TRANSCRIPT
Do as I Say, not as I Do: Stealth Modification of Programmable Logic Controllers I/O by Pin Control Attack
ALI ABBASI
SYSSEC GROUP, RUHR UNIVERSITY BOCHUM, GERMANY & SCS GROUP, UNIVERSITY OF TWENTE, NETHERLANDS
MAJID HASHEMI
PARIS, FRANCE
Who we are
• Ali Abbasi, visiting researcher at the Chair of System Security of Ruhr University Bochum and PhD student at the Distributed and Embedded Systems Security Group, University of Twente, The Netherlands (@bl4ckic3)
• Majid Hashemi, R&D researcher (@m4ji_d)
Agenda
• Background on Process Control
• Background on existing attacks and defenses for embedded systems
• Applicable Defenses for PLCs
• Background on Pin Control
• The Problem with Pin Control
• Rootkit variant
• Non-rootkit variant
• Demo
• Discussions
What this talk is about
• The talk is trying to uncover an existing design flaw in PLCs.
• The attack can be used in future by attackers.
• We are not unveiling fully functional malware for PLCs.
• No exploitation techniques, no 0day leak.
• We are not going to mention any vendor name.
Industrial Control System
(Figure: physical application; Information Technology (IT); Operational Technology (OT))
Industrial Control System hacking
(Figure: physical application)
Process control 101
Process control
Running upstairs to turn on your furnace every time it gets cold gets tiring after a while, so you automate it with a thermostat.
(Figure: thermostat with setpoint)
Control loop
(Figure: control system, actuators, physical process, sensors)
• Sensors measure the process state
• The control system computes control commands for the actuators
• Actuators adjust themselves to influence process behavior
Control equipment
• In large-scale operations control logic gets more complex than a thermostat
• One would need something bigger than a thermostat to handle it
• Most of the time this is a programmable logic controller (PLC)
What is a PLC?
• An embedded system with an RTOS running logic.
Control logic
• [if input1] AND [input2 or input11] -> [do something in output6]
• If tank pressure in PLC1 > 1800, reduce inflow in PLC3
• It is programmed graphically most of the time
• Defines what should/should not happen
− Under which conditions
− At what time
− Yes or No proposition
1. Copy data from inputs to temporary storage
2. Run the logic
3. Copy from temporary storage to outputs
(Figure: inputs from sensors, outputs to actuators)
How PLC Works
(Figure: the runtime cycles through Read Inputs -> Logic Program -> Update Outputs, reading and writing the Logic Variable Table (VT); the physical I/O layer reads/writes the I/O: inputs from I/O, set points, outputs to I/O)
Control algorithm
• Used to compute output based on inputs received from control logic
• PID: proportional, integral, derivative – most widely used control algorithm on the planet
• PI controllers are most often used
Jacques Smuts, „Process Control for Practitioners“
Existing Attacks and Defenses for Embedded Systems Applicable to the PLCs
Current attacks against embedded systems
• Authentication bypass
  • Attacker finds a backdoor password in the PLC.
• Firmware modification attacks
  • Attacker uploads new firmware to the PLC.
• Configuration manipulation attacks
  • Attacker modifies the logic.
• Control flow attacks
  • Attacker finds a buffer overflow or RCE in the PLC.
• Hooking functions for ICS malware
Current defenses for embedded systems
• Attestation
  • Memory attestation
• Firmware integrity verification
  • Verify the integrity of the firmware before it is uploaded
• Hook detection
  • Code hooking detection: detect code hooking
  • Data hooking detection: detect data hooking
Requirement for Applicable Defenses for PLCs
• Designed for embedded devices running a modern OS.
• No hardware modifications.
• Limited CPU overhead.
• No virtualization.
System-level protection for PLCs
• Trivial defenses:
  • Logic checksum
  • Firmware integrity verification
• Non-trivial software-based HIDS applicable to PLCs:
  • Doppelganger (Symbiote Defense): an implementation of software symbiotes for embedded devices
  • Autoscopy Jr: a host-based intrusion detection system designed to detect kernel rootkits for embedded control systems
How Doppelganger Works
• Scan the firmware of the device for live code regions and insert symbiotes randomly.
(Figure: firmware text containing Live Code Region 1 and Live Code Region 2; Symbiote 1 (checksum of Region 1) and Symbiote 2 (checksum of Region 2) are placed at Breakpoint 1 and Breakpoint 2 and coordinated by the Symbiote Manager; other memory regions are untouched)
How Autoscopy Jr works
• Tries to detect function hooking by learning
• Verifies the destination function address and returns against the values and addresses in the TLL (Trusted Location List)
Debug Registers
• Designed for debugging purposes.
• Function hooking intercepts the function call and manipulates the function arguments.
• We use debug registers in ARM processors to intercept memory access (no function interception, no function argument manipulation)
Pin Control
Background on Pin Control: the Pin Control subsystem
• Pin multiplexing (type)
• Pin configuration (in/out)
(Figure: System on Chip (SoC), pin multiplexing)
Pin Configuration
• Input pin: readable but not writeable
• Output pin: readable and writeable
How PLC controls I/O
Introducing Pin Control Attack: A Memory Illusion
(Figure: the PLC runtime requests the operating system/kernel to map the physical I/O memory (+16 bytes); the kernel maps it via the MMU into virtual I/O memory whose state register, read register and write register mirror the physical ones. Logic: blink an LED every 5 sec on Pin 22 if Pin 24 is true. Pin 24 == Input (bit == 0), Pin 22 == Output (bit == 1). The runtime reads Pin 24 and writes 0/1 every 5 sec; the value written for bit 22 reaches the physical write register.)
Introducing Pin Control Attack: A Memory Illusion (continued)
(Figure: the same mapping, but Pin 22 has been reconfigured to Input (bit == 0 for bit 22). The runtime still writes 0/1 every 5 sec into the virtual I/O memory; the physical write fails because the pin is in input mode, and the runtime is never told: "Write Failure!! Pin is in Input Mode".)
Think of copying files to a USB drive
• Similar mapping between physical and virtual addresses
• If the USB drive is removed during the copy operation, the OS reports a warning back
Let's look at it.
Demo 1 Digital
Nobody thought about the same issue for PLCs
• Shouldn't the PLC runtime fail or get terminated because of I/O failure?
– Nope!
• PLC design was always about paramount reliability of real-time execution, HIGH up-time and long-term useful life in harsh environmental conditions
• Malicious manipulation of PLCs was not part of the design considerations :-)
Security concerns regarding pin control
• No interrupt for pin configuration
– How does the OS know about the modification of the pin configuration?
– What if somebody modifies the configuration of a pin at runtime?
– By switching an input pin into an output pin, it is possible to write an arbitrary value into its physical address
• No interrupt for pin multiplexing
– How does the OS know about the modification of pin multiplexing?
– What if somebody multiplexes a pin at runtime?
– By multiplexing a pin it is possible to prevent the runtime from writing a value into an output pin
Problem statement
• What if we create an attack using pin control that:
  • Does not do function hooking
  • Does not modify the executable contents of the PLC runtime
  • Does not change the logic file
• Obviously we consider other defenses available (e.g. logic checksum is also there)
Pin Control Attack
• Pin Control Attack:
  • manipulate the I/O configuration (Pin Configuration Attack)
  • manipulate the I/O multiplexing (Pin Multiplexing Attack)
• The PLC OS will never know about it.
Two options to achieve the same
1. First version: rootkit
– Root privilege
– Knowledge of SoC registers
– Knowledge of mapping between I/O pins and the logic
2. Second version: C code (shellcode)
– Equal privilege as PLC runtime
– Knowledge of mapping between I/O pins and the logic
Both variants:
– No function hooking
– No modification of PLC runtime executable content
– No change to logic file
How Pin Configuration Attack Works
(Figure: Pin Control Attack actions interleaved with PLC runtime actions)
Manipulate Read (PLC runtime action: read(I/O, Pin))
1. Put I/O address into debug register
2. Intercept read operation from I/O
3. Set pin to output mode
4. Write desired value to output
read() continues...
Manipulate Write (PLC runtime action: write(I/O, Pin))
1. Put I/O address into debug register
2. Intercept write operation to I/O
3. Set pin to input (write-ignore)
write() continues...
Simple Logic
Let's test it with a simple Function Block Language logic.
Simple Logic 2
• Second logic for a real PLC
Let's look at it.
Demo 2 Digital
Let's look at it.
Demo 3 Digital
A PLC runtime Dynamic and Static Analysis
• I/O mapping
• Look for base addresses of I/O
I/O Attack: Rootkit
• The rootkit needs the root user to install its code as a Loadable Kernel Module (LKM).
• vmalloc() allocates our LKM. It evades Doppelganger.
• Does not do any kind of function hooking, evades Autoscopy Jr.
• Can change the logic regardless of logic operation.
I/O response time fluctuation in rootkit variant
(Figure: logic code, firmware and I/O pin layers; the pin control attack compared with other attacks)
CPU Overhead
Write manipulation: ~5%
Read manipulation: ~23%
Second Variant of the Attack – No Rootkit!
• No need to have a rootkit!
• We can do the same with the PLC runtime privilege.
• Overhead below 1%.
• We can either remap the I/O or use the already mapped I/O address.
• As shellcode
Second variant
(Figure: the malicious code, running with the PLC runtime's privilege, reaches the physical I/O pins through the exported kernel object file system / device driver (/dev/mem). In a starting time calculation loop it reads the I/O output every 4 milliseconds and the I/O input every 4 milliseconds, then manipulates reads, manipulates writes and reconfigures the I/O pins while the logic in the PLC runtime keeps running on its inputs and outputs.)
Second Variant
(Figure: Pin Control Attack actions interleaved with PLC runtime actions)
Manipulate Read (PLC runtime action: read(I/O, Pin))
1. Find the reference starting time
3. Set pin to output mode (write-enable)
4. Write desired value to output pin
Manipulate Write (PLC runtime action: write() to I/O)
1. Find the reference starting time
3. Set pin to input (write-ignore)
3. Set pin to output (write-enable)
Write desired value
What about Analog Control?
• Analog signals are basically an aggregation of digital signals.
• Two ways to do it:
  1. If part of or the entire analog memory can get multiplexed to digital pins, the attacker can multiplex the pin, write digital bits and basically control the values in the analog memory
  2. Using the technique which we call PC+1, we tell the interrupt handler to return control to the next instruction within the PLC runtime, basically avoiding the write operation occurring
Analog I/O Manipulation
Let's look at it.
Demo Analog
Other Future Possibilities!
• Attacking pull-up and pull-down resistors in I/O interfaces
• What if we disable them?
• Remotely manipulate the I/O via a powerful electromagnetic field!
Never trust your inputs!
Discussions
• For now attackers can:
  • Simply change the logic
  • Modify the PLC runtime executable
• Fixing these attacks is trivial:
  • Proper authentication
  • Proper logic checksum
  • PLC runtime integrity verification
• Next step for attackers:
  • Achieve their goal without actually modifying the logic or runtime or hooking functions
Race to the Bottom
As soon as security is introduced at some layer of computer or network architecture abstraction, the attackers go one layer down.
In the hacking community it is called Race-to-the-Bottom.
Conclusions
• Need to focus on system-level security of control devices. In future more sophisticated techniques will come that evade defenses.
  • Pin Control attack is an example of such attacks.
• Pin Control Attack:
  • lack of interrupt for I/O configuration registers
  • Significant consequences on protected PLCs and other control devices such as IEDs.
• Solution:
  • It is hard to handle I/O interrupts with existing real-time constraints.
  • Monitoring I/O configuration pins for anomalies.
  • User/kernel space separation for I/O memory.
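Added example (not from the talk or the authors): a constructed C model of the memory illusion from the blink-LED slides, where a write to a pin that has been switched to input mode is dropped without any error reaching the runtime, together with the "monitor I/O configuration pins for anomalies" check proposed above. The register layout, pin numbers 22/24 and function names are assumptions for illustration, not any vendor's SoC.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of one GPIO bank (not any vendor's register map).
 * DIR bit set -> output (readable, writable); clear -> input (writes ignored).
 * MUX bit set -> pin routed to GPIO; clear -> routed to another peripheral. */
typedef struct {
    uint32_t dir, mux;
    uint32_t state;   /* the register the PLC runtime reads from and writes to */
} gpio_bank_t;

/* Emulated write to physical I/O memory. As on real hardware, a write to a pin
 * that is in input mode or multiplexed away is dropped and no error is raised. */
static int io_write(gpio_bank_t *b, unsigned pin, int value)
{
    uint32_t m = 1u << pin;
    if (!(b->dir & m) || !(b->mux & m))
        return 0;                                    /* silently dropped */
    b->state = value ? (b->state | m) : (b->state & ~m);
    return 1;
}

/* Expected configuration, derived once from the logic's I/O mapping. Here it is
 * the blink example from the slides: pin 24 is the input, pin 22 the output. */
typedef struct { uint32_t dir, mux, care; } io_baseline_t;

static io_baseline_t baseline_from_logic(void)
{
    uint32_t used = (1u << 24) | (1u << 22);     /* only the pins the logic uses */
    io_baseline_t bl = { 1u << 22, used, used }; /* dir: 22 out, 24 in; mux: both GPIO */
    return bl;
}

/* Anomaly check to run periodically: bitmask of used pins whose direction or
 * muxing no longer matches the logic. Any non-zero result is an alert. */
static uint32_t config_anomalies(const gpio_bank_t *b, const io_baseline_t *bl)
{
    return ((b->dir ^ bl->dir) | (b->mux ^ bl->mux)) & bl->care;
}

int main(void)
{
    io_baseline_t bl = baseline_from_logic();
    gpio_bank_t bank = { bl.dir, bl.mux, 0 };
    printf("ok=%d anomalies=%08x\n", io_write(&bank, 22, 1), (unsigned)config_anomalies(&bank, &bl));
    bank.dir &= ~(1u << 22);   /* pin 22 reconfigured to input behind the runtime's back */
    printf("ok=%d anomalies=%08x\n", io_write(&bank, 22, 0), (unsigned)config_anomalies(&bank, &bl));
    return 0;
}
```

The second line of output shows the runtime's write returning nothing it would normally act on while the monitor flags bit 22; on real hardware the monitor would read the bank's direction and mux registers instead of this struct.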
Questions? Looking for more…
Attend our talk at Digital Bond S4x17, Miami, USA
Everything that has a beginning has an end. The Matrix Revolutions.
Contact:
[email protected] @bl4ckic3
@m4ji_d