Abstract
Two approaches are traditionally used to find vulnerabilities in protocols: fuzz testing and reverse analysis. Fuzz testing is highly automated and does not depend on source code, but its test cases are poorly targeted and it cannot be applied directly to proprietary industrial control protocols. Traditional protocol reverse analysis uses an N-gram model to segment protocol message sequences, which admits too much noise and gives unsatisfactory results. This paper proposes a vulnerability-mining method that combines protocol reverse analysis with fuzz testing. An improved effective counting method based on a local greedy algorithm raises the accuracy of protocol keyword extraction by 65% on average, and combining it with lossy counting to build the protocol syntax tree reduces the number of spanning-tree nodes by 40%. A protocol state machine is obtained by ε-machine minimization of the protocol's Markov model, and this state machine guides the generation of effective fuzzing test cases. Using the Sulley fuzzing framework on the proprietary industrial control protocol WDB RPC, the method found vulnerabilities including an integer overflow, which verifies its effectiveness.
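The abstract names two building blocks of the keyword-extraction stage, byte N-gram segmentation of captured messages and lossy counting of the resulting N-grams. The example below, added here and not taken from the paper, runs the standard lossy counting algorithm (Manku and Motwani) over 4-byte N-grams of constructed messages for a made-up request protocol; the paper's improved counting method and its WDB RPC traffic are not described on the page, so this shows only the baseline that such methods refine. All message formats, parameter values and function names are assumptions of this example.

```python
"""Protocol keyword extraction with byte N-grams and lossy counting.

Added example: standard lossy counting (Manku & Motwani) over byte N-grams
of constructed messages. It is not the paper's improved counting method and
uses no real WDB RPC data; the protocol below is invented for illustration.
"""
from collections import Counter
from math import ceil
from typing import Dict, List


def byte_ngrams(message: bytes, n: int) -> List[bytes]:
    """All contiguous n-byte slices of a message (the N-gram segmentation)."""
    return [message[i:i + n] for i in range(len(message) - n + 1)]


class LossyCounter:
    """Approximate frequency counter for a stream of items.

    Memory is bounded by O((1/epsilon) * log(epsilon * N)) entries. Every
    item whose true frequency exceeds support * N is reported, and no
    reported count is underestimated by more than epsilon * N.
    """

    def __init__(self, bucket_width: int):
        self.width = bucket_width            # w; epsilon = 1 / w
        self.epsilon = 1.0 / bucket_width
        self.n_seen = 0                      # N, items processed so far
        self.entries: Dict[bytes, List[int]] = {}  # item -> [freq, delta]

    def add(self, item: bytes) -> None:
        self.n_seen += 1
        bucket = ceil(self.n_seen / self.width)   # current bucket id b
        if item in self.entries:
            self.entries[item][0] += 1
        else:
            # delta = b - 1 bounds how often the item may have been seen
            # before this (re)insertion, i.e. the possible undercount.
            self.entries[item] = [1, bucket - 1]
        if self.n_seen % self.width == 0:
            # Bucket boundary: drop entries that can no longer be frequent.
            self.entries = {k: v for k, v in self.entries.items()
                            if v[0] + v[1] > bucket}

    def frequent(self, support: float) -> Dict[bytes, int]:
        """Items whose estimated frequency is at least (support - epsilon) * N."""
        threshold = (support - self.epsilon) * self.n_seen
        return {k: v[0] for k, v in self.entries.items() if v[0] >= threshold}


def build_messages() -> List[bytes]:
    """Constructed traffic: 2-byte header, 4-byte command keyword, 1-byte
    sequence number, then 3 payload bytes derived from the sequence number
    so that payload N-grams never repeat across messages."""
    messages = []
    for i in range(12):
        cmd = b"WRTE" if i % 3 == 2 else b"READ"      # 8 READ, 4 WRTE
        payload = bytes([(i * 13 + 1) & 0xff, (i * 29 + 3) & 0xff,
                         (i * 47 + 5) & 0xff])
        messages.append(b"\xaa\x55" + cmd + bytes([i]) + payload)
    return messages


def extract_keywords(messages: List[bytes], n: int = 4,
                     support: float = 0.04, bucket_width: int = 50) -> Dict[bytes, int]:
    """Candidate protocol keywords: N-grams reported frequent by lossy counting."""
    counter = LossyCounter(bucket_width)
    for msg in messages:
        for gram in byte_ngrams(msg, n):
            counter.add(gram)
    return counter.frequent(support)


def exact_counts(messages: List[bytes], n: int = 4) -> Counter:
    """Exact N-gram frequencies, used to check the approximation."""
    return Counter(g for m in messages for g in byte_ngrams(m, n))


if __name__ == "__main__":
    msgs = build_messages()
    approx = extract_keywords(msgs)
    exact = exact_counts(msgs)
    for gram, est in sorted(approx.items(), key=lambda kv: -kv[1]):
        print(gram, "estimated:", est, "exact:", exact[gram])
```

With these parameters the six N-grams that cover the two command keywords (and the fixed header preceding them) are reported, while the 48 one-off payload N-grams are pruned at the bucket boundary; the per-message noise that the abstract attributes to plain N-gram segmentation is exactly what the pruning step removes, and the later syntax-tree stage would merge overlapping survivors such as `\x55REA` and `READ` into one field.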
Authors
王海翔
朱朝阳
应欢
缪思薇
WANG Haixiang; ZHU Chaoyang; YING Huan; MIAO Siwei (Institute of Information and Communication, China Electric Power Research Institute, Beijing 100192, China)
Source
《电力信息与通信技术》
2019, No. 4, pp. 1-9 (9 pages)
Electric Power Information and Communication Technology
Funding
National Natural Science Foundation of China project (U1766215)
State Grid Corporation of China headquarters science and technology project (52110418001K)
Keywords
industrial control proprietary protocol
reverse analysis
fuzz testing
hidden Markov model