
Research On Program Based Industrial Protocol Reverse Analysis

Posted on: 2020-06-08
Degree: Master
Type: Thesis
Country: China
Candidate: H Zheng
Full Text: PDF
GTID: 2428330602986065
Subject: Control Science and Engineering
Abstract/Summary:
Industrial control systems are widely used in all aspects of industrial production, and their security is vital to the economy. With the advance of the industrial internet, industrial control systems have become more open and intelligent, but they also face greater challenges. As an important part of industrial control systems, the network protocol is the key to many industrial security studies. However, in the ICS network, private protocols from different vendors bring potential risks. On the one hand, without public testing, design flaws in a protocol may be exploited. On the other hand, many defenses that rely on protocol formats cannot be used to enhance system security. Therefore, to enhance the security of these systems, it is necessary to reverse analyze the private protocols.

In order to reverse analyze industrial control protocols, the thesis investigates the related work and applications, and analyzes the shortcomings of existing methods when applied to industrial protocols. Thus, we propose a method for industrial protocol format analysis based on the dynamic taint analysis technique. The method includes two parts: a taint analysis platform and format analysis algorithms. The principle of the method is to regard the received protocol message as taint data, instrument the program that implements the industrial protocol with a dynamic binary analysis tool, and record the trace of the taint data through the program while it processes the protocol message. Finally, the protocol format is analyzed offline from the trace according to the designed algorithms.

For the taint analysis platform, the thesis defines the lifetime and state of the taint data, especially the number and endianness of the taint bytes, designs rules for the initialization and propagation of taint data that balance efficiency and accuracy, and implements the platform on a Linux x64 system based on Pin, a dynamic binary instrumentation tool. The protocol format consists of the boundaries and the semantics of the fields. For the field boundaries, the thesis designs the field tree generation algorithm, which extracts field boundary information from the trace generated by the taint analysis platform and visualizes the output as a tree structure. For the field semantics, the thesis defines the common field categories in industrial protocols and designs different identification methods according to their characteristics. Finally, five implementations of the three industrial control protocols Modbus, DNP3, and S7 are selected from the open-source community to test the effect of our prototype, and the results are compared with each protocol's standard specification.
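As an added illustration of the offline field tree generation step (example code written for this page, not the thesis's own implementation): it assumes a simplified trace format in which each record lists the message byte offsets that one tainted instruction consumed, nests the contiguous byte ranges by containment to form the field tree, and reads the field boundaries off the leaves. The trace below is constructed to resemble a small request with a one-byte function code, two 16-bit fields that are also copied as a unit, a three-byte payload, and a checksum over the whole message.

```python
from dataclasses import dataclass, field

# Constructed taint trace (assumed format): (instruction address,
# offsets of the received message bytes that the instruction read).
TRACE = [
    (0x401000, range(0, 1)),  # 1-byte load: function code
    (0x401010, range(1, 3)),  # 16-bit load: bytes 1-2
    (0x401020, range(3, 5)),  # 16-bit load: bytes 3-4
    (0x401030, range(1, 5)),  # memcpy-style copy of bytes 1-4 as one unit
    (0x401040, range(5, 8)),  # 3-byte payload
    (0x401050, range(0, 8)),  # checksum computed over the whole message
]


@dataclass
class FieldNode:
    start: int
    end: int  # exclusive offset
    children: list = field(default_factory=list)

    def to_tuple(self):
        return (self.start, self.end, [c.to_tuple() for c in self.children])


def build_field_tree(trace, msg_len):
    """Nest the byte ranges touched by the program into a field tree."""
    ranges = {(min(r), max(r) + 1) for _, r in trace}
    ranges.add((0, msg_len))  # the whole message is the root field
    # Start ascending, length descending: a containing range sorts
    # before every range it contains.
    ordered = sorted(ranges, key=lambda r: (r[0], -(r[1] - r[0])))
    root = FieldNode(0, msg_len)
    stack = [root]
    for start, end in ordered[1:]:
        node = FieldNode(start, end)
        # Unwind to the nearest ancestor that fully contains this range;
        # partially overlapping ranges therefore become siblings.
        while not (stack[-1].start <= start and end <= stack[-1].end):
            stack.pop()
        stack[-1].children.append(node)
        stack.append(node)
    return root


def leaf_boundaries(node, acc=None):
    """Flatten the tree into the sorted set of finest field boundaries."""
    acc = set() if acc is None else acc
    if not node.children:
        acc.update((node.start, node.end))
    for child in node.children:
        leaf_boundaries(child, acc)
    return sorted(acc)
```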
Keywords/Search Tags:Industrial Control System Security, Private Protocol, Reverse Analysis, Dynamic Taint Analysis, Pin