Research on the Application of Security Testing for Intelligent Terminals of Electric Power Internet of Things
SUN Changhua, LI Jing, DAI Hua, TANG Xiaodong, CUI Yin
Abstract:
As IoT technology becomes ever more tightly integrated with power industry production, a growing number of power IoT intelligent terminals play an important role in power production. However, because IoT security is a specialized field, company users cannot fully understand the security risks and vulnerabilities of these terminals, and the large demand for security assessments cannot be met. Based on the main security risks of power IoT intelligent terminals, their firmware is security-tested and analyzed, achieving detection of common vulnerabilities, hardcoded passwords and potential security risks; strategies such as fuzz testing and remote scanning are used to carry out vulnerability mining tests on online power IoT intelligent terminal devices. The experimental results show that the research can effectively assess the firmware security of power IoT intelligent terminal devices and conduct vulnerability mining tests on online devices, meeting the company's security requirements for power IoT intelligent terminals.
Keywords:
IoT intelligent terminal; firmware security; security testing; fuzz testing; vulnerability mining
DOI: 10.19585/j.zjdl.202101004