CN112055003A - A method for generating private protocol fuzzing test cases based on byte length classification - Google Patents

Abstract

The invention discloses a method for generating a fuzzy test case of a private protocol based on byte length classification. If the byte length of the private protocol does not change, the content of the invariant field and the upper and lower limits of the byte length will be mutated; a new test will be generated according to the mutated result. use case, and send the test case to the target device to complete the generation of the test case. The invention combines the characteristics of high real-time and high reliability of the private protocol of the industrial control system to mine the loopholes, so as to prevent problems before they occur. There is no need for higher requirements on testing techniques.

Description

A method for generating private protocol fuzzing test cases based on byte length classification

technical field

The invention relates to the technical field of private protocol fuzz testing, in particular to a method for generating a private protocol fuzz test case based on byte length classification.

Background technique

In recent years, programmable controllers in the power grid system have been attacked from time to time, which seriously endangered the national economic construction. For example, the Ukrainian power grid that shocked the world was attacked by hackers, resulting in large-scale power outages. The safe operation of the power grid requires higher requirements.

The present invention focuses on the research on the communication security of the programmable controller in the power grid. The communication protocol of the programmable controller is verified by the security experiment in the real environment. For the known problems, we can take safety protection measures to make up for the defects. , to prevent being exploited by hackers, but there is nothing we can do about unknown vulnerabilities.

Fuzz testing is widely used in vulnerability mining, but most of these tests do not consider cross-protocol or multi-protocol testing, which is not suitable for communication protocols in industrial control systems. The current fuzzing method of industrial control system has shortcomings such as too simple and random fuzzy data, low accuracy for abnormal location, and low test efficiency, especially the method of fuzzing test case generation for the private protocol of industrial control system.

Combining the characteristics of high real-time performance and high reliability of the private protocol of the industrial control system, the invention proposes a method for generating a fuzzy test case of a private protocol based on byte length classification, and exploits its loopholes to prevent problems before they occur. This method has lower requirements on the technical level of testers, does not require in-depth analysis of the protocol, and does not require higher requirements on testing technology.

SUMMARY OF THE INVENTION

The purpose of this section is to outline some aspects of embodiments of the invention and to briefly introduce some preferred embodiments. Some simplifications or omissions may be made in this section and the abstract and title of the application to avoid obscuring the purpose of this section, abstract and title, and such simplifications or omissions may not be used to limit the scope of the invention.

In view of the above-mentioned problems of low abnormal positioning accuracy and low test efficiency, the present invention is proposed.

Therefore, the technical problem to be solved by the present invention is to improve the abnormal positioning accuracy and the testing efficiency.

In order to solve the above-mentioned technical problems, the present invention provides the following technical solutions: utilize the MSA data stream to compare and analyze the characteristics of the private protocol to determine whether the private protocol byte length is variable; if the private protocol byte length is variable, then The content of the variable field is mutated; if the byte length of the private protocol remains unchanged, the content of the invariant field and the upper and lower limits of the byte length are mutated; a new test case is generated according to the mutated result , and send the test case to the target device to complete the generation of the test case.

As a preferred solution of the method for generating a fuzz test case of a private protocol based on byte length classification according to the present invention, the characteristics of the private protocol include protocol feature value, protocol version number, field length, function code, function code Eigenvalues and data values.

As a preferred solution of the method for generating private protocol fuzzing test cases based on byte length classification according to the present invention, wherein: the private protocol field includes bytes with variable length and bytes with constant length.

As a preferred solution of the method for generating private protocol fuzzing test cases based on byte length classification according to the present invention, wherein: the definition of the upper and lower limit variation of the private protocol field value includes breaking the byte length range specified by the protocol feature , lengthen or shorten the byte length, and mutate its content again.

As a preferred solution of the method for generating a private protocol fuzzing test case based on byte length classification according to the present invention, the field format mutation includes calling a defined class to perform mutation according to the input field format.

As a preferred solution of the method for generating a fuzz test case for a private protocol based on byte length classification, wherein: the new byte data includes defining a byte flip mutation to generate the test case, based on the specified The mutated byte generates new byte data according to the method of bit flipping.

As a preferred solution of the method for generating private protocol fuzzing test cases based on byte length classification according to the present invention, wherein: the byte block mutation includes: copying a byte block from the default value, each mutation forward Move a byte class; based on part of the content in the communication protocol is a fixed value, then convert the field that needs to be mutated into a fixed value, and move half a byte at a time.

As a preferred solution of the method for generating a private protocol fuzzing test case based on byte length classification according to the present invention, wherein: performing the block data mutation includes: performing the block data according to the copy part during mutation, and placing the copied data in the After the bytes need to be mutated, change the data of the specified length.

As a preferred solution of the method for generating private protocol fuzzing test cases based on byte length classification according to the present invention, wherein: the mutation based on the seed field length bytes includes defining a base class based on performing block mutation, Generate a seed for mutation in the test case according to the mutation, and perform mutation based on the length bytes of the seed field.

As a preferred solution of the method for generating private protocol fuzzing test cases based on byte length classification according to the present invention, wherein: the sequence variation includes, the method for using full permutation of 0 to 9 within the range of the specified length includes association Test methods and layered test methods.

Beneficial effects of the present invention: the present invention combines the characteristics of high real-time performance and high reliability of the private protocol of the industrial control system to mine loopholes, so as to prevent problems before they occur. In-depth analysis of the protocol does not require higher requirements for testing technology.

Description of drawings

In order to illustrate the technical solutions of the embodiments of the present invention more clearly, the following briefly introduces the accompanying drawings used in the description of the embodiments. Obviously, the drawings in the following description are only some embodiments of the present invention. For those of ordinary skill in the art, other drawings can also be obtained based on these drawings without any creative effort. in:

1 provides a flowchart of a test case generation method for a private protocol fuzzing test case generation method based on byte length classification according to an embodiment of the present invention;

2 provides a flowchart of a fuzzing test of a method for generating a private protocol fuzzing test case based on byte length classification according to an embodiment of the present invention;

FIG. 3 provides a private protocol feature identification and data structure design diagram of a method for generating a private protocol fuzzing test case based on byte length classification according to an embodiment of the present invention.

Detailed ways

In order to make the above objects, features and advantages of the present invention more obvious and easy to understand, the specific embodiments of the present invention will be described in detail below with reference to the accompanying drawings. Obviously, the described embodiments are part of the embodiments of the present invention, not all of them. Example. Based on the embodiments of the present invention, all other embodiments obtained by persons of ordinary skill in the art without creative efforts shall fall within the protection scope of the present invention.

Many specific details are set forth in the following description to facilitate a full understanding of the present invention, but the present invention can also be implemented in other ways different from those described herein, and those skilled in the art can do so without departing from the connotation of the present invention. Similar promotion, therefore, the present invention is not limited by the specific embodiments disclosed below.

Second, reference herein to "one embodiment" or "an embodiment" refers to a particular feature, structure, or characteristic that may be included in at least one implementation of the present invention. The appearances of "in one embodiment" in various places in this specification are not all referring to the same embodiment, nor are they separate or selectively mutually exclusive from other embodiments.

The present invention is described in detail with reference to the schematic diagrams. When describing the embodiments of the present invention in detail, for the convenience of explanation, the sectional views showing the device structure will not be partially enlarged according to the general scale, and the schematic diagrams are only examples, which should not limit the present invention. scope of protection. In addition, the three-dimensional spatial dimensions of length, width and depth should be included in the actual production.

At the same time, in the description of the present invention, it should be noted that the orientation or positional relationship indicated in terms such as "upper, lower, inner and outer" is based on the orientation or positional relationship shown in the accompanying drawings, which is only for the convenience of describing the present invention. The invention and simplified description do not indicate or imply that the device or element referred to must have a particular orientation, be constructed and operate in a particular orientation, and therefore should not be construed as limiting the invention. Furthermore, the terms "first, second or third" are used for descriptive purposes only and should not be construed to indicate or imply relative importance.

Unless otherwise expressly specified and limited in the present invention, the term "installation, connection, connection" should be understood in a broad sense, for example: it may be a fixed connection, a detachable connection or an integral connection; it may also be a mechanical connection, an electrical connection or a direct connection. The connection can also be indirectly connected through an intermediate medium, or it can be the internal communication between two elements. For those of ordinary skill in the art, the specific meanings of the above terms in the present invention can be understood in specific situations.

Example 1

For the public industrial control system communication protocol, we can clearly know the content of the protocol according to the protocol specification, and then specify the test strategy, but for the private protocol, we cannot know the content of the protocol specification, and we need to perform a preliminary analysis of the protocol. The current fuzzing method for industrial control systems has shortcomings such as too simple and random fuzzing data, low accuracy for abnormal positioning, and low testing efficiency. In addition, testers need to be very familiar with the protocol. The current method is especially useful for fuzzing private protocols of industrial control systems. Unable to meet high standards, high coverage and high efficiency requirements.

Referring to Figures 1 to 3, an embodiment of the present invention provides a method for generating a private protocol fuzzing test case based on byte length classification, including:

S1: Use the MSA data stream to compare and analyze the characteristics of the private protocol to determine whether the byte length of the private protocol is variable. It should be noted that the characteristics of the private protocol include protocol characteristic value, protocol version number, field length, function code, function code characteristic value and data value; the private protocol field includes variable length bytes and invariable length bytes.

Among them, the invariable field length of a private protocol means that the byte length value of a certain protocol feature is a fixed value, and the variable field length of a private protocol means that the byte length of a certain protocol feature is uncertain, and the length will be adjusted as needed.

Specifically, the private protocol in the industrial control system is usually more complex than other protocols according to the needs of functional tasks, and its features mainly include protocol characteristic value, protocol version number, field length, function code, function code characteristic value and data value. Firstly, according to the original data of the test target protocol, use MSA data flow comparison to carry out feature analysis, identify the byte length of the field, and then proceed to the next step.

The byte length of its private protocol field can be divided into variable-length bytes and invariant-length bytes. The byte length of some protocol features is a fixed value, but the byte length of some fields is adjusted according to the needs of data transmission. There are corresponding connections between different fields in the same message. For example, the value of the previous field is the following: The length of a field, which separates fields with a fixed length in bytes from fields with a non-fixed length in bytes.

S2: If the byte length of the private protocol is variable, the content of the variable field is mutated; if the byte length of the private protocol remains unchanged, the content of the invariant field and the upper and lower limits of the byte length are mutated.

Among them, the definition of the upper and lower limit variation of the private protocol field value includes breaking the byte length range specified by the protocol characteristics, lengthening or shortening the byte length, and mutating its content again;

Field format mutation includes mutation according to the class defined by the input field format call;

Among them, the new byte data includes defining a byte flip mutation to generate a test case, and generating new byte data according to the method of binary bit flip based on the specified mutation byte;

Byte block mutation includes, defining copying a byte block from the default value, and moving forward a byte class for each mutation; based on some content in the communication protocol is a fixed value, then the field that needs to be mutated is transformed into a fixed value, once Move half a byte.

Executing the block data mutation includes executing the block data according to the copy part during mutation, placing the copied data after the bytes that need to be mutated, and then changing the data of its description length;

Mutation based on the seed field length bytes includes defining the base class for performing block mutation, generating the seed for mutation in the test case according to the mutation, and mutating based on the seed field length bytes.

Sequential variation includes, based on a range of specified lengths, methods using full permutation of 0 to 9, including association testing methods and hierarchical testing methods.

Specifically, for fields with a fixed byte length, we only generate test cases by mutating the content, and no longer consider the variation of the upper and lower limits of the length. If such fields exceed the length of the field, the excess part during protocol analysis will be The next eigenvalue is parsed, it is no longer the mutation content of this field, and the mutation of the next field will be reflected in the numerical mutation of the next field. Based on the field whose byte length is not fixed, we not only mutate the content, but also mutate the upper and lower limits of the field length. Defining the variation of the upper and lower limits of the field length is mainly to break the length range specified by the protocol. Outside the specified length range of the protocol, a new content mutation is performed for each additional byte or a byte decreased.

Among them, there are several mutation methods for content mutation strategies, including:

Method 1: Define a field to perform a bit-flip mutation class of N consecutive bits. After specifying the field to be mutated, perform a binary flip operation on the field that needs to be mutated to generate a test case.

Method 2. Define to copy a byte block from the default value, and move forward a byte class for each mutation. In the communication protocol, some content is a fixed value. Convert the field that needs to be mutated to a fixed value, and move half a word at a time. Festival.

Method 3: Define the use of multiple repeated block replication. Each mutation of the test case is only for the fields that need to be mutated, and the fields that do not need to be mutated repeatedly perform block replication to ensure the integrity of the communication message.

Method 4: Define a base class for performing block mutation. The mutation generation test case is to use the mutated seed to mutate based on the seed field length bytes.

Method 5. Definition Delete a byte block from the default value, move forward a byte class for each mutation, there are many byte blocks in the communication message, delete a byte block to generate a new test case.

Method 6. Definition Set a byte block from the default value to a specific value, move one byte class forward for each mutation, set the field that needs to be mutated to a fixed value of some protocols, and move one byte for each mutation.

Method 7. Define the number of consecutive bytes in the flip message, and each mutation moves forward by one byte class.

Method 8: Call the defined class to mutate according to the input field format.

Further, in the above method 1, the test case is generated by byte flip mutation, and new byte data is generated according to the method of binary bit flip in the specified mutant byte, and the new byte data is used as a new test case. In the above method 2, in the byte to be mutated, the content of the byte is converted into a fixed value, such as the function code identification character. During the mutation process, the first bit of the mutated byte is moved backward by 1 bit each time, and then from the first bit. One bit starts to move backward by 2Bit, and so on, until after the mutation from the first bit, the next shift bit is greater than the byte length; in the above method three, copy part of the execution block data during mutation, and put the copied data in the It is necessary to mutate the back of the byte, and then change the data of its description length, as a new test case. In the above-mentioned method 4, the mutated bytes are determined, the length and value range of the bytes are determined, and a new test case is generated by random mutation on this basis. In the above method five, delete one byte in the mutation byte, generate a new test case from the beginning to the end, and then delete two bytes, and also generate a new test case from the beginning to the end in turn, until the test case that needs to be mutated is generated. All content is deleted.

Among them, this method can cover other association testing and hierarchical testing methods. Because of the mutation strategy used in this method, one protocol feature is mutated each time, and other protocol features remain unchanged, so this method covers association testing and hierarchical testing methods.

S3: Generate a new test case according to the mutated result, and send the test case to the target device to complete the generation of the test case.

More specifically, as shown in Figure 2 to determine the target, the first thing to do in fuzz testing is to determine the test target and test scope. Without determining the test object and test scope, it is impossible to choose fuzzing tools or techniques. Usually we need to consider the following issues: the type of the target to be tested, such as what type of controller the target is, identify the communication protocol used, whether it is an application layer protocol or a transport layer protocol, according to the version information of the programmable controller Whether there have been loopholes in the history of the target, where is the cause of the loopholes, etc. Identify the input as shown in Figure 2. Almost all exploitable loopholes are because the device accepts the input of illegal data, and when processing the input data, it does not first clear the illegal data or operate according to the instructions of the illegal data, and enumerate the input data pairs. The success of fuzzing is critical. The failure to locate the input data to the target device will have a serious impact on the fuzzing test, and the vulnerability cannot be accurately located. Any input data sent to the target device should be structured and designed. These inputs must be set according to the protocol specification format, and the input data should contain information. Headers, parameter information, function codes and data types, etc., all of these data should be considered as fuzzing test cases and should be fuzzing variables. The fuzz test data is generated as shown in Figure 2. Once the client recognizes the input vector, it can generate fuzz test variable data according to the identification information, and can formulate corresponding fuzz test data generation strategies according to the characteristics of the test object. The data is generated dynamically from the data, and no matter what strategy is chosen, automation should be introduced in the process of generating fuzzing data. Perform fuzzing as shown in Figure 2. The execution process may include sending data packets to the target device, booting the device, or downloading a program. Similarly, there are functions such as continuous test case generation, test case sending, exception monitoring, etc. in this process, so the automation of the test process is also crucial. Without automation, effective fuzzing cannot be successfully performed. Detecting anomalies as shown in Figure 2. During the fuzzing process, the monitoring process for faults or anomalies is of great significance. For example, if we have no way to pinpoint which packet caused the crash, then send 10,000 fuzzing data to the target device. Packages that eventually crash the device are meaningless, monitoring can take many forms and should not depend on the target device and the type of fuzzing chosen. Potential vulnerabilities are detected as shown in Figure 2. There is an anomaly monitoring function in the fuzzing process. Once the target has a fault detected by the anomaly monitoring function, it is necessary to determine whether the discovered vulnerability can be reproduced. To reproduce the fault, the vulnerability must be located first. Then the most commonly used method is replay detection, that is, the data packet replay tool is called to replay the dumped network data packets. After the reproduction is successful, it is necessary to further determine whether the bug can be exploited. This is a typical manual process and requires professional knowledge in the security field.

As shown in Figure 3, the protocol features are extracted, the length of the protocol field is variable or not, and then different mutation strategies are carried out. The present invention can be used not only for private protocols, but also for public protocols.

Example 2

The technical effect adopted in this method is verified and explained. In this embodiment, OpenVAS (Open Vulnerability Assessment System) is selected to carry out a comparative test with the method of the present invention, and the test results are compared by means of scientific demonstration to verify the real effect of the method.

Among them, OpenVAS (Open Vulnerability Assessment System) is a network scanner containing related tools. Its core component is a server, including a set of network vulnerability testing programs, which can detect security problems in remote systems and applications. As shown in Figure 1, using the Kitty fuzzing framework combined with the industrial control protocol components in the ISF and traditional technical solutions to fuzz the Siemens S7comm protocol execution fuzzing protocol to mine loopholes. First, Kitty sets the interface and target, and can connect to the target three times and COTP twice, and then call the original data of the protocol in the ISF industrial control protocol component. The fuzzing module will mutate the original data according to the mutation method to generate test cases. and sent to the target device, while the Open Vulnerability Assessment System directly sends the tested vulnerabilities to the server through the network vulnerability testing program. The test data comparison results are shown in the following table:

Compare objects method of the invention OpenVAS Number of detected vulnerabilities 3 1 Vulnerability Database CVE NVT Unknown Vulnerability Detection support not support Manual verification need unnecessary waste time 24s 840s

By comparing the data between the two methods, it can be seen that three vulnerabilities can be detected by using the method of the present invention. Compared with the OpenVAS method, two more vulnerabilities can be detected. The method of the present invention can also detect unknown vulnerabilities and consume less time than the traditional solution. 816s, greatly reducing the time cost, and the present invention can perform fuzz testing without in-depth analysis of private protocols, avoiding the need for testers to be proficient in protocol-related knowledge when generating test cases in traditional fuzz testing, and greatly reducing the number of testers. It can improve the accuracy of abnormal location and test efficiency, and increase the scope of testing.

It should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention and not to limit them. Although the present invention has been described in detail with reference to the preferred embodiments, those of ordinary skill in the art should understand that the technical solutions of the present invention can be Modifications or equivalent substitutions without departing from the spirit and scope of the technical solutions of the present invention should be included in the scope of the claims of the present invention.

Claims (10)

1. A method for generating private protocol fuzzing test cases based on byte length classification, which is characterized in that it comprises: Utilize the MSA data stream to compare and analyze the characteristics of the private protocol to determine whether the byte length of the private protocol is variable; If the byte length of the private protocol is variable, the content of the variable field is mutated; If the byte length of the private protocol remains unchanged, the content of the unchanged field and the upper and lower limits of the byte length are mutated; A new test case is generated according to the mutated result, and the test case is sent to the target device to complete the generation of the test case. 2. the private protocol fuzzy test case generation method based on byte length classification as claimed in claim 1, is characterized in that: the feature of described private protocol comprises protocol characteristic value, protocol version number, field length, function code, function code Eigenvalues and data values. 3. The method for generating a private protocol fuzzing test case based on byte length classification according to claim 1 or 2, wherein the private protocol field includes a variable-length byte and a non-changing length byte. 4. The method for generating a private protocol fuzzy test case based on byte length classification as claimed in claim 3, wherein the private protocol field value upper and lower limit variation definitions include: Break the byte length range specified by the protocol feature, lengthen or shorten the byte length, and mutate the content again. 5 . The method for generating a fuzz test case of a private protocol based on byte length classification according to claim 4 , wherein the field format mutation comprises calling a defined class to perform mutation according to the input field format. 6 . 6. The method for generating a fuzz test case of a private protocol based on byte length classification according to claim 5, wherein the new byte data comprises: Define a byte flip mutation to generate the test case, and generate new byte data according to the binary bit flip method based on the specified mutated byte. 7. The method for generating a private protocol fuzzy test case based on byte length classification according to claim 6, wherein the byte block variation comprises: Defines to copy a block of bytes from the default, moving forward one byte class per mutation; Based on part of the content of the communication protocol is a fixed value, the field that needs to be mutated is converted into a fixed value, and half a byte is moved at a time. 8. The method for generating a fuzzing test case of a private protocol based on byte length classification according to claim 7, wherein the execution block data mutation comprises: The block data is executed according to the part of copying when mutating, and the copied data is placed after the bytes that need to be mutated, and then the data of the specified length is changed. 9. The method for generating a private protocol fuzzy test case based on byte length classification as claimed in claim 8, wherein the variation on the basis of the seed field length byte comprises, Define a base class based on performing block mutation, generate a seed for mutation in the test case according to the mutation, and mutate based on the length bytes of the seed field. 10. The method for generating private protocol fuzzing test cases based on byte length classification according to claim 9, wherein the sequence variation comprises: The methods that utilize the full arrangement of 0 to 9 in the range of the specified length include the correlation test method and the layered test method.

Images