Enforcing Memory Safety in Cyber-Physical Systems

Eyasu Getahun Chekole 1,2, John Henry Castellanos 1, Martín Ochoa 1, David K. Y. Yau 1,2

1 Singapore University of Technology and Design, Singapore
2 Advanced Digital Sciences Center, Singapore

Eyasu G. Chekole (SUTD), Enforcing Memory Safety, 15 Sep 2017

Outline

1 Motivation
  - Overview of CPS
  - CPS attacks
2 Contributions
3 Enforcing memory safety
  - Countermeasures
  - Approach
  - Enforcing ASan
  - Experimental design
  - Experimental results
  - Quantifying tolerability
  - Validating tolerability
  - Mitigation
4 Conclusion


Overview of CPS

CPS: the integration of computations and communications with physical processes.

Figure 1: CPS architecture

Secure Water Treatment (SWaT)

SWaT: a water treatment plant at SUTD. It has 6 distinct processes controlled by 6 PLCs.

Figure 2: SWaT


Secure Water Treatment (SWaT)

Figure 3: SWaT architecture

Water inflow process (P1)

Figure 4: Water inflow process


Cyber attacks in CPS

Figure 5: Water inflow process


Memory safety attacks

- (aka) memory corruption attacks. They exploit memory safety vulnerabilities, e.g., buffer overflows and dangling pointers.
- Commonly found in C/C++ programs.
- CVEs have been reported on PLCs: AB PLC [1], Siemens PLC [2], Schneider PLC [3].

Classes of MS attacks:
- Code injection
- Code reuse

[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-5007
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0674
[3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0929

Memory safety attacks in CPS

PLC firmware & control logic are often written in C/C++. Thus, memory safety vulnerabilities are common in CPS.

Figure 6: Exploiting memory-safety vulnerabilities



Main contributions

- Enforcing memory safety in CPS
- Empirically measuring and quantifying the tolerability of the MSO
- Sensitivity analysis on performance factors


Existing countermeasures and approaches

- Stack canaries
- Non-executable (NX)
- Address space layout randomization (ASLR)
- Control flow integrity (CFI)
- Code-instrumentation based methods: insert runtime checks during compilation and catch violations at runtime. They can cover a wide range of errors, but incur high runtime overheads.


Approach

We follow a code-instrumentation based countermeasure, based on secure compiling of PLCs. It is a proactive approach to counter MS attacks by detecting & mitigating MS violations.


Enforcing ASan

We enforced AddressSanitizer (ASan) [4]:
- It is a compile-time MS tool.
- It inserts runtime MS checks at compile-time.
- It covers a wide range of MS vulnerabilities.
- It detects MS violations with high accuracy.

It incurs a high memory-safety overhead (MSO). Thus, we evaluated its tolerability.

[4] Serebryany, K., Bruening, D., Potapenko, A., Vyukov, D.: AddressSanitizer: a fast address sanity checker. In: USENIX ATC'12. (2012)

Secure compiling of PLCs

The PLC program & firmware are compiled with GCC + ASan.

Figure 7: Secure compilation of PLCs


Experimental design

Allen Bradley PLCs are closed source, so we designed open SWaT (oSWaT) by mimicking SWaT.

oSWaT runs on top of RPI:
- Processor speed: 200MHz
- Controller: OpenPLC
- Cycle time: 10MS
- PLC program complexity: 129 instructions
- Number of connections: 7
- Communication frequency: 10MS
- I/O terminal: Arduino
- Digital inputs: 32
- Digital outputs: 16
- Analog inputs: 13
- SCADA system: ScadaBR

Experimental design

Figure 9: Architecture of oSWaT


Detection accuracy

We detected two global buffer overflow vulnerabilities in OpenPLC firmware.

Detection accuracy of ASan from the original paper [5].

Figure 11: Detection accuracy

[5] Serebryany, K., Bruening, D., Potapenko, A., Vyukov, D.: AddressSanitizer: a fast address sanity checker. In: USENIX ATC'12. (2012)


Performance

Figure 12: Average-case scan time (ACST)

Figure 13: Worst-case scan time (WCST)


Quantifying tolerability

Figure 14: The PLC scan cycle

Scan time (TS): the time taken to complete a scan cycle.

TS = TSI + TRL + TUO + TBW

Cycle time (Ω): an upper bound on the time of a scan cycle.

Suppose the worst-case scan time (WCST) is τ. Tolerability of the MSO (T(MSO)):

T(MSO) = Tolerable,     if τ ≤ Ω
         Not tolerable, otherwise


Validating tolerability

Approaches to validate tolerability:
- Empirical measurement: we have already measured the average and worst case performance.
- WCST analysis
- A combination of the two

WCST analysis

Suppose τ is the measured WCST. Would there exist any WCST φ s.t. φ > Ω > τ? – Intolerable Condition (IC)

We need to do a WCST analysis on the factors.

WCST analysis

Processor speed: it is fixed ⇒ wouldn't result in the IC.

Complexity of the PLC program: it consists of various types of instructions, e.g., AND, OR, NOT. Each instruction has a fixed execution time. No loops and recursions ⇒ wouldn't result in the IC.

WCST analysis

Communication frequency: the PLC communicates with n nodes and receives packets at rate r. It handles r ∗ n packets per unit time ⇒ fixed. Thus, it wouldn't cause the IC.

Number of I/O: the number of I/Os is fixed. Thus, it wouldn't result in the IC.

WCST analysis

Concurrency problem: the communication and scan cycle threads access a shared resource, the I/O buffers. There is locking to avoid race conditions or deadlocks, which results in a non-deterministic TBW. But communications are limited and concurrency gets handled efficiently. Thus, it wouldn't result in the IC.
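The scan-time model and T(MSO) check from the "Quantifying tolerability" slide, together with the factor-based WCST analysis of the slides above, written out as an added example (not code from the talk or from OpenPLC). Sample scan cycles, per-unit costs and the TBW bound are constructed assumptions; Ω is taken as the oSWaT cycle time of 10 ms, expressed in microseconds.

```c
/* Added example (not from the slides or OpenPLC): the talk's scan-time model,
 * tolerability check T(MSO) and WCST factor analysis on constructed numbers.
 * Times in microseconds; omega is the cycle time (10 ms on oSWaT). */
#include <stddef.h>

/* One scan cycle: TS = TSI + TRL + TUO + TBW. */
typedef struct { double tsi, trl, tuo, tbw; } scan_cycle_t;

double scan_time(const scan_cycle_t *c) {
    return c->tsi + c->trl + c->tuo + c->tbw;
}

/* Empirical measurement: ACST is the mean TS, WCST (tau) the largest TS. */
double acst(const scan_cycle_t *cy, size_t n) {
    double sum = 0.0;
    for (size_t i = 0; i < n; i++) sum += scan_time(&cy[i]);
    return n ? sum / (double)n : 0.0;
}

double wcst(const scan_cycle_t *cy, size_t n) {
    double worst = 0.0;
    for (size_t i = 0; i < n; i++)
        if (scan_time(&cy[i]) > worst) worst = scan_time(&cy[i]);
    return worst;
}

/* T(MSO): 1 (tolerable) iff tau <= omega, 0 (not tolerable) otherwise. */
int tolerable(double tau, double omega) { return tau <= omega; }

/* WCST analysis over the factors the talk lists: a loop-free program of
 * fixed-cost instructions, r*n packets, fixed I/O, bounded but jittery TBW. */
typedef struct {
    int instructions;          /* program complexity, e.g. 129 */
    int nodes;                 /* n connections, e.g. 7 */
    double packets_per_cycle;  /* r, packets per node per cycle */
    int io_points;             /* digital + analog I/O */
    double tbw_max;            /* worst-case buffer write-back (lock wait) */
} factors_t;

double wcst_bound(const factors_t *f) {
    const double c_instr = 5.0, c_pkt = 40.0, c_io = 8.0; /* assumed us */
    return f->instructions * c_instr + f->nodes * f->packets_per_cycle * c_pkt
         + f->io_points * c_io + f->tbw_max;
}

/* Intolerable condition (IC): an analytical WCST phi with phi > omega > tau. */
int intolerable_condition(double phi, double omega, double tau) {
    return phi > omega && omega > tau;
}
```

A measured τ ≤ Ω alone does not exclude the IC; the same check must also hold for the analytical bound φ computed from the factors.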


Mitigation

The mitigation approach in ASan is automatically aborting the vulnerable program, which affects system availability and controllability. We are currently developing a resilient mitigation technique.


Conclusion

We managed to enforce a MS solution in CPS that accurately detects and mitigates MS violations.
- Its overhead is tolerable (both in ACST and WCST).
- Its memory usage overhead is high – ≈ 38×.

Future work:
- Intending to extend the solution to other CPS.
- The mitigation technique is an ongoing work.


Thank you very much for your attention!