Reverse analysis and fuzzy testing of a communication protocol for new power system terminals
韩嘉佳,孙歆,吕磅,孙昌华,钱锦
HAN Jiajia,SUN Xin,LYU Bang,SUN Changhua,QIAN Jing
Abstract:
Most existing new power system terminals use proprietary protocols of third-party vendors, which makes them difficult to parse and analyze. This paper carries out a reverse analysis of the Modbus protocol commonly used by such terminals. Exploiting the layered structure of the protocol, the valid fields of the unknown protocol are extracted from the header fields of network messages, the protocol fields are segmented with a statistical N-gram algorithm, and a Modbus protocol state machine is constructed from the protocol keywords. The protocol source code is then compiled with instrumentation, the Modbus server-side program is fuzz tested with randomly generated test cases, and the resulting crashes are analyzed. Experimental results show that the method can rapidly reverse-identify and fuzz test the proprietary protocols of new power system terminals and has high practical value.
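As an added illustration of the pipeline sketched in the abstract (example code written for this page, not code from the paper), the following Python strips the known MBAP header from constructed Modbus/TCP frames, uses positional byte N-gram statistics to separate the stable keyword field (the function code) from variable address and data fields, derives a transition table over the keyword values as a minimal state machine, and builds a fuzz case that keeps the keyword intact. The frames, the distinct-value threshold and all function names are constructed for the example.

```python
import random
import struct
from collections import Counter

# Constructed Modbus/TCP request frames (sample data, not captured from any real terminal).
# MBAP header = transaction id (2) | protocol id (2) | length (2) | unit id (1), then the PDU.
FRAMES = [bytes.fromhex(h) for h in (
    "000100000006" "01" "030100000A",   # fc 0x03 Read Holding Registers, addr 0x0100, qty 10
    "000200000006" "01" "0310100102",   # fc 0x03, addr 0x1010, qty 258
    "000300000006" "01" "06020500FF",   # fc 0x06 Write Single Register, addr 0x0205, value 255
    "000400000006" "01" "0300200201",   # fc 0x03, addr 0x0020, qty 513
    "000500000006" "01" "0620060101",   # fc 0x06, addr 0x2006, value 257
)]

def strip_mbap(frame):
    """Peel the known MBAP header off and return (unit id, PDU); length counts unit id + PDU."""
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != 0 or length != len(frame) - 6:
        raise ValueError("malformed MBAP header")
    return uid, frame[7:]

def field_stability(pdus, n=1):
    """Per offset: number of distinct byte n-grams seen there and the share of the top one."""
    width = min(len(p) for p in pdus)
    stats = []
    for off in range(width - n + 1):
        grams = Counter(p[off:off + n] for p in pdus)
        stats.append((off, len(grams), grams.most_common(1)[0][1] / len(pdus)))
    return stats

def keyword_offsets(pdus, n=1, max_distinct=2):
    """Offsets whose n-gram vocabulary is small act like keyword/type fields (the function code)."""
    return [off for off, distinct, _ in field_stability(pdus, n) if distinct <= max_distinct]

def build_state_machine(pdus, kw_off):
    """Observed (previous keyword, next keyword) transition counts: the inferred state machine."""
    keys = [p[kw_off] for p in pdus]
    return dict(Counter(zip(["START"] + keys[:-1], keys)))

def mutate_pdu(pdu, kw_offs, rng):
    """Fuzz case: keep keyword bytes (so it reaches the same handler), randomise one other byte."""
    out = bytearray(pdu)
    i = rng.choice([k for k in range(len(pdu)) if k not in kw_offs])
    out[i] = rng.randrange(256)
    return bytes(out)

if __name__ == "__main__":
    pdus = [strip_mbap(f)[1] for f in FRAMES]
    kw = keyword_offsets(pdus)
    print(kw, build_state_machine(pdus, kw[0]), mutate_pdu(pdus[0], kw, random.Random(1)).hex())
```

On this sample only offset 0 (the function code) has a small vocabulary, so it is the keyword field; the address and quantity bytes vary per message and are left to the fuzzer to mutate.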
Keywords: new power system terminals; protocol reverse analysis; dynamic binary instrumentation; state machine comparison; fuzz testing
Foundation: Science and Technology Project of State Grid Zhejiang Electric Power Co., Ltd. (B311DS21000F)
DOI: 10.19585/j.zjdl.202311007