CN114417355A - Lightweight safety detection system and method for industrial control system - Google Patents


Info

Publication number
CN114417355A
Authority
CN
China
Prior art keywords
taint
ics
analysis
input
data
Legal status
Granted
Application number
CN202210017397.XA
Other languages
Chinese (zh)
Other versions
CN114417355B (en)
Inventor
陈力波
黄培扬
王轶骏
薛质
Current Assignee
Shanghai Jiaotong University
Original Assignee
Shanghai Jiaotong University
Application filed by Shanghai Jiaotong University
Priority to CN202210017397.XA
Publication of CN114417355A
Application granted
Publication of CN114417355B
Legal status: Active

Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Virology (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Computing Systems (AREA)
  • Debugging And Monitoring (AREA)
  • Stored Programmes (AREA)

Abstract

The invention provides a lightweight security detection system and method for an industrial control system. The system comprises: an ICS system loading module, which preprocesses an ICS system image to obtain an executable file; a static analysis module, which performs binary semantic reconstruction on the executable file with a binary reverse-engineering framework and measures input data flow dependencies to obtain a data flow propagation graph; a dynamic analysis module, which performs directed taint analysis on a control flow pruned according to the data flow propagation graph; and a detection report output module, which normalizes and visualizes the results of the taint analysis.

Description

Lightweight security detection system and method for industrial control system
Technical Field
The invention relates to the technical field of network security, in particular to a lightweight security detection system and a lightweight security detection method for an industrial control system.
Background
In recent years, with the rapid development of 5G networks, the industrial internet, artificial intelligence and the internet of things, the era of the intelligent mobile internet of everything is arriving, and industrial control systems of all kinds, such as smart homes, industrial robots and unmanned aerial vehicles, are being deployed on networks. Unlike PC terminals, industrial control systems differ enormously across application scenarios: they must adapt to heterogeneous transmission networks and many CPU architectures while meeting customers' individual and customized requirements. Terminal devices therefore typically run an embedded system developed in a customized manner, and each device manufacturer chooses the system development model that suits its own application and business goals, balancing cost against functional and performance requirements. At present, terminal systems fall into two major categories: embedded Linux systems and industrial control systems (ICS). The former rely on the open-source Linux community, are easier to develop and maintain, and are widely used; the latter have developed rapidly in recent years, gradually replacing simple, purpose-specific bare-metal firmware on MCU-class microcontrollers, forming a uniform middle-layer abstraction for real-time task scenarios that can schedule multiple concurrent tasks, and offering far better generality and extensibility than traditional bare-metal firmware.
Industrial control systems were originally designed to meet real-time business requirements in industrial environments, such as production lines, aerospace vehicles, medical devices and other scenarios that are sensitive to timing. The system splits the application into many atomic tasks so that each completes a deterministic operation in a short time, and runs many tasks concurrently under a real-time scheduling algorithm to improve execution efficiency. In recent years, with the rapid development of communication technologies such as the industrial internet and 5G, interconnection of industrial terminals has become a common requirement, and terminal systems that used to be isolated in closed environments face entirely new security threats. Taking autonomous driving as an example, hundreds of MCU-based automotive terminals run behind vehicle networking architectures such as V2X, keep low-latency, high-speed connectivity with the outside world over 5G, and are interconnected inside the vehicle over the LAN (local area network) bus, the CAN (controller area network) bus, near-field communication, the telecommunication network and so on; terminal components with different functions are thus exposed to an ever larger external attack surface, and the security threat grows sharply. However, while the ICS unifies the system layer of the various MCUs, it has not developed a mature system security defense scheme comparable to that of PC terminals, so a single vulnerability can compromise an ICS terminal. At Black Hat Asia 2020, an attacker was shown compromising an entire intelligent manufacturing plant through an industrial control system vulnerability using only one data message.
Meanwhile, because of its inherent reliability and low latency, the ICS is widely used in critical infrastructure, so it is essential to discover and fix the security vulnerabilities in ICS systems before an attacker finds and exploits them.
However, existing security detection methods have obvious shortcomings when applied to ICS. On the dynamic analysis side, testing against physical devices faces the problems that automated grey-box testing is hard to realize and large-scale deployment is expensive; meanwhile, because every task module in an ICS is packed into one executable and the coupling is high, an individual task cannot be emulated in process mode and system-mode emulation is required. Yet the scenario-specific customization of ICS systems produces a large diversity of peripherals, so emulating all of them in whole-system emulation is difficult, requires source code or a vendor SDK to describe the specific hardware interfaces, and generalizes poorly. On the static analysis side, the lack of basic symbol information makes analysis hard: an ICS statically compiles many tasks into one executable, semantic information such as the symbol table and imported functions is missing, so the entry points of user data and the dangerous function operations cannot be located; and the firmware of an ICS device is often several times or even tens of times the size of an ordinary ELF file on embedded Linux, so naive symbolic execution suffers path explosion from branches and loops and cannot reach deep program logic.
Patent document CN108737417A (application number: 201810492275.X) discloses a vulnerability detection method for an industrial control system: network probing based on industrial Ethernet characteristics is performed on the target environment to identify industrial control equipment and capture session packets; the packets are parsed according to industrial control protocol specifications and proprietary-protocol reverse engineering, and signature packets are constructed for further probing to obtain specific fingerprint information; the matched targets are compared against an industrial-control vulnerability library and policy-driven vulnerability detection is carried out; and fuzz testing based on industrial control protocol vulnerabilities is used to mine and detect security vulnerabilities in the industrial control network.
Disclosure of Invention
In view of the defects of the prior art, the invention aims to provide a lightweight security detection system and a lightweight security detection method for an industrial control system.
According to the invention, the lightweight security detection system for an industrial control system comprises:
ICS system loading module: preprocesses an ICS system image to obtain an executable file;
static analysis module: performs binary semantic reconstruction on the executable file with a binary reverse-engineering framework and measures input data flow dependencies to obtain a data flow propagation graph;
dynamic analysis module: performs directed taint analysis on a control flow pruned according to the data flow propagation graph;
detection report output module: normalizes and visualizes the results of the taint analysis.
Preferably, in the ICS system loading module, the image file of the ICS system is automatically identified by characteristic strings, and the ICS system executable in the image file is extracted.
Preferably, the static analysis module comprises:
an identification and extraction module: obtains the load base address of the executable by a heuristic method, unpacks and restores the image file, and obtains the positions of the code and data segments within the executable together with the corresponding symbol files;
an ICS-firmware-oriented semantic reconstruction module: the binary semantics of the ICS executable are synthesized through symbol-table-based recovery, data flow emulation, front-end service semantic extraction, task message mechanism recovery and supplementary manual analysis;
an input data flow dependency metric module: uses Ghidra's P-Code intermediate representation to perform coarse-grained taint propagation from each input function, records the conditional branches and sub-function call parameters that depend on input data, forms the propagation graph of the data flow within the ICS, and outputs the data dependency graph corresponding to each input point.
Preferably, the input functions are abstracted automatically through semantic recovery, and coarse-grained taint propagation from the abstracted input functions is performed on Ghidra's P-Code intermediate representation.
Preferably, the dynamic analysis module comprises:
a control flow graph pruning module: based on the propagation graph of the data flow within the ICS, it slices out the conditional-branch paths that affect the tainted data flow and can reach a sensitive function, and prunes sub-function calls whose parameters are unrelated to the input, thereby forming a control flow call graph guided by the tainted data flow;
a directed taint analysis module: it performs concolic (mixed symbolic) execution starting from the input function on the control flow call graph guided by the tainted data flow, and finally outputs the input conditions, vulnerability locations and execution paths that cause the taint to trigger a security vulnerability.
Preferably, in the detection report output module, the results of the taint analysis are normalized and visualized; the security vulnerabilities caused by each input are merged and divided into types, and the root cause of each vulnerability is displayed.
The invention also provides a lightweight security detection method for an industrial control system, comprising the following steps:
step S1: preprocessing an ICS system image to obtain an executable file;
step S2: performing binary semantic reconstruction on the executable file with a binary reverse-engineering framework and measuring input data flow dependencies to obtain a data flow propagation graph;
step S3: performing directed taint analysis on a control flow pruned according to the data flow propagation graph;
step S4: normalizing and visualizing the results of the taint analysis.
Preferably, step S1 comprises: automatically identifying the image file of the ICS system by characteristic strings, and extracting the ICS system executable from the image file.
Preferably, step S2 comprises:
step S2.1: obtaining the load base address of the executable by a heuristic method, unpacking and restoring the image file, and obtaining the positions of the code and data segments within the executable together with the corresponding symbol files;
step S2.2: synthesizing the binary semantics of the ICS executable through symbol-table-based recovery, data flow emulation, front-end service semantic extraction, task message mechanism recovery and supplementary manual analysis;
step S2.3: using Ghidra's P-Code intermediate representation to perform coarse-grained taint propagation from each input function, recording the conditional branches and sub-function call parameters that depend on input data, forming the propagation graph of the data flow within the ICS, and outputting the data dependency graph corresponding to each input point.
Preferably, step S3 comprises:
step S3.1: based on the propagation graph of the data flow within the ICS, slicing out the conditional-branch paths that affect the tainted data flow and can reach a sensitive function, and pruning sub-function calls whose parameters are unrelated to the input, thereby forming a control flow call graph guided by the tainted data flow;
step S3.2: performing concolic (mixed symbolic) execution starting from the input function on the control flow call graph guided by the tainted data flow, and finally outputting the input conditions, vulnerability locations and execution paths that cause the taint to trigger a security vulnerability.
Compared with the prior art, the invention has the following beneficial effects:
1. The method can determine whether an ICS has a security problem while extracting only the specific sensitive control flow and greatly reducing analysis complexity, and it locates the corresponding vulnerability and execution path, thereby achieving lightweight detection and greatly improving the practical feasibility of taint analysis;
2. The invention introduces an ICS-firmware-oriented semantic recovery and reconstruction function and uses data flow analysis to perform dependency analysis on the target firmware; combining the two realizes detection targeted at specific sensitive control flows and locates the corresponding vulnerabilities and execution paths, which greatly reduces analysis complexity, achieves lightweight detection compared with existing vulnerability detection techniques, and greatly improves the practical feasibility of taint analysis.
Drawings
Other features, objects and advantages of the invention will become more apparent upon reading the detailed description of non-limiting embodiments with reference to the following drawings:
fig. 1 is a block diagram of a lightweight security detection system for an industrial control system according to a preferred embodiment of the present invention.
FIG. 2 is a block diagram of a lightweight security detection system for an industrial control system according to a preferred embodiment of the present invention.
Fig. 3 is a flowchart of a lightweight security detection method for an industrial control system according to a preferred embodiment of the present invention.
FIG. 4 is a flowchart of binary code control flow pruning.
Fig. 5 is a control flow splicing diagram.
Fig. 6 is an exemplary diagram of an output report.
Detailed Description
The present invention will be described in detail with reference to specific examples. The following examples will help those skilled in the art further understand the invention, but are not intended to limit it in any way. It should be noted that those skilled in the art can make various changes and modifications without departing from the spirit of the invention, all of which fall within its scope.
The invention provides a lightweight security detection method and system for an industrial control system (ICS), which is essentially a static analysis method for industrial control systems. First, function semantics are reconstructed at the binary level. Then, program slices guided by the taint input flow are built around the taint inputs and the sensitive function locations: each slice corresponds to a call tree that starts at the program location where external input enters and ends at the execution location of the sensitive function, with each node a sub-function call. Finally, taint analysis within this limited range is performed starting from the input point; on the basis of reachability in the tainted data flow graph, dynamic symbolic execution determines the conditions under which the dangerous operation of the sensitive function can be reached (for example, a string copy that exceeds the buffer size, or a command execution function whose parameter is externally controlled). Overall, the method can determine whether the ICS has a security problem while extracting only the specific sensitive control flow and greatly reducing analysis complexity, and it locates the corresponding vulnerability and execution path, thereby achieving lightweight detection and greatly improving the practical feasibility of taint analysis.
Example 1
According to the invention, as shown in fig. 1, a lightweight security detection system for an industrial control system comprises:
ICS system loading module: preprocesses an ICS system image to obtain an executable file;
static analysis module: performs binary semantic reconstruction on the executable file with a binary reverse-engineering framework and measures input data flow dependencies to obtain a data flow propagation graph;
dynamic analysis module: performs directed taint analysis on a control flow pruned according to the data flow propagation graph;
detection report output module: normalizes and visualizes the results of the taint analysis.
Specifically, in the ICS system loading module, the image file of the ICS system is automatically identified by characteristic strings, and the ICS system executable in the image file is extracted.
In particular, the static analysis module comprises:
an identification and extraction module: obtains the load base address of the executable by a heuristic method (for example the string-offset address-difference method), thereby completing system image identification and extraction; it unpacks and restores the image file to obtain the positions of the code and data segments within the executable, the corresponding symbol file, and so on;
an ICS-firmware-oriented semantic reconstruction module: the binary semantics of the ICS executable are synthesized through symbol-table-based recovery, data flow emulation, front-end service semantic extraction, task message mechanism recovery and supplementary manual analysis;
an input data flow dependency metric module: uses Ghidra's P-Code intermediate representation to perform coarse-grained taint propagation from each input function, records the conditional branches and sub-function call parameters that depend on input data, forms the propagation graph of the data flow within the ICS, and outputs the data dependency graph corresponding to each input point.
In particular, the dynamic analysis module comprises:
a control flow graph pruning module: based on the propagation graph of the data flow within the ICS, it slices out the conditional-branch paths that affect the tainted data flow and can reach a sensitive function, and prunes sub-function calls whose parameters are unrelated to the input, thereby forming a control flow call graph guided by the tainted data flow;
a directed taint analysis module: it performs efficient concolic (mixed symbolic) execution starting from the input function on the control flow call graph guided by the tainted data flow; complex functions are automatically summarized using the earlier semantic recovery, which further reduces computational complexity and improves the usability of symbolic execution; finally it outputs the input conditions, vulnerability locations and execution paths that cause the taint to trigger a security vulnerability.
Specifically, in the detection report output module, the results of the taint analysis are normalized and visualized; the security vulnerabilities caused by each input are merged and divided into types, and the root cause of each vulnerability is displayed, so that developers can be guided to fix it quickly.
The invention also provides a lightweight security detection method for an industrial control system, comprising the following steps:
ICS system loading step: preprocessing an ICS system image to obtain an executable file;
static analysis step: performing binary semantic reconstruction on the executable file with a binary reverse-engineering framework and measuring input data flow dependencies to obtain a data flow propagation graph;
dynamic analysis step: performing directed taint analysis on a control flow pruned according to the data flow propagation graph;
detection report output step: normalizing and visualizing the results of the taint analysis.
Specifically, the ICS system loading step automatically identifies the ICS system image file by characteristic strings and extracts the ICS system executable from the image file.
In particular, the static analysis step comprises:
identification and extraction: obtaining the load base address of the executable by a heuristic method (for example the string-offset address-difference method), thereby completing system image identification and extraction; unpacking and restoring the image file to obtain the positions of the code and data segments within the executable, the corresponding symbol file, and so on;
ICS-firmware-oriented semantic reconstruction: synthesizing the binary semantics of the ICS executable through symbol-table-based recovery, data flow emulation, front-end service semantic extraction, task message mechanism recovery and supplementary manual analysis;
input data flow dependency metric: using Ghidra's P-Code intermediate representation to perform coarse-grained taint propagation from each input function, recording the conditional branches and sub-function call parameters that depend on input data, forming the propagation graph of the data flow within the ICS, and outputting the data dependency graph corresponding to each input point.
In particular, the dynamic analysis step comprises:
control flow graph pruning: based on the propagation graph of the data flow within the ICS, slicing out the conditional-branch paths that affect the tainted data flow and can reach a sensitive function, and pruning sub-function calls whose parameters are unrelated to the input, thereby forming a control flow call graph guided by the tainted data flow;
directed taint analysis: performing efficient concolic (mixed symbolic) execution starting from the input function on the control flow call graph guided by the tainted data flow; complex functions are automatically summarized using the earlier semantic recovery, which further reduces computational complexity and improves the usability of symbolic execution; finally, the input conditions, vulnerability locations and execution paths that cause the taint to trigger a security vulnerability are output.
Specifically, in the detection report output step, the results of the taint analysis are normalized and visualized; the security vulnerabilities caused by all inputs are merged and divided into types, and the root cause of each vulnerability is displayed, so that developers can be guided to fix it quickly.
Example 2
Example 2 is a preferred example of Example 1.
In view of the defects of the prior art, the invention provides a new lightweight security detection method for industrial control systems: an ICS-oriented lightweight taint data flow detection method and system that combines three key techniques, binary semantic reconstruction, control flow slicing and taint data flow analysis. First, on the basis of restoring functions and reconstructing their semantics at the disassembled instruction level of the ICS, taint data flow dependencies are measured to obtain the range of control flow influenced by each taint input. Second, the control flow from the taint input to the dangerous call is sliced: guided by the taint input, taint-reachable control flow analysis and pruning of unrelated sub-functions are performed, shielding the control flow of the current taint input from the influence of unrelated variables and improving the feasibility and efficiency of symbolic execution. Finally, concolic (mixed symbolic) execution is performed on the pruned control flow graph; complex function calls and other interfering inputs are handled quickly through function summaries, and constraint solving attempts to obtain a vulnerability-triggering input consistent with the original control flow, so as to determine whether a security problem exists.
According to the lightweight security detection method for an industrial control system provided by the invention, as shown in fig. 2, discovering security vulnerabilities of the industrial control system by a lightweight, efficient analysis method comprises:
a binary semantic reconstruction step: restoring the high-level functional semantics and the corresponding parameter syntax of each function on the basis of disassembly, by binary reverse-engineering methods, so as to support the subsequent control flow analysis;
a control flow slicing step: locating the functions related to external taint input and the call sites of sensitive functions; starting from the input point, obtaining a directed graph of taint data flow dependencies through coarse-grained taint analysis; comparing it against the call tree rooted at the function containing the input location, retaining the part of the call tree affected by the tainted data flow, and forming an input-oriented program slice;
a taint data flow analysis step: performing taint data flow analysis on the input-oriented program slices by symbolic execution to obtain the constraint conditions of each execution path, and solving them to determine whether a dangerous call that triggers a sensitive function exists, and hence whether a security vulnerability exists.
Specifically, the binary semantic reconstruction step comprises: reconstructing the semantics of the data flow processing functions through the combined application of ICS system image identification and extraction, image load base address identification and binary-level semantic recovery, and obtaining the specific functionality of each function relevant to the taint, wherein:
binary-level function semantic recovery: mainly comprises five processes, symbol-table-based recovery, data flow emulation, front-end service semantic extraction, task message mechanism recovery and supplementary manual analysis;
reconstruction of data flow processing function semantics: mainly comprises extracting and matching the features of four kinds of functions, namely taint introduction functions, taint propagation functions, taint inspection functions and taint trigger functions.
In particular, taint-oriented control flow pruning is performed by measuring input data flow dependencies, wherein:
input data flow dependency metric: mainly clarifies the dependency relationships of tainted data among the parameters of the various functions by analyzing the spread of tainted variables among taint introduction functions, taint propagation functions and high-risk taint use functions, obtaining the tainted variable set and propagation tree, and building a data dependency graph for each input point;
taint-guided control flow pruning: mainly to improve the feasibility of emulated execution and the efficiency of symbolic execution on an industrial control system, the input data dependency graph is used as a guide to prune the taint-input-related control flow graph, so that efficient taint analysis and symbolic execution can subsequently be carried out within the specified program space.
Symbolic execution is performed within the restricted control flow slice, making full use of the function semantics of the previous stage for summarisation and reducing the complexity of symbolic execution, wherein:
the dynamic symbolic execution step: taint data is symbolised at the start position of the control flow slice, and if complex function calls such as system and peripheral calls are encountered during execution, the input parameters are instantiated, so that the possibility of state-space explosion is reduced and the effectiveness of symbolic execution is improved;
the automatic function abstraction step: corresponding function abstracts are automatically established from the earlier function semantic recovery, in particular for the functions related to data flow processing; during taint analysis the corresponding data flow transfer operation is executed directly, without executing the specific instructions, which greatly reduces the complexity of taint propagation processing.
Example 3
Example 3 is a preferred example of example 1 and/or example 3
The invention provides a lightweight security detection method for an industrial control system, as shown in fig. 3, comprising:
Firstly, an industrial control system image file is selected and loaded. Such image files may be RTOS-based PLC programs, for example RTOS systems such as VxWorks, FreeRTOS and eCos, whose binary packs the function code and resources of all tasks into a single executive. After loading, the analysis program calls an unpacking tool to process the system file and separates out the binary program corresponding to the system executive, which contains all the function code of the ICS system;
secondly, static analysis is performed on the ICS system binary. Binary semantic recovery is performed first to obtain the purpose of most functions, mainly input functions such as socket operation functions and file read/write functions, and data-flow-related functions such as strcpy, which are sensitive functions and serve as the sink points of the subsequent taint analysis. Input data flow dependency analysis is then carried out, for example starting from the socket operation function recvfrom and analysing all paths and taint objects that may receive transmitted data, including transfers through global variables; this is implemented on the intermediate language P-Code, and the pseudocode of the algorithm for handling global variables is as follows:
[pseudocode of the global-variable handling algorithm; reproduced only as an image in the original patent]
on this basis a control flow dependency graph is formed;
thirdly, the binary control flow code is clipped on the basis of the input control flow dependency graph. Specifically, the input-related call nodes are retained on the basis of the call graph, and the paths that can reach a sensitive function are selected directionally at the conditional jumps; the whole process is divided into four steps, as shown in fig. 4:
step 1: taking an input function S node as a root, extracting all sub-function calls starting from the function, and forming a Call Graph;
step 2: positioning sensitive function nodes in the Call tree, such as X, Y and Z in the figure, forming a Call sequence starting from an S node to the sensitive functions, namely Sink Call routes, and noting that no pass-through function is included;
and step 3: starting coarse grain Taint Analysis (Taint Analysis) on the nodes in the path, and reserving the calling nodes influenced by the data in the nodes, wherein the calling nodes are represented by dotted lines in the graph;
and 4, step 4: and finally, deleting the calling nodes which are not influenced by input, and reserving the rest nodes to form a target calling tree.
If the input dependency graph spans two different input functions, the control flows are spliced during clipping; as shown in fig. 5, the control flows are spliced into one complete control flow through the data transfer pair operation NVRAM_Set/Get. On the basis of the directed control flow thus obtained, function-level taint propagation and mixed symbolic execution are performed using the automatic abstracts, to obtain the vulnerability triggering conditions and the corresponding execution path.
Fourthly, the taint analysis results are normalised and visualised, and a complete report is output, including the vulnerability type, the input parameters that cause the vulnerability, its location, the execution path and so on; a typical report is shown in fig. 6.
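The four-step call-tree pruning above, together with the NVRAM_Set/Get splice of fig. 5, as an added Python example that is not part of the patent: the call graph, the sink set and the per-call-site taint verdicts (which stand in for the coarse-grained taint analysis and the function summaries) are constructed toy data, not derived from any real firmware.

```python
from collections import deque

# Constructed toy call graph standing in for an ICS executive (not real firmware):
# caller -> [(callee, tainted_arg)], where tainted_arg is the coarse-grained taint
# verdict "this call site passes data derived from the caller's tainted input".
# S is the input function (e.g. a recvfrom wrapper); X, Y, Z are sensitive sinks.
CALLS = {
    "S":         [("parse_hdr", True), ("log_msg", False), ("store_cfg", True)],
    "parse_hdr": [("X", True), ("log_msg", False)],
    "log_msg":   [("Z", True)],            # Z is a sink, but log_msg only ever gets clean data
    "store_cfg": [("NVRAM_Set", True)],    # tainted value persisted to NVRAM
    "cfg_task":  [("NVRAM_Get", False), ("apply_cfg", True)],  # a second task reads it back
    "apply_cfg": [("Y", True)],
    "NVRAM_Set": [], "NVRAM_Get": [], "X": [], "Y": [], "Z": [],
}
SINKS = {"X", "Y", "Z"}
SPLICES = {"NVRAM_Set": "NVRAM_Get"}      # data-transfer pair that joins two control flows

def callers_of(fn):
    """Functions that call `fn` (used to follow a Set/Get splice)."""
    return [f for f, calls in CALLS.items() if any(c == fn for c, _ in calls)]

def reach(root, succ):
    """Breadth-first closure of `root` under the successor function `succ`."""
    seen, queue = {root}, deque([root])
    while queue:
        for g in succ(queue.popleft()):
            if g not in seen:
                seen.add(g)
                queue.append(g)
    return seen

def call_graph(root):
    """Step 1: all functions reachable from input function `root` by plain calls."""
    return reach(root, lambda f: [c for c, _ in CALLS.get(f, [])])

def tainted_succ(f):
    """Step 3 successor: callees that receive tainted data from `f`, plus the splice
    edge NVRAM_Set -> (every caller of NVRAM_Get), since stored taint re-enters there."""
    nxt = [c for c, t in CALLS.get(f, []) if t]
    if f in SPLICES:
        nxt += callers_of(SPLICES[f])
    return nxt

def sink_paths(root, tainted):
    """Step 2 restricted by step 3: root -> sink call sequences over tainted edges only."""
    paths = []
    def dfs(f, path):
        if f in SINKS:
            paths.append(path)
            return
        for c in tainted_succ(f):
            if c in tainted and c not in path:   # `not in path` guards against recursion
                dfs(c, path + [c])
    dfs(root, [root])
    return paths

def prune(root):
    """Step 4: drop call nodes not on any tainted sink path.
    Returns (target call tree, dropped nodes, sink call routes)."""
    paths = sink_paths(root, reach(root, tainted_succ))
    keep = {f for p in paths for f in p}
    tree = {f: [c for c in tainted_succ(f) if c in keep] for f in keep}
    return tree, call_graph(root) - keep, paths
```

Calling `prune("S")` keeps the two tainted routes S -> parse_hdr -> X and S -> store_cfg -> NVRAM_Set -> cfg_task -> apply_cfg -> Y, and drops log_msg and its sink Z, which are reachable by calls but never receive input-derived data.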
Those skilled in the art will appreciate that, in addition to implementing the systems, apparatus, and various modules thereof provided by the present invention in purely computer readable program code, the same procedures can be implemented entirely by logically programming method steps such that the systems, apparatus, and various modules thereof are provided in the form of logic gates, switches, application specific integrated circuits, programmable logic controllers, embedded microcontrollers and the like. Therefore, the system, the device and the modules thereof provided by the present invention can be considered as a hardware component, and the modules included in the system, the device and the modules thereof for implementing various programs can also be considered as structures in the hardware component; modules for performing various functions may also be considered to be both software programs for performing the methods and structures within hardware components.
The foregoing description of specific embodiments of the present invention has been presented. It is to be understood that the present invention is not limited to the specific embodiments described above, and that various changes or modifications may be made by one skilled in the art within the scope of the appended claims without departing from the spirit of the invention. The embodiments and features of the embodiments of the present application may be combined with each other arbitrarily without conflict.

Claims (10)

1. A lightweight safety detection system for an industrial control system, comprising:
ICS system loading module: preprocessing an ICS system to obtain an executable file;
a static analysis module: performing binary semantic reconstruction on the executable file through a binary reverse analysis frame, and inputting data stream dependency measurement to obtain a data stream diffusion diagram;
a dynamic analysis module: performing directional taint analysis on the basis of cutting a control flow on the basis of a data flow diffusion diagram;
a detection report output module: and carrying out normalization processing and visual display on the results of the taint analysis.
2. The lightweight safety detection system for industrial control systems as claimed in claim 1, wherein in said ICS system loading module, the image file of the ICS system is automatically identified according to characteristic character strings, and the ICS system executive is extracted from the image file.
3. The lightweight safety detection system for industrial control systems of claim 1, wherein said static analysis module comprises:
an identification and extraction module: obtaining the binary load base address of the executive by a heuristic method, unpacking and restoring the image file to obtain the code segments, the positions of the data segments within the executive, and the corresponding symbol files;
a semantic rebuilding module for the ICS firmware: binary semantic synthesis of the ICS system executive is realised through symbol-table-based recovery, data flow simulation, front-end service semantic extraction, task message mechanism recovery and manual analysis supplementary recovery;
an input data flow dependency metric module: coarse-grained taint spread from the input function is realised using the intermediate code P-Code of Ghidra, the conditional branches and sub-function call parameters that form a dependency relationship with the input data are recorded, a spread graph of the data flow within the ICS is formed, and a data dependency graph corresponding to each input point is output.
4. The lightweight safety detection system for industrial control systems as claimed in claim 3, wherein the input function is automatically abstracted through semantic recovery, and coarse-grained taint spread from the abstracted input function is realised through the intermediate code P-Code of Ghidra.
5. The lightweight safety detection system for industrial control systems of claim 1, wherein said dynamic analysis module comprises:
a control flow graph pruning module: based on the spread graph of the data flow within the ICS, the paths in the conditional branches that influence the taint data flow and can reach a sensitive function are cut out, and sub-function calls whose parameters are unrelated to the input are cut away at the same time, thereby forming a control flow call graph guided by the taint data flow;
a directed taint analysis module: mixed symbolic execution starting from the input function is performed on the basis of the control flow call graph guided by the taint data flow, and finally the input conditions, vulnerability locations and execution paths that cause the taint to trigger the security vulnerability are output.
6. The lightweight safety detection system for industrial control systems according to claim 1, wherein in the detection report output module, the results of the taint analysis are normalised and visually displayed, the security vulnerabilities caused by each input are grouped into different types, and the underlying cause of each vulnerability is displayed.
7. A lightweight security detection method for an industrial control system, comprising:
step S1: preprocessing an ICS system to obtain an executable file;
step S2: performing binary semantic reconstruction on the executable file through a binary reverse analysis frame, and inputting data stream dependency measurement to obtain a data stream diffusion diagram;
step S3: performing directional taint analysis on the basis of cutting a control flow on the basis of a data flow diffusion diagram;
step S4: and carrying out normalization processing and visual display on the results of the taint analysis.
8. The lightweight safety detection method for an industrial control system according to claim 7, wherein said step S1 employs: automatically identifying the image file of the ICS system according to characteristic character strings, and extracting the ICS system executive from the image file.
9. The lightweight safety detection method for an industrial control system according to claim 7, wherein said step S2 employs:
step S2.1: obtaining the binary load base address of the executive by a heuristic method, unpacking and restoring the image file to obtain the code segments, the positions of the data segments within the executive, and the corresponding symbol files;
step S2.2: realising binary semantic synthesis of the ICS system executive through symbol-table-based recovery, data flow simulation, front-end service semantic extraction, task message mechanism recovery and manual analysis supplementary recovery;
step S2.3: realising coarse-grained taint spread from the input function using the intermediate code P-Code of Ghidra, recording the conditional branches and sub-function call parameters that form a dependency relationship with the input data, forming a spread graph of the data flow within the ICS, and outputting a data dependency graph corresponding to each input point.
10. The lightweight safety detection method for an industrial control system according to claim 7, wherein said step S3 employs:
step S3.1: based on the spread graph of the data flow within the ICS, cutting out the paths in the conditional branches that influence the taint data flow and can reach a sensitive function, and at the same time cutting away sub-function calls whose parameters are unrelated to the input, thereby forming a control flow call graph guided by the taint data flow;
step S3.2: performing mixed symbolic execution starting from the input function on the basis of the control flow call graph guided by the taint data flow, and finally outputting the input conditions, vulnerability locations and execution paths that cause the taint to trigger the security vulnerability.
CN202210017397.XA 2022-01-07 2022-01-07 Lightweight safety detection system and method for industrial control system Active CN114417355B (en)

Publications (2)

Publication Number Publication Date
CN114417355A true CN114417355A (en) 2022-04-29
CN114417355B CN114417355B (en) 2022-11-08
