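Authors: LIU Houzhi; MA Rongkuan; WEI Qiang [1] (Information Engineering University, Zhengzhou 450001, China)
Affiliation: [1] Information Engineering University, Zhengzhou 450001, Henan, China
Source: Journal of Information Engineering University (《信息工程大学学报》), 2024, No. 1, pp. 110-119, 10 pages in total
Funding: National Key Research and Development Program of China (2020YFB2010900); Zhongyuan Science and Technology Innovation Leading Talent Project (224200510002).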
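Abstract: Because of weak security measures and their significant military and economic value, modern industrial control devices have rapidly become an important target of network attacks. Given the role industrial control devices play in production and daily life and their currently severe state of insecurity, they have drawn close attention from researchers. Firmware is the core component of an industrial control device, so the importance of its security is self-evident. However, because flashing methods and the standards, levels and measures of firmware security protection all differ when firmware is flashed, firmware extraction relies on expert experience. In addition, most industrial control devices use customized proprietary chips in order to cope with extreme environments and are rarely equipped with execution tracing components such as the Embedded Trace Macrocell (ETM), so it is difficult to collect information while the device executes. This paper proposes RT-Trace, an execution flow collection technique for industrial control devices based on instruction step recognition, which analyzes and organizes the overall security situation of industrial control device firmware through hardware analysis, firmware extraction, and monitoring and collection. Experimental results show that the method can extract the firmware of most industrial control devices and can collect fairly comprehensive data on function call counts, service startup status and memory pollution degree during device execution.

English abstract: Due to weak security measures and important military and economic values, modern industrial control equipment has rapidly become an important target of network attacks. Due to the role of industrial control equipment in people’s production and life, as well as the current severe unsafe situation, it has attracted significant attention in the research field. As the core part of industrial control equipment, the importance of firmware security is self-evident. However, due to different manufacturers’ standards, levels, and measures for firmware burning methods and security protection during the firmware burning process, expert experience matters in the firmware extraction process. Meanwhile, due to the fact that most industrial control devices are rarely equipped with chip models and execution tracking components such as ETM in order to cope with extreme environments, it is difficult to collect information during device execution. This article proposes RT-Trace, an execution flow collection technology for industrial control equipment based on instruction step recognition. Through hardware disassembly, firmware extraction, and monitoring collection, the overall security situation of the firmware of industrial control equipment is analyzed and sorted out. Experimental results show that this method can extract most of the firmware of industrial control devices and collect comprehensive data on the number of function calls, execution flow charts, service startup, and memory pollution during device execution.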
Classification number: TP393.1 [Automation and Computer Technology: Computer Application Technology]