
Design And Implementation Of A Fuzzer For PROFINET Industrial Control Protocol

Posted on: 2022-06-01
Degree: Master
Type: Thesis
Country: China
Candidate: Y B Wang
GTID: 2518306332467094
Subject: Computer technology
Abstract/Summary:
With the spread of the Internet and information technology, industrial control systems are undergoing their own transformation: the move toward informatised, intelligent industrial production is irreversible. At the same time, serious security incidents at industrial facilities have grown together with industrial control technology. PROFINET is a typical industrial control protocol and the carrier of communication data for industrial facilities; like other network protocols, it has potential security vulnerabilities. This thesis studies in depth how to find vulnerabilities in PROFINET.

An efficient way to find vulnerabilities in a network protocol is fuzz testing, which injects malformed test cases in order to trigger latent vulnerabilities in the protocol implementation. Fuzz testing is widely used in cyber-security research and has found many high-risk vulnerabilities. Drawing on fuzz testing frameworks such as SPIKE and AFL, this thesis designs and implements a fuzzing solution for PROFINET. The main work is as follows.

First, an input method for PROFINET fuzz test cases is designed. Fuzz testing of every device on the LAN is implemented without altering the physical connections, using penetration-testing techniques such as sniffing and session hijacking, and a protocol fuzzing method based on the man-in-the-middle attack technique is proposed.

Second, a state-based test case generation method for PROFINET is designed: a state machine description script for the PROFINET session state model is introduced, and a fuzz packet sequence generation algorithm is given. On top of this, three test case generation methods are implemented, which produce the test cases used as the payloads of the fuzz packet sequences.

Third, an automated, state-based fuzzer for the PROFINET protocol is designed and implemented by integrating the methods above. The overall framework, division of functions and implementation of the tool are given.

Using real industrial control devices, a comparative experiment is carried out between ProFuzz, an existing fuzzer for PROFINET, the message-based fuzzer of this solution, and the state-based PROFINET fuzzer implemented by this solution. The results show that the state-based fuzzer has a more efficient test case generation method, a relatively high hit rate during fuzz testing, and finds vulnerabilities more effectively.
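The state-based fuzz packet sequence generation that the abstract describes, shown as an added Python example (this is not the thesis's tool or code, and ProFuzz is not involved): a simplified PROFINET DCP session model, assumed here for the illustration, is written as a table of state transitions; the shortest path from the initial state to a target state is turned into the request frames that drive a device there, and only the last frame of the sequence is mutated by one of three illustrative mutators (these are assumptions, not the three test case generation methods of the thesis). The DCP frame layout (EtherType 0x8892, FrameIDs 0xFEFE and 0xFEFD, ServiceID, Option/Suboption blocks) follows the PROFINET DCP specification; the MAC addresses, station name and state names are constructed.

```python
# Added illustration of state-driven fuzz sequence generation for PROFINET DCP.
# The session model is a simplification assumed for this example.
import random
import struct
from collections import deque

ETHERTYPE_PROFINET = 0x8892
DCP_MULTICAST = bytes.fromhex("010ecf000000")   # DCP identify multicast address
FRAME_ID_IDENTIFY_REQ = 0xFEFE
FRAME_ID_GET_SET = 0xFEFD
SERVICE_SET, SERVICE_IDENTIFY = 4, 5
SERVICE_TYPE_REQUEST = 0
DCP_BLOCKS_OFFSET = 26          # 14-byte Ethernet header + 12-byte DCP header


def dcp_block(option, suboption, payload=b""):
    """One DCP block: Option, Suboption, DCPBlockLength, payload, padded to even length."""
    blk = struct.pack(">BBH", option, suboption, len(payload)) + payload
    return blk + (b"\x00" if len(blk) % 2 else b"")


def dcp_frame(dst, src, frame_id, service_id, xid, blocks):
    """Ethernet II frame carrying a DCP request PDU with the given blocks."""
    data = b"".join(blocks)
    header = struct.pack(">HBBIHH", frame_id, service_id, SERVICE_TYPE_REQUEST,
                         xid, 0, len(data))      # 0 = ResponseDelay / reserved field
    return dst + src + struct.pack(">H", ETHERTYPE_PROFINET) + header + data


def identify_all(src, xid=1):
    """DCP Identify request addressed to all devices (Option/Suboption 0xFF/0xFF)."""
    return dcp_frame(DCP_MULTICAST, src, FRAME_ID_IDENTIFY_REQ, SERVICE_IDENTIFY,
                     xid, [dcp_block(0xFF, 0xFF)])


def set_name_of_station(dst, src, name, xid=2):
    """DCP Set of NameOfStation (Option 2, Suboption 2); BlockQualifier 1 = store permanently."""
    payload = struct.pack(">H", 1) + name
    return dcp_frame(dst, src, FRAME_ID_GET_SET, SERVICE_SET, xid,
                     [dcp_block(0x02, 0x02, payload)])


# Simplified session model (an assumption of this example). Each transition is
# (from_state, to_state, builder); builder(ctx) returns the request that causes it.
SESSION_MODEL = {
    "initial": "IDLE",
    "transitions": [
        ("IDLE", "DISCOVERED", lambda c: identify_all(c["src"])),
        ("DISCOVERED", "NAMED", lambda c: set_name_of_station(c["dst"], c["src"], c["name"])),
    ],
}


def path_to(model, target):
    """Shortest list of builders driving the peer from the initial state to `target` (BFS)."""
    adj = {}
    for frm, to, build in model["transitions"]:
        adj.setdefault(frm, []).append((to, build))
    start = model["initial"]
    queue, seen = deque([(start, [])]), {start}
    while queue:
        state, path = queue.popleft()
        if state == target:
            return path
        for to, build in adj.get(state, []):
            if to not in seen:
                seen.add(to)
                queue.append((to, path + [build]))
    raise ValueError(f"state {target!r} is unreachable in the model")


# Three illustrative mutators acting on the DCP part of a frame (assumptions,
# not the thesis's three test case generation methods).
def mutate_byteflip(frame, rng):
    """XOR one byte of the block data with a non-zero value."""
    i = rng.randrange(DCP_BLOCKS_OFFSET, len(frame))
    return frame[:i] + bytes([frame[i] ^ rng.randrange(1, 256)]) + frame[i + 1:]


def mutate_length(frame, rng):
    """Make the DCPDataLength field disagree with the real block data."""
    bad = rng.choice([0, 0xFFFF, len(frame)])
    return frame[:24] + struct.pack(">H", bad) + frame[26:]


def mutate_overlong(frame, rng):
    """Replace the first block's payload with an over-long filler; length fields stay consistent."""
    option, suboption = frame[DCP_BLOCKS_OFFSET], frame[DCP_BLOCKS_OFFSET + 1]
    blk = dcp_block(option, suboption, b"\x41" * rng.choice([64, 255, 1400]))
    return frame[:24] + struct.pack(">H", len(blk)) + blk


MUTATORS = [mutate_byteflip, mutate_length, mutate_overlong]


def fuzz_sequence(model, target, ctx, seed=None):
    """Frames that drive the peer to `target`; only the last one carries the mutated test case."""
    rng = random.Random(seed)
    frames = [build(ctx) for build in path_to(model, target)]
    if not frames:
        raise ValueError("target is the initial state; nothing to send")
    mutator = rng.choice(MUTATORS)
    frames[-1] = mutator(frames[-1], rng)
    return frames, mutator.__name__


if __name__ == "__main__":
    # Constructed addresses and station name for a stand-alone run.
    ctx = {"src": bytes.fromhex("020000000001"), "dst": bytes.fromhex("020000000002"), "name": b"dev-1"}
    for seed in range(3):
        frames, how = fuzz_sequence(SESSION_MODEL, "NAMED", ctx, seed)
        print(how, [f.hex() for f in frames])
```

The example stops at building the sequence so that it runs offline. On a live network the frames would be written to a raw socket (on Linux, `socket.AF_PACKET` with `SOCK_RAW`) from the injection point the abstract describes, and the device's response, or the absence of one, would be observed before the next sequence is generated; that response is what tells the fuzzer whether the target actually reached the modelled state.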
Keywords/Search Tags:PROFINET protocol, Fuzz testing, Model of state-based protocol, Testcase, Mutation