Firmware Modification Analysis in Programmable Logic Controllers

Abstract: Incorporating security in supervisory control and data acquisition (SCADA) systems and sensor networks has proven to be a pervasive problem due to the constraints and demands placed on these systems. Both attackers and security professionals seek to uncover the inherent roots of trust in a system to achieve opposing goals. With SCADA systems, a battle is being fought at the cyber-physical level, specifically the programmable logic controller (PLC). The Stuxnet worm, which became increasingly apparent in the summer of 2010, has shown that modifications to a SCADA system can be discovered on infected engineering workstations on the network, including the ladder logic found in the PLC. However, certain firmware modifications made to a PLC can go undetected due to the lack of effective techniques available for detecting them. Current software auditing tools give an analyst a singular view of assembly code, and binary difference programs can only show simple differences between assembly codes. Additionally, there appears to be no comprehensive software tool that aids an analyst in evaluating a PLC firmware file for modifications and displaying the resulting effects. Manual analysis is time consuming and error prone. Furthermore, there are not enough talented individuals available in the industrial control system (ICS) community with an in-depth knowledge of assembly language and the inner workings of PLC firmware. This research presents a novel analysis technique that compares a suspected-altered firmware to a known good firmware of a specific PLC and performs a static analysis of the differences. This technique includes multiple tests to compare both firmware versions, detect differences in size, and detect code differences such as removing, adding, or modifying existing functions in the original firmware. A proof-of-concept experiment demonstrates the functionality of the analysis tool using different firmware versions from an Allen-Bradley ControlLogix L61 PLC.
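As an added illustration, not the thesis's own tool, the following Python sketch performs the comparison the abstract describes: a size check of a suspected-altered image against a known good one, followed by a function-level static diff that reports removed, added, and modified functions. The firmware bytes and the function tables (name to offset/length, which a disassembler would normally recover) are constructed for the example and are assumptions, not values from any real PLC firmware.

```python
import hashlib

# Constructed "known good" image: a handful of ARM-style 32-bit words that
# stand in for three small functions. Offsets/lengths are illustrative only.
GOOD_FW = bytes.fromhex(
    "e92d4010"   # func_init: push {r4, lr}
    "e8bd8010"   # func_init: pop  {r4, pc}
    "e3a00000"   # func_io:   mov r0, #0
    "e12fff1e"   # func_io:   bx lr
    "e1a0f00e"   # func_tail: mov pc, lr
)
GOOD_FUNCS = {"func_init": (0, 8), "func_io": (8, 8), "func_tail": (16, 4)}

# Constructed suspected-altered image: func_io's immediate changed, func_tail
# removed, and a new func_extra appended at the end of the image.
SUSPECT_FW = bytes.fromhex(
    "e92d4010" "e8bd8010"   # func_init unchanged
    "e3a00001" "e12fff1e"   # func_io: mov r0, #1 (was #0)
    "e3a01001" "e12fff1e"   # func_extra: mov r1, #1 ; bx lr
)
SUSPECT_FUNCS = {"func_init": (0, 8), "func_io": (8, 8), "func_extra": (16, 8)}


def func_digest(image, span):
    """SHA-256 of one function's bytes, so bodies compare by content, not offset."""
    off, length = span
    return hashlib.sha256(image[off:off + length]).hexdigest()


def compare_firmware(good, good_funcs, suspect, suspect_funcs):
    """Static diff of two images: whole-image size delta and identity check,
    then removed / added / modified function sets from per-function digests."""
    report = {
        "size_delta": len(suspect) - len(good),
        "identical": hashlib.sha256(good).digest() == hashlib.sha256(suspect).digest(),
        "removed": sorted(set(good_funcs) - set(suspect_funcs)),
        "added": sorted(set(suspect_funcs) - set(good_funcs)),
        "modified": [],
    }
    for name in sorted(set(good_funcs) & set(suspect_funcs)):
        if func_digest(good, good_funcs[name]) != func_digest(suspect, suspect_funcs[name]):
            report["modified"].append(name)
    return report


if __name__ == "__main__":
    print(compare_firmware(GOOD_FW, GOOD_FUNCS, SUSPECT_FW, SUSPECT_FUNCS))
```

Because functions are matched by name and compared by digest, a function that merely moved to a new offset is not flagged, while one whose bytes changed in place is.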
