Overshadow PLC to Detect Remote Control-Logic Injection Attacks - PowerPoint PPT Presentation

SLIDE 1

Overshadow PLC to Detect Remote Control-Logic Injection Attacks

Irfan Ahmed, Department of Computer Science, Virginia Commonwealth University

SLIDE 2

Industrial Control Systems

[Figure: ICS reference architecture. Control Center: SCADA system LAN with Historian, Control Server (MTU), Engineering Workstation, HMI, and a Modem/WAN card. Corporate Network: Corporate LAN, PBX and Modem, connected to the Internet. Field Sites: PLCs reached through the external communication infrastructure (Wide Area Network, modems, PBX).]

2 Irfan Ahmed

SLIDE 3
  • Control logic
    • the code that runs on a PLC
    • defines how a PLC controls a physical process
    • written in IEC 61131-3 languages
      • Ladder Logic
      • Instruction List, etc.
  • Stuxnet injects control logic
    • monitors the frequency of variable frequency drives
    • target PLC has a normal frequency range of 807 Hz ~ 1,210 Hz
    • modifies the motor speed periodically from 1,410 Hz to 2 Hz to 1,064 Hz

[Figures: a ladder logic code snippet with a timer; a typical PLC architecture with the control logic running on the PLC]

SLIDE 4

Stealthy Control Logic Injection Attacks

  • Data Execution attack
    • Defense evaded: signatures on the packet header that detect control logic transfers
    • Subversion: transfer the code to the data blocks of a PLC
      • normal data include sensor readings and actuator state, so writes to data blocks cannot be blocked by signatures
  • Fragmentation and Noise Padding attack
    • Defense evaded: network anomaly detection with byte-level features for proprietary protocol/application network data
    • Subversion: send one-byte fragments of the attacker's code, each padded with a large amount of noise data


SLIDE 5

Data Execution attack


[Figure: Data Execution attack. The attacker's control logic code is split into Code frag. 1 and Code frag. 2. Each write request carries a fragment as payload, with the address field in the header set to Address1 or Address2 inside the data block. In the PLC protocol address space the code block keeps the original code, the fragments land in the data block, and the figure shows Address1 also being written into the configuration block's "address of code block" field.]
SLIDE 6

Data Execution attack – Exploitable Vulnerabilities

  • Two observations
    • Data blocks cannot be blocked by the signatures, because they are used to exchange the current state of a physical process
    • PLCs do not enforce data execution prevention (DEP)


SLIDE 7

Fragmentation and Noise Padding attack


[Figure: Fragmentation and Noise Padding attack. a) The attacker's control logic code is split into 1-byte fragments. b) Attack packets: the 1st packet writes one code byte followed by N bytes of noise at address x (header Addr: x), the 2nd packet writes the next code byte plus noise at Addr: x+1, ..., the Nth packet at Addr: x+N-1; each packet thus contains a small code fragment with large noise. c) PLC protocol address space after all the packets are transferred: the complete control logic code sits contiguously from address x, followed by noise.]

SLIDE 8

Fragmentation and Noise Padding attack – Exploitable Vulnerabilities

  • DPI techniques cannot detect attack packets that contain a significantly small-size attack payload, because these packets tend to blend with normal packets

Hadziosmanovic, D., Simionato, L., Bolzoni, D., Zambon, E., Etalle, S.: “N-gram against the machine: On the feasibility of the n-gram network analysis for binary protocols”, In: International Conference on Research in Attacks, Intrusions, and Defenses (RAID) (2012)


SLIDE 9

Data Execution & Fragmentation and Noise Padding Attacks


Protocol: Modbus, PLC: Modicon M221 – write request fields:
  • Modbus application header
  • Modbus function code
  • Session ID
  • FNC: Write
  • Address type
  • Address
  • Byte size to be written
  • Payload

Protocol: PCCC, PLC: Micrologix 1400 – write request fields:
  • Transaction number
  • Request command
  • FNC: Write
  • File type: control logic
  • File number
  • Element number
  • Sub-element number
  • Byte size to be written
  • Payload

SLIDE 10

Datasets


[Tables: dataset statistics for the Modicon M221 and Micrologix 1400 captures]

SLIDE 11

Effectiveness of the Attacks


Modicon M221 – Header-based Signatures & Anagram-based Deep Packet Inspection against the attacks

Attack                           # of write request packets   # of packets with code   True Positive Rate   False Positive Rate
Code Injection Without Evasion   1,535                        38                       100% (38/38)         0% (0/1,497)
Data Execution & Noise Padding   5,362                        3,865                    0% (0/3,865)         0% (0/1,497)

Micrologix 1400 – Anagram-based Deep Packet Inspection against the attacks

Attack                           # of write request packets   # of packets with code   True Positive Rate   False Positive Rate
Code Injection Without Evasion   5,465                        684                      96.78% (662/684)     0% (0/4,781)
Noise Padding                    29,647                       24,866                   0% (0/24,866)        0% (0/4,781)

(The false positive denominators are the write request packets without code: 1,535 - 38 = 1,497 and 5,465 - 684 = 4,781.)

SLIDE 12

Shade - a Shadow Memory Approach

  • Shadow memory: a mirrored space of the protocol address space of a PLC
  • Shade
    • maintains a shadow memory of each PLC, and
    • detects control logic code by scanning the shadow memory rather than the individual packet payloads


SLIDE 13

Shadow memory scanning


[Figure: Shadow memory scanning. A write request message (PLC protocol header with Addr: x and len: n, followed by the payload) has its payload mirrored into the shadow memory at [x, x+n). The scan area is widened by a boundary b on each side, so the scanner examines [x-b, x+n+b) rather than the payload alone.]

SLIDE 14

Shade - a Shadow Memory Approach


Learning Phase
  • Normal pcap files
  • Extract write request packets
  • Mirror to shadow memory
  • Scan shadow memory
  • Extract all the features
  • Select features
  • Generate classification model (e.g., SVM)

Detection Phase
  • Monitor network traffic
  • If a write request packet is identified, mirror it to shadow memory
  • Scan shadow memory
  • Extract the selected features
  • Classify using the model (contains control logic code?)
  • Yes: raise alarm; No: keep monitoring
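The following Python model is an added example written for this page; it is not code from the slides or from Shade itself. It reproduces, in miniature, why packet-by-packet inspection (header signatures and payload n-gram DPI, slides 4 to 11) misses the Data Execution and Fragmentation and Noise Padding attacks, and why mirroring every write into a shadow memory and scanning a boundary-padded area (slides 12 to 14) still sees the assembled code. Everything protocol-specific is an assumption of the example: a flat byte-addressed PLC address space, write requests reduced to (address, payload), hypothetical code-block and data-block address ranges, and a "detector" that simply counts distinct byte 4-grams of a known control-logic sample (the Modicon M221 rung bytes printed on slide 16) found in a scan window. The real Modbus/UMAS and PCCC headers and Shade's feature selection and SVM are not modelled.

```python
import random

# Constructed sample input: the low-level control-logic bytes shown on
# slide 16 (Modicon M221 rungs), reused here as the "known logic" sample.
LOGIC = bytes.fromhex("7c1c23047c8cfce6720000f6732600fcea723e00")
N = 4                               # n-gram size for the toy DPI
CODE_BLOCK = range(0x1000, 0x2000)  # hypothetical code-block address range
DATA_BLOCK = range(0x4000, 0x5000)  # hypothetical data-block address range


def ngrams(data, n=N):
    """Set of distinct byte n-grams in a byte string."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


# "Learning phase" stand-in: signature n-grams taken from the known logic.
SIGS = ngrams(LOGIC)


def header_alarm(addr):
    """Header-based signature: only writes aimed at the code block are flagged."""
    return addr in CODE_BLOCK


def matches(window):
    """Payload/DPI feature: how many distinct signature n-grams a window holds."""
    return len(ngrams(window) & SIGS)


class ShadowMemory:
    """Mirror of the PLC protocol address space, one per PLC (slide 12)."""

    def __init__(self, size=0x6000):
        self.mem = bytearray(size)

    def write(self, addr, payload):
        self.mem[addr:addr + len(payload)] = payload

    def scan_area(self, addr, n, b):
        """Slide 13: scan [addr - b, addr + n + b) around a mirrored write."""
        return bytes(self.mem[max(0, addr - b):addr + n + b])


def plain_injection(addr):
    """Code injection without evasion: the whole logic in one write request."""
    return [(addr, LOGIC)]


def fragment_with_noise(addr, noise_len, seed=1):
    """Slide 7: the i-th packet writes one code byte at addr + i, then noise.
    Each packet's noise is overwritten by the next packet, so the PLC ends up
    with the contiguous logic at addr followed by the last packet's noise."""
    rng = random.Random(seed)
    reqs = []
    for i, code_byte in enumerate(LOGIC):
        noise = bytes(rng.randrange(256) for _ in range(noise_len))
        reqs.append((addr + i, bytes([code_byte]) + noise))
    return reqs


def per_packet_detection(reqs):
    """What packet-by-packet inspection sees: (any header alarm, best DPI score)."""
    return (any(header_alarm(a) for a, _ in reqs),
            max(matches(p) for _, p in reqs))


def shadow_detection(reqs, b):
    """Shade-style detection: mirror each write, scan the padded area, and keep
    the best score seen at any point of the transfer."""
    shadow, best = ShadowMemory(), 0
    for addr, payload in reqs:
        shadow.write(addr, payload)
        best = max(best, matches(shadow.scan_area(addr, len(payload), b)))
    return best


if __name__ == "__main__":
    scenarios = [
        ("plain injection", plain_injection(0x1100)),
        ("data execution", plain_injection(0x4100)),
        ("data exec + frag/noise", fragment_with_noise(0x4100, 64)),
    ]
    print("signature n-grams:", len(SIGS))
    for name, reqs in scenarios:
        hdr, dpi = per_packet_detection(reqs)
        print(f"{name:24s} header={hdr!s:5s} dpi={dpi:2d} "
              f"shadow(b=0)={shadow_detection(reqs, 0):2d} "
              f"shadow(b=4)={shadow_detection(reqs, 4):2d} "
              f"shadow(b=32)={shadow_detection(reqs, 32):2d}")
```

Reading the output: the plain injection trips both the header signature and the payload scan; writing the same code into the data block defeats the header signature but not the payload scan; fragmenting it with noise defeats both, yet the shadow scan recovers all 17 signature n-grams once the last fragment lands, provided the boundary b is at least the code length (here b=32), while b=4 only ever sees five contiguous code bytes and b=0 degenerates to per-packet inspection. That dependence on b is the effect the scan boundary performance slide measures.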

SLIDE 15

Features


[Figure: feature spectrum from low semantic to high semantic. Low semantic: N-gram, Entropy. Partial Decompilation: Opcode, Rung. High semantic: Full Decompilation.]

SLIDE 16

Full Decompilation

a) Low-level code of control logic:
7c 1c 23 04 7c 8c fc e6 72 00 00 f6 73 26 00 fc ea 72 3e 00
(annotated in the figure as: XIC I0.1 AND XIC I0.8 | OTE M1 | end of rung | XIC M307 | OTE M498 | end of rung)

b) Decompiled code:
Rung 0: XIC I0.1 AND XIC I0.8 → OTE M1
Rung 1: XIC M307 → OTE M498

SLIDE 17

Partial Decompilation

a) Low-level code of control logic:
00 00 8d 9a 20 00 e4 00 00 01 bc 4f 00 00 e8 00 0a 04 da 4f 0d 00 58 01 0a 00 96 04 ce 4f 00 00 00 00 be f7 16 00 e4 00 0a 04 ce 4f 0e 00 bc 00 01 03 cc 4f 03 00
(annotated in the figure as: Rung start, Rung size, XIC, File No. (0x04: timer), Byte Address, Bit Offset, XIO, XIC, TON, OTE; the highlighted bytes are those which can't be decompiled without the configuration block)

b) Partially decompiled code:
Rung 0: XIC I1:[bc4f]/0 AND XIO T4:[da4f]/DN → TON T4:[ce4f]/0
Rung 1: XIC T4:[ce4f]/TT → OTE B3:[cc4f]/3

SLIDE 18

Partial Decompilation - missing info


Timer instruction: CE 4F (offset in LADDER) - CE 4F (base address of the timer file in CONFIG) = 0x00, i.e. the timer element T4:0. The base address lives in the configuration block, so the element number cannot be resolved from the ladder bytes alone.
. . .

SLIDE 19

Shadow Memory Results


[Tables: shadow memory detection results for Modicon M221 and Micrologix 1400]

SLIDE 20

Scan Boundary b Performance


[Figures: detection performance as a function of the scan boundary b; Modicon M221 - L4gram, Micrologix 1400 - #8gram]

SLIDE 21

Conclusion

  • Data Execution attack is possible on programmable logic controllers
  • Fragmentation and Noise Padding attack is possible on ICS protocols
  • Signature and anomaly approaches are vulnerable to these attacks
  • Shadow PLC memory scanning
    • can detect control logic transfer
    • is resilient to Data Execution and Fragmentation and Noise Padding attacks


SLIDE 22

Questions?

Irfan Ahmed iahmed3@vcu.edu Virginia Commonwealth University
