基于动态污点分析的工控设备硬件漏洞挖掘方法研究

doi:10.3969/j.issn.1671-1122.2019.04.006

摘要/Abstract

摘要：

近年来,工业控制系统安全事件频发。CNNVD和CVND统计的漏洞情况表明,公开的工控硬件漏洞数量逐年增加。因此,针对工控硬件开展漏洞挖掘技术研究,对提高工控系统安全具有重要意义。文章选取PLC固件为漏洞挖掘对象,提出一种基于动态污点分析的工控设备硬件漏洞挖掘方法。文章给出了污点传播规则,并设计了基于危险权重的敏感字段量化规则,生成引导式信息以指导模糊测试用例的构造。文章设计并实现了PLC_TaintFuzzer漏洞挖掘系统,通过设置模糊测试对比实验,证明了该方法在PLC一类工控设备漏洞挖掘上的效率。

关键词: PLC, 引导式模糊测试, 危险权重, 漏洞挖掘

Abstract:

In recent years, security events of industrial control system have occurred frequently. The vulnerabilities statistics of CNNVD and CVND show that the number of vulnerabilities in industrial control hardware is increasing year by year. Therefore, the research on exploiting vulnerabilities in industrial control hardware is of great significance to improve the safety of industrial control system. This paper chooses PLC firmware as the object of vulnerability mining and presents a method of hardware vulnerability mining of industrial control equipment based on dynamic stain analysis. This paper gives the taint propagation rules and the sensitive field quantization rules based on risk weight, which are used to generate guidance information to construct fuzzy test cases. This paper designs and implements a PLC_Taint Fuzzer vulnerability mining system. By setting up fuzzy test contrast experiment, this paper proves the efficiency of the method in vulnerability mining of industrial control equipment such as PLC.

Key words: PLC, guided fuzzy test, risk weight, vulnerability mining

中图分类号:

TP309

段斌, 李兰, 赖俊, 詹俊. 基于动态污点分析的工控设备硬件漏洞挖掘方法研究[J]. 信息网络安全, 2019, 19(4): 47-54.

Bin DUAN, Lan LI, Jun LAI, Jun ZHAN. Research on Hardware Vulnerabilities Mining Method for Industrial Control Device Based on Dynamic Taint Analysis[J]. Netinfo Security, 2019, 19(4): 47-54.

图/表 7

表1

表2

图1

表3

危险操作指令的危险权重表

危险权重	指令分类	示例	危险性说明
3	Move指令集	mov r4, r5 若源操作寄存器r4的内容被污染,则执行操作后,寄存器r5中的内容被污染	涉及污点数据转移
	Store指令集	smw r4, 0x4(r1) 该指令将寄存器r4中的16位数据写入有效地址为r1+4的内存中。如果源操作数被污染,则执行操作后,目的操作数被污染	涉及内存破坏：通过变异存储指令访问的目标内存地址依赖的TDU,可以造成存储的目的内存不存在或内存破坏
	Load指令集	lwz r4, 0x4(r1) 该指令读取有效地址为r1+4的内存中的16位数据,加载至寄存器r4中。如果源操作数被污染,则执行操作后,目的操作数被污染	涉及访问越界：通过变异装载指令访问的目标内存地址依赖的TDU,可以造成装载的目的内存不存在或者访问特定内存地址以窃取数据
2	跳转指令	1）mtctr r4 2）bclr 指令1）将寄存器r4的值传递给专用寄存器ctr;指令2）跳转到寄存器ctr指向的地址执行,并设置寄存器lr中内容为下一条转移目标地址。如果寄存器r4的值被污染,则寄存器ctr指向的跳转地址被污染	涉及任意代码执行：通过变异跳转地址所依赖的字段,可能导致程序执行任意代码
	危险函数： Strcpy()、sprintf()、	char strcpy(char dest,const char *src) strcpy()将参数src所指向的字符串复制到参数dest所指向的地址,如果src被污染,则dest被污染	涉及缓冲区溢出：如果参数dest所指的内存空间不够大,可能会造成缓冲区溢出的错误情况
	内存敏感函数： Malloc()、realloc()、calloc()、memcpy()	void *malloc(int size) 传入malloc()的参数size如果被污染,则malloc()被污染	涉及缓冲区溢出：通过变异参数size所依赖的TDU,影响内存分配大小,可能造成缓冲区溢出
1	加减运算指令集、比较运算指令集	add r4, r5 寄存器r5的值如果被污染,则寄存器r4也被污染	涉及函数分支条件、地址运算等：为2、3级危险权重指令提供污点传播基础

表3

图2

图3

表4

参考文献 16

[1]	PENG Yong, JIANG Changqing, XIE Feng, et al.Information Security Research Progress in Industrial Control Systems[J]. Journal of Tsinghua University: Science and Technology, 2012, 52(10): 1396-1408.
	彭勇,江常青,谢丰,等.工业控制系统信息安全研究进展[J].清华大学学报:自然科学版,2012,52(10):1396-1408.
[2]	TAO Yaodong, LI Ning, ZENG Guangsheng.Review of Industrial Control Systems Security[J]. Computer Engineering and Applications, 2016, 52(13): 8-18.
	陶耀东,李宁,曾广圣.工业控制系统安全综述[J].计算机工程与应用, 2016,52(13):8-18.
[3]	PENG Yong, WANG Ting, XIONG Qi, et al.Research on Fuzzy Testing Technology for Private Protocol[J]. Journal of Beijing Jiaotong University, 2013, 37(5): 8-12.
	彭勇,王婷,熊琦,等.针对私有协议的模糊测试技术研究[J].北京交通大学学报,2013,37(5):8-12.
[4]	SUN Zhe, LIU Daguang, WU Xueli, et al.Design and Implementation of Network Protocol Auto Vulnerability Mining Tool based on Fuzzing[J]. Netinfo Security, 2014,14(6): 23-30.
	孙哲,刘大光,武学礼,等.基于模糊测试的网络协议自动化漏洞挖掘工具设计与实现[J].信息网络安全,2014,14(6):23-30.
[5]	ZHANG Yafeng, HONG Zheng, WU Lifa, et al.Protocol State Based Fuzzing Method for Industrial Control Protocols[J]. Computer Science, 2017, 44(5): 132-140.
	张亚丰,洪征,吴礼发,等.基于状态的工控协议Fuzzing测试技术[J].计算机科学,2017,44(5):132-140.
[6]	LAI Zhiquan.Research on Software Fuzzy Testing Method Based on State Protocol of Dynamic Stain Analysis[D]. Changsha: National University of Defense Technology,2010.
	赖志权. 基于动态污点分析的状态协议实现软件模糊测试方法研究[D].长沙:国防科学技术大学,2010.
[7]	ZHANG Meichao, ZENG Fanping, HUANG Yi.Fuzzing Testing Based on Vulnerability Database[J]. Journal of Chinese Computer Systems, 2011, 32(4): 651-655.
	张美超,曾凡平,黄奕.基于漏洞库的fuzzing测试技术[J].小型微型计算机系统,2011,32(4):651-655.
[8]	LI Weiming, ZHANG Aifang, LIU Jiancai, et al.An Automatic Network Protocol Fuzz Testing and Vulnerability Discovering Method[J]. Chinese Journal of Computers, 2011, 34(2): 242-255.
	李伟明,张爱芳,刘建财,等.网络协议的自动化模糊测试漏洞挖掘方法[J].计算机学报,2011,34(2):242-255.
[9]	WANG Lei, LI Feng, LI Lian, et al.Principle and Practice of Taint Analysis[J]. Journal of Software, 2017, 28(4): 860-882.
	王蕾,李丰,李炼,等.污点分析技术的原理和实践应用[J].软件学报,2017,28(4):860-882.
[10]	SHAO Lin, ZHANG Xiaosong, SU Enbiao.New Method of Software Vulnerability Detection Based on Fuzzing[J]. Application Research of Computers, 2009, 26(3): 292-294.
	邵林,张小松,苏恩标.一种基于fuzzing技术的漏洞发掘新思路[J].计算机应用研究,2009,26(3):292-294.
[11]	BEKRAR S, BEKRAR C, GROZ R, et al.A Taint Based Approach for Smart Fuzzing[C]// IEEE.IEEE Fifth International Conference on Software Testing, Verification and Validation, April 17-21, 2012, Montreal, QC, Canada.NJ: IEEE, 2012:818-825.
[12]	SONG Zheng, WANG Yongjian, JIN Bo, et al.Review on Dynamic Taint Analysis of Binary Programs[J]. Netinfo Security, 2016, 16(3): 77-83.
	宋铮,王永剑,金波,等.二进制程序动态污点分析技术研究综述[J].信息网络安全,2016,16(3):77-83.
[13]	BASNIGHT Z, BUTTS J, JR J L, et al.Firmware Modification Attacks on Programmable Logic Controllers[J]. International Journal of Critical Infrastructure Protection, 2013, 6(2):76-84.
[14]	DAI Zhonghua, ZHAO Bo, WANG Ting, et al.A Fuzzing Test Method for Embedded Device Firmware Based on Taint Analysis[J]. Advanced Engineering Sciences, 2016, 48(2): 125-131.
	戴忠华,赵波,王婷,等.基于污点分析的嵌入式设备固件模糊测试方法[J].工程科学与技术,2016,48(2):125-131.
[15]	CHENG Ligen, LIU Shengli, XIAO Da, et al.A Heuristic Fuzzing Test Method for Cisco IOS[J]. Computer Engineering, 2014, 40(12): 68-73.
	陈立根,刘胜利,肖达,等.一种Cisco IOS引导式模糊测试方法[J].计算机工程,2014,40(12):68-73.
[16]	YI Shengwei, ZHANG Chongbin, XIE Feng, et al.Security Analysis of Industrial Control Network Protocol Based on Peach[J]. Journal of Tsinghua University: Science and Technology, 2017(1): 50-54.
	伊胜伟,张翀斌,谢丰,等.基于Peach的工业控制网络协议安全分析[J].清华大学学报:自然科学版,2017(1):50-54.

指令分类	指令示例
整数加载（Load）	lbz、lhz、lha、lwz、lmz、…
整数存储（Store）	stb、sth、stw、stmw、…

指令分类	指令示例
比较指令	cmp、cmpi、cmpw、cmpwi、…
转移指令	b、bc、bclr、bcctr、…
算数运算指令	add、sub、adde、addo、div、…
逻辑运算指令	and、xor、or、…
特殊寄存器传送指令	mfmsr、mtmsr、mfsr、mtsr、…
系统调用与返回指令	sr、rfi…

测试工具	测试用例数/个	测试时间/min	漏洞触发数/个
Peach	26923	8h50	0
PLC_TaintFuzzer	2327	4h32	3