
Research On Vulnerability Mining Technology Of Industrial Control System

Posted on: 2021-01-05
Degree: Master
Type: Thesis
Country: China
Candidate: X Che
Full Text: PDF
GTID: 2518306047986469
Subject: Master of Engineering
Abstract/Summary:
Industrial programmable logic controllers (PLCs) are widely used in industrial production. Once an attacker successfully exploits an existing vulnerability in a PLC, production can easily be interrupted, causing economic losses to the enterprise and, in serious cases, casualties. How to quickly discover the vulnerabilities in industrial PLCs and improve their security is therefore becoming a research focus for security researchers. In order to discover vulnerabilities in industrial PLCs more quickly, this thesis proposes a method for mining industrial control vulnerabilities based on fuzzing of industrial control protocols: specially constructed malformed packets are sent to the PLC under test in order to uncover the vulnerabilities in the PLC. The specific contributions are:

(1) An industrial control protocol description model is constructed. In order to describe industrial control protocols uniformly and to support the subsequent research on the structure of private protocols, this thesis constructs a five-tuple that describes the attributes of the fields in an industrial control protocol and the relationship between adjacent bytes.

(2) A fuzzing method for public protocols based on a genetic algorithm is designed, taking Modbus TCP as the example. Existing protocol fuzzing suffers from problems such as generating test cases with high redundancy and being unable to adjust test case generation according to the feedback of the PLC under test. First, based on the Modbus TCP protocol structure, a Modbus TCP field value rule is proposed to guide the value range of each field when the genetic algorithm generates test cases, so as to reduce the number of invalid test cases and reduce redundancy. Second, a test case queue is established to store the fuzz test cases that have already been sent together with the exception codes in the response message of the PLC under test after it receives each test case; when calculating the fitness of individuals in the genetic algorithm, the fitness is computed from the similarity of the individual to the seeds in the seed queue and from the exception codes of those seeds, so that the generation of fuzz test cases is adjusted according to the feedback of the PLC under test.

(3) A private protocol structure analysis method based on information theory is designed. To address the problem that existing tools cannot analyze private protocols of unknown structure, this thesis starts from the perspective of information theory, introduces information entropy, mutual information and joint entropy, and combines them with the mutual information rate proposed in this thesis to form three judgment conditions under which two adjacent bytes do not belong to the same field. These conditions are used to analyze the structure of the private protocol, thereby improving the applicability of the protocol fuzzing system.

(4) A private protocol fuzzing method based on a genetic algorithm is designed. On the basis of the completed analysis of the private protocol structure, a genetic algorithm is used to generate private protocol fuzz test cases: the similarity between each test case and the packets in the initial population is calculated, and the fitness value of the test case is then calculated from the constructed fitness function, in order to select test cases that conform to the private protocol format while having a high degree of variation.

(5) The proposed industrial control protocol fuzzing method is designed, implemented and verified experimentally. In the public protocol fuzzing experiment, the proposed method is used to fuzz two PLCs that support the Modbus TCP protocol, and two 0-day denial of service (DoS) vulnerabilities are found. In the private protocol structure analysis experiment, the proposed method is first used to analyze the structure of a Modbus TCP protocol data set and an S7Comm protocol data set respectively; the analytical results verify the effectiveness of the method, and the structure of a private protocol with unknown structure is then analyzed. In the private protocol fuzzing experiment, based on the analysis of the private protocol's structure, two PLCs supporting the private protocol are fuzzed, and two DoS vulnerabilities are found, one of which is a 0-day vulnerability. The experimental results show that the method proposed in this thesis can effectively improve the efficiency of mining vulnerabilities in PLCs that support public protocols or private protocols of unknown structure.
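Contribution (2) rests on two ideas that can be shown in code without any fuzzing harness: the Modbus TCP field value rules that bound what each field may contain, and the exception code in a PLC response that the thesis uses as feedback. The block below is an added example, not code from the thesis; it applies the public Modbus TCP rules (protocol id 0, length field equal to the bytes that follow it, public function codes, register quantity 1..125 for read requests, exception responses of exactly two PDU bytes) and extracts the exception code from a response. All sample frames are constructed, and the set of rules checked is a subset chosen for illustration. Written from a monitoring stance, the same checks serve a protocol-aware detector flagging malformed frames on the wire.

```python
# Added example (not the thesis's code): apply Modbus TCP field value rules to a
# frame and read the exception code out of a PLC response. The rules below come
# from the public Modbus TCP specification; the sample frames are constructed.
import struct

MBAP_LEN = 7            # transaction id (2), protocol id (2), length (2), unit id (1)
MAX_ADU = 260           # 7-byte MBAP header + 253-byte PDU
# Public function codes defined in the Modbus application protocol specification.
PUBLIC_FUNCTION_CODES = {1, 2, 3, 4, 5, 6, 7, 8, 11, 12, 15, 16, 17,
                         20, 21, 22, 23, 24, 43}
# Exception codes a server returns in a response whose function code has bit 7 set.
EXCEPTION_CODES = {
    1: "ILLEGAL FUNCTION", 2: "ILLEGAL DATA ADDRESS", 3: "ILLEGAL DATA VALUE",
    4: "SERVER DEVICE FAILURE", 5: "ACKNOWLEDGE", 6: "SERVER DEVICE BUSY",
    8: "MEMORY PARITY ERROR", 10: "GATEWAY PATH UNAVAILABLE",
    11: "GATEWAY TARGET DEVICE FAILED TO RESPOND",
}


def check_modbus_tcp(frame: bytes, is_request: bool = True) -> list:
    """Return the list of field value rule violations; an empty list means the
    frame is well-formed under the rules checked here."""
    issues = []
    if len(frame) < MBAP_LEN + 1:
        return ["frame shorter than MBAP header plus function code"]
    if len(frame) > MAX_ADU:
        issues.append(f"ADU of {len(frame)} bytes exceeds {MAX_ADU}")
    _tid, proto_id, length, _unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if proto_id != 0:
        issues.append(f"protocol id must be 0, got {proto_id}")
    # The length field counts the unit id and the PDU, i.e. every byte after it.
    if length != len(frame) - 6:
        issues.append(f"length field {length} != {len(frame) - 6} bytes following it")
    pdu = frame[MBAP_LEN:]
    fc = pdu[0]
    if (fc & 0x7F) not in PUBLIC_FUNCTION_CODES:
        issues.append(f"non-public function code {fc & 0x7F}")
    if fc & 0x80:                                   # exception response
        if is_request:
            issues.append("exception bit set in a request")
        elif len(pdu) != 2:
            issues.append(f"exception response PDU must be 2 bytes, got {len(pdu)}")
        elif pdu[1] not in EXCEPTION_CODES:
            issues.append(f"unknown exception code {pdu[1]}")
    elif is_request and fc in (3, 4):               # Read Holding/Input Registers
        if len(pdu) != 5:
            issues.append(f"read-registers request PDU must be 5 bytes, got {len(pdu)}")
        else:
            quantity = struct.unpack(">H", pdu[3:5])[0]
            if not 1 <= quantity <= 125:
                issues.append(f"register quantity {quantity} outside 1..125")
    return issues


def exception_code(response: bytes):
    """Return (code, name) for a Modbus TCP exception response, or None for a
    normal response or a frame too short to carry an exception code."""
    if len(response) < MBAP_LEN + 2 or not response[MBAP_LEN] & 0x80:
        return None
    code = response[MBAP_LEN + 1]
    return code, EXCEPTION_CODES.get(code, "UNKNOWN")


if __name__ == "__main__":
    # Constructed sample frames (hex), not captured traffic.
    request = bytes.fromhex("0001 0000 0006 01 03 000A 0002".replace(" ", ""))
    response = bytes.fromhex("0001 0000 0003 01 83 02".replace(" ", ""))
    print(check_modbus_tcp(request))                 # []
    print(exception_code(response))                  # (2, 'ILLEGAL DATA ADDRESS')
```

The direction flag is needed because a Modbus TCP frame does not say whether it is a request or a response; a monitor would take it from the TCP side (client to port 502 versus the reverse). Exception codes such as ILLEGAL DATA ADDRESS appearing in bursts from one client are a useful indicator that something is probing a PLC's address space, whether a fuzzer or a misconfigured HMI.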
Keywords/Search Tags: Industrial control network protocol, Vulnerability mining, Fuzzing, Genetic algorithm, Modbus TCP protocol
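Contribution (3) infers the field structure of an unknown protocol from information-theoretic measures over a set of captured frames. The block below is an added example, not the thesis's code: it computes per-byte information entropy, joint entropy of adjacent bytes and their mutual information exactly as those quantities are defined, then merges adjacent bytes into one field when they share information. The thesis's own "mutual information rate" and its three judgment conditions are not defined on this page, so the normalisation (MI divided by the smaller marginal entropy) and the single threshold rule are assumptions of this example. The sample is a constructed set of 16 Modbus TCP read requests built as a full factorial of function code, start address and quantity, so bytes of different fields are independent by construction while the two address bytes co-vary; real captures are noisier.

```python
# Added example (not the thesis's code): infer field boundaries in a set of
# equal-length protocol frames from per-byte entropy and adjacent-byte mutual
# information. Sample frames and the threshold rule are constructed assumptions.
import math
from collections import Counter


def build_sample_frames():
    """Constructed sample: 16 Modbus TCP Read Registers requests. Function code,
    start address and quantity are fully crossed, so bytes from different fields
    are independent; the two address bytes are chosen to vary together."""
    frames, tid = [], 0
    for fc in (0x03, 0x04):                               # Read Holding / Input Registers
        for addr in (0x000A, 0x010B, 0x020C, 0x030D):     # hi and lo bytes co-vary
            for qty in (1, 2):
                mbap = bytes([tid >> 8, tid & 0xFF, 0, 0, 0, 6, 1])
                pdu = bytes([fc, addr >> 8, addr & 0xFF, qty >> 8, qty & 0xFF])
                frames.append(mbap + pdu)
                tid += 1
    return frames


def entropy(values):
    """Shannon entropy H(X) in bits of a list of symbols."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def column(frames, i):
    """The i-th byte of every frame, as one sample of the random variable X_i."""
    return [f[i] for f in frames]


def joint_entropy(frames, i, j):
    """H(X_i, X_j): entropy of the pair of bytes taken together."""
    return entropy(list(zip(column(frames, i), column(frames, j))))


def mutual_information(frames, i, j):
    """I(X_i; X_j) = H(X_i) + H(X_j) - H(X_i, X_j)."""
    return (entropy(column(frames, i)) + entropy(column(frames, j))
            - joint_entropy(frames, i, j))


def mi_rate(frames, i, j):
    """Normalised mutual information in [0, 1]: I(X_i; X_j) / min(H(X_i), H(X_j)).
    Assumption of this example; the thesis's mutual information rate is not on the page."""
    h = min(entropy(column(frames, i)), entropy(column(frames, j)))
    return 0.0 if h == 0 else mutual_information(frames, i, j) / h


def infer_fields(frames, threshold=0.5):
    """Return (start, end_exclusive, kind) byte ranges. Adjacent bytes are merged
    into one field when their MI rate reaches the threshold. A constant byte has
    zero entropy, so mutual information gives no evidence either way; it is cut
    off as its own range and reported as 'constant' so a human can merge it."""
    n = len(frames[0])
    if any(len(f) != n for f in frames):
        raise ValueError("this example assumes equal-length frames")
    h = [entropy(column(frames, i)) for i in range(n)]
    ranges, start = [], 0
    for i in range(n - 1):
        if h[i] == 0 or h[i + 1] == 0 or mi_rate(frames, i, i + 1) < threshold:
            ranges.append((start, i + 1))
            start = i + 1
    ranges.append((start, n))
    return [(s, e, "constant" if all(h[k] == 0 for k in range(s, e)) else "variable")
            for s, e in ranges]


if __name__ == "__main__":
    frames = build_sample_frames()
    for s, e, kind in infer_fields(frames):
        print(f"bytes {s}..{e - 1}: {kind}")
    # The only merged range is bytes 8..9, the two start-address bytes.
```

On the constructed sample, every adjacent pair except the two address bytes is separated: the protocol id, length and unit id bytes are constant and therefore undecidable by mutual information alone, which is the edge case that makes extra judgment conditions necessary in practice, and the transaction id's low byte, although highly variable, shares no information with its constant high byte. On real captures the transaction id bytes are a counter, so a larger trace would let the high byte's entropy rise and the rule would then apply to that pair as well.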