do as i say not as i do stealth modification of ... · pdf filestealth modification of...
If you can't read please download the document
TRANSCRIPT
DoasISaynotasIDoStealthModificationof
ProgrammableLogicControllersI/ObyPinControlAttack
ALI ABBASI
SYSSEC GROUP, RUHRUNIVERSITY BOCHUM, GERMANY& SCS GROUPUNIVERSITY OF TWENTE, NETHERLANDS
MAJ ID HASHEMI
PARIS , FRANCE
Whoweare
AliAbbasi,visitingresearcheratchairofsystemsecurityofRuhrUniversityBochumandPhDstudentatDistributedandEmbeddedSystemsSecurityGroup,UniversityofTwente,TheNetherlands.
(@bl4ckic3)
MajidHashemi,R&Dresearcher(@m4ji_d).
2
Agenda BackgroundonProcessControl Backgroundonexistingattacksanddefensesforembeddedsystems ApplicableDefensesforPLCs BackgroundonPinControl TheProblemwithPinControl Rootkitvariant Non-rootkitvariant Demo Discussions
3
Whatthistalkisabout?
ThetalkistryingtouncoverexistingdesignflawinPLCs. Theattackcanbeusedinfuturebyattackers. WearenotunveilingfullyfunctionalmalwareforPLCs. Noexploitationtechniques,no0dayleak Wearenotgoingtomentionanyvendorname.
4
IndustrialControlSystem
Physicalapplication
InformationTechnology(IT)
OperationalTechnology(OT)
5
IndustrialControlSystemhacking
Physicalapplication 6
Processcontrol101
Processcontrol
Runningupstairstoturnonyourfurnaceeverytimeitgetscoldgetstiringafterawhilesoyouautomateitwithathermostat
Setpoint
8
Controlloop
Actuators
Controlsystem
Physicalprocess Sensors
Measureprocessstate
Computescontrolcommandsfor
actuators
Adjustthemselvestoinfluence
processbehavior
9
Controlequipment
Inlargescaleoperationscontrollogicgetsmorecomplexthanathermostat
Onewouldneedsomethingbiggerthanathermostattohandleit
Mostofthetimethisisaprogrammablelogiccontroller(PLC)
10
What is a PLC?
AnEmbeddedSystemwithRTOSrunninglogic.
11
[ifinput1]AND[input2orinput11]->[dosomethinginoutput6]
IftankpressureinPLC1>1800reduceinflowinPLC3
Itisprogrammedgraphicallymostofthetime Defineswhatshould/shouldnothappen
Underwhichconditions Atwhattime YesorNoproposition
Controllogic
1. Copydatafrominputstotemporarystorage2. Runthelogic3. Copyfromtemporarystoragetooutputs
Inputs
Outputs
SensorsActuators
HowPLCWorks
Read Inputs
Logic Program
Update Outputs
Logic Variable Table (VT)
Runtime
Inputs
Outputs
Physical I/O
Read/Write I/O
Inputs from I/O
Set Points
Outputs to I/O
Read/Write VT
Usedtocomputeoutputbasedoninputsreceivedfromcontrollogic
JacquesSmutsProcessControlforPractitioners
Controlalgorithm
PID:proportional,integral,derivative mostwidelyusedcontrolalgorithmontheplanet
PIcontrollersaremostoftenused
ExistingAttacksandDefensesforEmbeddedSystemsApplicabletothePLCs
15
Current attacks against embedded systems
Authenticationbypass AttackerfindabackdoorpasswordinthePLC.
Firmwaremodificationattacks AttackeruploadnewfirmwaretothePLC
Configurationmanipulationattacks Attackermodifythelogic
ControlFlowattacks AttackerfindabufferoverfloworRCEinthePLC
HookingfunctionsforICSmalwares
16
Current defenses for embedded systems
Attestation memoryattestation
Firmwareintegrityverification Verifytheintegrityoffirmwarebeforeitsbeinguploaded
Hookdetection Codehookingdetection
Detectcodehooking
Datahookingdetection Detectdatahooking
17
DesignedforembeddeddevicesrunningmodernOS.
Nohardwaremodifications.
LimitedCPUoverhead.
Novirtualization.
Requirement for Applicable Defenses for PLCs
18
System-level protection for PLCs
TrivialDefenses: LogicChecksum Firmwareintegrityverification
Non-trivialsoftware-basedHIDSapplicabletoPLCs Doppelganger(Symbiote Defense):animplementationforsoftwaresymbiotes forembeddeddevices
AutoscopyJR:Ahostbasedintrusiondetectionwhichisdesignedtodetectkernelrootkitsforembeddedcontrolsystems
19
How Doppelganger Works
Scanthefirmwareofthedeviceforlivecoderegionsandinsertsymbiotes randomly.
1 2
TextLive Code Region 1 Live Code Region 2Symbiote1
(Checksum of Region 1)
Symbiote2 (Checksum of
Region 2)Other Memory
regions
Symbiote Manager
Breakpoint 1 Breakpoint 2
Firmware
Other Memory regions
20
How Autoscopy Jr works
TriestoDetectsfunctionhookingbylearning VerifiesthedestinationfunctionaddressandreturnswiththevaluesandaddressesinTLL(TrustedLocationList)
21
DebugRegisters
Designedfordebuggingpurpose. Functionhookinginterceptthefunctioncallandmanipulatethefunctionargument.
WeusedebugregistersinARMprocessorstointerceptmemoryaccess(Nofunctioninterception,nofunctionargumentmanipulation)
22
23
PinControl
BackgroundonPinControlPinControlsubsystem
Pinmultiplexing(type) Pinconfiguration(in/out)
Systemonchip(SoC)SystemonChip
1 2
3
Pinmultiplexing 24
PinConfiguration
InputPin readablebutnotwriteable
OutputPin readableand writeable
25
HowPLCcontrolsI/O
26
IntroducingPinControlAttack:AMemoryIllusionOperating
System/KernelMap (I/O Memory, +16bytes)
Request for mapping the physical I/O Memory
ReadPin24
Write 0/1 every 5 sec
PLC Runtime
Pin24==Input(bit==0)
Pin22==Output(bit==1)
Write register
Virtual I/O Memory (mapped)
State Register
Read register
0forbit241forbit22
0/1
1
State Register
Physical I/O Memory
Read register
Write register
0forbit241forbit22
0/1
1
map via MMU
LogicBlinkLEDevery5secinPin22if
Pin24isTrue
27
IntroducingPinControlAttack:AMemoryIllusionOperating
System/KernelMap (I/O Memory, +16bytes)
Request for mapping the physical I/O Memory
ReadPin24
Write 0/1 every 5 sec
PLC Runtime
Write register
Virtual I/O Memory (mapped)
State Register
Read register
0/1
1
State Register
Physical I/O Memory
Read register
Write register 0/1
1
map via MMU
LogicBlinkLEDevery5secinPin22if
Pin24isTrue
Pin22==Input(bit==0)0 for bit 22
0 for bit 22
Write Failure!!
Pin is in Input Mode
28
ThinkofcopyingfilestoUSBdrive
29
Similarmappingbetweenphysicalandvirtualaddresses
IfUSBdriveisremovedduringcopyoperation,OSreportsawarningback
Letslookatit.
Demo1Digital
30
NobodythoughtaboutthesameissueforPLCs
31
ShouldntthePLCruntimefailorgetterminatedbecauseofI/Ofailure?
Nope!
PLCdesignwasalwaysaboutparamountreliabilityofreal-timeexecution,HIGHup-timeandlong-termusefullifeinharshenvironmentalconditions
MaliciousmanipulationofPLCwerenotpartofdesignconsiderations:-)
Securityconcernsregardingpincontrol
Nointerruptforpinconfiguration
HowtheOSknowsaboutthemodificationofpinconfiguration? Whatifsomebodymodifiesconfigurationofapinatruntime? Byswitchinginput pinintooutput pin,itispossibletowritearbitraryvalueintoitsphysicaladdress
NoInterruptforpinmultiplexing
HowOSknowsaboutmodificationofpinmultiplexing? Whatifsomebodymultiplexapinatruntime? Bymultiplexingpinitispossibletoprevent runtimefromwriting valueintooutputpin
32
Problem statement
Whatifwecreateanattackusingpincontrolthat: Donotdofunctionhooking DonotmodifyexecutablecontentsofthePLCruntime. Donotchangethelogicfile
Obviouslyweconsiderotherdefensesavailable(e.g.logicchecksumisalsothere)
33
PinControlAttack
34
PinControlAttack
PinControlAttack: manipulatetheI/Oconfiguration(PinConfigurationAttack) manipulatetheI/O multiplexing(PinMultiplexingAttack)
PLCOSwillneverknowsaboutit.
35
Twooptionstoachievethesame
q Firstversion:rootkit Rootprivilege KnowledgeofSoC registers KnowledgeofmappingbetweenI/Opinsandthelogic
q Secondversion:C-code(shellcode) EqualprivilegeasPLCruntime KnowledgeofmappingbetweenI/Opinsandthelogic
1
2
Nofunctionhooking NomodificationofPLCruntime
executablecontent Nochangetologicfile
36
HowPinConfigurationAttackWorks?
1. Put I/O Address into Debug
register
Manipulate Read
2. Intercept Read Operation from I/O
3. Set Pin to Output Mode
4. Write Desired Value to Output
read(I/O, Pin)
Pin Control Attack actions
PLC runtime actions
read() continue....
1. Put I/O Address into Debug
register
Manipulate Write
2. Intercept Write Operation to I/O
3. Set Pin to Input (write-ignore)
write(I/O, Pin)
write() continue...
37
SimpleLogic
LetstestitwithasimpleFunctionBlockLanguageLogic.
38
SimpleLogic2
SecondLogicforarealPLC
39
40
41
Letslookatit.
Demo2Digital
42
Letslookatit.
Demo3Digital
43
APLCruntimeDynamicandStaticAnalysis
I/OMapping
LookforBaseAddresses of I/O
44
I/OAttack:Rootkit
RootkitneedsrootusertoinstallitscodeasaLoadableKernelModule(LKM).
vmalloc()allocatesourLKM.ItevadesDoppelganger. Donotdoanykindoffunctionhooking,evadesAutoscopy Jr. Can