Cyber Security and Trust Research & Development
http://www.ISTS.dartmouth.edu
Dartmouth College
INSTITUTE FOR SECURITY TECHNOLOGY STUDIES
Fuzzing proprietary SCADA protocols
Sergey Bratus, ISTS/Dartmouth
Bigezy, Fortune 500 utility company
Black Hat 2008
TCIP Project
http://www.iti.uiuc.edu/tcip/

Fuzzing SCADA
• Ganesh Devarajan (TippingPoint)
– DNP3 module for Sulley the fuzzer (BH 07, Amini & Portnoy)
– BH 07 talk caused much media stir
• Digital Bond's ICCPSic test tools
– released to “subscribers who are vetted asset owners”
– “...will crash vulnerable ICCP servers.”
• SecuriTeam's beSTORM DNP3 fuzzer
– crashed Wireshark's parser
• Mu Security's hardware fuzzer, ...
Kinds of fuzzing
• Generation-based: input created from models (knowledge) of:
– protocol specs (SPIKE, Peach, Sulley, ...)
– file formats (SPIKEfile, FileFuzz, ...)
• Mutation-based: input created from samples of traffic/data:
– packet captures (e.g., the GPF)
– proxying ongoing communications
This ...is ...SCADA! (1)
Requires little knowledge of protocol
• Proprietary protocol: cannot get specs
– Luckily, protocol is plain text
• Access to actual live equipment
– Isolated test control network
– Ability to observe and inject packets
• SCADA: traffic is continual and repetitive
– Endpoints will keep trying to re-establish connections that went wrong.
This ...is ...SCADA! (2)
• Distinct, elaborate initial handshake
– fuzz it to test initial auth code, or
– let it happen, and fuzz data parsing code
• Frequent keep-alives / status messages
– easier to see if target crashed: TCP RSTs
– back off automatically, let the connection be re-established, then fuzz again
• Regular, repeating structure of data packets
Protocol blocks?
• Fuzzer must mimic the protocol well enough to not be rejected outright
– Purpose of the protocol model
• Most generation fuzzers use block models
– “Aitel had it right with SPIKE” -- Sulley
• How to guess blocks of unknown protocols?
– Just (im)precisely enough to mutate them
– better than inserting/deleting runs of random or special bytes
LZfuzz /Lazy-fuzz/
• Guesses blocks (“tokens”) based on repeated occurrence
– runs a variant of the Lempel-Ziv compression algorithm (cf. GZIP)
– frequently repeated byte strings end up in a string table
– seeds the table with likely tokens/blocks from packet captures
• Applies GPF-like mutations to tokens:
– long byte runs for buffers
– extra delimiters, bit flips, ...
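An added illustration (not the LZfuzz code, which is Perl plus a modified GPF) of the two steps the "Protocol blocks?" and "LZfuzz" slides describe: an LZ78-style pass that grows a string table from byte strings repeated across captured packets, seeded with a few likely tokens, followed by GPF-like mutation of the resulting tokens. The sample packets, seed tokens, pass count and mutation sizes are all constructed here.

```python
import random

# Constructed sample captures of a plain-text, repetitive protocol (not real SCADA traffic).
SAMPLE_PACKETS = [b"GET STATUS 17\r\n", b"PUT VALVE 3 OPEN\r\n", b"GET STATUS 17\r\n",
                  b"PUT VALVE 4 CLOSE\r\n", b"GET STATUS 18\r\n", b"RESET 3\r\n"]
SEED_TOKENS = [b"GET", b"PUT", b"\r\n"]   # assumed hints used to seed the string table
MAX_TOKEN = 16                            # longest table entry we try to match

class LZTokenizer:
    """LZ78-style string table: each pass matches the longest entry already in the
    table, then adds 'entry + next byte', so byte strings that recur across packets
    grow into longer table entries."""
    def __init__(self, seeds=()):
        self.table = set(seeds)

    def tokenize(self, data):
        tokens, i = [], 0
        while i < len(data):
            match = data[i:i + 1]                       # fall back to a single byte
            for j in range(i + 2, min(len(data), i + MAX_TOKEN) + 1):
                if data[i:j] in self.table:             # keep the longest known prefix
                    match = data[i:j]
            self.table.add(match)
            self.table.add(data[i:i + len(match) + 1])  # grow the entry (no-op at end of data)
            tokens.append(match)
            i += len(match)
        return tokens

def learn_tokens(packets, seeds=SEED_TOKENS, passes=2, min_len=2, min_count=2):
    """Train the table on the captures, then keep the entries that really recur:
    these are the guessed protocol blocks and how often each appears."""
    tok = LZTokenizer(seeds)
    for p in list(packets) * passes:        # a second pass lets entries added late be matched
        tok.tokenize(p)
    counts = {t: sum(p.count(t) for p in packets) for t in tok.table if len(t) >= min_len}
    return {t: n for t, n in counts.items() if n >= min_count}

def mutate(tokens, seed=0, delimiters=(b" ", b"\r\n")):
    """GPF-like mutation of one token: a long byte run where a buffer is expected,
    an extra delimiter, or a bit flip. The result always differs from the input."""
    rng, toks = random.Random(seed), list(tokens)
    k = rng.randrange(len(toks))
    strategy = rng.choice(("run", "delimiter", "flip"))
    if strategy == "run":
        toks[k] = toks[k][:1] * rng.choice((256, 1024, 4096))
    elif strategy == "delimiter":
        toks.insert(k, rng.choice(delimiters))
    else:
        toks[k] = bytes([toks[k][0] ^ (1 << rng.randrange(8))]) + toks[k][1:]
    return b"".join(toks)
```

Because the table is learned from traffic alone, the same code works on a capture of any plain-text protocol; the seeds are only a hint and may be left empty.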
LZfuzz:
http://lzfuzz.cs.dartmouth.edu
LZ tokenizer: Perl
+ “GzPF”: modified GPF fuzzer (accepts pre-tokenized input and other hints from LZ tokenizer)
+ MITM scripts (ARP spoofing, libIPQ, etc.)
Components
[Diagram: a Laptop sits between a Desktop and a Server and intercepts their packets. A handful of near-identical sample packets feed the LZfuzz string table; each packet is tokenized and mutated, then reassembled and sent on.]
LZfuzz is lazy
[Component diagram, labels as on the slide: sniffing/interception through ip_queue and libipq, feeding the LZfuzz tokenizer and LZfuzz learning; token fuzzing by GPF; injection/spoofing through raw sockets and libnet; IP forwarding/routing via ip_forward; ARP spoofing with arp-sk.]
[Screenshot: guessing protocol field boundaries in ICMP]
... but it tries
• MITMs and forwards live communications
– Standard LAN ARP-poisoning tricks
– Rewrites packets in transit
• Reacts to broken connections by backing off and changing fuzzing mode
– Detects RSTs and repeated SYNs
– Waits (passes packets unmolested) till normal data exchange resumes
– Shifts window of fuzzed tokens
• Must know locations and algorithms of integrity checksums for packet fix-up
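An added sketch (not taken from the LZfuzz code) of the back-off logic this slide describes: a controller watches the monitored connection for RSTs and repeated SYNs, passes packets through unmodified until normal data exchange has resumed, records which window of tokens was being fuzzed when the connection broke, and shifts the window before fuzzing again. The thresholds, window size and event labels are assumed values.

```python
class BackoffController:
    """Per-packet decision: mutate ('FUZZ') or forward untouched ('PASS').
    Thresholds are assumed values, not taken from LZfuzz."""
    def __init__(self, window_size=3, resume_after=4, syn_threshold=2):
        self.window_size = window_size        # how many tokens of a packet are fuzzed at once
        self.resume_after = resume_after      # healthy DATA segments needed before fuzzing again
        self.syn_threshold = syn_threshold    # consecutive SYNs that count as a broken connection
        self.mode, self.window_start = "FUZZ", 0
        self.healthy = self.syns = 0
        self.suspects = []                    # token windows in use when the connection broke

    def observe(self, event):
        """event is 'DATA', 'RST' or 'SYN' as seen on the monitored connection."""
        self.syns = self.syns + 1 if event == "SYN" else 0
        broken = event == "RST" or self.syns >= self.syn_threshold
        if self.mode == "FUZZ":
            if broken:
                # crash signal: remember the window, back off, and move the window along
                self.suspects.append((self.window_start, self.window_start + self.window_size))
                self.window_start += self.window_size
                self.mode, self.healthy = "BACKOFF", 0
                return "PASS"
            return "FUZZ" if event == "DATA" else "PASS"
        # BACKOFF: let everything through until a run of normal data exchange is seen
        self.healthy = self.healthy + 1 if event == "DATA" else 0
        if self.healthy >= self.resume_after:
            self.mode = "FUZZ"
        return "PASS"

    def run(self, events):
        """Feed a whole event sequence and return the per-packet actions."""
        return [self.observe(e) for e in events]

# Constructed event sequence: two fuzzed data packets, the target resets the
# connection, the peer retries its SYNs, then normal traffic resumes.
SAMPLE_EVENTS = ["DATA", "DATA", "RST", "SYN", "SYN", "SYN"] + ["DATA"] * 5
```

The suspects list is the triage output: each entry names the token window that was being mutated when the connection broke, which is where to look first when reproducing a crash.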
Misplaced trust in peers
Unless authenticated and integrity checked with crypto, packets can be
– modified in transit even if sent by a well-behaved peer
– selectively dropped or fragmented by MITM
– crafted and inserted into the network by an entirely different stack
Lessons learned?
“You are far too trusting.”
• Vendors' false assumptions?
– Unauthorized connections the only threat?
– Making sure connected peers do not emit bad packets is enough?
– Control network does not allow packet injection or link layer attacks?
• Control networks need anti-injection measures more than others!
– IPSec, other VPNs: must know a secret to join (must be an insider)
– L2 measures, monitoring may help, too
Contact Information
Institute for Security Technology Studies
Dartmouth College
6211 Sudikoff Laboratory
Hanover, NH 03755
Phone: 603.646.0700
Fax: 603.646.1672
Email: [email protected]
Thanks!
Talk to Bigezy if you are a SCADA asset owner :-)