Race to the bottom: embedded control systems binary security: an industrial control system protection approach

Ali Abbasi


In recent years, critical infrastructures in various countries have been targeted by cyberattacks. The most famous example of such an attack is Stuxnet, a piece of malware designed to limit the pace of Iranian uranium enrichment by manipulating the control software running in the embedded control systems (ECSs) of the plant. Following Stuxnet, various attacks against ECS devices have been reported, including attacks on the Ukrainian electrical grid that caused a nationwide blackout and the targeting of ECS devices in a refinery in Saudi Arabia. This thesis consists of two parts. In the first part, we examine ECS security from an attacker's perspective. Our most notable contribution in this respect is the engineering of a new kind of attack that had not previously been understood and that takes advantage of a specific feature of embedded devices, namely reconfigurability at the hardware level. In this part, we also evaluate the effectiveness of so-called “emulation-based intrusion detection systems,” which are currently considered sophisticated intrusion detection systems against advanced persistent threats (APTs). Our research shows not only that their effectiveness is limited but also how attackers can adapt their payloads to avoid detection by such systems. In the second part, we examine ECSs from a defender’s perspective and introduce two new protection mechanisms that operate at the device (host) level. These mechanisms are designed to prevent an attacker from gaining access to an ECS device through memory corruption vulnerabilities. The suggested mechanisms make it possible, for the first time, to effectively apply “control-flow integrity” checks to resource-poor and time-constrained devices such as PLCs. At a low level, these techniques also take advantage of some architecture-specific features. We evaluate these techniques and show that they are effective and not easy to bypass.
