instruction set architecture and byte order of the binary executable program and invokes the corresponding version of the QEMU virtual machine to perform the fuzz test, judges whether the program under test is alive through the socket in order to monitor for abnormal behaviour, does not need to build a special embedded hardware execution environment for each specific model of PLC industrial control firmware, does not need to manually restart the embedded equipment during testing, makes the whole fuzz testing process more convenient and efficient, and readily supports massively parallel discovery tests in support of large-scale vulnerability testing work.
Finally, based on the embodiments of the present invention, all other embodiments obtained by persons skilled in the art without creative effort fall within the protection scope of the present invention.

Claims (5)

1. A fuzz testing method for the firmware of industrial control equipment, characterized in that it comprises four stages: firmware download, executable program extraction, program emulation and fuzz testing;
the firmware download stage: parsing each manufacturer's image download address to obtain the corresponding URLs, and storing the downloaded firmware files in a directory;
the executable program extraction stage: creating a working directory, performing a recursive extraction operation on the firmware, and producing the executable binary programs and their associated resource files;
the program emulation stage: creating a disk image, building a VxWorks system and a board support package (BSP) matching the instruction set architecture, and writing the VxWorks system and the BSP into the disk image; creating a network bridge bound to an IP address, and finally running the VxWorks system in the QEMU emulator;
the fuzz testing stage: writing a corresponding test case script according to the characteristic values of the binary executable file under test, and fuzz testing the emulated VxWorks system.
2. The fuzz testing method for the firmware of industrial control equipment according to claim 1, characterized in that the firmware download stage comprises the following operations:
1-1, creating a firmware storage directory for the successfully downloaded firmware;
1-2, collecting the addresses of the industrial control equipment websites and FTP sites of the various models of the various manufacturers and storing them in a crawl list;
1-3, writing page parsing logic for each address in the crawl list, extracting the download address of each firmware file, and storing it in a firmware download address set;
1-4, using the Python crawler framework Scrapy, taking a firmware address to be downloaded from the firmware download address set, and having the Scrapy scheduler drive the downloader to fetch the firmware file and store it in the firmware storage directory; repeating step 1-4 until the firmware download address set is empty, at which point all firmware in the set has been downloaded.
3. The fuzz testing method for the firmware of industrial control equipment according to claim 2, characterized in that the executable program extraction stage performs recursive extraction on the firmware and specifically comprises the following steps:
2-1, creating a working directory for storing the extracted binary executable files and the resources they need to run;
2-2, performing the executable program extraction operation on each firmware file in the firmware storage directory, specifically comprising the following steps:
2-2-1, loading the firmware into memory with the Linux mmap system call, and setting the byte offset used to locate the currently identified firmware content to 0;
2-2-2, defining industrial control firmware signatures (characteristic values) on top of the open-source library libmagic, calling libmagic at the current byte offset, and identifying the firmware content to obtain the type and length of the current file; the offset unit is bytes;
when the file type is a compressed file, decompressing the file with the tar tool, and then recursively applying the extraction of step 2-2 to the decompressed files one by one;
when the file type is a directory metafile, parsing it to obtain the number of files in the directory, the directory name and the current directory path, creating the corresponding directory in the working directory, and recursively applying the extraction of step 2-2 to the files contained in that directory;
when the file type is a binary executable program, reading the ELF (Executable and Linkable Format) header of the file with the Linux file tool to obtain the file's instruction set architecture and byte order, and saving the executable file to the working directory.
4. The fuzz testing method for the firmware of industrial control equipment according to claim 3, characterized in that the executable program emulation stage specifically comprises the following steps:
3-1, building, with the Wind River Workbench tool, a VxWorks kernel file and a VxWorks BSP file for the specified instruction set architecture, byte order and register set;
3-2, creating the disk image required for emulation with the qemu-img tool, formatting the disk image with a DOS file system so that the VxWorks system image can be written to it, writing the BSP and the VxWorks kernel file into that DOS file system, and using the BSP file as the boot entry;
3-3, creating a network bridge and assigning IP addresses so that the emulator can communicate with the external network;
3-4, selecting the QEMU emulator build corresponding to the instruction set architecture of the executable file, and starting the VxWorks virtual machine with the emulator, passing the disk image as a parameter;
3-5, transferring the binary executable files and the resource folders from the working directory into the virtual machine over the FTP protocol, and then executing the binary executable files so that they wait for the fuzz test.
5. The fuzz testing method for the firmware of industrial control equipment according to claim 4, characterized in that the fuzz testing stage specifically comprises the following steps:
4-1, according to the characteristic values of the binary executable file, looking up a mapping table from characteristic values to network services to obtain the network service type provided by the file, and carrying out a protocol fuzz test targeted at that network service type; specifically:
4-1-1, reading the symbol table of the binary executable file with the Linux readelf tool, and reading its ASCII-encoded character strings with the Linux strings tool;
4-1-2, traversing the mapping table of characteristic values and network services and checking whether the key of each entry occurs in the symbol table information and character strings obtained in step 4-1-1; the key of each entry consists of a function symbol and a key character string, and the value of each entry is the name of the corresponding network service type;
if no entry matches, the binary executable file under test is reverse-engineered manually to obtain the error message strings it prints when it fails, the strings characteristic of that type of firmware and its commonly used function symbols; a corresponding entry is created and the mapping table updated; then step 4-1-2 is repeated to continue matching;
if an entry matches, its network service type is taken as the name of the network service type provided by the binary executable file;
4-2, writing the test case script file;
4-2-1, describing the various protocol fields in the Python language, the protocol fields making up each layer of network protocol in the TCP/IP reference model; each protocol field consists of a field length, a field default value and a field name;
4-2-2, adding to the test case script the protocol field description of the network service of the binary executable file under test; when the script is executed, protocol data is generated from the field descriptions; the protocol fields selected for testing are replaced by fuzz functions, and the number of fuzzing iterations for each such field is set; a fuzz function builds the field value from special characters, random values and over-long strings, and the fuzzed protocol message is generated by calling the fuzz function when the script is executed;
4-2-3, adding the test target IP address and port number to the test case script; the target IP is the IP address on the emulator's network bridge, and the port number depends on the network service type of the binary executable file; the script itself is also specific to the network service type, and the web-service fuzz test mainly targets the HTTP protocol implementation;
4-3, executing the test case script;
before each protocol message is sent, a Linux socket connection to the emulator is attempted;
if the connection fails, the binary executable file under test in the current VxWorks system has crashed: the last test case is saved to the working directory, the emulator is started again, and since the binary executable file under test is already written into the disk image the fuzz test can proceed directly, i.e. the test case script is re-executed;
if the connection succeeds, fuzzed protocol messages are generated continuously by executing the test case script and sent over the Linux socket to the QEMU emulator, where they are received by the binary executable file under test running in the VxWorks system, which in turn runs inside the QEMU emulator;
if the current test count is greater than or equal to the number of fuzzing iterations of the fuzzed fields in the test case script, the test is finished; otherwise the current test count is incremented by one, the socket connection to the emulator is again attempted before each test message is sent, and the fuzz test continues.
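The extraction and service-identification steps of claim 3 (step 2-2: recursive extraction with file-type detection, instruction set architecture and byte order from the ELF header) and claim 5 (step 4-1: symbol and string lookup in a mapping table), as an added example in Python that is not the patent's own code. libmagic, readelf and strings are replaced by hand-written stand-ins (magic-byte detection, ELF header parsing, printable-string extraction); the firmware image, the ELF stubs and the SERVICE_MAP entries are constructed for illustration and are not verified GoAhead or VxWorks symbol names.

```python
"""Recursive firmware extraction and network-service identification (claims 3 and 5, step 4-1).

Added example; not code from the patent or its authors. libmagic, readelf and strings are
replaced by hand-written equivalents. The firmware image, the ELF stubs and the SERVICE_MAP
table are constructed here for illustration.
"""
import io
import re
import struct
import tarfile
from typing import Dict, List, Optional, Tuple

ELF_MAGIC = b"\x7fELF"
# e_machine values from the ELF specification
E_MACHINE = {0x03: "x86", 0x08: "MIPS", 0x14: "PowerPC", 0x28: "ARM", 0x3E: "x86-64", 0xB7: "AArch64"}

# Constructed mapping table (claim 5, 4-1-2): key = (function symbol, key string), value = service type.
# The entries are hypothetical markers, not verified GoAhead or VxWorks symbol names.
SERVICE_MAP: Dict[Tuple[str, str], str] = {
    ("websOpen", "GoAhead"): "HTTP",
    ("ftpd_init", "220 VxWorks FTP"): "FTP",
}


def identify_file(data: bytes) -> str:
    """Stand-in for libmagic (2-2-2): classify by magic bytes."""
    if data[:4] == ELF_MAGIC:
        return "elf"
    if data[:2] == b"\x1f\x8b":
        return "gzip"
    if len(data) > 262 and data[257:262] == b"ustar":
        return "tar"
    return "data"


def parse_elf_header(data: bytes) -> dict:
    """Stand-in for `file` (2-2): read class, byte order and e_machine from the ELF header."""
    if data[:4] != ELF_MAGIC or len(data) < 20:
        raise ValueError("not an ELF file")
    endian = {1: "little", 2: "big"}[data[5]]          # EI_DATA
    fmt = "<" if endian == "little" else ">"
    e_type, e_machine = struct.unpack(fmt + "HH", data[16:20])
    return {"bits": {1: 32, 2: 64}[data[4]], "endian": endian,
            "arch": E_MACHINE.get(e_machine, "unknown(0x%x)" % e_machine), "type": e_type}


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Stand-in for `strings -n 4` (4-1-1): runs of printable ASCII."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def identify_service(data: bytes) -> Optional[str]:
    """4-1-2: an entry matches only if both its function symbol and its key string occur in the binary."""
    found = set(extract_strings(data))
    for (symbol, key_string), service in SERVICE_MAP.items():
        if symbol in found and key_string in found:
            return service
    return None   # no entry: reverse-engineer manually, add an entry to SERVICE_MAP, match again


def extract_firmware(blob: bytes, path: str = "firmware") -> List[Tuple[str, str, str, Optional[str]]]:
    """Recursive extraction (2-2): walk archives, record (path, arch, endian, service) per ELF."""
    kind = identify_file(blob)
    found: List[Tuple[str, str, str, Optional[str]]] = []
    if kind in ("tar", "gzip"):
        try:
            with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tf:
                for member in tf.getmembers():
                    if member.isfile():
                        data = tf.extractfile(member).read()
                        found += extract_firmware(data, path + "/" + member.name)
        except tarfile.ReadError:
            pass   # gzip that is not a tar: nothing further to extract in this example
    elif kind == "elf":
        hdr = parse_elf_header(blob)
        found.append((path, hdr["arch"], hdr["endian"], identify_service(blob)))
    return found


def build_elf_stub(e_machine: int, big_endian: bool, markers: List[str]) -> bytes:
    """Constructed test input: a bare 52-byte ELF32 header followed by NUL-separated strings."""
    fmt = ">" if big_endian else "<"
    hdr = ELF_MAGIC + bytes([1, 2 if big_endian else 1, 1, 0]) + b"\x00" * 8   # e_ident
    hdr += struct.pack(fmt + "HHI", 2, e_machine, 1)                            # e_type, e_machine, e_version
    return hdr.ljust(52, b"\x00") + b"\x00".join(s.encode() for s in markers) + b"\x00"


def build_sample_firmware() -> bytes:
    """Constructed firmware: a tar holding a README and a gzip tar with two service binaries."""
    def tar_bytes(files: Dict[str, bytes], gz: bool = False) -> bytes:
        buf = io.BytesIO()
        with tarfile.open(fileobj=buf, mode="w:gz" if gz else "w") as tf:
            for name, data in files.items():
                info = tarfile.TarInfo(name)
                info.size = len(data)
                tf.addfile(info, io.BytesIO(data))
        return buf.getvalue()
    inner = tar_bytes({
        "bin/goahead": build_elf_stub(0x14, True, ["websOpen", "GoAhead", "HTTP/1.1 200 OK"]),
        "bin/ftpd": build_elf_stub(0x28, False, ["ftpd_init", "220 VxWorks FTP"]),
    }, gz=True)
    return tar_bytes({"rootfs.tar.gz": inner, "README": b"constructed sample firmware\n"})


if __name__ == "__main__":
    for entry in extract_firmware(build_sample_firmware()):
        print(entry)
```

Running the block walks the nested archive and reports one tuple per ELF, e.g. the PowerPC big-endian GoAhead stub mapped to HTTP and the ARM little-endian FTP stub mapped to FTP; the architecture and byte order are what step 3-4 of claim 4 uses to choose the QEMU build, and the service name is what step 4-2-3 uses to choose the port and test case script. A real binary would be identified with python-magic or the `file`, `readelf` and `strings` tools named in the claims; the stand-ins here keep the example dependency-free.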
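The test case script and execution loop of claim 5, steps 4-2 and 4-3 (the same procedure as steps 4.3.1 to 4.3.4 in the description above), as an added example in Python that is not the patent's own code and does not use the Kitty framework. It describes an HTTP GET as (name, default value, length) fields, replaces the selected fields with a fuzz function producing special characters, random values and over-long strings for a configured number of iterations, probes the target with a TCP connect before every message, and on failure saves the previous case, restarts the target and resumes. The target address, the port, the HTTP template and the FakeTarget stand-in (used so the loop runs offline) are assumptions.

```python
"""Field-based test case script and fuzz loop with a socket liveness check (claim 5, 4-2 and 4-3).

Added example, not the patent's or Kitty's code. TARGET, HTTP_GET and FakeTarget are constructed
for illustration; the restart hook for the real QEMU emulator is left to the caller.
"""
import random
import socket
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional


@dataclass
class Field:
    """One protocol field as in 4-2-1: name, default value, fixed length (None = variable)."""
    name: str
    default: bytes
    length: Optional[int] = None
    fuzz: bool = False          # field selected for fuzzing (4-2-2)
    iterations: int = 0         # number of fuzzed values to send for this field


# Special-character payloads, constructed for this example
SPECIAL = [b"%s%n%x", b"'\"<>&;|`", b"../../../../etc/passwd", b"\x00", b"\r\n\r\n"]


def fuzz_value(original: bytes, rng: random.Random) -> bytes:
    """Fuzz function of 4-2-2: special characters, random bytes or an over-long string."""
    kind = rng.choice(("special", "random", "overlong"))
    if kind == "special":
        return original + rng.choice(SPECIAL)
    if kind == "random":
        return bytes(rng.getrandbits(8) for _ in range(rng.randint(1, 64)))
    return b"A" * rng.choice((256, 1024, 4096, 65536))


# Assumed target (bridge IP and HTTP port of 4-2-3) and request template for the GoAhead server
TARGET = ("192.168.100.2", 80)
HTTP_GET: List[Field] = [
    Field("method", b"GET"), Field("sp1", b" ", 1),
    Field("uri", b"/index.html", fuzz=True, iterations=20), Field("sp2", b" ", 1),
    Field("version", b"HTTP/1.1"), Field("crlf", b"\r\n", 2),
    Field("host", b"Host: " + TARGET[0].encode(), fuzz=True, iterations=20),
    Field("end", b"\r\n\r\n", 4),
]


def render(fields: Iterable[Field], overrides: Optional[Dict[str, bytes]] = None) -> bytes:
    """Concatenate field values; defaults of fixed-length fields are padded or truncated,
    fuzzed values deliberately bypass the length so over-long inputs reach the target."""
    overrides = overrides or {}
    out = b""
    for f in fields:
        if f.name in overrides:
            out += overrides[f.name]
        elif f.length is not None:
            out += f.default[:f.length].ljust(f.length, b"\x00")
        else:
            out += f.default
    return out


def generate_cases(fields: List[Field], seed: int = 0) -> List[bytes]:
    """One message per iteration of each fuzzed field; all other fields keep their defaults."""
    rng = random.Random(seed)
    cases = []
    for f in fields:
        for _ in range(f.iterations if f.fuzz else 0):
            cases.append(render(fields, {f.name: fuzz_value(f.default, rng)}))
    return cases


def tcp_alive(host: str, port: int, timeout: float = 1.0) -> bool:
    """Crash probe of 4-3: a refused or timed-out TCP connect means the service is gone."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def tcp_send(host: str, port: int, msg: bytes, timeout: float = 2.0) -> bytes:
    """Deliver one fuzzed message over a fresh TCP socket and collect any reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(msg)
        try:
            return s.recv(4096)
        except socket.timeout:
            return b""


def run_campaign(cases: List[bytes], probe: Callable[[], bool], send: Callable[[bytes], object],
                 restart: Callable[[], None]) -> dict:
    """4-3: probe before every message; on failure keep the previous case, restart, then resume."""
    crashes: List[bytes] = []
    last: Optional[bytes] = None
    for case in cases:
        if not probe():
            if last is not None:
                crashes.append(last)   # patent: the last test case is saved to the working directory
            restart()                  # patent: the QEMU emulator is started again from the disk image
            if not probe():
                raise RuntimeError("target did not come back after restart")
        send(case)
        last = case
    return {"sent": len(cases), "crashes": crashes}


class FakeTarget:
    """Constructed stand-in for the emulated service: dies on a request line longer than `limit`."""
    def __init__(self, limit: int = 1024):
        self.limit, self.up, self.received = limit, True, []

    def probe(self) -> bool:
        return self.up

    def send(self, msg: bytes) -> None:
        if self.up:
            self.received.append(msg)
            if len(msg.split(b"\r\n", 1)[0]) > self.limit:
                self.up = False

    def restart(self) -> None:
        self.up = True


if __name__ == "__main__":
    t = FakeTarget()
    result = run_campaign(generate_cases(HTTP_GET), t.probe, t.send, t.restart)
    print(result["sent"], "messages sent,", len(result["crashes"]), "crashing cases saved")
    # Against the emulator, with a caller-supplied restart hook (hypothetical `restart_qemu`):
    # run_campaign(generate_cases(HTTP_GET), lambda: tcp_alive(*TARGET),
    #              lambda m: tcp_send(*TARGET, m), restart_qemu)
```

Two deliberate differences from the claim text: the patent re-executes the whole script after a restart, whereas this loop resumes at the case that was about to be sent, so a single campaign terminates even when the target crashes repeatedly; and the crash attribution is only as good as the probe, so a service that hangs rather than dies, or a UDP service (where connect() never fails), needs an application-level check in place of tcp_alive.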

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010512591.6A CN111830928B (en) 2020-06-08 2020-06-08 Fuzzy test method for industrial control equipment firmware


Publications (2)

Publication Number Publication Date
CN111830928A true CN111830928A (en) 2020-10-27
CN111830928B CN111830928B (en) 2021-07-30

Family

ID=72898565

Country Status (1)

Country Link
CN (1) CN111830928B (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112417461A (en) * 2020-12-07 2021-02-26 北京梆梆安全科技有限公司 Fuzzy test method and system for equipment firmware
CN112835543A (en) * 2021-01-11 2021-05-25 上海电气集团股份有限公司 Engineering drawing display method and device
CN113162948A (en) * 2021-05-12 2021-07-23 上海交通大学宁波人工智能研究院 Modularized industrial control honey pot system
CN114189395A (en) * 2022-02-15 2022-03-15 北京安帝科技有限公司 Method and device for acquiring risk detection packet of PLC (programmable logic controller) attack stop
CN114666134A (en) * 2022-03-23 2022-06-24 南昌大学 Intelligent discovery and mining method and system for network vulnerabilities
CN115037649A (en) * 2022-06-16 2022-09-09 广东电网有限责任公司 Safety monitoring method and monitoring machine for operation environment of field station
CN115102774A (en) * 2022-07-01 2022-09-23 四川大学 Method and device for vulnerability discovery and target range building of firmware of Internet of things
CN115270139A (en) * 2022-09-20 2022-11-01 哈尔滨工业大学(深圳)(哈尔滨工业大学深圳科技创新研究院) IoT equipment network service automatic vulnerability analysis method and system

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1899913A2 (en) * 2005-05-27 2008-03-19 ATI Technologies Inc. Dynamic load balancing in multiple video processing unit (vpu) systems
CN101859274A (en) * 2009-04-07 2010-10-13 西门子(中国)有限公司 Method and system for fuzz testing
CN105391729A (en) * 2015-11-30 2016-03-09 中国航天科工集团第二研究院七〇六所 Web loophole automatic mining method based on fuzzy test
CN106557412A (en) * 2015-09-25 2017-04-05 腾讯科技(深圳)有限公司 A kind of method and device of fuzz testing
CN109977681A (en) * 2019-03-25 2019-07-05 西安电子科技大学 A kind of fuzz testing system of fuzz testing method and unmanned plane towards unmanned plane
CN110661778A (en) * 2019-08-14 2020-01-07 中国电力科学研究院有限公司 Method and system for testing industrial control network protocol based on reverse analysis fuzzy
CN111124926A (en) * 2019-12-25 2020-05-08 支付宝(杭州)信息技术有限公司 Fuzzy test method and device, electronic equipment and storage medium

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
Wang Haixiang (王海翔), "Fuzz testing method for industrial control protocols based on reverse analysis", Electric Power Information and Communication Technology (《电力信息与通信技术》) *
Jiang Yikun (蒋轶焜), "Research on large-scale automated firmware security analysis techniques", China Master's Theses Full-text Database, Information Science and Technology (《中国优秀硕士学位论文全文数据库信息科技辑》) *
Zheng Yaowen (郑尧文), "A survey of vulnerability discovery techniques for Internet of Things devices", Journal of Cyber Security (《信息安全学报》) *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant