
Vulnerability Mining For Modbus TCP Based On Exception Field Positioning

Posted on: 2021-10-29
Degree: Master
Type: Thesis
Country: China
Candidate: W Q Feng
Full Text: PDF
GTID: 2518306470968619
Subject: Computer technology

Abstract/Summary:
With the development of Industry 4.0, industrial control equipment is being connected to the Internet, which is a double-edged sword: the use of open protocols makes ICS equipment more exposed to attack, and ensuring the safe operation of industrial equipment has become an important problem. Fuzzing is a common way to mine such vulnerabilities: a large volume of malformed data is sent to the target system, which is monitored for faults; the test cases consist of random, ill-formed packets sent to the device under test. Applying fuzzing to ICS protocols has limitations, however. The quality of the test case generation strategy is the key factor determining the ability to find vulnerabilities. Traditional fuzzing uses code coverage as feedback on the test results, so that the generation strategy can be adjusted and the effectiveness of the test cases improved. ICS devices, however, are closed systems for which code coverage cannot be measured, so it is difficult to tell whether a test case had a useful effect once it entered the target, and the generation strategy cannot be adjusted automatically during the test.

This thesis proposes an ICS protocol fuzzing method based on exception field positioning, using Modbus TCP, the most widely used protocol in industrial control networks, as the example for illustration and experiment. By locating the specific fields that trigger a vulnerability, the test case generation strategy is continuously optimized so that the test cases find vulnerabilities more effectively; field positioning is achieved while addressing the lack of guidance and the low efficiency of test case generation. First, the protocol vulnerabilities of industrial control networks are surveyed in an authoritative vulnerability database, the information on known vulnerabilities is analyzed, and mutation operators for generating test cases are constructed according to the causes of Modbus TCP vulnerabilities and the characteristics of the different protocol fields. Next, an exception field positioning method is proposed that uses a rough-set attribute reduction algorithm to reduce the field attributes of the test cases and locate the key fields that trigger the vulnerability in an exception test case. Finally, a test case generation method based on a mutation probability function feeds the field positioning results back into test case generation: the mutation probability of each field is adjusted dynamically, the mutation frequency of protocol fields that readily trigger vulnerabilities is increased, the mutation frequency of unrelated fields is reduced, the test cases are optimized, and blind mutation in fuzzing is avoided. The proposed method was evaluated against real ICS equipment. Three Modbus TCP protocol vulnerabilities were found, including one discovered for the first time, which was granted an originality certificate by CNVD (China National Vulnerability Database). Compared with other methods, it also has advantages.
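The feedback loop the abstract describes (test cases with per-field values, a decision of exception or no exception, rough-set attribute reduction to find the fields that explain the exceptions, and a mutation probability update that favours those fields) can be shown end to end on a small constructed decision table. The following is an added illustration, not code from the thesis: the field names, the decision table and its outcomes, and the probability update rule are assumptions made here, and the reduct search is the textbook positive-region definition rather than the thesis's specific algorithm. The MBAP consistency check is the defensive counterpart: the validation a robust Modbus stack should perform before it parses the PDU.

```python
"""Field-level fuzzing feedback for Modbus TCP (added illustration, not the thesis's code).

Assumptions: the field set FIELDS, the decision table TEST_CASES (outcomes invented),
and update_mutation_probabilities (a simple stand-in for the thesis's mutation
probability function). The reduct search is the standard rough-set positive region.
"""
import struct
from itertools import combinations

# Condition attributes: Modbus TCP fields a test case may mutate
# (MBAP header fields plus the register quantity of a read request PDU).
FIELDS = ("protocol_id", "length", "unit_id", "function_code", "quantity")


def encode_adu(transaction_id, protocol_id, length, unit_id, function_code, start_addr, quantity):
    """Build a Modbus TCP ADU: MBAP header (tid, pid, length, unit id) + a read PDU.
    'length' is taken verbatim so a test case can deliberately carry an inconsistent value."""
    mbap = struct.pack(">HHHB", transaction_id, protocol_id, length, unit_id)
    pdu = struct.pack(">BHH", function_code, start_addr, quantity)
    return mbap + pdu


def mbap_consistent(adu):
    """Receiver-side sanity check before parsing the PDU: protocol id must be 0 and the
    MBAP length field must equal the number of bytes that follow it (unit id + PDU)."""
    if len(adu) < 7:
        return False
    _, proto, length, _ = struct.unpack(">HHHB", adu[:7])
    return proto == 0 and length == len(adu) - 6


# Constructed decision table: (field values, did the device raise an exception?).
# Outcomes are invented. Planted pattern: an exception occurs exactly when the length
# field is inconsistent (99 instead of 6) or the quantity exceeds the Modbus limit of
# 125 registers; protocol_id, unit_id and function_code are irrelevant to the outcome.
TEST_CASES = [
    ({"protocol_id": 0, "length": 6, "unit_id": 1, "function_code": 3, "quantity": 10}, False),
    ({"protocol_id": 0, "length": 6, "unit_id": 1, "function_code": 3, "quantity": 200}, True),
    ({"protocol_id": 0, "length": 99, "unit_id": 1, "function_code": 3, "quantity": 10}, True),
    ({"protocol_id": 7, "length": 6, "unit_id": 1, "function_code": 3, "quantity": 10}, False),
    ({"protocol_id": 0, "length": 6, "unit_id": 255, "function_code": 4, "quantity": 10}, False),
    ({"protocol_id": 7, "length": 99, "unit_id": 255, "function_code": 4, "quantity": 200}, True),
    ({"protocol_id": 0, "length": 6, "unit_id": 1, "function_code": 16, "quantity": 10}, False),
    ({"protocol_id": 0, "length": 6, "unit_id": 1, "function_code": 16, "quantity": 200}, True),
]


def positive_region(rows, attrs):
    """Rough-set positive region POS_attrs(D): the rows whose equivalence class under the
    chosen attributes is pure with respect to the decision (exception / no exception)."""
    classes = {}
    for i, (case, exc) in enumerate(rows):
        key = tuple(case[a] for a in attrs)
        classes.setdefault(key, []).append((i, exc))
    pos = set()
    for members in classes.values():
        if len({exc for _, exc in members}) == 1:
            pos.update(i for i, _ in members)
    return pos


def dependency(rows, attrs):
    """Dependency degree gamma_attrs(D) = |POS| / |U|; 1.0 means the attributes fully
    explain the decision."""
    return len(positive_region(rows, attrs)) / len(rows)


def find_reduct(rows, attrs=FIELDS):
    """Smallest attribute subset preserving the full dependency degree. Exhaustive search by
    subset size, which is fine for the handful of fields a protocol header has."""
    target = dependency(rows, attrs)
    for k in range(1, len(attrs) + 1):
        for subset in combinations(attrs, k):
            if dependency(rows, subset) == target:
                return set(subset)
    return set(attrs)


def update_mutation_probabilities(current, key_fields, boost=2.0, floor=0.05):
    """Feedback step: raise the mutation weight of fields implicated in exceptions, dampen the
    rest (never below 'floor', so no field is starved), then renormalise to a distribution."""
    weights = {f: (p * boost if f in key_fields else max(p / boost, floor)) for f, p in current.items()}
    total = sum(weights.values())
    return {f: w / total for f, w in weights.items()}


if __name__ == "__main__":
    key = find_reduct(TEST_CASES)
    print("fields implicated in exceptions:", sorted(key))
    probs = update_mutation_probabilities({f: 1 / len(FIELDS) for f in FIELDS}, key)
    for f in FIELDS:
        print(f"  mutate {f:<14} with probability {probs[f]:.2f}")
    print("well-formed frame accepted:", mbap_consistent(encode_adu(1, 0, 6, 1, 3, 0, 10)))
    print("length-inconsistent frame accepted:", mbap_consistent(encode_adu(1, 0, 99, 1, 3, 0, 10)))
```

On the constructed table the reduct comes out as {length, quantity}, so those two fields receive a higher mutation probability on the next round while the three unrelated fields are dampened. In a real campaign the decision column would come from monitoring the device under test (exception responses, timeouts, resets) rather than being fixed in advance, and the same reduct computation would be rerun as new exception test cases accumulate.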
Keywords/Search Tags: Industrial Control System, Fuzzing, Vulnerability Mining, Modbus TCP, Attribute Reduction