Computer Integrated Manufacturing System ›› 2025, Vol. 31 ›› Issue (11): 4156-4165. DOI: 10.13196/j.cims.2023.0428


Code vulnerability detection of programmable logic controller based on control flow slicing

LIAO Xuechao 1,2,+, MENG Hangyu 1,2

  1. College of Computer Science and Technology, Wuhan University of Science and Technology
  2. Key Laboratory of Intelligent Information Processing and Real-time Industrial Systems
  • Online: 2025-11-30  Published: 2025-12-05
  • Supported by:
    Project supported by the National Natural Science Foundation of China (No. 62273264).

Original title (Chinese): 基于控制流切片的可编程逻辑控制器代码漏洞检测方法

  • About the authors:
    + LIAO Xuechao (born 1979), male, from Wuhan, Hubei; associate professor; research interests: industrial big data and process control systems; corresponding author, E-mail: liaoxuechao@wust.edu.cn.

    MENG Hangyu (born 1999), male, from Zhoukou, Henan; master's student; research interests: vulnerability detection and computer applications; E-mail: a1324537171@gmail.com.

Abstract: Programmable Logic Controller (PLC) code vulnerability detection plays an important role in maintaining PLC control systems, troubleshooting control-flow errors and keeping a system running stably and efficiently. To address the loss of detection precision caused by the unclear semantics of PLC code, the PLC code is first lexed into a stream of lexical units, and an abstract syntax tree is then built from semantic segmentation rules that use the instruction operator as the reference point. To handle cross-domain vulnerabilities inside a PLC system, which leave the control flow unclear, the control-flow-related code is sliced with respect to the specific vulnerability to produce a sliced control flow graph, which enables vulnerability detection across multi-layer PLC code calls. Experiments show that the integrated model can quickly check complex field-level projects: compared with direct syntax analysis, the "lexical + syntax" analysis method raises recall markedly and reduces time cost, and slicing the overall control flow further improves detection efficiency. The proposed method shows a degree of generality.
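The abstract names four stages (lexical units, an operator-keyed parse, an interprocedural control flow graph, and a vulnerability-specific slice of it) but does not show them. The Python below is an added example for this page, not the authors' implementation: it runs those stages over a constructed program in a simplified IEC 61131-3 IL-like syntax and computes a backward slice for an output coil across a CALL into a second block. The `ORG` block keyword, the sample program, the accumulator model of IL data flow and the over-approximate control-dependence rule are all assumptions made for the example; the paper's actual segmentation rules and slicing criteria are not on this page.

```python
import re
from collections import defaultdict

# Constructed sample program (assumed simplified IL-style syntax, not from the paper):
# ORG opens a block, CALL/RET cross block boundaries, JMPC branches on the accumulator.
# MAIN computes RunReq, calls PUMP_CTL, then drives output Q0.0 from PumpCmd.
SAMPLE = """
ORG MAIN
  LD   Start
  ANDN Stop
  ST   RunReq
  CALL PUMP_CTL
  LD   PumpCmd
  ST   Q0.0
  END
ORG PUMP_CTL
  LD   RunReq
  JMPC ENABLED
  LD   FALSE
  ST   PumpCmd
  RET
ENABLED:
  LD   LevelOK
  ST   PumpCmd
  RET
"""

ACC = "<acc>"   # IL current result (accumulator), modelled as an ordinary variable
TOKEN = re.compile(r"(?P<LABEL>[A-Za-z_]\w*):|(?P<WORD>[A-Za-z_][\w.]*)")


def lex(src):
    """Lexical analysis: one list of (kind, text) units per non-empty source line."""
    units = []
    for line in src.splitlines():
        line = line.split("//")[0].strip()        # drop comments and blank lines
        if line:
            units.append([(m.lastgroup, m.group(m.lastgroup)) for m in TOKEN.finditer(line)])
    return units


def parse(units):
    """Syntax analysis keyed on the instruction operator (first WORD of a line).
    Returns flat statements, block entry indices and per-block label targets."""
    stmts, blocks, labels, cur = [], {}, {}, None
    for toks in units:
        if toks[0][0] == "LABEL":                 # 'NAME:' binds to the next statement
            labels[(cur, toks[0][1])] = len(stmts)
            toks = toks[1:]
            if not toks:
                continue
        op, args = toks[0][1], [t[1] for t in toks[1:]]
        if op == "ORG":                           # assumed block-header keyword
            cur = args[0]
            blocks[cur] = len(stmts)
            continue
        stmts.append({"idx": len(stmts), "block": cur, "op": op, "args": args})
    return stmts, blocks, labels


def build_cfg(stmts, blocks, labels):
    """Interprocedural CFG: fall-through edges, JMP/JMPC to labels, CALL into the
    callee entry, and RET back to every statement that follows a CALL of that block."""
    succ, returns = defaultdict(set), defaultdict(set)
    for s in stmts:
        i, op, blk, args = s["idx"], s["op"], s["block"], s["args"]
        nxt = i + 1 if i + 1 < len(stmts) and stmts[i + 1]["block"] == blk else None
        if op == "CALL":
            succ[i].add(blocks[args[0]])
            if nxt is not None:
                returns[args[0]].add(nxt)
        elif op == "JMP":
            succ[i].add(labels[(blk, args[0])])
        elif op == "JMPC":
            succ[i].add(labels[(blk, args[0])])
            if nxt is not None:
                succ[i].add(nxt)
        elif op not in ("RET", "END") and nxt is not None:
            succ[i].add(nxt)
    for s in stmts:
        if s["op"] == "RET":
            succ[s["idx"]] |= returns[s["block"]]
    return succ


def defs_uses(s):
    """Variables defined / used by one statement under the accumulator model."""
    op, a, consts = s["op"], s["args"], {"TRUE", "FALSE"}
    if op == "LD":
        return {ACC}, set(a) - consts
    if op in ("AND", "ANDN", "OR", "ORN"):
        return {ACC}, {ACC} | (set(a) - consts)
    if op == "ST":
        return {a[0]}, {ACC}
    if op == "JMPC":
        return set(), {ACC}
    return set(), set()


def reachable(succ, n):
    """Forward reachability per statement (used for the control-dependence rule)."""
    reach = {}
    for i in range(n):
        seen, stack = set(), [i]
        while stack:
            for y in succ[stack.pop()]:
                if y not in seen:
                    seen.add(y)
                    stack.append(y)
        reach[i] = seen
    return reach


def backward_slice(stmts, succ, sink_var):
    """Backward slice from the last store to sink_var: data dependence through the
    accumulator and named variables; control dependence over-approximated as any JMPC
    from which an already-sliced statement is reachable. Iterates to a fixed point."""
    n = len(stmts)
    sink = max(s["idx"] for s in stmts if s["op"] == "ST" and s["args"][0] == sink_var)
    reach, live_in = reachable(succ, n), [set() for _ in range(n)]
    sliced, changed = set(), True
    while changed:
        changed = False
        for s in reversed(stmts):
            i = s["idx"]
            d, u = defs_uses(s)
            out = set().union(*(live_in[j] for j in succ[i]))   # wanted at exit
            if i == sink:
                out.add(sink_var)
            if i not in sliced and ((d & out) or (s["op"] == "JMPC" and reach[i] & sliced)):
                sliced.add(i)
                changed = True
            new_in = (out - d) | u if i in sliced else out
            if new_in != live_in[i]:
                live_in[i] = new_in
                changed = True
    return sliced


def analyze(src, sink_var):
    """Whole pipeline: lex -> parse -> CFG -> slice. Returns the sliced statement
    indices, their text, and the external inputs the slice reads but never defines."""
    stmts, blocks, labels = parse(lex(src))
    sliced = backward_slice(stmts, build_cfg(stmts, blocks, labels), sink_var)
    defined = set().union(*(defs_uses(stmts[i])[0] for i in sliced))
    used = set().union(*(defs_uses(stmts[i])[1] for i in sliced))
    lines = [f"{stmts[i]['block']}:{i} {stmts[i]['op']} {' '.join(stmts[i]['args'])}"
             for i in sorted(sliced)]
    return {"slice": sorted(sliced), "lines": lines, "sources": used - defined - {ACC}}


if __name__ == "__main__":
    result = analyze(SAMPLE, "Q0.0")
    print("\n".join(result["lines"]))
    print("inputs reaching Q0.0:", sorted(result["sources"]))
```

For the sink `Q0.0` the slice crosses the CALL into `PUMP_CTL`, picks up both stores to `PumpCmd`, the `JMPC` that selects between them and the `LD RunReq` it tests, and reports `Start`, `Stop` and `LevelOK` as the external inputs that can influence the output; statements that cannot affect `Q0.0` (the CALL, RET and END themselves) are left out. A detector in the style the abstract describes would then run its rule over this reduced graph instead of the whole project, which is where the time saving comes from. The control-dependence rule is deliberately an over-approximation (every conditional jump that can reach a sliced statement is kept), so the slice is sound but may be larger than a precise one; `max()` raises `ValueError` if the sink variable is never stored.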

Key words: programmable logic controller, lexical analysis, syntax analysis, control flow graph, code slicing

