Biblio

Aiming at the specificity and complexity of the power IoT terminal, a method of power IoT terminal firmware vulnerability detection based on memory fuzzing is proposed. Use the method of bypassing the execution to simulate and run the firmware program, dynamically monitor and control the execution of the firmware program, realize the memory fuzzing test of the firmware program, design an automatic vulnerability exploitability judgment plug-in for rules and procedures, and provide power on this basis The method and specific process of the firmware vulnerability detection of the IoT terminal. The effectiveness of the method is verified by an example.

This thesis focuses on the detection of malware in industrial Internet. The basic flow of the detection of malware contains feature extraction and sample identification. API graph can effectively represent the behavior information of malware. However, due to the high algorithm complexity of solving the problem of subgraph isomorphism, the efficiency of analysis based on graph structure feature is low. Due to the different scales of API graph of different malicious codes, the API graph needs to be normalized. Considering the difficulties of sample collection and manual marking, it is necessary to expand the number of malware samples in industrial Internet. This paper proposes a method that combines PageRank with TF-IDF to process the API graph. Besides, this paper proposes a method to construct the adversarial samples of malwares based on GAN.

Unlike traditional processors, Internet of Things (IoT) devices are short of resources to incorporate mature protections (e.g. MMU, TrustZone) against modern control-flow attacks. Remote (control-flow) attestation is fast becoming a key instrument in securing such devices as it has proven the effectiveness on not only detecting runtime malware infestation of a remote device, but also saving the computing resources by moving the costly verification process away. However, few control-flow attestation schemes have been able to draw on any systematic research into the software specificity of bare-metal systems, which are widely deployed on resource-constrained IoT devices. To our knowledge, the unique design patterns of the system limit implementations of such expositions. In this paper, we present the design and proof-of-concept implementation of LAPE, a lightweight attestation of program execution scheme that enables detecting control-flow attacks for bare-metal systems without requiring hardware modification. With rudimentary memory protection support found in modern IoT-class microcontrollers, LAPE leverages software instrumentation to compartmentalize the firmware functions into several ”attestation compartments”. It then continuously tracks the control-flow events of each compartment and periodically reports them to the verifier. The PoC of the scheme is incorporated into an LLVM-based compiler to generate the LAPE-enabled firmware. By taking experiments with several real-world IoT firmware, the results show both the efficiency and practicality of LAPE.

This paper combines the common ideas and methods in offensive and defensive confrontation in recent years, and uses artificial intelligence technology-based network asset automatic mining technology and artificial intelligence technology-based vulnerability automatic exploitation technology, carries out research and specific practices in discovering and using system vulnerability based on artificial intelligence technology, designs and implemented automatic binary vulnerability discovering and exploitation system, which improves improves the efficiency and success rate of vulnerability discovering and exploitation.

In order to improve the information security level of intelligent substation, this paper proposes an intelligent substation information security assessment tool through the research and analysis of intelligent substation information security risk and information security assessment method, and proves that the tool can effectively detect it. It is of great significance to carry out research on industrial control systems, especially intelligent substation information security.

Aiming at the operation characteristics of power industry control system, this paper deeply analyses the attack mechanism and characteristics of power industry control system intrusion. On the basis of classifying and sorting out the attack characteristics of power industrial control system, this paper also attaches importance to break the basic theory and consequential technologies of industrial control network space security, and constructs the network intrusion as well as attack model of power industrial control system to realize the precise characterization of attackers' attack behavior, which provides a theoretical model for the analysis and early warning of attack behavior analysis of power industrial control systems.

Compiler optimization level recognition can be applied to vulnerability discovery and binary analysis. Due to the exists of many different compilation optimization options, the difference in the contents of the binary file is very complicated. There are thousands of compiler optimization algorithms and multiple different processor architectures, so it is very difficult to manually analyze binary files and recognize its compiler optimization level with rules. This paper first proposes a CNN-based compiler optimization level recognition model: BinEye. The system extracts semantic and structural differences and automatically recognize the compiler optimization levels. The model is designed to be very suitable for binary file processing and is easy to understand. We built a dataset containing 80028 binary files for the model training and testing. Our proposed model achieves an accuracy of over 97%. At the same time, BinEye is a fully CNN-based system and it has a faster forward calculation speed, at least 8 times faster than the normal RNN-based model. Through our analysis of the model output, we successfully found the difference in assembly codes caused by the different compiler optimization level. This means that the model we proposed is interpretable. Based on our model, we propose a method to analyze the code differences caused by different compiler optimization levels, which has great guiding significance for analyzing closed source compilers and binary security analysis.