Overshadow PLC to Detect Remote Control-Logic Injection Attacks
Irfan Ahmed, Department of Computer Science, Virginia Commonwealth University
In Industrial Control Systems
[Figure: typical ICS architecture. Control Center: Engineering Workstation, HMI, Historian and Control Server (MTU) on the SCADA system LAN; Corporate Network: Corporate LAN; external communication infrastructure: Modem, PBX, Internet, Wide Area Network, WAN Card; Field Sites: PLCs reached over modems.]
Irfan Ahmed 2
PLC Control Logic
• Control logic
  • the code that runs on a PLC
  • defines how a PLC controls a physical process
  • written in IEC 61131-3 languages: Ladder Logic, Instruction List, etc.
[Figure: a typical PLC architecture]
• Stuxnet injects control logic
  • monitors the frequency of variable frequency drives
  • the target PLC has a normal frequency range of 807 Hz ~ 1,210 Hz
  • modifies the motor speed periodically from 1,410 Hz to 2 Hz to 1,064 Hz
[Figure: Ladder Logic code snippet with a Timer]
Stealthy Control Logic Injection Attacks
• Data Execution attack
  • Defense evaded: signatures on the packet header to detect control logic
  • Subversion: transfer the code to data blocks of a PLC
  • normal data include sensor readings and actuator state
  • cannot be blocked by signatures
• Fragmentation and Noise Padding attack
  • Defense evaded: network anomaly detection with byte-level features for proprietary protocol/application network data
  • Subversion: use one-byte fragments of the attacker's code, each padded with a large amount of noise data
Data Execution attack
[Figure: the PLC protocol address space (configuration block holding the address of the code block, code block containing the original code, data block) beside the attacker's address space holding the control logic. The attacker's code is split into fragments, each sent as a write whose header address field points into the data block (code frag. 1 to Address1, code frag. 2 to Address2, ...); a final write to the address field in the configuration block replaces the address of the code block with Address1, so the PLC runs the code now stored in the data block.]
Data Execution attack – Exploitable Vulnerabilities
• Two observations
  • Data blocks cannot be blocked by the signatures, because they are needed to exchange the current state of a physical process
  • PLCs do not enforce data execution prevention (DEP)
Fragmentation and Noise Padding attack
[Figure: a) the attacker's N-byte control logic code; b) attack packets: the 1st packet writes a 1-byte fragment plus noise at Addr: x, the 2nd at Addr: x+1, ..., the Nth at Addr: x+N-1, each payload being a small code fragment followed by a large noise block; c) the PLC protocol address space after all the packets are transferred: the fragments accumulate contiguously from address x (1 byte, 2 bytes, ..., N bytes) with noise trailing them.]
Fragmentation and Noise Padding attack – Exploitable Vulnerabilities
• DPI techniques cannot detect attack packets
  • that contain a significantly small-size attack payload
  • because these packets tend to blend with normal packets
Hadziosmanovic, D., Simionato, L., Bolzoni, D., Zambon, E., Etalle, S.: "N-gram against the machine: On the feasibility of the n-gram network analysis for binary protocols", in: International Conference on Research in Attacks, Intrusions, and Defenses (RAID) (2012)
Data Execution & Fragmentation and Noise Padding Attacks
[Figure: write request message formats used by the attacks.
• Protocol: Modbus, PLC: Modicon M221. Modbus application header: Session ID, Address, function code. Payload: FNC: Write, Address, Byte size to be written, type, ...
• Protocol: PCCC, PLC: Micrologix 1400. Request: Transaction number, Request command, FNC: Write, Byte size to be written, File number, File type, Element number, Sub-element number. Payload: control logic.]
Datasets
[Figure: dataset summary for Modicon M221 and Micrologix 1400]
Effectiveness of the Attacks

Header-based Signatures & Anagram-based Deep Packet Inspection against the attacks (Modicon M221)
Attack                            # of write request packets   # of packets with code   True Positive Rate   False Positive Rate
Code Injection (without evasion)  1,535                        38                       100% (38 / 38)       0% (0 / 1497)
Data Execution & Noise Padding    5,362                        3,865                    0% (0 / 3865)        0% (0 / 1497)

Anagram-based Deep Packet Inspection against the attacks (Micrologix 1400)
Attack                            # of write request packets   # of packets with code   True Positive Rate   False Positive Rate
Code Injection (without evasion)  5,465                        684                      96.78% (662 / 684)   0% (0 / 4781)
Noise Padding                     29,647                       24,866                   0% (0 / 24866)       0% (0 / 4781)
Shade - a Shadow Memory Approach
• Shadow memory: a mirrored space of the protocol address space of a PLC
• Shade
  • maintains a shadow memory of each PLC, and
  • detects control logic code by scanning the shadow memory rather than the individual packet payloads
Shadow memory scanning
[Figure: a write request message (PLC protocol header with Addr: x, len: n, followed by the payload) is mirrored into shadow memory at addresses x to x+n; the scan area extends the mirrored payload by a boundary b on each side, from x - b to x + n + b.]
Shade - a Shadow Memory Approach
• Learning Phase: Normal pcap files → extract write request packets → mirror to shadow memory → scan shadow memory → extract all the features → select features → generate classification model (e.g., SVM)
• Detection Phase: monitor network traffic → if a write request packet is identified → mirror to shadow memory → scan shadow memory → extract the selected features → classification using the model (contains control logic code?) → Yes: raise alarm; No: keep monitoring
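As an added illustration (not code from the slides or from Shade itself), the following Python mirrors write requests into a shadow memory and scans the boundary-extended area from the scanning slide and the learning/detection pipeline above, and contrasts it with per-packet inspection on a constructed stream shaped like the Fragmentation and Noise Padding attack. The 4-gram "model", the alternating noise pattern, the base address 0x100 and the (address, payload) packet shape are assumptions; the only code sample is the Modicon M221 byte sequence from the full decompilation slide later in the deck.

```python
# Added demo (not from the slides or Shade): shadow-memory scanning versus
# per-packet inspection on a constructed fragmentation-and-noise-padding stream.

# Modicon M221 control-logic bytes from the full-decompilation slide; the only
# "known code" sample behind a 4-gram stand-in for the learned classifier.
CONTROL_LOGIC = bytes.fromhex("7c1c23047c8cfce6720000f6732600fcea723e00")

def ngrams(data: bytes, n: int = 4) -> set:
    """All contiguous n-byte sequences in data."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}

CODE_GRAMS = ngrams(CONTROL_LOGIC)

def looks_like_code(data: bytes) -> bool:
    """Alarm if any 4-gram of data is a known control-logic 4-gram."""
    return bool(ngrams(data) & CODE_GRAMS)

class ShadowMemory:
    """Mirror of the PLC protocol address space (slide 13)."""
    def __init__(self, size: int = 4096):
        self.mem = bytearray(size)

    def mirror(self, addr: int, payload: bytes) -> None:
        self.mem[addr:addr + len(payload)] = payload

    def scan_area(self, addr: int, length: int, b: int) -> bytes:
        # scan [x - b, x + n + b): the write plus boundary b on each side
        lo, hi = max(0, addr - b), min(len(self.mem), addr + length + b)
        return bytes(self.mem[lo:hi])

def fragmented_writes(code: bytes, base: int, noise_len: int = 16) -> list:
    """Constructed stream: packet i writes code[i] at base+i followed by noise
    (an assumed alternating pattern, chosen so no noise byte occurs in code)."""
    noise = bytes([0xAA, 0x55] * (noise_len // 2))
    return [(base + i, bytes([code[i]]) + noise) for i in range(len(code))]

def per_packet_detect(packets: list) -> bool:
    """Deep packet inspection: every payload is judged on its own."""
    return any(looks_like_code(payload) for _, payload in packets)

def shadow_detect(packets: list, b: int):
    """Mirror each write, then scan its boundary-extended area; returns the
    index of the first packet that raises an alarm, or None if none does."""
    shadow = ShadowMemory()
    for idx, (addr, payload) in enumerate(packets):
        shadow.mirror(addr, payload)
        if looks_like_code(shadow.scan_area(addr, len(payload), b)):
            return idx
    return None
```

With b = 0 the scan area is just the mirrored payload and the result matches per-packet inspection; a boundary of at least n-1 bytes (3 here) lets the scan see the fragments written by earlier packets, which is where the alarm comes from.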
Features
[Figure: feature families ordered from high semantic to low semantic: Full Decompilation (rung level), Partial Decompilation (opcode level), N-gram, Entropy]
Full Decompilation
a) Low-level code of control logic: 7c 1c 23 04 7c 8c fc e6 72 00 00 f6 73 26 00 fc ea 72 3e 00, annotated as OTE M1, XIC I0.1, AND XIC I0.8, (end of rung), XIC M307, OTE M498, (end of rung)
b) Decompiled code:
Rung 0: XIC I0.1 AND XIC I0.8 → OTE M1
Rung 1: XIC M307 → OTE M498
Partial Decompilation: bytes which can't be decompiled without the configuration block
a) Low-level code of control logic: 00 00 8d 9a 20 00 e4 00 00 01 bc 4f 00 00 e8 00 0a 04 da 4f 0d 00 58 01 0a 00 96 04 ce 4f 00 00 00 00 be f7 16 00 e4 00 0a 04 ce 4f 0e 00 bc 00 01 03 cc 4f 03 00, with annotated fields: Rung start, Rung size, XIC, XIO, TON, OTE, File No. (0x04: timer), Byte Address, Bit Offset
b) Partially decompiled code:
Rung 0: XIC I1:[bc4f]/0 AND XIO T4:[da4f]/DN → TON T4:[ce4f]/0
Rung 1: XIC T4:[ce4f]/TT → OTE B3:[cc4f]/3
Partial Decompilation - missing info
CE 4F (offset in LADDER) - CE 4F (base address in CONFIG) = 0x00
[Figure: the Timer instruction resolved from the offset]
Shadow Memory Results
[Figure: detection results for Modicon M221 and Micrologix 1400]
Scan Boundary b Performance
[Figure: detection performance as a function of the scan boundary b, Modicon M221 with L4gram and Micrologix 1400 with #8gram]
Conclusion
• The Data Execution attack is possible on programmable logic controllers
• The Fragmentation and Noise Padding attack is possible on ICS protocols
• Signature and anomaly approaches are vulnerable to these attacks
• Shadow PLC memory scanning
  • can detect control logic transfer
  • is resilient to the Data Execution and the Fragmentation and Noise Padding attacks
Questions?
Irfan Ahmed, iahmed3@vcu.edu, Virginia Commonwealth University