Jisuanji kexue (Apr 2023)

Black-box Fuzzing Method Based on Reverse-engineering for Proprietary Industrial Control Protocol

  • YANG Yahui, MA Rongkuan, GENG Yangyang, WEI Qiang, JIA Yan

DOI
https://doi.org/10.11896/jsjkx.211200258
Journal volume & issue
Vol. 50, no. 4
pp. 323 – 332

Abstract

The wide deployment of proprietary industrial control protocols poses a major challenge to the safe operation of industrial control systems. Because the specifications of these protocols are closed, traditional fuzzing tools cannot efficiently generate test cases, which limits the efficiency of fuzzing industrial control devices that speak proprietary protocols. To address this problem, a black-box fuzzing method based on reverse engineering of the proprietary industrial control protocol is proposed. First, an improved multiple sequence alignment algorithm and a field division algorithm are applied to captured traffic to obtain the protocol's field structure. Then a series of heuristic rules is defined to identify the constant field, the sequence number field, the length field, and the function code field, from which the protocol format is inferred. After that, a protocol state machine is built from the sequence number and function code fields. During fuzzing, test cases are generated from the inferred protocol format using several mutation strategies, and the constructed protocol state machine guides in-depth interaction between the fuzzing tool and the device under test. Based on these methods, the ICPPfuzz tool is designed and implemented. The protocol reverse-engineering and fuzzing capabilities of ICPPfuzz are evaluated on real devices using three industrial control protocols (Modbus/TCP, UMAS, S7comm). Experimental results show that the tool's field division, semantic recognition, and protocol state machine construction are significantly better than Netzob's in protocol reverse engineering. In terms of fuzzing, the number of effective test cases generated by the tool in the same time is 1.25 times that of Boofuzz, and the quality of its test cases and its vulnerability discovery ability are also better than Boofuzz's. In addition, three denial-of-service vulnerabilities are found when testing Modicon TM200/221 series PLCs, which demonstrates the tool's effectiveness.
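The abstract describes a heuristic step that, once field boundaries are known, labels each field as constant, sequence number, length, or function code. The following added example (not code from the paper or from ICPPfuzz) shows one way such rules can be written, applied to a small hand-constructed Modbus/TCP capture. Modbus/TCP is an open protocol, so the expected answer is known, which makes it a convenient check: the rules should recover the transaction identifier as a sequence field, the protocol identifier and unit identifier as constants, the MBAP length field as a length field, and the function code as a function code. The field boundaries in `ASSUMED_FIELDS`, the specific rule thresholds, and the three length conventions tried are assumptions of this example, not details taken from the paper.

```python
"""Heuristic field-semantics inference over a constructed Modbus/TCP capture.

Added example: the rules below are illustrative, not the ones used by ICPPfuzz.
"""
from typing import Dict, List, Optional, Tuple

# Constructed sample capture: six Modbus/TCP requests (MBAP header + PDU) as a
# client might send them to a PLC.  Layout: transaction id (2), protocol id (2),
# length (2), unit id (1), function code (1), PDU body.  Built by hand.
SAMPLE_MESSAGES: List[bytes] = [
    bytes.fromhex("0001 0000 0006 01 03 0000 000A"),                   # read holding registers
    bytes.fromhex("0002 0000 0006 01 03 0010 0002"),
    bytes.fromhex("0003 0000 0006 01 06 0001 00FF"),                   # write single register
    bytes.fromhex("0004 0000 0006 01 03 0020 0001"),
    bytes.fromhex("0005 0000 000B 01 10 0000 0002 04 11 22 33 44"),    # write multiple registers
    bytes.fromhex("0006 0000 0006 01 06 0002 0001"),
]

# Assumed output of the field-division step: (offset, width) pairs covering the
# MBAP header and the function code.  Bytes after offset 8 are the variable PDU body.
ASSUMED_FIELDS: List[Tuple[int, int]] = [(0, 2), (2, 2), (4, 2), (6, 1), (7, 1)]


def field_values(messages: List[bytes], offset: int, width: int, endian: str) -> Optional[List[int]]:
    """Decode the field at (offset, width) from every message; None if any message is too short."""
    if any(len(m) < offset + width for m in messages):
        return None
    return [int.from_bytes(m[offset:offset + width], endian) for m in messages]


def is_sequence(vals: List[int]) -> bool:
    """Sequence-number rule: consecutive messages increase the value by exactly one."""
    return len(vals) >= 3 and all(b - a == 1 for a, b in zip(vals, vals[1:]))


def length_rule(messages: List[bytes], offset: int, width: int, vals: List[int]) -> Optional[str]:
    """Length rule: the value must match one length convention for every message."""
    conventions = {
        "remaining_after_field": lambda m: len(m) - (offset + width),   # Modbus/TCP MBAP style
        "remaining_from_field": lambda m: len(m) - offset,
        "total_length": lambda m: len(m),
    }
    for name, expected in conventions.items():
        if all(v == expected(m) for v, m in zip(vals, messages)):
            return name
    return None


def classify_field(messages: List[bytes], offset: int, width: int) -> Dict[str, object]:
    """Apply the heuristic rules in priority order: constant, sequence, length, function code."""
    info: Dict[str, object] = {"offset": offset, "width": width, "type": "unknown"}
    big = field_values(messages, offset, width, "big")
    if big is None:
        return info
    if len(set(big)) == 1:                      # same bytes in every message
        info["type"] = "constant"
        return info
    for endian in ("big", "little"):            # byte order is unknown for a proprietary protocol
        vals = field_values(messages, offset, width, endian)
        if is_sequence(vals):
            info.update(type="sequence", endian=endian)
            return info
        rule = length_rule(messages, offset, width, vals)
        if rule is not None:
            info.update(type="length", endian=endian, rule=rule)
            return info
    # Function-code rule: a one-byte field drawn from a small alphabet that repeats
    # across messages but is not constant.  Threshold is an assumption of this example.
    distinct = len(set(big))
    if width == 1 and 1 < distinct <= max(2, len(messages) // 2):
        info["type"] = "function_code"
    return info


def infer_format(messages: List[bytes], fields: List[Tuple[int, int]]) -> List[Dict[str, object]]:
    """Label every divided field; result order follows the field list."""
    return [classify_field(messages, off, w) for off, w in fields]


if __name__ == "__main__":
    for f in infer_format(SAMPLE_MESSAGES, ASSUMED_FIELDS):
        print(f)
```

The priority order matters: a constant field would also satisfy the length rule on a capture where every message has the same size, so constants are tested first, and the length rule is only trusted here because the capture includes messages of different lengths. On a real proprietary capture a practitioner would feed many more messages, since the sequence and function-code rules are only as reliable as the variety in the traffic.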

Keywords