Fuzzing and protocol analysis case-study of DNP3
Adam Crain, Automatak

DNP3 was developed by Harris Corp and handed over to a vendor-neutral Users Group in 1993. Many features have since been “bolted on”, including security.

Layered Architecture (top to bottom)
• User code: the IED/RTU or your SCADA master
• Application Layer: Application Service Data Unit (ASDU), typical max size of 2KB; semantics == functions + objects
• Transport Layer: Tx segmentation and Rx re-assembly of APDUs
• Link Layer: adds CRCs and addressing; error checking and (de)multiplexing

Application layer messages

Application-layer semantics
FUNCTION CODES: READ, WRITE, OPERATE, CONFIRM, …, RESPONSE, UNSOLICITED
OBJECTS: measurements, time sync, file transfer, controls, etc., etc.
● ∞ combinations
● multiple object types per message
● some function codes are “function only” (no objects)

Project Robus
• Started in April 2013
• 30+ CVEs found via fuzzing
• Deep study of failure modes in one protocol
• automatak.com/robus

Focus on serial / masters

DNP3 Fuzzing Test (sequence diagram, fuzzer → target)
• Send a fuzzed DNP3 message (DL, TL, or AL)
• Request Link States → Link Status, repeated up to Num Retry (10) times, to see whether the target is still alive
• Request → Response, a normal application-layer exchange to see whether the target still functions
• Repeat × Num Test Cases

Common Faults
F0 82 00 00 01 00 02 00 00 00 00 FF FF FF FF
• Unsolicited Response (function code 0x82)
• Group 1 Variation 0: sizeless?!
• Qualifier 0x02: 4-byte start/stop, start = 0, stop = 4294967295
uint32_t count = stop - start + 1; // ← integer overflow

Less Common Faults: unexpected function code / object combinations
DD 82 00 00 0C 01 00 00 01 rnd(11) rnd(11)
• Unsolicited Response carrying Control Relay Output Blocks (Group 12 Variation 1), 1-byte start/stop, indices 0–1: CROB #1, CROB #2 (11 random bytes each)
● buffer overrun in the master
● not malformed!
● unexpected objects (controls inside a response)
● accepts broadcast
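Both faults above come from trusting what the object header says before checking it against the bytes that actually follow. The walker below is an added example, not code from the slides, from the DNP3 specification or from Automatak: it models the two faults on the slides' own byte strings (the uint32 wrap on g1v0 with a 32-bit range 0..0xFFFFFFFF, and a master accepting CROBs inside an Unsolicited Response) and rejects both. The object-size table, the group allow-list and the sample APDUs are a constructed subset; anything the table does not know is rejected rather than guessed.

```python
"""Defensive walker for DNP3 response APDU object headers (added example)."""
from dataclasses import dataclass
from typing import List, Tuple

FC_RESPONSE = 0x81
FC_UNSOLICITED = 0x82

# Fixed per-object sizes (bytes) for the variations this example knows.
# Variation 0 ("any variation") is absent on purpose: it is sizeless and
# only meaningful in a request, never in a response.
OBJECT_SIZES = {
    (1, 2): 1,    # Binary Input with flags
    (12, 1): 11,  # Control Relay Output Block (CROB)
    (30, 1): 5,   # 32-bit Analog Input with flags
}

# Constructed policy: object groups a master accepts inside a response.
# Group 12 (CROB) is a command the master sends; it never belongs in a
# response the master receives.
MASTER_ACCEPTED_RESPONSE_GROUPS = {1, 2, 30, 32}

# Width in bytes of the start/stop indices for qualifier range codes 0..2.
RANGE_WIDTH = {0: 1, 1: 2, 2: 4}


class ParseError(ValueError):
    pass


@dataclass
class ObjectHeader:
    group: int
    variation: int
    qualifier: int
    start: int
    stop: int
    count: int
    data: bytes


def naive_count(start: int, stop: int) -> int:
    """The slide's `uint32_t count = stop - start + 1;` with C wraparound."""
    return (stop - start + 1) & 0xFFFFFFFF


def parse_response_apdu(apdu: bytes) -> Tuple[int, int, List[ObjectHeader]]:
    """Parse a response/unsolicited APDU as a master receives it.

    Returns (app_control, function_code, headers) or raises ParseError.
    """
    if len(apdu) < 4:
        raise ParseError("response APDU needs control, function and IIN")
    control, function = apdu[0], apdu[1]
    if function not in (FC_RESPONSE, FC_UNSOLICITED):
        raise ParseError(f"master does not accept function code 0x{function:02X}")
    # Bit 4 of the application control octet is UNS; it must match the function.
    if bool(control & 0x10) != (function == FC_UNSOLICITED):
        raise ParseError("UNS bit does not match function code")
    pos, headers = 4, []  # skip the 2-byte IIN
    while pos < len(apdu):
        if len(apdu) - pos < 3:
            raise ParseError("truncated object header")
        group, variation, qualifier = apdu[pos], apdu[pos + 1], apdu[pos + 2]
        pos += 3
        if group not in MASTER_ACCEPTED_RESPONSE_GROUPS:
            raise ParseError(f"group {group} not permitted in a response to a master")
        if variation == 0:
            raise ParseError(f"g{group}v0 is sizeless; only legal in a request")
        size = OBJECT_SIZES.get((group, variation))
        if size is None:
            raise ParseError(f"unknown object g{group}v{variation}")
        if qualifier & 0x70:
            raise ParseError("prefixed objects are not handled in this example")
        width = RANGE_WIDTH.get(qualifier & 0x0F)
        if width is None:
            raise ParseError(f"unsupported qualifier 0x{qualifier:02X}")
        if len(apdu) - pos < 2 * width:
            raise ParseError("truncated range field")
        start = int.from_bytes(apdu[pos:pos + width], "little")
        stop = int.from_bytes(apdu[pos + width:pos + 2 * width], "little")
        pos += 2 * width
        if stop < start:
            raise ParseError(f"stop {stop} < start {start}")
        count = stop - start + 1  # Python ints do not wrap; bound the result explicitly
        need = count * size
        if need > len(apdu) - pos:
            raise ParseError(f"{count} x {size}-byte objects exceed {len(apdu) - pos} remaining bytes")
        headers.append(ObjectHeader(group, variation, qualifier, start, stop, count, apdu[pos:pos + need]))
        pos += need
    return control, function, headers


# Constructed samples built from the byte strings on the slides.
OVERFLOW_APDU = bytes.fromhex("F0 82 00 00 01 00 02 00 00 00 00 FF FF FF FF")
CROB_APDU = bytes.fromhex("DD 82 00 00 0C 01 00 00 01") + bytes(range(11)) * 2  # stands in for rnd(11) rnd(11)
GOOD_APDU = bytes.fromhex("F0 82 00 00 01 02 00 00 02 81 01 81")  # 3 binary inputs with flags, indices 0..2


def classify(apdu: bytes) -> str:
    try:
        _, _, headers = parse_response_apdu(apdu)
    except ParseError as exc:
        return f"rejected: {exc}"
    return "accepted: " + ", ".join(f"g{h.group}v{h.variation}x{h.count}" for h in headers)


if __name__ == "__main__":
    print("naive uint32 count for 0..0xFFFFFFFF:", naive_count(0, 0xFFFFFFFF))
    for sample in (OVERFLOW_APDU, CROB_APDU, GOOD_APDU):
        print(sample.hex(" "), "->", classify(sample))
```

The order of the checks matters: the group allow-list and the variation-0 check run before any arithmetic on the range, so the message that wraps a C `uint32_t` to zero never reaches a size computation here, and the well-formed CROB message is rejected on policy rather than on syntax, which is the only way to catch the "not malformed!" case.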

DNP3 Security
Secure Authentication (SA) sits in the Application Layer, above the Transport and Link layers.
● Tightly coupled to the DNP3 application layer
● Auth-only (authentication and integrity, no confidentiality)
● New functions
● New objects
● 2 modes of authentication

Application Layer: complex parsing, porous trust boundary
• Data is dangerous; intended function matters not.
• Every time you extend DNP3, you make it less secure.
• Optional challenges make the security state machine overly complex.
• Logging: %n%n%n

2 modes of authentication
• Challenge-response: 2-pass authentication
• “Aggressive mode”: 1-pass authentication

Aggressive mode message: Header / Function, then the payload object headers.
Issue #1: Aggressive-mode ambiguity
You can only tell whether this is an aggressive-mode request by speculatively parsing the 1st object header. Ambiguity is dangerous.

Issue #2: Lack of an envelope for HMAC
In the diagram: Header / Function, the aggressive-mode object (USER, CSQ), the payload headers, and the HMAC last. DNP3 headers cannot be “skipped”. They must be parsed sequentially (at least lightly) so that you know where the next one starts, so every header is walked on unauthenticated data before the HMAC can even be located.
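Issues #1 and #2 are about how much attacker-controlled data the receiver has to interpret before it can verify anything. The following is an added example that is not code from the slides, from the DNP3-SA specification or from Automatak; both message layouts are constructed stand-ins, not real DNP3 encodings, and HMAC-SHA256 stands in for the MAC. Layout A puts the authenticator in-band as the last header, so the receiver must speculatively parse the first header to learn the message is authenticated at all and then follow every length byte to find the MAC. Layout B is the envelope the slides argue for: one fixed-width length, the MAC check, and only then parsing.

```python
"""In-band MAC vs. envelope: how much untrusted parsing precedes verification."""
import hashlib
import hmac
import struct
from typing import List, Tuple

KEY = b"constructed-session-key"  # constructed for the example only
TAG_AGGR, TAG_DATA, TAG_MAC = 0x01, 0x02, 0x09  # constructed tag values
MAC_LEN = hashlib.sha256().digest_size


def mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag, len(value)]) + value


# ---- Layout A: the MAC is just the last TLV in the sequence (no envelope) ----
def build_inband(key: bytes, payload: List[bytes]) -> bytes:
    # Aggressive-mode marker first: constructed 2-byte USER + 4-byte CSQ.
    body = tlv(TAG_AGGR, struct.pack("<HI", 1, 42)) + b"".join(payload)
    return body + tlv(TAG_MAC, mac(key, body))


def verify_inband(key: bytes, msg: bytes) -> Tuple[bool, int]:
    """Return (authentic, number of unauthenticated headers walked)."""
    pos, walked = 0, 0
    while pos + 2 <= len(msg):
        tag, length = msg[pos], msg[pos + 1]
        walked += 1
        if pos == 0 and tag != TAG_AGGR:
            return False, walked  # Issue #1: only the first header says whether a MAC exists
        if pos + 2 + length > len(msg):
            return False, walked  # truncated by an attacker-chosen length byte
        if tag == TAG_MAC:
            if pos + 2 + length != len(msg):
                return False, walked  # trailing bytes after the MAC
            return hmac.compare_digest(msg[pos + 2:], mac(key, msg[:pos])), walked
        pos += 2 + length  # Issue #2: every length byte steers where we look next
    return False, walked  # ran off the end without finding a MAC


# ---- Layout B: length-framed envelope, MAC over the length and the body ----
def build_envelope(key: bytes, body: bytes) -> bytes:
    framed = struct.pack("<H", len(body)) + body
    return framed + mac(key, framed)


def verify_envelope(key: bytes, msg: bytes) -> Tuple[bool, bytes]:
    """Read one fixed-width length, verify, and only then release the body."""
    if len(msg) < 2 + MAC_LEN:
        return False, b""
    (n,) = struct.unpack_from("<H", msg, 0)
    if 2 + n + MAC_LEN != len(msg):
        return False, b""
    if not hmac.compare_digest(msg[2 + n:], mac(key, msg[:2 + n])):
        return False, b""
    return True, msg[2:2 + n]


# Constructed payload: two data objects of 5 and 7 bytes.
PAYLOAD = [tlv(TAG_DATA, b"A" * 5), tlv(TAG_DATA, b"B" * 7)]
INBAND = build_inband(KEY, PAYLOAD)
ENVELOPE = build_envelope(KEY, b"".join(PAYLOAD))


def tamper(msg: bytes, offset: int, value: int) -> bytes:
    out = bytearray(msg)
    out[offset] = value
    return bytes(out)


if __name__ == "__main__":
    print("in-band, genuine:", verify_inband(KEY, INBAND))
    # Offset 9 is the length byte of the first payload TLV (after the 8-byte marker).
    print("in-band, length forged to 0xFF:", verify_inband(KEY, tamper(INBAND, 9, 0xFF)))
    print("in-band, length forged to 0x00:", verify_inband(KEY, tamper(INBAND, 9, 0x00)))
    print("envelope, genuine:", verify_envelope(KEY, ENVELOPE)[0])
    print("envelope, body byte flipped:", verify_envelope(KEY, tamper(ENVELOPE, 4, 0x00))[0])
```

Both verifiers reject every forgery, so the difference is not the outcome but the path to it: in Layout A a single forged length byte makes the receiver treat payload bytes as headers (the 0x00 case walks one header further than the 0xFF case, entirely under the sender's control), whereas in Layout B the only unauthenticated value ever interpreted is one 16-bit length, and a wrong one fails closed before any MAC or body parsing.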

“Session key status object”
• Total size framed by TLV in wrapping header
• Composed of fixed-size and variable-length subfields
• Final variable-length field is the remainder of the encapsulation.

“Update key change reply”
• Total size framed by TLV in wrapping header
• Composed of fixed-size and variable-length subfields
• Final variable-length field is the remainder of the encapsulation AND carries its own length prefix (two descriptions of one size).
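When one field is sized twice, a parser that honours one length and ignores the other silently trusts whichever one the sender chose to lie about. The parser below is an added example, not code from the slides, from the DNP3-SA specification or from Automatak; its layout (a 2-byte wrapper total, 4-byte sequence and 2-byte user subfields, then a length-prefixed final field that is also "whatever remains") is a constructed stand-in for the shape the slide describes, and it refuses any message in which the two descriptions disagree.

```python
"""Redundant lengths must agree (added example with a constructed layout)."""
import struct


class LengthMismatch(ValueError):
    pass


# Constructed layout: total(2) | sequence(4) | user(2) | data_len(2) | data
FIXED_FMT = "<IHH"
FIXED_LEN = struct.calcsize(FIXED_FMT)  # 8 bytes of fixed-size subfields


def build_reply(seq: int, user: int, data: bytes, *, data_len=None, total=None) -> bytes:
    """Build a reply; the keyword overrides let a test forge either length."""
    prefix = len(data) if data_len is None else data_len
    body = struct.pack(FIXED_FMT, seq, user, prefix) + data
    return struct.pack("<H", len(body) if total is None else total) + body


def parse_reply(wrapper: bytes):
    if len(wrapper) < 2:
        raise LengthMismatch("no wrapper length")
    (total,) = struct.unpack_from("<H", wrapper, 0)
    if total != len(wrapper) - 2:
        raise LengthMismatch(f"wrapper says {total} bytes, {len(wrapper) - 2} present")
    body = wrapper[2:]
    if len(body) < FIXED_LEN:
        raise LengthMismatch("fixed-size subfields missing")
    seq, user, data_len = struct.unpack_from(FIXED_FMT, body, 0)
    data = body[FIXED_LEN:]
    # The final field is sized by its own prefix AND by the encapsulation;
    # accept it only when both say the same thing.
    if data_len != len(data):
        raise LengthMismatch(f"prefix says {data_len} bytes, encapsulation leaves {len(data)}")
    return seq, user, data


def check(wrapper: bytes) -> str:
    try:
        seq, user, data = parse_reply(wrapper)
    except LengthMismatch as exc:
        return f"rejected: {exc}"
    return f"accepted: seq={seq} user={user} data={data.hex()}"


if __name__ == "__main__":
    good = build_reply(7, 1, b"\xaa" * 4)
    print(check(good))
    print(check(build_reply(7, 1, b"\xaa" * 4, data_len=64)))  # prefix over-claims
    print(check(build_reply(7, 1, b"\xaa" * 4, total=5)))      # wrapper under-claims
```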

What does the spec have to say?

SA Conclusions
• Prefer a layered approach to SCADA security that decouples legacy protocol encodings/semantics from security.
• Design security to address both the functional and the implementation attack surface.

How can langsec help?
• Critical infrastructure vendors need better tools besides hand-rolled parsers.
• Standards bodies need the theory/guidance to produce better designs.
• Protocols need reference implementations to guide their evolution.

Questions?