DoasISaynotasIDoStealthModificationof

ProgrammableLogicControllersI/ObyPinControlAttack

ALI ABBASI

SYSSEC GROUP, RUHRUNIVERSITY BOCHUM, GERMANY& SCS GROUPUNIVERSITY OF TWENTE, NETHERLANDS

MAJ ID HASHEMI

PARIS , FRANCE

Whoweare

• AliAbbasi,visitingresearcheratchairofsystemsecurityofRuhrUniversityBochumandPhDstudentatDistributedandEmbeddedSystemsSecurityGroup,UniversityofTwente,TheNetherlands.

(@bl4ckic3)

• MajidHashemi,R&Dresearcher(@m4ji_d).

2

Agenda• BackgroundonProcessControl• Backgroundonexistingattacksanddefensesforembeddedsystems• ApplicableDefensesforPLCs• BackgroundonPinControl• TheProblemwithPinControl• Rootkitvariant• Non-rootkitvariant• Demo• Discussions

3

Whatthistalkisabout?

• ThetalkistryingtouncoverexistingdesignflawinPLCs.

• Theattackcanbeusedinfuturebyattackers.

• WearenotunveilingfullyfunctionalmalwareforPLCs.

• Noexploitationtechniques,no0dayleak

• Wearenotgoingtomentionanyvendorname.

4

IndustrialControlSystem

Physicalapplication

InformationTechnology(IT)

OperationalTechnology(OT)

5

IndustrialControlSystemhacking

Physicalapplication 6

Processcontrol101

Processcontrol

Runningupstairstoturnonyourfurnaceeverytimeitgetscoldgetstiringafterawhilesoyouautomateitwithathermostat

Setpoint

8

Controlloop

Actuators

Controlsystem

Physicalprocess Sensors

Measureprocessstate

Computescontrolcommandsfor

actuators

Adjustthemselvestoinfluence

processbehavior

9

Controlequipment

• Inlarge–scaleoperationscontrollogicgetsmorecomplexthanathermostat

• Onewouldneedsomethingbiggerthanathermostattohandleit

• Mostofthetimethisisaprogrammablelogiccontroller(PLC)

10

What is a PLC?

• AnEmbeddedSystemwithRTOSrunninglogic.

11

[ifinput1]AND[input2orinput11]->[dosomethinginoutput6]

IftankpressureinPLC1>1800reduceinflowinPLC3

• Itisprogrammedgraphicallymostofthetime• Defineswhatshould/shouldnothappen

− Underwhichconditions− Atwhattime− YesorNoproposition

Controllogic

1. Copydatafrominputstotemporarystorage2. Runthelogic3. Copyfromtemporarystoragetooutputs

Inputs

Outputs

SensorsActuators

HowPLCWorks

Read Inputs

Logic Program

Update Outputs

Logic Variable Table (VT)

Runtime

Inputs

Outputs

Physical I/O

Read/Write I/O

Inputs from I/O

Set Points

Outputs to I/O

Read/Write VT

• Usedtocomputeoutputbasedoninputsreceivedfromcontrollogic

JacquesSmuts„ProcessControlforPractitioners“

Controlalgorithm

• PID:proportional,integral,derivative– mostwidelyusedcontrolalgorithmontheplanet

• PIcontrollersaremostoftenused

ExistingAttacksandDefensesforEmbeddedSystemsApplicabletothePLCs

15

Current attacks against embedded systems

• Authenticationbypass• AttackerfindabackdoorpasswordinthePLC.

• Firmwaremodificationattacks• AttackeruploadnewfirmwaretothePLC

• Configurationmanipulationattacks• Attackermodifythelogic

• ControlFlowattacks• AttackerfindabufferoverfloworRCEinthePLC

• HookingfunctionsforICSmalwares

16

Current defenses for embedded systems

• Attestation• memoryattestation

• Firmwareintegrityverification• Verifytheintegrityoffirmwarebeforeitsbeinguploaded

• Hookdetection• Codehookingdetection

• Detectcodehooking

• Datahookingdetection• Detectdatahooking

17

• DesignedforembeddeddevicesrunningmodernOS.

• Nohardwaremodifications.

• LimitedCPUoverhead.

• Novirtualization.

Requirement for Applicable Defenses for PLCs

18

System-level protection for PLCs

• TrivialDefenses:• LogicChecksum• Firmwareintegrityverification

• Non-trivialsoftware-basedHIDSapplicabletoPLCs• Doppelganger(Symbiote Defense):animplementationforsoftwaresymbiotes forembeddeddevices

• AutoscopyJR:Ahostbasedintrusiondetectionwhichisdesignedtodetectkernelrootkitsforembeddedcontrolsystems

19

How Doppelganger Works

• Scanthefirmwareofthedeviceforlivecoderegionsandinsertsymbiotes randomly.

1 2

TextLive Code Region 1 Live Code Region 2

Symbiote1 (Checksum of

Region 1)

Symbiote2 (Checksum of

Region 2)Other Memory

regions

Symbiote Manager

Breakpoint 1 Breakpoint 2

Firmware

Other Memory regions

20

How Autoscopy Jr works

• TriestoDetectsfunctionhookingbylearning

• VerifiesthedestinationfunctionaddressandreturnswiththevaluesandaddressesinTLL(TrustedLocationList)

21

DebugRegisters

• Designedfordebuggingpurpose.

• Functionhookinginterceptthefunctioncallandmanipulatethefunctionargument.

• WeusedebugregistersinARMprocessorstointerceptmemoryaccess(Nofunctioninterception,nofunctionargumentmanipulation)

22

23

PinControl

BackgroundonPinControlPinControlsubsystem

• Pinmultiplexing(type)• Pinconfiguration(in/out)

Systemonchip(SoC)SystemonChip

1 2

3

Pinmultiplexing 24

PinConfiguration

• InputPin• readablebutnotwriteable

• OutputPin• readableand writeable

25

HowPLCcontrolsI/O

26

IntroducingPinControlAttack:AMemoryIllusionOperating

System/KernelMap (I/O Memory, +16bytes)

Request for mapping the physical I/O Memory

ReadPin24

Write 0/1 every 5 sec

PLC Runtime

Pin24==Input(bit==0)

Pin22==Output(bit==1)

Write register

Virtual I/O Memory (mapped)

State Register

Read register

0forbit241forbit22

0/1

1

State Register

Physical I/O Memory

Read register

Write register

0forbit241forbit22

0/1

1

map via MMU

LogicBlinkLEDevery5secinPin22if

Pin24isTrue

27

IntroducingPinControlAttack:AMemoryIllusionOperating

System/KernelMap (I/O Memory, +16bytes)

Request for mapping the physical I/O Memory

ReadPin24

Write 0/1 every 5 sec

PLC Runtime

Write register

Virtual I/O Memory (mapped)

State Register

Read register

0/1

1

State Register

Physical I/O Memory

Read register

Write register 0/1

1

map via MMU

LogicBlinkLEDevery5secinPin22if

Pin24isTrue

Pin22==Input(bit==0)0 for bit 22

0 for bit 22

Write Failure!!

Pin is in Input Mode

28

ThinkofcopyingfilestoUSBdrive

29

• Similarmappingbetweenphysicalandvirtualaddresses

• IfUSBdriveisremovedduringcopyoperation,OSreportsawarningback

Letslookatit.

Demo1Digital

30

NobodythoughtaboutthesameissueforPLCs

31

•Shouldn’tthePLCruntimefailorgetterminatedbecauseofI/Ofailure?

– Nope!

• PLCdesignwasalwaysaboutparamountreliabilityofreal-timeexecution,HIGHup-timeandlong-termusefullifeinharshenvironmentalconditions

• MaliciousmanipulationofPLCwerenotpartofdesignconsiderations:-)

Securityconcernsregardingpincontrol

• Nointerruptforpinconfiguration

– HowtheOSknowsaboutthemodificationofpinconfiguration?– Whatifsomebodymodifiesconfigurationofapinatruntime?– Byswitchinginput pinintooutput pin,itispossibletowritearbitraryvalueintoitsphysicaladdress

• NoInterruptforpinmultiplexing

– HowOSknowsaboutmodificationofpinmultiplexing?– Whatifsomebodymultiplexapinatruntime?– Bymultiplexingpinitispossibletoprevent runtimefromwriting valueintooutputpin

32

Problem statement

• Whatifwecreateanattackusingpincontrolthat:• Donotdofunctionhooking• DonotmodifyexecutablecontentsofthePLCruntime.• Donotchangethelogicfile

• Obviouslyweconsiderotherdefensesavailable(e.g.logicchecksumisalsothere)

33

PinControlAttack

34

PinControlAttack

• PinControlAttack:• manipulatetheI/Oconfiguration(PinConfigurationAttack)• manipulatetheI/O multiplexing(PinMultiplexingAttack)

• PLCOSwillneverknowsaboutit.

35

Twooptionstoachievethesame

q Firstversion:rootkit– Rootprivilege– KnowledgeofSoC registers– KnowledgeofmappingbetweenI/Opinsandthelogic

q Secondversion:C-code(shellcode)– EqualprivilegeasPLCruntime– KnowledgeofmappingbetweenI/Opinsandthelogic

1

2

– Nofunctionhooking– NomodificationofPLCruntime

executablecontent– Nochangetologicfile

36

HowPinConfigurationAttackWorks?

1. Put I/O Address into Debug

register

Manipulate Read

2. Intercept Read Operation from I/O

3. Set Pin to Output Mode

4. Write Desired Value to Output

read(I/O, Pin)

Pin Control Attack actions

PLC runtime actions

read() continue....

1. Put I/O Address into Debug

register

Manipulate Write

2. Intercept Write Operation to I/O

3. Set Pin to Input (write-ignore)

write(I/O, Pin)

write() continue...

37

SimpleLogic

LetstestitwithasimpleFunctionBlockLanguageLogic.

38

SimpleLogic2

• SecondLogicforarealPLC

39

40

41

Letslookatit.

Demo2Digital

42

Letslookatit.

Demo3Digital

43

APLCruntimeDynamicandStaticAnalysis

• I/OMapping

• LookforBaseAddresses of I/O

44

I/OAttack:Rootkit

• RootkitneedsrootusertoinstallitscodeasaLoadableKernelModule(LKM).

• vmalloc()allocatesourLKM.ItevadesDoppelganger.

• Donotdoanykindoffunctionhooking,evadesAutoscopy Jr.

• Canchangethelogicregardlessoflogicoperation.

45

Logic Code

Firmware

I/O Pin

Control attack

Other attacks

I/Oresponsetimefluctuationinrootkitvariant

46

CPUOverhead

WriteManipulation:~5%

ReadManipulation:~23%

47

SecondVariantoftheAttack– NoRootkit!

• Noneedtohaverootkit!

• WecandothesamewiththePLCruntimeprivilege.

• Overheadbelow1%.

• WecaneitherremaptheI/OorusealreadymappedI/Oaddress.

• Asshellcode

48

Secondvariant

Inputs

Outputs

Physical I/O Pin

The Malicious Code

Exported Kernel Object File System

device driver

/dev/mem

Logic

PLC Runtime

Read the I/O Output every 4

millisecond

Read the I/O Input

every 4 millitsecond

Starting Time Calculation Loop

Read Manipulate

Write Manipulate

Reconfigure the I/O Pins

49

SecondVariant 1. Find the Refrence Starting

Time

Manipulate Read

3. Set Pin to Output Mode (write-enable)

4. Write Desired Value to Output

Pin

read(I/O, Pin)

Pin Control Attack actions

PLC runtime actions

1. Find the Refrence Starting

Time

Manipulate Write

3. Set Pin to Input (write-ignore)

write() to I/O

3. Set Pin to Output

(write-enable)

Write desired value

50

WhataboutAnalogControl?

• Analogsignalsarebasicallyaggregationofdigitalsignals.

• Twowaystodoit:• 1.Ifpartoforentireanalogmemorycangetmultiplexedtodigitalpinsattackercanmultiplexthepinandwritedigitalbitsandbasicallycontrolthevaluesintheanalogmemory

• 2.UsingthetechniquewhichwecanPC+1,wetelltheinterrupthandlertoreturnthecontroltothenextinstructionwithinthePLCruntime,basicallyavoidingwriteoperationoccur

51

AnalogI/OManipulation

52

Letslookatit.

DemoAnalog

53

OtherFuturePossibilities!

• Attackingpull-upandpull-downresistorsinI/Ointerfaces

• Whatifwedisablethem?

• RemotelymanipulatetheI/Oviaapowerfulelectromagneticfield!

54

Nevertrustyourinputs!

55

Discussions• For now attacker can:

• Simply change the logic• Modify PLC Runtime executable

• Fixing these attacks are trivial:• Proper Authentication• Proper Logic Checksum• PLC Runtime integrity verification

• Next Step for attackers:• Achieve its goal without actually modifying the Logic or Runtime or

hooking functions

56

RacetotheBottom

57

Assoonassecurityisintroducedatsomelayerofcomputerornetworkarchitectureabstraction,theattackersaregoingonelayerdown.

InthehackingcommunityitiscalledRace-to-the-Bottom

Conclusions• Need to focus on system level security of control devices In future

more sophisticated techniques come that evade defenses.• Pin Control attack is an example of such attacks.

• Pin Control Attack:• lack of interrupt for I/O configuration registers• Significant consequences on protected PLCs and other control devices such

as IEDs.

• Solution:• It is hard to handle I/O interrupts with existing real-time constraints.• Monitoring I/O Configuration Pins for anomalies.• User/Kernel space separation for I/O memory.

58

Questions?Lookingformore…

AttendourtalkatDigitalBond S4x17,Miami,USA

Everythingthathasabeginninghasanend.TheMatrixRevolutions.

Contact:

a.abbasi@utwente.nl @bl4ckic3

@m4ji_d

59