
Security analysis of industrial control network protocols based on Peach

YI Shengwei, ZHANG Chongbin, XIE Feng, XIONG Qi, XIANG Chong, LIANG Lulu (伊胜伟, 张翀斌, 谢丰, 熊琦, 向憧, 梁露露)
China Information Technology Security Evaluation Center, Beijing 100085, China

Abstract (Chinese version, translated): Fuzzing is one of the important techniques for discovering undisclosed vulnerabilities. This paper proposes a security analysis method for industrial control network protocols based on Peach. The method uses a mutation strategy to construct malformed network packets and sends them to the target under test; during testing it monitors the operating status of the target's industrial control network protocol, detects network anomalies and analyzes them. Taking Modbus TCP, a public and widely used industrial control network protocol, as an example, the method is applied to analyze its security. Experimental results show that the method is effective for discovering security vulnerabilities in industrial control network protocols.

Keywords: industrial control systems, industrial control network protocols, Peach, fuzzing, vulnerability analysis

Abstract (English version): Fuzzing tests are important for the discovery of unknown vulnerabilities and risks. A security analysis method was developed for industrial control network protocols using the Peach fuzzing framework. The system uses a mutation strategy to fabricate abnormal network packets, sends these packets to the target and then executes tests. The tests monitor the status of the industrial control network protocols and identify exceptions in them. Modbus TCP, a widely used industrial control network protocol, is analyzed as an example by fuzzing the Modbus TCP protocol. The results show that this method can effectively identify vulnerabilities in industrial control network protocols.

Key words: industrial control systems; industrial control network protocols; Peach; fuzzing test; vulnerability analyses
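The mutate, send and monitor loop that the abstract describes, at toy scale and in Python, as an added example (not code from the paper and not Peach itself): a well-formed Modbus TCP Read Coils (function code 0x01) request is built from the public MBAP-plus-PDU layout, several mutation strategies (the strategy names are this example's own) produce malformed variants, an in-process `simulated_target` stands in for a Modbus server such as the ModbusSim simulator named in the figure list (its replies are constructed and describe no real device), and a monitor both classifies the target's response and checks each frame against protocol invariants. The point the loop makes is that the protocol-level monitor flags malformed frames (for example a wrong MBAP length field) even when the target still answers normally, which is why the paper monitors protocol state rather than relying on the target alone.

```python
"""Mutation-based fuzz loop for Modbus TCP function code 0x01 (Read Coils).

Added example; not code from the paper or from Peach. Frame layout follows
the public Modbus TCP specification. `simulated_target` is a constructed
stand-in for a Modbus server (e.g. ModbusSim); its replies describe no real device.
"""
import random
import struct
from typing import Dict, Optional

PROTOCOL_ID = 0         # MBAP protocol identifier is always 0 for Modbus
FC_READ_COILS = 0x01
MAX_COILS = 2000        # spec limit on coils per Read Coils request
STRATEGIES = ("bitflip", "truncate", "extend", "length_field", "quantity")


def build_read_coils(txn_id: int, unit: int, start: int, quantity: int) -> bytes:
    """Well-formed Read Coils request: 7-byte MBAP header + 5-byte PDU."""
    pdu = struct.pack(">BHH", FC_READ_COILS, start, quantity)
    mbap = struct.pack(">HHHB", txn_id, PROTOCOL_ID, len(pdu) + 1, unit)
    return mbap + pdu


def validate_frame(frame: bytes) -> Optional[str]:
    """Monitor-side check of protocol invariants; None means well formed."""
    if len(frame) < 8:
        return "shorter than MBAP header plus function code"
    _txn, proto, length, _unit = struct.unpack(">HHHB", frame[:7])
    if proto != PROTOCOL_ID:
        return f"protocol id {proto} is not 0"
    if length != len(frame) - 6:
        return f"length field {length} != actual {len(frame) - 6}"
    if frame[7] != FC_READ_COILS:
        return f"unexpected function code {frame[7]:#04x}"
    if len(frame) != 12:
        return f"Read Coils PDU must be 5 bytes, got {len(frame) - 7}"
    _start, qty = struct.unpack(">HH", frame[8:12])
    if not 1 <= qty <= MAX_COILS:
        return f"quantity {qty} outside 1..{MAX_COILS}"
    return None


def mutate(frame: bytes, strategy: str, rng: random.Random) -> bytes:
    """Apply one mutation strategy (names are this example's own) to a frame."""
    b = bytearray(frame)
    if strategy == "bitflip":
        i = rng.randrange(len(b))
        b[i] ^= 1 << rng.randrange(8)
    elif strategy == "truncate":
        b = b[:rng.randrange(1, len(b))]
    elif strategy == "extend":
        b += bytes(rng.randrange(256) for _ in range(rng.randrange(1, 64)))
    elif strategy == "length_field":       # MBAP length no longer matches
        struct.pack_into(">H", b, 4, rng.choice([0, 1, 0xFFFF, len(b) - 5]))
    elif strategy == "quantity":           # out-of-range coil count
        struct.pack_into(">H", b, 10, rng.choice([0, MAX_COILS + 1, 0xFFFF]))
    return bytes(b)


def simulated_target(frame: bytes) -> Optional[bytes]:
    """Constructed stand-in server: drops unparseable frames, answers bad
    requests with Modbus exception responses, never checks the MBAP length."""
    if len(frame) < 8 or struct.unpack(">H", frame[2:4])[0] != PROTOCOL_ID:
        return None                         # silently dropped
    txn, unit, fc = frame[:2], frame[6:7], frame[7]
    if fc != FC_READ_COILS:
        pdu = bytes([fc | 0x80, 0x01])      # exception 01: illegal function
    elif len(frame) < 12:
        pdu = bytes([0x81, 0x03])           # exception 03: illegal data value
    else:
        _start, qty = struct.unpack(">HH", frame[8:12])
        if not 1 <= qty <= MAX_COILS:
            pdu = bytes([0x81, 0x03])
        else:
            nbytes = (qty + 7) // 8
            pdu = bytes([FC_READ_COILS, nbytes]) + bytes(nbytes)
    return txn + struct.pack(">HH", PROTOCOL_ID, len(pdu) + 1) + unit + pdu


def classify_response(resp: Optional[bytes]) -> str:
    """Monitor verdict: no reply at all is the case worth deeper analysis."""
    if resp is None:
        return "no_response"
    if len(resp) >= 9 and resp[7] & 0x80:
        return f"exception_{resp[8]:02x}"
    return "ok"


def fuzz_read_coils(iterations: int = 200, seed: int = 1) -> Dict[str, Dict]:
    """Mutate -> send -> monitor loop; tallies verdicts and monitor flags."""
    rng = random.Random(seed)
    base = build_read_coils(txn_id=1, unit=1, start=0, quantity=16)
    responses: Dict[str, Dict[str, int]] = {s: {} for s in STRATEGIES}
    flagged = {s: 0 for s in STRATEGIES}    # frames the monitor called malformed
    for i in range(iterations):
        strategy = STRATEGIES[i % len(STRATEGIES)]
        case = mutate(base, strategy, rng)
        verdict = classify_response(simulated_target(case))
        responses[strategy][verdict] = responses[strategy].get(verdict, 0) + 1
        if validate_frame(case) is not None:
            flagged[strategy] += 1
    return {"responses": responses, "monitor_flagged": flagged}
```

Running `fuzz_read_coils()` shows the two views diverging: every `length_field` case is accepted by the stand-in target (`ok`) yet flagged by the monitor, while `truncate` cases split between exception responses and silent drops. In a real campaign the silently dropped and unanswered cases are the ones that get saved and replayed for the anomaly analysis step the paper describes.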
Received: 2015-05-30. Published: 2017-01-20
CLC number: TP393.1
Cite this article:
YI Shengwei, ZHANG Chongbin, XIE Feng, XIONG Qi, XIANG Chong, LIANG Lulu. Security analysis of industrial control network protocols based on Peach. Journal of Tsinghua University (Science and Technology), 2017, 57(1): 50-54.
Article links:
http://jst.tsinghuajournals.com/CN/10.16511/j.cnki.qhdxxb.2017.21.010
http://jst.tsinghuajournals.com/CN/Y2017/V57/I1/50


Figures:
Figure 1 Architecture of the Peach fuzzing tool
Figure 2 Security analysis method for industrial control network protocols
Figure 3 Pit file for Modbus TCP function code 0x01
Figure 4 Fuzz test execution command
Figure 5 Execution process of testing the security of Modbus TCP function code 0x01 with the ModbusSim simulator



