CN113901475A - Fuzzy mining method for input verification vulnerability of industrial control terminal equipment - Google Patents

Info

Publication number
CN113901475A
Authority
CN
China
Prior art keywords
vulnerability
seed
seeds
rtu
input verification
Legal status
Pending
Application number
CN202111135803.4A
Other languages
Chinese (zh)
Inventor
曹国彦
周俊
石元兵
马彦慧
Current Assignee
Chengdu Westone Information Industry Inc
Original Assignee
Chengdu Westone Information Industry Inc

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G PHYSICS
    • G16 INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS
    • G16Y INFORMATION AND COMMUNICATION TECHNOLOGY SPECIALLY ADAPTED FOR THE INTERNET OF THINGS [IoT]
    • G16Y30/00 IoT infrastructure
    • G16Y30/10 Security thereof
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/034 Test or assess a computer or a system

Abstract

The invention discloses a fuzz-testing vulnerability mining method for input verification vulnerabilities of industrial control terminal equipment. It comprises: first, an information collection stage, acquiring the script language type, protocol type, IP address, network segment, domain name, ports, software and hardware information of the terminal, and system configuration information; then a vulnerability discovery stage, in which input verifications are first extracted using a structural analysis technique, sensitive input verifications are then identified with a classifier, and vulnerability detection is then carried out; and finally a vulnerability exploitation stage, in which the main functions of the system are tested and attacked using script injection, replay attack and program-dimension attack methods, data are acquired and recorded, and the system is restored afterwards. The method can effectively address the input verification security problem of industrial terminals, discovers potential threats such as data tampering, denial of service, privilege acquisition and malicious script injection caused by input verification vulnerabilities, and provides a protection approach for improving industrial control network security and protecting equipment.

Description

Fuzzy mining method for input verification vulnerability of industrial control terminal equipment
Technical Field
The invention belongs to the technical field of industrial control, and in particular relates to a vulnerability mining method for industrial control terminals.
Background
As the Internet of Things and the industrial Internet extend down to device terminals, security problems of the device terminals are likely to become system vulnerabilities that directly affect critical infrastructure and networks. Therefore, before critical industrial control system infrastructure is deployed, the industrial control system network terminals involved in control, sensing, storage and communication need to undergo security testing and verification. In recent years, security incidents involving industrial control system terminals have occurred from time to time, causing serious impact and damage to enterprises and national security.
A paper (Patel H J, Temple M A, Baldwin R O. Improving ZigBee Device Network Authentication Using Ensemble Decision Tree Classifiers With Radio Frequency Distinct Native Attribute Fingerprinting [J]. IEEE Transactions on Reliability, 2015, 64(1): 221-). The architecture and security technology standards of industrial control security are systematically introduced in the reference works (the diabatic, the Panquan et al. Information Security of Industrial Control Systems [M]. Xidian University Press, August 2019) and (Information security technology: Security reference model and generic requirements for the Internet of Things [S]. GB/T 37044-2018, 2018), which are important references underlying the invention.
In the prior art, a paper (Zhao Guicheng. Research on an intrusion detection platform and algorithm based on industrial control network traffic analysis [D]. Zhejiang University, 2019.) uses a simulation system and summarizes the attack types that can be realized in an industrial control network by analyzing the vulnerabilities of the typical industrial control protocols MODBUS/TCP, ETHERNET/IP and S7COMM. A paper (Ma Junwei. Research and design of an Ethernet intrusion detection method for industrial control systems [D]. Beijing University of Posts and Telecommunications, 2016.) uses an algorithm to extract the state of the industrial control network, designs and implements an intrusion detection system for industrial control Ethernet, tests and analyzes it, and demonstrates the effectiveness of the algorithm and the system. A paper (Mokhtari Sohrab et al. A Machine Learning Approach for Anomaly Detection in Industrial Control Systems Based on Measurement Data [J]. Electronics, 2021, 10(4): 407) is along the same lines. Although this research is effective for intrusion detection in industrial control systems, it stays at the network level and does not carry out corresponding penetration and research into the security problems of the industrial control terminal itself.
A paper (ANSI/ISA 99.00.01-2007, Security for industrial automation and control systems, Part 1: Terminology, concepts and models [S]) takes the SCADA dispatch management system of a certain water company as an example, focuses on strengthened tests of network boundary access, the security and availability of mobile terminals, industrial control communication protocols and so on, and introduces the general penetration testing flow and methods for industrial control system terminals. The paper (Wang navigation, Zhang commander, Dujun, Yanfan. Empirical analysis of authentication bypass vulnerabilities in industrial control systems [J]. Cyberspace Security, 2018, 9(03): 8-13.) performs vulnerability mining analysis on a specific PLC according to several common vulnerability forms. This research relies on prior vulnerability knowledge and cannot be extended to input verification vulnerability analysis. The paper (Nguyen T D, Austin S C, Irvine C E. A Strategy for Security Testing Industrial Firewalls [C]// The Fifth Industrial Control System Security (ICSS) Workshop, 2019.) proposes a testing strategy based on flaw hypotheses, and the mature vulnerability analysis tools Nessus and Metasploit can be used for penetration testing of a terminal. A paper (Zhouweiping, Yangweiong, Wangxuehua, Mao soldier. Research on a penetration testing tool for industrial control systems [J]. Computer Engineering, 2019, 45(08): 92-101.) builds a penetration testing tool framework for industrial control systems based on shell interaction technology; the framework contains a terminal vulnerability testing tool, but this tool still cannot test and analyze input verification vulnerabilities. The paper (Lilinfeng, Huangjinglin, Lilin. Security analysis and penetration testing experience of industrial control systems [J]. Automation Panorama, 2021, 38(01): 48-53.) takes industrial control system security analysis as its starting point, analyzes the current state of industrial control security from the aspects of industrial control assets, industrial control protocols, industrial control vulnerabilities and so on, and gives a vulnerability mining method for the common terminal PLC (programmable logic controller), but does not address how to analyze input verification vulnerabilities.
Given that existing terminal security analysis of industrial control systems does not address input verification vulnerabilities, this method provides an input verification vulnerability analysis method that can span different industrial control terminal platforms. The method successfully discovered input verification vulnerabilities in the RTU equipment that is common in typical industrial control scenarios in China. High-risk input verification vulnerabilities of some terminals were reported and published in issue 5 of 2021 (issue 559 overall) of the information security vulnerability bulletin, and can trigger different attack behaviours such as denial of service and script injection.
Disclosure of Invention
In order to overcome the defects of the prior art, the invention provides a fuzz-testing vulnerability mining method for input verification vulnerabilities of industrial control terminal equipment, comprising: first, an information collection stage, acquiring the script language type, protocol type, IP address, network segment, domain name, ports, software and hardware information of the terminal, and system configuration information; then a vulnerability discovery stage, in which input verifications are first extracted using a structural analysis technique, sensitive input verifications are then identified with a classifier, and vulnerability detection is then carried out; and finally a vulnerability exploitation stage, in which the main functions of the system are tested and attacked using script injection, replay attack and program-dimension attack methods, data are acquired and recorded, and the system is restored afterwards. The method can effectively address the input verification security problem of industrial terminals, discovers potential threats such as data tampering, denial of service, privilege acquisition and malicious script injection caused by input verification vulnerabilities, and provides a protection approach for improving industrial control network security and protecting equipment.
The technical scheme adopted by the invention for solving the technical problem comprises the following steps:
step 1: an information collection stage;
acquiring a script language type and a protocol type from a human-computer interface;
enabling a host and a terminal to be in the same network segment, and scanning industrial control terminal equipment by adopting a scanning tool to obtain an IP address, a network segment, a domain name and port basic information;
acquiring feedback information of the network service and the open port to obtain software and hardware information of a terminal providing the network service function;
obtaining system configuration information after the authority is obtained to enter the system;
step 2: a vulnerability discovery stage;
step 2-1: extracting input verification by using a structural analysis technology;
the input verification of an industrial control terminal compares the input with preset data and immediately terminates normal execution of the program when the verification fails;
step 2-2: identifying sensitive input verification using a classifier;
using the degree of association with business data as the feature for mining sensitive input verification, and using a sensitive input verification group related to the business data as a seed to find the sensitive inputs of other related groups;
step 2-3: detecting vulnerabilities;
vulnerability mining is carried out on the terminal system from three different dimensions, namely 'packageName', 'uid' and 'dataframe';
step 2-3-1: selecting initial seeds;
step 2-3-2: constructing a seed pool: the seed pool consists of the initial seeds and newly generated seeds, and provides the base seeds for seed mutation;
step 2-3-3: seed selection: selecting the instance to be tested from the seed pool; the first seed selected is an initial seed, and in subsequent steps seeds are selected from the seed pool according to their statistical effect;
step 2-3-4: mutation strategy: according to the composition of the initial seed, listing the range of values for every seed part that can be altered;
step 2-3-5: in the execution stage, mutating each part of the seed randomly and in turn, collecting the output of each test, measuring the relative information entropy of the output after each mutation of the seed, and counting the probability distribution of the relative information entropy; the mutated seeds are then sampled by Gibbs sampling according to the statistical characteristics of each seed part;
step 2-3-6: generating new seeds as input for test execution by the seed mutation strategy of step 2-3-4;
step 2-3-7: test execution: inputting the new seeds, running the vulnerability detection program, and collecting and analyzing the execution result;
step 2-3-8: convergence analysis: taking the relative information entropy, the execution time and the program coverage as indicators of convergence;
step 2-3-9: setting the priority of the seeds and putting them back into the seed pool;
step 3: a vulnerability exploitation stage;
testing and attacking the main functions of the system by script injection, replay attack and program-dimension attack methods, acquiring and recording data, and finally restoring the system.
Further, the scanning tool is nmap.
Further, the configuration information includes a system directory, a startup item, a process, and a configuration file.
Further, the relative information entropy is a KL distance.
Further, the main functions of the system are the main function and the startup function.
Further, the vulnerabilities found in the exploitation stage include the following:
step 3-1: input verification: because the RTU control software does not check and verify the file type, format and content of the device's control file, it downloads any file named as a control file to the RTU; when the RTU receives a wrong file it cannot recognize and read the file content normally, so the function is lost and the device crashes;
step 3-2: unverified data reliability: after the RTU control software downloads a non-compliant control file, the RTU cannot recognize and read the file content normally, so the function is lost, the RTU device loses its ability to communicate with the RTU software, and service is denied;
step 3-3: arbitrary command execution: the RTU debugging software downloads an unconventional control file into which an attacker has inserted a malicious script, so that a backdoor process or program is implanted into the RTU device and the communication of the RTU device is monitored, exploited or tampered with;
step 3-4: lack of security control of the device: penetration testing of the RTU's function control, parameter configuration, parameter maintenance, information feedback and synchronous timing found that information feedback and synchronous timing are stable and reliable, but function control, parameter configuration and parameter maintenance lack security control and can be attacked by tampering and denial of service;
step 3-5: lack of security control of the device at startup: without affecting the functions of the master control function file, an attacker modifies it, and the attack takes effect after the system starts, causing privilege escalation, privacy disclosure, system file removal and malicious script injection.
The invention has the following beneficial effects:
The method can effectively address the input verification security problem of industrial terminals, discovers potential threats such as data tampering, denial of service, privilege acquisition and malicious script injection caused by input verification vulnerabilities, and provides a protection approach for improving industrial control network security and protecting equipment.
Drawings
FIG. 1 is a flow chart of the penetration test of the present invention.
FIG. 2 is a flowchart of the overall vulnerability discovery architecture for the industrial control terminal.
FIG. 3 is a diagram illustrating the security vulnerability seed generation model related to sensitive input verification according to the present invention.
FIG. 4 is the general flow chart of the fuzz testing of the present invention.
Detailed Description
The invention is further illustrated with reference to the following figures and examples.
The general process of the penetration test is summarized against the research background and trends in the security of current industrial control terminals. For the terminal under test, a deep understanding of the terminal is gained starting from information collection and penetration tools. On this basis, according to various vulnerability detection methods such as static analysis, security test considerations are designed in combination with the confidentiality, integrity and availability of the device, so that typical vulnerabilities are discovered. The invention takes input verification vulnerabilities as an example for penetration testing, designs a typical fuzz testing method, tests by varying the communication packets sent and observing the terminal's reaction, combines this with reverse analysis to find input verification and buffer overflow vulnerabilities in the main application program, and identifies the potential security problems, such as replay attacks and script injection attacks, that these vulnerabilities may give rise to.
Penetration testing is active testing that uses controllable, non-destructive methods and means to find weaknesses in the target and network equipment, helps administrators understand the problems of the network, provides security hardening suggestions and helps the customer improve the security of the system. The PTES penetration testing execution standard defines a standard process framework for general penetration testing in seven stages, and the Lockheed Martin Kill Chain model and the ATT&CK knowledge base model are widely used in the network security field. For an industrial control system terminal, the penetration testing process used by the invention is shown in FIG. 1 and can be roughly divided into three stages: information collection, vulnerability discovery and vulnerability exploitation.
(1) In the information collection stage, the scope, rules and requirements of the test are determined first. As much information as possible about the target terminal needs to be collected from the human-machine interface, such as the scripting language type and the protocol type. Using tools such as nmap in active scanning mode, basic information about the target such as IP addresses, network segments, domain names and ports; system information such as system architecture and version; version information of everything detected; and personal information such as administrator names are collected comprehensively.
(2) In the vulnerability discovery stage, the service information is analyzed from the aspects of function and protocol using the information obtained in the previous stage, and vulnerabilities are detected. Common vulnerabilities include buffer overflows, port service vulnerabilities, plaintext transmission and so on. All vulnerabilities found that are likely to be successfully exploited are then verified, with experiments carried out in combination with the actual situation. Finally, the acquired vulnerability information is analyzed to prepare for the penetration.
(3) In the vulnerability exploitation stage, attacks are carried out according to the results of the previous steps. Common attack modes include script injection and replay attack. In addition, the main functions of the system are tested and attacked from the program dimension; the functions concerned include the main function and the startup function. While completing the attack, attention must be paid to data acquisition and recording, and finally the system is restored.
After the penetration is finished, the information also needs to be organized: all information collected during the penetration is compiled, and the vulnerability information produced by all the penetration tools is compiled.
A fuzz-testing vulnerability mining method for input verification vulnerabilities of industrial control terminal equipment comprises the following steps:
step 1: an information collection stage;
acquiring a script language type and a protocol type from a human-computer interface;
enabling a host and a terminal to be in the same network segment, and scanning industrial control terminal equipment by adopting a scanning tool to obtain an IP address, a network segment, a domain name and port basic information;
acquiring feedback information of the network service and the open port to obtain software and hardware information of a terminal providing the network service function;
obtaining system configuration information after the authority is obtained to enter the system;
step 2: a vulnerability discovery stage;
step 2-1: extracting input verification by using a structural analysis technology;
the input verification of an industrial control terminal compares the input with preset data and immediately terminates normal execution of the program when the verification fails;
step 2-2: identifying sensitive input verification using a classifier;
using the degree of association with business data as the feature for mining sensitive input verification, and using a sensitive input verification group related to the business data as a seed to find the sensitive inputs of other related groups;
step 2-3: detecting vulnerabilities;
vulnerability mining is carried out on the terminal system from three different dimensions, namely 'packageName', 'uid' and 'dataframe';
step 2-3-1: selecting initial seeds;
step 2-3-2: constructing a seed pool: the seed pool consists of the initial seeds and newly generated seeds, and provides the base seeds for seed mutation;
step 2-3-3: seed selection: selecting the instance to be tested from the seed pool; the first seed selected is an initial seed, and in subsequent steps seeds are selected from the seed pool according to their statistical effect;
step 2-3-4: mutation strategy: according to the composition of the initial seed, listing the range of values for every seed part that can be altered;
step 2-3-5: in the execution stage, mutating each part of the seed randomly and in turn, collecting the output of each test, measuring the relative information entropy of the output after each mutation of the seed, and counting the probability distribution of the relative information entropy; the mutated seeds are then sampled by Gibbs sampling according to the statistical characteristics of each seed part;
step 2-3-6: generating new seeds as input for test execution by the seed mutation strategy of step 2-3-4;
step 2-3-7: test execution: inputting the new seeds, running the vulnerability detection program, and collecting and analyzing the execution result;
step 2-3-8: convergence analysis: taking the relative information entropy, the execution time and the program coverage as indicators of convergence;
step 2-3-9: setting the priority of the seeds and putting them back into the seed pool;
step 3: a vulnerability exploitation stage;
testing and attacking the main functions of the system by script injection, replay attack and program-dimension attack methods, acquiring and recording data, and finally restoring the system.
The specific embodiment is as follows:
1. information collection
For any terminal, the information acquisition steps are as follows:
(1) Device discovery. To acquire device information, the device must first be discovered; device discovery can be divided into physical discovery and network discovery. The invention focuses on the network aspect, so for network discovery the host and the terminal are first placed in the same network segment. Once in the same network segment, the IP address of the terminal needs to be obtained before the terminal can actually be connected to. Scanning is performed using a tool such as nmap.
(2) Software and hardware analysis. Different software and hardware have corresponding fingerprint information, and acquiring this fingerprint information can be used effectively when privileges are acquired later. Therefore, after the device is discovered, the software and hardware information of the terminal is analyzed by acquiring the feedback information of network services and open ports; for example, by trying the ftp or telnet service, the version information and software and hardware environment information of those two services can be obtained. Once specific version information is known, existing vulnerabilities can be used.
(3) System identification. After privileges are obtained and the system is entered, more system information, such as configuration information, can be obtained by analysis. Configuration information is key to discovering vulnerabilities and performing penetration. It includes system directories, startup items, processes, configuration files and so on. Through the configuration files, important system information is analyzed, such as network services, system static files, initialization files, the network database, environment variable configuration files, the DNS client configuration file, the user information file, the password information file, the services file and so on.
2. Vulnerability discovery
Vulnerability mining can be performed on the basis of the information collection. Fuzzing is a typical vulnerability discovery technique, and a great deal of research has applied it to networks, services, software, mobile terminals and so on. The method mainly involves three parts, as shown in FIG. 2. First, the method extracts the human-machine system services and their corresponding function or communication protocol interfaces from the Linux system image, and identifies all input verifications in the Linux system services using a code structure analysis method. These input verifications are then passed to a business-related classification module that identifies the sensitive input verifications associated with the business. Next, the vulnerability identification module searches for unsafe input verifications based on experience and models and discovers potential security vulnerabilities. Finally, the authenticity of each vulnerability is verified by manual security analysis. The implementation principle of each functional module is briefly described below.
(1) Extracting input validation using structural analysis techniques
Input verification is the most common core security problem of industrial control terminals, and automatically identifying input verification is a very challenging problem, so it has to be addressed manually starting from its inherent structural features. Specifically, an industrial control terminal's input verification not only compares the input with predetermined data, but also immediately terminates normal execution of the program if the verification fails. Verification is therefore performed in terms of the features of the input verification and the associated business data.
(2) Identifying sensitive input validation using classifiers
The present invention uses the degree of association with business data as the feature for mining sensitive input verification. The principle is that a small number of manually found sensitive input verification groups related to business data are used as seeds to find the sensitive inputs of other related groups. For example:
seed = {"packageName", "uid", dataframe1, dataframe2, ..., dataframen},
In terms of sensitivity there is often a correlation between input verifications, so selecting a seed in the above format can find valid sensitive inputs.
(3) Vulnerability detection
In the invention, vulnerability mining is carried out on the terminal system along three different dimensions, namely "packageName", "uid" and the n dataframes, as shown in FIG. 3.
The seeds generated by the model of FIG. 3 are injected as initial seeds into the fuzz-testing logic for vulnerability detection.
The specific operation is shown in FIG. 4:
(1) Initial seeds: selected according to FIG. 3; during the fuzz-testing stage the rules for seed generation also follow the flow of FIG. 3.
(2) Seed pool: composed mainly of the initial seeds and the newly generated seeds; it supplies the base seeds for seed mutation.
(3) Seed selection: choosing the instance to be tested from the seed pool. The first seeds selected are the initial seeds; as the statistics of the seeds accumulate, subsequent seeds are selected from the seed pool according to those statistics.
(4) Mutation strategy: the key to the performance of the fuzz test. In a preparation phase, the parts of the seed that may be changed are decided from the composition of the initial seed, and the range of values for each changeable part is listed.
(5) In the execution phase, the parts of the seed are mutated in sequence at random; the output of each test is collected, the relative entropy (KL divergence) between the outputs before and after each mutation is measured, and the probability distribution of that relative entropy is accumulated. After a large number of tests, the corresponding seed parts can be sampled and mutated by Gibbs sampling according to the statistical characteristics of each part.
(6) New seeds: generated by the mutation strategy of the previous step and used as input for test execution.
(7) Execution: the new seeds are fed to the program, the program is tested, and the execution results are collected and analysed so as to support better convergence and to set seed priority.
(8) Convergence analysis: an important indicator of seed quality. On the one hand, one must consider how much of the mutation space has been covered and used for testing; on the other hand, whether the tested seeds have yet covered meaningful program paths or inputs. The relative entropy produced by the mutation algorithm is taken as one convergence index; other indices may include execution time and program coverage.
(9) Seed prioritization: favours seeds that may trigger an exception or produce meaningful output. When an abnormality is found, the priority setting should influence or alter the Gibbs sampling of the mutated seeds.
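The loop of steps (1) to (9) (and the same loop as restated in claim 1, steps 2-3-1 to 2-3-9), as an added example that is not the patent's code: a structured seed with the three parts of FIG. 3, per-part mutation, KL divergence between the byte histograms of the baseline output and the mutated output as the relative-entropy measure, a simplified Gibbs-style sweep that redraws one part at a time from that part's recorded (value, KL) samples, and crash- and entropy-driven seed priority. The target rtu_target is a constructed stand-in with one planted defect (a trusted length byte); the byte-histogram choice of distribution, the 0.05 novelty threshold, the priority weights and the Gibbs interpretation are assumptions of this example, since the page does not fix them.

```python
"""Structured-seed fuzz loop in the shape of the page's FIG. 4 (added example, not the
patent's code). The RTU target below is a constructed stand-in with one planted defect."""
import math
import random
from collections import Counter

PARTS = ("packageName", "uid", "frames")     # the three seed dimensions of FIG. 3


def rtu_target(seed):
    """Constructed target. Each frame is [len][payload]; the length byte is trusted
    (the planted defect), so len > actual payload raises IndexError, our stand-in crash."""
    if not seed["packageName"].startswith("rtu."):
        return b"ERR_PKG"
    if not 0 <= seed["uid"] < 1000:
        return b"ERR_UID"
    out = bytearray(b"OK")
    for frame in seed["frames"]:
        for i in range(1, frame[0] + 1):
            out.append(frame[i] ^ 0x5A)
    return bytes(out)


def execute(seed):
    """Execution step: run the target and map an exception to a distinct output class."""
    try:
        return rtu_target(seed), False
    except IndexError as exc:
        return b"CRASH:" + type(exc).__name__.encode(), True


def kl_divergence(a, b, alpha=0.01):
    """KL(P_a || P_b) over additively smoothed byte histograms of two outputs (assumption:
    the page does not say which output distribution its 'KL distance' is taken over)."""
    ca, cb = Counter(a), Counter(b)
    za, zb = len(a) + 256 * alpha, len(b) + 256 * alpha
    return sum((ca[x] + alpha) / za * math.log(((ca[x] + alpha) / za) / ((cb[x] + alpha) / zb))
               for x in range(256))


def random_value(seed, part, rng):
    """Mutation strategy: a fresh value for one seed part, the other parts untouched."""
    if part == "packageName":
        return rng.choice(["rtu.ctrl", "rtu." + "A" * rng.randint(1, 64), "", "../rtu.ctrl"])
    if part == "uid":
        return rng.choice([0, 999, 1000, -1, 2 ** 31 - 1, rng.randint(0, 5000)])
    frames = [bytearray(f) for f in seed["frames"]]
    f = frames[rng.randrange(len(frames))]
    op = rng.choice(("flip", "len", "trunc", "grow"))
    if op == "flip" and len(f) > 1:
        f[rng.randrange(1, len(f))] ^= 1 << rng.randrange(8)
    elif op == "len" and f:
        f[0] = rng.randrange(256)                 # lie about the payload length
    elif op == "trunc":
        del f[len(f) // 2:]
    else:
        f += bytes(rng.randrange(256) for _ in range(rng.randint(1, 8)))
    return [bytes(x) for x in frames]


def gibbs_sweep(seed, stats, rng):
    """Simplified Gibbs-style resampling (our reading of step (5)): visit each part in turn
    and redraw it, the other parts held fixed, from that part's recorded values weighted
    by the KL shift they produced, or (30% of the time) from a fresh mutation."""
    new = dict(seed)
    for part in PARTS:
        vals, weights = zip(*[(v, k + 1e-3) for v, k in stats[part]])
        new[part] = (rng.choices(vals, weights=weights)[0] if rng.random() < 0.7
                     else random_value(new, part, rng))
    return new


def fuzz(initial_seed, rounds=300, rng_seed=7):
    """Run the loop; returns (crashing seeds, per-part (value, KL) statistics)."""
    rng = random.Random(rng_seed)
    base_out, _ = execute(initial_seed)
    pool = [(initial_seed, 1.0)]                  # seed pool with priorities
    stats = {p: [] for p in PARTS}                # (value, KL) samples per seed part
    crashes = []
    for r in range(rounds):
        # seed selection: priority-weighted draw from the pool
        seed = rng.choices([s for s, _ in pool], weights=[w for _, w in pool])[0]
        if r < 5 * len(PARTS):                    # preparation: vary the parts in sequence
            part = PARTS[r % len(PARTS)]
            new = dict(seed)
            new[part] = random_value(seed, part, rng)
            touched = [part]
        else:                                     # execution: Gibbs-style sweep
            new = gibbs_sweep(seed, stats, rng)
            touched = [p for p in PARTS if new[p] != seed[p]]
        out, crashed = execute(new)
        kl = kl_divergence(base_out, out)
        for p in touched:
            stats[p].append((new[p], kl))
        # convergence analysis + seed priority: crashes and output shifts re-enter the pool
        if crashed:
            crashes.append((touched, new))
            pool.append((new, 4.0))
        elif kl > 0.05:
            pool.append((new, 1.0 + kl))
    return crashes, stats


INITIAL_SEED = {"packageName": "rtu.ctrl", "uid": 42,
                "frames": [b"\x03abc", b"\x02xy"]}   # constructed initial seed

if __name__ == "__main__":
    found, part_stats = fuzz(INITIAL_SEED)
    print(len(found), "crashing seeds, first:", found[0] if found else None)
```

Against a real device the execute step would be a network send plus a liveness probe (the page's information-feedback and timing services are the obvious candidates), and the crash class would be "no response within the timeout" rather than a Python exception; everything else in the loop stays the same.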
3. Vulnerability exploitation
To demonstrate the validity of the vulnerability mining method described above, the experimental test object selected is an information acquisition and control RTU device that is common in typical industrial control scenarios in China. Among the vulnerabilities found with the input verification vulnerability mining method for industrial control terminals, three typical vulnerabilities are selected, and how they affect the security of the system and the potential threats that could exploit them are explained.
(1) Input verification: because the device's control file is not strictly checked for file type, format and content, the RTU control software will download any file named as a control file to the RTU. When the RTU receives a wrong file, it cannot recognize and read the file content, which causes loss of functionality and downtime.
(2) Data reliability not fully verified: after the RTU control software downloads a non-compliant control file, the RTU cannot identify and read the file content; its functions are lost, the RTU device loses its communication capability with the RTU software, and a denial of service occurs.
(3) Arbitrary command execution: the RTU debugging software can download non-compliant control files. An attacker can insert a malicious script into such a file and thereby implant a backdoor process or program on the RTU device, so that the RTU's communication can be intercepted, exploited or tampered with.
(4) Lack of security control on the device: penetration tests were carried out against the RTU's function control (RTU control), parameter configuration (config), parameter maintenance (parameter), information feedback (read) and synchronous timing (timing). Information feedback and synchronous timing were found to be relatively stable and reliable, but function control, parameter configuration and parameter maintenance lack security control and can be attacked by tampering and denial of service. In the fuzz test, each round of seed iteration may trigger a deviation in information entropy.
(5) Lack of security control at device startup: an attacker can modify the master control function file without affecting its function, so that the attacker's own goals are achieved when the system starts. The consequences of attacking system startup include privilege escalation, privacy leakage, deletion of system files and malicious script injection.
In addition to the above 5 cases, the present invention also found other suspected sensitive verification problems that cause the RTU to fail.
The method can successfully discover input verification vulnerabilities in RTU devices common in typical industrial control scenarios in China. High-risk input verification vulnerabilities of some terminals were reported and published in issue 5 of 2021 (issue 559 overall) of the Information Security Vulnerability Weekly Report; they can trigger different attack behaviours such as denial of service and script injection.
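The acceptance check behind findings (1) to (3), as an added example that is not the patent's or any vendor's code: the weak form consults only the file name, as the page describes, so a malformed or script-bearing file is downloaded to the device; the hardened form verifies type, format and content before accepting it. The CTRL1 layout (magic, version byte, record count, fixed-size typed records, CRC-32 trailer), the record types and the size bound are constructed for this illustration, and the "scripted" sample is a constructed stand-in, not a real payload.

```python
"""Control-file acceptance: weak name-only check beside a hardened validator (added
example, not the patent's or a vendor's code). The CTRL1 format is constructed here."""
import struct
import zlib

MAGIC = b"RTUC"
MAX_FILE = 4096                                   # assumed upper bound for a control file
ALLOWED_TYPES = {0x01: "setpoint", 0x02: "schedule", 0x03: "alarm_limit"}   # constructed


def accept_by_name(filename, data):
    """Weak check in the shape the page describes: only the name is consulted, so any
    content, malformed or script-bearing, is downloaded to the RTU."""
    return filename.endswith(".ctl")


def validate_control_file(filename, data):
    """Hardened check: type, format and content are verified before acceptance.
    Returns (ok, reason, decoded records); every length is bounds-checked."""
    if not filename.endswith(".ctl"):
        return False, "bad extension", []
    if not (len(MAGIC) + 2 + 4 <= len(data) <= MAX_FILE):
        return False, "bad size", []
    body, trailer = data[:-4], data[-4:]
    if body[:4] != MAGIC or body[4] != 1:
        return False, "bad magic/version", []
    if struct.unpack("<I", trailer)[0] != zlib.crc32(body) & 0xFFFFFFFF:
        return False, "crc mismatch", []
    count, pos, records = body[5], 6, []
    for _ in range(count):
        if pos + 2 > len(body):
            return False, "truncated record header", []
        rtype, rlen = body[pos], body[pos + 1]
        pos += 2
        if rtype not in ALLOWED_TYPES:
            return False, f"unknown record type {rtype:#x}", []
        if rlen != 2 or pos + rlen > len(body):    # every allowed type carries a 16-bit value
            return False, "bad record length", []
        records.append((ALLOWED_TYPES[rtype], struct.unpack("<H", body[pos:pos + 2])[0]))
        pos += 2
    if pos != len(body):
        return False, "trailing bytes", []
    return True, "ok", records


def _with_crc(body):
    """Append the CRC-32 trailer the validator expects."""
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def build_control_file(records):
    """Constructed encoder for CTRL1, used to produce the samples below."""
    body = MAGIC + bytes([1, len(records)])
    for rtype, value in records:
        body += bytes([rtype, 2]) + struct.pack("<H", value)
    return _with_crc(body)


GOOD = build_control_file([(0x01, 500), (0x03, 900)])
TRUNCATED = _with_crc(GOOD[:-4][:7])              # count says 2 records, none complete
SCRIPTED = b"#!/bin/sh\necho constructed-sample-not-a-payload\n"

if __name__ == "__main__":
    for name, blob in (("good.ctl", GOOD), ("trunc.ctl", TRUNCATED), ("rtu.ctl", SCRIPTED)):
        print(name, accept_by_name(name, blob), validate_control_file(name, blob)[:2])
```

The truncated sample is the case the page reports as "cannot recognize and read the file content": the weak check downloads it and the device parses past the end of the data, while the hardened check rejects it before download. The CRC only catches corruption; authenticating the file (a signature checked by the RTU) is the next step and is outside this example.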

Claims (6)

1. A fuzzy mining method for input verification vulnerabilities of industrial control terminal equipment, characterized by comprising the following steps:
step 1: an information collection stage;
acquiring the script language type and the protocol type from the human-computer interface;
placing the host and the terminal in the same network segment, and scanning the industrial control terminal equipment with a scanning tool to obtain basic information: IP address, network segment, domain name and ports;
acquiring the feedback information of the network services and open ports to obtain the software and hardware information of the terminal that provides the network service functions;
obtaining the system configuration information after privileges have been obtained to enter the system;
step 2: a vulnerability discovery stage;
step 2-1: extracting input verifications using a structural analysis technique;
the input verification of the industrial control terminal compares the input with preset data and immediately terminates normal execution of the program when the verification fails;
step 2-2: identifying sensitive input verifications using a classifier;
using the degree of association with business data as the feature for mining sensitive input verifications, and using the group of sensitive input verifications related to the business data as a seed to find the sensitive inputs of other related groups;
step 2-3: detecting vulnerabilities;
vulnerability mining is carried out on the terminal system along three different dimensions, wherein the three dimensions are 'packageName', 'uid' and 'dataframe';
step 2-3-1: selecting initial seeds;
step 2-3-2: constructing a seed pool: the seed pool is composed of the initial seeds and the newly generated seeds, and provides the base seeds for seed mutation;
step 2-3-3: seed selection: selecting an instance to be tested from the seed pool, wherein the first seeds selected are the initial seeds, and the seeds selected in subsequent steps are drawn from the seed pool according to the statistical effect;
step 2-3-4: mutation strategy: according to the composition of the initial seed, listing the range of values for every seed part that can be altered;
step 2-3-5: in the execution stage, randomly and sequentially mutating each part of the seed, simultaneously collecting the output of each test, measuring the relative information entropy of the output after each mutation of the seed and accumulating its probability distribution; sampling the mutated seeds by Gibbs sampling according to the statistical characteristics of each part of the seed;
step 2-3-6: generating new seeds by the seed mutation strategy of step 2-3-4 as input for test execution;
step 2-3-7: test execution: inputting the new seeds, testing the program under vulnerability detection, and collecting and analysing the execution result;
step 2-3-8: convergence analysis: taking the relative information entropy, the execution time and the program coverage as indices of convergence;
step 2-3-9: setting the priority of the seeds and returning them to the seed pool;
step 3: a vulnerability exploitation stage;
testing and attacking the main functions of the system using script injection, replay attack and program-dimension attack methods, acquiring and recording data, and finally restoring the system.
2. The fuzzy mining method for input verification vulnerabilities of industrial control terminal equipment as claimed in claim 1, wherein the scanning tool is nmap.
3. The fuzzy mining method for input verification vulnerabilities of industrial control terminal equipment as claimed in claim 1, wherein the configuration information comprises the system directory, startup items, processes and configuration files.
4. The fuzzy mining method for input verification vulnerabilities of industrial control terminal equipment as claimed in claim 1, wherein the relative information entropy is the KL divergence (KL distance).
5. The fuzzy mining method for input verification vulnerabilities of industrial control terminal equipment as claimed in claim 1, wherein the main functions of the system are the main function and the start function.
6. The fuzzy mining method for input verification vulnerabilities of industrial control terminal equipment as claimed in claim 1, wherein the vulnerabilities of the vulnerability exploitation stage comprise the following:
step 3-1: input verification: since the RTU control software does not check and verify the file type, format and content of the device's control file, the RTU control software downloads any file named as a control file to the RTU; when the RTU receives the wrong file, it cannot identify and read the file content, so that functionality is lost and the device goes down;
step 3-2: non-verification of data reliability: after the RTU control software downloads a non-compliant control file, the RTU cannot identify and read the file content, so that functionality is lost, the RTU device loses its communication capability with the RTU software, and service is denied;
step 3-3: arbitrary command execution: the RTU debugging software downloads a non-compliant control file into which an attacker has inserted a malicious script, so that a backdoor process or program is implanted in the RTU device and the communication of the RTU device is monitored, exploited or tampered with;
step 3-4: lack of security control on the device: penetration testing is carried out against the function control, parameter configuration, parameter maintenance, information feedback and synchronous timing of the RTU; information feedback and synchronous timing are found to be stable and reliable, but function control, parameter configuration and parameter maintenance lack security control and can be attacked by tampering and denial of service;
step 3-5: lack of security control at device startup: an attacker modifies the master control function file without affecting its function, and the attack takes effect after the system starts, causing privilege escalation, privacy leakage, removal of system files and malicious script injection.
CN202111135803.4A 2021-09-27 2021-09-27 Fuzzy mining method for input verification vulnerability of industrial control terminal equipment Pending CN113901475A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111135803.4A CN113901475A (en) 2021-09-27 2021-09-27 Fuzzy mining method for input verification vulnerability of industrial control terminal equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111135803.4A CN113901475A (en) 2021-09-27 2021-09-27 Fuzzy mining method for input verification vulnerability of industrial control terminal equipment

Publications (1)

Publication Number Publication Date
CN113901475A true CN113901475A (en) 2022-01-07

Family

ID=79029598

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111135803.4A Pending CN113901475A (en) 2021-09-27 2021-09-27 Fuzzy mining method for input verification vulnerability of industrial control terminal equipment

Country Status (1)

Country Link
CN (1) CN113901475A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114598509A (en) * 2022-02-23 2022-06-07 烽台科技(北京)有限公司 Method and device for determining vulnerability result
CN114598509B (en) * 2022-02-23 2023-06-20 烽台科技(北京)有限公司 Method and device for determining vulnerability result
CN115270139A (en) * 2022-09-20 2022-11-01 哈尔滨工业大学(深圳)(哈尔滨工业大学深圳科技创新研究院) IoT equipment network service automatic vulnerability analysis method and system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination