Electric Power ›› 2022, Vol. 55 ›› Issue (4): 33-43.DOI: 10.11930/j.issn.1004-9649.202109105

• The Cyber Security of New Type Power System: Theory, Technology and Applications • Previous Articles     Next Articles

A Method for Mining GOOSE Protocol Parsing Vulnerabilities Based on Fuzzing

LIU Linbin1, MIAO Quanqiang2, LI June1   

  1. 1. Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education (School of Cyber Science and Engineering, Wuhan University), Wuhan 430072, China;
    2. Key Laboratory of Electro-optical Countermeasures Test & Evaluation Technology, Luoyang 471000, China
  • Received:2021-09-18 Revised:2022-02-09 Online:2022-04-28 Published:2022-04-24
  • Supported by:
    This work is supported by National Natural Science Foundation of China (Research on the Evolution Mechanism and Early Defense of Cascading Failures Across Spaces Caused by Coordinated Cyberattacks in Grid CPS, No.51977155)

Abstract: The existing fuzzing methods for industrial control protocol do not consider the characteristics of the embedded terminal systems, and have few research on the industrial control protocol without TCP/IP. Firstly, a fuzzing-based method for mining generic object-oriented substation event (GOOSE) protocol parsing vulnerabilities is proposed: the mutation mode is used to generate test cases, and three mutation strategies are presented based on GOOSE message field type, abstract syntax notation one (ASN.1) encoding mode and bit reversal; two terminal abnormalities monitoring methods are proposed based on GOOSE heartbeat message and system operation information. Then, the implementation system architecture and test process of the proposed method are designed. Two undisclosed GOOSE protocol parsing vulnerabilities are discovered in testing the embedded terminals of a manufacturer in a smart substation laboratory environment, which verifies the effectiveness of the proposed method. Finally, recommendations for preventing malformed message attacks are put forward based on such vulnerabilities.

Key words: fuzzing, GOOSE protocol, grid embedded terminal, vulnerability mining, malformed message attack