Orpheus: Enforcing Cyber-Physical Execution Semantics to Defend Against Data-Oriented Attacks

Recent studies have revealed that control programs running on embedded devices suffer from both control-oriented attacks (e.g., code-injection or code-reuse attacks) and data-oriented attacks (e.g., non-control-data attacks). Unfortunately, existing detection mechanisms are insufficient to detect runtime data-oriented exploits, because they do not check runtime execution semantics. In this work, we propose Orpheus, a security methodology for defending against data-oriented attacks by enforcing cyber-physical execution semantics. We address several challenges in reasoning about the cyber-physical execution semantics of a control program, including event identification and dependence analysis. As an instantiation of Orpheus, we present a new program behavior model, the event-aware finite-state automaton (eFSA). eFSA takes advantage of the event-driven nature of control programs and incorporates event checking in anomaly detection: it detects data-oriented exploits when the observed physical events and eFSA's state transitions are inconsistent. We evaluate our prototype's performance by conducting case studies under data-oriented attacks. Results show that eFSA can successfully detect different runtime attacks. Our prototype on Raspberry Pi incurs a low overhead, taking 0.0001s for each state-transition integrity check and 0.063s to 0.211s for each cyber-physical contextual-consistency check.
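The two-stage check the abstract describes, state-transition integrity followed by cyber-physical contextual consistency, can be illustrated with a small event-aware automaton. The following is an added example written for this page, not the Orpheus prototype or any code from the paper; the heater-control states, the `temp_below_setpoint` event, and the trace format (each step paired with the set of physical events an independent monitor verified) are assumptions made for the illustration. It shows why a data-oriented attack that corrupts a sensor variable passes a plain automaton check (the path is legal) but fails the event check (no physical event justifies the branch), while a control-flow hijack fails the transition check itself.

```python
"""Toy event-aware finite-state automaton (eFSA) in the spirit of the Orpheus
abstract. Added illustration, not the paper's implementation; state names,
events and the trace format are assumptions made for this example."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Transition:
    src: str
    dst: str
    event: Optional[str] = None  # physical event this transition is conditioned on


# Hypothetical heater-control loop: read the temperature sensor, then either
# switch the heater on (legitimate only if the room really is cold) or idle.
HEATER_EFSA = [
    Transition("start", "read_temp"),
    Transition("read_temp", "heater_on", event="temp_below_setpoint"),
    Transition("read_temp", "idle"),
    Transition("heater_on", "sleep"),
    Transition("idle", "sleep"),
    Transition("sleep", "read_temp"),
]


class EFSA:
    def __init__(self, transitions: List[Transition], start: str = "start"):
        # (src, dst) -> required physical event, or None for unconditional edges
        self.edges: Dict[Tuple[str, str], Optional[str]] = {
            (t.src, t.dst): t.event for t in transitions
        }
        self.start = start

    def check(self, trace: List[Tuple[str, Set[str]]]) -> List[tuple]:
        """trace: list of (next_state, verified_events) pairs, where
        verified_events is the set of physical events an independent monitor
        (e.g. a second sensor) confirmed when the program took that step.
        Returns a list of alerts; an empty list means the run is consistent."""
        alerts: List[tuple] = []
        cur = self.start
        for step, (nxt, verified) in enumerate(trace):
            key = (cur, nxt)
            if key not in self.edges:
                # Stage 1: state-transition integrity (catches control hijacking)
                alerts.append(("illegal_transition", step, cur, nxt))
            else:
                # Stage 2: cyber-physical contextual consistency. The program
                # took a legal edge, but was the physical event that should
                # have driven it actually observed?
                needed = self.edges[key]
                if needed is not None and needed not in verified:
                    alerts.append(("event_inconsistency", step, cur, nxt, needed))
            cur = nxt
        return alerts


# Constructed sample traces (not captured from any real device).
BENIGN = [
    ("read_temp", set()),
    ("heater_on", {"temp_below_setpoint"}),  # cold room confirmed externally
    ("sleep", set()),
    ("read_temp", set()),
]
# Data-oriented attack: the in-memory temperature value is corrupted, so the
# program follows the valid heater_on path although the room is not cold.
DATA_ATTACK = [("read_temp", set()), ("heater_on", set()), ("sleep", set())]
# Control-oriented attack: execution jumps straight to heater_on, skipping the read.
CONTROL_ATTACK = [("heater_on", set())]


def run_all() -> Dict[str, List[tuple]]:
    efsa = EFSA(HEATER_EFSA)
    return {
        "benign": efsa.check(BENIGN),
        "data": efsa.check(DATA_ATTACK),
        "control": efsa.check(CONTROL_ATTACK),
    }


if __name__ == "__main__":
    for name, alerts in run_all().items():
        print(name, "->", alerts or "consistent")
```

The point the example makes is the one the abstract makes: a plain FSA over program states accepts `DATA_ATTACK`, because every transition in it is legal; only the event annotation on the `read_temp -> heater_on` edge, checked against independently verified physical context, exposes the corrupted decision. The verified-event set must come from a source the attacker cannot forge along with the control program's own variables, otherwise the second stage adds nothing.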
