Overshadow PLC to Detect Remote Control-Logic Injection Attacks Irfan Ahmed Department of Computer Science Virginia Commonwealth University


Page 1: Overshadow PLC to Detect Remote Control-Logic Injection ... · • Signatures on packet headerto detect control logic • Subversion: Transfer code to data blocks of a PLC • Normal

Overshadow PLC to Detect Remote Control-Logic Injection Attacks

Irfan Ahmed, Department of Computer Science, Virginia Commonwealth University

Page 2: Industrial Control Systems

Figure: reference ICS architecture. Control Center: SCADA System LAN with Historian, Control Server (MTU), Engineering Workstation and HMI, connected outward through a WAN card. Corporate Network: Corporate LAN with Modem and PBX. External Communication Infrastructure: Internet, Wide Area Network, modems and PBX. Field Sites: PLCs reached over modems.

Irfan Ahmed

Page 3: PLC Control Logic

• Control logic
  • the code that runs on a PLC
  • defines how a PLC controls a physical process
  • written in IEC 61131-3 languages: Ladder Logic, Instruction List, etc.
• Stuxnet injects control logic
  • monitors the frequency of variable frequency drives
  • the target PLC has a normal frequency range of 807 Hz ~ 1,210 Hz
  • modifies the motor speed periodically from 1,410 Hz to 2 Hz to 1,064 Hz

Figure: a typical PLC architecture, with a ladder-logic code snippet (Timer instruction) from a traffic-light program. Panels: a) ladder-logic source code snippet of the traffic-light program; b) binary ladder-logic snippet of the program; c) Laddis ASCII output of decompiling the binary snippet; d) Laddis graphical output of decompiling the binary snippet. Rungs visible in the snippet:
Rung-3: (XIC/[T4:1/TT]) --> (OTE/[B3:0/1])
Rung-4: (XIC/[T4:1/DN]) --> (TON/[T4:2/1.0/2/0])

Page 4: Stealthy Control Logic Injection Attacks

• Data Execution attack
  • Defense targeted: signatures on the packet header to detect control logic
  • Subversion: transfer code to the data blocks of a PLC
  • Normal data include sensor readings and actuator state, and cannot be blocked by signatures
• Fragmentation and Noise Padding attack
  • Defense targeted: network anomaly detection with byte-level features for proprietary protocol/application network data
  • Subversion: use one-byte code fragments of the attacker's code with a large noise of data

Page 5: Data Execution attack

Figure: the attacker's control logic code is split into Code frag. 1, Code frag. 2, ... Each write request carries an address field in its header and one fragment as payload. In the PLC protocol address space the fragments are written not to the code block (which still contains the original code) but to Address1, Address2, ... in the data block, and the address of the code block held in the configuration block is replaced with Address1.

Page 6: Data Execution attack – Exploitable Vulnerabilities

• Two observations
  • Data blocks cannot be blocked by the signatures, because they are used to exchange the current state of a physical process
  • PLCs do not enforce data execution prevention (DEP)

Page 7: Fragmentation and Noise Padding attack

Figure: a) the attacker's control logic code, split into 1-byte fragments. b) attack packets, each containing a small code fragment followed by a large block of noise: the 1st packet writes to Addr: x, the 2nd to Addr: x+1, ..., the Nth to Addr: x+N-1 (the header carries the address; the payload carries the 1-byte fragment plus N bytes of noise). c) the PLC protocol address space after all the packets are transferred: the fragments sit contiguously from Address x, followed by noise.

Page 8: Fragmentation and Noise Padding attack – Exploitable Vulnerabilities

• DPI techniques cannot detect attack packets that contain a significantly small-size attack payload, because these packets tend to blend with normal packets

Hadziosmanovic, D., Simionato, L., Bolzoni, D., Zambon, E., Etalle, S.: "N-gram against the machine: On the feasibility of the n-gram network analysis for binary protocols", in: International Conference on Research in Attacks, Intrusions, and Defenses (RAID) (2012)

Page 9: Data Execution & Fragmentation and Noise Padding Attacks

Figure: write request message formats of the two protocols/PLCs studied.
Protocol: Modbus, PLC: Modicon M221. Fields shown: Modbus application header, Modbus function code, Session ID, FNC: Write, Address type, Address, Byte size to be written, Payload.
Protocol: PCCC, PLC: Micrologix 1400. Fields shown: Transaction number, Request command, FNC: Write, File type: control logic, File num, Element number, Sub-element number, Byte size to be written, Payload.

Page 10: Datasets

Figure: dataset summary for the Modicon M221 and the Micrologix 1400 (figure content not preserved in the text extraction).

Page 11: Effectiveness of the Attacks

Header-based Signatures & Anagram-based Deep Packet Inspection against the attacks

Attacks                        | # of write request packets | # of packets with code | True Positive Rate | False Positive Rate
Code Injection Without Evasion | 1,535                      | 38                     | 100% (38/38)       | 0% (0/1497)
Data Execution & Noise Padding | 5,362                      | 3,865                  | 0% (0/3865)        | 0% (0/1497)

Anagram-based Deep Packet Inspection against the attacks

Attacks                        | # of write request packets | # of packets with code | True Positive Rate | False Positive Rate
Code Injection Without Evasion | 5,465                      | 684                    | 96.78% (662/684)   | 0% (0/4781)
Noise Padding                  | 29,647                     | 24,866                 | 0% (0/24866)       | 0% (0/4781)

Each table is labelled on the slide with one of the two PLCs: Micrologix 1400 and Modicon M221.

Page 12: Shade - a Shadow Memory Approach

• Shadow memory is a mirrored space of the protocol address space of a PLC
• Shade
  • maintains a shadow memory of each PLC, and
  • detects control logic code by scanning the shadow memory rather than the individual packet payloads

Page 13: Shadow memory scanning

Figure: a write request message (PLC protocol header with Addr: x and len: n, followed by the payload) is mirrored into the shadow memory at [x, x + n). The scan area extends the mirrored payload by b bytes on each side, from x - b to x + n + b.

Page 14: Shade - a Shadow Memory Approach

Learning (Training) Phase: Normal pcap files → Extract write request packets → Mirror to shadow memory → Scan shadow memory → Extract all the features → Select features → Generate classification model (e.g., SVM)

Detection Phase: Monitoring network traffic → If a write request packet is identified → Mirror to shadow memory → Scan shadow memory → Extract selected features → Classification using the model (contains control logic code?) → Yes (raise alarm) / No
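The shadow-memory mirror and scan area from the two slides above, together with the scan boundary b whose effect the later performance slide plots, as an added Python illustration; this is not the authors' Shade implementation or any code from the talk. It assumes a plain byte-array shadow memory, a single feature (the number of 4-grams in the scanned region that match known control-logic 4-grams, matching the 4-gram model the talk reports for the Modicon M221), and a payload-only score computed the same way over one packet, standing in for deep packet inspection. The known control-logic bytes are the Modicon M221 snippet from the Full Decompilation slide; the noise bytes, the 64-byte noise length and the base address are constructed. It shows why 1-byte fragments padded with noise score nothing when inspected packet by packet, but reassemble in the shadow memory, where a scan boundary at least as long as the program sees all of it.

```python
"""Shade-style shadow-memory scanning (added illustration, not the authors' code).

A write request (Addr: x, len: n) is mirrored into a per-PLC shadow copy of
the protocol address space; the detector then scans [x - b, x + n + b)
instead of the packet payload alone, so control logic delivered as 1-byte
fragments padded with noise is reassembled before it is inspected.
"""
import math
import random
from collections import Counter

# Known control-logic sample: the Modicon M221 low-level snippet shown on the
# Full Decompilation slide (two rungs, 20 bytes).
CODE = bytes.fromhex("7c1c23047c8cfce6720000f6732600fcea723e00")
NGRAM = 4            # the talk reports a 4-gram model for the Modicon M221
SCAN_BOUNDARY = 24   # b: extra bytes scanned on each side of a write (chosen here)


class ShadowMemory:
    """Mirror of one PLC's protocol address space (size is an assumption)."""

    def __init__(self, size=0x1000):
        self.mem = bytearray(size)

    def mirror(self, addr, payload):
        """Apply a write request exactly as the PLC would apply it."""
        self.mem[addr:addr + len(payload)] = payload

    def scan_area(self, addr, n, b=SCAN_BOUNDARY):
        """Bytes the detector inspects after a write of n bytes at addr."""
        lo, hi = max(0, addr - b), min(len(self.mem), addr + n + b)
        return bytes(self.mem[lo:hi])


def ngrams(data, n=NGRAM):
    """All overlapping n-byte substrings of data."""
    return [data[i:i + n] for i in range(len(data) - n + 1)]


def ngram_hits(region, known, n=NGRAM):
    """Feature: number of n-grams in region that are known control-logic n-grams."""
    return sum(1 for g in ngrams(region, n) if g in known)


def entropy(data):
    """Feature: Shannon entropy of data in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())


def fragmented_write_requests(code, base_addr, noise_len=64, seed=1):
    """Constructed fragmentation-and-noise-padding traffic, as on the attack
    slide: packet i writes code[i] followed by noise_len random bytes at
    base_addr + i, so each packet overlaps the noise left by the previous one."""
    rng = random.Random(seed)
    packets = []
    for i, byte in enumerate(code):
        noise = bytes(rng.randrange(256) for _ in range(noise_len))
        packets.append((base_addr + i, bytes([byte]) + noise))
    return packets


def per_packet_max_hits(packets, known):
    """What payload-only deep packet inspection sees: best score over all packets."""
    return max(ngram_hits(payload, known) for _, payload in packets)


def shadow_scan_hits(packets, known, b=SCAN_BOUNDARY):
    """What Shade sees: mirror each write, score its scan area, keep the best."""
    shadow = ShadowMemory()
    best = 0
    for addr, payload in packets:
        shadow.mirror(addr, payload)
        best = max(best, ngram_hits(shadow.scan_area(addr, len(payload), b), known))
    return best


def demo(b=SCAN_BOUNDARY):
    """Return (payload-only score, shadow-scan score) for the constructed attack."""
    known = set(ngrams(CODE))   # learning phase: n-grams of known control logic
    packets = fragmented_write_requests(CODE, base_addr=0x100)
    return per_packet_max_hits(packets, known), shadow_scan_hits(packets, known, b)


if __name__ == "__main__":
    for b in (0, 8, 16, SCAN_BOUNDARY):
        payload_score, shadow_score = demo(b)
        print(f"b={b:2d}: payload-only score {payload_score}, shadow-scan score {shadow_score}")
```

Running the block sweeps b: with b = 0 the scan area is exactly the mirrored payload and the shadow scan is no better than packet-level inspection; as b grows past the distance between the first and last fragment, the scan area covers the reassembled program and every one of its 17 known 4-grams is recovered. The entropy helper is included because the Features slide lists entropy beside n-grams; in a real deployment both would feed the SVM rather than a bare hit count.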

Page 15: Features

Features arranged by semantic level, from low semantic to high semantic: N-gram and Entropy (byte-level); Opcode and Rung (obtained by partial decompilation); Full Decompilation.

Page 16: Full Decompilation

a) Low-level code of control logic:
7c 1c 23 04 7c 8c fc e6 72 00 00 f6 73 26 00 fc ea 72 3e 00

b) Decompiled code:
Rung 0: XIC I0.1 AND XIC I0.8 → OTE M1
Rung 1: XIC M307 → OTE M498
(shown on the slide both as text and as a ladder diagram with end-of-rung markers)

Page 17: Partial Decompilation

a) Low-level code of control logic:
00 00 8d 9a 20 00 e4 00 00 01 bc 4f 00 00 e8 00
0a 04 da 4f 0d 00 58 01 0a 00 96 04 ce 4f 00 00
00 00 be f7 16 00 e4 00 0a 04 ce 4f 0e 00 bc 00
01 03 cc 4f 03 00

b) Partially decompiled code:
Rung 0: XIC I1:[bc4f]/0 AND XIO T4:[da4f]/DN → TON T4:[ce4f]/0
Rung 1: XIC T4:[ce4f]/TT → OTE B3:[cc4f]/3

Annotated fields in the byte dump: Rung start, Rung size, File No. (0x04: timer), Byte Address, Bit Offset, and the XIC, XIO, TON and OTE instructions. Bracketed values are bytes which can't be decompiled without the configuration block.

Page 18: Partial Decompilation - missing info

CE4F (Offset in LADDER) - CE4F (Base Address in CONFIG) = 0x00

Figure: Timer Instruction example from the traffic-light program, with the same panels as on Page 3: a) ladder-logic source code snippet; b) binary ladder-logic snippet; c) Laddis ASCII output of decompiling the binary snippet; d) Laddis graphical output of decompiling the binary snippet.
Rung-3: (XIC/[T4:1/TT]) --> (OTE/[B3:0/1])
Rung-4: (XIC/[T4:1/DN]) --> (TON/[T4:2/1.0/2/0])

Page 19: Shadow Memory Results

Figure: results for the Modicon M221 and the Micrologix 1400 (plots not preserved in the text extraction).

Page 20: Scan Boundary b Performance

Figure: Modicon M221 - 4-gram; Micrologix 1400 - 8-gram (plots not preserved in the text extraction).

Page 21: Conclusion

• The Data Execution attack is possible on programmable logic controllers
• The Fragmentation and Noise Padding attack is possible on ICS protocols
• Signature and anomaly approaches are vulnerable to these attacks
• Shadow PLC memory scanning
  • can detect control logic transfer
  • is resilient to the Data Execution and Fragmentation and Noise Padding attacks

Page 22: Questions?

Irfan Ahmed
[email protected]