基于模糊测试的GOOSE协议解析漏洞挖掘方法

现有工控协议模糊测试方法未考虑嵌入式终端系统特点，且对未采用传输控制协议/网际协议（TCP/IP）的工控协议研究较少。基于模糊测试提出一种通用面向对象变电站事件（GOOSE）协议解析漏洞挖掘方法。使用变异方式构造测试用例，给出基于GOOSE报文字段类型、抽象语法标记1（ASN.1）编码方式和比特翻转的3类变异策略；提出基于心跳报文和系统运行信息的终端异常监测方法。设计所提方法的实施系统架构和测试流程，在智能变电站实验室环境中，对某厂家嵌入式终端进行测试，发现2个未公开的GOOSE协议解析漏洞，验证所提方法的有效性，提出防范基于此类漏洞的畸形报文攻击的建议。

A Method for Mining GOOSE Protocol Parsing Vulnerabilities Based on Fuzzing

The existing fuzzing methods for industrial control protocol do not consider the characteristics of the embedded terminal systems, and have few research on the industrial control protocol without TCP/IP. Firstly, a fuzzing-based method for mining generic object-oriented substation event (GOOSE) protocol parsing vulnerabilities is proposed: the mutation mode is used to generate test cases, and three mutation strategies are presented based on GOOSE message field type, abstract syntax notation one (ASN.1) encoding mode and bit reversal; two terminal abnormalities monitoring methods are proposed based on GOOSE heartbeat message and system operation information. Then, the implementation system architecture and test process of the proposed method are designed. Two undisclosed GOOSE protocol parsing vulnerabilities are discovered in testing the embedded terminals of a manufacturer in a smart substation laboratory environment, which verifies the effectiveness of the proposed method. Finally, recommendations for preventing malformed message attacks are put forward based on such vulnerabilities.