Testing security of CPS with Formal Methods: Application (in progress) to industrial protocols, IoS & IoT (slide deck)


SLIDE 1

Testing security of CPS with Formal Methods Application (in progress) to industrial protocols IoS & IoT

Roland Groz, Jean-Luc Richier, Maxime Puys, Laurent Mounier

Univ. Grenoble Alpes, LIG/Vasco + Vérimag/PACSS

Kobe – Université Grenoble-Alpes Workshop

SLIDE 2

Industrial systems & security

• Hot topic since Stuxnet (Iran 2009)
  ◦ Even military-nuclear protected industrial sites can be damaged by cyberattacks
    ▪ ~1000 centrifuges destroyed
• Significant attacks (before and) after Stuxnet
  ◦ E.g.: Ukraine blackout (2015), German steel plant, Finland heating breakdown…
• Protection becoming a priority for government agencies (France: ANSSI, LPM 2013, OIV)

SLIDE 3

Testing for security (LIG)

• Goal: early detection of vulnerabilities (security flaws) in systems
• Approach: based on models, Model-Driven Engineering (MDE) and Model Based Testing (MBT), with Formal Methods
• Main techniques:
  ◦ Model learning, reverse engineering
  ◦ Model checking and analysis
  ◦ Test generation, fuzzing

SLIDE 4

Past and current projects

• European: Diamonds, SPaCIoS
  ◦ + many national projects
• Application domains:
  ◦ Internet of Services (web applications)
  ◦ Communication protocols
  ◦ Transport systems (automotive, aerospace, rail)
  ◦ Industrial systems, CPS

SLIDE 5

Industrial (&IoT) vs Business IT

• Security priorities differ from IT
  ◦ IT: Confidentiality > Authentication > Integrity > Availability
  ◦ Industrial: Availability > Integrity > Authentication > Confidentiality
  ◦ IoT: domain dependent, e.g. Integrity > Availability > Confidentiality
• Long lived, hard to patch, legacy (more so for industrial, less for IoT)
• Proprietary protocol implementations (IoT as well)
• Real-time
• Cyber Physical Systems (physical/vital hazards)

SLIDE 6

SCADA (Supervisory Control and Data Acquisition)

• SCADA controls variable Motor Status on PLC (Programmable Logic Controller)

SLIDE 7

Industrial Communication Protocols

• MODBUS (1979)
  ◦ Mostly read/write PLC variables (+config…)
  ◦ No security: no authentication, integrity or confidentiality in the protocol
• OPC-UA (2006)
  ◦ Open Platform Communications, Unified Architecture
  ◦ Complex standard (978 pages)
  ◦ Provisions for security
    ▪ Signed or encrypted messages
    ▪ OPC-UA SecureConversation (similar to TLS, with a handshake)

SLIDE 8

Current responses to threats

• Legal requirements on companies: risk analysis, human and technical measures
• Zoning: data diodes, firewalls for ICS protocols…
• Intrusion Detection Systems & IPS
  ◦ Multiple systems (cf. hierarchical distributed structure)
• Research: advanced IDS/IPS, vulnerability detection in protocol specs & implementations

SLIDE 9

LIG security projects for SCADA

• ARAMIS (PIA)
  ◦ Isolation device (~firewall based on protocol break: no packet crosses untouched)
• SACADE (ASTRID)
  ◦ SCADA platform for detecting and playing attacks
• SRED (PIAVE)
  ◦ Intrusion detection for electric distribution

SLIDE 10

ARAMIS security gateway

• Deep Packet Inspection
• Rewriting packet contents, with protocol-specific rules
• Physically separated processors
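As an added example (not ARAMIS code), here is what protocol-specific inspection and rewriting looks like for Modbus TCP, the protocol slide 7 notes has no security: a frame carries no authentication, so a gateway can only reason about function codes, register addresses and values. The register map, policy and sample frames are constructed for the example; the framing itself follows the standard MBAP header layout.

```python
"""Modbus TCP framing plus a protocol-aware gateway filter (added example).

Not ARAMIS code: it illustrates deep packet inspection with protocol-specific
rewriting rules for a protocol that has no authentication at all. The register
map, policy and sample frames are constructed for this example.
"""
import struct

# Standard Modbus function codes handled here
FC_READ_HOLDING = 0x03
FC_WRITE_SINGLE = 0x06
FC_WRITE_MULTI = 0x10


def build_adu(txid, unit, fc, payload):
    """MBAP header (transaction id, protocol id 0, length, unit id) + PDU.
    The length field counts the unit id byte plus the PDU. Nothing in the
    frame identifies or authenticates the sender."""
    pdu = bytes([fc]) + payload
    return struct.pack(">HHHB", txid, 0, len(pdu) + 1, unit) + pdu


def parse_adu(frame):
    """Decode the MBAP header and the request PDUs used in this example."""
    txid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("malformed MBAP header")
    fc, body = frame[7], frame[8:]
    req = {"txid": txid, "unit": unit, "fc": fc}
    if fc == FC_READ_HOLDING:
        req["addr"], req["count"] = struct.unpack(">HH", body[:4])
    elif fc == FC_WRITE_SINGLE:
        req["addr"], req["value"] = struct.unpack(">HH", body[:4])
    elif fc == FC_WRITE_MULTI:
        addr, qty, nbytes = struct.unpack(">HHB", body[:5])
        req["addr"] = addr
        req["values"] = list(struct.unpack(">%dH" % qty, body[5:5 + nbytes]))
    return req


# Constructed policy for the example PLC: registers 0x0100..0x010F hold
# configuration that must never be written from the supervision network;
# register 0x0020 is a speed setpoint that is clamped to a safe range.
READ_ONLY = range(0x0100, 0x0110)
CLAMP = {0x0020: (0, 1500)}


def filter_request(frame):
    """Gateway decision for one request: ('allow' | 'drop' | 'rewrite', frame).
    Writes touching protected registers are dropped, out-of-range setpoints
    are rewritten to the nearest allowed value, and function codes the
    gateway does not understand never cross it."""
    req = parse_adu(frame)
    fc = req["fc"]
    if fc == FC_READ_HOLDING:
        return "allow", frame
    if fc == FC_WRITE_SINGLE:
        if req["addr"] in READ_ONLY:
            return "drop", None
        lo, hi = CLAMP.get(req["addr"], (0, 0xFFFF))
        clamped = min(max(req["value"], lo), hi)
        if clamped != req["value"]:
            payload = struct.pack(">HH", req["addr"], clamped)
            return "rewrite", build_adu(req["txid"], req["unit"], fc, payload)
        return "allow", frame
    if fc == FC_WRITE_MULTI:
        touched = range(req["addr"], req["addr"] + len(req["values"]))
        if any(a in READ_ONLY for a in touched):
            return "drop", None
        return "allow", frame
    return "drop", None


if __name__ == "__main__":
    # Constructed request: write 5000 to the speed setpoint of unit 1
    frame = build_adu(1, 1, FC_WRITE_SINGLE, struct.pack(">HH", 0x0020, 5000))
    verdict, out = filter_request(frame)
    print(verdict, parse_adu(out))
```

The rewrite branch is the point of the "protocol break" design: the downstream PLC only ever sees a frame the gateway rebuilt from parsed fields, so malformed or oversized frames cannot be passed through verbatim. Note that a multi-register write is checked against every address it touches, not just its start address.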

SLIDE 11

SACADE

• Started 2017
• Investigating attack scenarios against PLCs
• Special focus on scenarios combining distribution and encapsulation:
  ◦ Payload recombined from multiple encapsulated sources

SLIDE 12

Focus: encapsulation+distrib

Encapsulation: the payload is legal at every protocol level, so it escapes protocol filtering.

Distribution: the harmful behaviour is obtained by combining several legal commands coming from distributed sources, so no single command (and no single source) looks suspicious.

SLIDE 13

Examples of attack elements

• Playing on protocol levels
  ◦ Data injection to move towards dangerous states
  ◦ Device reconfiguration
  ◦ Combining reconfiguration followed by injection
• Timing dependence
  ◦ Commands sent in transient states of the CPS
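The distribution and timing elements above are easiest to see on a small process model. The following is an added example, not code from SACADE or the G-ICS platform: a per-command filter accepts every write on its own, and only a monitor that replays the writes on a copy of the PLC state, with a notion of physical time, catches the combination and the command sent during a transient state. The variables, policy and scenario are constructed.

```python
"""Stateful process monitor for distributed-command attacks (added example).

Not SACADE code: it shows why a per-command filter cannot catch the
'distribution' scenario described above. Every write passes a per-variable
range check on its own; only the combined PLC state, or the moment at which
a command arrives, violates the safety property. The process model,
variables, policy and scenario are constructed for this example.
"""
from dataclasses import dataclass, field

# Constructed PLC variables: a pump feeding a line with a downstream valve.
INITIAL = {"pump_run": 0, "valve_open": 1, "speed_sp": 0}
MAX_SPEED = 1500
RAMP_TICKS = 3  # the process is transient for 3 control cycles after a pump start

# Per-command policy of the kind a protocol-aware firewall enforces:
# each variable is writable and range-checked in isolation.
ALLOWED = {"pump_run": (0, 1), "valve_open": (0, 1), "speed_sp": (0, MAX_SPEED)}


def command_legal(var, value):
    """Stateless check a firewall could apply to a single write."""
    lo, hi = ALLOWED.get(var, (None, None))
    return lo is not None and lo <= value <= hi


@dataclass
class ProcessMonitor:
    """Monitor synthesized from the process model: it replays accepted writes
    on a copy of the PLC state and checks the safety property after each one."""
    state: dict = field(default_factory=lambda: dict(INITIAL))
    ramp_left: int = 0
    alerts: list = field(default_factory=list)

    def tick(self):
        """One control cycle of physical time elapses."""
        if self.ramp_left > 0:
            self.ramp_left -= 1

    def safe(self):
        # Safety property: the pump never runs against a closed valve.
        return not (self.state["pump_run"] == 1 and self.state["valve_open"] == 0)

    def apply(self, src, var, value):
        prev = dict(self.state)
        if var == "pump_run" and value == 1 and prev["pump_run"] == 0:
            self.ramp_left = RAMP_TICKS  # a pump start opens a transient window
        elif var == "speed_sp" and self.ramp_left > 0:
            self.alerts.append(f"{src}: setpoint change while the pump is ramping up (transient state)")
        self.state[var] = value
        if not self.safe():
            self.alerts.append(f"{src}: {var}={value} leaves the pump running against a closed valve (was {prev})")
        return self.safe()


def run_scenario(events):
    """events: ('tick',) or ('write', source, variable, value). Returns the alerts."""
    mon = ProcessMonitor()
    for ev in events:
        if ev[0] == "tick":
            mon.tick()
        else:
            _, src, var, value = ev
            if command_legal(var, value):
                mon.apply(src, var, value)
            else:
                mon.alerts.append(f"{src}: {var}={value} dropped by the per-command filter")
    return mon.alerts


# Constructed scenario: two supervision stations, each sending only commands
# that the per-command filter accepts.
DISTRIBUTED_ATTACK = [
    ("write", "scada-A", "pump_run", 1),     # legal on its own
    ("write", "scada-B", "speed_sp", 1200),  # legal on its own, but during ramp-up
    ("tick",), ("tick",), ("tick",),
    ("write", "scada-B", "valve_open", 0),   # legal on its own, unsafe combined
]

if __name__ == "__main__":
    for alert in run_scenario(DISTRIBUTED_ATTACK):
        print(alert)
```

Two things matter for a deployment of this idea: the monitor must see every channel that can reach the PLC (a command arriving over a non-monitored interface is exactly the IDS bypass discussed on slide 20), and the transient-state rule needs the process time base, which is why the monitor is driven by control-cycle ticks rather than by message arrival alone.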

SLIDE 14

Experimental Platform (Grenoble)

[Diagram: execution platform G-ICS; a hierarchical architecture model, security properties and functional properties feed test generation, static analysis and monitor synthesis; the resulting monitors and an attack library run on the platform.]

SLIDE 15

Model Based analysis to detect vulnerabilities in protocol implementations

• Previous work for vulnerability detection
  ◦ SPaCIoS: tool box for vulnerabilities in IoS (Internet of Services: web applications)
    ▪ Based on models of cryptographic protocols + model checking, model based testing, model inference…
  ◦ KameleonFuzz: smart fuzzing
    ▪ Based on a protocol model and a grammar

SLIDE 16

SPaCIoS tool

• Modelling with
  ◦ ASLan++
• Models can be retrieved
  ◦ From source code (jModex)
  ◦ By black box testing (SIMPA)

[Figure: the SPaCIoS Tool. A model of the System Under Validation (SUV) is obtained by model inference and adjustment (black box) or by source-based inference from SUV source code, guided by the security analyst; libraries of vulnerabilities, attack patterns, security goals and attacker models drive property-driven and vulnerability-driven test case generation; abstract execution traces are concretized through test drivers and test stubs against the SUV; test results feed trace-driven fault localization, which reports a fault location in the user interface.]

SLIDE 17

WP 3: Validation techniques

Objectives:
  • model checking
  • property-driven testing
  • vulnerability-driven testing
  • bridge components

Results: working prototypes of (and more)
  • Model inference: SIMPA
  • Model extraction: jModex
  • Mutation-based testing: SPaCiTE
  • Instrumentation-based testing: IBT
  • LTL separation for testing: Fred
  • Low-level attacker models: Vera
  • Fuzzing: KameleonFuzz & SVCov

WP 4: SPaCIoS Tool, validation methodology patterns

Results:
  • SPaCIoS Tool released
  • Validation methodology patterns & tutorials

[Figure: the SPaCIoS Tool as on slide 16 (user interface, test execution engine, libraries, model inference, test case generation, fault localization), plus the model-checking flow: SUV model + property → model checker → attack trace → real system.]

SLIDE 18

KameleonFuzz overview (26/02/18)

• A. Inferring the SUT state model
• B. Approximate taint dataflow
  ◦ taint inputs
  ◦ infer taint in outputs
  ◦ annotate the model
• C. Evolutionary fuzzing (evolutionary algorithm: if a new page or state is discovered, evolve the inputs)
  ◦ C.1. Malicious inputs generation: generate inputs
  ◦ C.2. Precise taint dataflow: attack successful?
• D.

SLIDE 19

Other approach: test patterns

19

slide-20
SLIDE 20

Back to SCADA & CPS security

• Weak protocols => attacks are easily found
• The difficulties lie in concretization
  ◦ Bypassing the security architecture
    ▪ firewalls, through encapsulation & multiple interfaces
    ▪ IDS, through non-monitored channels
  ◦ Dealing with proprietary, undocumented protocols and features
• Are the methods above too sophisticated for this setting?

SLIDE 21

THANK YOU FOR YOUR ATTENTION.

Contact: Roland.Groz@univ-grenoble-alpes.fr Professor at Grenoble INP Ensimag

SLIDE 22

BACKUP SLIDES

SLIDE 23

Architecture of Industrial Control Systems

SLIDE 24

Project: call for projects on SCADA security (AAP sécurité SCADA), 21/10/2013 – V1

Generic SCADA architecture to be secured (draft, "Schéma d'architecture SCADA.VSD", Atos Worldgrid)

[Diagram: zoned reference architecture, "surface reduction - zoning"]
• Level 0: sensors / actuators, processes
• Level 1, automation zones: PLCs, concentrators / aggregators, RTUs, smart sensors / meters, Ethernet TCP/IP. PLC protocols: OPC UA, Modbus TCP, vendor-specific protocols over TCP or UDP; administration service flows, FTP…
• Level 2, SCADA zones: SCADA servers, control rooms, SCADA stations and thick clients, SCADA hypervisor, business databases / historian, system administration / logs / accounting, event monitoring / correlation; many internal SCADA protocols plus standard ones (OPC UA, others); other automation zones and other local or remote SCADA systems
• Level 3, business hypervision zone: business consultation workstations, ERP (SAP), central archiving, external data feeds (Boursorama, Météo France)
• Isolation zone "DMZ" (external and internal DMZ): relay / proxy, FW n°1 / FW n°2, VPN, admin / log firewall, anti-virus server, deposit / publication servers, trust domain
• Remote maintenance of infrastructures, cut-off point (Point Coupure); trusted sites; external site / enterprise, national / local enterprise
• Network equipment: switches etc., firewall, IPS/IDS, data diode
• Legend: RTU = Remote Transmission Unit (as labelled on the slide); "Serv" = server

SLIDE 25

ARAMIS

SLIDE 26

Low-level attacker models: Vera

[Figure: Vera flow on top of the SPaCIoS Tool: attacker model library → instantiation library → concrete attack trace → real system → vulnerabilities? The underlying SPaCIoS Tool diagram is the one on slide 16.]

SLIDE 27

KameleonFuzz

[Figure: KameleonFuzz flow on top of the SPaCIoS Tool: inferred tainted model → attack input grammar → genetic fuzzing → real system (interactions with the system) → vulnerabilities? The underlying SPaCIoS Tool diagram is the one on slide 16.]

SLIDE 28

KameleonFuzz overview: C. Evolutionary Fuzzing

• A. Inferring the SUT state model
• B. Approximate taint dataflow: taint inputs, infer taint in outputs, annotate the model
• C. Evolutionary fuzzing
  ◦ Attack input grammar
  ◦ Mutation & crossover
  ◦ Fitness & test verdict
  ◦ C.1. Malicious inputs generation: generate inputs
  ◦ C.2. Precise taint dataflow: attack successful?
  ◦ Evolutionary algorithm: if a new page or state is discovered, evolve the inputs
• D.

SLIDE 29

Attack Input Grammar

• Payload production rules: several realistic payloads
• Anti-filter production rules: the SUT filters considered
• Browser-specific string transformations
• Sets of attack vectors (possibly structured), from hacker sources (Shazzer …)

SLIDE 30

Mutation (at input param. value)


SLIDE 31

Crossover (at input param. value)
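The attack input grammar (slide 29), the mutation and crossover operators on a parameter value (slides 30 and 31) and the "attack successful?" verdict of the overview on slides 18 and 28 fit together in one small loop. The following is an added example in the style of KameleonFuzz, not the tool's code: the toy web handler, its single-pass blacklist filter, the grammar and the browser-approximating oracle are all constructed here.

```python
"""Grammar-driven evolutionary fuzzing in the style of KameleonFuzz (added
example, not the tool's code). The toy web handler, its blacklist filter,
the attack grammar and the fitness oracle are all constructed here.
"""
import random
import re

FILTER = re.compile(r"<script|onerror|javascript:", re.I)


def sut(name):
    """Toy web handler: strips blacklisted tokens in a single pass and
    reflects the result into the page (the classic broken sanitizer)."""
    return "<p>Hello " + FILTER.sub("", name) + "</p>"


def reflected(name):
    """Taint sink: the part of the response that came from the input."""
    return sut(name)[len("<p>Hello "):-len("</p>")]


# Attack input grammar: payload production rules combined with anti-filter
# production rules, i.e. string transformations aimed at the filters the
# SUT is assumed to have.
PAYLOADS = [
    "<script>alert(1)</script>",
    "<img src=x onerror=alert(1)>",
    '<a href="javascript:alert(1)">x</a>',
]
ANTI_FILTERS = [
    lambda s: s,                                          # identity
    lambda s: s.replace("<script", "<scr<scriptipt"),     # survives a single-pass strip
    lambda s: s.replace("javascript:", "java\tscript:"),  # tab inside the scheme
    lambda s: s.upper(),                                  # case variation
    lambda s: "\"'>" + s,                                 # break out of an attribute
]

# Oracle approximating a browser: would the reflected fragment execute?
# This plays the role of the precise taint dataflow step ("attack successful?").
EXEC = re.compile(r"<script>|onerror=|href=\"java\s*script:", re.I)


def is_exploit(ind):
    return EXEC.search(reflected(ind)) is not None


def fitness(ind):
    """1.0 for a confirmed exploit; otherwise partial credit for how much of
    the input survives the filter (approximate taint), which keeps promising
    individuals in the population."""
    if is_exploit(ind):
        return 1.0
    return 0.5 * len(reflected(ind)) / max(len(ind), 1)


def generate():
    return random.choice(ANTI_FILTERS)(random.choice(PAYLOADS))


def mutate(ind):
    """Mutation at the parameter value: apply one more anti-filter rule."""
    return random.choice(ANTI_FILTERS)(ind)


def crossover(a, b):
    """Single-point crossover of two parameter values."""
    return a[:random.randrange(1, len(a))] + b[random.randrange(1, len(b)):]


def evolve(generations=200, pop_size=8, seed=1):
    """Genetic loop: keep the fittest half, breed and mutate the rest, and add
    two fresh individuals per generation so the search cannot stall."""
    random.seed(seed)
    pop = [generate() for _ in range(pop_size)]
    for _ in range(generations):
        pop.sort(key=fitness, reverse=True)
        if is_exploit(pop[0]):
            return pop[0]
        parents = pop[: pop_size // 2]
        children = [mutate(crossover(random.choice(parents), random.choice(parents)))
                    for _ in range(pop_size - len(parents) - 2)]
        pop = parents + children + [generate(), generate()]
    return None


if __name__ == "__main__":
    found = evolve()
    print("exploit:", found, "->", sut(found))
```

The split between an approximate fitness (how much tainted input reaches the sink) and a precise verdict (does the fragment actually execute) is what lets the search make progress on inputs that are not yet exploits. Against a real browser the oracle would be an instrumented DOM rather than a regular expression.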

SLIDE 32

Other approach: test patterns

• Developed by FEMTO-ST & Smartesting (Besançon)
• Based on the CertifyIt tool
• "High level" test patterns based on
  ◦ Expert knowledge
  ◦ Known high-level vulnerability classes
  ◦ The tool uses test patterns to guide symbolic exploration of the model
  ◦ Patterns are unfolded by constraint solving

SLIDE 33

Language for security properties

• TOCL: Temporal OCL (Dwyer99 patterns)
• A TOCL property = Pattern + Scope
• Pattern: event ordering
  ◦ (always, never, eventually k times, precedes, follows)
• Scope: restricts the pattern to an interval
  ◦ (globally, between, after, before)
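The pattern + scope combination above is small enough to implement directly as a trace checker. The following is an added example, not the FEMTO-ST / Smartesting tooling: the scope cuts a finite trace into intervals following Dwyer's definitions, and each pattern is evaluated on every interval. The event names, traces and the two security properties are constructed.

```python
"""Pattern + scope property checking in the style of TOCL (added example;
not the FEMTO-ST / Smartesting tooling). Patterns and scopes follow Dwyer's
specification patterns; the event names, traces and properties are
constructed for this example.
"""


def segments(trace, scope, q=None, r=None):
    """Cut a finite trace (a list of event names) into the intervals the
    scope selects. 'before q' ends at the first q (exclusive), 'after q'
    starts after the first q, 'between q and r' yields every q..r interval
    (both exclusive) that is actually closed by an r."""
    if scope == "globally":
        return [trace]
    if scope == "before":
        return [trace[:trace.index(q)]] if q in trace else []
    if scope == "after":
        return [trace[trace.index(q) + 1:]] if q in trace else []
    if scope == "between":
        out, start = [], None
        for i, e in enumerate(trace):
            if e == q and start is None:
                start = i
            elif e == r and start is not None:
                out.append(trace[start + 1:i])
                start = None
        return out
    raise ValueError("unknown scope: %s" % scope)


def holds(pattern, seg, p=None, s=None, k=1):
    """Check one event-ordering pattern on one interval."""
    if pattern == "never":       # absence of p
        return p not in seg
    if pattern == "always":      # universality: every event is p
        return all(e == p for e in seg)
    if pattern == "eventually":  # existence: p occurs at least k times
        return seg.count(p) >= k
    if pattern == "precedes":    # p precedes s: no s before the first p
        return s not in seg or (p in seg and seg.index(p) < seg.index(s))
    if pattern == "follows":     # response: every p is eventually followed by s
        return all(s in seg[i + 1:] for i, e in enumerate(seg) if e == p)
    raise ValueError("unknown pattern: %s" % pattern)


def check(trace, pattern, scope, **kw):
    """TOCL-style property = pattern + scope, evaluated on one trace.
    Keyword arguments: p, s, k for the pattern; q, r for the scope.
    A scope that selects no interval makes the property vacuously true."""
    scope_kw = {key: kw.pop(key) for key in ("q", "r") if key in kw}
    return all(holds(pattern, seg, **kw) for seg in segments(trace, scope, **scope_kw))


# Constructed traces of an industrial protocol session
GOOD = ["connect", "auth_ok", "read", "write", "disconnect"]
BAD = ["connect", "write", "auth_ok", "disconnect"]   # write before authentication


def audit(trace):
    """Two constructed security properties on one session trace."""
    return {
        # never write before the client is authenticated
        "no_write_before_auth": check(trace, "never", "before", p="write", q="auth_ok"),
        # after connecting, authentication precedes any write
        "auth_precedes_write": check(trace, "precedes", "after", p="auth_ok", s="write", q="connect"),
    }


if __name__ == "__main__":
    print(audit(GOOD), audit(BAD))
```

Vacuous truth is the usual trap with scopes: a "before q" property on a trace in which q never occurs holds for every pattern, so a test campaign needs traces that actually reach the scope's delimiting events, which is what the pattern-guided symbolic exploration on slide 32 is for.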
