CN112905184A - Pile-insertion-based industrial control protocol grammar reverse analysis method under basic block granularity - Google Patents
Pile-insertion-based industrial control protocol grammar reverse analysis method under basic block granularity Download PDFInfo
- Publication number
- CN112905184A CN112905184A CN202110024995.5A CN202110024995A CN112905184A CN 112905184 A CN112905184 A CN 112905184A CN 202110024995 A CN202110024995 A CN 202110024995A CN 112905184 A CN112905184 A CN 112905184A
- Authority
- CN
- China
- Prior art keywords
- function
- log
- basic block
- granularity
- instruction
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000004458 analytical method Methods 0.000 title claims abstract description 35
- 238000003780 insertion Methods 0.000 title claims abstract description 7
- 238000000034 method Methods 0.000 claims abstract description 40
- 230000008569 process Effects 0.000 claims abstract description 16
- 230000037431 insertion Effects 0.000 claims abstract description 5
- 230000006870 function Effects 0.000 claims description 101
- 238000012360 testing method Methods 0.000 claims description 12
- 238000012545 processing Methods 0.000 claims description 6
- 238000007781 pre-processing Methods 0.000 claims description 3
- 230000009191 jumping Effects 0.000 claims description 2
- 238000011160 research Methods 0.000 description 6
- 238000010586 diagram Methods 0.000 description 5
- 238000012800 visualization Methods 0.000 description 3
- 230000008859 change Effects 0.000 description 2
- 238000004891 communication Methods 0.000 description 2
- 238000011161 development Methods 0.000 description 2
- 230000018109 developmental process Effects 0.000 description 2
- 230000011218 segmentation Effects 0.000 description 2
- 230000003247 decreasing effect Effects 0.000 description 1
- 230000007547 defect Effects 0.000 description 1
- 238000013461 design Methods 0.000 description 1
- 238000001514 detection method Methods 0.000 description 1
- 238000005538 encapsulation Methods 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 238000013507 mapping Methods 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 238000005457 optimization Methods 0.000 description 1
- 238000007670 refining Methods 0.000 description 1
- 230000001105 regulatory effect Effects 0.000 description 1
- 230000002787 reinforcement Effects 0.000 description 1
- 230000000007 visual effect Effects 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F8/00—Arrangements for software engineering
- G06F8/40—Transformation of program code
- G06F8/41—Compilation
- G06F8/42—Syntactic analysis
- G06F8/425—Lexical analysis
Abstract
The invention discloses an industrial control protocol grammar reverse analysis method under basic block granularity based on pile insertion, which specifically comprises the following steps: the method comprises the steps of realizing dynamic pile insertion of instructions, basic blocks and function granularity for an industrial control protocol binary executable program, recording taint propagation information of the instruction granularity and basic block granularity, function granularity, logic judgment and skip information in the dynamic taint analysis process, and generating a program runtime log file. And the log file realizes industrial control protocol field boundary identification under the granularity of the basic blocks through a reordering and related analysis algorithm. Compared with a field boundary identification method under function granularity, the method can acquire program context information under more basic block granularity, thereby identifying different fields processed under the same function and improving field boundary identification precision.
Description
Technical Field
The invention relates to the technical field of industrial communication network protocols and protocol reverse engineering, in particular to an industrial control protocol syntax reverse analysis method under basic block granularity based on instrumentation.
Background
The industrial control protocol is an important component of the network topology of the modern industrial control system and has important significance in the safety research of the industrial control system. Safety research on industrial control protocols can be roughly divided into two parts: protocol ontology security research and protocol security applications. One popular field of protocol ontology security research is fuzzy testing of protocol implementation programs: by presetting a certain protocol input format as a seed, the fuzz testing tool can generate different inputs to test the vulnerability of buffer overflow and the like existing in the protocol implementation program. In the application of protocol security, an intrusion detection system can be constructed through message analysis, which is also a research hotspot for network security reinforcement of a lightweight industrial control system. The development of the two fields does not require the acquisition of industrial control protocol standards.
The protocol standard can be divided into three parts of protocol syntax, protocol semantics and protocol state machine. The protocol grammar delineates the field boundaries of the protocol; the protocol syntax describes the specific functions and meanings of each field of the protocol; and the protocol state machine is the embodiment of the time sequence relation of the protocol message. Due to various factors such as market occupation and safety, industrial control manufacturers generally choose to develop unique protocols for communication of the devices produced by the industrial control manufacturers, and keep the protocol standards thereof from disclosure. For researchers in the security field, this means that they need to acquire format information of protocols through various means, namely software reverse and data-to-peer means, and this process is undoubtedly time-consuming. In addition, the industrial control protocol usually adopts a binary protocol, the format of the binary protocol is strictly regulated, and semantic information is hidden, so that the manual protocol reversal difficulty is multiplied.
At present, an automatic reverse method for an industrial control binary protocol adopts a dynamic taint analysis technology to divide field boundaries from function granularity, and the reverse method can cause the situation that the field boundaries cannot be accurately divided when protocol functions realized by conditional branch statements rather than function encapsulation are analyzed. The fine-grained protocol reverse analysis method based on the basic block granularity can effectively solve the problems.
Disclosure of Invention
The invention aims to provide an industrial control protocol grammar reverse analysis method based on the granularity of basic blocks of instrumentation, aiming at the defects of the prior art.
The purpose of the invention is realized by the following technical scheme: a method for reversely analyzing industrial control protocol grammar under basic block granularity based on instrumentation comprises the following steps:
s1: performing instrumentation on a binary executable program of an industrial control protocol, acquiring runtime information of instructions and function granularity, and marking protocol message data received by a network receiving function as taint source data; recording taint state information of taint source data and subsequent taint data, tracking the propagation condition of taint data in a memory and a register according to taint propagation rules in the program running process, and acquiring the relationship between protocol message data and program context.
S2: performing pile insertion on the function granularity to obtain a function name and function entry and exit information; pile inserting is carried out on the granularity of the basic block, and the entry address and the length information of the basic block are obtained; and (4) performing instrumentation on the logic judgment of the instruction granularity and the assembly instruction related to the conditional jump for marking a logic boundary.
S3: according to the instrumentation method designed by S1 and S2, context information during program operation is recorded, and a formatted log file is formed.
S4: preprocessing the log file, eliminating the thread log irrelevant to the network receiving function, and reordering the function log, the basic block log and the instruction log according to the address data.
S5: analyzing the preprocessed log file, dividing a basic block sequence recorded in the log into a plurality of logic blocks by taking logic judgment and a conditional jump instruction as a logic boundary dividing basis, constructing an incidence relation between the logic blocks and protocol message data, and dividing the field boundary of the protocol message according to the incidence relation, thereby finishing syntax judgment.
Further, the step S1 specifically includes:
s11: and (3) instrumentation is carried out on the binary executable program of the industrial control protocol, and specifically, instrumentation of instruction granularity and function granularity is carried out by using a program instrumentation frame Pin.
S12: and identifying function names by using callback functions for function granularity, judging functions recv, recvfrom and recvmsg received by a Linux x86-64 operating system standard library network, and marking the received industrial control protocol message data as taint source data.
S13: and recording taint state information for taint source data and subsequently transmitted taint data, wherein the taint state information comprises byte offset addresses, data length, data shift conditions and whether the data are marked as taint states in industrial control protocol message data corresponding to the taint data.
S14: for instruction granularity, using a callback function to identify an operator and an operand of an instruction, for mov, add, or and shift instructions, identifying the operand of the instruction, and if dirty data exists in the operand, updating dirty data information.
S15: for the instruction using the taint data as an operand, the assembly instruction, the operand and the taint data information of the instruction are recorded in a log file by using a callback function.
Further, the step S2 specifically includes:
s21: recording the function name, the function state, the thread ID, the starting address, the ending address and the return address when the function enters and exits;
s22: when jumping to a new basic block, recording the entry address of the basic block, the byte length occupied by the basic block and the thread ID information;
s23: and disassembling byte codes for each executed instruction, and recording assembly instructions, thread IDs and instruction length information if the instructions are cmp, test or conditional jump related instructions.
Further, the step S3 specifically includes: according to the instrumentation method designed by S1 and S2, the function, the basic block and the instruction granularity log are orderly recorded into a txt format log file in the program running process.
Further, the step S4 specifically includes:
s41: removing log records corresponding to thread IDs without taint data, wherein the log records comprise instructions, basic blocks and function granularity; removing log records of a system calling function;
s42: reordering log records is carried out, and the specific rule is as follows: the entry log of the function is before the relevant basic block log, the basic block log is before the relevant instruction log, and the exit log of the function is after the return instruction log of the function;
s43: and outputting the reordered log records to a new log file.
Further, the step S5 specifically includes:
s51: performing off-line analysis on the log file obtained by the processing of S4, wherein the function log represents a function node, the basic block log represents a basic block node, and a taint data related instruction log between the beginning and the end of a basic block represents a message data node, and gradually establishing the following relations in the analysis process: the function node comprises a plurality of basic block node sequences, and the tail end of a basic block node is a message data node to form a tree graph structure;
s52: whether the rsp value changes or not and whether logic judgment and conditional jump instructions occur or not are used for judging whether logic boundaries exist or not, message data nodes in basic block nodes and child nodes thereof are combined according to the logic boundaries, one combined basic block node comprises a plurality of basic blocks, and a logic block during program implementation is described;
s53: performing cycle judgment on a cycle structure body possibly existing in a program, and combining basic blocks and message data nodes in the cycle structure body;
s54: and carrying out protocol message field boundary division aiming at the constructed tree graph structure.
Further, the protocol packet field boundary division in S54 is according to the following:
rule a: the bytes of the same protocol field can be processed in the same logic block, if two bytes appear in different message data nodes, the two bytes are considered as different fields;
rule b: regarding the bytes merged by the register shifting operation, the bytes are uniformly considered to belong to the same field, and the priority of rule b is higher than that of rule a;
rule c: if a byte is divided into different fields by rule b, the fields containing the byte are merged;
rule d: and (4) automatically merging the continuous bytes into the same field through the residual bytes after the division by the rules a, b and c.
Compared with the existing industrial control protocol reverse analysis method under the function granularity, the method has the following advantages:
1. the analysis granularity is refined from the function granularity to the basic block granularity, and more program context information can be captured in the dynamic running process of the program;
2. for a field which is not packaged to a function for processing and uses a conditional branch for realizing the function, conditional jump under the granularity of a basic block can be used as a logic boundary to obtain a more accurate field boundary;
3. the method also has universality for program analysis of the binary protocol implementation, and does not influence the analysis speed.
Drawings
FIG. 1 is a schematic diagram of the method of the present invention;
FIG. 2 is a schematic diagram of the taint state initialization and taint propagation involved in the dynamic taint analysis method of the present invention;
FIG. 3 is a tree diagram of the results of a function granularity analysis using a custom test protocol as an example;
FIGS. 4(a) and 4(b) are tree diagrams of the results of the basic block granularity analysis using the custom test protocol as an example;
FIG. 5 is a result tree diagram of an example Modbus/TCP protocol.
Detailed Description
The invention is described in further detail below with reference to the figures and specific examples.
The basic architecture of the invention is shown in fig. 1, in the embodiment of the invention, a binary executable program of an industrial control protocol to be tested is used as the input of a program instrumentation module, the instrumentation module is developed by using Pin, a callback function of a command, a basic block and function granularity is customized through c + + language, industrial control protocol message data is received as taint source data, and taint propagation and program operation context recording in the program dynamic operation process are performed. After a Pin dynamic running program is used, a message to be analyzed is sent to a corresponding network port through a script, a pile inserting module monitors and dynamically writes a program running log, and the log comprises records of taint propagation, function entry and exit, basic block entry, logic judgment and conditional jump instructions. After the logs are dynamically generated, the logs are processed off-line through a log analysis module, the log analysis module mainly comprises three parts, the logs are cleaned firstly, thread logs which do not need to be analyzed are filtered, and the logs are reordered to accord with visual semantics, so that subsequent analysis is facilitated; the sorted log recording sequence is the correct sequence when the program runs, and through the sequence, the tree-like relation of the function nodes, the basic block nodes and the protocol message byte data nodes is constructed and visually output; and finally, dividing the field boundary of the message and outputting the divided message to a command line through a field boundary judgment rule. And finally obtaining the grammar information corresponding to the protocol message to be tested through the processing.
The method for reversely analyzing the industrial control protocol grammar under the basic block granularity based on the pile insertion, provided by the embodiment of the invention, comprises the following specific implementation flows:
s1: FIG. 2 shows the idea of applying the dynamic taint analysis method in the present invention. For network receiving functions recv, recvfrom and recvmsg in a Linux x86-64 operating system, acquiring corresponding function parameter information by using an RTN _ InsertCall function provided by Pin to locate a received message byte address and mark the received message byte address as taint source data; in the program running process, saving the taint information corresponding to a specific address and a register, independently writing a callback function corresponding to a taint propagation rule for instructions which can cause taint state change such as memory copy, arithmetic operation and shift instructions, and analyzing the instructions and calling the callback function by using an INS _ InsertCall function. This information will be written to the log file.
S2: except for a instrumentation process necessary for dynamic taint analysis, instrumentation is respectively carried out on functions, basic blocks and instruction granularity, wherein the functions are instrumented by using RTN _ InsertCall, and the functions obtain function names, function states, thread IDs, starting addresses, ending addresses and return address information by using API functions corresponding to RTN; using a BBL _ InsertCall function for the basic block, and recording an entry address of a new basic block, the byte length occupied by the basic block and the information of a thread ID; for an instruction, if the instruction is a cmp, test, or conditional jump related instruction, the specific assembly instruction, thread ID, and instruction length information are recorded, and specific implementation examples are as follows:
s3: compiling the pintool, using Pin and the pintool running protocol to execute a binary elf program, sending a message to be analyzed to a port corresponding to the protocol, and acquiring a running log file. The obtained summary of the log file format is as follows:
specifically, the Function row characterizes the entry and exit states of the Function, and resolves the Function name; the Block line represents that a new basic Block is entered, and an entry instruction address, an rsp and basic Block size information are obtained; the Misc line records cmp, test statements and conditional jump statements; the Instruction line records Instruction information for stain propagation.
S4: the output logs are sorted, specifically as follows:
s41: when the protocol program is specifically realized, a single thread is usually adopted for receiving and processing data, for other threads, the value of continuous analysis is not provided, the thread needing to be analyzed can be locked by retrieving the thread ID corresponding to the Instruction record, and redundant information is eliminated; in addition, in the running process, the dynamic link library can be called in a process link table (plt) mode, when the optimization level is higher, Pin cannot track the return address of the function, and the subsequent analysis is influenced, so that function records with the function name with the '@ plt' related character string can be eliminated together.
S42: when Pin processes the instruction level information and the basic block level information, it will preferentially peg a callback function of the instruction layer, and then perform the initial judgment of the basic block, so that in the initial log, the related log sequence will have a dislocation phenomenon, specifically as follows:
during analysis, the reasonable sequence is that the function enters the related log line before the basic block log line contained in the related log line, the function exits the log line as the end, the basic block log line is before the instruction log contained in the related log line, so that the sequence arrangement is necessary, the exchange of the function, the basic block and the instruction line is involved in the sequence arrangement process, and whether the sequence needs to be adjusted is judged mainly by comparing the values of the addresses.
S43: and outputting the reordered log records to a new log file.
S5: restoring the tree-shaped graph structure through the program running information recorded by the log, and recovering the format information of the protocol message, which comprises the following specific steps:
s51: performing off-line analysis on the log file obtained by the processing of S4, wherein the function log represents a function node, the basic block log represents a basic block node segment, a taint data related instruction log line between the beginning and the end of a basic block represents a message data node, and the following relations are gradually established in the analysis process: the function node comprises a plurality of basic block node sequences, and the tail end of the basic block node is a message data node to form a tree graph relation;
s52: the protocol reverse basis under the basic block granularity is that bytes in the same field can be processed in the same conditional branch, the conditional branch is usually represented as a combination of a cmp instruction, a test instruction and a conditional jump instruction at an assembly instruction layer, and when the cmp instruction, the test instruction and the jump instruction appear continuously during analysis, the boundary identifier on programming logic is considered, and the previous basic block node and the attached data node are merged. The rsp value is used to assist in determining entry and exit of a function, and there is usually an operation on the stack when the function enters and returns, which results in a change in the rsp value. Specifically, when the rsp value is decreased, a newly-built basic block node is used as a child node of the current node, when the rsp value is increased, the newly-built basic block node is used as a child node of the current function node, and when the rsp value is unchanged, whether the newly-built basic block node is newly built is judged according to logic judgment and a conditional jump instruction;
s53: dividing the logic boundary by using the logic judgment and the conditional jump instruction can cause that each loop in the loop structure independently generates a basic block node, so that message bytes contained in message data nodes in child nodes of the loop structure are wrongly identified as different fields, and therefore, the information of executed basic blocks needs to be recorded;
s54: and aiming at the constructed tree graph structure, carrying out boundary division on the message, specifically according to the following steps:
rule a: the bytes of the same protocol field can be processed in the same logic block, if two bytes appear in different message data nodes, the two bytes are considered as different fields;
rule b: regarding the bytes merged by the register shifting operation, the bytes are uniformly considered to belong to the same field, and the priority of rule b is higher than that of rule a;
rule c: if a byte is divided into different fields by rule b, the fields containing the byte are merged;
rule d: and (4) automatically merging the continuous bytes into the same field through the residual bytes after the division by the rules a, b and c.
In the specific implementation, each data node is numbered, a dictionary mapping relation between the message bytes and the numbers of the data nodes containing the bytes is established, and field boundary identification is completed through logic of realizing the rule judgment.
Taking the custom test code implemented in C language as an example, the following source code shows the function of setting a value of a certain bit of the data stored in the protocol implementation program, in this implementation, one byte is used to indicate the offset of the bit to be modified in the data, and another byte indicates that the position is set to 0 or 1. Because two bytes are used under the same function dataHolding, the boundary between the two bytes cannot be accurately analyzed and obtained based on the reverse function granularity protocol, and the fine granularity analysis method can accurately position the boundary between the two bytes.
Fig. 3 shows the visualization result of the above-mentioned reverse parsing of the protocol packet syntax based on the function granularity, wherein the rectangular nodes represent function nodes, and the oval nodes represent data nodes, and the 4 th and 5 th byte boundaries related to the above-mentioned function implementation are not distinguished; fig. 4(a) and 4(b) show the visualization results of the reverse analysis of the message syntax after adding the granularity of the basic block, where the round rectangular node is the basic block sequence after refining the granularity, and fig. 4(b) shows the subsequent child nodes of the node C, which can be seen that the 4 th and 5 th bytes in the subsequent nodes of the node C appear in different data nodes, so that the boundaries thereof are accurately recognized.
Fig. 5 shows an analysis visualization result of the Modbus/TCP open source implementation protocol program libmodbus, and since the whole tree is too large, part of nodes are selected as a schematic. The sent message is "\\ x01\ x11\ x00\ x00\ x00\ x06\ x01\ x03\ x00\ x02\ x00\ x 08", the output result of the command line after the field boundary is analyzed is as follows, and the field segmentation result is obtained visually:
the reverse analysis result of the invention depends on extracting the semantic realization of the analyzed program to the protocol message field during design and development, and the unused field in the protocol program programming can not accurately analyze the more specific boundary segmentation condition in the field, and the fields usually have no key function in subsequent applications such as safety research, and the like, thereby having little restriction on the subsequent applications of the invention.
The above-described embodiments are intended to illustrate rather than to limit the invention, and any modifications and variations of the present invention are within the spirit of the invention and the scope of the appended claims.
Claims (10)
1. A method for reversely analyzing industrial control protocol grammar under basic block granularity based on instrumentation is characterized by comprising the following steps:
s1: performing instrumentation on a binary executable program of an industrial control protocol, acquiring runtime information of instructions and function granularity, and marking protocol message data received by a network receiving function as taint source data; recording taint state information of taint source data and subsequent taint data, tracking the propagation condition of taint data in a memory and a register according to taint propagation rules in the program running process, and acquiring the relationship between protocol message data and program context.
S2: performing pile insertion on the function granularity to obtain a function name and function entry and exit information; pile inserting is carried out on the granularity of the basic block, and the entry address and the length information of the basic block are obtained; and (4) performing instrumentation on the logic judgment of the instruction granularity and the assembly instruction related to the conditional jump for marking a logic boundary.
S3: according to the instrumentation method designed by S1 and S2, context information during program operation is recorded, and a formatted log file is formed.
S4: preprocessing the log file, eliminating the thread log irrelevant to the network receiving function, and reordering the function log, the basic block log and the instruction log according to the address data.
S5: analyzing the preprocessed log file, dividing a basic block sequence recorded in the log into a plurality of logic blocks by taking logic judgment and a conditional jump instruction as a logic boundary dividing basis, constructing an incidence relation between the logic blocks and protocol message data, and dividing the field boundary of the protocol message according to the incidence relation, thereby finishing syntax judgment.
2. The method according to claim 1, wherein the step S1 specifically includes:
s11: and (3) instrumentation is carried out on the binary executable program of the industrial control protocol, and specifically, instrumentation of instruction granularity and function granularity is carried out by using a program instrumentation frame Pin.
S12: and identifying function names by using callback functions for function granularity, judging functions recv, recvfrom and recvmsg received by a Linux x86-64 operating system standard library network, and marking the received industrial control protocol message data as taint source data.
S13: and recording taint state information for taint source data and subsequently transmitted taint data, wherein the taint state information comprises byte offset addresses, data length, data shift conditions and whether the data are marked as taint states in industrial control protocol message data corresponding to the taint data.
S14: for instruction granularity, using a callback function to identify an operator and an operand of an instruction, for mov, add, or and shift instructions, identifying the operand of the instruction, and if dirty data exists in the operand, updating dirty data information.
S15: for the instruction using the taint data as an operand, the assembly instruction, the operand and the taint data information of the instruction are recorded in a log file by using a callback function.
3. The method according to claim 1, wherein the step S2 specifically includes:
s21: recording the function name, the function state, the thread ID, the starting address, the ending address and the return address when the function enters and exits;
s22: when jumping to a new basic block, recording the entry address of the basic block, the byte length occupied by the basic block and the thread ID information;
s23: and disassembling byte codes for each executed instruction, and recording assembly instructions, thread IDs and instruction length information if the instructions are cmp, test or conditional jump related instructions.
4. The method according to claim 1, wherein the step S3 specifically includes: according to the instrumentation method designed by S1 and S2, the function, the basic block and the instruction granularity log are orderly recorded into a txt format log file in the program running process.
5. The method for analyzing the engineering control protocol syntax in reverse direction under the basic block granularity based on instrumentation of claim 1, wherein in the step S4, the preprocessing the log file specifically comprises: removing log records corresponding to thread IDs without taint data, wherein the log records comprise instructions, basic blocks and function granularity; and removing the log records of the system calling function.
6. The method for inverse parsing IPsyntax of claim 1, wherein in step S4, the specific rule for reordering the log is: the entry log of the function is before the relevant basic block log, the basic block log is before the relevant instruction log, and the exit log of the function is after the return instruction log of the function; and outputting the reordered log records to a new log file.
7. The method of claim 1, wherein in step S5, the log file obtained from the processing in S4 is analyzed offline, wherein the function log represents a function node, the basic block log represents a basic block node, the taint data related instruction log from beginning to end of a basic block represents a message data node, and the following relationships are gradually established during the analysis: the function node comprises a plurality of basic block node sequences, and the tail end of the basic block node is a message data node to form a tree graph structure.
8. The method according to claim 7, wherein in step S5, whether the rsp value changes and whether a logic judgment and a conditional jump instruction occur are used to judge whether a logic boundary exists, the message data nodes in the basic block nodes and their child nodes are merged according to the logic boundary, and one merged basic block node includes a plurality of basic blocks and describes a logic block when a program is implemented.
9. The method according to claim 7, wherein in step S5, a loop judgment is performed on a loop structure that may exist in a program, and a basic block and a message data node in the loop structure are merged.
10. The method for inverse analysis of industrial control protocol syntax under the granularity of basic blocks based on instrumentation according to any one of claims 7 to 9, wherein in the step S5, for the constructed tree graph structure, the protocol packet field boundary is divided according to the following:
rule a: the bytes of the same protocol field can be processed in the same logic block, if two bytes appear in different message data nodes, the two bytes are considered as different fields;
rule b: regarding the bytes merged by the register shifting operation, the bytes are uniformly considered to belong to the same field, and the priority of rule b is higher than that of rule a;
rule c: if a byte is divided into different fields by rule b, the fields containing the byte are merged;
rule d: and (4) automatically merging the continuous bytes into the same field through the residual bytes after the division by the rules a, b and c.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110024995.5A CN112905184B (en) | 2021-01-08 | 2021-01-08 | Pile-inserting-based reverse analysis method for industrial control protocol grammar under basic block granularity |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110024995.5A CN112905184B (en) | 2021-01-08 | 2021-01-08 | Pile-inserting-based reverse analysis method for industrial control protocol grammar under basic block granularity |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN112905184A true CN112905184A (en) | 2021-06-04 |
| CN112905184B CN112905184B (en) | 2024-03-26 |
Family
ID=76112359
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202110024995.5A Active CN112905184B (en) | 2021-01-08 | 2021-01-08 | Pile-inserting-based reverse analysis method for industrial control protocol grammar under basic block granularity |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN112905184B (en) |
Cited By (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113377379A (en) * | 2021-08-12 | 2021-09-10 | 四川腾盾科技有限公司 | Simulator instruction instrumentation-based operating system information statistical method |
| CN115221051A (en) * | 2022-07-12 | 2022-10-21 | 北京大学 | Program instrumentation method and device for verifying data API execution process |
| CN116108449A (en) * | 2023-01-12 | 2023-05-12 | 清华大学 | Software fuzzy test method, device, equipment and storage medium |
| CN116775127A (en) * | 2023-05-25 | 2023-09-19 | 哈尔滨工业大学 | Static symbol execution pile inserting method based on RetroWrite framework |
Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20060090063A1 (en) * | 2002-06-24 | 2006-04-27 | Jean-Paul Theis | Method for executing structured symbolic machine code on a microprocessor |
| US20100031241A1 (en) * | 2008-08-01 | 2010-02-04 | Leon Schwartz | Method and apparatus for detection and optimization of presumably parallel program regions |
| US20140245260A1 (en) * | 2013-02-27 | 2014-08-28 | Hewlett-Packard Development Company, L.P. | Distributed implementation of sequential code that includes a future |
| CN104506484A (en) * | 2014-11-11 | 2015-04-08 | 中国电子科技集团公司第三十研究所 | Proprietary protocol analysis and identification method |
| CN108446235A (en) * | 2018-03-21 | 2018-08-24 | 北京理工大学 | In conjunction with the fuzz testing critical data localization method of path label data variation |
| CN110213243A (en) * | 2019-05-15 | 2019-09-06 | 浙江大学 | A kind of industrial communication protocol conversed analysis method based on the analysis of dynamic stain |
-
2021
- 2021-01-08 CN CN202110024995.5A patent/CN112905184B/en active Active
Patent Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20060090063A1 (en) * | 2002-06-24 | 2006-04-27 | Jean-Paul Theis | Method for executing structured symbolic machine code on a microprocessor |
| US20100031241A1 (en) * | 2008-08-01 | 2010-02-04 | Leon Schwartz | Method and apparatus for detection and optimization of presumably parallel program regions |
| US20140245260A1 (en) * | 2013-02-27 | 2014-08-28 | Hewlett-Packard Development Company, L.P. | Distributed implementation of sequential code that includes a future |
| CN104506484A (en) * | 2014-11-11 | 2015-04-08 | 中国电子科技集团公司第三十研究所 | Proprietary protocol analysis and identification method |
| CN108446235A (en) * | 2018-03-21 | 2018-08-24 | 北京理工大学 | In conjunction with the fuzz testing critical data localization method of path label data variation |
| CN110213243A (en) * | 2019-05-15 | 2019-09-06 | 浙江大学 | A kind of industrial communication protocol conversed analysis method based on the analysis of dynamic stain |
Cited By (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113377379A (en) * | 2021-08-12 | 2021-09-10 | 四川腾盾科技有限公司 | Simulator instruction instrumentation-based operating system information statistical method |
| CN113377379B (en) * | 2021-08-12 | 2021-11-16 | 四川腾盾科技有限公司 | Simulator instruction instrumentation-based operating system information statistical method |
| CN115221051A (en) * | 2022-07-12 | 2022-10-21 | 北京大学 | Program instrumentation method and device for verifying data API execution process |
| CN116108449A (en) * | 2023-01-12 | 2023-05-12 | 清华大学 | Software fuzzy test method, device, equipment and storage medium |
| CN116108449B (en) * | 2023-01-12 | 2024-02-23 | 清华大学 | Software fuzzy test method, device, equipment and storage medium |
| CN116775127A (en) * | 2023-05-25 | 2023-09-19 | 哈尔滨工业大学 | Static symbol execution pile inserting method based on RetroWrite framework |
Also Published As
| Publication number | Publication date |
|---|---|
| CN112905184B (en) | 2024-03-26 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN112905184B (en) | Pile-inserting-based reverse analysis method for industrial control protocol grammar under basic block granularity | |
| CN108052825B (en) | Vulnerability detection system combining fuzzy test and symbolic execution aiming at binary executable file | |
| US7508985B2 (en) | Pattern-matching system | |
| US8312440B2 (en) | Method, computer program product, and hardware product for providing program individuality analysis for source code programs | |
| JP2022505340A (en) | Systems and methods for dynamically identifying data arguments and instrumenting source code | |
| US7530056B1 (en) | Method and system for detecting runtime defects in a program by comparing correct and incorrect runs | |
| US5608867A (en) | Debugging system using virtual storage means, a normal bus cycle and a debugging bus cycle | |
| CN109101237A (en) | The encryption Compilation Method and device of code | |
| CN110213243B (en) | Industrial communication protocol reverse analysis method based on dynamic taint analysis | |
| CN109388573B (en) | Error detection method and system during running of interrupt-driven program without false alarm | |
| CN115269393A (en) | Program dynamic function call sequence tracking method and device based on hardware | |
| CN115544490A (en) | Method and system for detecting password constant in binary file | |
| US9436466B2 (en) | Blank bit and processor instructions employing the blank bit | |
| US3618042A (en) | Error detection and instruction reexecution device in a data-processing apparatus | |
| CN109002723B (en) | Sectional type symbol execution method | |
| CN110262753A (en) | A kind of method, system and SSD accelerating command response | |
| US8321851B2 (en) | Determining compiler efficiency | |
| JP2001101029A (en) | Method and device for recording system call information | |
| CN117762718B (en) | Instruction monitoring method, device, equipment and storage medium | |
| KR20200086093A (en) | Apparatus and method for analyzing source code of concurrent program and computer readible storage medium therefor | |
| US6795879B2 (en) | Apparatus and method for wait state analysis in a digital signal processing system | |
| CN113296833B (en) | Identification method and device for legal instructions in binary file | |
| KR102436522B1 (en) | Protocol message format reversing apparatus and method thereof | |
| WO2023067665A1 (en) | Analysis function addition method, analysis function addition device, and analysis function addition program | |
| Bruda et al. | Limitations of coverability trees for context-free parallel communicating grammar systems and why these grammar systems are not linear space |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |