[1] IEC. Wind energy generation systems-Part 25-1: communications for monitoring and control of wind power plants-overall description of principles and models: IEC 61400-25-1[S]. IEC, 2017.
[2] IEC. Communication networks and systems for power utility automation-part 90-7: object models for power converters in distributed energy resources (DER) systems: IEC 61850-90-7[S]. IEC, 2017.
[3] IEC. Communication networks and systems for power utility automation-part 7-420: basic communication structure-Distributed energy resources and distribution automation logical nodes: IEC 61850-7-420[S]. IEC, 2021.
[4] HAO Xiaoguang, GENG Shaobo, REN Jiangbo, et al. Research and application of modeling method of secondary cable loop in intelligent substation[J]. Journal of Electric Power Science and Technology, 2020, 35(4): 161–168.
[5] DAI Zhihui, LU Hao, LIU Yuan, et al. A fault diagnosis method for the secondary circuits of protection systems in smart substations based on improved D-S evidence theory[J]. Power System Protection and Control, 2020, 48(9): 59–67.
[6] YAO Hao, XI Wei, CHEN Haomin, et al. Structure optimization of intelligent substation relay protection device based on SoC[J]. Journal of Electric Power Science and Technology, 2021, 36(5): 20–27.
[7] KUSH N S, AHMED E, BRANAGAN M, et al. Poisoned GOOSE: exploiting the GOOSE protocol[C]// 12th Australasian Information Security Conference, January 20-23, 2014, Auckland, New Zealand: 17–22.
[8] STROBEL M, WIEDERMANN N, ECKERT C. Novel weaknesses in IEC 62351 protected smart grid control systems[C]// 7th IEEE International Conference on Smart Grid Communications, November 6-9, 2016, Sydney, Australia: 266–270.
[9] WANG Zhenzhen. Research on the conformance testing method of power utility automation devices based on IEC 61850 Ed2.0[D]. Nanjing: Southeast University, 2017.
[10] REN Zezhong, ZHENG Han, ZHANG Jiayuan, et al. A review of fuzzing techniques[J]. Journal of Computer Research and Development, 2021, 58(5): 944–963.
[11] XIONG Qi, PENG Yong, YI Shengwei, et al. Survey on the fuzzing technology in industrial network protocols[J]. Journal of Chinese Computer Systems, 2015, 36(3): 497–502.
[12] BYRES E J, HOFFMAN D, KUBE N. On shaky ground-a study of security vulnerabilities in control protocols[C]// 5th International Topical Meeting on Nuclear Plant Instrumentation Controls, and Human Machine Interface Technology, November 12-16, 2006, Albuquerque, USA: 782–788.
[13] Profuzz: Simple PROFINET fuzzer based on scapy [EB/OL]. [2012-12-6]. https://github.com/HSASec/ProFuzz.
[14] DEVARAJAN G. Unraveling SCADA protocols: using Sulley fuzzer, presented at the DefCon 15 Hacking Conference [EB/OL]. [2015-06-21]. http://www.defcon.org/html/defcon-15/dc15-speakers.html.
[15] YI Shengwei, ZHANG Chongbin, XIE Feng, et al. Security analysis of industrial control network protocols based on Peach[J]. Journal of Tsinghua University (Science and Technology), 2017, 57(1): 50–54.
[16] HUANG Ying, ZOU Qiwei, FAN Kefeng. Fuzzing test-based vulnerability mining for industrial control network protocol[J]. Journal on Communications, 2018, 39(S2): 181–188.
[17] ZHANG Yafeng, HONG Zheng, WU Lifa, et al. Form-syntax based Fuzzing method for industrial control protocols[J]. Application Research of Computers, 2016, 33(8): 2433–2439.
[18] KIM S J, SHON T. Field classification-based novel fuzzing case generation for ICS protocols[J]. The Journal of Supercomputing, 2018, 74(9): 4434–4450.
[19] XIANG Shuang, ZHAO Bo, JI Xiangmin, et al. Vulnerability detection framework of industrial control equipment based on improved fuzzing[J]. Journal of Wuhan University (Natural Science Edition), 2013, 59(5): 411–415.
[20] LAI Yingxu, YANG Kaixiang, LIU Jing, et al. Vulnerability mining method for industrial control network protocol based on fuzz testing[J]. Computer Integrated Manufacturing Systems, 2019, 25(9): 2265–2279.
[21] VHunter IVM [EB/OL]. (2020-02-03)[2020-04-01]. http://www.winicssec.com/product/d30.html.
[22] Mu test suite [EB/OL]. (2018-02-01)[2018-03-01]. http://www.mudynamics.com/products/mu-test-suite.html.
[23] DOU Renhui, REN Hui, YAO Zhiqiang, et al. Design of autonomous and controllable substation control level service protocol[J]. Power System Technology: 1–8 [2021-09-16]. https://doi.org/10.13335/j.1000-3673.pst.2020.1784.