Never trust your inputs or how to fool an ADC

Post on 14-Apr-2017


Category: Devices & Hardware


TRANSCRIPT

NEVER TRUST YOUR INPUTS (OR HOW TO FOOL ADC)

;CAT/DEV/USER

2

Alexander Bolshev (@dark_k3y), Ph.D., Security Researcher @ IOActive, Assistant Professor @ SPbETU "LETI"

Marina Krotofil (@marmusha), Security Researcher @ HoneywellSec

3

AGENDA

- Problem statement
- Analog-to-Digital Converters (ADC)
- "Racing" with ADC clock
- Invalid amplitude range of signal
- Attack vectors in ICS
- Mitigations

INDUSTRIAL CONTROL SYSTEMS

[Figure: ICS network architecture diagram with the labels Workstation, Firewall, Modem, Operator Console, SQL Server, PLC, RTU, Maintenance, File Server, Web server, Corporate LAN, SCADA network, Web services, Active Directory, Sensor, Ventil, Engineering Workstation, Process LAN, Physical application]

4

5

PROCESS CONTROL IN A NUTSHELL

[Figure: control loop of Physical process, Sensors, Control system and Actuators]

- Sensors: measure process state
- Control system: computes control commands for actuators
- Actuators: adjust themselves to influence process behavior

6

IMPACT OF IMPROPER SIGNAL PROCESSING

http://www.controlglobal.com/blogs/unfettered/marina-krotofils-presentation-on-how-to-hack-a-chemical-plant-and-its-implication-to-actual-issues-at-a-nuclear-plant/

- Two identically built nuclear plants. One had a flow-induced vibration issue, and the other did not.
- The vibration indication showed itself as HF noise
  - A field engineer filtered the signal to get rid of the annoying noise
  - Loss of view into the vibration issue

Equipment damage at a nuclear plant

[Figure: the ICS network architecture diagram from slide 4, repeated]

7

REASON TO SECURE CONTROL SYSTEMS

Catastrophic consequences

8

PROCESS MONITORING

[Figure: CONTROL SYSTEM, PROCESS OPERATOR, OPERATOR CONSOLE (HMI)]

9


10

CONSIDER A FIELD ARCHITECTURE

[Figure: analog control loop with the labels Control PLC, Actuator, Monitoring PLC / Logger / DAQ / Safety PLC, HMI]

MV = Manipulated Variable: 0 V (actuator is OFF), 1.5 V (actuator is ON)

- What if the MV value on the actuator is different from the MV value on the logger?

11

BUT IT'S AN ANALOG CONTROL LINE!

Are you sure?

- It's impossible to have two different MVs on the same line at the same time!

12

NOTE TO EE AND DSP GUYS:

Are you sure? (2)

- Yes, we know that most of our talk is about aliasing, and this could easily be fixed by antialiasing filters..
- And it "should be" obvious that such filters are everywhere...
- But:

DEMO SETUP

13

[Figure: "HMI Panel", "Control PLC" (Arduino), "Actuator" (motor), "Monitoring PLC" (S7 1200)]

14

DEMO 1

DEMO VIDEO -- Two devices, two different MVs --

15

INTRO TO ANALOG-TO-DIGITAL CONVERTERS (ADC)

17

WHAT IS ADC?

- Converts a continuous analog signal (voltage or amperage) to a digital number that represents the signal's amplitude

[Figure: analog waveform x(t) plotted against time t]

18

ADC IN A NUTSHELL

[Figure: ADC signal chain. Input signal uI(t), characterised by frequency, phase and amplitude, enters the Sampling & Holding (S/H) circuit, which is driven by the Clock at fs and produces uI'(t); Quantizing & Encoding against VREF at the given resolution yields the output bits Dn-1 (MSB) ... D1 D0; the whole step takes the conversion time]

19

TYPES OF ADC

There are many ADC types (>10). The most common are:

- Successive-approximation ADC (SAR)
- Sigma-delta ADC
- Pipeline

http://electronicdesign.com/analog/real-world-versus-your-adc

http://www.planetanalog.com/author.asp?section_id=3193&doc_id=561627

20

EXPLOITABLE ADC DESIGN CONSTRAINTS

- Sampling frequency should follow the Nyquist rule (fs > 2f)
  - Otherwise the signal will appear at a false (alias) frequency

21

EXPLOITABLE ADC DESIGN CONSTRAINTS

- Amplitude of the input signal should not exceed the ADC's dynamic range
  - It is determined by the reference voltage

[Figure: signal amplitude in V (0, 5, 10 marked) against Time]

"RACING" WITH ADC CLOCK

-- SAR ADC --

23

BLOCK DIAGRAM

https://en.wikipedia.org/wiki/Successive_approximation_ADC

- DAC = Digital-to-Analog converter
- EOC = End of Conversion
- SAR = Successive Approximation Register
- S/H = Sample and Hold circuit
- VIN = Input Voltage
- VREF = Reference Voltage

[Figure: SAR ADC block diagram. VIN feeds the S/H circuit; the Comparator (+/-) compares the held sample with the DAC output; the SAR, driven by the Clock, updates the DAC (referenced to VREF) and produces the output bits DN-1 DN-2 ... D1 D0, signalling EOC when done]

24

SAR: WEIGHING PROBLEM

- The SAR algorithm is based on one of the solutions to the weighing problem by Niccolò Fontana Tartaglia, Italian mathematician and engineer, in 1556

https://en.wikipedia.org/wiki/Niccol%C3%B2_Fontana_Tartaglia

http://www.analog.com/media/en/training-seminars/tutorials/MT-021.pdf

- The objective is to determine the least number of weights which would serve to weigh an integral number of pounds from 1 lb to 40 lb using a balance scale

25

ADC: WEIGHING PROCESS

[Figure: VDAC stepped against VIN over Time, with the trial levels ¾VREF, ½VREF and ¼VREF marked; result BIT3=0 (MSB), BIT2=1, BIT1=0, BIT0=1 (LSB)]
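The weighing-process slide shows the SAR algorithm as a picture; the C function below carries it out bit by bit. This is an added example, not code from the talk: it assumes an ideal comparator (a trial bit is kept when VIN >= VDAC), an ideal DAC with VDAC = code * VREF / 2^N, and no noise, and the 0.35*VREF input and the out-of-range inputs are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Successive-approximation conversion: try the heaviest "weight" (MSB) first,
 * keep it if VIN is still at least the DAC output, then halve the weight.
 * Assumes 1 <= nbits <= 31, an ideal comparator and an ideal DAC. */
uint32_t sar_convert(double vin, double vref, int nbits)
{
    uint32_t code = 0;
    double lsb = vref / (double)(1u << nbits);   /* one DAC step */

    for (int bit = nbits - 1; bit >= 0; bit--) {
        uint32_t trial = code | (1u << bit);     /* SAR sets the next bit tentatively */
        double vdac = trial * lsb;               /* DAC output for that trial code */
        if (vin >= vdac)
            code = trial;                        /* comparator: VIN >= VDAC, keep the bit */
        /* otherwise the bit is cleared again and VDAC drops back */
    }
    return code;
}

/* The voltage the firmware will believe it saw for a given code. */
double code_to_volts(uint32_t code, double vref, int nbits)
{
    return code * vref / (double)(1u << nbits);
}

int main(void)
{
    /* Slide example: 4-bit result 0101 (BIT3=0, BIT2=1, BIT1=0, BIT0=1), which
     * a VIN between 5/16 and 6/16 of VREF produces. Constructed VIN = 0.35 * VREF. */
    uint32_t c = sar_convert(0.35, 1.0, 4);
    printf("4-bit code for 0.35*VREF: %u (%.4f * VREF)\n", (unsigned)c, code_to_volts(c, 1.0, 4));

    /* Out-of-range inputs: once VIN >= VREF the comparator never says "too high",
     * so every bit is kept and the ADC reports all ones; below ground it reports 0. */
    printf("8-bit code for 6.0 V with VREF 5.0 V: %u\n", (unsigned)sar_convert(6.0, 5.0, 8));
    printf("8-bit code for -1.0 V with VREF 5.0 V: %u\n", (unsigned)sar_convert(-1.0, 5.0, 8));
    return 0;
}
```

Each bit costs one comparator decision, which is where the conversion time of a SAR ADC (and the window the "racing with ADC clock" slides exploit) comes from. The all-ones result for VIN >= VREF is the behaviour the hardware-range slide later describes: the code carries no indication that the input was out of range, so the software has to check for it.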

LET'S SET UP THE EXPERIMENT

Experimental setup:
- Arduino Leonardo (Atmega32U4 with built-in ADC, 125 kHz internal ADC clock)
- Si5351 generator

Algorithm:
1. Generate a square signal with a specific frequency and phase,
2. Read 120 ADC values in a row and average them,
3. Output to serial port (PC),
4. Increase phase and frequency,
5. GOTO 1.

27

RESULT

What is this?!

28

RACING WITH ADC CLOCK

29

LET'S REPEAT OUR EXPERIMENT

Frequency = around 8.9 kHz

Let's introduce a "counter" to our code for averaging 120 ADC conversions:

    for (;;) {
        asm("cbi 0x0e, 6");              // marker pin low: ADC read starts
        val = __fastAnalogRead(A0);      // fast analog read (inline function)
        asm("sbi 0x0e, 6");              // marker pin high: ADC read finished
        sum += val;
        step++;

        if (step > 120) {
            // averaging, frequency changing and output to the serial port go here
            if (phase >= 170) {
                phase = 0;
                freq += 100;
            } else {
                phase += 10;
            }

            si5351.set_freq(freq, 0ULL, SI5351_CLK0);
            si5351.set_phase(SI5351_CLK0, phase);

            Serial.print(sum * 1.0 / step);
            sum = 0;                     // start the next 120-conversion window
            step = 0;
        }
    }

30

- Fast analog read
- Averaging, frequency changing and output to the serial port go here
- The cbi/sbi pair puts an outgoing zero-to-peak signal on a pin so we can see when the ADC does actual work

31

TIMING DIAGRAM EXPLAINS EVERYTHING

32

FROM ATMEGA32U4 DATASHEET

Chapter 24 on ADC, page 302

125 kHz / 14 ≈ 8928 Hz (112 μs)

We've just breached through the sampling rate precision of the ADC!

33

NOT ONLY BUILT-IN ADCs

Test results for the MCP3201 ADC:

  fCLK = 125 kHz : 14.3 kHz
  fCLK = 8 MHz   : 292.5 kHz

34

"RACING" WITH ADC CLOCK

-- Delta-Sigma ADC --

35

DELTA SIGMA ADC

- Delta-sigma (ΔΣ; or sigma-delta, ΣΔ) modulation is a method for encoding analog signals into digital signals as found in an ADC.
- Typically, delta-sigma ADCs are clocked from a high-frequency signal, but the resulting sample rate is much slower than for other types of ADC
- Example: AD7706 ADC, clock frequency 2 MHz, output sample rate 25-500 samples per second.
- This allows results with higher resolution and greater reliability.

https://en.wikipedia.org/wiki/Delta-sigma_modulation

36

MODUS OPERANDI

http://www.analog.com/library/analogDialogue/archives/33-08/adc/index.html
https://en.wikipedia.org/wiki/Delta-sigma_modulation
https://www.maximintegrated.com/en/app-notes/index.mvp/id/1870

37

DEMO 3

Still exploitable? LIVE DEMO -- delta-sigma --

38

39

ATTACK EFFORTS: SIGMA-DELTA VS. SAR

- SAR ADCs are much easier to exploit (due to their simple nature); however, increasing the SAR clock frequency could produce more problems for the attacker
- Delta-sigma ADCs allow only a few ways to craft a reliable attack; however, the result could overwhelm your needs.

40

SOFTWARE-RELATED PROBLEMS

-- ADC access timing --

41

DEMO 3

DEMO VIDEO -- One signal, two ADCs --

42

FROM DEMO: TWO DEVICES & TWO DIFF OUTPUTS

Wait, but why? Timing diagrams can explain ;-)

43

EVERYTHING IS MUCH EASIER IN THE ICS WORLD

- In many real-world ICS applications the ADC doesn't sample the input signal with the highest possible frequency
  - Typical sampling rate is 1-100 times per second

[Figure: sampled signal with the "malicious part of signal" marked]

44

HURDLES OF THE ATTACKER

- How to figure out the required phase and frequency to craft the needed malicious signal?
- Send some peak signals and monitor the output of the ADC (directly/indirectly)
- E.g. by hacking into a switch you can monitor/control both the data flow to the control PLC AND the digital data output from the Monitoring PLC/logger/DAQ/Safety PLC/etc

45

FIGURING OUT SIGNAL PARAMETERS

[Figure: Control PLC, Actuator, HMI, compromised industrial switch, Monitoring PLC / Logger / DAQ / Safety PLC]

46

SOFTWARE-RELATED PROBLEMS

-- ADC conversion time --

47

ADC IN CRITICAL APPLICATIONS

Be careful when using ADC in critical applications

- Industrial PLCs also have analog inputs and built-in ADCs
- Let's test one of the most popular PLCs, the S7 1200

48

EXPERIMENT SETUP

Let's check the real conversion time of the S7 1200 ADC

[Figure: Arduino, Waveform generator (I2C), S7 1200, Analog signal, S7 Protocol, S7 input amplitude, Frequency; the Arduino reads the value from the PLC every N time]

49

Frequency is fixed

[Figure series: PLC readings for N = 8.3 ms, N = 9 ms, N = 7 ms, N = 4.5 ms, N = 2.5 ms]

50

51

WHAT'S WRONG?

Nothing, really. You just need to read the datasheet more thoroughly

Text in small letters

52

INVALID RANGE OF SIGNALS

53

BREAKING SOFTWARE DEFINED RANGES

- Consider a 5-10 V signal which is consumed by an ADC with range 0-15 V
- What will happen if you send a signal lower than 5 V or higher than 10 V?

[Figure: signal amplitude in V (5 and 10 marked) against Time]

From the real life code:

    uint8_t val = readADC(0); // reading 8-bit ADC value with range 0 V - 15 V
    val = val - 85;           // normalization -> 85 == 5 Volts (255/3)

Any signal of less than 5 V (val < 85) will cause an integer overflow in val

54

BREAKING HARDWARE DEFINED RANGES

What if the attacker sends a signal outside of the ADC hardware defined range (> Vref)?

- ADC will output max value (all bits set to 1)
- ADC might be damaged
- Values on other inputs could be distorted
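The two range slides describe a software-defined window (5-10 V inside a 0-15 V, 8-bit ADC) and the hardware limit (all bits set once the input reaches Vref). The C below puts the slide's "real life" normalisation next to a checked version. It is an added example, not code from the talk or from any PLC firmware: the 85/170 count thresholds follow the slide's 255/3 scale, the status codes, `normalize_checked` and the sample values are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Scale from the slide: 8-bit ADC over 0-15 V, one count = 15/255 V,
 * so 5 V == 85 counts and 10 V == 170 counts. */
#define RAW_MIN_VALID 85u    /* 5 V: bottom of the process signal window */
#define RAW_MAX_VALID 170u   /* 10 V: top of the process signal window */
#define RAW_SATURATED 255u   /* all bits set: input at or above Vref */

/* The slide's pattern: subtract the 5 V offset in the same unsigned 8-bit type.
 * Anything below 5 V wraps around and reads as a large positive value. */
uint8_t normalize_unsafe(uint8_t raw)
{
    return raw - 85;          /* raw = 80 (4.7 V) -> 251 */
}

typedef enum {
    SAMPLE_OK,
    SAMPLE_BELOW_RANGE,       /* under 5 V: the unsafe version would have wrapped */
    SAMPLE_ABOVE_RANGE,       /* over 10 V: outside the process signal window */
    SAMPLE_SATURATED          /* 255: hardware range exceeded, value not trustworthy */
} sample_status_t;

/* Hardened version: classify the raw count before any arithmetic, do the
 * arithmetic in a type wider than the ADC word, and return why a sample was
 * rejected so the caller can alarm instead of acting on it. Every bit from
 * the ADC is treated as significant; nothing is masked off. */
sample_status_t normalize_checked(uint8_t raw, int16_t *normalized)
{
    *normalized = 0;
    if (raw == RAW_SATURATED)
        return SAMPLE_SATURATED;
    if (raw < RAW_MIN_VALID)
        return SAMPLE_BELOW_RANGE;
    if (raw > RAW_MAX_VALID)
        return SAMPLE_ABOVE_RANGE;
    *normalized = (int16_t)raw - (int16_t)RAW_MIN_VALID;   /* 0..85, never wraps */
    return SAMPLE_OK;
}

/* Convenience wrappers for logging and tests. */
sample_status_t sample_status(uint8_t raw)
{
    int16_t n;
    return normalize_checked(raw, &n);
}

int normalize_or_reject(uint8_t raw)      /* normalised value, or -1 if rejected */
{
    int16_t n;
    return normalize_checked(raw, &n) == SAMPLE_OK ? n : -1;
}

double raw_to_volts(uint8_t raw) { return raw * 15.0 / 255.0; }

int main(void)
{
    /* Constructed samples: in range, just below the floor, above the ceiling, saturated. */
    uint8_t samples[] = { 100, 80, 200, 255 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int16_t n;
        sample_status_t st = normalize_checked(samples[i], &n);
        printf("raw %3u (%5.2f V): unsafe=%3u checked=%d status=%d\n",
               (unsigned)samples[i], raw_to_volts(samples[i]),
               (unsigned)normalize_unsafe(samples[i]), n, (int)st);
    }
    return 0;
}
```

The saturated case is separate from "above range" on purpose: a count of 255 is what the hardware slide says the ADC reports for anything at or beyond Vref, so the software cannot tell 15 V from 40 V and should treat the reading as a fault indicator rather than a measurement.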

55

DEMO SETUP

[Figure: USB UART, Negative voltage source, Atmega328p, Optical isolator]

56

DEMO 4

DEMO VIDEO -- Negative input signal -- (breaking hardware range)

57

58

ANOTHER EXAMPLE

Breaking HW RANGES for the NXP LPC11U24F internal ADC (3.3 V Ref)

ADC/Ref Volts | channel readings (slide header: A-3 A-2 A-1 A-0 A+1 A+2 A+3)
 0.48    | 0.0    0.48   1.58   3.3
 3.39    | 0.0    3.3    1.59   3.3
 4.1     | 0.087  3.3    1.729  3.3
 4.65    | 0.17   3.3    1.974  3.3
 5.1     | 0.44   3.3    2.212  3.3
 5.9     | 0.0    2.035  1.561  3.3
 6.1-9.8 | ~      ~      ~      ~
-0.48    | 0.0    0.0    1.58   3.3
-1.1     | 0.0    0.0    1.64   3.20
-1.5     | 0.025  0.0    1.71   3.07
-1.7     | 0.0    0.0    2.5    2.9
-2       | ~      ~      ~      ~

59

ATTACK VECTORS IN ICS

60

DIRECT ACCESS ATTACK TOOLKIT (RARE CASE)

Line coupling circuit (usually OpAmp/Transformer)

Total setup cost 50$ (1 kHz) -- 400$ (50 MHz)

61

ATTACKING FROM ICS DEVICE

- Compromising one of the field components (PLC, sensor, actuator, DAQ, logger, etc.)
  - Most MCUs inside transmitters/actuators are capable of generating arbitrary signals up to 500-1000 Hz
  - Some devices allow generating signals of 44 kHz and above

62

ATTACK FROM TRANSMITTER

HART transmitter reference design ;-) DAC with s/r up to 100 kHz (smooth sine wave at ~5 kHz)

http://www.tm-eetimes.com/en/accurate-industrial-temperature-measurements-with-loop-powered-transmitter.html?cmp_id=7&news_id=222918850

63

MITIGATIONS

64

HARDWARE MITIGATIONS

65

LPF FILTERS (ANTIALIASING) IN REFERENCE DESIGN

- A low-pass filter attenuates signals with a frequency higher than its cutoff frequency
- Buffer the ADC input with an LPF
- Good design dictates ADC fs > LPF fc

66

LPF FILTERS IN REFERENCE DESIGN

"We included LPF in our design"

ADC with fs ~470 Hz
LPF with fc near 15 kHz

67

SOLUTION

68

FLIP SIDE OF USING LPF

- When adding an LPF into an individual device, make sure that all related devices have the same cut-off frequencies

"Securing" may lead to more vulnerabilities

- E.g. if the PLC input is buffered with an LPF with fc = 1 kHz and the actuator is equipped with an LPF with fc = 5 kHz, the attack is not only possible, but the probability of success increases!

69

NOTE: DIGITAL LPF WON'T WORK!

Do not use a digital LPF after the ADC!

- The ADC will already be compromised by a maliciously intended signal and no digital filter will fix matters

70

USE ADC WITH HIGHER BANDWIDTH / LOWER CONVERSION TIME (OR OTHER TYPE OF ADC)

- Using an ADC with a higher sampling frequency (mostly for SARs) can mitigate the "racing with ADC" attack, as the attacker will have to generate a signal of much higher frequency
- Or just use delta-sigma ADCs
- Generating a ~1 MHz signal or injecting it into an analog line is much harder than generating or injecting a ~1 kHz signal
  - H/f signals are subject to greater attenuation and more affected by noise

71

SCALE SIGNAL AMPLITUDE BEFORE ADC

- To avoid abuse of ADC voltage ranges, normalize signal amplitude before feeding the signal to the ADC
  - Simplest option: voltage divider + OpAmp,
  - Signal conditioning circuits or even dynamic range compression

Select what is suitable for your OT process

72

SOFTWARE MITIGATIONS

73

SAMPLING FREQUENCY RANDOMIZATION

http://www.sixsigma4service.com/evaluation-considerations-for-data-sampling.html

- Certain randomness in sampling frequency will make the attacker's job much harder
  - Many of the discussed attacks will be much more challenging to execute
- Small variation of f' won't degrade the signal understanding process. On the contrary, it will produce a signal sample of better quality.

f' = f + rand(Δ)

[Figure: sampled voltage (V) against Time]

74

APPLY SECURE CODING TECHNIQUES

- Scrutinize your ADC/PLC datasheets to figure out effective ranges, conversion time, frequency and other critical parameters
- Even if it is sufficient to control the process with one value per second, sample the signal with a higher frequency and average the converted values
- When receiving a value from the ADC, treat it as an absolute value (all bits received from the ADC are significant)

75

DON'T SLEEP! (WHILE ON DUTY :) )

Avoid writing/using the following code (if you don't completely understand your process):

    Val = readADC();
    Output(Val);
    Sleep(Timeout);
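The sampling slides make one argument in several pieces: the Nyquist rule, the "two devices, two different MVs" demos (a line frequency that matches the ADC's fixed timer reads as a constant level that depends only on where the timer fires), the sampling-frequency-randomization mitigation, and the advice to average many conversions rather than read once and sleep. The C simulation below runs that argument end to end. It is an added example, not code from the talk: the 0 V / 1.5 V square wave, the 8928 Hz rate (the ATmega32U4 figure from the datasheet slide), the sampling offsets, the 20 % jitter, the LCG and the sample counts are all constructed assumptions, and `fixed_rate_average` / `jittered_rate_average` model a logger, not any real PLC firmware.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the shared analog line: a 50 % duty square wave at
 * 1.5 V (slide: "actuator is ON") for the first half of each period and 0 V
 * ("actuator is OFF") for the second half. Positions are in periods of the
 * waveform, i.e. cycles = time * signal frequency; callers keep cycles >= 0. */
#define LINE_HIGH_V 1.5

static double square_wave_at(double cycles)
{
    double frac = cycles - (double)(long long)cycles;   /* fractional part */
    return frac < 0.5 ? LINE_HIGH_V : 0.0;
}

/* Nyquist rule from the slides: a tone at f sampled at fs appears at |f - k*fs|
 * for the nearest integer k (f, fs > 0). A 9028 Hz tone sampled at 8928 Hz
 * looks like 100 Hz; one at exactly fs looks like DC. */
double alias_frequency(double f, double fs)
{
    double k = (double)(long long)(f / fs + 0.5);       /* nearest integer */
    double d = f - k * fs;
    return d < 0 ? -d : d;
}

/* A logger that reads its ADC on a rigid timer at rate fs and averages n
 * conversions (the slides average 120). first_sample_cycles is where in the
 * waveform period its first sample lands; a second device on the same line
 * differs only in that offset. */
double fixed_rate_average(double freq, double fs, double first_sample_cycles, int n)
{
    double sum = 0.0;
    for (int k = 0; k < n; k++)
        sum += square_wave_at(first_sample_cycles + (double)k * freq / fs);
    return sum / n;
}

/* Minimal LCG (Numerical Recipes constants) so the run is repeatable offline;
 * a real device would draw on whatever entropy it has. */
static double lcg_uniform(uint32_t *state)
{
    *state = *state * 1664525u + 1013904223u;
    return *state / 4294967296.0;
}

/* Same logger, but each sampling interval is 1/fs scaled by (1 +- jitter), the
 * f' = f + rand(delta) idea from the randomization slide. The timer is no longer
 * predictable, so the samples spread over the waveform and the average settles
 * on the true mean of the line rather than on whichever level a fixed timer
 * happened to land on. */
double jittered_rate_average(double freq, double fs, double first_sample_cycles,
                             double jitter, int n, uint32_t seed)
{
    uint32_t state = seed;
    double cycles = first_sample_cycles;
    double sum = 0.0;
    for (int k = 0; k < n; k++) {
        sum += square_wave_at(cycles);
        double interval = (1.0 + jitter * (2.0 * lcg_uniform(&state) - 1.0)) / fs;
        cycles += interval * freq;
    }
    return sum / n;
}

int main(void)
{
    const double fs = 8928.0;                    /* 125 kHz / 14, datasheet slide */
    printf("9028 Hz sampled at %.0f Hz appears at %.0f Hz\n", fs, alias_frequency(9028.0, fs));

    /* Two loggers, one line, line frequency equal to fs: each reads a steady
     * level that depends only on its own sampling offset. */
    printf("device A (offset 0.25 period): %.2f V\n", fixed_rate_average(fs, fs, 0.25, 120));
    printf("device B (offset 0.75 period): %.2f V\n", fixed_rate_average(fs, fs, 0.75, 120));

    /* Same line, +-20 % interval jitter: close to the line's real 0.75 V mean. */
    printf("device A with jitter:          %.2f V\n",
           jittered_rate_average(fs, fs, 0.25, 0.20, 20000, 12345u));
    return 0;
}
```

With the rigid timer, device A reports a constant 1.5 V and device B, whose timer fires half a period later, a constant 0 V: the "two devices, two different MVs" result, with the actuator itself seeing a 50 % duty waveform the whole time. With jittered intervals the same device converges on about 0.75 V whatever the signal's phase, which is why the averaging advice only pays off when the sampling instants are not predictable; a single read followed by `Sleep(Timeout)` is fully determined by where that one instant falls on the waveform.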

76

BLACK HAT SOUND BYTES

- Aliasing attacks and attacks using voltage ranges are still possible against modern ADC components inside ICS devices. (thanks, Cap!)
- Most of these problems could be easily solved with antialiasing filters (LPF); however, these filters should have the same cut-off frequencies.
- Even a good LPF and a good ADC will not save you if your software works with the ADC incorrectly.

77

OT AND IT HAVE COMMON PROBLEMS

NEVER TRUST YOUR INPUTS

@dark_k3y @marmusha
