CN116185842A - Vulnerability discovery use case generation method and device of industrial control equipment - Google Patents


Info

Publication number
CN116185842A
Authority
CN
China
Prior art keywords
industrial control
control protocol
protocol
test
generating
Legal status
Pending
Application number
CN202310043583.5A
Other languages
Chinese (zh)
Inventor
杨昀桦
宁力军
张彦
Current Assignee
Hangzhou DPTech Technologies Co Ltd
Original Assignee
Hangzhou DPTech Technologies Co Ltd
Application filed by Hangzhou DPTech Technologies Co Ltd
Priority to CN202310043583.5A
Publication of CN116185842A
Current legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/36 Preventing errors by testing or debugging software
    • G06F11/3668 Software testing
    • G06F11/3672 Test management
    • G06F11/3684 Test management for test design, e.g. generating new test cases
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033 Test or assess software
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02P CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P90/00 Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P90/02 Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Software Systems (AREA)
  • Quality & Reliability (AREA)
  • Computing Systems (AREA)
  • Computer And Data Communications (AREA)

Abstract

The application relates to a vulnerability discovery use case generation method and device for industrial control equipment, an electronic device and a computer-readable medium. The method comprises the following steps: acquiring the industrial control protocols corresponding to a plurality of industrial control devices; disassembling and analyzing each of the industrial control protocols to generate a plurality of industrial control protocol structures; generating a plurality of industrial control protocol templates from the protocol structures and the test rules; filling parameters into the corresponding industrial control protocol structure body through the industrial control protocol template to generate a plurality of test cases; and generating vulnerability mining cases from the test cases that pass verification. With this method, device, electronic device and computer-readable medium, vulnerability test cases for different industrial control protocols can be generated efficiently: the protocols are decoupled from case generation, only the structure and specification of each protocol need to be described, case generation is faster, and case generation no longer has to be implemented separately for each protocol.

Description

Vulnerability discovery use case generation method and device of industrial control equipment
Technical Field
The disclosure relates to the field of computer information processing, in particular to a vulnerability discovery use case generation method and device of industrial control equipment, electronic equipment and a computer readable medium.
Background
Industrial control vulnerability mining is a method, based on the idea of fuzzing, for discovering vulnerabilities in industrial control equipment by supplying unexpected inputs to a target system and monitoring for abnormal results.
Most schemes currently adopted in the industry rely on message replay, or on writing dedicated scripts and tools for each protocol, to perform vulnerability mining on industrial control equipment.
In the prior art, because many industrial control manufacturers exist on the market and each has its own industrial control protocols, vulnerability mining requires either collecting messages of the relevant protocol for replay or independently developing test scripts and tools for that protocol. Since the number of industrial control protocols is huge and the protocols differ greatly from one another, supporting vulnerability mining for every industrial control protocol is time-consuming and labor-intensive.
Therefore, a new method, device, electronic device and computer readable medium for generating vulnerability discovery cases of industrial control equipment are needed.
The above information disclosed in the background section is only for enhancement of understanding of the background of the application and therefore it may contain information that does not form the prior art that is already known to a person of ordinary skill in the art.
Disclosure of Invention
In view of this, the present application provides a method, an apparatus, an electronic device and a computer-readable medium for generating vulnerability discovery cases for an industrial control device, which can efficiently generate vulnerability test cases corresponding to different industrial control protocols. The protocols are decoupled from case generation: only the structure and specification of each protocol need to be described, not how each protocol generates its cases, which improves case generation speed.
Other features and advantages of the present application will be apparent from the following detailed description, or may be learned in part by the practice of the application.
According to an aspect of the present application, a vulnerability discovery use case generation method of an industrial control device is provided, where the method includes: acquiring industrial control protocols corresponding to a plurality of industrial control devices; respectively carrying out disassembly analysis on the plurality of industrial control protocols to generate a plurality of industrial control protocol structures; correspondingly generating a plurality of industrial control protocol templates based on the plurality of industrial control protocol structures and the test rule; filling parameters for the corresponding industrial control protocol structure body through the industrial control protocol template to generate a plurality of test cases; and generating a vulnerability mining case based on the test cases passing the verification.
In an exemplary embodiment of the present application, further comprising: acquiring industrial control equipment to be subjected to vulnerability test; determining a target industrial control protocol according to the attribute of the industrial control equipment; acquiring a target industrial control protocol structure body and a target industrial control protocol template according to the target industrial control protocol; generating a plurality of vulnerability discovery cases through the target industrial control protocol structure and the target industrial control protocol template; and performing vulnerability mining on the industrial control equipment through the plurality of vulnerability mining cases.
In an exemplary embodiment of the present application, disassembling and analyzing the plurality of industrial control protocols respectively to generate a plurality of industrial control protocol structures includes: disassembling and analyzing each industrial control protocol to obtain a protocol name, a protocol type and protocol content; and generating a plurality of industrial control protocol structures from the protocol names, protocol types and protocol contents, wherein the protocol structures comprise message headers, request headers, field descriptions, byte sizes and example values.
In an exemplary embodiment of the present application, generating a plurality of industrial control protocol templates based on the plurality of industrial control protocol structures and the test rule correspondence includes: extracting a corresponding test rule based on the industrial control protocol; generating a plurality of test state identifiers through the test rule; and respectively generating an industrial control protocol template based on the plurality of test state identifiers.
In an exemplary embodiment of the present application, generating an industrial control protocol template based on a plurality of test status identifiers, respectively, includes: and respectively determining byte number limitation, and/or corresponding range, and/or starting address, and/or register number, and/or use case number for the plurality of test state identifications to generate the industrial control protocol template.
In an exemplary embodiment of the present application, parameter filling is performed for an industrial control protocol structure corresponding to the industrial control protocol template through the industrial control protocol template, so as to generate a plurality of test cases, including: acquiring a plurality of test state identifiers in the industrial control protocol template; obtaining corresponding byte number limitation, and/or corresponding range, and/or starting address, and/or register number, and/or use case number according to the multiple test state identifiers; and performing parameter filling for the corresponding industrial control protocol structure body according to the byte number limitation, the corresponding range, the starting address, the register number and/or the case number to generate a plurality of test cases.
In an exemplary embodiment of the present application, filling parameters into the corresponding industrial control protocol structure according to the byte number limitation, and/or the corresponding range, and/or the starting address, and/or the register number, and/or the case number to generate a plurality of test cases includes: generating a byte number value, and/or a corresponding range interval, and/or a starting address value, and/or a register number value, and/or a case number value from the byte number limitation, and/or the corresponding range, and/or the starting address, and/or the register number, and/or the case number, respectively; and filling the values into the corresponding positions of the industrial control protocol structure body to generate the plurality of test cases.
In an exemplary embodiment of the present application, generating a vulnerability discovery case based on a test case that passes a verification includes: performing message structure verification on the plurality of test cases; and generating the vulnerability discovery case based on the test case passing the verification.
In an exemplary embodiment of the present application, the method further comprises: temporarily storing the vulnerability discovery cases that passed verification; and outputting the vulnerability mining cases once the number of cases specified by the current industrial control protocol template has been reached.
According to an aspect of the present application, a vulnerability discovery case generation device of an industrial control device is provided, where the device includes: the protocol module is used for acquiring industrial control protocols corresponding to a plurality of industrial control devices; the disassembly module is used for respectively carrying out disassembly analysis on the plurality of industrial control protocols to generate a plurality of industrial control protocol structures; the template module is used for correspondingly generating a plurality of industrial control protocol templates based on the plurality of industrial control protocol structures and the test rule; the filling module is used for carrying out parameter filling on the corresponding industrial control protocol structure body through the industrial control protocol template to generate a plurality of test cases; and the case module is used for generating a vulnerability mining case based on the test case passing the verification.
According to an aspect of the present application, there is provided an electronic device including: one or more processors; a storage means for storing one or more programs; when the one or more programs are executed by the one or more processors, the one or more processors are caused to implement the methods as described above.
According to an aspect of the present application, a computer-readable medium is presented, on which a computer program is stored, which program, when being executed by a processor, implements a method as described above.
According to the vulnerability discovery case generation method, device, electronic equipment and computer readable medium of the industrial control equipment, industrial control protocols corresponding to a plurality of industrial control equipment are obtained; respectively carrying out disassembly analysis on the plurality of industrial control protocols to generate a plurality of industrial control protocol structures; correspondingly generating a plurality of industrial control protocol templates based on the plurality of industrial control protocol structures and the test rule; filling parameters for the corresponding industrial control protocol structure body through the industrial control protocol template to generate a plurality of test cases; based on the way that the test cases passing the verification generate the vulnerability mining cases, the vulnerability test cases corresponding to different industrial control protocols can be generated efficiently, the protocols and the case generation are decoupled, only the structure and the protocol of the protocols are concerned, and the case generation speed is improved without paying attention to how each protocol generates the case.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the application.
Drawings
The above and other objects, features and advantages of the present application will become more apparent by describing in detail exemplary embodiments thereof with reference to the attached drawings. The drawings described below are only some embodiments of the present application and other drawings may be obtained from these drawings without inventive effort for a person of ordinary skill in the art.
Fig. 1 is a flowchart illustrating a method for generating a vulnerability discovery use case of an industrial control device according to an exemplary embodiment.
Fig. 2 is a flowchart illustrating a method for generating a vulnerability discovery use case of an industrial control device according to an exemplary embodiment.
Fig. 3 is a flowchart illustrating a vulnerability discovery use case generation method of an industrial control device according to another exemplary embodiment.
Fig. 4 is a schematic diagram illustrating a vulnerability discovery use case generation method of an industrial control device according to another exemplary embodiment.
Fig. 5 is a block diagram illustrating a vulnerability discovery use case generation apparatus of an industrial control device according to an exemplary embodiment.
Fig. 6 is a block diagram of an electronic device, according to an example embodiment.
Fig. 7 is a block diagram of a computer-readable medium shown according to an example embodiment.
Detailed Description
Example embodiments will now be described more fully with reference to the accompanying drawings. However, the exemplary embodiments can be embodied in many forms and should not be construed as limited to the embodiments set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of the example embodiments to those skilled in the art. The same reference numerals in the drawings denote the same or similar parts, and thus a repetitive description thereof will be omitted.
Furthermore, the described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are provided to give a thorough understanding of embodiments of the present application. One skilled in the relevant art will recognize, however, that the aspects of the application can be practiced without one or more of the specific details, or with other methods, components, devices, steps, etc. In other instances, well-known methods, devices, implementations, or operations are not shown or described in detail to avoid obscuring aspects of the application.
The block diagrams depicted in the figures are merely functional entities and do not necessarily correspond to physically separate entities. That is, the functional entities may be implemented in software, or in one or more hardware modules or integrated circuits, or in different networks and/or processor devices and/or microcontroller devices.
The flow diagrams depicted in the figures are exemplary only, and do not necessarily include all of the elements and operations/steps, nor must they be performed in the order described. For example, some operations/steps may be decomposed, and some operations/steps may be combined or partially combined, so that the order of actual execution may be changed according to actual situations.
It will be understood that, although the terms first, second, third, etc. may be used herein to describe various components, these components should not be limited by these terms. These terms are used to distinguish one element from another element. Thus, a first component discussed below could be termed a second component without departing from the teachings of the present application concept. As used herein, the term "and/or" includes any one of the associated listed items and all combinations of one or more.
Those skilled in the art will appreciate that the drawings are schematic representations of example embodiments, and that the modules or flows in the drawings are not necessarily required to practice the present application, and therefore, should not be taken to limit the scope of the present application.
Fig. 1 is a flowchart illustrating a method for generating a vulnerability discovery use case of an industrial control device according to an exemplary embodiment. The vulnerability discovery case generation method 10 of the industrial control device at least comprises steps S102 to S110.
As shown in fig. 1, in S102, an industrial control protocol corresponding to a plurality of industrial control devices is acquired. The industrial control protocols corresponding to the existing various industrial control devices can be obtained.
In S104, the plurality of industrial control protocols are disassembled and analyzed respectively to generate a plurality of industrial control protocol structures. Each industrial control protocol can be disassembled and analyzed to obtain a protocol name, a protocol type and protocol content; a plurality of industrial control protocol structures are then generated from the protocol names, protocol types and protocol contents, where a protocol structure comprises message headers, request headers, field descriptions, byte sizes and example values.
The detailed information of each industrial control protocol is acquired after disassembly, including but not limited to the protocol name and the protocol type (such as a layer-2 protocol, a serial protocol, TCP, UDP, etc.).
In the embodiment of the present application, the fields will be illustrated by taking the industrial control protocol Modbus/TCP as an example, and it can be understood that the technical solution of the present application may also be used for analyzing and disassembling a plurality of other industrial control protocols.
Through disassembly analysis, the Modbus/TCP protocol is determined to be a TCP protocol and its port number is determined (when the protocol type is TCP or UDP, the port number is recorded; for Modbus/TCP it is TCP port 502).
The Modbus/TCP protocol structure body mainly consists of two parts: the message header fields and the specific request information. The following table gives a detailed description to facilitate understanding:
[Table (image not reproduced on this page): the Modbus/TCP protocol structure body, listing each message header and request field with its field description, byte size and example value.]
In the above embodiment, the basic message composition of the Modbus/TCP protocol consists of the items above, and the messages of other industrial control protocols can be abstracted into the same form, that is, a protocol structure body is formed for each industrial control protocol.
In S106, a plurality of industrial control protocol templates are correspondingly generated based on the plurality of industrial control protocol structures and the test rule. Corresponding test rules can be extracted based on the industrial control protocol; generating a plurality of test state identifiers through the test rule; and respectively generating an industrial control protocol template based on the plurality of test state identifiers.
More specifically, a byte count limit, and/or a corresponding range, and/or a starting address, and/or a number of registers, and/or a number of use case pieces may be determined for the plurality of test state identifications, respectively, to generate the industrial control protocol template.
The industrial control protocol template is based on filling in the contents of each protocol structure. In the above table, after each field is filled according to the protocol specification using the example values, a Modbus/TCP message for reading the value of register position 2 is obtained; in hexadecimal, the application-layer message is 0x100100000006FF0300020001. When each field is instead filled by one of several test rules, industrial control protocol field templates with different functions can be combined.
In a specific embodiment, again taking Modbus/TCP as an example, each field in the protocol can be marked with one of five states: compliant random, illegal random, compliant preset, illegal preset, and custom.
Compliant random means randomly taking, as the value of the field, one value from the range that satisfies both the field's byte-count limit and the protocol specification.
Illegal random means taking a value from the range that satisfies the field's byte-count limit but not the message specification. For example, for the Modbus/TCP function code 0x03 (read holding registers), the protocol specifies that the sum of the start address and the number of registers is not more than 65536 and not less than 1, and that the number of registers is not less than 1; thus when the start address is 65535 the number of registers can only be 1, otherwise the protocol specification is not satisfied. The number-of-registers field is 2 bytes, however, so when the protocol specification is ignored its available range is 0-65535.
Hence, with a start address of 65535, the number of registers can only be 1 under compliant random, whereas under illegal random it can be taken from 0-65535. Other protocols and their fields are handled on the same principle of compliant or illegal random. The rules for compliant preset and illegal preset are essentially the same as for the random states; the only difference is that a fixed value is used.
As in the example above, the compliant preset for the number of registers is 1 regardless of the start address, which guarantees that the entry is always compliant; the illegal preset works the other way round.
The custom rule lets the value of the corresponding field be specified directly, provided the byte-length constraint is satisfied.
A field specifying the number of use cases to be generated under the rule, and similar items, can also be added. Combining the above parts forms the industrial control protocol templates corresponding to the different protocols.
In S108, parameter filling is performed for the corresponding industrial control protocol structure body through the industrial control protocol template, so as to generate a plurality of test cases. A plurality of test state identifiers in the industrial control protocol template can be obtained; obtaining corresponding byte number limitation, and/or corresponding range, and/or starting address, and/or register number, and/or use case number according to the multiple test state identifiers; and performing parameter filling for the corresponding industrial control protocol structure body according to the byte number limitation, the corresponding range, the starting address, the register number and/or the case number to generate a plurality of test cases.
More specifically, a byte count value, and/or a corresponding range interval, and/or a starting address value, and/or a register count value, and/or a case count value may be generated according to a byte count limit, and/or a corresponding range, and/or a starting address, and/or a register count, and/or a case count, respectively; and filling the numerical value into the corresponding position of the industrial control protocol structure body to generate the plurality of test cases.
And filling the numerical values meeting the strategy for each parameter value in the industrial control protocol template, so as to generate the test case.
In S110, a vulnerability discovery case is generated based on the test cases that pass the verification. The message structure verification can be performed on the plurality of test cases; and generating the vulnerability discovery case based on the test case passing the verification.
In one embodiment, the vulnerability discovery cases that pass verification can also be temporarily stored, and the vulnerability mining cases are output once the number of cases specified by the current industrial control protocol template has been reached.
The method and device mainly aim to optimize the traditional case generation flow when vulnerability mining has to be carried out on many industrial control protocols, by extracting the shared flow into a framework and thereby improving the development efficiency of vulnerability mining scripts or tools for different industrial control protocols.
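As an added illustration of steps S104 to S110 (example code written for this page, not the patent's implementation), the following Python models the Modbus/TCP structure body, a template that gives each field one of the five states, parameter filling, and the message structure check; it reproduces the page's example frame 0x100100000006FF0300020001 and the start-address-65535 boundary discussed above. The field widths are the standard Modbus/TCP layout; the fixed values assumed for protocol identifier and length, the state names and all function names are choices of this example.

```python
import random

# Added example, not the patent's code: the Modbus/TCP structure body of the page's
# table, the five field states of a template, parameter filling (S108) and the
# message structure check (S110). Field widths follow the standard Modbus/TCP layout.
MODBUS_TCP_FIELDS = [
    ("transaction_id", 2), ("protocol_id", 2), ("length", 2), ("unit_id", 1),
    ("function_code", 1), ("start_address", 2), ("register_count", 2),
]
WIDTH = dict(MODBUS_TCP_FIELDS)


def compliant_range(name, values):
    """Inclusive [lo, hi] allowed by the spec for `name`, given fields already filled.

    Only the page's rules for a function 0x03 (read holding registers) request are
    modelled: start address + register count <= 65536 and register count >= 1. The
    fixed values protocol id 0 and length 6 (bytes after the length field) are assumed.
    """
    maxv = (1 << (8 * WIDTH[name])) - 1
    if name == "protocol_id":
        return 0, 0
    if name == "length":
        return 6, 6
    if name == "function_code":
        return 0x03, 0x03
    if name == "register_count":
        # With start address 65535 only a count of 1 is compliant (page's example).
        return 1, min(65536 - values["start_address"], maxv)
    return 0, maxv


def fill_field(name, state, values, rng, preset=None):
    """Produce one value for `name` according to its template state."""
    maxv = (1 << (8 * WIDTH[name])) - 1
    lo, hi = compliant_range(name, values)
    below, above = lo, maxv - hi  # sizes of the illegal parts [0, lo) and (hi, maxv]
    if state == "custom":
        if preset is None or not 0 <= preset <= maxv:
            raise ValueError(f"custom value for {name} must fit in {WIDTH[name]} byte(s)")
        return preset
    if state == "compliant_random":
        return rng.randint(lo, hi)
    if state == "compliant_preset":
        return lo  # fixed compliant value, e.g. register count 1 whatever the address
    if below + above == 0:
        raise ValueError(f"every value of {name} is compliant; no illegal case exists")
    if state == "illegal_preset":
        return maxv if above else 0  # fixed value outside the compliant range
    if state == "illegal_random":
        k = rng.randrange(below + above)  # uniform over [0, lo) U (hi, maxv]
        return k if k < below else hi + 1 + (k - below)
    raise ValueError(f"unknown state {state!r}")


def generate_case(template, rng):
    """Fill the structure body field by field; later fields see earlier values."""
    values = {}
    for name, _ in MODBUS_TCP_FIELDS:
        state, preset = template[name]
        values[name] = fill_field(name, state, values, rng, preset)
    return values


def encode(values):
    """Serialise the structure body into the application-layer message (big-endian)."""
    return b"".join(values[n].to_bytes(w, "big") for n, w in MODBUS_TCP_FIELDS)


def verify_structure(values):
    """S110 message structure check: every field present and within its byte width."""
    for name, width in MODBUS_TCP_FIELDS:
        v = values.get(name)
        if v is None or not 0 <= v <= (1 << (8 * width)) - 1:
            return False
    return len(encode(values)) == sum(w for _, w in MODBUS_TCP_FIELDS)


def generate_cases(template, count, seed=0):
    """Rule as on the page, {number of use cases: count, field: state, ...}: generate
    cases until `count` of them have passed the structure check."""
    rng = random.Random(seed)  # seeded so any case that trips a device can be replayed
    cases = []
    while len(cases) < count:
        case = generate_case(template, rng)
        if verify_structure(case):
            cases.append(case)
    return cases


# Template reproducing the page's example frame 0x100100000006FF0300020001.
PAGE_EXAMPLE_TEMPLATE = {
    "transaction_id": ("custom", 0x1001), "protocol_id": ("compliant_preset", None),
    "length": ("compliant_preset", None), "unit_id": ("custom", 0xFF),
    "function_code": ("compliant_preset", None), "start_address": ("custom", 2),
    "register_count": ("compliant_preset", None),
}
# The page's boundary: start address 65535 makes every register count except 1 illegal.
BOUNDARY_TEMPLATE = dict(PAGE_EXAMPLE_TEMPLATE, start_address=("custom", 65535),
                         register_count=("illegal_random", None))
```

Because later fields see earlier values, the compliant range of the register count is recomputed per case from the start address already filled, which is what makes the 65535 boundary behave as the page describes.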
Fig. 2 is a flowchart illustrating a method for generating a vulnerability discovery use case of an industrial control device according to an exemplary embodiment. The vulnerability discovery case generation method 20 of the industrial control device may further include steps S202 to S210.
As shown in fig. 2, in S202, an industrial control device to be subjected to a vulnerability test is acquired.
In S204, a target industrial control protocol is determined according to the attributes of the industrial control device. The attributes of the device are obtained; for example, the device may be security-and-surveillance industrial control equipment, video industrial control equipment, and so on, and the industrial control protocol corresponding to the device is determined from these attributes.
In S206, a target industrial control protocol structure and a target industrial control protocol template are obtained according to the target industrial control protocol. And extracting the industrial control protocol structure body obtained by pre-disassembly analysis and the corresponding industrial control protocol template according to the industrial control protocol.
In S208, a plurality of vulnerability discovery cases are generated by the target industrial control protocol structure and the target industrial control protocol template. And automatically generating a plurality of test cases, and checking the plurality of test cases to generate a vulnerability-mining case.
In a specific embodiment, the tester may modify the industrial control protocol template, such as modifying the initial number of use cases, or deleting some test items, so as to perform personalized customization setting on the present industrial control device.
In S210, vulnerability mining is performed on the industrial control device using the plurality of vulnerability discovery cases. The cases are input to the industrial control device, and the device produces a test result according to its own security configuration.
According to the vulnerability discovery case generation method of the industrial control equipment, industrial control protocols corresponding to a plurality of industrial control equipment are obtained; respectively carrying out disassembly analysis on the plurality of industrial control protocols to generate a plurality of industrial control protocol structures; correspondingly generating a plurality of industrial control protocol templates based on the plurality of industrial control protocol structures and the test rule; filling parameters for the corresponding industrial control protocol structure body through the industrial control protocol template to generate a plurality of test cases; based on the way that the test cases passing the verification generate the vulnerability mining cases, the vulnerability test cases corresponding to different industrial control protocols can be generated efficiently, the protocols and the case generation are decoupled, only the structure and the protocol of the protocols are concerned, and the case generation speed is improved without paying attention to how each protocol generates the case.
It should be clearly understood that this application describes how to make and use particular examples, but the principles of this application are not limited to any details of these examples. Rather, these principles can be applied to many other embodiments based on the teachings of the present disclosure.
Fig. 3 is a flowchart of a vulnerability discovery use case generation method of an industrial control device according to another exemplary embodiment. The flow 30 shown in Fig. 3 describes the flow of Fig. 2 in more detail.
As shown in Fig. 3, in S302, the template parameters are disassembled. The protocol structure generator initializes the protocol according to the protocol structure passed in from the template storage module, providing the basic protocol framework for the subsequent use case generation;
in S304, use cases are filled in and generated. The template parameters are disassembled: each template is broken down according to the protocol field template for the relevant protocol in the template storage module and the five field identifiers.
In one embodiment, taking Modbus/TCP as an example, the structure data obtained from the template storage module is disassembled into data of the following form:
Rule 1: { number of use cases: 500, transaction identifier high-order byte: compliant random, transaction identifier low-order byte: illegal preset }
Rule 2: { number of use cases: 2000, transaction identifier high-order byte: custom (0x10), transaction identifier low-order byte: compliant random }, and so on. These rules are the generation rules for the next step, use case generation;
in S306, the message structure is checked. The use case filling and generation module converts the template parsed in the previous step into actual values according to the rule defined by the state identifier (one of the five) of each field, generates cases in a loop up to the required number of use cases, and checks every generated case.
In S308, temporary storage is performed. If a generated case is determined to satisfy the rule, it is placed in temporary storage; this step loops until the number of use cases required by the rule has been generated, those cases are output, and then the next rule is read to generate and output its cases.
In S310, the use cases are output. Only Modbus/TCP is used here for ease of explanation; this does not mean the method applies only to that protocol. Different industrial control protocols can be supported within the framework of the invention, so that use cases for multiple protocols can be generated rapidly.
The method for generating vulnerability discovery cases of industrial control devices optimizes and improves the existing method and increases the case output efficiency;
it also supports different industrial control protocols more efficiently, because protocol and case generation are decoupled: only the structure and rules of each protocol need attention, not how each protocol generates its cases.
Fig. 4 is a schematic diagram of a vulnerability discovery use case generation method of an industrial control device according to another exemplary embodiment. The application observes that although the specific message content differs between the use cases of different industrial control protocols, there is much in common. If the common parts are abstracted into a framework, the efficiency of generating industrial control vulnerability discovery cases improves markedly, and so does the support of industrial control vulnerability discovery for the protocols of different manufacturers. The invention abstracts the above process into two main modules, as shown in Fig. 4.
The first module is the template storage module, which stores the various industrial protocols and the template rule sets corresponding to them; it abstracts the industrial control protocols and supplies protocol data to the use case generation module. The second module is the use case generation module, which generates use cases from the protocol and the related protocol information passed in by the template storage module and implements the generation process.
Those skilled in the art will appreciate that all or part of the steps of the above embodiments may be implemented as a computer program executed by a CPU; when executed by the CPU, the program performs the functions defined by the above methods. The program may be stored in a computer-readable storage medium such as a read-only memory, a magnetic disk or an optical disk.
Furthermore, it should be noted that the above-described figures are merely illustrative of the processes involved in the method according to the exemplary embodiments of the present application, and are not intended to be limiting. It will be readily appreciated that the processes shown in the above figures do not indicate or limit the temporal order of these processes. In addition, it is also readily understood that these processes may be performed synchronously or asynchronously, for example, among a plurality of modules.
The following are device embodiments of the present application, which may be used to perform method embodiments of the present application. For details not disclosed in the device embodiments of the present application, please refer to the method embodiments of the present application.
Fig. 5 is a block diagram illustrating a vulnerability discovery use case generation apparatus of an industrial control device according to an exemplary embodiment. As shown in fig. 5, the vulnerability discovery use case generation apparatus 50 of the industrial control device includes: protocol module 502, disassemble module 504, template module 506, populate module 508, use case module 510.
The protocol module 502 is configured to acquire industrial control protocols corresponding to a plurality of industrial control devices;
the disassembly module 504 is configured to disassemble and analyze each of the plurality of industrial control protocols to generate a plurality of industrial control protocol structures. The disassembly module 504 is further configured to disassemble and analyze each industrial control protocol to obtain a protocol name, a protocol type and protocol content, and to generate the industrial control protocol structures from the protocol name, protocol type and protocol content, where a protocol structure comprises a message header, a request header, field descriptions, byte spaces and example values.
The template module 506 is configured to generate a plurality of industrial control protocol templates from the plurality of industrial control protocol structures and the test rules. The template module 506 is further configured to extract the test rule corresponding to an industrial control protocol, generate a plurality of test state identifiers from the test rule, and generate an industrial control protocol template from the plurality of test state identifiers.
The filling module 508 is configured to fill parameters into the corresponding industrial control protocol structure through the industrial control protocol template so as to generate a plurality of test cases. The filling module 508 is further configured to obtain the plurality of test state identifiers in the industrial control protocol template; to derive from them the corresponding byte count limit, value range, start address, register count and/or use case count; and to fill parameters into the corresponding industrial control protocol structure according to the byte count limit, value range, start address, register count and/or use case count to generate the plurality of test cases.
The use case module 510 is configured to generate vulnerability discovery cases from the test cases that pass the check. The use case module 510 is further configured to perform a message structure check on the plurality of test cases and to generate the vulnerability discovery cases from the test cases that pass it. The use case module 510 is further configured to temporarily store the vulnerability discovery cases that pass the check, and to output them once the number of use cases specified by the current industrial control protocol template has been reached.
According to the vulnerability discovery case generation device of the industrial control device, industrial control protocols corresponding to a plurality of industrial control devices are acquired; each protocol is disassembled and analyzed to generate an industrial control protocol structure; industrial control protocol templates are generated from the structures and the test rules; parameters are filled into the corresponding structure through the template to generate a plurality of test cases; and vulnerability discovery cases are generated from the test cases that pass the check. In this way vulnerability test cases for different industrial control protocols can be generated efficiently: protocol and case generation are decoupled, only the structure and rules of each protocol need attention, and case generation is faster because how each protocol generates its cases need not be considered separately.
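The S302-S310 flow of Fig. 3 (initialize the structure, disassemble the rule, fill, check, store temporarily, output) and the module split of Figs. 4 and 5 (template storage on one side, case generation on the other) are easiest to see in working code. The following is an added example, not code from the patent or its assignee. It assumes a concrete shape for the protocol structure body (`Field`: name, byte space, example value, legal range, preset illegal values), names the five test state identifiers (the patent names only compliant-random, illegal-preset and custom, so `EXAMPLE` and `BOUNDARY` are assumed), and uses constructed rules with small counts in place of the 500- and 2000-case rules quoted above. It goes slightly beyond the Modbus/TCP case in the text in that the same generator works for any protocol whose structure is written as a list of `Field` entries.

```python
"""Template-driven generation of Modbus/TCP vulnerability discovery cases.

Added example, not code from the patent. A protocol structure body gives the
frame layout, a template rule assigns one test state identifier per field,
the filler turns identifiers into values, each candidate is checked, kept in
temporary storage, and the rule's cases are output once the requested number
has been reached.
"""
import random
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class State(Enum):
    """Test state identifiers (EXAMPLE and BOUNDARY are assumed names)."""
    EXAMPLE = "example"                # keep the structure's example value
    LEGAL_RANDOM = "legal_random"      # random value inside the legal range
    ILLEGAL_PRESET = "illegal_preset"  # one of the field's preset illegal values
    CUSTOM = "custom"                  # fixed value given by the rule, e.g. 0x10
    BOUNDARY = "boundary"              # lower or upper end of the legal range


@dataclass(frozen=True)
class Field:
    """One entry of the protocol structure body (assumed shape)."""
    name: str
    size: int                      # byte space in octets
    example: int                   # example value from the structure
    legal: Tuple[int, int]         # inclusive legal range
    illegal: Tuple[int, ...] = ()  # preset illegal values, may be empty


# Template storage: Modbus/TCP Read Holding Registers (0x03) request in wire
# order. The transaction identifier is split into its high and low bytes so a
# rule can address them separately, as the rule examples in the text do.
MODBUS_TCP_READ_HOLDING: List[Field] = [
    Field("transaction_id_hi", 1, 0x00, (0x00, 0xFF)),
    Field("transaction_id_lo", 1, 0x01, (0x00, 0xFF)),
    Field("protocol_id", 2, 0x0000, (0x0000, 0x0000), illegal=(0x0001, 0xFFFF)),
    Field("length", 2, 6, (6, 6), illegal=(0, 5, 7, 0xFFFF)),
    Field("unit_id", 1, 1, (0, 247), illegal=(248, 255)),
    Field("function_code", 1, 0x03, (0x03, 0x03), illegal=(0x00, 0x80, 0xFF)),
    Field("start_address", 2, 0x0000, (0x0000, 0xFFFF)),
    Field("quantity", 2, 1, (1, 125), illegal=(0, 126, 0xFFFF)),
]

# Constructed rules: case count plus (state, custom value) per field; fields a
# rule does not mention keep their example value.
Assignment = Tuple[State, Optional[int]]
RULE_1 = {"count": 50, "fields": {"transaction_id_hi": (State.LEGAL_RANDOM, None),
                                  "quantity": (State.ILLEGAL_PRESET, None)}}
RULE_2 = {"count": 20, "fields": {"transaction_id_hi": (State.CUSTOM, 0x10),
                                  "transaction_id_lo": (State.LEGAL_RANDOM, None),
                                  "length": (State.ILLEGAL_PRESET, None)}}


def fill_field(field: Field, state: State, custom: Optional[int], rng: random.Random) -> int:
    """Convert one field's test state identifier into a concrete value."""
    lo, hi = field.legal
    if state is State.EXAMPLE:
        return field.example
    if state is State.LEGAL_RANDOM:
        return rng.randint(lo, hi)
    if state is State.BOUNDARY:
        return rng.choice((lo, hi))
    if state is State.CUSTOM:
        if custom is None:
            raise ValueError(f"{field.name}: CUSTOM needs a value")
        return custom
    if not field.illegal:
        raise ValueError(f"{field.name}: no illegal presets defined")
    return rng.choice(field.illegal)


def check_structure(structure: List[Field], fields: Dict[str, Assignment], values: Dict[str, int]) -> bool:
    """Message structure check: every value fits its byte space and agrees
    with the state the rule assigned to that field."""
    for f in structure:
        v = values[f.name]
        if not 0 <= v < 256 ** f.size:
            return False
        state, custom = fields.get(f.name, (State.EXAMPLE, None))
        lo, hi = f.legal
        if state in (State.EXAMPLE, State.LEGAL_RANDOM, State.BOUNDARY) and not lo <= v <= hi:
            return False
        if state is State.ILLEGAL_PRESET and lo <= v <= hi:
            return False
        if state is State.CUSTOM and v != custom:
            return False
    return True


def pack(structure: List[Field], values: Dict[str, int]) -> bytes:
    return b"".join(values[f.name].to_bytes(f.size, "big") for f in structure)


def unpack(structure: List[Field], frame: bytes) -> Dict[str, int]:
    values, offset = {}, 0
    for f in structure:
        values[f.name] = int.from_bytes(frame[offset:offset + f.size], "big")
        offset += f.size
    return values


def generate_cases(structure: List[Field], rule: dict, seed: int = 0) -> List[bytes]:
    """Fill, check and temporarily store cases until rule["count"] is reached."""
    rng = random.Random(seed)
    store: List[bytes] = []            # temporary storage
    attempts = 0
    while len(store) < rule["count"]:
        attempts += 1
        if attempts > 20 * rule["count"]:
            raise RuntimeError("rule cannot be satisfied by this structure")
        values = {f.name: fill_field(f, *rule["fields"].get(f.name, (State.EXAMPLE, None)), rng)
                  for f in structure}
        if check_structure(structure, rule["fields"], values):
            store.append(pack(structure, values))
    return store                       # output once the rule's count is met


if __name__ == "__main__":
    for rule in (RULE_1, RULE_2):
        for case in generate_cases(MODBUS_TCP_READ_HOLDING, rule)[:3]:
            print(case.hex(" "))
```

The check deliberately rejects a candidate whose illegal-preset field happened to land inside the legal range, and a rule that asks for an illegal preset on a field that has none fails immediately instead of looping; both are the kind of failure mode the S306 check exists to catch. Adding a protocol means writing its structure as another list of `Field` entries; the generator itself does not change.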
Fig. 6 is a block diagram of an electronic device, according to an example embodiment.
An electronic device 600 according to this embodiment of the present application is described below with reference to fig. 6. The electronic device 600 shown in fig. 6 is merely an example, and should not be construed as limiting the functionality and scope of use of embodiments of the present application.
As shown in fig. 6, the electronic device 600 is in the form of a general purpose computing device. Components of electronic device 600 may include, but are not limited to: at least one processing unit 610, at least one memory unit 620, a bus 630 connecting the different system components (including the memory unit 620 and the processing unit 610), a display unit 640, etc.
Wherein the storage unit stores program code that is executable by the processing unit 610 such that the processing unit 610 performs steps described in the present specification according to various exemplary embodiments of the present application. For example, the processing unit 610 may perform the steps as shown in fig. 1, 2, and 3.
The memory unit 620 may include readable media in the form of volatile memory units, such as Random Access Memory (RAM) 6201 and/or cache memory unit 6202, and may further include Read Only Memory (ROM) 6203.
The storage unit 620 may also include a program/utility 6204 having a set (at least one) of program modules 6205, such program modules 6205 including, but not limited to: an operating system, one or more application programs, other program modules, and program data, each or some combination of which may include an implementation of a network environment.
Bus 630 may represent one or more of several types of bus structures, including a memory unit bus or memory unit controller, a peripheral bus, an accelerated graphics port, or a processor or local bus using any of a variety of bus architectures.
The electronic device 600 may also communicate with one or more external devices 600' (e.g., a keyboard, a pointing device, a Bluetooth device, etc.), with one or more devices that enable a user to interact with the electronic device 600, and/or with any device (e.g., a router, a modem, etc.) that enables the electronic device 600 to communicate with one or more other computing devices. Such communication may occur through an input/output (I/O) interface 650. The electronic device 600 may also communicate with one or more networks such as a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network such as the Internet through a network adapter 660. The network adapter 660 may communicate with the other modules of the electronic device 600 over the bus 630. It should be appreciated that although not shown, other hardware and/or software modules may be used in connection with the electronic device 600, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, data backup storage systems, and the like.
From the above description of embodiments, those skilled in the art will readily appreciate that the example embodiments described herein may be implemented in software, or may be implemented in software in combination with the necessary hardware. Thus, as shown in fig. 7, the technical solution according to the embodiments of the present application may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (may be a CD-ROM, a U-disk, a mobile hard disk, etc.) or on a network, and includes several instructions to cause a computing device (may be a personal computer, a server, or a network device, etc.) to perform the above-described method according to the embodiments of the present application.
The software product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. The readable storage medium can be, for example, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium would include the following: an electrical connection having one or more wires, a portable disk, a hard disk, random Access Memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
A readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, with readable program code embodied therein. Such a propagated data signal may take any of a variety of forms, including but not limited to electromagnetic, optical, or any suitable combination of the foregoing. A readable signal medium may also be any readable medium other than a readable storage medium that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Program code for carrying out the operations of the present application may be written in any combination of one or more programming languages, including an object-oriented programming language such as Java or C++ and conventional procedural programming languages such as the "C" programming language or similar languages. The program code may execute entirely on the user's computing device, partly on the user's device as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server. In the case of a remote computing device, the remote computing device may be connected to the user's computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., via the Internet using an Internet service provider).
The computer-readable medium carries one or more programs which, when executed by one of the devices, cause the device to perform the following functions: acquiring industrial control protocols corresponding to a plurality of industrial control devices; disassembling and analyzing each of the plurality of industrial control protocols to generate a plurality of industrial control protocol structures; generating a plurality of industrial control protocol templates from the plurality of industrial control protocol structures and the test rules; filling parameters into the corresponding industrial control protocol structure through the industrial control protocol template to generate a plurality of test cases; and generating vulnerability discovery cases from the test cases that pass the check.
Those skilled in the art will appreciate that the modules may be distributed among several devices as described in the embodiments, or may be located, with corresponding changes, in one or more devices different from those of the embodiments. The modules of the above embodiments may be combined into one module, or may be further split into a plurality of sub-modules.
From the above description of embodiments, those skilled in the art will readily appreciate that the example embodiments described herein may be implemented in software, or in combination with the necessary hardware. Thus, the technical solutions according to the embodiments of the present application may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (may be a CD-ROM, a U-disk, a mobile hard disk, etc.) or on a network, and include several instructions to cause a computing device (may be a personal computer, a server, a mobile terminal, or a network device, etc.) to perform the methods according to the embodiments of the present application.
Exemplary embodiments of the present application are specifically illustrated and described above. It is to be understood that this application is not limited to the details of construction, arrangement or method of implementation described herein; on the contrary, the application is intended to cover various modifications and equivalent arrangements included within the spirit and scope of the appended claims.

Claims (10)

1. A vulnerability discovery case generation method of an industrial control device, characterized in that it comprises the following steps:
acquiring industrial control protocols corresponding to a plurality of industrial control devices;
disassembling and analyzing each of the plurality of industrial control protocols to generate a plurality of industrial control protocol structures;
generating a plurality of industrial control protocol templates from the plurality of industrial control protocol structures and the test rules;
filling parameters into the corresponding industrial control protocol structure through the industrial control protocol template to generate a plurality of test cases;
and generating vulnerability discovery cases from the test cases that pass the check.
2. The method as recited in claim 1, further comprising:
acquiring industrial control equipment to be subjected to vulnerability test;
determining a target industrial control protocol according to the attributes of the industrial control device;
acquiring a target industrial control protocol structure and a target industrial control protocol template according to the target industrial control protocol;
generating a plurality of vulnerability discovery cases through the target industrial control protocol structure and the target industrial control protocol template;
and performing vulnerability discovery on the industrial control device with the plurality of vulnerability discovery cases.
3. The method of claim 1, wherein disassembling and analyzing each of the plurality of industrial control protocols to generate a plurality of industrial control protocol structures comprises:
disassembling and analyzing each of the plurality of industrial control protocols to obtain a protocol name, a protocol type and protocol content;
generating the plurality of industrial control protocol structures from the protocol names, protocol types and protocol contents, wherein a protocol structure comprises a message header, a request header, field descriptions, byte spaces and example values.
4. The method of claim 1, wherein generating a plurality of industrial control protocol templates from the plurality of industrial control protocol structures and the test rules comprises:
extracting the test rule corresponding to the industrial control protocol;
generating a plurality of test state identifiers from the test rule;
and generating an industrial control protocol template from the plurality of test state identifiers.
5. The method of claim 4, wherein generating an industrial control protocol template from the plurality of test state identifiers comprises:
determining, for the plurality of test state identifiers, a byte count limit, and/or a value range, and/or a start address, and/or a register count, and/or a use case count, to generate the industrial control protocol template.
6. The method of claim 1, wherein filling parameters into the corresponding industrial control protocol structure through the industrial control protocol template to generate a plurality of test cases comprises:
acquiring a plurality of test state identifiers in the industrial control protocol template;
obtaining the corresponding byte count limit, and/or value range, and/or start address, and/or register count, and/or use case count from the plurality of test state identifiers;
and filling parameters into the corresponding industrial control protocol structure according to the byte count limit, and/or value range, and/or start address, and/or register count, and/or use case count to generate the plurality of test cases.
7. The method of claim 6, wherein filling parameters into the corresponding industrial control protocol structure according to the byte count limit, and/or the value range, and/or the start address, and/or the register count, and/or the use case count to generate the plurality of test cases comprises:
generating a byte count value, and/or a value range interval, and/or a start address value, and/or a register count value, and/or a use case count value from the byte count limit, and/or the value range, and/or the start address, and/or the register count, and/or the use case count;
and filling the values into the corresponding positions of the industrial control protocol structure to generate the plurality of test cases.
8. The method of claim 1, wherein generating vulnerability discovery cases from the test cases that pass the check comprises:
performing a message structure check on the plurality of test cases;
and generating the vulnerability discovery cases from the test cases that pass the check.
9. The method of claim 8, further comprising:
temporarily storing the vulnerability discovery cases that pass the check;
and outputting the vulnerability discovery cases once the number of use cases specified by the current industrial control protocol template has been reached.
10. A vulnerability discovery use case generation device of an industrial control device, characterized in that it comprises:
a protocol module for acquiring industrial control protocols corresponding to a plurality of industrial control devices;
a disassembly module for disassembling and analyzing each of the plurality of industrial control protocols to generate a plurality of industrial control protocol structures;
a template module for generating a plurality of industrial control protocol templates from the plurality of industrial control protocol structures and the test rules;
a filling module for filling parameters into the corresponding industrial control protocol structure through the industrial control protocol template to generate a plurality of test cases;
and a use case module for generating vulnerability discovery cases from the test cases that pass the check.
CN202310043583.5A 2023-01-26 2023-01-26 Vulnerability discovery use case generation method and device of industrial control equipment Pending CN116185842A (en)


Publications (1)

Publication Number Publication Date
CN116185842A true CN116185842A (en) 2023-05-30

Family

ID=86441675



Legal Events

Date Code Title Description
PB01 Publication