Overshadow PLC to Detect Remote Control-Logic Injection Attacks
TRANSCRIPT

Slide 1: Overshadow PLC to Detect Remote Control-Logic Injection Attacks
Irfan Ahmed, Department of Computer Science, Virginia Commonwealth University
Slide 2: Industrial Control Systems
[Figure: ICS architecture. Control Center: SCADA system LAN with Historian, Control Server (MTU), Engineering Workstation and HMI. External Communication Infrastructure: Wide Area Network, modems, PBX and WAN card links. Field Sites: PLCs reached over modems. Corporate Network: Corporate LAN with modem, connected to the Internet.]
Slide 3: PLC Control Logic
• Control logic
  • the code that runs on a PLC
  • defines how a PLC controls a physical process
  • written in IEC 61131-3 languages
    • Ladder Logic
    • Instruction List, etc.
• Stuxnet injects control logic
  • monitors the frequency of variable frequency drives
  • target PLC has a normal frequency range of 807 Hz ~ 1,210 Hz
  • modifies the motor speed periodically from 1,410 Hz to 2 Hz to 1,064 Hz
[Figure: a typical PLC architecture and a ladder-logic code snippet with a timer instruction. Laddis decompilation of a traffic-light program: a) ladder-logic source snippet, b) binary ladder-logic snippet, c) Laddis ASCII output of decompiling the binary snippet, d) Laddis graphical output. Example rungs: Rung-3: (XIC/[T4:1/TT]) --> (OTE/[B3:0/1]); Rung-4: (XIC/[T4:1/DN]) --> (TON/[T4:2/1.0/2/0]).]
Slide 4: Stealthy Control Logic Injection Attacks
• Data Execution attack
  • Defense evaded: signatures on the packet header to detect control logic
  • Subversion: transfer code to the data blocks of a PLC
    • Normal data include sensor readings and actuator state
    • Cannot be blocked by signatures
• Fragmentation and Noise Padding attack
  • Defense evaded: network anomaly detection with byte-level features for proprietary protocol/application network data
  • Subversion: use one-byte fragments of the attacker's code, each padded with a large amount of noise data
Slide 5: Data Execution Attack
[Figure: the PLC protocol address space holds a code block (containing the original code), a data block and a configuration block. The attacker's control logic code is split into fragments: code fragment 1 is written to Address1 in the data block, code fragment 2 to Address2 in the data block, and so on, each write packet carrying the address in its header and the fragment in its payload. The address of the code block held in the configuration block is set to Address1.]
Slide 6: Data Execution Attack – Exploitable Vulnerabilities
• Two observations
  • Writes to data blocks cannot be blocked by signatures, because data blocks are used to exchange the current state of a physical process
  • PLCs do not enforce data execution prevention (DEP)
Slide 7: Fragmentation and Noise Padding Attack
[Figure: a) the attacker's control logic code is split into 1-byte fragments. b) Attack packets containing a small code fragment with large noise: the 1st packet has header Addr: x and a payload of one code byte followed by N bytes of noise; the 2nd packet writes to Addr: x+1; ... the Nth packet writes to Addr: x+N-1, each carrying one code byte and noise. c) PLC protocol address space after all the packets are transferred: the fragments occupy consecutive addresses starting at Address: x and form the original code, with noise around it.]
Slide 8: Fragmentation and Noise Padding Attack – Exploitable Vulnerabilities
• DPI techniques cannot detect attack packets
  • that contain a significantly small attack payload
  • because these packets tend to blend with normal packets
Reference: Hadziosmanovic, D., Simionato, L., Bolzoni, D., Zambon, E., Etalle, S.: "N-gram against the machine: On the feasibility of the n-gram network analysis for binary protocols", in: International Conference on Research in Attacks, Intrusions, and Defenses (RAID) (2012)
Slide 9: Data Execution & Fragmentation and Noise Padding Attacks – Write Request Formats
[Figure: the write request messages used by the attacks. Protocol: Modbus, PLC: Modicon M221; fields include Modbus application header, Modbus function code, Session ID, FNC: Write, Address type, Address, Byte size to be written, Payload. Protocol: PCCC, PLC: Micrologix 1400; fields include Transaction number, Request command, FNC: Write, File num, File type: control logic, Element number, Sub-element number, Byte size to be written, Payload.]
Slide 10: Datasets
[Figure: dataset summaries for the Modicon M221 and the Micrologix 1400.]
Slide 11: Effectiveness of the Attacks

Header-based Signatures & Anagram-based Deep Packet Inspection against the attacks (Modicon M221):

| Attacks | # of write request packets | # of packets with code | True Positive Rate | False Positive Rate |
|---|---|---|---|---|
| Code Injection Without Evasion | 1,535 | 38 | 100% (38/38) | 0% (0/1497) |
| Data Execution & Noise Padding | 5,362 | 3,865 | 0% (0/3865) | 0% (0/1497) |

Anagram-based Deep Packet Inspection against the attacks (Micrologix 1400):

| Attacks | # of write request packets | # of packets with code | True Positive Rate | False Positive Rate |
|---|---|---|---|---|
| Code Injection Without Evasion | 5,465 | 684 | 96.78% (662/684) | 0% (0/4781) |
| Noise Padding | 29,647 | 24,866 | 0% (0/24866) | 0% (0/4781) |
Slide 12: Shade – a Shadow Memory Approach
• Shadow memory: a mirrored copy of the protocol address space of a PLC
• Shade
  • maintains a shadow memory for each PLC, and
  • detects control logic code by scanning the shadow memory rather than the individual packet payloads
Slide 13: Shadow Memory Scanning
[Figure: a write request message with PLC protocol header (Addr: x, len: n) and payload is mirrored into shadow memory at addresses x to x + n. The scan area extends b bytes on either side of the mirrored payload, covering x - b to x + n + b.]
Slide 14: Shade – a Shadow Memory Approach (workflow)
Learning (training) phase: Normal pcap files → Extract write request packets → Mirror to shadow memory → Scan shadow memory → Extract all the features → Select features → Generate classification model (e.g., SVM).
Detection phase: Monitoring network traffic → If a write request packet is identified → Mirror to shadow memory → Scan shadow memory → Extract selected features → Classification using the model (contains control logic code?) → Yes (raise alarm) / No.
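As an added example (not code from the talk or from the Shade tool), the mirroring and scan-area logic of the preceding slides in Python: each write request is applied to a per-PLC shadow memory and the window [x-b, x+n+b] is scanned for byte n-grams, so that one-byte fragments that look like noise per packet become a contiguous, recognizable code sequence in shadow memory. The address-space size, base address, boundary b, noise bytes and the fragmented write sequence are constructed assumptions; the 20-byte snippet is the one shown on the full-decompilation slide.

```python
# Added example (not code from the talk or the Shade tool): a per-PLC shadow memory
# that mirrors write requests and scans the window [x-b, x+n+b] with byte n-grams.
# Address-space size, base address, boundary b, noise and write sequence are constructed.

# 20-byte control-logic snippet shown on the "Full Decompilation" slide
CODE = bytes.fromhex("7c 1c 23 04 7c 8c fc e6 72 00 00 f6 73 26 00 fc ea 72 3e 00")
N = 4  # n-gram size used when scanning

def ngrams(data: bytes, n: int = N) -> set:
    return {data[i:i + n] for i in range(len(data) - n + 1)}

# n-grams of control logic seen during training (here: the single snippet above)
CODE_NGRAMS = ngrams(CODE)

class ShadowMemory:
    """Mirrored copy of one PLC's protocol address space (constructed size)."""

    def __init__(self, size: int = 4096, boundary: int = 20):
        self.mem = bytearray(size)
        self.b = boundary

    def mirror(self, addr: int, payload: bytes) -> bytes:
        """Apply a write request (Addr: x, len: n) and return the scan area."""
        n = len(payload)
        if addr < 0 or addr + n > len(self.mem):
            raise ValueError("write request outside the PLC address space")
        self.mem[addr:addr + n] = payload
        lo, hi = max(0, addr - self.b), min(len(self.mem), addr + n + self.b)
        return bytes(self.mem[lo:hi])

def code_score(data: bytes) -> int:
    """Number of learned control-logic n-grams present in the scanned bytes."""
    return len(ngrams(data) & CODE_NGRAMS)

def fragmented_writes(code: bytes, base: int, noise_len: int = 64) -> list:
    """Constructed traffic in the shape of the fragmentation slide: packet i writes
    one code byte at Addr base+i, followed by noise_len bytes of filler."""
    noise = bytes([0xAA, 0x55] * (noise_len // 2))
    return [(base + i, code[i:i + 1] + noise) for i in range(len(code))]

def compare(boundary: int = 20, base: int = 0x100) -> tuple:
    """Return (best per-packet score, best shadow-memory scan score) for the same traffic."""
    shadow = ShadowMemory(boundary=boundary)
    per_packet = per_shadow = 0
    for addr, payload in fragmented_writes(CODE, base):
        per_packet = max(per_packet, code_score(payload))                       # DPI view
        per_shadow = max(per_shadow, code_score(shadow.mirror(addr, payload)))  # Shade view
    return per_packet, per_shadow
```

`compare()` returns (0, 17): no packet payload on its own contains a single learned code n-gram, while the shadow-memory scan after the last write sees all 17; shrinking the boundary (e.g. `compare(boundary=8)`) lowers the shadow score, which is the trade-off the scan-boundary slide later measures.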
Slide 15: Features
[Figure: feature families ordered from low to high semantic level: N-gram and Entropy (low semantic, raw bytes), Opcode (partial decompilation), Rung (full decompilation, high semantic).]
Slide 16: Full Decompilation
a) Low-level code of control logic:
7c 1c 23 04 7c 8c fc e6 72 00 00 f6 73 26 00 fc ea 72 3e 00
b) Decompiled code:
Rung 0: XIC I0.1 AND XIC I0.8 → OTE M1
Rung 1: XIC M307 → OTE M498
(The bytes are annotated as: XIC I0.1 AND XIC I0.8, OTE M1, end of rung; XIC M307, OTE M498, end of rung.)
Slide 17: Partial Decompilation
a) Low-level code of control logic:
00 00 8d 9a 20 00 e4 00 00 01 bc 4f 00 00 e8 00 0a 04 da 4f 0D 00 58 01 0a 00 96 04 ce 4f 00 00 00 00 be f7 16 00 e4 00 0a 04 ce 4f 0e 00 bc 00 01 03 cc 4f 03 00
b) Partially decompiled code:
Rung 0: XIC I1:[bc4f]/0 AND XIO T4:[da4f]/DN → TON T4:[ce4f]/0
Rung 1: XIC T4:[ce4f]/TT → OTE B3:[cc4f]/3
(Annotated fields: rung start, rung size, instruction opcodes XIC, XIO, TON and OTE, file number (0x04: timer), byte address and bit offset. Highlighted bytes are those which can't be decompiled without the configuration block.)
Slide 18: Partial Decompilation – Missing Info
CE4F (Offset in LADDER) - CE4F (Base Address in CONFIG) = 0x00
[Figure: the Laddis decompilation of a traffic-light program (a) ladder-logic source snippet, b) binary ladder-logic snippet, c) Laddis ASCII output, d) Laddis graphical output) with the timer instruction highlighted. Example rungs: Rung-3: (XIC/[T4:1/TT]) --> (OTE/[B3:0/1]); Rung-4: (XIC/[T4:1/DN]) --> (TON/[T4:2/1.0/2/0]).]
Slide 19: Shadow Memory Results
[Figure: detection results for the Modicon M221 and the Micrologix 1400.]
Slide 20: Scan Boundary b Performance
[Figure: performance as a function of the scan boundary b; Modicon M221 - L4gram, Micrologix 1400 - #8gram.]
Slide 21: Conclusion
• Data Execution attack is possible on programmable logic controllers
• Fragmentation and Noise Padding attack is possible on ICS protocols
• Signature and anomaly approaches are vulnerable to these attacks
• Shadow PLC memory scanning
  • can detect control logic transfer
  • is resilient to Data Execution and Fragmentation and Noise Padding attacks