Enforcing Memory Safety in Cyber-Physical Systems
Eyasu Getahun Chekole (1,2), John Henry Castellanos (1), Martín Ochoa (1), David K. Y. Yau (1,2)
(1) Singapore University of Technology and Design, Singapore
(2) Advanced Digital Sciences Center, Singapore
Eyasu G. Chekole (SUTD), Enforcing Memory Safety, 15 Sep 2017
Outline
1 Motivation: Overview of CPS; CPS attacks
2 Contributions
3 Enforcing memory safety: Countermeasures; Approach; Enforcing ASan; Experimental design; Experimental results; Quantifying tolerability; Validating tolerability; Mitigation
4 Conclusion
Overview of CPS
CPS: the integration of computations and communications with physical processes.
Figure 1: CPS architecture
Secure Water Treatment (SWaT)
SWaT: a water treatment plant at SUTD. It has 6 distinct processes controlled by 6 PLCs.
Figure 2: SWaT
Figure 3: SWaT architecture
Water inflow process (P1)
Figure 4: Water inflow process
Cyber attacks in CPS
Figure 5: Water inflow process
Memory safety attacks
(aka) Memory corruption attacks: they exploit memory safety vulnerabilities, e.g., buffer overflows and dangling pointers.
Commonly found in C/C++ programs. CVEs have been reported on PLCs: AB PLC [1], Siemens PLC [2], Schneider PLC [3].
Classes of MS attacks: code injection, code reuse.
[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-5007
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0674
[3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0929
Memory safety attacks in CPS
PLC firmwares & control logics are often written in C/C++. Thus, memory safety vulnerabilities are common in CPS.
Figure 6: Exploiting memory-safety vulnerabilities
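The bug class these slides describe, as an added example that is neither OpenPLC code nor the paper's: a fixed-size global process image written from a network request whose length field is attacker-controlled, which is the shape a global buffer overflow (ASan's "global-buffer-overflow" report class) takes in a PLC runtime, beside the bounds-checked version. The request layout, the function names and the 16-coil image size (borrowed from the oSWaT digital-output count later in the talk) are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define N_COILS 16   /* digital outputs in the oSWaT setup (assumption) */

/* Global process image: one byte per coil, as a minimal runtime might keep it. */
uint8_t coil_image[N_COILS];

/* A neighbouring global; an overflow of coil_image can land in it. */
uint8_t cycle_flags[8];

/* Constructed request layout (hypothetical, simplified from a
 * Modbus "write multiple coils" frame, not the real encoding). */
struct coil_request {
    uint8_t start;          /* first coil to write */
    uint8_t count;          /* number of coils, taken from the wire */
    const uint8_t *values;  /* one value byte per coil */
};

/* VULNERABLE: trusts 'count' from the network. If start + count exceeds
 * N_COILS the loop stores past the end of coil_image. Under ASan the first
 * out-of-bounds store aborts with a global-buffer-overflow report; without
 * ASan it silently corrupts whatever global happens to follow. */
void apply_coils_unsafe(const struct coil_request *req)
{
    for (unsigned i = 0; i < req->count; i++)
        coil_image[req->start + i] = req->values[i];
}

/* HARDENED: check the whole range before the first store. Returns 0 on
 * success and -1 on rejection, leaving the image untouched. The sum is
 * formed in size_t so start + count cannot wrap around in uint8_t. */
int apply_coils_safe(const struct coil_request *req)
{
    size_t end = (size_t)req->start + (size_t)req->count;
    if (end > N_COILS)
        return -1;
    for (size_t i = 0; i < req->count; i++)
        coil_image[req->start + i] = req->values[i];
    return 0;
}

/* Read-back accessor with its own bounds check (0xFF = out of range). */
uint8_t coil_state(size_t idx)
{
    return idx < N_COILS ? coil_image[idx] : 0xFF;
}

/* Builds a constructed request of 'count' coils, all set to 1, starting at
 * 'start', feeds it to the hardened path and returns its verdict. */
int check_request(uint8_t start, uint8_t count)
{
    static uint8_t ones[255];
    memset(ones, 1, sizeof ones);
    struct coil_request req = { start, count, ones };
    return apply_coils_safe(&req);
}

int main(void)
{
    /* 16 coils starting at 8: 8 + 16 = 24 > 16, so this must be rejected. */
    printf("safe path, oversized request: %d\n", check_request(8, 16));

    /* The same request on the vulnerable path. Build with
     *   gcc -g -fsanitize=address -fno-omit-frame-pointer overflow.c
     * and ASan reports a global-buffer-overflow WRITE on coil_image here. */
    static uint8_t ones[24];
    memset(ones, 1, sizeof ones);
    struct coil_request bad = { 8, 16, ones };
    apply_coils_unsafe(&bad);
    printf("cycle_flags[0] after the overflow: %u\n", cycle_flags[0]);
    return 0;
}
```

Built with -fsanitize=address, the vulnerable call stops at the first out-of-bounds store with a report naming coil_image and the offending line; that report-and-abort behaviour is exactly the availability concern the Mitigation slide raises. GCC and Clang also accept -fsanitize-recover=address together with ASAN_OPTIONS=halt_on_error=0, which reports and continues, but continuing past a corrupted process image is not a safe fallback for a controller, so the range check in apply_coils_safe is the fix rather than the runtime flag.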
Main contributions
Enforcing memory safety in CPS.
Empirically measuring and quantifying the tolerability of the MSO (memory-safety overhead).
Sensitivity analysis on performance factors.
Existing countermeasures and approaches
Stack canaries
Non-executable memory (NX)
Address space layout randomization (ASLR)
Control flow integrity (CFI)
Code-instrumentation based methods: insert runtime checks during compilation and catch violations at runtime. They can cover a wide range of errors, but incur high runtime overheads.
Approach
We follow a code-instrumentation based countermeasure, based on secure compiling of PLCs. It is a proactive approach to counter MS attacks: detecting and mitigating MS violations.
Enforcing ASan
We enforced AddressSanitizer (ASan) [4]. It is a compile-time MS tool: it inserts runtime MS checks at compile time, covers a wide range of MS vulnerabilities, and detects MS violations with high accuracy.
It incurs a high memory-safety overhead (MSO). Thus, we evaluated its tolerability.
[4] Serebryany, K., Bruening, D., Potapenko, A., Vyukov, D.: AddressSanitizer: a fast address sanity checker. In: USENIX ATC'12 (2012)
Secure compiling of PLCs
The PLC program & firmware are compiled with GCC + ASan.
Figure 7: Secure compilation of PLCs
Experimental design
Allen Bradley PLCs are closed source, so we designed open SWaT (oSWaT) by mimicking SWaT.
Running on top of a Raspberry Pi (RPI):
  Processor speed: 200 MHz
  Controller: OpenPLC
  Cycle time: 10 ms
  PLC program complexity: 129 instructions
  Number of connections: 7
  Communication frequency: 10 ms
  I/O terminal: Arduino
  Digital inputs: 32
  Digital outputs: 16
  Analog inputs: 13
  SCADA system: ScadaBR
Figure 9: Architecture of oSWaT
Detection accuracy
We detected two global buffer overflow vulnerabilities in the OpenPLC firmware.
Detection accuracy of ASan from the original paper [5].
Figure 11: Detection accuracy
[5] Serebryany, K., Bruening, D., Potapenko, A., Vyukov, D.: AddressSanitizer: a fast address sanity checker. In: USENIX ATC'12 (2012)
Performance
Figure 12: Average-case scan time (ACST)
Figure 13: Worst-case scan time (WCST)
Quantifying tolerability
Figure 14: The PLC scan cycle
Scan time ($T_S$): the time taken to complete a scan cycle.
$T_S = T_{SI} + T_{RL} + T_{UO} + T_{BW}$
Cycle time ($\Omega$): an upper bound on the time a scan cycle may take.
Suppose the worst-case scan time (WCST) is $\tau$. Tolerability of the MSO, $T(\mathrm{MSO})$:
$T(\mathrm{MSO}) = \begin{cases} \text{Tolerable}, & \text{if } \tau \le \Omega \\ \text{Not tolerable}, & \text{otherwise} \end{cases}$
Validating tolerability
Approaches to validate tolerability: empirical measurement (we have already measured the average-case and worst-case performance), WCST analysis, or a combination of the two.
WCST analysis
Suppose $\tau$ is the measured WCST. Would there exist any WCST $\varphi$ such that $\varphi > \Omega > \tau$? We call this the Intolerable Condition (IC).
Hence we need to do WCST analysis on the factors that determine the scan time.
Processor speed: it is fixed, so it would not result in the IC.
Complexity of the PLC program: it consists of various types of instructions, e.g., AND, OR, NOT. Each instruction has a fixed execution time, and there are no loops or recursion, so it would not result in the IC.
Communication frequency: the PLC communicates with n nodes and receives packets at rate r, so it handles r * n packets per unit time, which is fixed. Thus, it would not cause the IC.
Number of I/O: the number of I/Os is fixed. Thus, it would not result in the IC.
Concurrency: the communication and scan-cycle threads access a shared resource, the I/O buffers. There is locking to avoid race conditions or deadlocks, which results in a non-deterministic $T_{BW}$. But communications are limited and the concurrency is handled efficiently. Thus, it would not result in the IC.
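The tolerability criterion from the Quantifying tolerability slide and the loop-free WCST argument above, carried through in code. This is an added example, not code or data from the paper: the phase names follow the slides' scan-time model and the 10 ms cycle time is the oSWaT setting, but the per-cycle measurements are constructed, and the opcode set, the per-opcode costs and the function names are assumptions.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One scan cycle split into the four phases of the slides' model, in
 * microseconds: TS = TSI + TRL + TUO + TBW. */
struct scan_sample { uint32_t tsi, trl, tuo, tbw; };

uint32_t scan_time_us(const struct scan_sample *s)
{
    return s->tsi + s->trl + s->tuo + s->tbw;
}

struct scan_stats { double acst_us; uint32_t wcst_us; };

/* Average-case (ACST) and worst-case (WCST) scan time over measured cycles. */
struct scan_stats scan_stats_of(const struct scan_sample *samples, size_t n)
{
    struct scan_stats st = { 0.0, 0 };
    uint64_t total = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t ts = scan_time_us(&samples[i]);
        total += ts;
        if (ts > st.wcst_us)
            st.wcst_us = ts;
    }
    st.acst_us = n ? (double)total / (double)n : 0.0;
    return st;
}

/* T(MSO): tolerable (1) iff the worst-case scan time tau stays within the
 * cycle time Omega; not tolerable (0) otherwise. */
int mso_tolerable(uint32_t tau_us, uint32_t omega_us)
{
    return tau_us <= omega_us;
}

/* Overhead of the instrumented build relative to the baseline, in percent. */
double mso_percent(double instrumented_us, double baseline_us)
{
    return 100.0 * (instrumented_us - baseline_us) / baseline_us;
}

/* The loop-free WCST argument for the logic phase TRL: a straight-line
 * program with no loops or recursion has a worst case equal to the sum of
 * its per-instruction worst-case costs. Opcode set and costs are hypothetical. */
enum opcode { OP_AND, OP_OR, OP_NOT, OP_LD, OP_ST, OP_COUNT };

uint32_t static_trl_bound_us(const enum opcode *prog, size_t n,
                             const uint32_t cost_us[OP_COUNT])
{
    uint32_t bound = 0;
    for (size_t i = 0; i < n; i++)
        bound += cost_us[prog[i]];
    return bound;
}

/* A constructed eight-instruction program bounded with the costs above. */
uint32_t example_program_bound_us(void)
{
    static const enum opcode prog[] = { OP_LD, OP_AND, OP_NOT, OP_OR,
                                        OP_ST, OP_LD, OP_OR, OP_ST };
    static const uint32_t cost_us[OP_COUNT] = { 3, 3, 2, 4, 5 }; /* AND, OR, NOT, LD, ST */
    return static_trl_bound_us(prog, sizeof prog / sizeof prog[0], cost_us);
}

/* Constructed measurements (not the paper's data): 8 cycles each of the
 * ASan-instrumented build and the uninstrumented baseline. The spikes in
 * TBW stand in for the lock wait the concurrency slide describes. */
static const struct scan_sample asan_cycles[8] = {
    { 900, 2100, 600, 120 }, { 910, 2150, 610, 140 },
    { 905, 2120, 605, 480 }, { 920, 2200, 620, 130 },
    { 900, 2110, 600, 125 }, { 915, 2180, 615, 900 },
    { 905, 2130, 605, 135 }, { 910, 2160, 610, 128 },
};
static const struct scan_sample base_cycles[8] = {
    { 400, 800, 300, 100 }, { 410, 810, 305, 110 },
    { 405, 805, 300, 300 }, { 420, 820, 310, 105 },
    { 400, 800, 300, 100 }, { 415, 815, 305, 500 },
    { 405, 805, 300, 110 }, { 410, 810, 305, 100 },
};

struct scan_stats asan_stats(void) { return scan_stats_of(asan_cycles, 8); }
struct scan_stats base_stats(void) { return scan_stats_of(base_cycles, 8); }

/* The evaluation for the oSWaT cycle time Omega = 10 ms; returns T(MSO). */
int evaluate_oswat(void)
{
    const uint32_t omega_us = 10000;
    struct scan_stats a = asan_stats(), b = base_stats();
    printf("ACST: %.2f us (baseline %.2f us, MSO %.1f%%)\n",
           a.acst_us, b.acst_us, mso_percent(a.acst_us, b.acst_us));
    printf("WCST: %" PRIu32 " us (baseline %" PRIu32 " us), Omega: %" PRIu32 " us\n",
           a.wcst_us, b.wcst_us, omega_us);
    return mso_tolerable(a.wcst_us, omega_us);
}

int main(void)
{
    printf("T(MSO): %s\n", evaluate_oswat() ? "tolerable" : "not tolerable");
    return 0;
}
```

The decision is taken on the WCST, not the ACST: an instrumented build whose average comfortably fits the cycle can still be intolerable if one phase (here the lock wait in TBW) spikes past Omega, which is why the slides measure both and then argue that none of the factors can push some unmeasured cycle above the bound.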
Mitigation
The mitigation approach in ASan is automatically aborting the vulnerable program, which affects system availability and controllability. We are currently developing a resilient mitigation technique.
Conclusion
We managed to enforce an MS solution in CPS that accurately detects and mitigates MS violations. Its overhead is tolerable (both in ACST and WCST). Its memory usage overhead is high: ≈ 38×.
Future work: we intend to extend the solution to other CPS. The mitigation technique is ongoing work.