基于模糊测试的GOOSE协议解析漏洞挖掘方法  被引量：6

作　　者：刘林彬 苗泉强 李俊娥[1] LIU Linbin;MIAO Quanqiang;LI June(Key Laboratory of Aerospace Information Security and Trusted Computing,Ministry of Education(School of Cyber Science and Engineering,Wuhan University),Wuhan 430072,China;Key Laboratory of Electro-optical Countermeasures Test&Evaluation Technology,Luoyang 471000,China)

机构地区：[1]空天信息安全与可信计算教育部重点实验室(武汉大学国家网络安全学院),湖北武汉430072 [2]光电对抗测试评估技术重点实验室,河南洛阳471000

出　　处：《中国电力》2022年第4期33-43,共11页Electric Power

基　　金：国家自然科学基金资助项目(协同网络攻击下电网CPS跨空间级联故障演化机理及早期防御研究,51977155)。

摘　　要：现有工控协议模糊测试方法未考虑嵌入式终端系统特点,且对未采用传输控制协议/网际协议(TCP/IP)的工控协议研究较少。基于模糊测试提出一种通用面向对象变电站事件(GOOSE)协议解析漏洞挖掘方法。使用变异方式构造测试用例,给出基于GOOSE报文字段类型、抽象语法标记1(ASN.1)编码方式和比特翻转的3类变异策略;提出基于心跳报文和系统运行信息的终端异常监测方法。设计所提方法的实施系统架构和测试流程,在智能变电站实验室环境中,对某厂家嵌入式终端进行测试,发现2个未公开的GOOSE协议解析漏洞,验证所提方法的有效性,提出防范基于此类漏洞的畸形报文攻击的建议。The existing fuzzing methods for industrial control protocol do not consider the characteristics of the embedded terminal systems,and have few research on the industrial control protocol without TCP/IP.Firstly,a fuzzing-based method for mining generic object-oriented substation event(GOOSE)protocol parsing vulnerabilities is proposed:the mutation mode is used to generate test cases,and three mutation strategies are presented based on GOOSE message field type,abstract syntax notation one(ASN.1)encoding mode and bit reversal;two terminal abnormalities monitoring methods are proposed based on GOOSE heartbeat message and system operation information.Then,the implementation system architecture and test process of the proposed method are designed.Two undisclosed GOOSE protocol parsing vulnerabilities are discovered in testing the embedded terminals of a manufacturer in a smart substation laboratory environment,which verifies the effectiveness of the proposed method.Finally,recommendations for preventing malformed message attacks are put forward based on such vulnerabilities.

关 键 词：模糊测试 GOOSE协议 电网嵌入式终端 漏洞挖掘 畸形报文攻击 

分 类 号：TM73[电气工程—电力系统及自动化] TP393.08[自动化与计算机技术—计算机应用技术]