CN117254964A - Power grid intelligent terminal protocol vulnerability detection method based on high-order attribute grammar - Google Patents


Info

Publication number
CN117254964A
CN117254964A
Authority
CN
China
Prior art keywords
message
test
equipment
abnormal
protocol
Prior art date
Legal status
Pending
Application number
CN202311272840.9A
Other languages
Chinese (zh)
Inventor
张坤三
张永记
罗富财
刘俊
吴丽进
纪文
郑原俊
谢静怡
高董英
陈昕昊
李铮
陈新庚
温丽清
林晋煌
张坤鑫
Current Assignee
State Grid Fujian Electric Power Co Ltd
Zhangzhou Power Supply Co of State Grid Fujian Electric Power Co Ltd
Original Assignee
State Grid Fujian Electric Power Co Ltd
Zhangzhou Power Supply Co of State Grid Fujian Electric Power Co Ltd
Priority date
Application filed by State Grid Fujian Electric Power Co Ltd and Zhangzhou Power Supply Co of State Grid Fujian Electric Power Co Ltd
Priority application: CN202311272840.9A
Publication: CN117254964A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/06 Generation of reports
    • H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L43/50 Testing arrangements
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/16 Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
    • H04L69/161 Implementation details of TCP/IP or UDP/IP stack architecture; Specification of modified or new header fields
    • H04L69/162 Implementation details of TCP/IP or UDP/IP stack architecture; Specification of modified or new header fields involving adaptations of sockets based mechanisms
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Environmental & Geological Engineering (AREA)
  • Maintenance And Management Of Digital Transmission (AREA)

Abstract

The invention provides a method for detecting protocol vulnerabilities of power grid intelligent terminals based on a high-order attribute grammar, and proposes a terminal protocol parse tree built on the high-order attribute grammar.

Description

Power grid intelligent terminal protocol vulnerability detection method based on high-order attribute grammar
Technical Field
The invention relates to the technical field of information security testing, and in particular to a method for detecting protocol vulnerabilities of power grid intelligent terminals based on a high-order attribute grammar.
Background
The common existing approach to testing the security and reliability of industrial control protocols is to capture traffic, mutate it, and replay the mutated messages to the device under test. For power grid intelligent terminal protocols such as IEC 61850, this approach is limited by the complexity of the protocol model: most of the replayed messages are redundant and never reach a substantive interaction with the device. Moreover, once a replayed malformed message has crashed the device under test, the device no longer responds, and the subsequent malformed test messages are usually skipped automatically, so the test cannot go any deeper.
Disclosure of Invention
In view of the defects and shortcomings of the prior art, the invention aims to provide a method for detecting power grid intelligent terminal protocol vulnerabilities based on a high-order attribute grammar. A terminal protocol parse tree is designed on the basis of the high-order attribute grammar, and protocol vulnerabilities are mined in depth through association analysis of context semantics and mutation of tree nodes, guided by how the terminal responds to the message interaction. This effectively addresses the low vulnerability coverage and low mining efficiency of conventional vulnerability mining techniques, which do not take semantics into account.
The method specifically comprises the following technical content:
A method for detecting protocol vulnerabilities of power grid intelligent terminals based on a high-order attribute grammar, characterized in that a terminal protocol parse tree is designed on the basis of the high-order attribute grammar, and deep mining of protocol vulnerabilities is realized through association analysis of context semantics and node mutation, according to the terminal's response to the message interaction.
Further, fuzz testing is used to mine vulnerabilities in the power system communication protocol: over a communication connection with the object under test, mutated or erroneous (fuzzed) messages are sent to the application of the object under test, and the response messages of the object under test are monitored to discover errors. If the device shows an abnormal condition, including communication interruption, display errors or a crash, its resistance to abnormal messages is poor.
Further, the test model used comprises:
1) the bay-level intelligent electronic device (IED) under test;
2) an operation and maintenance (O&M) workstation that performs routine O&M on the IED;
3) a traffic capture device that captures the data messages;
4) the test system that tests the robustness of the device's IEC 61850 communication module;
5) a station-level switch that interconnects the devices;
the test flow is as follows:
1) The O&M workstation selects a device and performs normal O&M operations on it over the IEC 61850 protocol, generating IEC 61850 data messages;
2) All data messages are forwarded through the switch, and the traffic capture machine captures the messages exchanged between the O&M workstation and the IED from the switch;
3) The captured messages are preprocessed, non-IEC 61850 data is removed, and the result forms the test message samples, which are imported into the robustness test system;
4) The test samples are parsed, one or more fields of a normal data message are mutated, a device under test is selected, and the mutated abnormal message is sent to it; throughout the test, for each normal message the system generates and sends several different abnormal messages to the device, while recording the sent messages and the real-time state of the device;
5) After the test, the system extracts from the records the abnormal messages that were sent when the device became abnormal, counts the device's abnormal periods and the number of test messages sent, and generates a test report from a report template;
6) According to the abnormal messages in the test report, the problem is checked, it is confirmed whether the device was genuinely abnormal, the reasonableness of the test result is verified, and the test report is refined.
Further, the vulnerability detection system used comprises:
1) Test sample processing module: obtains test sample messages, removes redundant information, parses the sample file with protocol reverse-engineering techniques, recognizes the sample data according to the grammar model, and builds a parse tree;
2) State negotiation module: determines the protocol type and prepares for message transmission; obtains an XML configuration file containing the data needed while the system runs;
3) Test sample generation module: generates test sample messages with fuzz testing driven by the high-order attribute grammar, combined with the history of abnormal messages;
4) Message sending module: establishes a TCP connection with the device under test, sends abnormal messages to it for fuzz testing, and detects the effect of the fuzzing by judging the device state; if the device's communication is interrupted, a protocol vulnerability has been found;
5) Report generation module: reads the result information produced by the test from the real-time data storage unit and outputs a test report according to a report template in a predefined HTML format; the report mainly contains the device information and the abnormal messages that caused device anomalies;
6) Core scheduler: coordinates the cooperative operation of the modules, calls the module interfaces, and shares data between the modules.
Further, the working process of the test sample processing module is as follows: first, a machine equipped with a packet capture tool is connected to the protocol under test; interaction messages are generated while the power grid intelligent terminal protocol communicates normally with the device; the capture tool captures and stores the packets; finally, the grammar format of the power protocol is extracted with protocol reverse engineering;
after the messages have been captured, for IEC 61850 messages the logical device name of the device under test must be adapted automatically during the test; the processing is as follows:
1) Fully parse the test messages: the test messages are parsed by protocol reverse engineering, the device interaction messages are extracted, and the complete content of each message is identified;
2) Remove redundancy from the test message samples: the IP header information is removed from each message, which is then loaded into memory as a byte array;
3) Obtain the device information and repackage the test messages: when a message is processed, the correct transport-layer header is added to it according to the transport in use, so that the abnormal attack message, once sent, reaches the internal processing of the object under test instead of being discarded by the lower network layers; the logical device name of the device under test is obtained and parsed using IEC 61850 function codes; the logical device name is replaced, and the parsed message is re-encoded with an ASN.1 encoder, so that the sample message adapts itself to the device under test and correct communication can be established with it while the messages are replayed.
Further, the state negotiation module performs state negotiation before abnormal messages are sent, that is, each abnormal message is sent to the device only once the protocol state machine has been driven to the most appropriate state; for the different protocols under test, the test tool therefore needs to implement basic protocol stack functions, including construction of normal messages for each protocol and maintenance of the protocol state machine; to support extension to further protocols, the module is implemented in an object-oriented architecture in which a base class provides common virtual interface methods and each protocol's derived class supports its specific protocol by overriding the corresponding interface functions;
after state negotiation is complete, an XML configuration file containing the data needed while the system runs is obtained.
Further, the test case generation module recognizes the sample data according to the grammar model, builds a parse tree, selects untested nodes for mutation by traversing the parse tree to generate test cases, and sends the test cases to the device under test; driven by the high-order attribute grammar, the mutation flow is executed as three nested loops: the outermost loop iterates over the sample messages in the sample set; the middle loop traverses the constructed parse tree depth-first and selects untested nodes for mutation; the innermost loop iterates over the malformed messages generated for the field under test, and each test message is tested in turn.
Further, the message sending module simulates a normal communication process, providing the normal environment needed for testing abnormal messages, so that the abnormal messages can actually detect device anomalies and vulnerabilities; the message playback flow is as follows:
1) Preparation: the test message sample file is read, the device name in the sample messages is replaced, the reconstructed messages are parsed, and then the abnormal messages generated by fuzz testing are played back, observing the device's ability to process them and whether it continues to operate normally;
2) When the device becomes abnormal, message sending is suspended until the device returns to normal;
3) During the test the system records and stores in the database the abnormal phenomenon, the original message and the malformed message, so that the abnormal condition can be reproduced, the whole abnormal process analyzed, and visual, objective, real data provided for vulnerability remediation;
4) Abnormality verification: an abnormal message is obtained by modifying and restoring the original message and the abnormal message, it is sent to the device, and the device's communication state is checked to verify that the abnormal message is valid; the purpose of abnormality verification is to eliminate false positives.
The device's abnormal communication state is detected by function calls: sockets are used together with the select model for sending messages and judging abnormality. When a message is sent, the socket is put into blocking mode, which guarantees that the send has completed when the call returns and thus that the flow is correct and complete; when the abnormal state has to be judged, the socket is switched dynamically to non-blocking mode, and the timeout return is used so that the program returns correctly and continues with its subsequent tasks rather than remaining unresponsive for a long time because of a network fault. To cover the case in which the TCP connection is still up but the device's communication service no longer responds to any user command, a check of whether the protocol itself is still functioning is added.
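The device-state check described above (blocking send, select-driven non-blocking receive with a timeout, and a protocol-level liveness probe for the case where TCP is up but the service is dead), together with the pause-until-recovery rule of step 2), as an added Python example. This is not code from the patent or its test software: the `FakeDevice` class is a constructed stand-in for an IED so that the block runs offline, and the IEC 60870-5-104 TESTFR U-frame is used here as the liveness probe; for an IEC 61850 device the probe would be a normal MMS request with the same classification logic.

```python
# Added example: device liveness / anomaly detection between fuzzed messages.
# Not code from the patent's test software; FakeDevice is a constructed stand-in
# for an IED, and the IEC 104 TESTFR U-frame serves as the protocol-level probe.
import select
import socket
import threading
import time

HEALTHY = "healthy"
NO_TCP = "communication_interrupted"     # connect refused, reset, or peer closed
NO_PROTOCOL = "service_unresponsive"     # TCP is up, but the application never answers
BAD_REPLY = "protocol_error"             # it answered, but not with a valid protocol reply

TESTFR_ACT = bytes.fromhex("680443000000")   # IEC 104 U-frame TESTFR activation
TESTFR_CON = bytes.fromhex("680483000000")   # expected TESTFR confirmation


def is_testfr_con(reply: bytes) -> bool:
    return reply.startswith(TESTFR_CON)


def probe_device(host, port, request, reply_ok, timeout=1.0) -> str:
    """Send one probe and classify the device state, never blocking longer than `timeout`."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return NO_TCP
    with sock:
        sock.setblocking(True)            # blocking send: the whole request is queued when sendall returns
        try:
            sock.sendall(request)
        except OSError:
            return NO_TCP
        sock.setblocking(False)           # non-blocking receive driven by select, so a hung
        readable, _, _ = select.select([sock], [], [], timeout)   # service cannot stall the loop
        if not readable:
            return NO_PROTOCOL
        try:
            reply = sock.recv(4096)
        except OSError:                   # ECONNRESET and friends
            return NO_TCP
        if not reply:                     # orderly close: the service dropped the connection
            return NO_TCP
        return HEALTHY if reply_ok(reply) else BAD_REPLY


def wait_for_recovery(host, port, request, reply_ok, attempts=10, interval=0.5, timeout=1.0):
    """Pause the fuzzer after an anomaly and poll until the device answers again, or give up."""
    for i in range(1, attempts + 1):
        if probe_device(host, port, request, reply_ok, timeout) == HEALTHY:
            return True, i
        time.sleep(interval)
    return False, attempts


def unused_port() -> int:
    """A local port with nothing listening, to exercise the 'communication interrupted' case."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


class FakeDevice(threading.Thread):
    """Constructed stand-in for an IED: 'ok' answers TESTFR, 'hung' accepts but never
    replies, 'garbage' replies with bytes that are not a TESTFR confirmation."""

    def __init__(self, mode: str):
        super().__init__(daemon=True)
        self.mode = mode
        self.server = socket.socket()
        self.server.bind(("127.0.0.1", 0))
        self.server.listen(5)
        self.port = self.server.getsockname()[1]
        self.start()

    def run(self):
        while True:
            try:
                conn, _ = self.server.accept()
            except OSError:               # server socket closed
                return
            with conn:
                try:
                    req = conn.recv(4096)
                    if self.mode == "ok" and req == TESTFR_ACT:
                        conn.sendall(TESTFR_CON)
                    elif self.mode == "garbage":
                        conn.sendall(b"\x00\x00")
                    elif self.mode == "hung":
                        conn.recv(1)      # hold the connection open, silently, until the client gives up
                except OSError:
                    pass

    def close(self):
        self.server.close()


if __name__ == "__main__":
    dev = FakeDevice("hung")
    print(probe_device("127.0.0.1", dev.port, TESTFR_ACT, is_testfr_con, timeout=0.5))
    dev.close()
```

The four return values map onto the page's categories: `communication_interrupted` is the TCP-level failure the message sending module treats as a found vulnerability, `service_unresponsive` is the case the extra protocol check exists for, and `protocol_error` is worth recording separately because a device that answers with corrupted frames after a malformed input is often the first visible sign of memory corruption.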
Further, the report generation module reads the result information produced by the test from the real-time data storage unit and outputs a test report according to a report template in a predefined HTML format, listing the device information and the abnormal messages that caused device anomalies, analyzing the device's security situation and the specifics of its vulnerabilities, and providing the necessary basis for assessing device security and improving device reliability; a report for each single test step is generated from the template and finally merged into a complete report; a visual interface is provided that generates a vulnerability distribution chart and displays vulnerability count statistics, the distribution of vulnerability field values, the specific message for each vulnerability, and the communication messages at each protocol layer.
Compared with the prior art, the method and system build a vulnerability detection framework for power grid intelligent terminal protocols and propose a security testing technique based on mutation and replay of reference messages of those protocols. The dynamic recording and replay test process improves the depth of power communication protocol testing and the ability to recognize unknown vulnerabilities, and problems can be located and reproduced quickly. The method is highly automated and closely targeted to the protocols; on that basis, power protocol robustness testing software is further designed, providing strong technical support for security testing and vulnerability mining of power system communication protocols.
Drawings
The invention is described in further detail below with reference to the attached drawings and the detailed description:
FIG. 1 is a diagram of the power protocol robustness test technique framework according to an embodiment of the invention;
FIG. 2 is a diagram of the power grid intelligent terminal protocol vulnerability detection model according to an embodiment of the invention;
FIG. 3 is an organization chart of the power grid intelligent terminal test system according to an embodiment of the invention;
FIG. 4 is a flow chart of message acquisition according to an embodiment of the invention;
FIG. 5 is a flow chart of IEC 61850 message processing according to an embodiment of the invention;
FIG. 6 is a flow chart of the mutation test according to an embodiment of the invention;
FIG. 7 is a flow chart of message playback according to an embodiment of the invention;
FIG. 8 is a flow chart of device abnormality detection according to an embodiment of the invention;
FIG. 9 is a flow chart of the power communication protocol robustness test according to an embodiment of the invention;
FIG. 10 is a diagram of an IEC 104 unknown vulnerability mitigation attempt according to an embodiment of the invention;
FIG. 11 is a graph comparing test cases according to an embodiment of the invention.
Detailed Description
To make the features and advantages of the present patent more comprehensible, embodiments are described in detail below with reference to the figures:
The description of these embodiments is provided to aid understanding of the invention and is not intended to limit it. In addition, the technical features of the embodiments of the invention described below may be combined with each other as long as they do not conflict.
Compared with test methods such as manual code audit, static analysis and model checking, vulnerability discovery by fuzz testing, a form of dynamic analysis, has the advantages that it needs no program source code, is not constrained by the internal implementation details or complexity of the system under test, and is highly reusable. The invention applies fuzz testing to vulnerability discovery in power system communication protocols, so that security defects that are difficult to find with logic-driven testing can be found. The technique supports fully automated testing of mainstream power grid intelligent terminal protocols such as IEC 61850 (MMS, GOOSE), IEC 60870-5-104 and Modbus, effectively simplifies the security testing process, and enables automated testing of the security and reliability of an IEC 61850 protocol stack.
The technical framework of the power grid intelligent terminal protocol vulnerability detection provided by the embodiment of the invention is shown in Fig. 1. The main technical idea is that, over a communication connection with the object under test, mutated or erroneous (fuzzed) messages are sent to the application of the object under test, and its response messages are monitored to discover errors. If the device shows abnormal conditions such as communication interruption, display errors or a crash, its resistance to abnormal messages is poor and its robustness needs to be improved. Since in the normal case a given item of power software or hardware supports a given power grid intelligent terminal protocol, and that protocol runs on a given device, the protocol under test is hereinafter also called the device under test, and protocol vulnerability detection is also called device vulnerability detection.
This is a black-box test method, used when only the communication protocol standard supported by the device is known and the specific implementation of the device's internal communication module is not. To realize the core idea, taking IEC 61850, the protocol most widely used in today's substations, as an example, the test model shown in Fig. 2 is designed. The figure involves five devices or systems:
1) The bay-level intelligent electronic device (IED) under test.
2) The operation and maintenance (O&M) workstation that performs routine O&M on the IED.
3) The traffic capture device that captures the data messages.
4) The test system that tests the robustness of the device's IEC 61850 communication module.
5) The station-level switch that interconnects the devices.
The model simplifies the actual organization of a substation: the monitoring back end, the process-level network and devices, and the equipment that communicates with dispatch are omitted, and only a station-level switch, a bay-level IED and an O&M workstation are kept. To test the robustness of the device's IEC 61850 communication module, a traffic capture device and a robustness test system are added. The general test flow is as follows:
1) The O&M workstation selects a device and performs normal O&M operations on it over the IEC 61850 protocol, generating IEC 61850 data messages. Since IEC 61850 is an international standard communication protocol, interoperability with the devices of individual vendors can be achieved with any IEC 61850 client software.
2) Because all data messages are forwarded through the switch, the traffic capture machine can capture the messages exchanged between the O&M workstation and the IED from the switch. Most current switches provide a dedicated mirror port that outputs a copy of all data passing through the switch.
3) The captured messages are preprocessed, non-IEC 61850 data is removed, and the result forms the test message samples, which are imported into the robustness test system.
4) The vulnerability detection system parses the test samples, mutates one or more fields of a normal data message, selects a device under test, and sends the mutated abnormal message to it. Throughout the test, for each normal message the system generates and sends several different abnormal messages to the device, while recording the sent messages, the device state and other real-time information.
5) After the test, the system extracts from the records the abnormal messages that were sent when the device became abnormal, counts the device's abnormal periods and the number of test messages sent, and generates a test report from the report template.
6) The tester checks the problem according to the abnormal messages in the test report, confirms whether the device was abnormal, verifies the reasonableness of the test result, and refines the test report.
In the above procedure, the first three steps are the preparation phase, whose main purpose is to form test message samples for the protocol; the last three steps are the test phase, whose main purpose is to discover and verify abnormal messages that can cause device anomalies. Of the five devices and systems, the station-level switch, the IED and the O&M workstation already exist in the substation, the traffic capture tool can be realized with packet capture software such as Wireshark, and the vulnerability detection system is the core of the whole test model. Although this detection environment targets the IEC 61850 protocol, the core vulnerability detection system can be used for vulnerability detection of any power grid intelligent terminal protocol. The specific functions of the vulnerability detection system are given below.
The core functions of the vulnerability detection system are: reading the test message sample file, generating abnormal-message test samples, sending them to the device under test, and detecting the device's communication state to judge its resistance to abnormal messages. Fig. 3 shows the organization of the system and the associations between its modules. The system consists of one core scheduler; five functional modules (test sample processing, state negotiation, abnormal message construction, message playback and report generation); two predefined files; and two data storage units.
1) Test sample processing module: obtains test sample messages, removes redundant information, parses the sample file with protocol reverse-engineering techniques, recognizes the sample data according to the grammar model, and builds a parse tree.
2) State negotiation module: determines the protocol type and prepares for message transmission. It obtains an XML configuration file containing the data needed while the system runs, for example the interval between sending two messages and the waiting time after which a device anomaly is declared.
3) Test sample generation module: generates test sample messages with fuzz testing driven by the high-order attribute grammar, combined with the history of abnormal messages.
4) Message sending module: establishes a TCP connection with the device under test, sends abnormal messages to it for fuzz testing, and detects the effect of the fuzzing by judging the device state; if the device's communication is interrupted, a protocol vulnerability has been found.
5) Report generation module: reads the result information produced by the test from the real-time data storage unit and outputs a test report according to a report template in a predefined HTML format; the report mainly contains the device information and the abnormal messages that caused device anomalies.
6) Core scheduler: coordinates the cooperative operation of the modules, calls their interfaces and shares data between them, which also conforms to the Model-View-Controller (MVC) design pattern: the core scheduling module is the Controller, the interface display module and the report generation module are Views, and the remaining modules form the Model.
(2) Sample processing module
The test sample message is mainly obtained through a message capturing tool. Firstly, a machine provided with a message capturing tool is connected with a tested protocol (software and hardware equipment), an interactive message is generated when the intelligent terminal protocol of a power grid is normally used for communication with the equipment, the message capturing tool is used for capturing and storing a data packet, and finally, the protocol reverse technology is used for automatically and accurately extracting the power protocol grammar format, and the flow is shown in figure 4.
After the message is acquired, the message of some power grid intelligent terminal protocols needs to be further processed, for example, for IEC61850 messages, the logic name of the tested device needs to be self-adapted in the test process, so that the processing process is as follows.
1) Completely parse the test message. The test message is analyzed by protocol reverse-engineering, the equipment interaction messages are analyzed and extracted, and the complete content of the message is identified.
2) Perform redundancy elimination on the test message sample. The IP header information of the message is removed and the message is loaded into memory as a byte array. The IP header information mainly records the IP address, MAC address and port number of the message, which are not valid IEC61850 protocol content.
3) Acquire the equipment information and repackage the test message. When the message is processed, the correct bearer-layer header is added automatically according to the bearer-layer information, so that an abnormal attack message, once sent, enters the internal processing of the tested object instead of being discarded by the lower network layers. The logical device name of the tested device is obtained and parsed using the IEC61850 function code. The logical device name is replaced and the parsed message is repackaged with an ASN.1 encoder, so that the sample message adapts itself to the tested device and correct communication can be established with it when the message is played back.
The flow chart of message processing is shown in fig. 5.
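As an added example (not the patent's own code), the following Python performs the re-encoding step of item 3: it decodes a captured BER/ASN.1 PDU, swaps the logical device name, and re-encodes so that every enclosing length field is recomputed, which is what lets a replayed sample adapt to a different device. It assumes the name travels as a BER VisibleString (tag 0x1a) and uses a constructed PDU rather than a real IEC61850 capture.

```python
from typing import List, Tuple

VISIBLE_STRING = 0x1A  # BER universal tag for VisibleString (assumed carrier of the LD name)


def _read_len(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode a BER definite-form length at pos; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4:
        raise ValueError("indefinite or oversized BER length not supported")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def _encode_len(n: int) -> bytes:
    """Encode a BER definite-form length (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_decode(buf: bytes) -> List[tuple]:
    """Parse a run of single-byte-tag BER TLVs into (tag, value) nodes.

    Constructed tags (bit 6 set) recurse, so their value is a child list;
    primitive tags keep their raw bytes.
    """
    nodes, pos = [], 0
    while pos < len(buf):
        tag = buf[pos]
        if tag & 0x1F == 0x1F:
            raise ValueError("multi-byte tags not supported")
        length, pos = _read_len(buf, pos + 1)
        value = buf[pos:pos + length]
        if len(value) != length:
            raise ValueError("truncated TLV")
        pos += length
        nodes.append((tag, ber_decode(value) if tag & 0x20 else value))
    return nodes


def ber_encode(nodes: List[tuple]) -> bytes:
    """Re-serialise the tree; every length field is recomputed from its content."""
    out = bytearray()
    for tag, value in nodes:
        body = ber_encode(value) if isinstance(value, list) else value
        out += bytes([tag]) + _encode_len(len(body)) + body
    return bytes(out)


def replace_strings(nodes: List[tuple], old: bytes, new: bytes) -> List[tuple]:
    """Return a copy of the tree with every VisibleString equal to old replaced by new."""
    result = []
    for tag, value in nodes:
        if isinstance(value, list):
            result.append((tag, replace_strings(value, old, new)))
        elif tag == VISIBLE_STRING and value == old:
            result.append((tag, new))
        else:
            result.append((tag, value))
    return result


def adapt_sample(pdu: bytes, old_ld: str, new_ld: str) -> bytes:
    """Adapt a captured PDU to another device: decode, swap the LD name, re-encode."""
    tree = ber_decode(pdu)
    return ber_encode(replace_strings(tree, old_ld.encode(), new_ld.encode()))


# Constructed sample (not a real capture): SEQUENCE { INTEGER 1,
#   [1] { VisibleString "TEMPLATELD0", VisibleString "LLN0$ST$Beh" } }
SAMPLE_PDU = (b"\x30\x1f" b"\x02\x01\x01"
              b"\xa1\x1a" b"\x1a\x0bTEMPLATELD0" b"\x1a\x0bLLN0$ST$Beh")

if __name__ == "__main__":
    adapted = adapt_sample(SAMPLE_PDU, "TEMPLATELD0", "IED1LD0")
    print(adapted.hex())  # outer and [1] lengths shrink from 0x1f/0x1a to 0x1b/0x16
```

A name longer than 127 bytes forces the long-form length encoding in every enclosing TLV, which is exactly the fix-up a byte-level search-and-replace would get wrong.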
(3) State negotiation module
To maximize the effectiveness of abnormal attack messages, state negotiation must take place before an abnormal message is sent: each abnormal message is delivered to the equipment only when the protocol state machine has reached the most suitable state. The test tool therefore has to implement basic protocol stack functions for each tested protocol, including normal message construction for each protocol and maintenance of the protocol state machine. To support extension to more protocols, the module is implemented in an object-oriented architecture: a base class provides public virtual interface methods, and each protocol-specific derived class obtains support for its protocol by overriding the corresponding interface functions.
After state negotiation is completed, a configuration file in XML format is read. It contains the data used during system execution, such as the time interval between 2 message transmissions and the waiting time used to judge that the equipment is abnormal.
(4) Sample generation module
The core of the fuzz test is to identify the sample data according to the grammar model, construct a parse tree, select untested nodes by traversing the parse tree and mutate them to generate test cases, and send the test cases to the tested equipment. The way abnormal messages are generated determines the quality of the test samples and has an important influence on the detection result.
To find potential equipment security hazards as comprehensively as possible, the mutation is driven by a high-order attribute grammar: sample data are identified according to the grammar model, a parse tree is constructed, and untested nodes are selected for mutation by traversing the tree. The mutation flow, shown in fig. 6, consists of 3 nested loops: the outermost loop traverses the sample messages in the sample set, the middle loop traverses the constructed parse tree depth-first and selects untested nodes for mutation, and the innermost loop traverses the malformed messages generated for the test field, testing each test message one by one.
The abnormal message construction algorithm provided by this technique improves the efficiency of abnormal test case generation by calling the mutators field by field in round-robin fashion, and ensures the coverage of the abnormal test cases by executing the abnormality construction algorithm on the basis of historical information.
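The three nested loops, the depth-first node selection and the history of already-tested fields described above, as an added Python example that is not the patent's code: it binds a small hand-written IEC 60870-5-104 grammar to constructed sample messages, mutates one untested field at a time, and re-derives the APDU length attribute so that only the field under test is malformed. The grammar, the field kinds and the malformed value sets are assumptions made for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Field:
    name: str
    size: int                 # byte width; -1 means "remainder of the message"
    kind: str                 # const | length | u8 | u16 | blob | struct
    children: list = field(default_factory=list)


@dataclass
class Node:
    """Parse-tree node: a grammar field bound to a byte range of one sample."""
    path: str
    kind: str
    offset: int
    size: int
    children: list = field(default_factory=list)


def iec104_grammar() -> Field:
    """Hand-written grammar for an IEC 60870-5-104 APDU (APCI plus ASDU header)."""
    return Field("apdu", 0, "struct", [
        Field("start", 1, "const"),       # always 0x68
        Field("apdu_len", 1, "length"),   # attribute: number of bytes after this octet
        Field("control", 4, "blob"),      # I/S/U-frame control field
        Field("asdu", 0, "struct", [      # absent in U-frames
            Field("type_id", 1, "u8"),
            Field("vsq", 1, "u8"),
            Field("cot", 2, "u16"),
            Field("ca", 2, "u16"),
            Field("ioa", 3, "blob"),
            Field("payload", -1, "blob"),
        ]),
    ])


def parse(grammar: Field, data: bytes, offset: int = 0, prefix: str = "") -> Node:
    """Bind the grammar to sample bytes, stopping when the sample runs out."""
    path = f"{prefix}/{grammar.name}"
    remaining = len(data) - offset
    if grammar.kind != "struct":
        size = remaining if grammar.size < 0 else min(grammar.size, remaining)
        return Node(path, grammar.kind, offset, size)
    node, pos = Node(path, "struct", offset, 0), offset
    for child in grammar.children:
        if pos >= len(data):
            break
        sub = parse(child, data, pos, path)
        node.children.append(sub)
        pos += sub.size
    node.size = pos - offset
    return node


def dfs(node: Node):
    """Depth-first traversal of the parse tree (the middle loop)."""
    yield node
    for child in node.children:
        yield from dfs(child)


def malformed_values(node: Node) -> list:
    """Constructed malformed values per field kind (input of the innermost loop)."""
    if node.kind in ("u8", "const", "length"):
        return [b"\x00", b"\xff"]
    if node.kind == "u16":
        return [b"\x00\x00", b"\xff\xff"]
    if node.kind == "blob":
        return [b"", b"\x00" * node.size, b"\xff" * node.size, b"A" * 64]
    return []


def splice(sample: bytes, node: Node, value: bytes) -> bytes:
    """Replace one field, then re-derive the apdu_len attribute from the new
    content unless apdu_len itself is the field under test."""
    out = sample[:node.offset] + value + sample[node.offset + node.size:]
    if node.path != "/apdu/apdu_len" and len(out) >= 2:
        out = out[:1] + bytes([min(len(out) - 2, 255)]) + out[2:]
    return out


def generate(samples: list, grammar: Field, history: set) -> list:
    """Three nested loops: samples -> untested tree nodes -> malformed values.
    `history` remembers fields already mutated so repeated fields are not retested."""
    cases = []
    for sample in samples:
        tree = parse(grammar, sample)
        for node in dfs(tree):
            if node.kind == "struct" or node.path in history:
                continue
            history.add(node.path)
            for value in malformed_values(node):
                cases.append((node.path, splice(sample, node, value)))
    return cases


# Constructed samples: a STARTDT act U-frame and a C_IC_NA_1 interrogation I-frame.
STARTDT_ACT = bytes.fromhex("680407000000")
INTERROGATION = bytes.fromhex("680e0000000064010600010000000014")

if __name__ == "__main__":
    seen = set()
    first = generate([STARTDT_ACT], iec104_grammar(), seen)
    second = generate([INTERROGATION], iec104_grammar(), seen)
    print(len(first), len(second))  # 8 16: the APCI fields are not retested
```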
(5) Message sending module
The whole message sending flow simulates the normal communication process as faithfully as possible and provides the normal environment the abnormal message test needs, so that the abnormal message can actually detect equipment abnormalities and vulnerabilities. The message playback flow is shown in fig. 7.
1) In the preparation stage, the test message sample file is read, the equipment name in the sample message is replaced, the reconstructed message is parsed, and the abnormal messages generated by fuzz testing are played back while the equipment's ability to process them and whether it keeps working normally are observed.
2) After the equipment becomes abnormal, message sending is suspended until the equipment has recovered.
3) During the test the system records the abnormal phenomenon, the original message and the malformed message in the database, so that the abnormal condition can be replayed, the whole abnormal process analyzed, and intuitive, objective and real data provided for vulnerability repair.
4) Verify the abnormality. A malformed message is obtained from the original message and the malformed message through change and restoration, sent to the equipment, and the equipment's communication state is checked to verify the validity of the message. The purpose of anomaly verification is to eliminate false alarms caused by objective factors such as network interruptions.
In the playback flow, equipment anomaly detection is an important link. According to the characteristics of the power communication protocol, the abnormal communication state of the equipment is detected with a function-call method. The specific principle is as follows:
The bottom layer of the power communication protocol is implemented over TCP, so the state of the TCP connection can be used to judge whether the equipment's communication state is abnormal. Socket communication is divided into blocking and non-blocking sockets. When a blocking-mode socket performs an IO operation and the condition for the operation is not met, the thread blocks in the called function: the program has to wait, and because it is not known when the client request will arrive, it is not known when the function will return. A non-blocking-mode socket returns immediately from any IO operation.
The select model is the most common IO model for sockets. It manages IO with the select function: by calling select, the application can determine whether a socket has data to read or can be written to. With the select model, the application is notified when a socket satisfies the readable or writable condition; on receiving the notification, the application calls the corresponding Windows Socket API to perform the operation. The core of the select model is the select function, which is called to check the current state of each socket; the readability of a socket is judged from the function's return value.
Message sending and anomaly judgement combine sockets with the select model. When a message is sent, the socket is switched to blocking mode, which guarantees that sending has completed when the function returns and keeps the flow correct and complete. When the abnormal state has to be judged, the socket is dynamically switched to non-blocking mode; the timeout return property guarantees that the program returns correctly and continues with subsequent tasks instead of staying unresponsive for a long time because of a network anomaly. To cover the situation where the TCP connection is normal but the communication service in the device no longer responds to any user command, a check of whether the protocol is normal is added. Taking the IEC61850 protocol as an example, IEC61850 function codes are used: once the TCP connection is established, a request for the logical device name is sent to confirm whether the service is normal. A normal service returns the device's logical device name; an abnormal service does not respond to the request. The flow for detecting whether device communication is abnormal is shown in fig. 8:
(6) Report generation module
The test system reads the result information generated by the test from the real-time data storage unit and outputs a test report according to a predefined HTML report template. The report mainly lists the equipment information and the abnormal messages that caused equipment abnormalities, analyzes the equipment's security condition and the specifics of its vulnerabilities, and provides the necessary basis for evaluating equipment security and improving equipment reliability.
The system can generate a report for each test step according to the template and finally combine them into a complete report. It provides a visual interface that generates a vulnerability distribution chart and can display vulnerability count statistics, the distribution of vulnerability field values, the specific message of each vulnerability and the communication messages of each protocol layer, which supports vulnerability reproduction and handling.
(7) Power protocol robustness test software
Based on the technical framework for power grid intelligent terminal protocol vulnerability detection, this embodiment further designs power protocol robustness testing software. The software automates fuzz testing of power protocols, leads similar foreign protocol testing products such as Wurldtech and Codenomicon in depth of protocol testing, test efficiency and unknown vulnerability identification, can be applied to centralized procurement testing of power grid network access equipment, and provides necessary help for evaluating the security of intelligent electronic devices, improving equipment security and building security protection.
The test flow of the power communication protocol robustness test software is shown in fig. 9. After the program is started and the robustness test rules have been set, the test procedure can begin. During the test, the security test is completed through the sequence of test equipment selection, sample message acquisition, message processing and sending, vulnerability recording and test report generation. In addition, the software provides a function for viewing historical test results and can replay vulnerabilities.
(8) IEC104 protocol test results
Fuzz testing of the IEC104 protocol was carried out with the software developed in this embodiment; over the whole test, 76324 test cases were sent in total and 59 types of anomalies appeared.
By locating the exception codes and merging exceptions with the same key code, 4 classes of exceptions were finally obtained. Vulnerability analysis and comparison with a published vulnerability database then verified that 3 of them are published vulnerabilities and 1 is unknown. Two of the known vulnerabilities (BAGTRAQ-8445, BAGTRAQ-8440) are string overflow vulnerabilities caused by mishandling of the server name in messages returned from the client to the server, and the other known vulnerability (BAGTRAQ-8443) is a format string vulnerability triggered when the client processes a server message containing a format string. The unknown vulnerability is a stack overflow in the ACPI message; fig. 10 shows the debug information for this vulnerability.
As can be seen from fig. 10, the SEH chain on the stack is overwritten by the overlong message data, causing an exception in program execution. If the overwriting data were carefully constructed, an attacker could execute arbitrary code with system privileges. The discovery of this vulnerability illustrates the software's ability to test stateful protocols: precisely because the preceding message sequence guides the program into the state in which it executes the search result message, the abnormal search result message sent by the software developed in this embodiment is accepted and executed by the program, causing the exception.
To verify the test efficiency of the software developed in this embodiment, we selected the currently more commonly used protocol fuzzing tools SPIKE and Peach and used them, together with the software developed in this embodiment, to test the same IEC104 sample messages. Fig. 11 shows the number of test cases generated for each type of message.
As can be seen from fig. 11, for each type of message SPIKE and Peach generate comparable numbers of test cases, while the software developed in this embodiment generates fewer; for the server list message and the search result message, the software's test cases are even only half of those of the other two tools. Analysis of the sample structure of both messages shows that many fields are repeated when multiple data items are listed (server information in server list messages, file search information in search result messages), whereas SPIKE and Peach test the fields indiscriminately and therefore generate a large number of redundant test cases. In the same way, the software developed in this embodiment records and compares the fields already tested during testing; the message reject message contains only the three common fields "protocol type", "message length" and "message type", so the number of test cases generated for it is 0. The data show that for complex protocols, avoiding repeated testing of repeated fields greatly reduces the number of redundant test cases.
Table 1 compares SPIKE, Peach and the software developed in this embodiment when all 9 types of IEC104 protocol messages are tested completely, from six aspects: number of test cases, number of valid test cases, test case efficiency, code coverage, test time and number of discovered vulnerabilities.
Table 1 IEC104 protocol test effect comparison
Test tool | Number of test cases | Number of valid test cases | Test case efficiency | Code coverage | Test time (h) | Number of vulnerabilities
SPIKE | 225639 | 38053 | 10.7% | 38% | 58.5 | 2
Peach | 186324 | 91112 | 48.9% | 52% | 43.1 | 4
Software developed in this embodiment | 138017 | 76324 | 55.3% | 65% | 35.3 | 7
As can be seen from the data in Table 1, although SPIKE generates about as many test cases as Peach, its test cases are far less efficient. SPIKE uses a flat block sequence structure whose ability to express the structure and constraint relationships within protocol messages is insufficient, so it generates too many invalid test cases and can only find the 2 overflow vulnerabilities caused by improper handling of the server name. Compared with Peach, the software developed in this embodiment discovers more vulnerabilities and achieves higher code coverage with fewer test cases, which indicates that grammar-driven fuzzing tests more efficiently. In addition, it should be noted that when defining test scripts, SPIKE and Peach need a test script for each type of IEC104 message format, with large redundancy and heavy scripting work, whereas the software developed in this embodiment can describe all message formats by defining a single grammar model, which is simpler.
The embodiments of the present invention have been described in detail above with reference to the accompanying drawings, but the present invention is not limited to the described embodiments. It will be apparent to those skilled in the art that various changes, modifications, substitutions and alterations can be made to these embodiments without departing from the principles and spirit of the invention, and yet fall within the scope of the invention.
The patent is not limited to the best mode, any person can obtain other various types of power grid intelligent terminal protocol vulnerability detection methods based on high-order attribute grammar under the teaching of the patent, and all equivalent changes and modifications made according to the application scope of the invention are covered by the patent.

Claims (9)

1. A power grid intelligent terminal protocol vulnerability detection method based on a high-order attribute grammar, characterized in that a terminal protocol parse tree is designed based on the high-order attribute grammar, and deep mining of protocol vulnerabilities is realized through context-semantic association analysis and node mutation according to the terminal message interaction response.
2. The power grid intelligent terminal protocol vulnerability detection method based on a high-order attribute grammar according to claim 1, characterized by comprising the following steps: fuzz testing is used to discover vulnerabilities in power system communication protocols; through a communication connection with the tested object, fuzz messages containing mutations or errors are sent to the tested object's application, and the tested object's response messages are monitored to find errors; if the equipment shows abnormal conditions including communication interruption, display errors and downtime, its resistance to abnormal messages is poor.
3. The power grid intelligent terminal protocol vulnerability detection method based on a high-order attribute grammar according to claim 1, characterized by comprising the following:
the test model adopted comprises:
1) a bay-level intelligent electronic device under test;
2) a machine that performs daily operation and maintenance on the intelligent electronic device;
3) a traffic acquisition device that captures data messages;
4) a test system that tests the robustness of the equipment's IEC61850 communication module;
5) a station-level switch that interconnects the devices;
the test flow is as follows:
1) the operation and maintenance machine selects a device and performs normal operation and maintenance on it through the IEC61850 protocol, generating IEC61850 data messages;
2) all data messages are forwarded through the switch, and the traffic acquisition machine captures from the switch the data messages exchanged between the operation and maintenance machine and the intelligent electronic device;
3) the captured messages are preprocessed, redundant non-IEC61850 protocol data is removed, test message samples are formed and imported into the robustness test system;
4) the test samples are analyzed, one or more fields of a normal data message are mutated, one tested device is selected, and the mutated abnormal message is sent to it; throughout the test, for each normal message the system generates and sends a number of different abnormal messages to the equipment while recording the sent messages and real-time information on the equipment's state;
5) after the test, the system extracts from the recorded information the abnormal messages sent when the equipment became abnormal, counts the equipment's abnormal time and the number of test messages sent, and generates a test report according to the report template;
6) according to the abnormal messages in the test report, the problem is investigated, whether the equipment is abnormal is confirmed, the rationality of the test result is verified and the test report is refined.
4. The power grid intelligent terminal protocol vulnerability detection method based on a high-order attribute grammar according to claim 1, characterized by comprising the following:
the vulnerability detection system adopted comprises:
1) a test sample processing module, which obtains test sample messages, removes redundant information, analyzes the sample file with protocol reverse-analysis technology, identifies the sample data according to the grammar model and constructs a parse tree;
2) a state negotiation module, which judges the protocol type and prepares for message sending; it reads a configuration file in XML format containing the data used during system execution;
3) a test sample generation module, which generates test sample messages with fuzz testing driven by the high-order attribute grammar, combined with the historical information of abnormal messages;
4) a message sending module, which establishes a TCP connection with the tested equipment, sends abnormal messages to it for fuzz testing, and detects the effect of the fuzz test by judging the equipment's state; if the equipment's communication is interrupted, a protocol vulnerability has been found;
5) a report generation module, which reads the result information generated by the test from the real-time data storage unit and outputs a test report according to a predefined HTML report template, the report mainly listing the equipment information and the abnormal messages that caused equipment abnormalities;
6) a core scheduler, which coordinates the modules, calls the modules' interfaces and shares data among the modules.
5. The power grid intelligent terminal protocol vulnerability detection method based on a high-order attribute grammar according to claim 4, characterized by comprising the following:
the test sample processing module works as follows: first, a machine running a packet capture tool is connected to the tested protocol; interaction messages are generated while the power grid intelligent terminal protocol communicates normally with the equipment; the capture tool captures and stores the packets; finally, the power protocol grammar format is extracted with protocol reverse-engineering;
after the messages are acquired, for IEC61850 messages the logical device name of the tested equipment has to be adapted automatically during the test, and the processing is as follows:
1) the test message is completely parsed: the test message is analyzed by protocol reverse-engineering, the equipment interaction messages are analyzed and extracted, and the complete content of the message is identified;
2) redundancy elimination is performed on the test message sample: the IP header information is removed and the message is loaded into memory as a byte array;
3) the equipment information is acquired and the test message is repackaged: when the message is processed, the correct bearer-layer header is added according to the bearer-layer information, so that an abnormal attack message, once sent, enters the internal processing of the tested object instead of being discarded by the lower network layers; the logical device name of the tested equipment is obtained and parsed using IEC61850 function codes; the logical device name is replaced and the parsed message is repackaged with an ASN.1 encoder, so that the sample message adapts itself to the tested device and correct communication can be established with it when the message is played back.
6. The power grid intelligent terminal protocol vulnerability detection method based on a high-order attribute grammar according to claim 4, characterized by comprising the following:
the state negotiation module performs state negotiation before the abnormal messages are sent, that is, each abnormal message is sent to the equipment only when the protocol state machine has reached the most suitable state; for the different test protocols, the test tool implements the basic protocol stack functions, including normal message construction for each protocol and protocol state machine maintenance; to support extension to more protocols, the module is implemented in an object-oriented architecture in which a base class provides public virtual interface methods and each protocol-specific derived class obtains support for its protocol by overriding the corresponding interface functions;
after the state negotiation is completed, a configuration file in XML format is read, which contains the data used during system execution.
7. The power grid intelligent terminal protocol vulnerability detection method based on a high-order attribute grammar according to claim 4, characterized by comprising the following: the test sample generation module identifies the sample data according to the grammar model, constructs a parse tree, selects untested nodes for mutation by traversing the parse tree to generate test samples, and sends the test samples to the tested equipment for testing; driven by the high-order attribute grammar, the sample data are identified according to the grammar model, the parse tree is constructed, and untested nodes are selected for mutation by traversing the parse tree, the mutation flow being divided into 3 loops: the outermost loop traverses the sample messages in the sample set, the middle loop traverses the constructed parse tree depth-first and selects untested nodes for mutation, and the innermost loop traverses the malformed messages generated for the test field, testing each test message one by one.
8. The power grid intelligent terminal protocol vulnerability detection method based on a high-order attribute grammar according to claim 4, characterized by comprising the following:
the message sending module simulates the normal communication process and provides the normal environment needed for testing the abnormal messages, so that the abnormal messages can detect equipment abnormalities and vulnerabilities; the message playback flow is as follows:
1) in the preparation stage, the test message sample file is read, the equipment name in the sample message is replaced, the reconstructed message is parsed, the abnormal messages generated by fuzz testing are played back, and the equipment's ability to process the abnormal messages and whether it keeps working normally are observed;
2) after the equipment becomes abnormal, message sending is suspended until the equipment has recovered;
3) during the test the system records the abnormal phenomenon, the original message and the malformed message in the database, so that the abnormal condition can be replayed, the whole abnormal process analyzed, and intuitive, objective and real data provided for vulnerability repair;
4) the abnormality is verified: an abnormal message is obtained from the original message and the abnormal message through change and restoration, sent to the equipment, and the equipment's communication state is checked to verify the validity of the abnormal message; the purpose of abnormality verification is to eliminate false alarms;
the abnormal communication state of the equipment is detected with a function-call method; sockets are combined with the select model for message sending and abnormality judgement: when a message is sent, the socket is switched to blocking mode, which guarantees that sending has completed when the function returns and keeps the flow correct and complete; when the abnormal state has to be judged, the socket is dynamically switched to non-blocking mode, so that the timeout return property guarantees that the program returns correctly and continues with subsequent tasks instead of staying unresponsive for a long time because of a network anomaly; to cover the situation where the TCP connection is normal but the communication service in the device no longer responds to any user command, a check of whether the protocol is normal is added.
9. The power grid intelligent terminal protocol vulnerability detection method based on a high-order attribute grammar according to claim 4, characterized by comprising the following: the report generation module reads the result information generated by the test from the real-time data storage unit, outputs a test report according to a predefined HTML report template, lists the equipment information and the abnormal messages that caused equipment abnormalities, analyzes the equipment's security condition and the specifics of its vulnerabilities, and provides the necessary basis for evaluating equipment security and improving equipment reliability; it generates a report for each test step according to the template and finally combines them into a complete report; and it provides a visual interface that generates a vulnerability distribution chart and displays vulnerability count statistics, the distribution of vulnerability field values, the specific message of each vulnerability and the communication messages of each protocol layer.
CN202311272840.9A 2023-09-28 2023-09-28 Power grid intelligent terminal protocol vulnerability detection method based on high-order attribute grammar Pending CN117254964A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311272840.9A CN117254964A (en) 2023-09-28 2023-09-28 Power grid intelligent terminal protocol vulnerability detection method based on high-order attribute grammar

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311272840.9A CN117254964A (en) 2023-09-28 2023-09-28 Power grid intelligent terminal protocol vulnerability detection method based on high-order attribute grammar

Publications (1)

Publication Number Publication Date
CN117254964A true CN117254964A (en) 2023-12-19

Family

ID=89131073

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311272840.9A Pending CN117254964A (en) 2023-09-28 2023-09-28 Power grid intelligent terminal protocol vulnerability detection method based on high-order attribute grammar

Country Status (1)

Country Link
CN (1) CN117254964A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117544960A (en) * 2024-01-09 2024-02-09 中国人民解放军61660部队 Automatic Wi-Fi protocol fuzzy test method based on generation
CN117544960B (en) * 2024-01-09 2024-03-19 中国人民解放军61660部队 Automatic Wi-Fi protocol fuzzy test method based on generation

Similar Documents

Publication Publication Date Title
Tappler et al. Model-based testing IoT communication via active automata learning
CN111092869B (en) Security management and control method for terminal access to office network and authentication server
CN101136790B (en) Cluster managerial automatization test system and method of ethernet switchboard
US20220321440A1 (en) Interface Service Function Monitoring Method and System Based on Data Acquisition
CN110505111A (en) The industry control agreement fuzz testing method reset based on flow
US9639456B2 (en) Network-based testing service and method of testing in a network
CN114050979B (en) Industrial control protocol safety test system and device
CN111901200B (en) Power control protection industrial control protocol security test method and system
US20080168425A1 (en) Software testing techniques for stack-based environments
CN113542299A (en) Industrial internet vulnerability mining method and system based on fuzzy test
CN108092854B (en) Test method and device for train-level Ethernet equipment based on IEC61375 protocol
CN117254964A (en) Power grid intelligent terminal protocol vulnerability detection method based on high-order attribute grammar
CN103138988B (en) Positioning treatment method and positioning treatment device of network faults
CN106452955B (en) A kind of detection method and system of abnormal network connection
CN109104335A (en) A kind of industrial control equipment network attack test method and system
CN113934621A (en) Fuzzy test method, system, electronic device and medium
CN114500345A (en) Fuzzy test and diagnosis system based on custom protocol configuration
CN113965355B (en) Illegal IP (Internet protocol) intra-provincial network plugging method and device based on SOC (system on chip)
CN117081906A (en) Power equipment fault monitoring system, method and storage medium
CN107544830A (en) A kind of method and device of automatic installation database
CN116743447A (en) Electric power Internet of things equipment vulnerability mining method and system based on fuzzy test
CN113722129B (en) Storage reliability test method and related device
CN116708001B (en) Industrial control system private protocol vulnerability detection method and device
Zheng et al. Research and Application of Vulnerability Detection Technology for Power Grid Intelligent Terminal Protocol Based on High Order Attribute Grammar
CN115426301B (en) Device detection method, device, equipment and storage medium based on self-generated message

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination