CN112905184B - Pile-inserting-based reverse analysis method for industrial control protocol grammar under basic block granularity - Google Patents


Info

Publication number
CN112905184B
CN112905184B (application CN202110024995.5A / CN202110024995A)
Authority
CN
China
Prior art keywords
function
basic block
granularity
instruction
log
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110024995.5A
Other languages
Chinese (zh)
Other versions
CN112905184A (en)
Inventor
程鹏
谢一松
汪慕峰
刘可
周劼英
郭志民
张伟剑
吕卓
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhejiang University ZJU
State Grid Corp of China SGCC
Electric Power Research Institute of State Grid Henan Electric Power Co Ltd
Original Assignee
Zhejiang University ZJU
State Grid Corp of China SGCC
Electric Power Research Institute of State Grid Henan Electric Power Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Zhejiang University ZJU, State Grid Corp of China SGCC and Electric Power Research Institute of State Grid Henan Electric Power Co Ltd
Priority to CN202110024995.5A
Publication of CN112905184A
Application granted
Publication of CN112905184B
Legal status: Active
Anticipated expiration

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00: Arrangements for software engineering
    • G06F8/40: Transformation of program code
    • G06F8/41: Compilation
    • G06F8/42: Syntactic analysis
    • G06F8/425: Lexical analysis

Landscapes

  • Engineering & Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Maintenance And Management Of Digital Transmission (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses an instrumentation-based reverse analysis method for industrial control protocol syntax at basic block granularity. The method dynamically instruments an industrial control protocol binary executable at instruction, basic block and function granularity; during dynamic taint analysis it records taint propagation information at instruction, basic block and function granularity together with logic judgement and jump information, and writes a program run log file. From that log file, a reordering step and an association analysis algorithm identify the industrial control protocol field boundaries at basic block granularity. Compared with field boundary identification at function granularity, the method captures more program context at basic block granularity, so that different fields processed within the same function are told apart and the precision of field boundary identification improves.

Description

Pile-inserting-based reverse analysis method for industrial control protocol grammar under basic block granularity
Technical Field
The invention relates to the technical field of industrial communication network protocols and protocol reverse engineering, and in particular to an instrumentation-based reverse analysis method for industrial control protocol syntax at basic block granularity.
Background
Industrial control protocols are an important component of the network topology of modern industrial control systems and matter greatly for industrial control system security research. Security research on industrial control protocols can broadly be divided into two parts: research on the security of the protocol itself, and security applications built on the protocol. One popular area of the former is fuzz testing of protocol implementations: given a protocol input format as a seed, the fuzzer generates different inputs to test the implementation for vulnerabilities such as buffer overflows. On the application side, an intrusion detection system can be built on message parsing, which is also a research hotspot for hardening the network security of lightweight industrial control systems. Both areas depend on the industrial control protocol specification being available.
A protocol specification can be divided into three parts: protocol syntax, protocol semantics and the protocol state machine. The syntax delineates the field boundaries of the protocol; the semantics describe the specific function and meaning of each field; the state machine embodies the temporal relationships between protocol messages. For reasons of market share, security and so on, industrial control vendors often develop proprietary protocols for communication between their devices and keep the specifications unpublished. For security researchers this means the protocol format has to be obtained by other means, such as reverse engineering the software and comparing captured data, and that process is certainly time consuming. Moreover, industrial control protocols are usually binary protocols whose format is strictly laid out and whose semantic information is hidden, which makes manual protocol reverse engineering considerably harder.
At present, automated reverse engineering of industrial control binary protocols uses dynamic taint analysis and divides field boundaries at function granularity. Such methods cannot divide field boundaries accurately when protocol logic is implemented through conditional branches rather than wrapped in separate functions. A fine-grained protocol reverse analysis method working at basic block granularity can effectively solve this problem.
Disclosure of Invention
The invention aims to overcome the defects of the prior art and provides an instrumentation-based reverse analysis method for industrial control protocol syntax at basic block granularity.
The invention achieves this through the following technical scheme. The instrumentation-based method for reverse analysis of industrial control protocol syntax at basic block granularity comprises the following steps:
S1: instrument the binary executable of the industrial control protocol, obtain runtime information at instruction and function granularity, and mark the protocol message data received by a network receive function as taint source data; record the taint state of the source data and of the taint data derived from it, track the propagation of taint data through memory and registers according to taint propagation rules while the program runs, and thereby obtain the relation between the protocol message data and the program context.
S2: instrument at function granularity to obtain the function name and the function's entry and exit information; instrument at basic block granularity to obtain the basic block entry address and length; and instrument the assembly instructions at instruction granularity that perform logic judgements and conditional jumps, in order to mark logic boundaries.
S3: record the program's runtime context according to the instrumentation designed in S1 and S2, producing a formatted log file.
S4: preprocess the log file: remove the logs of threads unrelated to the network receive function, and reorder the function, basic block and instruction logs according to their address data.
S5: analyze the preprocessed log file, taking logic judgements and conditional jump instructions as the basis for dividing logic boundaries; divide the basic block sequence recorded in the log into logic blocks, build the association between the logic blocks and the protocol message data, and divide the protocol message fields along those associations to complete the syntax determination.
Further, step S1 specifically includes:
S11: instrument the binary executable of the industrial control protocol; specifically, instrument at instruction and function granularity using the program instrumentation framework Pin.
S12: at function granularity, use a callback to identify the function name, detect the Linux x86-64 standard library network receive functions recv, recvfrom and recvmsg, and mark the industrial control protocol message data they receive as taint source data.
S13: record taint state information for the taint source data and for the taint data propagated from it; the taint state consists of the byte offset within the industrial control protocol message that the taint data corresponds to, the data length, the shift applied to the data, and whether the data is currently marked as tainted.
S14: at instruction granularity, use a callback to identify the instruction's operator and operands; for mov, add, or and shift instructions, identify the operands, and if taint data is present in an operand, update the taint information.
S15: for an instruction that uses taint data as an operand, use a callback to record the assembly instruction, the operand and the taint information in a log file.
Further, step S2 specifically includes:
S21: record the function name, function state, thread ID, start address, end address and return address at function entry and exit;
S22: when jumping to a new basic block, record the basic block entry address, the number of bytes the basic block occupies, and the thread ID;
S23: disassemble the byte code of every executed instruction, and if the instruction is a cmp, test or conditional jump instruction, record the assembly instruction, thread ID and instruction length.
Further, step S3 specifically includes: following the instrumentation designed in S1 and S2, the function, basic block and instruction granularity logs are recorded in order into txt-format log files while the program runs.
Further, step S4 specifically includes:
S41: remove the log records belonging to thread IDs that carry no taint data, at instruction, basic block and function granularity alike; also remove the log records of system call functions;
S42: reorder the log records according to the following rules: a function's entry log precedes the logs of its basic blocks, a basic block's log precedes the logs of its instructions, and a function's exit log follows the log of the function's return instruction;
S43: write the reordered log records to a new log file.
Further, step S5 specifically includes:
S51: analyze the log file produced by S4 offline. A function log represents a function node, a basic block log represents a basic block node, and the taint-related instruction logs between the beginning and end of a basic block represent a message data node. The analysis progressively builds the following relation: a function node contains several sequences of basic block nodes, and the tail of each basic block node is a message data node, forming a tree structure;
S52: decide whether a logic boundary exists from whether the rsp value changes and whether a logic judgement together with a conditional jump instruction appears; merge the message data nodes of basic block nodes and their child nodes according to those logic boundaries. A merged basic block node contains several basic blocks and describes one logic block of the program's implementation;
S53: detect loop structures that may exist in the program, and merge the basic blocks and message data nodes inside a loop;
S54: divide the protocol message field boundaries over the constructed tree structure.
Further, the protocol message field boundary division in S54 is based on the following rules:
rule a: bytes of the same protocol field are processed in the same logic block, so if two bytes appear in different message data nodes they are considered to belong to different fields;
rule b: bytes that have been merged by a register shift operation are always considered to belong to the same field, and rule b takes priority over rule a;
rule c: if one byte is placed into different fields by rule b, the fields containing that byte are merged;
rule d: the bytes that remain after division by rules a, b and c are merged into one field.
Compared with existing industrial control protocol reverse analysis methods at function granularity, the method has the following advantages:
1. the analysis granularity is refined from function granularity to basic block granularity, so that more program context information is captured while the program runs;
2. for fields that are not handled in a dedicated function but implemented with conditional branches, the conditional jumps at basic block granularity serve as logic boundaries, yielding more accurate field boundaries;
3. the method applies generally to the analysis of programs implementing binary protocols, and does not affect analysis speed.
Drawings
FIG. 1 is a block diagram of the method of the invention;
FIG. 2 illustrates taint source marking and taint propagation in the dynamic taint analysis used by the method;
FIG. 3 is the tree diagram resulting from function granularity analysis, taking a custom test protocol as an example;
FIGS. 4(a) and 4(b) are the tree diagrams resulting from basic block granularity analysis of the custom test protocol;
FIG. 5 is the resulting tree diagram for an example of the Modbus/TCP protocol.
Detailed Description
The invention is described in further detail below with reference to the drawings and specific examples.
In the embodiment, the binary executable of the industrial control protocol under test is the input of a program instrumentation module. The instrumentation module is developed with Pin; custom C++ callbacks at instruction, basic block and function granularity take the received industrial control protocol message data as taint source data, propagate taint and record the program's execution context while the program runs. Once the program is running under Pin, the message to be analyzed is sent to the corresponding network port by a script, and the instrumentation module monitors execution and writes a program run log containing records of taint propagation, function entry and exit, basic block entry, and logic judgement and conditional jump instructions. The generated logs are then processed offline by a log analysis module with three parts: first, the logs are cleaned, thread logs that need no analysis are filtered out, and the logs are reordered to match their intuitive semantics so that later analysis is easier; second, the cleaned log sequence, which is the actual order of execution, is used to build the tree relation among function nodes, basic block nodes and protocol message byte data nodes, which is output as a visualization; finally, the message field boundaries are divided by the field boundary rules and printed to the command line. This processing yields the syntax information of the protocol message under test.
The invention provides an instrumentation-based reverse analysis method for industrial control protocol syntax at basic block granularity, whose specific implementation flow is as follows:
S1: FIG. 2 shows how dynamic taint analysis is applied in the invention. For the network receive functions recv, recvfrom and recvmsg of a Linux x86-64 system, the RTN_InsertCall function provided by Pin is used to obtain the function's parameters, locate the address of the received message bytes and mark them as taint source data. While the program runs, the taint information for specific addresses and registers is stored; for instructions that can change taint state, such as memory copies, arithmetic operations and shifts, a callback implementing the corresponding taint propagation rule is written for each, and INS_InsertCall is used to analyze the instructions and invoke the callbacks. This information is written to the log file.
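As an added illustration of the taint state described in S13 and S14 and in step S1 above (this is not the patent's text nor the inventors' pintool), the following Python model keeps, for every operand location, the set of message byte offsets the value depends on together with the accumulated shift: mov copies that state, add/or unite it, and shl/shr adjust the shift. The `TaintTracker` class, the location names ("eax", "buf+4") and the traced instruction sequence are constructed for the example; in a real pintool the same bookkeeping runs inside the INS_InsertCall callbacks.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class TaintByte:
    """One unit of taint state (S13): which message byte a value came from and how it was shifted."""
    offset: int      # byte offset inside the received protocol message
    shift: int = 0   # net bit shift applied to that byte since it was read (positive = left)


class TaintTracker:
    """Shadow map from an operand location (register name or 'buf+N' memory cell) to its taint set."""

    def __init__(self):
        self.shadow = {}   # location -> set[TaintByte]
        self.log = []      # one record per instruction that touched taint data (S15)

    def mark_source(self, buf, length):
        """A receive function (recv/recvfrom/recvmsg, S12) wrote `length` message bytes at `buf`."""
        for i in range(length):
            self.shadow[f"{buf}+{i}"] = {TaintByte(i)}

    def taint_of(self, loc):
        return self.shadow.get(loc, set())

    def execute(self, mnem, dst, src=None):
        """Apply the propagation rule of one instruction (S14); `src` is a location or an immediate."""
        before = self.taint_of(dst)
        src_taint = self.taint_of(src) if isinstance(src, str) else set()
        if mnem in ("mov", "movzx", "movsx"):
            new = set(src_taint)                       # a copy replaces the destination's taint
        elif mnem in ("add", "sub", "or", "and", "xor"):
            new = before | src_taint                   # the result depends on both operands
        elif mnem in ("shl", "shr"):
            amount = src if isinstance(src, int) else 0
            sign = 1 if mnem == "shl" else -1
            new = {TaintByte(t.offset, t.shift + sign * amount) for t in before}
        else:
            new = before                               # instructions without a rule leave taint unchanged
        if new:
            self.shadow[dst] = new
        else:
            self.shadow.pop(dst, None)                 # overwritten by an untainted value: taint cleared
        if new or src_taint:
            self.log.append((mnem, dst, src, sorted((t.offset, t.shift) for t in new)))
        return new


def trace_big_endian_field():
    """Constructed trace: the program rebuilds message bytes 4 and 5 into one 16-bit value."""
    tr = TaintTracker()
    tr.mark_source("buf", 6)             # a 6-byte message was received into buf
    tr.execute("movzx", "eax", "buf+4")  # high byte
    tr.execute("shl", "eax", 8)
    tr.execute("movzx", "edx", "buf+5")  # low byte
    tr.execute("or", "eax", "edx")       # eax now carries byte 4 (shifted by 8) and byte 5
    tr.execute("mov", "ecx", "buf+1")    # an unrelated single-byte field
    tr.execute("mov", "edx", 0)          # constant overwrite clears the taint of edx
    return tr
```

The record written for the `or` instruction shows both offsets with their shifts, which is exactly the "data shift condition" that rule b later uses to keep bytes 4 and 5 in one field. The model deliberately omits idioms such as `xor eax, eax` zeroing a register; a production pintool needs a rule for each of them.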
S2: the method comprises the steps of respectively performing instrumentation on functions, basic blocks and instruction granularity except for an instrumentation process necessary for dynamic stain analysis, wherein the functions are instrumented by RTN_InsertCall, and function names, function states, thread IDs, starting addresses, ending addresses and return address information are acquired by using the corresponding API functions of RTNs; using a BBL_InertCall function for the basic block, and recording the entry address of the new basic block, the occupied byte length of the basic block and the thread ID information; for an instruction, if the instruction is a cmp, test or conditional jump related instruction, specific assembly instructions, thread ID and instruction length information are recorded, and specific implementation examples are as follows:
s3: compiling pintool, executing binary field program by using Pin and the pintool running protocol, sending message to be analyzed to the corresponding port of the protocol, and obtaining the running log file. The resulting log file format summary is as follows:
specifically, the Function line characterizes the entering and exiting states of the Function, and analyzes the Function name; the Block line represents a new basic Block, and acquires an entry instruction address, rsp and basic Block size information in the new basic Block; the Misc line records cmp, test statements and conditional jump statements; the Instruction line records Instruction information for the spread of the blemish.
S4: the output log is arranged as follows:
s41: when the protocol program is specifically realized, a single thread is generally adopted to receive and process data, and for other threads, the value of continuous analysis is not available, the thread needing to be analyzed can be locked by searching the thread ID corresponding to the Instruction record, and redundant information is removed; in addition, in the running process, the dynamic link library may be called in a process link table (plt) mode, and when the optimization level is higher, pin cannot track the return address of the function, and the subsequent analysis is affected, so that the function records with the function names having the related character strings of "@ plt" are also removed.
S42: when Pin processes the information of instruction level and basic block level information, the callback function of the pile-inserted instruction layer is preferentially inserted, and then the initial judgment of the basic block is carried out, so that the related log sequence has a dislocation phenomenon in the initial log, and the method specifically comprises the following steps:
during analysis, a reasonable sequence is that the function enters the related log line before the included basic block log line, the function exits the log line as the end, and the basic block log line is before the included instruction log, so that the sequence is necessary to be tidied, the exchange of the function, the basic block and the instruction line is involved in the tidying sequence process, and whether the sequence needs to be adjusted is judged mainly by comparing the values of the addresses.
S43: and outputting the reordered log record to a new log file.
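The following Python script is an added example of steps S41 to S43 (it is not the patent's own log analysis module). It parses a constructed log excerpt laid out in the Function/Block/Misc/Instruction line types the description summarizes, keeps only the thread that produced taint records, drops "@plt" function records, and then swaps neighbouring lines until a function's entry precedes its blocks, each block precedes its instructions and the function's exit follows its ret, deciding every swap by address comparison. The `key=value` field layout of the log lines, the sample addresses and the function name `dataHolding` are assumptions for the example, not the format the inventors' pintool actually writes.

```python
import re

# Constructed log excerpt; the key=value layout is assumed, not the patent's exact log text.
SAMPLE_LOG = """\
Function Enter name=recv@plt tid=1 start=0x401030 end=0x401036 ret=0x401b50
Function Exit name=recv@plt tid=1 start=0x401030 end=0x401036 ret=0x401b50
Instruction addr=0x401a20 tid=1 asm="movzx eax, byte ptr [rbx+4]" taint=4
Block addr=0x401a20 tid=1 rsp=0x7ffd1000 size=12
Function Enter name=dataHolding tid=1 start=0x401a20 end=0x401a60 ret=0x401c10
Misc addr=0x401a24 tid=1 asm="cmp eax, 0x40" len=3
Block addr=0x402000 tid=2 rsp=0x7ffd2000 size=8
Function Exit name=dataHolding tid=1 start=0x401a20 end=0x401a60 ret=0x401c10
Instruction addr=0x401a5f tid=1 asm="ret" taint=-
"""

INT_KEYS = {"addr", "start", "end", "ret", "rsp", "size", "len", "tid"}


def parse_line(line):
    """One log line -> dict with kind (plus state for Function lines) and its key=value fields."""
    kind, _, rest = line.strip().partition(" ")
    rec = {"kind": kind}
    if kind == "Function":
        rec["state"], _, rest = rest.partition(" ")
    for key, val in re.findall(r'(\w+)=("[^"]*"|\S+)', rest):
        val = val.strip('"')
        rec[key] = int(val, 0) if key in INT_KEYS else val
    return rec


def preprocess(records):
    """S41: keep only threads that produced taint (Instruction) records, drop '@plt' stub functions."""
    taint_tids = {r["tid"] for r in records if r["kind"] == "Instruction"}
    return [r for r in records
            if r["tid"] in taint_tids
            and not (r["kind"] == "Function" and "@plt" in r["name"])]


def _inside(rec, lo, hi):
    return lo <= rec.get("addr", -1) < hi


def reorder(records):
    """S42: Function Enter before its Blocks, Block before its Instructions, Function Exit after the ret."""
    recs = list(records)
    changed = True
    while changed:
        changed = False
        for i in range(len(recs) - 1):
            a, b = recs[i], recs[i + 1]
            if b["kind"] == "Block" and a["kind"] in ("Instruction", "Misc") \
                    and _inside(a, b["addr"], b["addr"] + b["size"]):
                swap = True            # instruction logged before the block that contains it
            elif b["kind"] == "Function" and b["state"] == "Enter" \
                    and a["kind"] != "Function" and _inside(a, b["start"], b["end"]):
                swap = True            # block or instruction logged before its function's entry
            elif a["kind"] == "Function" and a["state"] == "Exit" \
                    and b["kind"] != "Function" and _inside(b, a["start"], a["end"]):
                swap = True            # exit logged before the function's own ret instruction
            else:
                swap = False
            if swap:
                recs[i], recs[i + 1] = b, a
                changed = True
    return recs


def process_log(text):
    """S41 to S43 end to end: parse, filter and reorder; the caller writes the result to a new file."""
    return reorder(preprocess([parse_line(l) for l in text.splitlines() if l.strip()]))
```

Every swap moves a record strictly toward the order Enter < Block < Instruction/Misc < Exit within one function's address range, so the loop terminates; the thread with ID 2 and the recv@plt stub disappear in the filtering step, and the ret instruction ends up before the Exit line.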
S5: restoring the tree diagram structure through the program running information recorded by the log, and restoring the format information of the protocol message, wherein the specific steps are as follows:
s51: performing offline analysis on the log file obtained by the S4, wherein the function log represents a function node, the basic block log represents a basic block node segment, and a stain data related instruction log line between the beginning and the end of a basic block represents a message data node, and gradually establishing the following relation in the analysis process: the function node comprises a plurality of basic block node sequences, and the tail ends of the basic block nodes are message data nodes to form a tree diagram relation;
s52: the reverse direction of the protocol under the granularity of the basic block is that bytes in the same field are processed in the same conditional branch, the conditional branch is usually expressed as a combination of a cmp instruction, a test instruction and a conditional jump instruction in an assembly instruction layer, and when the cmp instruction, the test instruction and the jump instruction are continuously appeared in analysis, the combination is regarded as a demarcation mark on programming logic, and the previous basic block node and the attached data node are combined. The value of rsp is used to assist in judging the entry and exit of the function, and typically the stack is operated when the function enters and returns, which results in a change in the value of rsp, so that a basic block node needs to be newly built when rsp changes. Specifically, when the rsp value is reduced, a basic block node is newly built as a child node of the current node, when the rsp value is increased, the basic block node is newly built as a child node of the current function node, and when the rsp value is unchanged, whether the basic block node is newly built or not is judged according to logic judgment and a conditional jump instruction;
s53: dividing logic boundaries by using logic judgment and conditional jump instructions can lead to that basic block nodes are generated independently in each cycle in a cycle structure body, so that message bytes contained in message data nodes in child nodes of the basic block nodes are wrongly identified as different fields, therefore, recording of executed basic block information is needed, when a traversed basic block is accessed, namely, a cycle body is considered to exist and is combined with a previous node, and for the condition of a cycle call function, the message data can be firstly divided according to the granularity of the function, therefore, only the cycle structure of the basic block under the terminal function node can be considered, and when the function enters and exits, the record is cleared, and the memory overhead is reduced;
S54: over the constructed tree structure, the message boundaries are divided according to the following rules:
rule a: bytes of the same protocol field are processed in the same logic block, so if two bytes appear in different message data nodes they are considered to belong to different fields;
rule b: bytes that have been merged by a register shift operation are always considered to belong to the same field, and rule b takes priority over rule a;
rule c: if one byte is placed into different fields by rule b, the fields containing that byte are merged;
rule d: the bytes that remain after division by rules a, b and c are merged into one field.
In the implementation, each data node is numbered, a dictionary mapping each message byte to the numbers of the data nodes that contain it is built, and field boundary identification is completed by logic that implements the rule judgements.
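The rule set of S54 and the byte-to-node dictionary just described can be realised with a union-find over message byte offsets, as in the following added Python example (not the patent's code). Bytes sharing a data node are united (rule a), bytes recombined by a shift are united whatever nodes they came from (rule b, which is why it can never be undone by rule a), a byte that appears in two nodes chains those nodes together (rule c), and bytes no node ever touched are collected into one remaining field (rule d). The 10-byte example message, the `EXAMPLE_NODES` mapping and `EXAMPLE_SHIFTS` are constructed for the illustration and are not the patent's test data.

```python
def split_fields(message_len, node_bytes, shift_groups):
    """Apply rules a to d and return the fields as sorted lists of message byte offsets.

    node_bytes:   data node number -> byte offsets that node processed (the inverse of the byte -> node map)
    shift_groups: offset groups the taint tracker saw reassembled by shift/or (rule b input)
    """
    parent = list(range(message_len))

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]      # path halving
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    # rule a: bytes processed in the same message data node belong to one field; bytes that only ever
    # appear in different nodes are left apart simply by never being united
    for offsets in node_bytes.values():
        for o in offsets[1:]:
            union(offsets[0], o)
    # rule b: bytes recombined by a register shift are one field regardless of where they were processed
    for group in shift_groups:
        for o in group[1:]:
            union(group[0], o)
    # rule c: a byte that sits in two fields merges them; the union-find already chains those sets
    # rule d: bytes the program never touched are gathered into one remaining field
    touched = {o for offsets in node_bytes.values() for o in offsets} | {o for g in shift_groups for o in g}
    untouched = [o for o in range(message_len) if o not in touched]
    for o in untouched[1:]:
        union(untouched[0], o)

    fields = {}
    for o in range(message_len):
        fields.setdefault(find(o), []).append(o)
    return sorted(fields.values())


# Constructed 10-byte message and node mapping (not the patent's example data).
EXAMPLE_NODES = {
    1: [0, 1],   # header bytes compared together in one logic block
    2: [2],      # byte 2 handled in its own branch
    3: [3],      # byte 3 handled in another branch -> rule a keeps 2 and 3 apart
    4: [4],      # bytes 4 and 5 loaded in separate nodes ...
    5: [5],
    6: [6, 7],   # byte 7 appears in two nodes -> rule c merges 6, 7 and 8
    7: [7, 8],
}
EXAMPLE_SHIFTS = [[4, 5]]   # ... but reassembled into one 16-bit value -> rule b joins them
# byte 9 is never touched -> rule d
```

Because every rule here is a union and none is a split, the priority of rule b over rule a falls out of the representation: once two bytes are united by a shift, no rule a observation can separate them again.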
Take a custom test program written in C as an example. The source code below implements a function that sets the value of a given bit in the data held by the protocol implementation: one message byte gives the offset of the bit to modify within the data, and another byte indicates whether that bit is set to 0 or 1. Because both bytes are used within the same function dataHolding, protocol reverse analysis at function granularity cannot recover the boundary between the two bytes, whereas the fine-grained method locates it accurately.
FIG. 3 shows the visualization of the function granularity syntax reverse analysis of the above protocol message, where rectangular nodes are function nodes and oval nodes are data nodes; the boundary between the 4th and 5th bytes handled by the function above is not distinguished. FIGS. 4(a) and 4(b) show the visualization after adding basic block granularity, i.e. the refined basic block sequence drawn as rounded rectangle nodes; FIG. 4(b) shows the child nodes of node C, where the 4th and 5th bytes appear in different data nodes, so the boundary is accurately identified.
FIG. 5 shows the visualization of the analysis of libmodbus, an open source implementation of the Modbus/TCP protocol; because the whole tree is too large, only some nodes are shown. The transmitted message is "\x01\x11\x00\x00\x00\x06\x01\x03\x00\x02\x00\x08"; after field boundary analysis the command line output is as follows, from which the field division is read off directly:
The reverse analysis result of the invention depends on extracting how the analyzed program implements the semantics of the protocol message fields. For fields the protocol program never uses, finer boundary divisions inside the field cannot be analyzed accurately; such fields usually play no key role in follow-up applications such as security research, so the applicability of the invention is not greatly restricted.
The above embodiments are intended to illustrate the invention, not to limit it; any modifications and variations made to them fall within the spirit of the invention and the scope of the appended claims.

Claims (10)

1. The method for analyzing the grammar of the industrial control protocol in reverse direction under the granularity of basic blocks based on pile insertion is characterized by comprising the following steps:
s1: inserting piles for binary executable programs of an industrial control protocol, obtaining instructions and runtime information of function granularity, and marking protocol message data received by a network receiving function as stain source data; recording stain state information of stain source data and subsequent stain data, tracking the propagation condition of the stain data in a memory and a register according to a stain propagation rule in the process of program operation, and acquiring the relation between protocol message data and program context;
s2: inserting piles for the granularity of the function to obtain the name of the function and the entering and exiting information of the function; inserting piles for granularity of the basic blocks to obtain the entry address and length information of the basic blocks; inserting piles for the assembly instructions related to the logic judgment and the conditional jump of the instruction granularity, and marking logic boundaries;
s3: recording context information during program running according to the pile inserting method designed by the S1 and the S2 to form a formatted log file;
s4: preprocessing the log file, removing irrelevant thread logs of the network receiving function, and reordering function logs, basic block logs and instruction logs according to address data;
s5: analyzing the preprocessed log file, taking logic judgment and a conditional jump instruction as logic boundary division basis, dividing a basic block sequence recorded in the log into a plurality of logic blocks, constructing association relations between the logic blocks and protocol message data, and dividing the boundary of a protocol message field according to the association relations so as to finish grammar judgment.
2. The method for reverse analysis of industrial control protocol grammar under basic block granularity based on instrumentation according to claim 1, wherein the step S1 specifically comprises:
s11: the method comprises the steps of performing instrumentation on a binary executable program of an industrial control protocol, and specifically performing instrumentation with instruction granularity and function granularity by using a program instrumentation framework Pin;
s12: the callback function is used for identifying the function name for the function granularity, the Linux 86-64 operating system standard library network receiving function recv, recvfrom, recvmsg is judged, and the received industrial control protocol message data is marked as stain source data;
s13: recording stain state information of stain source data and subsequently transmitted stain data, wherein the stain state information comprises byte offset addresses, data lengths, data shift conditions and whether the data are marked as stain states or not in industrial control protocol message data corresponding to the stain data;
s14: identifying an operator and an operand of the instruction by using a callback function for the granularity of the instruction, identifying the operand of the instruction for mov, add, or and shift instructions, and updating the dirty data information if dirty data exists in the operand;
s15: for an instruction using the taint data as an operand, a callback function is used for recording the assembly instruction, the operand and the taint data information in a log file.
3. The method for reverse analysis of industrial control protocol grammar under basic block granularity based on instrumentation according to claim 1, wherein the step S2 specifically comprises:
S21: recording the function name, function state, thread ID, start address, end address and return address when a function is entered and exited;
S22: when control jumps to a new basic block, recording the entry address of the basic block, the byte length it occupies and the thread ID;
S23: disassembling the byte code of each executed instruction and, if the instruction is a cmp, test or conditional jump instruction, recording the assembly instruction, thread ID and instruction length.
4. The method for reverse analysis of industrial control protocol grammar under basic block granularity based on instrumentation according to claim 1, wherein the step S3 specifically comprises: according to the instrumentation designed in S1 and S2, recording function-, basic block- and instruction-granularity logs in order into txt-format log files while the program runs.
5. The method for reverse analysis of industrial control protocol grammar under basic block granularity based on instrumentation according to claim 1, wherein in the step S4, preprocessing the log file specifically includes: removing the log records (instruction, basic block and function granularity) of thread IDs that carry no taint data; and removing the log records of system call functions.
6. The method for reverse analysis of industrial control protocol syntax under basic block granularity based on instrumentation according to claim 1, wherein in the step S4, the specific rule for reordering the log is: the entry log of a function precedes its related basic block logs, a basic block log precedes its related instruction logs, and the exit log of a function follows the log of the function's return instruction; the reordered log records are output to a new log file.
7. The method for reverse analysis of industrial control protocol grammar under basic block granularity based on instrumentation according to claim 1, wherein in the step S5, the log file produced in S4 is analyzed offline, where a function log represents a function node, a basic block log represents a basic block node, and the taint-data-related instruction logs between the beginning and the end of a basic block represent a message data node; the following relations are established step by step during the analysis: a function node contains a sequence of basic block nodes, and each basic block node ends in a message data node, forming a tree diagram structure.
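As an added illustration of the preprocessing of claim 5 and the reordering rule of claim 6 (not code from the patent), the following Python script filters and reorders a constructed instrumentation log. The patent does not specify its txt log format, so the whitespace-separated line layout, the thread ids, the addresses and the set of system-call wrapper names in `SYSCALL_FUNCS` are all assumptions for this example.

```python
# Constructed log, deliberately out of order: the instruction callback for
# 0x401004 fired before the basic-block callback of the block containing it,
# and the function-exit callback fired before the `ret` instruction was logged.
# Line layouts (assumed):
#   F <tid> <enter|exit> <name> <start> <end> <return address>
#   B <tid> <entry address> <byte length>
#   I <tid> <address> <length> <taint offsets | -> <assembly text>
RAW_LOG = """\
F 1 enter parse_frame 0x401000 0x401080 0x400b20
I 1 0x401004 3 0 cmp al, 0x3
B 1 0x401000 12
I 1 0x401008 2 - jne 0x401020
F 1 enter write 0x7f0000 0x7f0100 0x401010
B 1 0x7f0000 8
I 1 0x7f0004 2 - test eax, eax
F 1 exit write 0x7f0000 0x7f0100 0x401010
B 1 0x401070 13
F 1 exit parse_frame 0x401000 0x401080 0x400b20
I 1 0x40107c 1 - ret
F 2 enter timer_tick 0x402000 0x402040 0x400c00
B 2 0x402000 16
I 2 0x40200a 2 - test eax, eax
F 2 exit timer_tick 0x402000 0x402040 0x400c00
"""

SYSCALL_FUNCS = {"write", "read", "socket"}   # assumed wrapper names to drop


def parse(line):
    """Turn one log line into a record dict (format is an assumption)."""
    kind, tid, *rest = line.split()
    rec = {"kind": kind, "tid": int(tid)}
    if kind == "F":
        rec.update(event=rest[0], name=rest[1], start=int(rest[2], 16),
                   end=int(rest[3], 16), ret=int(rest[4], 16))
    elif kind == "B":
        rec.update(addr=int(rest[0], 16), size=int(rest[1]))
    elif kind == "I":
        taint = [] if rest[2] == "-" else [int(x) for x in rest[2].split(",")]
        rec.update(addr=int(rest[0], 16), length=int(rest[1]),
                   taint=taint, asm=" ".join(rest[3:]))
    return rec


def preprocess(records):
    """Claim 5: drop every record of threads that never touch taint data, then
    drop system-call functions (their entry/exit records plus the basic blocks
    and instructions inside their address range)."""
    tainted = {r["tid"] for r in records if r["kind"] == "I" and r["taint"]}
    records = [r for r in records if r["tid"] in tainted]
    ranges = [(r["tid"], r["start"], r["end"]) for r in records
              if r["kind"] == "F" and r["name"] in SYSCALL_FUNCS]

    def in_syscall(r):
        if r["kind"] == "F":
            return r["name"] in SYSCALL_FUNCS
        return any(t == r["tid"] and s <= r["addr"] < e for t, s, e in ranges)

    return [r for r in records if not in_syscall(r)]


def must_swap(a, b):
    """True when adjacent records a, b of one thread violate claim 6's order:
    function entry before its basic blocks, a basic block before its
    instructions, function exit after the function's `ret` instruction."""
    if a["tid"] != b["tid"]:
        return False
    if a["kind"] == "I" and b["kind"] == "B":
        return b["addr"] <= a["addr"] < b["addr"] + b["size"]
    if a["kind"] == "B" and b["kind"] == "F" and b["event"] == "enter":
        return b["start"] <= a["addr"] < b["end"]
    if a["kind"] == "F" and a["event"] == "exit" and b["kind"] == "I":
        return b["asm"] == "ret" and a["start"] <= b["addr"] < a["end"]
    return False


def reorder(records):
    """Repeatedly swap adjacent out-of-order pairs until the log is stable."""
    records = list(records)
    changed = True
    while changed:
        changed = False
        for i in range(len(records) - 1):
            if must_swap(records[i], records[i + 1]):
                records[i], records[i + 1] = records[i + 1], records[i]
                changed = True
    return records


def process_log(text):
    """Parse, filter (claim 5) and reorder (claim 6) a raw log text."""
    return reorder(preprocess([parse(l) for l in text.splitlines() if l.strip()]))
```

On the constructed log, thread 2 disappears entirely (it never handled taint data), the `write` wrapper and its inner block and instruction are removed, and the surviving thread-1 records come out as function entry, basic block, its two instructions, the block holding `ret`, the `ret` instruction and finally the function exit.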
8. The method according to claim 7, wherein in the step S5, whether a logical boundary exists is determined from whether the rsp value changes and whether a logic judgment or conditional jump instruction occurs, and the message data nodes in the basic block nodes and their child nodes are merged according to the logical boundaries, where a merged basic block node contains a plurality of basic blocks and describes one logic block of the program implementation.
9. The method for reverse analysis of industrial control protocol syntax under basic block granularity based on instrumentation according to claim 7, wherein in the step S5, loop judgment is performed on any loop structure that may exist in the program, and the basic blocks and message data nodes inside the loop structure are merged.
10. The method for reverse analysis of industrial control protocol syntax under basic block granularity based on instrumentation according to any one of claims 7 to 9, wherein in the step S5, for the constructed tree diagram structure, protocol message field boundary division is performed according to the following rules:
rule a: bytes of the same protocol field are processed in the same logic block; if two bytes appear in different message data nodes, they are considered to belong to different fields;
rule b: bytes merged by a register shift operation are uniformly considered to belong to the same field, and rule b takes priority over rule a;
rule c: if a byte is assigned to different fields by rule b, the fields containing that byte are merged;
rule d: the bytes remaining after division by rules a, b and c are automatically merged into the same field.
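As an added illustration of claims 7 to 10 (not code from the patent), the following Python script builds the function / basic block / message data tree, divides it into logic blocks at logic judgments, conditional jumps and rsp changes, merges revisited loop bodies, and applies rules a to d as a union-find over message byte offsets. The event tuples, the addresses, the 9-byte message and the `merged` flag (meant to stand for a shift-merge detected from the recorded shift state) are constructed assumptions; treating a byte shared by two candidate fields as the trigger of rule c is this example's reading of the claim.

```python
from collections import defaultdict


def is_logic_boundary(asm):
    """Claim 8: a logic judgment, a conditional jump or an rsp change ends a
    logic block; an unconditional `jmp` does not."""
    mnem, _, rest = asm.partition(" ")
    first_operand = rest.split(",")[0].strip()
    return (mnem in ("cmp", "test")
            or (mnem.startswith("j") and mnem != "jmp")
            or mnem in ("push", "pop", "call", "ret")   # instructions that move rsp
            or first_operand == "rsp")


def build_tree(events):
    """Claim 7: function node -> ordered basic block nodes -> message data node.
    Events are ("F", "enter"|"exit", name), ("B", addr) or
    ("I", asm, [taint offsets], merged). Returns {name: [(addr, [I events])]}."""
    tree, stack, blocks = {}, [], None
    for ev in events:
        if ev[0] == "F" and ev[1] == "enter":
            blocks = tree.setdefault(ev[2], [])
            stack.append(blocks)
        elif ev[0] == "F":
            stack.pop()
            blocks = stack[-1] if stack else None
        elif ev[0] == "B":
            blocks.append((ev[1], []))
        elif ev[0] == "I":
            blocks[-1][1].append(ev)
    return tree


def divide_logic_blocks(blocks):
    """Claims 8 and 9: merge consecutive basic blocks up to a logic boundary; a
    basic block seen again (a loop body) is merged into its existing logic block."""
    logic, owner, cur = [], {}, None
    for addr, insns in blocks:
        if addr in owner:                       # loop: revisit of a known block
            cur = owner[addr]
        elif cur is None:
            cur = {"bbs": [], "bytes": set(), "merged": []}
            logic.append(cur)
        owner[addr] = cur
        cur["bbs"].append(addr)
        for _, asm, taint, merged in insns:     # message data node of this block
            cur["bytes"].update(taint)
            if merged:
                cur["merged"].append(set(taint))
        if any(is_logic_boundary(asm) for _, asm, _, _ in insns):
            cur = None
    return logic


def divide_fields(logic, msg_len):
    """Claim 10, rules a-d, as a union-find over message byte offsets."""
    parent = list(range(msg_len))

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    def union(group):
        group = sorted(group)
        for b in group[1:]:
            parent[find(b)] = find(group[0])

    for blk in logic:                 # rule b first: shift-merged bytes form one field
        for grp in blk["merged"]:
            union(grp)
    for blk in logic:                 # rule a: bytes of one block's data node share a
        union(blk["bytes"])           # field; a byte already in another field pulls the
                                      # two fields together (rule c)
    touched = set().union(*(blk["bytes"] for blk in logic))
    union([b for b in range(msg_len) if b not in touched])   # rule d: leftovers
    fields = defaultdict(list)
    for b in range(msg_len):
        fields[find(b)].append(b)
    return sorted(tuple(v) for v in fields.values())


def analyze(events, msg_len):
    return {name: divide_fields(divide_logic_blocks(blocks), msg_len)
            for name, blocks in build_tree(events).items()}


def _loop_iteration(byte):
    """One pass of a constructed loop: counter check, then one payload byte."""
    return [("B", 0x401020), ("I", "cmp ecx, 4", [], False), ("I", "jge 0x401040", [], False),
            ("B", 0x401030), ("I", f"add edx, [buf+{byte}]", [byte], False)]


# Constructed, already preprocessed event sequence for a 9-byte message:
# byte 0 function code, bytes 1..2 shift-merged length, bytes 3..6 summed in a
# loop, bytes 7..8 never touched.
EVENTS = [
    ("F", "enter", "parse_frame"),
    ("B", 0x401000), ("I", "cmp al, 0x3", [0], False), ("I", "jne 0x401100", [], False),
    ("B", 0x401010),
    ("I", "mov eax, [buf+1]", [1], False), ("I", "shl eax, 8", [1], False),
    ("I", "mov ebx, [buf+2]", [2], False), ("I", "or eax, ebx", [1, 2], True),
    ("I", "cmp eax, 0x10", [1, 2], False), ("I", "ja 0x401100", [], False),
    *[e for b in (3, 4, 5, 6) for e in _loop_iteration(b)],
    ("B", 0x401020), ("I", "cmp ecx, 4", [], False), ("I", "jge 0x401040", [], False),
    ("B", 0x401040), ("I", "ret", [], False),
    ("F", "exit", "parse_frame"),
]
```

For the constructed sequence the four iterations of block 0x401030 collapse into one logic block whose message data node holds bytes 3 to 6, and the resulting field division is `[(0,), (1, 2), (3, 4, 5, 6), (7, 8)]`: rule b keeps the two length bytes together, rule a separates the function code from them, the loop merge of claim 9 keeps the payload bytes in one field, and rule d collects the untouched tail.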
CN202110024995.5A 2021-01-08 2021-01-08 Pile-inserting-based reverse analysis method for industrial control protocol grammar under basic block granularity Active CN112905184B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110024995.5A CN112905184B (en) 2021-01-08 2021-01-08 Pile-inserting-based reverse analysis method for industrial control protocol grammar under basic block granularity

Publications (2)

Publication Number Publication Date
CN112905184A CN112905184A (en) 2021-06-04
CN112905184B true CN112905184B (en) 2024-03-26

Family

ID=76112359

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110024995.5A Active CN112905184B (en) 2021-01-08 2021-01-08 Pile-inserting-based reverse analysis method for industrial control protocol grammar under basic block granularity

Country Status (1)

Country Link
CN (1) CN112905184B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113377379B (en) * 2021-08-12 2021-11-16 四川腾盾科技有限公司 Simulator instruction instrumentation-based operating system information statistical method
CN115221051B (en) * 2022-07-12 2023-06-09 北京大学 Program instrumentation method and device for verifying execution process of data API
CN116108449B (en) * 2023-01-12 2024-02-23 清华大学 Software fuzzy test method, device, equipment and storage medium
CN116775127B (en) * 2023-05-25 2024-05-28 哈尔滨工业大学 Static symbolic execution instrumentation method based on the RetroWrite framework

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104506484A (en) * 2014-11-11 2015-04-08 中国电子科技集团公司第三十研究所 Proprietary protocol analysis and identification method
CN108446235A (en) * 2018-03-21 2018-08-24 北京理工大学 Fuzz testing critical data localization method combining path label data variation
CN110213243A (en) * 2019-05-15 2019-09-06 浙江大学 Industrial communication protocol reverse analysis method based on dynamic taint analysis

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2004001584A2 (en) * 2002-06-24 2003-12-31 Ante Vista Gmbh A method for executing structured symbolic machine code on a microprocessor
US8645933B2 (en) * 2008-08-01 2014-02-04 Leon Schwartz Method and apparatus for detection and optimization of presumably parallel program regions
US9465594B2 (en) * 2013-02-27 2016-10-11 Hewlett Packard Enterprise Development Lp Distributed implementation of sequential code that includes a future

Also Published As

Publication number Publication date
CN112905184A (en) 2021-06-04

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant