
Research On Key Technologies Of Industrial Control Proprietary Protocol Reverse And In-Depth Analysis

Posted on: 2023-09-06
Degree: Master
Type: Thesis
Country: China
Candidate: Y H Yang
Full Text: PDF
GTID: 2558306623469704
Subject: Engineering

Abstract/Summary:
Industrial Control Systems (ICS) are widely used in national infrastructure industries such as water treatment, electric power, and food processing, so their security is vital to people's production and daily life. With the rapid development of the industrial internet, industrial control systems are becoming more open, but they also face growing threats. As the "language" of the industrial control system, the industrial control protocol is an indispensable part of it, and its importance is self-evident. However, industrial control systems involve many types of protocols, and many manufacturers use proprietary protocols, which poses great challenges to the secure operation of these systems. On the one hand, because the protocol specification is unknown, defenses such as firewalls and intrusion detection cannot be applied to industrial control systems. On the other hand, because these protocols have not been tested for security, the industrial control devices running these protocol stacks carry security risks of varying degrees. To solve the above problems, this paper carries out the following research:

(1) Aiming at the problem that the format of an industrial control proprietary protocol is unknown, a method for extracting the protocol format based on sequence alignment is proposed. First, the captured network packets are preprocessed to remove useless messages and divide them into sessions; then an improved multiple sequence alignment algorithm is used to obtain the dynamic and static fields in the message sequence; next, a field division algorithm merges adjacent static fields to obtain the field structure of the protocol; finally, heuristic rules are used to identify the semantics of some fields, from which the protocol format is obtained. In the experimental stage, the Modbus/TCP and S7comm protocols were used to verify the accuracy of this method's format extraction, and it was compared with the open-source tool Netzob. The results show that the field division ability of this method on three widely used industrial control protocols, Modbus/TCP, UMAS, and S7comm, is improved by 20%, 40%, and 67% respectively, and the semantic recognition ability is doubled.

(2) Aiming at the problem that the state machine of an industrial control proprietary protocol is unknown, a method for inferring the protocol state machine based on state-related fields is proposed. Based on the obtained protocol format, the function code field is extracted as the state-related field. An adjacency table and statistical analysis are introduced during initial state machine construction to build the initial state machine. In the simplification stage, the state machine is simplified along two dimensions: the original data set and the initial state machine. In the experimental stage, state machines for the S7comm and UMAS protocols were successfully constructed with this method, and in the simplification stage the number of states of these state machines was reduced by 8% and 5% respectively, and the number of state transitions by 28% and 31% respectively.

(3) Finally, based on the above two methods, a fuzzing tool for industrial control proprietary protocols, ICPPfuzz, is designed and implemented. Guided by the extracted protocol format and the inferred protocol state machine, fuzzing was carried out on industrial control devices. Four denial-of-service vulnerabilities were discovered on multiple devices from the mainstream industrial control equipment manufacturers Siemens and Schneider and were submitted to the China National Vulnerability Database (CNVD). Three of them were confirmed by CNVD, which issued vulnerability certificates.
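As an added illustration of the static/dynamic field split, adjacent-field merging and one semantic heuristic described in step (1), this is not code from the thesis or from ICPPfuzz; it assumes equal-length messages so that positional comparison stands in for the thesis's multiple sequence alignment, and it uses constructed Modbus/TCP read requests as input.

```python
import struct

# Constructed Modbus/TCP "read holding registers" requests (function code 3):
# MBAP header (transaction id, protocol id, length, unit id), then function
# code, starting address and register count, all big-endian.
SAMPLE_MESSAGES = [
    struct.pack(">HHHBBHH", tid, 0, 6, 1, 3, start, 10)
    for tid, start in ((1, 0), (2, 0), (3, 100), (4, 0))
]

def classify_positions(messages):
    """Label each byte offset 'S' (same value in every message) or 'D' (varies)."""
    width = min(len(m) for m in messages)
    return ["S" if len({m[i] for m in messages}) == 1 else "D" for i in range(width)]

def merge_runs(labels):
    """Merge adjacent offsets with the same label into (start, end, label) fields."""
    fields, start = [], 0
    for i in range(1, len(labels) + 1):
        if i == len(labels) or labels[i] != labels[start]:
            fields.append((start, i, labels[start]))
            start = i
    return fields

def find_length_field(messages):
    """Heuristic: a 2-byte big-endian field whose value equals the number of
    bytes after it in every message is a length field. Offset or None."""
    width = min(len(m) for m in messages)
    for off in range(width - 1):
        if all(int.from_bytes(m[off:off + 2], "big") == len(m) - off - 2
               for m in messages):
            return off
    return None

def extract_format(messages):
    """Static/dynamic split, then carve the inferred length field out of the
    merged field that contains it and tag it with its semantics."""
    fields = merge_runs(classify_positions(messages))
    off = find_length_field(messages)
    if off is None:
        return fields
    result = []
    for start, end, label in fields:
        if start <= off < off + 2 <= end:  # length field lies inside this one
            result += [(s, e, l) for s, e, l in
                       ((start, off, label), (off, off + 2, "LENGTH"), (off + 2, end, label))
                       if s < e]
        else:
            result.append((start, end, label))
    return result
```

On the sample traffic the naive merge fuses protocol id, length, unit id, function code and the high byte of the start address into one static field, and the length heuristic is what breaks that field apart again.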
Keywords/Search Tags: Industrial control system security, Proprietary protocol, Sequence alignment, Format extraction, Protocol state machine, Fuzzing