Overshadow PLC to Detect Remote Control-Logic Injection Attacks

Irfan Ahmed, Department of Computer Science, Virginia Commonwealth University
Industrial Control Systems

[Figure: a typical ICS architecture. A control center (SCADA system LAN with historian, control server (MTU), engineering workstation and HMI) connects through a wide area network and external communication infrastructure (modems, PBX, WAN card) to field sites with PLCs, and to the corporate network (corporate LAN, Internet).]
PLC Control Logic

• Control logic
  • the code that runs on a PLC
  • defines how a PLC controls a physical process
  • written in IEC 61131-3 languages: Ladder Logic, Instruction List, etc.
• Stuxnet injects control logic
  • monitors the frequency of variable frequency drives
  • target PLC has a normal frequency range of 807 Hz ~ 1,210 Hz
  • modifies the motor speed periodically from 1,410 Hz to 2 Hz to 1,064 Hz

[Figures: a typical PLC architecture, and a ladder-logic code snippet (timer) of a traffic-light program: a) ladder-logic source code snippet; b) binary ladder-logic snippet; c) Laddis ASCII output of decompiling the binary ladder-logic snippet; d) Laddis graphical output of decompiling the binary ladder-logic snippet. The ASCII output reads:
Rung-3: (XIC/[T4:1/TT]) --> (OTE/[B3:0/1])
Rung-4: (XIC/[T4:1/DN]) --> (TON/[T4:2/1.0/2/0])]
Stealthy Control Logic Injection Attacks

• Data Execution attack
  • Defense being evaded: signatures on the packet header to detect control logic
  • Subversion: transfer code to data blocks of a PLC
  • Normal data include sensor readings and actuator state, so data blocks cannot be blocked by signatures
• Fragmentation and Noise Padding attack
  • Defense being evaded: network anomaly detection with byte-level features for proprietary protocol/application network data
  • Subversion: use one-byte fragments of the attacker's code, each padded with a large amount of noise data
Data Execution attack

[Figure: the attacker's control logic code is split into fragments (Code frag. 1, Code frag. 2, ...). Each write request carries one fragment as its payload, with the address field in the header pointing into the PLC's data block (Address1, Address2, ...). In the PLC protocol address space the code block still contains the original code; the "address of code block" entry in the configuration block is set to Address1 in the data block.]
Data Execution attack – Exploitable Vulnerabilities

• Two observations
  • Data blocks cannot be blocked by the signatures, because they are used to exchange the current state of a physical process
  • PLCs do not enforce data execution prevention (DEP)
Fragmentation and Noise Padding attack

[Figure: a) the attacker's control logic code; b) N attack packets, each carrying a 1-byte code fragment followed by noise in its payload, with header addresses x, x+1, ..., x+N-1; c) the PLC protocol address space after all packets are transferred: the control logic code sits contiguously at address x, followed by noise.]
Fragmentation and Noise Padding attack – Exploitable Vulnerabilities

• DPI techniques cannot detect attack packets that contain a significantly small attack payload, because these packets tend to blend with normal packets

Hadziosmanovic, D., Simionato, L., Bolzoni, D., Zambon, E., Etalle, S.: "N-gram against the machine: On the feasibility of the n-gram network analysis for binary protocols", In: International Conference on Research in Attacks, Intrusions, and Defenses (RAID) (2012)
Data Execution & Fragmentation and Noise Padding Attacks

[Figure: write request formats used by the attacks.
Protocol: Modbus, PLC: Modicon M221. Fields: Modbus application header, session ID, Modbus function code, FNC: Write, address type, address, byte size to be written, payload.
Protocol: PCCC, PLC: Micrologix 1400. Fields: request command, transaction number, FNC: Write, byte size to be written, file type: control logic, file num, element number, sub-element number, payload.]
Datasets

[Figure: dataset summary for the Modicon M221 and the Micrologix 1400.]
Effectiveness of the Attacks

Modicon M221: header-based signatures & Anagram-based deep packet inspection against the attacks

Attack                           # of write request packets   # of packets with code   True positive rate   False positive rate
Code Injection Without Evasion   1,535                        38                       100% (38/38)         0% (0/1497)
Data Execution & Noise Padding   5,362                        3,865                    0% (0/3865)          0% (0/1497)

Micrologix 1400: Anagram-based deep packet inspection against the attacks

Attack                           # of write request packets   # of packets with code   True positive rate   False positive rate
Code Injection Without Evasion   5,465                        684                      96.78% (662/684)     0% (0/4781)
Noise Padding                    29,647                       24,866                   0% (0/24866)         0% (0/4781)
Shade - a Shadow Memory Approach

• Shadow memory: a mirrored space of the protocol address space of a PLC
• Shade
  • maintains a shadow memory of each PLC, and
  • detects control logic code by scanning the shadow memory rather than the individual packet payloads
Shadow memory scanning

[Figure: a write request message (PLC protocol header with Addr: x, len: n, followed by the payload) is mirrored into the shadow memory at addresses x to x+n. The scan area extends b bytes on each side of the written range, from x-b to x+n+b.]
Shade - a Shadow Memory Approach

[Figure: Shade's learning (training) phase and detection phase.]

Learning phase:
normal pcap files → extract write request packets → mirror to shadow memory → scan shadow memory → extract all the features → select features → generate classification model (e.g., SVM)

Detection phase:
monitoring network traffic → if a write request packet is identified → mirror to shadow memory → scan shadow memory → extract selected features → classification using the model (contains control logic code?) → Yes: raise alarm / No
Features

[Figure: features arranged on an axis from high semantic to low semantic: Partial Decompilation, N-gram, Entropy, Opcode, Rung, Full Decompilation.]
Full Decompilation

a) Low-level code of control logic:
7c 1c 23 04 7c 8c fc e6 72 00 00 f6 73 26 00 fc ea 72 3e 00

b) Decompiled code:
Rung 0: XIC I0.1 AND XIC I0.8 → OTE M1
Rung 1: XIC M307 → OTE M498
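An added example (not the paper's or Shade's code) tying the shadow memory scanning slide to the n-gram feature: it mirrors the fragmentation-and-noise-padding packets into a shadow copy of the address space and shows that an n-gram feature finds nothing in any single payload but finds the whole code in the shadow memory once the scan boundary b reaches back over the earlier fragments. The protocol, address space, addresses and noise bytes are constructed; only the 20 code bytes are taken from the Full Decompilation slide.

```python
"""Added example (not the paper's code): shadow-memory scanning vs. per-packet
inspection under the fragmentation-and-noise-padding attack. Addresses, address
space and noise are constructed; CODE is the snippet from the Full Decompilation slide."""
from collections import Counter

CODE = bytes.fromhex("7c1c23047c8cfce6720000f6732600fcea723e00")
N = 3  # n-gram size (n-gram is one of the low-semantic features)

def ngrams(data, n=N):
    """Multiset of byte n-grams in data."""
    return Counter(bytes(data[i:i + n]) for i in range(len(data) - n + 1))

def code_ngram_hits(data, model=frozenset(ngrams(CODE))):
    """Simplified feature: count of n-grams in data seen in the training code sample."""
    return sum(cnt for g, cnt in ngrams(data).items() if g in model)

def fragment_with_noise(code, x, noise_len, noise_byte=0xFF):
    """Attack packets (address, payload): packet i writes code[i] at x+i followed by
    noise, so each later packet overwrites the previous noise; code ends up contiguous at x."""
    return [(x + i, code[i:i + 1] + bytes([noise_byte]) * noise_len)
            for i in range(len(code))]

class ShadowMemory:
    """Mirror of the PLC protocol address space, rebuilt from write requests."""
    def __init__(self, size):
        self.mem = bytearray(size)  # unwritten addresses read as 0x00

    def mirror(self, addr, payload):
        self.mem[addr:addr + len(payload)] = payload

    def scan_area(self, addr, length, b):
        """Bytes Shade scans after writing `length` bytes at addr: [addr-b, addr+length+b)."""
        lo, hi = max(0, addr - b), min(len(self.mem), addr + length + b)
        return bytes(self.mem[lo:hi])

def per_packet_hits(packets):
    """Best case for per-packet DPI: the most hits in any single payload."""
    return max(code_ngram_hits(payload) for _, payload in packets)

def shadow_scan_hits(packets, b, space=4096):
    """Hits when the shadow memory is scanned around the last write request with
    scan boundary b; b must reach back over the earlier fragments to see them."""
    shadow = ShadowMemory(space)
    for addr, payload in packets:
        shadow.mirror(addr, payload)
    addr, payload = packets[-1]
    return code_ngram_hits(shadow.scan_area(addr, len(payload), b))

if __name__ == "__main__":
    pkts = fragment_with_noise(CODE, 0x100, noise_len=8)
    print(per_packet_hits(pkts), shadow_scan_hits(pkts, 2), shadow_scan_hits(pkts, 19))  # 0 1 18
```

With 20 one-byte fragments, b=2 only reaches the last three code bytes (one matching 3-gram) while b=19 covers the whole injected code, which is the scan-boundary trade-off the later slide measures.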
Partial Decompilation

a) Low-level code of control logic:
00 00 8d 9a 20 00 e4 00 00 01 bc 4f 00 00 e8 00 0a 04 da 4f 0d 00 58 01 0a 00 96 04 ce 4f 00 00 00 00 be f7 16 00 e4 00 0a 04 ce 4f 0e 00 bc 00 01 03 cc 4f 03 00

b) Partially decompiled code:
Rung 0: XIC I1:[bc4f]/0 AND XIO T4:[da4f]/DN → TON T4:[ce4f]/0
Rung 1: XIC T4:[ce4f]/TT → OTE B3:[cc4f]/3

[Figure annotations on the low-level code mark the rung start, rung size, instructions (XIC, XIO, TON, OTE), file number (0x04: timer), byte address and bit offset. The bracketed byte addresses are bytes which can't be decompiled without the configuration block.]
Partial Decompilation - missing info

CE4F (offset in LADDER) - CE4F (base address in CONFIG) = 0x00

[Figure: the timer instruction of the traffic-light program: a) ladder-logic source code snippet; b) binary ladder-logic snippet; c) Laddis ASCII output of decompiling the binary ladder-logic snippet; d) Laddis graphical output of decompiling the binary ladder-logic snippet. The ASCII output reads:
Rung-3: (XIC/[T4:1/TT]) --> (OTE/[B3:0/1])
Rung-4: (XIC/[T4:1/DN]) --> (TON/[T4:2/1.0/2/0])]
Shadow Memory Results

[Figure: detection results for the Modicon M221 and the Micrologix 1400.]
Scan Boundary b Performance

[Figure: performance against the scan boundary b for the Modicon M221 (4-gram) and the Micrologix 1400 (8-gram).]
Conclusion

• Data Execution attack is possible on programmable logic controllers
• Fragmentation and Noise Padding attack is possible on ICS protocols
• Signature and anomaly approaches are vulnerable to these attacks
• Shadow PLC memory scanning
  • can detect control logic transfer
  • is resilient to Data Execution and Fragmentation and Noise Padding attacks