Source: cs.dartmouth.edu/~sergey/bh08/fuzzing-bh08.pdf


Cyber Security and Trust Research & Development
http://www.ISTS.dartmouth.edu
Dartmouth College, Institute for Security Technology Studies

Fuzzing proprietary SCADA protocols

Sergey Bratus, ISTS/Dartmouth
Bigezy, Fortune 500 utility company

Black Hat 2008

TCIP Project: http://www.iti.uiuc.edu/tcip/

Fuzzing SCADA

• Ganesh Devarajan (TippingPoint)
  – DNP3 module for Sulley the fuzzer (BH 07, Amini & Portnoy)
  – BH 07 talk caused much media stir
• Digital Bond's ICCPSic test tools
  – released to “subscribers who are vetted asset owners”
  – “...will crash vulnerable ICCP servers.”
• SecuriTeam's beSTORM DNP3 fuzzer
  – crashed Wireshark's parser
• Mu Security's hardware fuzzer, ...

Kinds of fuzzing

• Generation-based: input created from models (knowledge) of:
  – protocol specs (SPIKE, Peach, Sulley, ...)
  – file formats (SPIKEfile, FileFuzz, ...)
• Mutation-based: input created from samples of traffic/data:
  – packet captures (e.g., the GPF, DeMott's General Purpose Fuzzer)
  – proxying ongoing communications

This ...is ...SCADA! (1)

Requires little knowledge of the protocol:

• Proprietary protocol: cannot get specs
  – Luckily, the protocol is plain text
• Access to actual live equipment
  – Isolated test control network
  – Ability to observe and inject packets
• SCADA: traffic is continual and repetitive
  – Endpoints will keep trying to re-establish connections that went wrong.

This ...is ...SCADA! (2)

• Distinct, elaborate initial handshake
  – fuzz it to test the initial auth code, or
  – let it happen, and fuzz the data parsing code
• Frequent keep-alives / status messages
  – easier to see if the target crashed: TCP RSTs
  – a target that wedges instead of dying sends no RST; it shows up as missing keep-alives, so watch for silence as well
  – back off automatically, let the connection be re-established, then fuzz again
• Regular, repeating structure of data packets

Protocol blocks?

• Fuzzer must mimic the protocol well enough to not be rejected outright
  – Purpose of the protocol model
• Most generation fuzzers use block models
  – “Aitel had it right with SPIKE” -- Sulley
• How to guess blocks of unknown protocols?
  – Just (im)precisely enough to mutate them
  – better than inserting/deleting runs of random or special bytes

LZfuzz /Lazy-fuzz/

• Guesses blocks (“tokens”) based on repeated occurrence
  – runs a variant of the Lempel-Ziv compression algorithm (cf. GZIP)
  – frequently repeated byte strings end up in a string table
  – seeds the table with likely tokens/blocks from packet captures
• Applies GPF-like mutations to tokens:
  – long byte runs for buffers
  – extra delimiters, bit flips, ...
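The two slides above (“Protocol blocks?” and “LZfuzz /Lazy-fuzz/”) describe the tokenizer and the mutations only in prose. The Python below is an added example written for this page, not the LZfuzz Perl tokenizer or the GzPF code: it builds an LZW-style string table over a constructed capture of a made-up plaintext poll/command protocol, seeds it with a few assumed tokens, splits a packet into table phrases by longest match, and applies the slide's GPF-style mutations (long byte run, extra delimiter, bit flip) to a window of tokens before reassembling. The sample packets, seed tokens and every function name are assumptions.

```python
"""Guessing protocol blocks ("tokens") of an unknown plaintext protocol with an
LZW-style string table, then applying GPF-like mutations to the guessed tokens.
Added illustration, not the LZfuzz tokenizer or GzPF; packets are constructed."""
from collections import Counter

# Constructed traffic of a made-up plaintext poll/command protocol.
SAMPLE_PACKETS = [
    b"GET STATUS RTU01\r\n",
    b"PUT SETPOINT RTU01 42\r\n",
    b"GET STATUS RTU02\r\n",
    b"ACQUIRE RTU02\r\n",
    b"RESET RTU01\r\n",
    b"PUT SETPOINT RTU02 17\r\n",
    b"GET STATUS RTU01\r\n",
]
# Likely blocks seeded into the table before learning (an assumption; LZfuzz
# seeds its table with candidates taken from packet captures).
SEED_TOKENS = [b"GET", b"PUT", b"RTU", b"\r\n"]


def lz_string_table(packets, seed=(), passes=3):
    """LZW-style dictionary build: each packet is parsed into the longest
    phrase already in the table; that phrase's hit count goes up and the
    phrase plus the following byte is added as a new entry (count 0).
    Several passes over the same captures let frequently repeated byte
    strings grow into long entries, which is the 'block' guess."""
    table = Counter()
    for s in seed:                          # an LZW table must be prefix-closed
        for n in range(2, len(s) + 1):
            table[s[:n]] += 0
        table[s] += 1
    for _ in range(passes):
        for pkt in packets:
            i = 0
            while i < len(pkt):
                j = i + 1
                while j < len(pkt) and pkt[i:j + 1] in table:
                    j += 1
                table[pkt[i:j]] += 1        # hit on the longest known phrase
                if j < len(pkt):
                    table[pkt[i:j + 1]] += 0  # learn one byte longer
                i = j
    return table


def guess_tokens(table, min_len=2):
    """Rank multi-byte phrases by how often they were hit, then by length."""
    phrases = [p for p in table if len(p) >= min_len]
    return sorted(phrases, key=lambda p: (table[p], len(p)), reverse=True)


def tokenize(pkt, table):
    """Greedy longest-match split of a packet into table phrases; bytes not
    covered by a multi-byte phrase become single-byte tokens, so that
    b''.join(tokens) == pkt always holds (needed for faithful reassembly)."""
    tokens, i = [], 0
    while i < len(pkt):
        j = len(pkt)
        while j > i + 1 and pkt[i:j] not in table:
            j -= 1
        tokens.append(pkt[i:j])
        i = j
    return tokens


def mutate_token(tok, mode):
    """GPF-like mutations applied to one token."""
    if mode == "overflow":      # long byte run to hit fixed-size buffers
        return tok[:1] * 1024
    if mode == "dup_delim":     # extra delimiter / repeated field
        return tok * 2
    if mode == "bitflip":       # flip the low bit of every byte
        return bytes(b ^ 0x01 for b in tok)
    raise ValueError(mode)


def fuzz_packet(pkt, table, window, mode):
    """Tokenize, mutate only the tokens whose index lies in window=(start,
    stop), reassemble.  Sliding the window moves the fuzzer's attention
    across the packet without a real protocol model."""
    start, stop = window
    return b"".join(mutate_token(t, mode) if start <= k < stop else t
                    for k, t in enumerate(tokenize(pkt, table)))
```

With the constructed capture, three passes are enough for `GET STATUS R` to grow into a single table entry, so the overflow mutation on token 0 replaces the whole command prefix with a kilobyte of `G` while the trailing `RTU01\r\n` survives intact, which is exactly the “mimic the protocol just well enough” property the slides ask for. On a real capture you would feed the packet payloads from a pcap into `lz_string_table` in place of `SAMPLE_PACKETS`.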

LZfuzz:

http://lzfuzz.cs.dartmouth.edu

LZ tokenizer: Perl
+ “GzPF”: modified GPF fuzzer (accepts pre-tokenized input and other hints from the LZ tokenizer)
+ MITM scripts (ARP spoofing, libIPQ, etc.)

LZfuzz

[Diagram: a laptop running LZfuzz sits between a desktop and a server. Flow: intercept packets -> LZfuzz string table (repeated tokens harvested from the traffic, e.g. “http”, “get”, “put”, “aquire”, “reset”) -> tokenize & mutate -> reassemble & send.]

Components

[Diagram of the MITM stack: arp-sk for ARP spoofing; ip_forward for IP forwarding/routing; ip_queue + libipq for sniffing/interception; raw sockets + libnet for injection/spoofing; the LZfuzz tokenizer (learning) feeds the GPF token fuzzer.]

[Screenshot: guessing protocol field boundaries in ICMP]

LZfuzz is lazy ... but it tries

• MITMs and forwards live communications
  – Standard LAN ARP-poisoning tricks
  – Rewrites packets in transit
• Reacts to broken connections by backing off and changing fuzzing mode
  – Detects RSTs and repeated SYNs
  – Waits (passes packets unmolested) till normal data exchange resumes
  – Shifts window of fuzzed tokens
• Must know locations and algorithms of integrity checksums for packet fix-up
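The back-off behaviour and the checksum fix-up listed above, as an added Python example for this page (not LZfuzz's own code): a per-segment decision function that watches for RSTs and repeated unanswered SYNs, records the token window that was live when the connection broke, shifts the window and passes traffic unmolested until data exchange resumes; plus recomputation of a trailing RFC 1071 checksum on a frame whose body was rewritten. The segment trace, the frame layout (body followed by a 16-bit checksum) and the class and function names are constructed assumptions; a real target's checksum location and algorithm have to be established first, as the slide says.

```python
"""Back-off logic for an in-line (MITM) fuzzer driven by the target's TCP
behaviour, plus checksum fix-up of frames rewritten in transit.  Added example
for this page, not LZfuzz code; trace, frame layout and names are assumptions."""
from dataclasses import dataclass


@dataclass
class Segment:
    flags: frozenset        # e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}, {"RST"}
    payload: bytes = b""    # application data carried, if any


class BackoffFuzzer:
    """FUZZ: data segments may be mutated; a RST or syn_limit unanswered SYNs
    means the target choked on the current token window -> log it, shift the
    window, back off.  BACKOFF: pass everything unmolested until resume_after
    data segments show that normal exchange has resumed, then fuzz again."""
    FUZZ, BACKOFF = "fuzz", "backoff"

    def __init__(self, n_tokens, window_len=2, resume_after=3, syn_limit=2):
        self.state = self.FUZZ
        self.n_tokens = n_tokens
        self.window = (0, window_len)   # token indices currently mutated
        self.resume_after = resume_after
        self.syn_limit = syn_limit
        self.syns = 0                   # unanswered SYNs in a row
        self.quiet_data = 0             # data segments passed while backing off
        self.crashes = []               # windows that coincided with a break

    def _shift_window(self):
        start, stop = self.window
        length = stop - start
        start = (start + length) % self.n_tokens
        self.window = (start, min(start + length, self.n_tokens))

    def observe(self, seg):
        """Return "fuzz" if seg may be mutated, else "pass"."""
        if "RST" in seg.flags:
            broken = True
        elif "SYN" in seg.flags and "ACK" in seg.flags:
            self.syns = 0               # target answered: the retry storm is over
            broken = False
        elif "SYN" in seg.flags:
            self.syns += 1
            broken = self.syns >= self.syn_limit
        else:
            broken = False
        if broken:
            if self.state == self.FUZZ:
                self.crashes.append(self.window)
                self._shift_window()
                self.state = self.BACKOFF
            self.quiet_data = 0
            return "pass"
        if not seg.payload:
            return "pass"               # handshake and pure ACKs are never touched
        self.syns = 0
        if self.state == self.BACKOFF:
            self.quiet_data += 1
            if self.quiet_data >= self.resume_after:
                self.state = self.FUZZ
            return "pass"
        return "fuzz"


def inet_checksum(data):
    """RFC 1071 ones'-complement sum (the IP/TCP/UDP checksum algorithm)."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def frame_ok(frame):
    """Assumed frame layout: body || 16-bit big-endian checksum(body)."""
    return inet_checksum(frame[:-2]) == int.from_bytes(frame[-2:], "big")


def fixup(frame):
    """Recompute the trailing checksum after the body was rewritten; without it
    the peer drops the mutated frame before its parser ever sees it."""
    body = frame[:-2]
    return body + inet_checksum(body).to_bytes(2, "big")


def seg(*flags, data=b""):
    return Segment(frozenset(flags), data)


# Constructed trace: handshake, two polls, the target resets, the client
# retries twice, the connection comes back, polling resumes.
TRACE = [seg("SYN"), seg("SYN", "ACK"), seg("ACK"),
         seg("ACK", data=b"GET STATUS RTU01\r\n"), seg("ACK", data=b"OK 1\r\n"),
         seg("RST", "ACK"), seg("SYN"), seg("SYN"), seg("SYN", "ACK"), seg("ACK"),
         seg("ACK", data=b"GET STATUS RTU01\r\n"), seg("ACK", data=b"OK 1\r\n"),
         seg("ACK", data=b"GET STATUS RTU02\r\n"), seg("ACK", data=b"OK 0\r\n")]


def run_trace(trace=TRACE, n_tokens=6):
    """Feed a trace through the decision logic; returns (decisions, fuzzer)."""
    fz = BackoffFuzzer(n_tokens)
    return [fz.observe(s) for s in trace], fz
```

In the constructed trace the RST arrives while window (0, 2) is live, so that window is logged as the suspect, the window moves to (2, 4), the two retry SYNs are ignored rather than counted as a second crash, and fuzzing resumes only on the fourth data segment after the new handshake. The SYN-ACK resets the SYN counter; without that, a single crash would leave the counter above `syn_limit` and the fuzzer would back off forever.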

Misplaced trust in peers

Unless authenticated and integrity checked with crypto, packets can be
  – modified in transit even if sent by a well-behaved peer
  – selectively dropped or fragmented by a MITM
  – crafted and inserted into the network by an entirely different stack
  (a CRC or checksum that the MITM can simply recompute is not integrity protection)

Lessons learned?

“You are far too trusting.”

• Vendors' false assumptions?
  – Unauthorized connections the only threat?
  – Making sure connected peers do not emit bad packets is enough?
  – Control network does not allow packet injection or link layer attacks?
• Control networks need anti-injection measures more than others!
  – IPSec, other VPNs: must know a secret to join (must be an insider)
  – L2 measures, monitoring may help, too

Contact Information

Institute for Security Technology Studies
Dartmouth College
6211 Sudikoff Laboratory
Hanover, NH 03755
Phone: 603.646.0700
Fax: 603.646.1672
Email: [email protected]

Thanks!

Talk to Bigezy if you are a SCADA asset owner :-)