Towards Automated Safety Vetting of PLC Code in Real-World Plants

Safety violations in programmable logic controllers (PLCs), caused either by faults or by attacks, have recently attracted significant attention. Prior approaches to PLC code vetting, however, have serious drawbacks. Static analysis and verification produce many false positives and cannot reveal the specific runtime context in which a violation occurs. Dynamic analysis and symbolic execution, on the other hand, cannot cope with real-world PLC programs, which are event-driven and timing-sensitive. In this paper we propose VetPLC, a temporal-context-aware, program-analysis-based approach that produces timed event sequences for automatic safety vetting. To this end we (a) statically analyze PLC code to build timed event causality graphs that capture the causal relations among its events, and (b) mine temporal invariants from data traces collected in Industrial Control System (ICS) testbeds to quantify the temporal dependencies imposed by machine operations. Our VetPLC prototype is implemented in 15K lines of code. We evaluate it on 10 real-world scenarios from two different ICS settings. Our experiments show that VetPLC outperforms state-of-the-art techniques and generates event sequences that can be used to automatically detect hidden safety violations.
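The two ingredients the abstract names, a statically derived causality graph and trace-mined temporal invariants, can be sketched in a few dozen lines. The block below is an added illustration written for this page, not VetPLC's own code or algorithm: the toy rung syntax, the event names, the constructed traces, the pair-wise delay-bound invariant and the response-time requirement are all assumptions. It shows the point the abstract makes about the two analyses complementing each other: the static pass alone says Motor_On may follow Estop (it reads NOT Estop), which a purely static checker would report, while the mined invariants prune that edge and instead expose a real timing violation (Motor_Off arriving 600 ms after Estop against a 500 ms requirement).

```python
"""Added illustration, not taken from VetPLC: (a) a static pass over a toy PLC
program yields causal edges, (b) temporal invariants are mined from constructed
traces, (c) the two are combined into timed event sequences that are vetted
against a response-time requirement. Rung syntax, names, timings and the
requirement are assumptions made for this example."""
import re
from collections import defaultdict

# Assumed toy program in a Structured-Text-like "output := expression;" form.
TOY_PLC = """
Motor_On     := Start_Btn AND NOT Estop;
Conveyor_Run := Motor_On AND Item_Present;
Motor_Off    := Estop OR Jam_Sensor;
Alarm        := Jam_Sensor;
"""

# Constructed traces of (ms since run start, event), as a testbed logger might emit.
TRACES = [
    [(0, "Start_Btn"), (20, "Motor_On"), (500, "Item_Present"), (530, "Conveyor_Run"),
     (2000, "Jam_Sensor"), (2010, "Alarm"), (2040, "Motor_Off")],
    [(0, "Start_Btn"), (25, "Motor_On"), (300, "Item_Present"), (320, "Conveyor_Run"),
     (1500, "Estop"), (1520, "Motor_Off")],
    [(0, "Start_Btn"), (18, "Motor_On"), (800, "Estop"), (1400, "Motor_Off")],
]

RUNG_RE = re.compile(r"^\s*(\w+)\s*:=\s*(.+?);\s*$", re.M)
OPERATORS = {"AND", "OR", "NOT"}


def causality_edges(program):
    """Static pass: every variable read by a rung may cause that rung's output.
    Polarity (NOT Estop) is ignored, so the graph over-approximates."""
    edges = defaultdict(set)
    for out, expr in RUNG_RE.findall(program):
        for var in re.findall(r"\w+", expr):
            if var not in OPERATORS:
                edges[var].add(out)
    return dict(edges)


def mine_delay_invariants(traces):
    """For each ordered pair (a, b): if b occurs after a in every trace that
    contains a, record the (min, max) observed delay in ms as a temporal invariant."""
    delays = defaultdict(list)
    traces_with = defaultdict(int)
    for trace in traces:
        first = {}
        for t, ev in trace:
            first.setdefault(ev, t)  # first occurrence of each event per run
        for a, ta in first.items():
            traces_with[a] += 1
            for b, tb in first.items():
                if a != b and tb > ta:
                    delays[(a, b)].append(tb - ta)
    return {pair: (min(d), max(d)) for pair, d in delays.items()
            if len(d) == traces_with[pair[0]]}


def timed_sequences(edges, invariants, start, max_len=5):
    """Walk the causal graph from `start`, keeping only edges the traces confirm,
    and annotate each step with its mined delay bound. Returns maximal paths."""
    paths = []

    def walk(path):
        last = path[-1][0]
        seen = {e for e, _ in path}
        nxts = [n for n in sorted(edges.get(last, ()))
                if (last, n) in invariants and n not in seen]
        if not nxts or len(path) >= max_len:
            paths.append(path)
            return
        for n in nxts:
            walk(path + [(n, invariants[(last, n)])])

    walk([(start, (0, 0))])
    return paths


def vet(edges, invariants, trigger, response, deadline_ms):
    """Requirement: after `trigger`, `response` must occur within `deadline_ms`.
    Flags sequences whose worst-case (summed max) delay to `response` exceeds it,
    or reports `response` unreachable if no sequence ever produces it."""
    findings, reached = [], False
    for seq in timed_sequences(edges, invariants, trigger):
        worst = 0
        for ev, (_, hi) in seq:
            worst += hi
            if ev == response:
                reached = True
                if worst > deadline_ms:
                    findings.append(("late", [e for e, _ in seq], worst))
                break
    if not reached:
        findings.append(("unreachable", [trigger, response], None))
    return findings


if __name__ == "__main__":
    edges = causality_edges(TOY_PLC)
    inv = mine_delay_invariants(TRACES)
    print("static successors of Estop:", sorted(edges["Estop"]))  # includes Motor_On
    for seq in timed_sequences(edges, inv, "Estop"):
        print("timed sequence:", seq)
    for finding in vet(edges, inv, "Estop", "Motor_Off", 500):
        print("violation:", finding)
```

The invariant used here (an ordering that holds in every run, with its observed delay range) is deliberately simple; a real tool would need to handle repeated events, concurrent branches and scan-cycle jitter, and would derive the graph from the actual IL or ladder semantics rather than from a regular expression.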
