
Research On Vulnerability Mining Technology Of Industrial Control PLC System Based On Fuzzing

Posted on: 2021-03-17
Degree: Master
Type: Thesis
Country: China
Candidate: S Shao
Full Text: PDF
GTID: 2428330605481152
Subject: Computer technology

Abstract/Summary:
Industrial control systems (ICS) are an important part of a country's critical infrastructure. With the spread of industrial networking technology, industrial control systems face severe network security risks. The programmable logic controller (PLC) is the core control device in an industrial control system, and VxWorks is the core operating system on many PLCs. Existing kernel fuzzing techniques are difficult to apply directly to VxWorks, so this thesis focuses on vulnerability mining for PLC systems. Based on an in-depth survey and analysis of existing ICS vulnerability mining and testing techniques, we propose coverage-guided fuzzing of the VxWorks kernel and traffic-tracing-based fuzzing of PLC industrial control protocols, and we develop a VxWorks kernel fuzzing tool and an industrial control protocol fuzzing tool. The specific research work is as follows:

(1) Coverage-guided VxWorks kernel fuzzing. For the VxWorks system widely used in ICS PLC devices, we implement collection of path information during kernel execution on top of the QEMU emulator. Because QEMU's basic-block chaining makes block-level coverage inaccurate, the coverage recording logic is implemented at the level of the TCG intermediate code, which avoids a reduction in execution speed. We then design a test-function locating module that parses the ELF format of the VxWorks kernel image, obtains the runtime address of the kernel function under test, and sets a breakpoint on the key kernel function through the debugger. We also propose a fast virtual-machine state management method that records memory write operations and the processor state so that the kernel state can be restored quickly after each test case is executed. On this basis we develop vxAFL, a coverage-guided VxWorks kernel fuzzing tool. Fuzzing the RPC component of the VxWorks kernel found three crashing test cases; one of them reproduces the integer overflow vulnerability in the _authenticate function (CVE-2015-7599).

(2) Traffic-tracing-based industrial control protocol fuzzing. With existing mutation-based fuzzing methods, most generated test cases are rejected early by the PLC's legality checks on protocol messages, so few cases reach the deeper protocol handling logic (the low pass-rate problem). We propose a test-case generation method for industrial control protocols that produces executable test-case scripts from captured traffic: the captured packets are parsed and mapped onto the protocol field primitives of the Scapy framework, and the session information present in the traffic is modelled as a directed graph. This avoids the hand-written test-case scripts required by existing methods and makes it more effective to generate protocol messages from the captured messages during testing. On this basis we develop ICSFuzzer, an industrial control protocol fuzzing tool. Testing the Siemens S7 protocol library SNAP7 with it found two crashing test cases; one of them is a stack overflow vulnerability (CVE-2017-1000230).
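The traffic-tracing idea in (2) can be illustrated with a small, self-contained model. The following Python is an added example written for this page, not code from the thesis or from ICSFuzzer: it uses a made-up, simplified frame layout (magic, type, seq, length, payload) rather than the real S7/COTP encoding, a hand-written field model in place of Scapy's field primitives, and a constructed four-message capture. It builds the directed session graph from the capture, replays the legal prefix of the session before each mutated target message, and rebuilds the header so that only the payload is malformed; a naive byte-flipping baseline shows how often header corruption gets a case dropped at the device's framing check before any handler logic runs.

```python
"""Session-graph test-case generation for a toy ICS protocol.

Constructed example. The wire format, field model and capture below are
assumptions made for illustration; they are not the S7 protocol and not
the thesis's own code.
"""
import random
import struct

# Assumed framing (in the spirit of Scapy field primitives, not S7):
#   magic (2) | msg_type (1) | seq (1) | length (2, big endian) | payload
MAGIC = b"\x32\x01"
HEADER = struct.Struct(">2sBBH")


def parse_msg(raw):
    """Split one captured frame into fields; raise ValueError if malformed."""
    if len(raw) < HEADER.size:
        raise ValueError("short frame")
    magic, msg_type, seq, length = HEADER.unpack_from(raw)
    if magic != MAGIC or length != len(raw) - HEADER.size:
        raise ValueError("bad magic or length")
    return {"type": msg_type, "seq": seq, "payload": raw[HEADER.size:]}


def build_msg(fields):
    """Serialise fields, recomputing the length field so framing stays legal."""
    payload = fields["payload"]
    return HEADER.pack(MAGIC, fields["type"], fields["seq"], len(payload)) + payload


def device_accepts(raw):
    """Stand-in for the PLC's legality check: a bad frame never reaches the handler."""
    try:
        parse_msg(raw)
        return True
    except ValueError:
        return False


def build_session_graph(capture):
    """Directed graph: message type -> set of types that followed it in the capture."""
    graph, prev = {}, None
    for raw in capture:
        t = parse_msg(raw)["type"]
        graph.setdefault(t, set())
        if prev is not None:
            graph[prev].add(t)
        prev = t
    return graph


def session_prefix(capture, target_type):
    """Frames that must be replayed verbatim before the target type may be sent."""
    prefix = []
    for raw in capture:
        if parse_msg(raw)["type"] == target_type:
            return prefix
        prefix.append(raw)
    raise KeyError(target_type)


def generate_testcases(capture, target_type, count, seed=1):
    """Each test case is a whole session: legal prefix + one payload-mutated target."""
    rng = random.Random(seed)
    prefix = session_prefix(capture, target_type)
    template = parse_msg(capture[len(prefix)])
    cases = []
    for _ in range(count):
        payload = bytearray(template["payload"])
        strategy = rng.choice(("flip", "grow", "truncate"))
        if strategy == "flip" and payload:
            payload[rng.randrange(len(payload))] ^= 1 << rng.randrange(8)
        elif strategy == "grow":
            payload += bytes([rng.randrange(256)] * rng.randrange(1, 512))
        else:
            payload = payload[: rng.randrange(len(payload) + 1)]
        mutated = build_msg({**template, "payload": bytes(payload)})
        cases.append(prefix + [mutated])
    return cases


def naive_mutate(capture, target_index, count, seed=1):
    """Baseline: flip one raw bit anywhere in the frame, header included."""
    rng = random.Random(seed)
    raw = capture[target_index]
    out = []
    for _ in range(count):
        b = bytearray(raw)
        b[rng.randrange(len(b))] ^= 1 << rng.randrange(8)
        out.append(bytes(b))
    return out


def pass_rate(frames):
    """Fraction of frames that survive the device's framing check."""
    return sum(device_accepts(f) for f in frames) / len(frames)


# Constructed capture: client side of one session, connect -> setup -> read -> write.
CAPTURE = [
    build_msg({"type": 1, "seq": 0, "payload": b"\x00\x0a\x02\x01\x02"}),
    build_msg({"type": 2, "seq": 1, "payload": b"\x00\x01\x00\x01\x03\xc0"}),
    build_msg({"type": 3, "seq": 2, "payload": b"\x04\x01\x12\x0a\x10\x02\x00\x01\x00\x01\x84\x00\x00\x00"}),
    build_msg({"type": 4, "seq": 3, "payload": b"\x05\x01\x12\x0a\x10\x02\x00\x01\x00\x01\x84\x00\x00\x00\x00\x04\x00\x08"}),
]

if __name__ == "__main__":
    print("session graph:", build_session_graph(CAPTURE))
    graph_cases = generate_testcases(CAPTURE, target_type=3, count=200)
    print("graph-guided pass rate:", pass_rate([c[-1] for c in graph_cases]))
    print("naive byte-flip pass rate:", pass_rate(naive_mutate(CAPTURE, 2, 200)))
```

The point of the comparison is the one the abstract makes: the graph-guided cases always arrive with a valid session prefix and a consistent header, so every one of them is accepted at the framing layer and the mutation effort lands in the payload parsing the fuzzer actually wants to exercise, whereas blind byte flipping spends a share of its budget corrupting the magic and length fields and is discarded before the handler runs.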
Keywords/Search Tags: Industrial Control System, PLC Vulnerability Mining, VxWorks Kernel Test, Industrial Control Protocol Test, Fuzzing