Journal of Information Security Research ›› 2022, Vol. 8 ›› Issue (9): 939-.


Automatic Analysis and Reproduction Technology of Remote Code  Execution Vulnerability Based on Grid System


  • Online: 2022-09-02   Published: 2022-09-02

Automatic Analysis and Reproduction Technology of Remote Code Execution Vulnerabilities Based on Power Grid Systems (Chinese title)

伍红文 (Wu Hongwen)^1, 王晓明 (Wang Xiaoming)^2, 周柯 (Zhou Ke)^2, 邹建明 (Zou Jianming)^1, 巫聪云 (Wu Congyun)^3, 温文剑 (Wen Wenjian)^1
  

  1. Wuzhou Power Supply Bureau, Guangxi Power Grid Co., Ltd., Wuzhou, Guangxi 543002
  2. Electric Power Research Institute, Guangxi Power Grid Co., Ltd., Nanning 530023
  3. Power Dispatching and Control Center, Guangxi Power Grid Co., Ltd., Nanning 530023
  • Corresponding author: 伍红文 (Wu Hongwen), senior engineer. Main research interests: power system analysis and operation, power dispatching, and relay protection setting calculation management. wu_hw.wzg@gx.csg.cn
  • Author biographies:
    伍红文 (Wu Hongwen), senior engineer. Main research interests: power system analysis and operation, power dispatching, and relay protection setting calculation management. wu_hw.wzg@gx.csg.cn
    王晓明 (Wang Xiaoming), MSc, senior engineer. Main research interest: power grid information security. wangxiaoming_bzaq@163.com
    周柯 (Zhou Ke), PhD, professor-level senior engineer. Main research interest: power grid information security. kezhou_GPG@163.com
    邹建明 (Zou Jianming), MSc, engineer. Main research interest: power system relay protection operation and management. 5223604@qq.com
    巫聪云 (Wu Congyun), senior engineer. Main research interest: power system dispatching operation management. 252644051@qq.com
    温文剑 (Wen Wenjian), engineer. Main research interest: power grid dispatching automation. wen_wj.wzg@gx.csg.cn

Abstract: Remote code execution (RCE) vulnerabilities are among the most harmful classes of vulnerability in industrial network attack and defense, because they allow direct control of the target power grid system. After an attack, a memory-corruption vulnerability is difficult to analyze, because the attacker may have bypassed address space layout randomization (ASLR) during exploitation. Targeting the ASLR bypass techniques used in binary remote code execution vulnerabilities, this paper designs and implements a traffic-based automatic analysis and exploitation tool that can analyze and reproduce the execution vulnerability. A shadow service technique is proposed that establishes, in a fully controllable environment, a shadow service identical to the target service environment; on this basis, a synchronous processing technique is proposed to process the recorded attack traffic. The results show that defenders can use this tool to quickly investigate remote code execution vulnerabilities targeting native services, thus preventing similar exploits from being used again.
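The shadow-service replay the abstract describes can be illustrated with a small harness. The following Python is an added example written for this page, not code from the paper or its authors. It assumes the recorded attack session is available as ordered (client message, server response) pairs over a constructed line-oriented protocol (the commands, replies and the `addr=` value are all hypothetical), starts a stand-in shadow service on localhost, replays each recorded message one step at a time, and reports the first step at which the shadow service's reply diverges from the recorded one. A divergence that carries a pointer-sized hexadecimal value marks the point where the recorded session depended on the production process's memory layout, which is the step a synchronous replay has to resynchronize before the rest of the traffic can be reproduced.

```python
"""Replay a recorded session against a shadow service and locate divergences.

Added example for this page; the protocol, commands and values are constructed.
"""
import re
import socket
import socketserver
import threading

# Constructed recorded session: (client message, server response) pairs as the
# defender captured them from the production service. The INFO reply is a
# hypothetical value that depends on the production process's memory layout.
RECORDED_SESSION = [
    (b"HELLO\n", b"OK\n"),
    (b"VERSION\n", b"1.0\n"),
    (b"INFO\n", b"addr=0x7f3a1c00\n"),
    (b"QUIT\n", b"BYE\n"),
]

# Pointer-sized hexadecimal tokens (6 to 16 hex digits) are the usual shape of
# a leaked address in a reply.
_ADDR_RE = re.compile(rb"0x[0-9a-fA-F]{6,16}")


class ShadowHandler(socketserver.StreamRequestHandler):
    """Stand-in for the shadow service: same protocol, its own memory layout."""

    REPLIES = {b"HELLO": b"OK", b"VERSION": b"1.0", b"QUIT": b"BYE"}

    def handle(self):
        while True:
            line = self.rfile.readline()
            if not line:
                return
            cmd = line.strip()
            if cmd == b"INFO":
                # The shadow process has a different layout, so the value
                # differs from the one recorded in production (constructed).
                reply = b"addr=0x7f9b2e00"
            else:
                reply = self.REPLIES.get(cmd, b"ERR")
            self.wfile.write(reply + b"\n")
            if cmd == b"QUIT":
                return


def start_shadow_service():
    """Start the shadow service on an ephemeral localhost port; caller shuts it down."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), ShadowHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def looks_like_address(data):
    """True if the reply contains a pointer-sized hexadecimal token."""
    return _ADDR_RE.search(data) is not None


def replay_session(recorded, host, port):
    """Send each recorded client message in order and compare the live reply.

    Returns a dict with the number of matching steps, the index of the first
    divergence (None if all matched) and a list of (index, expected, actual,
    address_like) tuples describing every divergence.
    """
    result = {"matched": 0, "first_divergence": None, "divergences": []}
    with socket.create_connection((host, port)) as sock:
        reader = sock.makefile("rb")
        for i, (msg, expected) in enumerate(recorded):
            sock.sendall(msg)
            actual = reader.readline()
            if actual == expected:
                result["matched"] += 1
                continue
            if result["first_divergence"] is None:
                result["first_divergence"] = i
            address_like = looks_like_address(expected) or looks_like_address(actual)
            result["divergences"].append((i, expected, actual, address_like))
    return result


if __name__ == "__main__":
    srv = start_shadow_service()
    try:
        report = replay_session(RECORDED_SESSION, *srv.server_address)
    finally:
        srv.shutdown()
        srv.server_close()
    print("matched steps:", report["matched"])
    for idx, exp, act, addr in report["divergences"]:
        kind = "layout-dependent (address-like)" if addr else "other"
        print(f"step {idx}: expected {exp!r}, got {act!r} [{kind}]")
```

The first address-like divergence is where a synchronous replayer would stop treating the recorded bytes as ground truth and instead carry the shadow service's own value forward into the remaining client messages; everything before it can be replayed verbatim.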

Key words: memory corruption, remote code execution, network traffic analysis, automated vulnerability re-exploitation, ASLR bypass

Abstract (Chinese version): Remote code execution vulnerabilities are among the most harmful classes of vulnerability in industrial cybersecurity attack and defense, as they can directly control the target power grid system. After an attack, analyzing memory-corruption vulnerabilities is very difficult, because during exploitation of such vulnerabilities the attacker may have bypassed address space randomization. Targeting the address space randomization bypass techniques used in binary remote code execution vulnerabilities, a traffic-based automatic analysis and exploitation tool is designed and implemented that can analyze and reproduce the execution vulnerability. A shadow service technique is proposed that establishes, in a fully controllable environment, a shadow service identical to the target service environment; on this basis, a synchronous processing technique is proposed to process the recorded attack traffic. Experimental results show that defenders can use this tool to quickly investigate remote code execution vulnerabilities in native services, thus preventing attacks that exploit the same class of vulnerability from recurring.

Key words (Chinese version): memory corruption, remote code execution, network traffic analysis, automated vulnerability exploitation reproduction, address space randomization bypass