PAtt: Physics-based Attestation of Control Systems

Ensuring the integrity of embedded programmable logic controllers (PLCs) is critical for the safe operation of industrial control systems. In particular, a cyber-attack could manipulate the control logic running on the PLCs to bring the process of a safety-critical application into unsafe states. Unfortunately, PLCs are typically not equipped with hardware support that allows the use of techniques such as remote attestation to verify the integrity of the logic code. In addition, so far remote attestation is not able to verify the integrity of the physical process controlled by the PLC.

In this work, we present PAtt, a system that combines remote software attestation with control process validation. PAtt leverages operation permutations—subtle changes in the operation sequences based on integrity measurements—which do not affect the physical process but yield unique traces of sensor readings during execution. By encoding integrity measurements of the PLC's memory state (software and data) into its control operation, our system allows the integrity of the control logic to be verified remotely based on the resulting sensor traces. We implement the proposed system on a real PLC controlling a robot arm and demonstrate its feasibility. Our implementation enables the detection of attackers that manipulate the PLC logic to change the process state and/or report spoofed sensor readings (with an accuracy of 97% against the tested attacks).
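
The following is an added illustration of the operation-permutation idea, not code from the PAtt paper or its authors: it assumes a hypothetical PLC whose four arm moves are order-independent, derives the move order from a nonce-bound hash of the PLC memory image (the paper's actual encoding is not described here), and lets the verifier recompute that order from its known-good image. The memory images and nonces are constructed sample data.

```python
import hashlib
from math import factorial
from typing import List, Sequence

# Constructed sample data (not from the paper): a known-good PLC memory image
# and a tampered copy in which one instruction of the control logic was changed.
GOLDEN_IMAGE = b"PLC logic v1: move arm A->B->C->D; check limit switch"
TAMPERED_IMAGE = b"PLC logic v1: move arm A->B->C->D; skip  limit switch"
OPERATIONS = ["move_to_A", "move_to_B", "move_to_C", "move_to_D"]


def unrank_permutation(rank: int, items: Sequence[str]) -> List[str]:
    """Return the rank-th permutation of items (Lehmer code, factorial number system)."""
    pool = list(items)
    rank %= factorial(len(pool))
    out = []
    for i in range(len(pool), 0, -1):
        idx, rank = divmod(rank, factorial(i - 1))
        out.append(pool.pop(idx))
    return out


def integrity_measurement(memory_image: bytes, nonce: bytes) -> bytes:
    """Hash of the PLC memory state, bound to the verifier's fresh nonce."""
    return hashlib.sha256(nonce + memory_image).digest()


def operation_order(memory_image: bytes, nonce: bytes, ops: Sequence[str]) -> List[str]:
    """Encode the measurement as a permutation of the order-independent operations."""
    rank = int.from_bytes(integrity_measurement(memory_image, nonce)[:8], "big")
    return unrank_permutation(rank, ops)


def plc_run(memory_image: bytes, nonce: bytes) -> List[str]:
    """Prover side (hypothetical PLC): execute the moves in the order its own memory dictates.
    Here the trace is the move sequence itself; in PAtt it is inferred from sensor readings."""
    return operation_order(memory_image, nonce, OPERATIONS)


def verify_trace(observed: Sequence[str], nonce: bytes) -> bool:
    """Verifier side: recompute the expected order from the golden image and compare."""
    return list(observed) == operation_order(GOLDEN_IMAGE, nonce, OPERATIONS)


if __name__ == "__main__":
    nonce = b"\x01\x02\x03\x04"  # constructed; must be fresh for every attestation round
    print("untampered:", verify_trace(plc_run(GOLDEN_IMAGE, nonce), nonce))
    print("tampered:  ", verify_trace(plc_run(TAMPERED_IMAGE, nonce), nonce))
    # A trace recorded under an earlier nonce and replayed also fails (with high probability).
    print("replayed:  ", verify_trace(plc_run(GOLDEN_IMAGE, b"old-nonce"), nonce))
```

With only four orderable operations there are 24 distinct traces, so a tampered or replayed run still matches by chance with probability 1/24; the number of permutable operations bounds how many measurement bits a single trace can carry, which is why a verifier would repeat rounds with fresh nonces.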
