overshadow plc to detect ct remote co control logic c
play

Overshadow PLC to Detect ct Remote Co Control-Logic c Inject - PowerPoint PPT Presentation

Apr 11, 2024 •248 likes •484 views

Overshadow PLC to Detect ct Remote Co Control-Logic c Inject ction Attack cks Irfan Ahmed Department of Computer Science Virginia Commonwealth University In Industrial ial Control l System ems Control Center Corporate Network

  1. Overshadow PLC to Detect ct Remote Co Control-Logic c Inject ction Attack cks Irfan Ahmed Department of Computer Science Virginia Commonwealth University

  2. In Industrial ial Control l System ems Control Center Corporate Network Engineering HMI Workstation Corporate LAN Modem PBX PBX SCADA System LAN Internet Wide Area Network Modem External Communication Historian Control Server Infrastructure (MTU) . . . Modem Modem PLC PLC PLC WAN Card Field Sites Irfan Ahmed 2

  3. PL PLC Control logic • Control logic • the code runs on a PLC A typical PLC Architecture • defines how a PLC controls a physical process • written in IEC 61131-3 languages • Ladder Logic • Instruction List, etc. • Stuxnet injects control logic • monitors the frequency of variable frequency drives Ladder Logic Code Snippet . . . • target PLC has normal frequency range of 807 Hz ~ 1,210 Hz • modifies the motor speed periodically from 1,410 Hz to 2 Hz to 1,064 Hz . . . Timer Irfan Ahmed 3

  4. Stealthy Control Logic c Inject ction Attack cks • Data Execution attack • Signatures on packet header to detect control logic • Subversion: Transfer code to data blocks of a PLC • Normal Data include sensor readings, and actuator state • Cannot be blocked by signatures • Fragmentation and Noise Padding attack • Network anomaly detection with byte-level features for proprietary protocol/application network data • Subversion: Use one-byte code fragment of the attacker’s code with a large noise of data Irfan Ahmed 4

  5. Dat Data a Execu cutio ion at attack ack PLC Protocol Attacker’s Address Space control logic Conf. block code Address of code block Data block Address1 in data block Code frag. 1 Code frag. 1 Address2 in data block Code frag. 2 Code frag. 2 … … Address in configuration block Address1 Code block (contains original code) Address field in header Payload Irfan Ahmed 5

  6. Data Execu cution attack ck – Ex Exploitable Vulnerabilities • Two observations • Data blocks cannot be blocked by the signatures to exchange the current state of a physical process • PLCs do not enforce data execution prevention (DEP) Irfan Ahmed 6

  7. Fragmentation and Noise Padding attack ck N-bytes control logic code a) Attacker’s control logic code 1 st packet 2 nd packet N th packet Addr: x Addr: x+1 Addr: x+N -1 Header 1-byte frag. 1-byte frag. 1-byte frag. … Payload noise noise noise b) Attack packets containing small code fragment with large noise Address: x 1-byte 2-bytes N-bytes … noise noise noise c) PLC protocol address space after all the packets are transferred Irfan Ahmed 7

  8. Fragmentation and Noise Padding attack ck – Ex Exploitable Vulnerabilities • DPI techniques cannot detect attack packets • that contain significantly small-size attack payload • because these packets tend to blend with normal packets Hadziosmanovic, D., Simionato, L., Bolzoni, D., Zambon, E., Etalle, S.: “ N-gram against the machine: On the feasibility of the n-gram network analysis for binary protocols ”, In: International Conference on Research in Attacks, Intrusions, and Defenses (RAID) (2012) Irfan Ahmed 8

  9. Data Execu cution & Fr Fragmentation and Noise Padding Attack cks Modbus appl. Modbus Session Address header ID function code Protocol: Modbus PLC: Modicon M221 Address Byte size to FNC: Payload Write type be written … Byte size to File type: Sub-element Request FNC: Write be written control logic command number Element Transaction File num Payload number number Protocol: PCCC PLC: Micrologix 1400 Irfan Ahmed 9

  10. Dat Datas asets Modicon M221 Micrologix 1400 Irfan Ahmed 10

  11. Effect ctiveness of the Attack cks Header-based Signatures & Anagram-based Deep Packet Inspection against the attacks # of write # of packets True Positive False Positive Attacks Modicon M221 request packets with Code Rate Rate Code Injection 1,535 38 100% (38 / 38) 0% (0 / 1497) Without Evasion Data Execution 5,362 3,865 0% (0 / 3865) 0% (0 / 1497) & Noise Padding Anagram-based Deep Packet Inspection against the attacks # of write # of packets True Positive False Micrologix 1400 Attacks request packets with Code Rate Positive Rate Code Injection 5,465 684 96.78% (662/684) 0% (0/4781) Without Evasion Noise Padding 29,647 24,866 0% (0 / 24866) 0% (0/4781) Irfan Ahmed 11

  12. Sh Shade - a Shadow Memory Approach ch • Shadow memory as a mirrored space of the protocol address space of a PLC • Shade • maintains shadow memory of each PLC and • detects control logic code by scanning the shadow memory rather than the individual packet payloads Irfan Ahmed 12

  13. Sh Shadow ow memor ory s scanning PLC protocol header Write request Addr: x len: n payload message mirrored b b Shadow … … payload Memory x - b x x + n x + n + b scan area Irfan Ahmed 13

  14. Sh Shade - a Shadow Memory Approach ch Learning Phase Extract Mirror to Scan Extract Generate Select classification model write request shadow shadow all the Normal features packets memory memory features (e.g., SVM) pcap files Detection Phase Classification Yes Monitoring If write request Mirror to Scan Extract using the model (raise alarm) Network packets is shadow shadow selected (contains control Traffic identified memory memory features No logic code ?) Irfan Ahmed 14

  15. Fe Features Full Decompilation N-gram Partial Decompilation Entropy High Low Semantic Semantic Opcode Rung Irfan Ahmed 15

  16. Fu Full De Deco compilat ilatio ion OTE M1 XIC I0.1 AND XIC I0.8 (end of rung) XIC M307 7c 1c 23 04 7c 8c fc e6 72 00 00 f6 73 26 00 fc ea 72 3e 00 OTE M498 (end of rung) a) Low-level code of control logic Rung 0: XIC I0.1 AND XIC I0.8 → OTE M1 Rung 1: XIC M307 → OTE M498 b) Decompiled code Irfan Ahmed 16

  17. Pa Partial De Deco compilat ilatio ion : Bytes which can’t be decompiled without configuration block File Byte Bit Rung start Rung size XIC No. Address Offset XIO 00 00 8d 9a 20 00 e4 00 00 01 bc 4f 00 00 e8 00 0a 04 da 4f 0D 00 58 01 0a 00 96 04 ce 4f 00 00 00 00 be f7 16 00 e4 00 0a 04 ce 4f 0e 00 bc 00 01 03 cc 4f 03 00 XIC TON File No. (0x04: timer) OTE a) Low-level code of control logic Rung 0: XIC I1:[ bc4f ]/0 AND XIO T4:[ da4f ]/DN → TON T4:[ ce4f ]/0 Rung 1: XIC T4:[ ce4f ]/TT → OTE B3:[ cc4f ]/3 b) Partially decompiled code Irfan Ahmed 17

  18. Partial De Pa Deco compilat ilatio ion - mi missing info CE 4F (Offset in LADDER) - CE 4F (Base Address in CONFIG) = 0x00 . . . Timer Instruction Irfan Ahmed 18

  19. Sh Shadow ow Memor ory R Results Modicon M221 Micrologix 1400 Irfan Ahmed 19

  20. Sc Scan Bou oundary b Pe Performance Modicon M221 - L4gram Micrologix 1400 - #8gram Irfan Ahmed 20

  21. Co Conclusion • Data Execution attack is possible on programmable logic controller • Fragmentation and Noise Padding attack is possible on ICS protocols • Signature and anomaly approaches are vulnerable to these attacks • Shadow PLC memory scanning • can detect control logic transfer • Resilient to Data Execution and Fragmentation and Noise Padding attacks Irfan Ahmed 21

  22. Qu Questions ? Irfan Ahmed iahmed3@vcu.edu Virginia Commonwealth University Irfan Ahmed 22

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Sequential Logic Design Process Control Flaxer Eli - Process Control Ch 2 - 1 Logic Devices

Sequential Logic Design Process Control Flaxer Eli - Process Control Ch 2 - 1 Logic Devices

Chapter 2 Sequential Logic Design Process Control Flaxer Eli - Process Control Ch 2 - 1 Logic Devices Logic devices divide into two major types: Combinational Logic Current output depends on current input only Gates, decoders,

453 views • 7 slides
Fight the Bite - Applying Remote Sensing Technologies to Detect Mosquito Breeding Habitats of

Fight the Bite - Applying Remote Sensing Technologies to Detect Mosquito Breeding Habitats of

Fight the Bite - Applying Remote Sensing Technologies to Detect Mosquito Breeding Habitats of Importance H-GAC Meeting April 4th 2018 Sarah Gunter, PhD, MPH Mosquito-Borne Diseases Aedes spp. Chikungunya o Dengue fever o Lymphatic

602 views • 21 slides
Remote Control: Remote Control: Distributed Application Configuration, Distributed Application

Remote Control: Remote Control: Distributed Application Configuration, Distributed Application

Remote Control: Remote Control: Distributed Application Configuration, Distributed Application Configuration, Management, and Visualization with Plush Management, and Visualization with Plush Jeannie Albrecht, Ryan Braud, Darren Dao, Nikolay

458 views • 17 slides
PROGRAMMABLE LOGIC CONTROLLER Control Systems Types Programmable Logic Controllers

PROGRAMMABLE LOGIC CONTROLLER Control Systems Types Programmable Logic Controllers

PROGRAMMABLE LOGIC CONTROLLER Control Systems Types Programmable Logic Controllers Distributed Control System PC- Based Controls Programmable Logic Controllers PLC Sequential logic solver PID Calculations. Advanced

292 views • 27 slides
A Compositional Logic A Compositional Logic for Control Flow for Control Flow Gang Tan, Boston

A Compositional Logic A Compositional Logic for Control Flow for Control Flow Gang Tan, Boston

A Compositional Logic A Compositional Logic for Control Flow for Control Flow Gang Tan, Boston College g , g Andrew W. Appel, Princeton University Jan 8 2006 Jan 8, 2006 1 Mobile Code Security Protect trusted system against

561 views • 26 slides
Chapter 1 Combinational Logic Process Control Ch 1- 1 Flaxer Eli - Process Control Chapter

Chapter 1 Combinational Logic Process Control Ch 1- 1 Flaxer Eli - Process Control Chapter

Chapter 1 Combinational Logic Process Control Ch 1- 1 Flaxer Eli - Process Control Chapter Outline Documentation Standards for digital systems. Combinational Logic Design Structures : - Logic Gates - Decoders - Encoders -

583 views • 9 slides
Control Overview RICHMOND AMATEUR RADIO CLUB SEPTEMBER 2015 Why operate Remote? Some of us are

Control Overview RICHMOND AMATEUR RADIO CLUB SEPTEMBER 2015 Why operate Remote? Some of us are

Remotehams Remote Control Overview RICHMOND AMATEUR RADIO CLUB SEPTEMBER 2015 Why operate Remote? Some of us are getting OLDER! Remote Ops can be used from Apartments, Assisted Living Facilities, Condos, and Family Member's home who might

445 views • 16 slides
V.A. Trapeznikov INSTITUTE OF CONTROL SCIENCES Institute of Automation and Remote Control: the

V.A. Trapeznikov INSTITUTE OF CONTROL SCIENCES Institute of Automation and Remote Control: the

V.A. Trapeznikov INSTITUTE OF CONTROL SCIENCES Institute of Automation and Remote Control: the Start and War Years (1939-1944) Academy Corresponding Member Professor A.F. Shorin V.I. Kovalenkov Academician . . Chernyshov Academician V.S.

425 views • 20 slides
Remote Damage Control Resuscitation: An Overview for Medical Directors and Supervisors THOR

Remote Damage Control Resuscitation: An Overview for Medical Directors and Supervisors THOR

Remote Damage Control Resuscitation: An Overview for Medical Directors and Supervisors THOR Collaboration Agenda What is Remote Damage Control Resuscitation? Putting RDCR into Practice Control Hemorrhage Resuscitate Hemorrhage

529 views • 27 slides
December 18, 2019 Control Panel - Ceiling, Closet or Remote IP / POE O3 HUB with Sensor

December 18, 2019 Control Panel - Ceiling, Closet or Remote IP / POE O3 HUB with Sensor

December 18, 2019 Control Panel - Ceiling, Closet or Remote IP / POE O3 HUB with Sensor Fusion 8 Technologies O3 CPU - w/ Module Support + 8 HUBs HVAC BACnet Solutions 1 Control Panel - Ceiling, Closet or Remote IP / POE O3 HUB with

388 views • 7 slides
Logic + Control: An example or SAT solver of Howe & King as a logic program (File

Logic + Control: An example or SAT solver of Howe & King as a logic program (File

Intro. Specification Correctness&. . . Programs Final Logic + Control: An example or SAT solver of Howe & King as a logic program (File ./LIPIcs/29.pdf ) W lodzimierz Drabent Institute of Computer Science, Polish Academy of

806 views • 41 slides
Infection Control to detect and prevent Antimicrobial Resistance in India 5 th Principal

Infection Control to detect and prevent Antimicrobial Resistance in India 5 th Principal

Capacity Building and Strengthening of Hospital Infection Control to detect and prevent Antimicrobial Resistance in India 5 th Principal Investigators meeting Purva Mathur 20/11/2018 35 participating centres 93 ICUs included 86 ICUs

1.7k views • 118 slides
8/28/2010 CONTROL UNIT CPU is partitioned into Arithmetic Logic Unit (ALU) and Control Unit

8/28/2010 CONTROL UNIT CPU is partitioned into Arithmetic Logic Unit (ALU) and Control Unit

8/28/2010 CONTROL UNIT CPU is partitioned into Arithmetic Logic Unit (ALU) and Control Unit (CU) . The function of control unit is to generate relevant timing and control signals to all operations in the MANINDER KAUR computer.

295 views • 4 slides
Remotehams Remote Control Overview RICHMOND AMATEUR RADIO CLUB MAY 2017 What are we trying to

Remotehams Remote Control Overview RICHMOND AMATEUR RADIO CLUB MAY 2017 What are we trying to

Remotehams Remote Control Overview RICHMOND AMATEUR RADIO CLUB MAY 2017 What are we trying to do? Internet Icom IC-7100 Specs Icom AH-4 Specs Diamond X50 Specs RARC Remote Equipment RemoteHams Android Client Remote Controlled Rig Useful 3

506 views • 15 slides
New Remote Control What is Rewote? IoT (Internet of Things) Rewote is an IoT product managed by

New Remote Control What is Rewote? IoT (Internet of Things) Rewote is an IoT product managed by

New Remote Control What is Rewote? IoT (Internet of Things) Rewote is an IoT product managed by mobile application providing to control the motors with receiver which are existing in the market. Rewote is consisted by 2 main ingredients like

333 views • 22 slides
TURN SAVINGS ON OPERA Range Remote control for lighting See all presentation See the general

TURN SAVINGS ON OPERA Range Remote control for lighting See all presentation See the general

TURN SAVINGS ON OPERA Range Remote control for lighting See all presentation See the general characteristics and the system structure See the presentation of hardware modules for remote control OPERA Range General information The OPERA

645 views • 31 slides
Login Securely from Anywhere to your Home Computer by Greg Bishop Linux Supporters Group

Login Securely from Anywhere to your Home Computer by Greg Bishop Linux Supporters Group

Login Securely from Anywhere to your Home Computer by Greg Bishop Linux Supporters Group Adelaide March 2015 Internet/www ISP ISP modem modem away home Internet/www ISP ISP 201.202.203.204 modem modem away home 201.202.203.204

324 views • 16 slides
1 Example: Modem Hierarchy (contd) V ISITOR V ISITOR as a Matrix as a Matrix Example: Modem

1 Example: Modem Hierarchy (contd) V ISITOR V ISITOR as a Matrix as a Matrix Example: Modem

Design Patterns: Set 3 Design Patterns: Set 3 V ISITOR V ISITOR The V The V The V ISITOR ISITOR family family The V ISITOR ISITOR family allows new family allows new methods to be added to existing V methods to be

281 views • 6 slides
8 ________________________ SRP: The Single Responsibility Principle None but Buddha himself

8 ________________________ SRP: The Single Responsibility Principle None but Buddha himself

________________________ 8 ________________________ SRP: The Single Responsibility Principle None but Buddha himself must take the responsibility of giving out occult secrets... E. Cobham Brewer 18101897. Dictionary of Phrase and

637 views • 6 slides
Simulation Using OMNeT++ Jeffery Weston Eric Koski Slide 1, 9/8/2015 Overview Developing

Simulation Using OMNeT++ Jeffery Weston Eric Koski Slide 1, 9/8/2015 Overview Developing

High Frequency Radio Network Simulation Using OMNeT++ Jeffery Weston Eric Koski Slide 1, 9/8/2015 Overview Developing new modems and protocols for HF radio data communications Many issues with HF make simulation attractive But with

866 views • 11 slides
Flow processing and the rise of the middle. Mark Handley, UCL With acknowledgments to Michio

Flow processing and the rise of the middle. Mark Handley, UCL With acknowledgments to Michio

Flow processing and the rise of the middle. Mark Handley, UCL With acknowledgments to Michio Honda, Laurent Mathy, Costin Raiciu, Olivier Bonaventure, and Felipe Huici. Part 1 Todays Internet Protocol Layering Link layers (eg

443 views • 32 slides
An Integrated Modeling, Synthesis and Verification Methodology Xiaojian Liu Greg Smith June

An Integrated Modeling, Synthesis and Verification Methodology Xiaojian Liu Greg Smith June

HLS Based HW and SW Co-Design of Complex IP Subsystems An Integrated Modeling, Synthesis and Verification Methodology Xiaojian Liu Greg Smith June 4th, 2013 David Hansen Jeff Wong Louie Lee PAGE 1 2 Author Page Xiaojian Liu,

469 views • 15 slides
Underwater Glider Path Planning and Population Reduction in Differential Evolution Eurocast

Underwater Glider Path Planning and Population Reduction in Differential Evolution Eurocast

Underwater Glider Path Planning and Population Reduction in Differential Evolution Eurocast 2015, Workshop on marine sensors and manipulators Science Museum of Las Palmas de Gran Canaria 11th to 13th of February 2015 Canary Islands, Spain, EU

254 views • 22 slides
SHADOZ (Southern Hemisphere Additional Ozonesondes): Recent Accomplishments & Upcoming

SHADOZ (Southern Hemisphere Additional Ozonesondes): Recent Accomplishments & Upcoming

SHADOZ (Southern Hemisphere Additional Ozonesondes): Recent Accomplishments & Upcoming Activities Anne Thompson, PI amt16@psu.edu GMAC, 22 May 13 With: J C Witte (SSAI at NASA/GSFC), S K Miller (PSU), S J Oltmans (CU/CIRES, NOAA/GMD),

400 views • 19 slides

More recommend