Trigger Action Integrity for Cyber-Physical Systems
Doug Everson (1), Long Cheng (1), Danfeng (Daphne) Yao (2)
(1) Clemson University, (2) Virginia Tech
Motivation
Cyber-Physical Systems (CPS)
Event Identification and Dependence Analysis
Advanced Manufacturing
[Chart: Number of Reported Incidents in ICS, 2010 to 2015 (y-axis 0 to 400). Source: ICS-CERT report (https://ics-cert.us-cert.gov)]
Event-Aware Finite-State Automaton (eFSA) Model
[Figure: LLVM IR fragments of the control program with each actuation's event dependence annotated. Data dependence: any sensor-reading API. Control dependence: any actuation API.]
Loop check feeding an actuation:
  ... %3 = load i32* @steps, align 4
  %4 = icmp sle i32 %2, %3
  br i1 %4, label %5, label %9
  <label>:5 call void (...)* @actuator_signal() ...
  <label>:9 ret void
Event-guarded actuations:
  <label>:0 ... %3 = call i32 @E1()
  %4 = icmp ne i32 %3, 0
  br i1 %4, label %5, label %15
  <label>:5 Actuation1 ...
  <label>:15 %16 = call i32 @E2()
  %17 = icmp ne i32 %16, 0
  br i1 %17, label %18, label %27
  <label>:18 Actuation2 ...
  <label>:27 ...
The True/False branch edges are labeled with the event outcome each actuation depends on: Actuation1 on E1, Actuation2 on the conjunction of the E1 and E2 outcomes.
S0;
while(…){
  S1;
  if(E1()){ for(…humidity…){ S2; S3; } }
  else if(E2()){ for(…){ S4; } }
  S5; S6;
}
[Figure: the eFSA built from the program above. States 1 to 11; each transition is labeled with the system call (S0,…,S6) that causes it, and event-guarded transitions are additionally tagged as a binary event (the E1/E2 branch outcomes) or a non-binary event. S0,…,S6 denote system calls.]
Event Identification
Event Dependence Analysis
Limitation of eFSA
Enforcing Trigger-Actuation Integrity
Security policies
Identify Security Checkpoints
Event-Actuation Dependency Analysis
[Table: event-to-actuation dependency pairs; the values are not recoverable from the transcript]
Actuation-Physical Dependency Analysis
[Table: actuation-to-physical-effect dependency pairs: (1, 3), (2, 4), (3, 6), (4, 6)]
Program Instrumentation
Execution Monitor
Checking Event Triggering Integrity
Checking Control Actuation Integrity
Security policies
System Overview
Hardware: the Normal World runs the Instrumented Program; the Secure World runs the Execution Monitor.
Instrumented program: each sensitive call void @Actuation() is bracketed by call void @__ETI_CALL(context) (Event Triggering Integrity, checked before the actuation) and call void @__CAI_CALL(context) (Control Actuation Integrity, checked after it).
On-going Work
Training Phase
Monitoring Phase
Event Triggering Integrity: detect whether a control action should really happen before a sensitive actuation is triggered.
Control Actuation Integrity: detect whether a control actuation has properly happened after it is triggered.
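As an added example (not code from the poster or its authors): a minimal execution monitor in Python that enforces the two checks above against a constructed thermostat policy; the Monitor, eti_check, cai_check and scenario names and all sensor values are illustrative.

```python
from dataclasses import dataclass
from typing import Callable, Dict

@dataclass
class Policy:
    trigger: Callable[[dict], bool]   # event condition that must hold before the actuation fires
    effect: Callable[[dict], bool]    # physical condition the sensors must show after it ran

# Constructed security policy for a thermostat controller, in the form the event-actuation and
# actuation-physical dependency analyses would produce: heater_on is triggered by the inside
# temperature dropping below the setpoint, and its physical effect is HVAC status "heating".
POLICY: Dict[str, Policy] = {
    "heater_on":  Policy(lambda s: s["inside_temp"] < s["setpoint"],  lambda s: s["hvac_status"] == "heating"),
    "heater_off": Policy(lambda s: s["inside_temp"] >= s["setpoint"], lambda s: s["hvac_status"] == "idle"),
}

class Monitor:
    """Execution monitor: the instrumented program calls eti_check() right before a sensitive
    actuation and cai_check() right after it, using readings from a trusted sensor suite."""
    def __init__(self, policy, read_sensors):
        self.policy, self.read_sensors, self.alerts = policy, read_sensors, []

    def eti_check(self, actuation):
        """Event Triggering Integrity: should this control action really happen now?"""
        if actuation not in self.policy:
            self.alerts.append(("unknown_actuation", actuation))
            return False
        if not self.policy[actuation].trigger(self.read_sensors()):
            self.alerts.append(("event_triggering_attack", actuation))
            return False
        return True

    def cai_check(self, actuation):
        """Control Actuation Integrity: did the actuation's physical effect actually happen?"""
        if not self.policy[actuation].effect(self.read_sensors()):
            self.alerts.append(("control_command_replaced", actuation))
            return False
        return True

def scenario(actuation, inside_temp, hvac_after, setpoint=20.0):
    """One instrumented actuation against constructed readings; hvac_after is the HVAC status
    the sensor suite reports after the command was sent. Returns (eti_ok, cai_ok, alerts)."""
    state = {"inside_temp": inside_temp, "setpoint": setpoint, "hvac_status": "idle"}
    mon = Monitor(POLICY, lambda: dict(state))
    eti_ok = mon.eti_check(actuation)              # __ETI_CALL(context) before the actuation
    if not eti_ok:
        return eti_ok, None, mon.alerts            # actuation blocked; nothing to verify after it
    state["hvac_status"] = hvac_after              # command sent; plant (or a replaced command) responds
    cai_ok = mon.cai_check(actuation)              # __CAI_CALL(context) after the actuation
    return eti_ok, cai_ok, mon.alerts
```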
[Figure: the CPS control loop. Physical Process -> Sensors -> Events -> Control System -> Control Actuation -> Actuators -> Physical Process.]
Control systems: electrical distribution, manufacturing, industrial control, automobile systems, …
Actuators: breakers, switches, pumps, motors, valves, …
Adversary: Event Triggering Attacks (on the event side) and Control Command Replacing Attacks (on the actuation side).
Mod/Sim Live Testbed (HVAC): a Physics Runtime supplies the actual inside temperature, actual HVAC status and actual outside temperature; a Thermostat Controller drives the Actuator; the TAI Execution Monitor and Sensor Suite observe both.
Autonomous Vehicle Systems: Controller; TAI Execution Monitor and Sensor Suite.
- Multiple Data Sources
- Wired Networks (CAN, Automotive Ethernet)
- Wireless Networks (DSRC, 5G)
- Physical Environment (Gyroscopes)
- Sensors (Radar, Throttle Position, Speedometer)
- Controls (Brake Pedal, Accelerator, Steering)
- Learn, correlate, monitor, respond
- Identify security policy
- Identify unexpected inputs
- Alert and/or respond for occupant safety
Design Objectives
• Finer granularity of integrity checking (basic-block level)
• Prevent damage to the physical system before sending control actuations
• Detect control command replacing attacks in CPS
• Minimum code instrumentation
Limitation of eFSA
• CPS field devices may send control signals by directly writing registers without calling system calls
• Passive monitoring detects attacks only after they have occurred, with predictable and severe consequences
On-going Work
• Timing-compliance
• Secure reference monitor