building hardened implementations of scada ics protocols
play

Building Hardened Implementations of SCADA/ICS Protocols Using - PowerPoint PPT Presentation

Jul 23, 2023 •217 likes •583 views

Building Hardened Implementations of SCADA/ICS Protocols Using Language-Theoretic Security Prashant Anantharaman, Dartmouth College pa@cs.dartmouth.edu http://cs.dartmouth.edu/~pa CREDC Industry Workshop March 27-29, 2017 Funded by the U.S.

  1. Building Hardened Implementations of SCADA/ICS Protocols Using Language-Theoretic Security Prashant Anantharaman, Dartmouth College pa@cs.dartmouth.edu http://cs.dartmouth.edu/~pa CREDC Industry Workshop March 27-29, 2017 Funded by the U.S. Department of Energy and the U.S. Department of Homeland Security | cred-c.org

  2. Academia + Power Industry + InfoSec Community • Sven M. Hallberg, Sergey Bratus, Adam Crain, Meredith L. Patterson, Maxwell Koo, Sean W. Smith cred-c.org | 2

  3. Outline • Introduction: Parsers, security, and the LangSec viewpoint • The Problem: Analysing the DNP3 protocol and vulnerabilities • Our Approach: Building a safer DNP3 parser from scratch “Make the parser code look like the grammar” “Make the validity expectations of data apparent from code” • Case study: a DNP3 filtering proxy • Conclusion and next steps cred-c.org | 3

  4. Data format is code's destiny • A parser takes input data, and builds a structural representation of the input • "Validating input" is judging what effect it will have on code cred-c.org | 4

  5. What goes wrong in parsing ● Object boundaries in message cross or overlap ● Object are embedded in other objects incorrectly ● Objects that should appear in a given position aren’t there ● Objects appear in a position that isn’t right ● Pre-conditions expected by the rest of the code are not met ● Code’s behavior on input is not predictable ○ Buffer overflow, memory corruption, exploitation Result: security hole! cred-c.org | 5

  6. LangSec: Mission assurance for parsers • Formal language theory: The fundamental underlying science for this problem! • Seeks to prevent recurring programmer errors in protocols by identifying and eliminating problematic syntax & ambiguity • LangSec identifies protocol/syntax features that make security an uphill battle: - specification is ambiguous: programmers disagree - validity check is too hard for a programmer to get right - several sources of truth - too much context needed to judge an object as valid or invalid

  7. Outline • Introduction: Parsers, security, and the LangSec viewpoint • The Problem: Analysing the DNP3 protocol and vulnerabilities • Our Approach: Building a safer DNP3 parser from scratch “Make the parser code look like the grammar” “Make the validity expectations of data apparent from code” • Case study: a DNP3 filtering proxy • Conclusion and next steps cred-c.org | 7

  8. DNP3 issues are not theoretical • 2013 to 2014 – Over 30 CVEs related to input validation with DNP3 implementations. (“ Robus Master Serial Killer ”, Sistrunk & Crain, 2014) • Out of dozens of implementations only a small few were defect-free. • Low-defect implementations chose a very conservative subset of DNP3 features.

  9. Security Holes Exist! cred-c.org | 9

  10. Vulnerabilities DD 82 00 00 0C 01 00 00 01 rnd(11) rnd(11) 05 64 06 44 64 00 64 00 FF F2 C0 1D 0A DD 82 00 00 0A 02 01 00 00 FF FF FA 82 00 00 01 00 02 00 00 00 00 FF FF FF FF 0 4294967295 Group 1 4 byte Unsolicited Variation 0 start/stop Response ● infinite loop Sizeless?! ● missing data ● integer overflow? ● accepts broadcast From: Adam Crain, Chris Sistrunk “Project Robus, Master Serial Killer”, S4x14

  11. DNP3 frame format cred-c.org | 11

  12. From DNP3 link layer to application layer

  13. Application layer: Sequences of DNP3 objects

  14. It is not all grammar!

  15. Outline • Introduction: Parsers, security, and the LangSec viewpoint • The Problem: Analysing the DNP3 protocol and vulnerabilities • Our Approach: Building a safer DNP3 parser from scratch “Make the parser code look like the grammar” “Make the validity expectations of data apparent from code” • Case study: a DNP3 filtering proxy cred-c.org | 15

  16. LangSec methodology • We read through the protocol specification and extracted all syntax related information from text • Gathered all text information into a grammar specification • Identified problematic and ambiguous syntax likely to cause errors • Wrote our parser very closely following the grammar cred-c.org | 16

  17. Solve language problems with a language approach • Start with a grammar • If you don’t know what valid or expected syntax/content of a message is, how can you check it? Or interoperate? • If the protocol comes without a grammar, you need to derive one. It’s the only way! :( • Write the parser to look like the grammar: succinct & incrementally testable • Don’t start processing before you’re done parsing

  18. The Recognizer design pattern Only semantically valid input passes Language grammar Recognizer Processing only well- for the typed objects and no Input language raw input Invalid, malformed and crafted packets

  19. Parsing & protocol anti-patterns • “ Shotgun parsers ”: input validity checks intermixed with processing code; no clear separation boundary • OpenSSL’s Heartbleed, GNU TLS Hello bug, … • Unnecessarily complex syntax (e.g., context-sensitive where context-free or regular would suffice) • Objects’ interpretation & legality depends on sibling object contents • Parser differentials (parsers disagree about message contents) • X.509 CA vs client bugs, Android Master Key bugs, …

  20. Parser combinators: a natural choice • Hammer parser construction kit: C/C++ • Bindings for Java, Python, Ruby, .NET, Go • Three algorithmic parsing back-ends • Freely available on GitHub: https://github.com/UpstandingHackers/hammer

  21. Parser combinators at a glance (1)

  22. Parser combinators at a glance (2)

  23. Parser Combinators: code looks like the grammar • Have primitives HParser *seqno = h_bits(4, false); HParser *bit = h_bits(1, false); ... • Combined to form higher-level structures h_choice, h_many, h_many1, ... • define own combinators

  24. Fragment Header Flags - dealing with syntax overloading across 4 types of packets /* --- uns,con,fin,fir --- */ conflags = h_sequence(bit,zro,one,one, NULL); // CONFIRM reqflags = h_sequence(zro,zro,one,one, NULL); // always fin,fir! unsflags = h_sequence(one,one,ign,ign, NULL); // unsolicited rspflags = h_sequence(zro,bit,bit,bit, NULL); Checking is declarative, not in code!

  25. CROB Object Declarative approach: parser code is generated from it. crob = h_sequence(h_bits(4, false), // op type bit, // queue flag bit, // clear flag tcc, h_uint8(), // count h_uint32(), // on-time [ms] h_uint32(), // off-time [ms] status, // 7 bits dnp3_p_reserved(1), NULL));

  26. LangSec approach makes you ask the right questions pcb = dnp3_p_g12v2_binoutcmd_pcb_oblock; pcm = dnp3_p_g12v3_binoutcmd_pcm_oblock; select_pcb = h_sequence(pcb, h_many1(pcm), NULL); select_oblock = h_choice(select_pcb, dnp3_p_g12v1_binoutcmd_crob_oblock, dnp3_p_anaout_oblock, NULL); select = h_many(select_oblock); // empty select requests valid? // is it valid to have many pcb-pcm blocks in the same request? // ... to mix pcbs and crobs? // langsec approach warns you of pitfalls! Failure to ask to ask any of these questions could result in parser bugs! Parser bugs => 0days

  27. Outline • Introduction: Parsers, security, and the LangSec viewpoint • The Problem: Analysing the DNP3 protocol and vulnerabilities • Our Approach: Building a safer DNP3 parser from scratch “Make the parser code look like the grammar” “Make the validity expectations of data apparent from code” • Case study: a DNP3 filtering proxy • Conclusion and next steps cred-c.org | 27

  28. Practical application: Validating Proxy Dissector #1 Master Outstation Bi-directional TCP Streams Dissector #2

  29. Validation: tools & techniques • Unit tests, Unit tests, Unit tests! (easy for parser combinators) • Tests based on common DNP3 implementation mistakes • Dynamic analysis with Valgrind • Fuzzing: coverage-guided ( AFL ) and model-based ( Aegis )

  30. We survived AFL and Aegis! • American Fuzzy Lop (AFL): Generic coverage-guided fuzzing (needs source) • Aegis: Specialised DNP3 fuzzer by Adam Crain

  31. Unit tests for smallest parser parts, known poison // 4-byte max range - start = 0, stop = 0xFFFFFFFF check_parse(dnp3_p_app_response, "\x00\x81\x00\x00\x1E\x02\x02\x00\x00\x00\x00\xFF\xFF\xFF\xFF", 15, "PARAM_ERROR on [0] RESPONSE"); static HParsedToken *act_range(const HParseResult *p, void *user) { // p->ast = (start, stop) uint32_t start = H_FIELD_UINT(0); uint32_t stop = H_FIELD_UINT(1); assert(start <= stop); assert(stop - start < SIZE_MAX); return H_MAKE_UINT(stop - start + 1); }

  32. Write tests as you write production code // mixing CROBs, analog output, and PCBs check_parse(dnp3_p_app_request, "\xC3\x03\x0\x02\x07\x01\x41\x03\xF4\x01\x00\x00\xD0\x07\x00\x00\x00” "\x0C\x03\x00\x05\x0F\x21\x04" "\x29\x01\x17\x01\x01\x12\x34\x56\x78\x00", 34, "[3] (fir,fin) SELECT {g12v2 qc=07 (CLOSE PULSE_ON 3x on=500ms off=2000ms)}" " {g12v3 qc=00 #5..15: 1 0 0 0 0 1 0 0 0 0 1}" " {g41v1 qc=17 #1:2018915346}");

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

First Building Blocks For Implementations of Security Protocols Verified in Coq Reynald Affeldt

First Building Blocks For Implementations of Security Protocols Verified in Coq Reynald Affeldt

First Building Blocks For Implementations of Security Protocols Verified in Coq Reynald Affeldt 1) Kazuhiko Sakaguchi 1)2) 1) National Institute of Advanced Industrial Science and Technology, Japan 2) University of Tsukuba Motivation

352 views • 21 slides
SCADA deep inside: protocols and security mechanisms Aleksandr Timorin

SCADA deep inside: protocols and security mechanisms Aleksandr Timorin

SCADA deep inside: protocols and security mechanisms Aleksandr Timorin 05|06|07 September 2014 # whoami penetration tester at Positive Technologies SCADA security researcher, main specialisation -

1.03k views • 81 slides
Verifying Security Protocols and their Implementations Information Security and Cryptography

Verifying Security Protocols and their Implementations Information Security and Cryptography

Verifying Security Protocols and their Implementations Information Security and Cryptography Reading Group Presenter: C t lin Hri cu References Verified Interoperable Implementations of Security Protocols. Karthikeyan Bhargavan,

922 views • 70 slides
SCADA and Other Dangerous Things Professor Andrew Blyth, PhD. University of South Wales, UK.

SCADA and Other Dangerous Things Professor Andrew Blyth, PhD. University of South Wales, UK.

SCADA and Other Dangerous Things Professor Andrew Blyth, PhD. University of South Wales, UK. E-Mail: andrew.blyth@southwales.ac.uk SCADA and Ukraine SCADA Hacking Typical SCADA Critical Infrastructure Architecture 4 SCADA and IPC Forensic

303 views • 17 slides
SCADA SCADA Sec Securit urity SC SCADA Ne Netwo twork rk Sec Security urity Jodi Jensen

SCADA SCADA Sec Securit urity SC SCADA Ne Netwo twork rk Sec Security urity Jodi Jensen

SCADA SCADA Sec Securit urity SC SCADA Ne Netwo twork rk Sec Security urity Jodi Jensen Operations Support Manager Western Area Power Administration Sub Substation Ne station Netwo twork rk Sec Security urity Tyler Stinson

627 views • 13 slides
SCADA Security Eric Chan Fortinet SouthEast Asia &amp; HK SCADA Network Architecture CONFIDENTIAL

SCADA Security Eric Chan Fortinet SouthEast Asia &amp; HK SCADA Network Architecture CONFIDENTIAL

SCADA Security Eric Chan Fortinet SouthEast Asia &amp; HK SCADA Network Architecture CONFIDENTIAL INTERNAL ONLY 2 Where are the Threats Coming From? External Sources SCADA systems are often interconnected to other SCADA systems and

480 views • 12 slides
Towards an Ecosystem for Verifying Implementations of BFT protocols Ivana Vukotic, Vincent Rahli,

Towards an Ecosystem for Verifying Implementations of BFT protocols Ivana Vukotic, Vincent Rahli,

Towards an Ecosystem for Verifying Implementations of BFT protocols Ivana Vukotic, Vincent Rahli, Marcus Vlp and Paulo Esteves-Verssimo PhD start: April 2017 Areas: BFT &amp; Formal verification Univ. of Luxembourg SnT Luxembourg

314 views • 10 slides
THE APPLICATION OF THE APPLICATION OF GPRS FOR SCADA GPRS FOR SCADA COMMUNICATIONS

THE APPLICATION OF THE APPLICATION OF GPRS FOR SCADA GPRS FOR SCADA COMMUNICATIONS

THE APPLICATION OF THE APPLICATION OF GPRS FOR SCADA GPRS FOR SCADA COMMUNICATIONS COMMUNICATIONS Dieter Gtschow Telecommunications specialist Industry Association Resource Centre African Utility Week, 810 May 2006 Overview

549 views • 21 slides
Out of Control: Demonstrating SCADA Exploitation Brian Meixell Eric Forner Black Hat 2013

Out of Control: Demonstrating SCADA Exploitation Brian Meixell Eric Forner Black Hat 2013

Out of Control: Demonstrating SCADA Exploitation Brian Meixell Eric Forner Black Hat 2013 Agenda SCADA 101 Attack Scenarios Common Vulnerabilities Remediation Exploit Demo SCADA 101 SCADA DCS Supervisory Distributed

626 views • 45 slides
SCADA STRANGELOVE SCADA.SL Sergey Gordeychik Internets Aleksandr Timorin StrangeLove movie and

SCADA STRANGELOVE SCADA.SL Sergey Gordeychik Internets Aleksandr Timorin StrangeLove movie and

SCADA STRANGELOVE SCADA.SL Sergey Gordeychik Internets Aleksandr Timorin StrangeLove movie and other Gleb Gritsai *All pictures are taken from Dr Group of security researchers focused on ICS/SCADA Alexander Timorin Dmitry Serebryannikov

1.13k views • 65 slides
_ ...... - I =-= I A Weatherford Enterra Company SCADA Systems Seminar TEST, Inc SCADA Ssmlnor

_ ...... - I =-= I A Weatherford Enterra Company SCADA Systems Seminar TEST, Inc SCADA Ssmlnor

_ ...... - I =-= I A Weatherford Enterra Company SCADA Systems Seminar TEST, Inc SCADA Ssmlnor slrtu030.doc ~_-Computer Alternate Signal Path (3 x #16 wires) 3.275 Ghz Satollite Earth Station 3.275 Ghz Satellite _-'/P&quot;lnK Antenna

2.28k views • 183 slides
Verifying Web Services Security Protocols, Standards, and Implementations Karthik Bhargavan

Verifying Web Services Security Protocols, Standards, and Implementations Karthik Bhargavan

Verifying Web Services Security Protocols, Standards, and Implementations Karthik Bhargavan Microsoft Research, Cambridge Microsoft Research INRIA Joint Centre, Paris Joint work with C. Fournet and A.D. Gordon + R. Puccella, S. Tse, N.

1.4k views • 122 slides
SCADA Supervisory Control and Data Acquisition What is SCADA? Superv rvisory Control and Data

SCADA Supervisory Control and Data Acquisition What is SCADA? Superv rvisory Control and Data

SCADA Supervisory Control and Data Acquisition What is SCADA? Superv rvisory Control and Data Acquisition SCADA is the system that controls the various operating processes at our facilities. It is also the system that collects and stores

1.17k views • 23 slides
System Management SCADA Replacing missing or incorrect values with estimates DM#12352252 What is

System Management SCADA Replacing missing or incorrect values with estimates DM#12352252 What is

System Management SCADA Replacing missing or incorrect values with estimates DM#12352252 What is SCADA? S upervisory C ontrol A nd D ata A cquisition , a computer system for gathering and analysing real-time data. SCADA systems are used to

309 views • 15 slides
Duan Vavreka September 2015 Quality metering RTU and SCADA RTU and SCADA Control systems

Duan Vavreka September 2015 Quality metering RTU and SCADA RTU and SCADA Control systems

www.elvac.eu Duan Vavreka September 2015 Quality metering RTU and SCADA RTU and SCADA Control systems for energetics Quality metering in class A ARTIQ 144 measurements 4V4I, communication interface RS-485, optionally Ethernet or USB,

605 views • 13 slides
Introduction to SCADA Most of the slides are from ECE 450/CSE 450 (Fall 2010) taught at Lehigh

Introduction to SCADA Most of the slides are from ECE 450/CSE 450 (Fall 2010) taught at Lehigh

10/30/2015 Introduction to SCADA Most of the slides are from ECE 450/CSE 450 (Fall 2010) taught at Lehigh University by Dr. Liang Cheng and Dr. Shalinee Kishore. Motivation for SCADA Suppose you have a simple electrical circuit consisting

538 views • 15 slides
Proximal Method with Contractions for Smooth Convex Optimization Nikita Doikov Yurii Nesterov

Proximal Method with Contractions for Smooth Convex Optimization Nikita Doikov Yurii Nesterov

Proximal Method with Contractions for Smooth Convex Optimization Nikita Doikov Yurii Nesterov Catholic University of Louvain, Belgium Grenoble September 23, 2019 Plan of the Talk 1. Proximal Method with Contractions 2. Application to

2.8k views • 19 slides
The Proximal Primal-Dual Approach for Nonconvex Linearly Constrained Problems Presenter: Mingyi

The Proximal Primal-Dual Approach for Nonconvex Linearly Constrained Problems Presenter: Mingyi

The Proximal Primal-Dual Approach for Nonconvex Linearly Constrained Problems Presenter: Mingyi Hong Joint work with Davood Hajinezhad University of Minnesota ECE Department DIMACS Workshop on Distributed Opt., Information Process., and

1.14k views • 76 slides
Stochastic Optimization for Learning over Networks Guanghui (George) Lan School of Industrial

Stochastic Optimization for Learning over Networks Guanghui (George) Lan School of Industrial

Stochastic Optimization for Learning over Networks Guanghui (George) Lan School of Industrial and Systems Engineering Georgia Institute of Technology East Coast Optimization Meeting 2019, April 4-5, 2019 Department of Mathematical Sciences

627 views • 46 slides
Inner and Outer Approximating Flowpipes for Delay Differential Equations Eric Goubault 1 Sylvie

Inner and Outer Approximating Flowpipes for Delay Differential Equations Eric Goubault 1 Sylvie

Inner and Outer Approximating Flowpipes for Delay Differential Equations Eric Goubault 1 Sylvie Putot 1 1 LIX, Ecole Polytechnique - CNRS, Universit e Paris-Saclay MRIS, March 15, 2018 Eric Goubault , Sylvie Putot ( LIX, Ecole Polytechnique -

916 views • 43 slides
Edit Timelines &amp; Efficient Streaming of Media Mangala Prabhu and Eric Reinecke Agenda

Edit Timelines &amp; Efficient Streaming of Media Mangala Prabhu and Eric Reinecke Agenda

Edit Timelines &amp; Efficient Streaming of Media Mangala Prabhu and Eric Reinecke Agenda Part I: Trailers at Netflix Part II: Edit Intelligence In Pipelines, OpenTimeLineIO Trailers at Netflix Mangala Prabhu, Compute and Storage

763 views • 64 slides
CSCE 970 Lecture 7: Earth, cant afford to visit each area to deter- Clustering: Basic Concepts

CSCE 970 Lecture 7: Earth, cant afford to visit each area to deter- Clustering: Basic Concepts

Introduction What if labels unavailable? E.g. feat. vectors are measurements of elec- tromag. energy reflected from remote parts of CSCE 970 Lecture 7: Earth, cant afford to visit each area to deter- Clustering: Basic Concepts mine

304 views • 6 slides
Convex Optimization in Machine Learning and Inverse Problems Part 3: Augmented Lagrangian Methods

Convex Optimization in Machine Learning and Inverse Problems Part 3: Augmented Lagrangian Methods

Convex Optimization in Machine Learning and Inverse Problems Part 3: Augmented Lagrangian Methods ario A. T. Figueiredo 1 and Stephen J. Wright 2 M 1 Instituto de Telecomunica c oes, Instituto Superior T ecnico, Lisboa, Portugal 2

806 views • 46 slides
New primal-dual subgradient methods for Convex Problems with Functional Constraints Yurii

New primal-dual subgradient methods for Convex Problems with Functional Constraints Yurii

New primal-dual subgradient methods for Convex Problems with Functional Constraints Yurii Nesterov, CORE/INMA (UCL) January 12, 2015 (Les Houches) Yu. Nesterov New primal-dual methods for functional constraints 1/19 Outline 1 Constrained

1.98k views • 169 slides

More recommend