
Misuse Patterns Derived from Threats that Take Control of Radio Frequency Remote Controllers of Container Terminal Cranes

VIRGINIA M. ROMERO, Florida Atlantic University EDUARDO B. FERNANDEZ, Florida Atlantic University


Port automation has been playing an increasing role with the introduction of robots, artificial intelligence and other digital tools that have increased the speed and efficiency of the handling of goods flowing into and out of cargo ports. By digitizing and automating activities once handled by human crane operators and cargo haulers, seaports can reduce the amount of time ships sit in port and boost port productivity by accelerating the movement of containers between ships and other transportation means. Radio frequency (RF) remote controllers are widely used in container terminal cranes; unfortunately, these devices have become the weakest link in these safety-critical applications. RF controllers are vulnerable to command injection, where an attacker can selectively alter their behavior by crafting arbitrary commands, with consequences ranging from theft and extortion to sabotage and injury. We present here misuse patterns that result from taking control of RF remote controllers. These misuse patterns describe how these attacks are performed and specify appropriate countermeasures for mitigating them. These patterns are part of our work on building a Security Reference Architecture for Cargo Ports.

Categories and Subject Descriptors: D.2.11 [Software Engineering]: Software Architectures - Patterns

General Terms: Design

Additional Key Words and Phrases: CPS, container terminals, cyber-physical systems, misuse patterns, security, remote controllers, radio frequency, RF, container terminal cranes.

ACM Reference Format: V. M. Romero, and E. B. Fernandez, 2020. Procs. 9th Asian Conference on Pattern Languages of Programs, Asian PLoP'20, March 4-6, Taipei, Taiwan. 13 pages.

1. INTRODUCTION

Port automation has been playing an increasing role with the introduction of robots, artificial intelligence and other digital tools that have increased the speed and efficiency of the handling of goods flowing into and out of cargo ports. The principal factor for the introduction of automation is often to reduce the cost per handled container (cost per move) in the terminal while ensuring a consistent level of productivity and customer service. Over the past decades, sensor and navigation technology has made it possible to remove the operator from a container handling machine or transport vehicle in cargo ports. The unmanned container handling machine or vehicle can then be completely controlled by a computer or by using a combination of automated and manually operated procedures. These procedures may be controlled remotely. A work sequence performed in this fashion is more predictable and less prone to human error. Remotely operated container handling machines and vehicles also make it possible for one operator to control and supervise a large volume of equipment at the same time. In cases where 100% of the work cycle has been automated, the role of the operator is to supervise and handle exceptional situations (Rintanen and Thomas 2018). While more efficient, automation has increased the impact of attacks. We have already seen large-scale attacks that exploited vulnerabilities in port automation, and unless measures are taken, such attacks are predicted to become more common (DiRenzo et al. 2015). System vulnerabilities are code flaws or weaknesses of the system which can be exploited to carry out attacks. These attacks can be described using misuse patterns. Security patterns realize countermeasures that are used to prevent these attacks (Fernandez 2013).
Our audience includes container terminal system architects and system designers, software developers and security professionals who are interested in building, securing and managing cargo port container terminal applications. The objective of our work is to help our intended audience understand that, in order to stop or mitigate these possible attacks, we need to consider how these attacks take place and describe the flow of these attacks in detail. We present here a description of an attack on industrial radio frequency (RF) remote controllers, widely used in container terminal cranes, in the form of a misuse pattern. Misuse patterns describe how the attack is carried out from the point of view of an attacker (Fernandez et al. 2007 and 2009). They explain the attack environment, its flow and the countermeasures to control the attack. These misuse patterns are an addition to our work on building a Security Reference Architecture for Cargo Ports.

Figure 1 shows how our previously published patterns, represented by colored lines, are used to model a cargo port. The purple lines represent the pattern for the loading and unloading of containers to/from a ship at a cargo port facility, “Secure and Safe Port Loading Facility” (Fernandez et al. 2014). The red lines represent the pattern for the secure delivery of containers at a cargo port, “Secure Cargo Port Drayage” (Romero and Fernandez March 2018). The blue lines represent the pattern for ship arrivals and departures, and the colored classes and their associations represent the pattern “Controlled Access to a Cargo Port Terminal Physical Structure” (Romero and Fernandez November 2018). The misuse patterns presented in the following sections are attacks that can be performed when loading/unloading containers at a cargo port facility (see Figure 2). The attacker takes control of the crane while the crane operator uses an RF remote controller for crane operation. The loading and unloading of containers is described in our “Secure and Safe Port Loading Facility” pattern. Crane and CraneOperator are depicted as classes in Figure 1, RemoteController in Figure 2.

Authors’ addresses: Virginia M. Romero (corresponding author), Dept. of Computer and Electrical Eng. and Computer Science, Florida Atlantic University, 777 Glades Rd., Boca Raton, FL 33431, USA; email: [email protected]. Eduardo B. Fernandez, Dept. of Computer and Electrical Eng. and Computer Science, Florida Atlantic University, 777 Glades Rd., Boca Raton, FL 33431, USA; email: [email protected]. Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission.

Figure 1 Partial Security Reference Architecture for Cargo Ports


In Section 2, we follow a misuse pattern template to present four misuses that result from taking control of container terminal cranes using command injection in RF remote controllers: drop a container, accelerate crane beyond its limit to cause damage to it, misplace container to cause disruption of operations and send e-stop commands repeatedly causing a DoS (Denial-of-Service) attack. In Section 3, we offer some conclusions and present future work. The misuse pattern template is described in the Appendix.

2. MISUSE PATTERNS DERIVED FROM THREATS THAT TAKE CONTROL OF RADIO FREQUENCY REMOTE CONTROLLERS OF CONTAINER TERMINAL CRANES

2.1 Intent

An attacker can remotely take control of a container terminal crane by crafting arbitrary commands to later send to the RF remote controllers of these cranes as if they were valid ones (command injection). This may lead to very dangerous situations ranging from theft and extortion to sabotage, injury and loss of lives. This pattern results in four misuse patterns, all from using command injection: drop container, accelerate the moving load beyond limit to cause damage to the crane, misplace container to cause disruption of operations and send e-stop command repeatedly causing a DoS (Denial-of-Service) attack.

2.2 Context

In port operations, RF remote controllers are widely used in cargo handling equipment. Industrial RF remote controllers rely on proprietary RF protocols that were designed decades ago and focused mostly on safety rather than security. In the early days of this technology, attacks on these RF remote controllers were costly and rarely performed. Nowadays inexpensive RF-hacking toolsets are readily available. These systems are not robust against command spoofing: an attacker or attacking device within range can capture a few seconds of radio traffic, selectively modify the packets and create new arbitrary commands automatically. Not all industrial RF remote controllers implement “rolling code” technology. Rolling code, also known as hopping code, is a security technique commonly used to provide a fresh code for each authentication in a transmitter/receiver exchange, so that a code captured once cannot simply be replayed later. Encryption is the process of encoding a message in such a way that only authorized parties can access it; an algorithm encrypts the data, and the receiving party uses a key to decrypt it. A rolling code transmitter provides secure encrypted RF transmission comprising a fixed code and a rolling code. A receiver demodulates the encrypted RF transmission and recovers the fixed code and rolling code. Upon comparing the fixed and rolling codes with stored codes and determining that the signal has emanated from an authorized transmitter, a signal is generated to actuate (Farris and Fitzgibbon 2000).

2.3 Problem

Attacks can be performed by taking advantage of the following vulnerabilities in RF remote controllers:

No use of rolling code – Each packet is self-contained and requires no dynamic secret to be interpreted. Any captured packet remains valid in the future.

Weak or no cryptography – The data exchanged between transmitter and receiver is not encrypted, or is weakly encrypted and predictable.

Pairing mechanism – Knowledge of the pairing mechanism allows complete impersonation of a legitimate transmitter. Safety features of RF remote controllers, like the pairing mechanism, are not designed with a cybersecurity mindset; rather, they are meant to prevent injuries due to malfunction or unexpected external conditions. The pairing mechanism requires that transmitter and receiver are paired with a (fixed) pairing code, which is used to recognize and accept commands only from known transmitters. The pairing code prevents interference between multiple transmitters of the same model and brand, allowing them to work together in the same RF band. However, knowledge of this pairing code also allows complete impersonation of a legitimate transmitter. All RF remote controllers are shipped with a pre-configured pairing code (the same on both transmitter and receiver), usually written on the device enclosure. Attackers take advantage of this information and use it for replay and other forms of attacks.

Weak or no passcode to operate the transmitter – The operator needs to enter a passcode to operate the transmitter. This sequence enables the transmitter and starts the receiver. Knowledge of the passcode allows anyone to use a transmitter. When passcodes are weak, attackers can guess them to enable the transmitter and start the receiver.

2.4 Solution

In a command injection attack, the attacker must intercept a valid RF command and record it. The recording can be done with software defined radio (SDR) equipment that can be purchased rather inexpensively, depending on its sophistication. The attacker must learn the radio protocol well enough that, once a packet representing “command X” has been recorded, they can derive and re-engineer another packet that encodes “command Y” and transmit it with the same SDR equipment. The re-engineering can be done offline on an external device. In a variation of this attack, the attacker records a valid transmission with an SDR and replays it “as is” at a later time with malicious intent (e.g., accelerating the crane beyond its limits, causing damage to the crane). To the receiver, such a replayed packet is indistinguishable from a legitimate transmission.

Figure 2 Class Diagram of the Context for the Command Injection Attack


2.4.1 Structure

Figure 2 shows a class diagram of the context for a command injection attack on the remote controller of a container terminal crane. The system is composed of: Quay, which represents the platform for loading and unloading ships; a set of Cranes, each with a unique receiver CraneRx paired one-to-one with its corresponding transmitter CraneTx; and RemoteController, composed of a transmitter and a receiver. Through OperatorView, a person of type CraneOperator sends a valid command to the crane, and the Attacker records and captures the data under different conditions (e.g., different buttons, press duration, timing, etc.). By reverse-engineering the structure of the packet in the radio protocol, the attacker derives another command. Each Container is associated with a unique location in Storage and with the crane carrying it at a given moment. Each Container is assigned to a CraneOperator at a specific date and time. DataLogger logs the data sent and received by RemoteController.

2.4.2 Dynamics

The following use cases describe how attackers can take control of container terminal cranes using a command injection attack on RF controllers, and the misuses they can perform with this control.

UC1 (misuse): Drop container causing damage (Figure 3)
Summary: The attacker records a packet with command “lift container” and derives another packet that encodes command “release container”.
Actors: Attacker, Operator
Description:
1. Operator issues a valid “lift container” command to the receiver of the RF remote controlled crane.
2. Attacker records the command data with a radio receiver.
3. Attacker deconstructs the structure of the packet (reverse-engineering), usually offline.
4. Attacker derives the “release container” command.
5. Attacker transmits the newly derived command to the receiver of the remote controlled crane.
6. Crane accepts this forged command and releases the container, causing damage.
Postcondition: A successful command injection attack is carried out, releasing the container and causing damage, such as container destruction or injury or death of a person.


Figure 3 Sequence Diagram for Drop Container using Command Injection Attack

UC2 (misuse): Accelerate the crane beyond its limit to cause damage to it (Figure 4)
Summary: The attacker records a packet with command “accelerate crane” and repeatedly sends the command to accelerate the crane beyond its limit, causing damage to it.
Actors: Attacker, Operator
Description:
1. Operator issues a valid “accelerate crane” command to the receiver of the radio remote controlled crane.
2. Attacker records the command data with a radio receiver.
3. Crane accelerates as requested by the operator.
4. Attacker sends repeated “accelerate” commands (replaying the recorded packet).
5. Crane continues to accelerate beyond its limit, causing damage to it.
Postcondition: The “accelerate the crane beyond its limit” attack is carried out successfully, causing damage.


Figure 4 Sequence Diagram to Accelerate Crane Beyond Its Limits

UC3 (misuse): Misplace container to cause disruption (Figure 5)
Summary: The attacker records a command that carries a specific location at which to place a container in the storage area and derives another command with a different, unknown location.
Actors: Attacker, Operator
Description:
1. Operator issues a valid “position” command with a specific location in storage.
2. Attacker records the command data with a radio receiver.
3. Attacker deconstructs the structure of the packet (reverse-engineering), usually offline.
4. Attacker derives a “position” command with a different location in storage.
5. Attacker transmits the newly derived command containing the different location.
6. Crane accepts this forged command and deposits the container at an unknown location.
Postcondition: A successful attack is carried out, causing disruption of operations (container at an unknown location).


Figure 5 Sequence Diagram to Misplace Container to cause Disruption

UC4 (misuse): Send e-stop command repeatedly causing a DoS condition (Figure 6)
Summary: The attacker maliciously uses a special command, the e-stop command, to create a denial of service (DoS) condition.
Actors: Attacker, Operator
Description:
1. Operator issues a valid command to the receiver of the radio remote controlled crane.
2. Attacker records the command data with a radio receiver.
3. Attacker deconstructs the structure of the packet (reverse-engineering), usually offline.
4. Attacker derives the “e-stop” command.
5. Attacker sends the e-stop command in a loop.
6. Crane receiver is flooded with e-stop commands.
7. Operator sends a start or a move command.
8. Crane receiver is overwhelmed with e-stop commands and cannot accept any other commands.
Postcondition: A successful e-stop command flooding attack is carried out, creating a DoS condition.


Figure 6 Sequence Diagram for DoS Attack

2.5 Affected System Components and Forensics

Fully automated container terminals are remotely controlled and have a large number of industrial radio remote controllers in place, mainly because these facilities are too large to make a wired-only deployment feasible. Even when container terminals are not fully automated, traditional container terminals are filled with radio-controlled lifting and handling machines to move containers and loads. The container terminal’s “attack surface” is larger now. In all attacks presented, Crane and RemoteController system components are affected. Container and Storage are also affected in the “misplace container to cause disruption” misuse (see Figure 2).

Data loggers (shown in Figure 2) added to the devices can be used to keep track of the movements and usage of the controlled equipment. In an attack, this information may be used to trace back to the attackers.
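As an added example that is not part of the paper, the following script runs two forensic checks over a hypothetical DataLogger export. The CSV layout (timestamp, side, crane, command, where TX is a frame sent by the paired CraneTx and RX a frame accepted by CraneRx), the crane name and the sample lines are all constructed for this example, and the logger is assumed to record both sides against a shared clock. An RX frame with no matching TX frame shortly before it was accepted from some other radio (replayed or forged, as in UC1 to UC3); a burst of accepted e-stop frames in one second is the flooding of UC4.

```python
"""Offline triage of DataLogger records for the command-injection misuses.

Added example, not from the paper. The CSV layout and the crane name are
hypothetical; SAMPLE_LOG is constructed data.
"""
from datetime import datetime, timedelta

# Constructed export: a legitimate LIFT, an injected RELEASE that no paired
# transmitter sent, then one legitimate ESTOP followed by a flood of five.
SAMPLE_LOG = """\
2020-03-04T10:00:00.000,TX,CRANE-07,LIFT
2020-03-04T10:00:00.020,RX,CRANE-07,LIFT
2020-03-04T10:00:03.500,RX,CRANE-07,RELEASE
2020-03-04T10:00:10.000,TX,CRANE-07,ESTOP
2020-03-04T10:00:10.020,RX,CRANE-07,ESTOP
2020-03-04T10:00:10.120,RX,CRANE-07,ESTOP
2020-03-04T10:00:10.220,RX,CRANE-07,ESTOP
2020-03-04T10:00:10.320,RX,CRANE-07,ESTOP
2020-03-04T10:00:10.420,RX,CRANE-07,ESTOP
2020-03-04T10:00:10.520,RX,CRANE-07,ESTOP
"""


def parse_log(text):
    """Parse the export into (timestamp, side, crane, command) tuples, oldest first."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, side, crane, cmd = line.split(",")
        records.append((datetime.fromisoformat(ts), side, crane, cmd))
    return sorted(records, key=lambda r: r[0])


def find_unmatched_rx(records, tolerance=timedelta(milliseconds=200)):
    """RX frames with no unused TX frame (same crane, same command) within
    `tolerance` before them. The paired transmitter logs everything it sends,
    so an accepted frame it never sent came from another radio."""
    unmatched = []
    pending = {}  # (crane, cmd) -> TX timestamps not yet matched to an RX frame
    for ts, side, crane, cmd in records:
        key = (crane, cmd)
        if side == "TX":
            pending.setdefault(key, []).append(ts)
            continue
        candidates = pending.get(key, [])
        for i, tx_ts in enumerate(candidates):
            if ts - tolerance <= tx_ts <= ts:
                del candidates[i]  # one TX frame explains at most one RX frame
                break
        else:
            unmatched.append((ts, crane, cmd))
    return unmatched


def estop_floods(records, window=timedelta(seconds=1), threshold=5):
    """Per crane, the largest count of accepted ESTOP frames inside any sliding
    window; cranes at or above `threshold` are reported as flooded."""
    by_crane = {}
    for ts, side, crane, cmd in records:
        if side == "RX" and cmd == "ESTOP":
            by_crane.setdefault(crane, []).append(ts)
    flooded = {}
    for crane, stamps in by_crane.items():  # stamps are already sorted
        best, j = 0, 0
        for i in range(len(stamps)):
            while j < len(stamps) and stamps[j] - stamps[i] <= window:
                j += 1
            best = max(best, j - i)
        if best >= threshold:
            flooded[crane] = best
    return flooded


def triage(text):
    """Run both checks over one export and return the findings."""
    records = parse_log(text)
    return {"unmatched_rx": find_unmatched_rx(records), "estop_floods": estop_floods(records)}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for ts, crane, cmd in report["unmatched_rx"]:
        print(f"{ts.isoformat()} {crane}: {cmd} accepted with no matching transmission")
    for crane, n in report["estop_floods"].items():
        print(f"{crane}: {n} e-stop frames accepted inside one second")
```

The matching is one-to-one on purpose: in the sample, the first accepted ESTOP consumes the operator's single transmission, so the five that follow are reported both as unmatched frames and, together with the first, as a flood. The tolerance and threshold are assumptions to be tuned to the real link's latency and to how often an operator legitimately hits e-stop.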

2.6 Known Uses (Incidents)

Trend Micro Research tested attacks on RF remote controllers from seven vendors under two conditions: in-lab and on-site. For in-lab testing, industrial remote controllers from two vendors (Juuko and Saga) that distribute their products worldwide were used. Their protocols were reverse-engineered and tested against command injection, and failed in all cases (Andersson et al. 2019). Remote controllers from vendors like Hetronic, Elca and Telecrane were tested on-site for command replay and e-stop abuse and also failed. They either use a constant checksum function in all of their packets, which makes fuzzing these packets easier, or they use a weak form of encryption with a rolling code but do not enforce the check of the rolling code, so that any forged packet is accepted as valid. In January 2019, hackers took control of giant construction cranes using the vulnerabilities of RF remote controllers. They found that the data packets containing commands were often transported over the airwaves with little to no security; where there was basic encoding or encryption of commands, it still did not prevent them from replicating commands using an SDR (Brewster 2019).


2.7 Consequences

By taking advantage of the vulnerabilities in the radio protocols of the controlled cranes, the attacker can cause disruption, severe financial loss, injuries and even loss of human lives:

The lack of logs or forensic artifacts in these RF remote controllers to keep track of the movements and usage of the controlled equipment makes remote attacks very difficult to trace back to the attackers.

Financially motivated attackers could steal goods from the container terminals by placing containers in unauthorized drayage trucks. This type of attack plays a role in larger supply-chain attack schemes.

An attacker can simulate a malfunction, causing repeated damage to the container terminal, and then ask for a ransom to stop.

Attacks can be implemented through small, portable RF devices, conveniently hidden anywhere in the target facility. Such devices are not easy to discover, especially if one does not consider them a plausible threat.

2.8 Countermeasures

Design and implement proper security mechanisms, such as “rolling code” technology.

Continue to build on open, well-known, standard protocols using security by design as part of the protocol.

All transmissions must be authenticated and encrypted.

Pairing mechanism - Transmitter and receiver are paired with a (fixed) pairing code, which is used to recognize and accept commands only from known transmitters.

Multifactor authentication passcode protection - The operator needs to enter a sequence (passcode) to operate the transmitter. This sequence enables the transmitter and starts the receiver.

Authorization - The transmitter implements an access control model that selectively enables or disables advanced features according to the level of the operator, who is identified using radio frequency identification (RFID) or an equivalent factor.

Virtual Fencing - Transmitter and receiver communicate via an out of band channel (infrared) in addition to RF. When the transmitter is out of range, the receiver does not accept any commands.
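The following is an added example, not code from the paper and not any vendor's firmware: a toy model of the link described in Sections 2.3 and 2.4 next to a receiver that applies the countermeasures listed above. The frame layouts, command codes, pairing code 0x1234, the shared key and the operator levels are all assumptions. The legacy receiver checks only a pairing code and an unkeyed XOR checksum, so a captured “lift” frame replays forever and can be rewritten into a “release” frame (UC1). The hardened transmitter enforces operator authorization before it sends anything; the hardened receiver requires a counter inside a rolling-code window, an HMAC over pairing id, counter and command, and the in-range signal of the virtual fence's out-of-band channel. This example authenticates frames but does not encrypt them; confidentiality would be layered on with an authenticated cipher.

```python
"""Toy RF remote-control link: legacy fixed-code receiver vs hardened receiver.

Added example, not from the paper or any vendor's product. Frame layouts,
command codes, pairing code, key and operator levels are hypothetical.
"""
import hashlib
import hmac
import struct

CMD = {"LIFT": 0x01, "RELEASE": 0x02, "ACCEL": 0x03, "ESTOP": 0x7F}
REQUIRED_LEVEL = {"LIFT": 1, "RELEASE": 1, "ACCEL": 2, "ESTOP": 0}  # assumed policy
WINDOW = 16  # rolling-code look-ahead so a few lost frames do not desync the pair


def xor_checksum(data: bytes) -> int:
    """Unkeyed checksum: anyone who reverse-engineers the frame can recompute it."""
    c = 0
    for b in data:
        c ^= b
    return c


# Legacy frame: pairing_code(2) | cmd(1) | checksum(1). No counter, no secret.
def legacy_encode(pairing_code: int, cmd: int) -> bytes:
    body = struct.pack(">HB", pairing_code, cmd)
    return body + bytes([xor_checksum(body)])


class LegacyReceiver:
    def __init__(self, pairing_code: int):
        self.pairing_code = pairing_code

    def accept(self, frame: bytes):
        """Command code if the frame is accepted, else None. Stateless: any
        captured frame is valid forever (no rolling code)."""
        if len(frame) != 4 or xor_checksum(frame[:3]) != frame[3]:
            return None
        pairing, cmd = struct.unpack(">HB", frame[:3])
        return cmd if pairing == self.pairing_code else None


# Hardened frame: pairing_id(2) | counter(4) | cmd(1) | HMAC-SHA256 tag(16).
def hardened_encode(key: bytes, pairing_id: int, counter: int, cmd: int) -> bytes:
    body = struct.pack(">HIB", pairing_id, counter, cmd)
    return body + hmac.new(key, body, hashlib.sha256).digest()[:16]


class HardenedTransmitter:
    def __init__(self, key: bytes, pairing_id: int, operator_level: int):
        self.key, self.pairing_id, self.level = key, pairing_id, operator_level
        self.counter = 0  # rolling code: strictly increasing per frame

    def send(self, name: str):
        """Authorization on the transmitter: advanced features need a higher level."""
        if self.level < REQUIRED_LEVEL[name]:
            return None
        self.counter += 1
        return hardened_encode(self.key, self.pairing_id, self.counter, CMD[name])


class HardenedReceiver:
    def __init__(self, key: bytes, pairing_id: int):
        self.key, self.pairing_id = key, pairing_id
        self.last_counter = 0
        self.transmitter_in_range = False  # fed by the out-of-band (IR) link

    def accept(self, frame):
        if not self.transmitter_in_range or frame is None or len(frame) != 23:
            return None  # virtual fence: no commands while the transmitter is away
        body, tag = frame[:7], frame[7:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:16]
        if not hmac.compare_digest(tag, expected):
            return None  # forged or modified frame
        pairing, counter, cmd = struct.unpack(">HIB", body)
        if pairing != self.pairing_id:
            return None
        if not self.last_counter < counter <= self.last_counter + WINDOW:
            return None  # replayed or stale frame
        self.last_counter = counter
        return cmd


def demo() -> dict:
    """Attacker captures the operator's LIFT frame, replays it and rewrites it
    into RELEASE (UC1) against both receivers; returns what each accepted."""
    out = {}
    legacy_rx = LegacyReceiver(0x1234)  # pairing code printed on the enclosure
    captured = legacy_encode(0x1234, CMD["LIFT"])
    out["legacy_replay"] = legacy_rx.accept(captured)
    forged_body = captured[:2] + bytes([CMD["RELEASE"]])  # keep pairing, swap command
    out["legacy_forged"] = legacy_rx.accept(forged_body + bytes([xor_checksum(forged_body)]))

    key = b"secret shared at pairing time (assumed)"
    tx = HardenedTransmitter(key, 0x1234, operator_level=1)
    rx = HardenedReceiver(key, 0x1234)
    rx.transmitter_in_range = True
    captured = tx.send("LIFT")
    out["hardened_first"] = rx.accept(captured)
    out["hardened_replay"] = rx.accept(captured)
    out["hardened_forged"] = rx.accept(captured[:6] + bytes([CMD["RELEASE"]]) + captured[7:])
    out["hardened_unauthorized_accel"] = tx.send("ACCEL")  # level 1 < 2: not sent
    rx.transmitter_in_range = False
    out["hardened_out_of_range"] = rx.accept(tx.send("LIFT"))  # counter 2, never consumed
    rx.transmitter_in_range = True
    out["hardened_after_lost_frame"] = rx.accept(tx.send("LIFT"))  # counter 3, inside window
    return out


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check:28} -> {'accepted ' + hex(result) if result is not None else 'blocked'}")
```

The rolling-code window is the part practitioners get wrong in both directions: a window of 1 makes a single dropped frame lock the operator out, while a receiver that checks the counter but not the MAC (or, as in the Known Uses above, carries a rolling code but never enforces it) accepts any forged counter value inside the window. Both checks have to hold, and the counter must be covered by the tag.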

2.9 Related Patterns

“Secure and Safe Port Loading Facility” (Fernandez et al. 2014) - Provides the typical functions of a port loading facility (loading and unloading of containers to/from a ship), including security and safety mechanisms that can defend against all identified threats.

“Secure Cargo Port Drayage” (Romero and Fernandez March 2018) - Provides all the typical functions and security mechanisms for the secure delivery and pick-up of containers at a maritime cargo port.

“A Pattern for Controlled Access to a Cargo Port Terminal Physical Structure” (Romero and Fernandez November 2018) - Describes the mapping of a cargo port’s functional units to its physical locations and defines the allocation of the rights of the individuals or roles associated with these units to access such locations.

“Denial-of-Service (DoS) in VoIP” (Pelaez et al. 2009) - Describes a DoS attack in the form of a misuse pattern.

“A Misuse Pattern for DDoS in the IoT” (Syed et al. 2018) - This misuse pattern describes how an attacker can exploit security vulnerabilities of IoT devices to produce a DoS situation. It describes how this attack is performed and specifies appropriate countermeasures for mitigating the attack.

“Security Logger/Auditor” (Fernandez 2013) - This pattern describes how to keep track of users’ actions in order to determine who did what and when. It logs all security-sensitive actions performed by users and provides controlled access to records for audit purposes.

“Authenticator” (Fernandez 2013) - When a user or system (subject) identifies itself to the system, the Authenticator pattern allows verification that the subject intending to access the system is who or what it claims to be.

“Encryption” (Fernandez 2013) - Encryption protects message confidentiality by making a message unreadable to those that do not have access to the key. Symmetric encryption uses the same key for encryption and decryption. In asymmetric encryption, a public/private key pair is used for encryption and decryption respectively.

3. CONCLUSIONS

Misuse patterns can be very useful for understanding system vulnerabilities and designing secure systems, as well as for performing forensics. Identifying threats is not enough. We need to understand how a whole misuse is performed: how the attack is executed from the point of view of the attacker. We also need to understand the attack environment and its flow, and apply the corresponding countermeasures to secure the system against the attack. The idea of misuse patterns was introduced in previous work (Fernandez et al. 2007). Here we used it to describe a command injection attack on the RF remote controller of a container terminal crane. This attack exploits fairly basic vulnerabilities of the RF remote controller’s radio protocols and can be prevented, or at least made more difficult, by adding the proper security mechanisms to the controllers. The objective of our work is to highlight security vulnerabilities, explain attack dynamics and propose countermeasures to improve the security of cyber-physical systems (CPS), specifically cargo ports. Our approach is to build a common framework, namely a Reference Architecture (RA), using patterns and UML models, based on the interactions of the system (use cases), and later apply security mechanisms to control or mitigate a set of specific threats and define a Security Reference Architecture for Cargo Ports. We will continue to develop misuse patterns for other components of a cargo port in order to build a catalog that can be used by container terminal systems designers and developers, as well as by designers of applications that need to run in these systems. Finally, we intend to incorporate these patterns into the secure systems design methodology described in (Fernandez 2013).

Acknowledgements

We thank our shepherd Alan Liu for their insightful comments that have significantly helped to improve our paper.

References

J. Andersson, M. Balduzzi, S. Hilt, P. Lin, F. Maggi, A. Urano and R. Vosseler, “A Security Analysis of Radio Remote Controllers for Industrial Applications”, Trend Micro Research, Jan 2019. https://documents.trendmicro.com/assets/white_papers/wp-a-security-analysis-of-radio-remote-controllers.pdf
T. Brewster, “Exclusive: Hackers Take Control of Giant Construction Cranes”, 2019. https://www.forbes.com/sites/thomasbrewster/2019/01/15/exclusive-watch-hackers-take-control-of-giant-construction-cranes/#282557e71d0a
J. DiRenzo, D. Goward, F. Roberts, “The Little-Known Challenge of Maritime Cyber Security”, 2015 6th International Conference on Information, Intelligence, Systems and Applications (IISA), IEEE, 2015.
B. L. Farris and J. J. Fitzgibbon, “Rolling code security system”, U.S. Patent No. 6,154,544, 28 Nov. 2000.
E. B. Fernandez, J. C. Pelaez, and M. M. Larrondo-Petrie, “Attack patterns: A new forensic and design tool”, Procs. of the Third Annual IFIP WG 11.9 Int. Conf. on Digital Forensics, Orlando, FL, Jan. 29-31, 2007. Chapter 24 in Advances in Digital Forensics III, P. Craiger and S. Shenoi (Eds.), Springer/IFIP, 2007, 345-357.
E. B. Fernandez, N. Yoshioka, and H. Washizaki, “Modeling misuse patterns”, 4th Int. Workshop on Dependability Aspects of Data Warehousing and Mining Applications (DAWAM 2009), in conjunction with the 4th Int. Conf. on Availability, Reliability, and Security (ARES 2009), March 16-19, 2009, Fukuoka, Japan.
E. B. Fernandez, “Security patterns in practice: Building secure architectures using software patterns”, Wiley Series on Software Design Patterns, 2013.
E. B. Fernandez, R. Monge, and R. Carvajal, “A pattern for a secure and safe port loading facility”, Procs. of the 10th Latin American Conference on Pattern Languages of Programs (SugarLoafPLoP 2014).
J. C. Pelaez, E. B. Fernandez and M. M. Larrondo-Petrie, “Misuse patterns in VoIP”, J. Security and Communication Networks, 2(6), 635-653, 2009.
K. Rintanen, A. Thomas, “Container Terminal Automation”, PEMA (Port Equipment Manufacturers Association), 2018. https://www.pema.org/wp-content/uploads/downloads/2016/06/PEMA-IP12-Container-Terminal-Automation.pdf
V. M. Romero, E. B. Fernandez, “A Pattern for Controlled Access to a Cargo Port Terminal Physical Structure”, 12th Latin American Conference on Pattern Languages of Programs, SugarLoaf PLoP'18, Nov 20-23, Valparaiso, Chile.
V. M. Romero, E. B. Fernandez, “A Pattern for Secure Cargo Port Drayage”, Procs. 7th Asian Conference on Pattern Languages of Programs, Asian PLoP'18, March 1-2, 2018, Tokyo, Japan. 9 pages.
M. Syed, E. B. Fernandez, J. Moreno, “A Misuse Pattern for DDoS in the IoT”, Proceedings of European Conference on Pattern Languages of Programs (EuroPLoP), July 2018.

APPENDIX

MISUSE PATTERN TEMPLATE

Misuse patterns provide generic descriptions of an attack, the environment vulnerabilities that facilitate it, countermeasures to prevent it, as well as information which can be useful for forensics in case the attack has taken place. A misuse pattern has the following sections:

Name: The description of the attack type as mentioned in standard attack repositories.

AKA: The attack is also known by these alternative terms.

Intent: The purpose of the pattern as a goal of the attacker. Also known as the thumbnail description.

Context: The definition of the environment in which the attack takes place, including architectural components (along with their vulnerabilities) that are present and existing security defenses of the system.

Problem: The vulnerabilities that allow the attack to happen and can also be used to list the hurdles for the attacker in achieving it.

Solution: The description of how the attack takes place and its results. The system is represented in the form of a UML class diagram, and the flow of messages in the attack is shown using sequence or collaboration diagrams.

Affected system components and Forensics: All components that are affected by the attack and are essential to the forensic examination (evidence).

Known Uses: List of the security incidents where the attack has already occurred.

Consequences: The advantages and drawbacks of the solution from the attacker’s perspective.

Countermeasures: Security measures to prevent the specified attack. These measures can correspond to new or existing security patterns.

Related Patterns: Patterns that complement the attack or are alternatives.