Ghost in the PLC: Designing an Undetectable Programmable Logic Controller Rootkit

Presented at Black Hat Europe 2016, Nov. 3, 2016, 11:15 a.m. (60 minutes)

Programmable Logic Controllers (PLCs) are a family of embedded devices used for physical process control. Similar to other embedded devices, PLCs are vulnerable to cyber attacks. Because they are used to control the physical processes of critical infrastructures, compromised PLCs constitute a significant security and safety risk. In this research, we investigate attacks against PLCs from two different perspectives. We show how to circumvent current host-based detection mechanisms applicable to PLCs by avoiding typical function hooking or modifying kernel data structure. We then introduce a novel attack against a PLC that allows the adversary to stealthily manipulate the physical process it controls by tampering with the device I/O at a low level. The attack is feasible due to lack of hardware interrupt on the PLC's SoC and intensified by Pin Control subsystem inability for hardware level Pin Configuration detection. Our study is meant to be used as a basis for the design of more robust detection techniques specifically tailored for PLCs.

Presenters:

• Majid Hashemi - Research Engineer, Quarkslab
  Majid Hashemi is a Research & Development Engineer at Quarkslab, France. In his role as a researcher at Quarkslab, he is dedicated to reverse engineering and analyzing embedded devices. Majid's foremost curiosity is for low-level programming and reverse engineering the dark corners of the operating system. In the past, Majid was mostly involved in analyzing critical infrastructures and radio communications equipment.
• Ali Abbasi - PhD Student, DISTRIBUTED AND EMBEDDED SYSTEMS SECURITY GROUP, UNIVERSITY OF TWENTE
  Ali Abbasi is a Ph.D. candidate in Distributed and Embedded System Security group at the University of Twente, The Netherlands and visiting Ph.D. researcher at the Chair of Systems Security of Ruhr-University Bochum, Germany. His research interest involves embedded systems security mostly related to Industrial Control Systems, Critical Infrastructure security, and Real-Time Operating Systems security. He received his master degree in Computer Science from Tsinghua University, Beijing, China in 2013. He was working there on Programmable Logic Controller (PLC) security in Network Security Lab, Microprocessor and SoC Technology R&D center with the National 863 High-tech Program grant from Ministry of Industry and Information Technology of China. He is currently doing his research at the Chair of Systems Security of Ruhr-University Bochum regarding designing system-level protection mechanisms to battle against the sophisticated memory corruption and code-reuse attacks against PLCs and other critical real-time embedded systems. Before that Ali was working as Head of Vulnerability Analysis and Penetration Testing Group at National Computer Security Incident Response Team (CSIRT) at the Sharif University of Technology in Tehran, Iran.

Links:

• https://www.blackhat.com/eu-16/briefings/schedule/#ghost-in-the-plc-designing-an-undetectable-programmable-logic-controller-rootkit-4437
• https://infocon.org/cons/Black Hat/Black Hat Europe/Black Hat Europe 2016/videos/Ghost in the PLC - Designing an Undetectable Programmable Logic Controller Rootkit.mp4
• https://infocon.org/cons/Black Hat/Black Hat Europe/Black Hat Europe 2016/videos/Ghost in the PLC - Designing an Undetectable Programmable Logic Controller Rootkit.eng.srt (subtitles)
• https://www.youtube.com/watch?v=hS8QQeV3PTo

Similar Presentations:

• 33C3 (2016) / Do as I Say not as I Do: Stealth Modification of Programmable Logic Controllers I/O by Pin Control Attack
• Black Hat Asia 2016 / PLC-Blaster: A Worm Living Solely in the PLC
• DEF CON 26 (2018) / Hacking PLCs and Causing Havoc on Critical Infrastructures