TR-CTIT-1602 Ghost in the PLC: Stealth On-the-Fly Manipulation of Programmable Logic Controllers

Programmable Logic Controllers (PLCs) are a family of embedded devices used for physical process control. Like other embedded devices, PLCs are vulnerable to cyber attacks. Because they are used to control the physical processes of critical infrastructures, compromised PLCs constitute a significant security and safety risk. In this paper, we investigate attacks against PLCs by introducing a specific type of attack that allows the adversary to stealthily manipulate the physical process a PLC controls by tampering with the device I/O at a low level. We implemented two variants of the attack, in the form of a rootkit and of user-space malicious code, on a candidate PLC. However, in this technical edition we do not include the design information of the rootkit or of the user-space malicious software. Our study is meant to serve as a basis for the design of more robust detection techniques specifically tailored to PLCs.

1 A New Kind of Attack

In this section, we describe a new type of attack that targets PLCs. PLCs are embedded devices that form sensitive components of critical infrastructures and are used in various industrial environments to control physical processes. Because of the manner in which PLCs operate, we have identified new possible means for attackers to exploit them. We assume that one of the main goals of attacking a PLC is to manipulate the physical process by sending signals to the sensors and actuators controlled by the PLC, while simultaneously remaining undetectable to the PLC logic, the firmware, and the operators. Physical process manipulation can have serious consequences for the safety of equipment and human life. For example, an adversary may manipulate the value of the tank pressure sensors of a pressure-sensitive boiler, leading to the explosion of the boiler, or, similarly to Stuxnet, change the frequency of the variable speed drives of centrifuges in a uranium enrichment facility, leading to damage to the centrifuge cascades.
The novelty of our attack lies in the fact that, unlike other approaches [4,5,9,24,25,39], we do not modify the PLC logic instructions or the firmware in order to manipulate the physical process. Instead, we target the interaction between the firmware and the PLC I/O. This can be achieved without leveraging traditional function hooking techniques and by placing the entire malicious code in dynamic memory, thus circumventing detection mechanisms such as Autoscopy Jr. and Doppelganger. Additionally, the attack causes the PLC firmware to assume that it is interacting with the I/O as intended while, in reality, the connection between the I/O and the PLC process is being manipulated.

1.1 PLC operation

The main component of a PLC firmware is a piece of software called the runtime. The runtime software interprets or executes another program (or executable) known as the logic. The logic is a compiled form of the PLC's programming language, such as function block diagrams or ladder logic. Ladder Logic and Function Block Diagrams are graphical programming languages that describe the control process. A plant operator programs the logic and can change it when required. The logic is therefore dynamic code, whereas the runtime software is static code.

The purpose of a PLC is to control equipment, and to do so it must interact with its I/O. The first requirement for I/O interaction is to map the physical I/O addresses into memory; the drivers or the PLC runtime map the I/O memory ranges. Additionally, at the beginning of logic execution, the PLC runtime software must initialize the processor registers related to the I/O used in the logic. During this initialization, the runtime software sets the appropriate mode for each I/O pin: for example, it sets the "output" mode for I/O pins that the logic writes to, and the "input" mode for I/O pins that the logic reads from. This stage is called the I/O initialization sequence. After I/O initialization, the PLC runtime software executes the logic in every
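The I/O initialization sequence and scan cycle described in this section, as an added illustration in C that is not code from the paper or from any PLC vendor. It models a memory-mapped GPIO block with a hypothetical register layout (a direction register, an input register and an output register; constructed for this example, not that of any real SoC), a runtime that sets pin modes once before the first scan, and a scan loop that re-reads inputs, runs a stand-in logic program and drives outputs. Since the paper's goal is to motivate PLC-specific detection, the runtime also keeps a golden copy of the pin configuration taken at initialization and compares the live direction register against it at the start of every scan, refusing to execute the logic when the two diverge; the pin names, `map_io`, `io_config_check` and `simulate_dir_fault` are all assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Simulated memory-mapped GPIO block. The layout (dir/in/out) is a
 * hypothetical one constructed for this example, not a real SoC's. */
typedef struct {
    volatile uint32_t dir;  /* per-pin mode: 1 = output, 0 = input */
    volatile uint32_t in;   /* sampled input levels */
    volatile uint32_t out;  /* driven output levels */
} gpio_regs_t;

static gpio_regs_t sim_gpio;       /* stands in for the physical register page */
static gpio_regs_t *gpio = NULL;   /* set by map_io(), like a driver's mapping */

/* Pin assignment of the (hypothetical) logic program */
#define PIN_PRESSURE_HIGH (1u << 0)   /* input: pressure switch on the tank */
#define PIN_RELIEF_VALVE  (1u << 5)   /* output: relief valve actuator */

/* Golden copy of the pin configuration, recorded at I/O initialization */
static uint32_t expected_dir;

/* Step 1: map the I/O address range. On hardware this is ioremap/mmap of the
 * physical GPIO base; here it simply returns the simulated block. */
gpio_regs_t *map_io(void) {
    gpio = &sim_gpio;
    return gpio;
}

/* Step 2: the I/O initialization sequence. The runtime sets the mode of every
 * pin the logic uses before the first scan and remembers the result. */
void io_init(void) {
    if (!gpio) map_io();
    gpio->dir = 0;
    gpio->dir |= PIN_RELIEF_VALVE;    /* written by the logic -> output mode */
    gpio->dir &= ~PIN_PRESSURE_HIGH;  /* read by the logic   -> input mode  */
    gpio->out = 0;
    expected_dir = gpio->dir;         /* golden copy for the per-scan check */
}

/* Detection hook: returns 0 when the live direction register still matches
 * the initialized configuration, otherwise the mask of pins that differ. */
uint32_t io_config_check(void) {
    return gpio->dir ^ expected_dir;
}

/* Step 3: one scan cycle. Inputs are read, the logic runs, outputs are
 * written. The stand-in logic opens the relief valve when pressure is high.
 * Returns 0 on a normal scan, -1 if the I/O configuration has drifted. */
int scan_cycle(void) {
    uint32_t drift = io_config_check();
    if (drift) {
        fprintf(stderr, "I/O configuration drift on pin mask 0x%08x; logic not executed\n",
                (unsigned)drift);
        return -1;
    }
    uint32_t inputs  = gpio->in;
    uint32_t outputs = gpio->out;
    if (inputs & PIN_PRESSURE_HIGH)
        outputs |= PIN_RELIEF_VALVE;
    else
        outputs &= ~PIN_RELIEF_VALVE;
    gpio->out = outputs;
    return 0;
}

/* Helpers used by the stand-alone run and the tests */
void set_input(uint32_t mask, int level) {
    if (level) gpio->in |= mask; else gpio->in &= ~mask;
}
uint32_t get_output(void) { return gpio->out; }

/* Test hook only: flips bits of the simulated direction register to verify
 * that the per-scan check notices a configuration that no longer matches. */
void simulate_dir_fault(uint32_t mask) { gpio->dir ^= mask; }

int main(void) {
    map_io();
    io_init();
    set_input(PIN_PRESSURE_HIGH, 1);
    printf("scan=%d out=0x%02x\n", scan_cycle(), (unsigned)get_output());
    simulate_dir_fault(PIN_PRESSURE_HIGH);
    printf("scan=%d out=0x%02x\n", scan_cycle(), (unsigned)get_output());
    return 0;
}
```

The check is deliberately cheap (one XOR per scan) so that it fits a runtime's cycle budget; a real implementation would cover every register the initialization sequence touches, including the mapping itself, and would be most useful when the reference copy is kept where tampering with it is harder than tampering with the live register.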

[1] Frank Adelstein et al. Malicious code detection for open firmware. Proceedings of the 18th Annual Computer Security Applications Conference, 2002.

[2] Pradeep K. Khosla et al. SWATT: softWare-based attestation for embedded devices. IEEE Symposium on Security and Privacy, 2004.

[3] Philip Koopman et al. Embedded System Security. Computer, 2004.

[4] Vinay M. Igure et al. Security issues in SCADA networks. Comput. Secur., 2006.

[5] Zhenkai Liang et al. HookFinder: Identifying and Understanding Malware Hooking Behaviors. NDSS, 2008.

[6] Carl A. Gunter et al. Cumulative Attestation Kernels for Embedded Systems. ESORICS, 2009.

[7] Claude Castelluccia et al. Defending embedded systems against control flow attacks. SecuCode '09, 2009.

[8] Kevin Borders et al. Malnets: Large-scale Malicious Networks via Compromised Wireless Access Points. Secur. Commun. Networks, 2010.

[9] Benjamin Morin et al. What If You Can't Trust Your Network Card? RAID, 2011.

[10] Stephen E. McLaughlin. On Dynamic Malware Payloads Aimed at Programmable Logic Controllers. HotSec, 2011.

[11] Salvatore J. Stolfo et al. Defending Embedded Systems with Software Symbiotes. RAID, 2011.

[12] Vasilis Pappas et al. kBouncer: Efficient and Transparent ROP Mitigation. 2012.

[13] Patrick D. McDaniel et al. Programmable Logic Controllers. 2012.

[14] Sergey Bratus et al. Intrusion detection for resource-constrained embedded control systems in the power grid. Int. J. Crit. Infrastructure Prot., 2012.

[15] Frederik Armknecht et al. A security framework for the analysis and design of software attestation. CCS, 2013.

[16] Lui Sha et al. On-chip control flow integrity check for real time embedded systems. 2013 IEEE 1st International Conference on Cyber-Physical Systems, Networks, and Applications (CPSNA), 2013.

[17] Salvatore J. Stolfo et al. When Firmware Modifications Attack: A Case Study of Embedded Exploitation. NDSS, 2013.

[18] Juan Lopez et al. Firmware modification attacks on programmable logic controllers. Int. J. Crit. Infrastructure Prot., 2013.

[19] Claudia Eckert et al. Dynamic Hooks: Hiding Control Flow Changes within Non-Control Data. USENIX Security Symposium, 2014.

[20] Ahmad-Reza Sadeghi et al. Hardware-assisted fine-grained control-flow integrity: Towards efficient protection of embedded systems against software exploitation. 2014 51st ACM/EDAC/IEEE Design Automation Conference (DAC), 2014.

[21] Ahmad-Reza Sadeghi et al. Stitching the Gadgets: On the Ineffectiveness of Coarse-Grained Control-Flow Integrity Protection. USENIX Security Symposium, 2014.

[22] Robert H. Deng et al. ROPecker: A Generic and Practical Approach For Defending Against ROP Attacks. NDSS, 2014.

[23] Moritz Contag et al. Evaluating the Effectiveness of Current Anti-ROP Defenses. RAID, 2014.

[24] Angelos Stavrou et al. A Framework to Secure Peripherals at Runtime. ESORICS, 2014.

[25] Laura A. McNamara et al. Enhanced Mitigation Experience Toolkit (EMET): A Retrospective Case Study in Commercial Technology Adoption at Sandia National Laboratories. 2015.