

1. State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou 450001, China
2. Zhejiang University NGICS Platform, Hangzhou 310000, China
E-mail: rongkuan233@gmail.com;
E-mail: zjuzhenghao@gmail.com;
E-mail: wangjyee@gmail.com;
E-mail: csewmf@zju.edu.cn;
‡Corresponding author
E-mail: wangqingxian2015@163.com
Received: 19 December 2020
Accepted: 15 April 2021
Published: 0 March 2022
Rongkuan MA, Hao ZHENG, Jingyi WANG, et al. Automatic protocol reverse engineering for industrial control systems with dynamic taint analysis[J]. Frontiers of Information Technology & Electronic Engineering, 2022, 23(3): 351-360. DOI: 10.1631/FITEE.2000709.
Abstract (translated from the Chinese): Proprietary (or semi-proprietary) protocols are widely used in industrial control systems (ICSs). Inferring protocol formats through reverse engineering is important for many network security applications (e.g., program testing and intrusion detection). Conventional protocol reverse engineering methods are time-consuming, tedious and error-prone. Recently proposed automatic protocol reverse engineering methods can neither effectively handle binary ICS protocols based on network traffic analysis nor accurately extract protocol fields from protocol implementations. This paper proposes an industrial control system protocol reverse engineering framework (ICSPRF) that aims to extract ICS protocol fields with higher accuracy. ICSPRF is built on the following key insight: an individual field in a message is usually handled in the same execution context, e.g., a basic block (BBL) group. By monitoring program execution, ICSPRF collects the tainted data information processed in each BBL group of the execution trace and clusters it to derive the protocol format. The proposed method is evaluated with six open-source ICS protocol implementations. The results show that ICSPRF identifies individual protocol fields with high accuracy (an average match ratio of 94.3%). ICSPRF also has low coarse-grained and overly fine-grained match ratios. On the same metric, ICSPRF is more accurate than AutoFormat (whose match ratio is 88.5% for all evaluated protocols and 80.0% for binary protocols).
Proprietary (or semi-proprietary) protocols are widely adopted in industrial control systems (ICSs). Inferring protocol format by reverse engineering is important for many network security applications, e.g., program testing and intrusion detection. Conventional protocol reverse engineering methods are time-consuming, tedious, and error-prone. Recently proposed automatic protocol reverse engineering methods are, however, neither effective in handling binary-based ICS protocols based on network traffic analysis nor accurate in extracting protocol fields from protocol implementations. In this paper, we present a framework called the industrial control system protocol reverse engineering framework (ICSPRF) that aims to extract ICS protocol fields with high accuracy. ICSPRF is based on the key insight that an individual field in a message is typically handled in the same execution context, e.g., a basic block (BBL) group. As a result, by monitoring program execution, we can collect the tainted data information processed in every BBL group in the execution trace and cluster it to derive the protocol format. We evaluate our approach with six open-source ICS protocol implementations. The results show that ICSPRF can identify individual protocol fields with high accuracy (on average a 94.3% match ratio). ICSPRF also has low coarse-grained and overly fine-grained match ratios. For the same metric, ICSPRF is more accurate than AutoFormat (88.5% for all evaluated protocols and 80.0% for binary-based protocols).
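The following toy model is an added illustration of the BBL-group insight described in the abstract; it is not the paper's code, not ICSPRF, and not taken from any of the evaluated implementations. It assumes a constructed Modbus/TCP "Read Holding Registers" request as input, uses Python context managers as a stand-in for execution contexts (the role BBL groups play in a real trace), and defines "exact", "coarse-grained" and "overly fine-grained" counts in the spirit of the abstract's metrics (my definitions, not necessarily the paper's). The two parser variants show how an implementation that copies a whole header in one block produces a coarse-grained field, and one that checks the two bytes of a field in separate blocks produces overly fine-grained fields.

```python
"""Added toy model of the ICSPRF idea (not the paper's code): run a protocol
parser under a taint tracer that records which input byte offsets each
execution context (stand-in for a BBL group) reads, then cluster the offsets
per context into contiguous runs to infer field boundaries."""
import struct
from contextlib import contextmanager

# Constructed sample: a Modbus/TCP "Read Holding Registers" request.
# MBAP: tid=1, pid=0, len=6, unit=1 | PDU: fc=3, addr=0, qty=10
SAMPLE = bytes.fromhex("0001 0000 0006 01 03 0000 000a")
# Ground-truth field layout as half-open (start, end) offset ranges.
TRUTH = [(0, 2), (2, 4), (4, 6), (6, 7), (7, 8), (8, 10), (10, 12)]


class TaintTracer:
    """Records, per execution context, the tainted input offsets it reads."""

    def __init__(self, data):
        self.data = data
        self._stack = []
        self.reads = []          # list of (context_name, set_of_offsets)

    @contextmanager
    def context(self, name):
        # Each entry is a fresh context, like a new BBL-group instance in a trace.
        entry = (name, set())
        self.reads.append(entry)
        self._stack.append(entry)
        try:
            yield
        finally:
            self._stack.pop()

    def read(self, off, n):
        """Read n bytes at off and attribute the access to the innermost context."""
        self._stack[-1][1].update(range(off, off + n))
        return self.data[off:off + n]


def parse_modbus_tcp(tr, bulk_header=False, split_qty=False):
    """Hypothetical protocol implementation under tracing. bulk_header mimics
    code that copies the whole MBAP header in one block; split_qty mimics code
    that inspects the two bytes of the quantity in separate blocks."""
    with tr.context("mbap"):
        if bulk_header:
            tid, pid, length, unit = struct.unpack(">HHHB", tr.read(0, 7))
        else:
            with tr.context("tid"):
                tid = struct.unpack(">H", tr.read(0, 2))[0]
            with tr.context("pid"):
                pid = struct.unpack(">H", tr.read(2, 2))[0]
            with tr.context("len"):
                length = struct.unpack(">H", tr.read(4, 2))[0]
            with tr.context("unit"):
                unit = tr.read(6, 1)[0]
    with tr.context("fc"):
        fc = tr.read(7, 1)[0]
    with tr.context("addr"):
        addr = struct.unpack(">H", tr.read(8, 2))[0]
    if split_qty:
        with tr.context("qty_hi"):
            hi = tr.read(10, 1)[0]
        with tr.context("qty_lo"):
            qty = (hi << 8) | tr.read(11, 1)[0]
    else:
        with tr.context("qty"):
            qty = struct.unpack(">H", tr.read(10, 2))[0]
    return {"tid": tid, "pid": pid, "len": length, "unit": unit,
            "fc": fc, "addr": addr, "qty": qty}


def infer_fields(tr):
    """Cluster each context's offsets into contiguous runs; each run is a field."""
    fields = []
    for _name, offs in tr.reads:
        run = []
        for o in sorted(offs):
            if run and o != run[-1] + 1:
                fields.append((run[0], run[-1] + 1))
                run = []
            run.append(o)
        if run:
            fields.append((run[0], run[-1] + 1))
    return sorted(set(fields))


def score(inferred, truth):
    """Count inferred fields that match a true field exactly, that merge
    several true fields (coarse-grained), or that split one (overly fine)."""
    exact = coarse = fine = 0
    for s, e in inferred:
        if (s, e) in truth:
            exact += 1
        elif sum(1 for ts, te in truth if s <= ts and te <= e) >= 2:
            coarse += 1
        elif any(ts <= s and e <= te for ts, te in truth):
            fine += 1
    return {"exact": exact, "coarse": coarse, "fine": fine, "n_true": len(truth)}


def run(**variant):
    """Trace one parser variant over SAMPLE and score the inferred layout."""
    tr = TaintTracer(SAMPLE)
    parse_modbus_tcp(tr, **variant)
    inferred = infer_fields(tr)
    return inferred, score(inferred, TRUTH)


if __name__ == "__main__":
    for v in ({}, {"bulk_header": True}, {"split_qty": True}):
        print(v, *run(**v))
```

With per-field handlers the inferred layout equals the ground truth; with `bulk_header=True` the seven-byte header collapses into one coarse-grained field, and with `split_qty=True` the quantity field is reported as two overly fine-grained fields. The same effects are what a real trace-based analysis has to contend with when an implementation copies or validates data in blocks that do not line up with the protocol's field boundaries.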
Airpig2011, 2020. IEC104. https://github.com/airpig2011/IEC104 [Accessed on Nov. 20, 2020].
Beddoe MA, 2012. Network Protocol Analysis Using Bioinformatics Algorithms. https://raw.githubusercontent.com/wiki/unmarshal/protocol-informatics/pi.pdf
Bossert G, Guihéry F, Hiet G, 2014. Towards automated protocol reverse engineering using semantic information. 9th ACM Symp on Information, Computer and Communications Security, p.51-62. doi: 10.1145/2590296.2590346
Caballero J, Yin H, Liang ZK, et al., 2007. Polyglot: automatic extraction of protocol message format using dynamic binary analysis. Proc 14th ACM Conf on Computer and Communications Security, p.317-329. doi: 10.1145/1315245.1315286
Chang Y, Choi S, Yun JH, et al., 2017. One step more: automatic ICS protocol field analysis. Int Conf on Critical Information Infrastructures Security, p.241-252. doi: 10.1007/978-3-319-99843-5_22
Choi K, Son Y, Noh J, et al., 2016. Dissecting customized protocols: automatic analysis for customized protocols based on IEEE 802.15.4. Proc 9th ACM Conf on Security & Privacy in Wireless and Mobile Networks, p.183-193. doi: 10.1145/2939918.2939921
Cui WD, Kannan J, Wang HJ, 2007. Discoverer: automatic protocol reverse engineering from network traces. Proc 16th USENIX Security Symp, p.199-212.
Cwalter-at, 2020. Freemodbus. https://github.com/cwalter-at/freemodbus [Accessed on Nov. 20, 2020].
Denton G, Karpisek F, Breitinger F, et al., 2017. Leveraging the SRTP protocol for over-the-network memory acquisition of a GE Fanuc Series 90-30. Dig Invest, 22:S26-S38. doi: 10.1016/j.diin.2017.06.005
Fang CR, Qi YF, Cheng P, et al., 2020. Optimal periodic watermarking schedule for replay attack detection in cyber-physical systems. Automatica, 112:108698. doi: 10.1016/j.automatica.2019.108698
Fioraldi A, D'Elia DC, Coppa E, 2020. WEIZZ: automatic grey-box fuzzing for structured binary formats. Proc 29th ACM SIGSOFT Int Symp on Software Testing and Analysis, p.1-13. doi: 10.1145/3395363.3397372
Green Energy Corporation, 2020. gec-dnp3. https://github.com/gec/dnp3 [Accessed on Nov. 20, 2020].
Ji R, Wang J, Tang CJ, et al., 2017. Automatic reverse engineering of private flight control protocols of UAVs. Secur Commun Netw, 2017:1308045. doi: 10.1155/2017/1308045
Lin ZQ, Jiang XX, Xu DY, et al., 2008. Automatic protocol format reverse engineering through context-aware monitored execution. Proc 15th Symp on Network and Distributed System Security, p.29-43.
Luo ZX, Zuo FL, Shen YH, et al., 2020. ICS protocol fuzzing: coverage guided packet crack and generation. 57th ACM/IEEE Design Automation Conf, p.1-6. doi: 10.1109/DAC18072.2020.9218603
MZ Automation GmbH, 2020. lib60870. https://github.com/mz-automation/lib60870 [Accessed on Nov. 20, 2020].
Nardella D, 2020. Snap7. https://sourceforge.net/projects/snap7/files/1.2.1/ [Accessed on Nov. 20, 2020].
Senthivel S, Ahmed I, Roussev V, 2017. SCADA network forensics of the PCCC protocol. Dig Invest, 22:S57-S65. doi: 10.1016/j.diin.2017.06.012
SharkFest, 2020. Wireshark. https://www.wireshark.org/ [Accessed on Nov. 20, 2020].
Stephane, 2020. libmodbus. https://github.com/stephane/libmodbus [Accessed on Nov. 20, 2020].
Yang ZY, He L, Cheng P, et al., 2020. PLC-sleuth: detecting and localizing PLC intrusions using control invariants. 23rd Int Symp on Research in Attacks, Intrusions and Defenses, p.333-348.