A Method for Mining GOOSE Protocol Parsing Vulnerabilities Based on Fuzzing

doi:10.11930/j.issn.1004-9649.202109105

Abstract

Abstract: The existing fuzzing methods for industrial control protocol do not consider the characteristics of the embedded terminal systems, and have few research on the industrial control protocol without TCP/IP. Firstly, a fuzzing-based method for mining generic object-oriented substation event (GOOSE) protocol parsing vulnerabilities is proposed: the mutation mode is used to generate test cases, and three mutation strategies are presented based on GOOSE message field type, abstract syntax notation one (ASN.1) encoding mode and bit reversal; two terminal abnormalities monitoring methods are proposed based on GOOSE heartbeat message and system operation information. Then, the implementation system architecture and test process of the proposed method are designed. Two undisclosed GOOSE protocol parsing vulnerabilities are discovered in testing the embedded terminals of a manufacturer in a smart substation laboratory environment, which verifies the effectiveness of the proposed method. Finally, recommendations for preventing malformed message attacks are put forward based on such vulnerabilities.

Key words: fuzzing, GOOSE protocol, grid embedded terminal, vulnerability mining, malformed message attack

LIU Linbin, MIAO Quanqiang, LI June. A Method for Mining GOOSE Protocol Parsing Vulnerabilities Based on Fuzzing[J]. Electric Power, 2022, 55(4): 33-43.

Add to citation manager EndNote|Ris|BibTeX

URL: https://www.electricpower.com.cn/EN/10.11930/j.issn.1004-9649.202109105

https://www.electricpower.com.cn/EN/Y2022/V55/I4/33

References

[1] IEC. Wind energy generation systems-Part 25-1: communications for monitoring and control of wind power plants-overall description of principles and models: IEC 61400-25-1[S]. IEC, 2017.
[2] IEC. Communication networks and systems for power utility automation-part 90-7: object models for power converters in distributed energy resources (DER) systems: IEC 61850-90-7[S]. IEC, 2017.
[3] IEC. Communication networks and systems for power utility automation-part 7-420: basic communication structure-Distributed energy resources and distribution automation logical nodes: IEC 61850-7-420[S]. IEC, 2021.
[4] 郝晓光, 耿少博, 任江波, 等. 智能变电站二次电缆回路建模方法研究与应用[J]. 电力科学与技术学报, 2020, 35(4): 161–168
HAO Xiaoguang, GENG Shaobo, REN Jiangbo, et al. Research and application of modeling method of secondary cable loop in intelligent substation[J]. Journal of Electric Power Science and Technology, 2020, 35(4): 161–168
[5] 戴志辉, 鲁浩,刘媛,等. 基于改进D-S证据理论的智能站保护二次回路故障诊断方法[J].电力系统保护与控制, 2020, 48(9): 59-67.
DAI Zhihui, LU Hao, LIU Yuan, et al. A fault diagnosis method for the secondary circuits of protection systems in smart substations based on improved D-S evidence theory[J]. Power System Protection and Control, 2020, 48(9): 59-67.
[6] 姚浩, 习伟, 陈浩敏, 等. 基于SoC的单芯片保护装置架构设计优化[J]. 电力科学与技术学报, 2021, 36(5): 20-27.
YAO Hao, XI Wei, CHEN Haomin, et al. Structure optimization of intelligent substation relay protection device based on SoC[J]. Journal of Electric Power Science and Technology, 2021, 36(5): 20-27.
[7] KUSH N S, AHMED E, BRANAGAN M, et al. Poisoned GOOSE: exploiting the GOOSE protocol[C]// 12 th Australasian Information Security Conference, January 20-23, 2014, Auckland, New Zealand: 17–22.
[8] STROBEL M, WIEDERMANN N, ECKERT C. Novel weaknesses in IEC 62351 protected smart grid control systems[C]// 7 th IEEE International Conference on Smart Grid Communications, November 6-9, 2016, Sydney, Australia: 266–270.
[9] 王珍珍. 基于IEC 61850 Ed2.0的电力自动化设备一致性测试方法研究[D]. 南京: 东南大学, 2017.
WANG Zhenzhen. Research on the comformance testing method of power utility automation devices based on IEC 61850 Ed2.0[D]. Nanjing: Southeast University, 2017.
[10] 任泽众, 郑晗, 张嘉元, 等. 模糊测试技术综述[J]. 计算机研究与发展, 2021, 58(5): 944–963
REN Zezhong, ZHENG Han, ZHANG Jiayuan, et al. A review of fuzzing techniques[J]. Journal of Computer Research and Development, 2021, 58(5): 944–963
[11] 熊琦, 彭勇, 伊胜伟, 等. 工控网络协议Fuzzing测试技术研究综述[J]. 小型微型计算机系统, 2015, 36(3): 497–502
XIONG Qi, PENG Yong, YI Shengwei, et al. Survey on the fuzzing technology in industrial network protocols[J]. Journal of Chinese Computer Systems, 2015, 36(3): 497–502
[12] BYRES E J, HOFFMAN D, KUBE N. On shaky ground-a study of security vulnerabilities in control protocols[C]//5 th International Topical Meeting on Nuclear Plant Instrumentation Controls, and Human Machine Interface Technology, November 12-16, 2006, Albuquerque, USA: 782–788.
[13] Profuzz: Simple PROFINET fuzzer based on scapy [EB/OL]. [2012-12-6]. https://github.com/HSASec/ProFuzz.
[14] DEVARAJAN G. Unraveling SCADA protocols: using Sulleyfuzzer, presented at the DefCon 15 Hacking Conference [EB/OL]. [2015-06-21]. http://www.defcon.org/html/defcon-15/dc15-speakers.html.
[15] 伊胜伟, 张翀斌, 谢丰, 等. 基于Peach的工业控制网络协议安全分析[J]. 清华大学学报(自然科学版), 2017, 57(1): 50–54
YI Shengwei, ZHANG Chongbin, XIE Feng, et al. Security analysis of industrial control network protocols based on Peach[J]. Journal of Tsinghua University (Science and Technology), 2017, 57(1): 50–54
[16] 黄影, 邹颀伟, 范科峰. 基于Fuzzing测试的工控网络协议漏洞挖掘技术[J]. 通信学报, 2018, 39(增刊2): 181–188
HUANG Ying, ZOU Qiwei, FAN Kefeng. Fuzzing test-based vulnerability mining for industrial control network protocol[J]. Journal on Communications, 2018, 39(S2): 181–188
[17] 张亚丰, 洪征, 吴礼发, 等. 基于范式语法的工控协议Fuzzing测试技术[J]. 计算机应用研究, 2016, 33(8): 2433–2439
ZHANG Yafeng, HONG Zheng, WU Lifa, et al. Form-syntax based Fuzzing method for industrial control protocols[J]. Application Research of Computers, 2016, 33(8): 2433–2439
[18] KIM S J, SHON T. Field classification-based novel fuzzing case generation for ICS protocols[J]. The Journal of Supercomputing, 2018, 74(9): 4434–4450.
[19] 向騻, 赵波, 纪祥敏, 等. 一种基于改进Fuzzing架构的工业控制设备漏洞挖掘框架[J]. 武汉大学学报(理学版), 2013, 59(5): 411–415
XIANG Shuang, ZHAO Bo, JI Xiangmin, et al. Vulnerability detection framework of industrial control equipment based on improved fuzzing[J]. Journal of Wuhan University (Natural Science Edition), 2013, 59(5): 411–415
[20] 赖英旭, 杨凯翔, 刘静, 等. 基于模糊测试的工控网络协议漏洞挖掘方法[J]. 计算机集成制造系统, 2019, 25(9): 2265–2279
LAI Yingxu, YANG Kaixiang, LIU Jing, et al. Vulnerability mining method for industrial control network protocol based on fuzz testing[J]. Computer Integrated Manufacturing Systems, 2019, 25(9): 2265–2279
[21] 工控漏洞挖掘平台-威努特[EB/OL]. (2020-02-03)[2020-04-01]. http://www.winicssec.com/product/d30.html.
VHunter IVM [EB/OL]. (2020-02-03)[2020-04-01]. http://www.winicssec.com/product/d30.html.
[22] Mu test suite [EB/OL]. (2018-02-01)[2018-03-01]. http://www.mudynamics.com/products/mu-test-suite.html.
[23] 窦仁晖, 任辉, 姚志强, 等. 自主可控变电站站控层服务协议设计[J]. 电网技术: 1–8 [2021-09-16]. https://doi.org/10.13335/j.1000-3673.pst.2020.1784.
DOU Renhui, REN Hui, YAO Zhiqiang, et al. Design of autonomous and controllable substation control level service protocol[J]. Power System Technology: 1–8[2021-09-16]. https://doi.org/10.13335/j.1000-3673.pst.2020.1784.