The Data Distribution Service (DDS) Protocol is Critical: Let's Use it Securely!

Presented at Black Hat Europe 2021, Nov. 11, 2021, 1:30 p.m. (40 minutes).

We discovered and disclosed vulnerabilities in most of the OMG Data Distribution Service (DDS) implementations. DDS enables crucial technologies like autonomous driving, healthcare machinery, military tactical systems, or missile launch stations. Notably, DDS is used by NASA at the KSC, by SIEMENS for smart grid applications, by Volkswagen and Bosch for autonomous valet parking systems, by NAV CANADA for ATC, and by the Robot Operating System 2 (ROS2) to control industrial and consumer robots.

Designed around industrial-level requirements, DDS sits deep in the control network, allowing an arbitrary number of endpoints like sensors or actuators to communicate transparently, with an abstract API based on familiar data type specifications (e.g., C structs) and simple function calls, regardless of the complexity of the data.

We approached DDS from the bottom up, and we will show you how we wrote a Scapy layer to guide you through the packet structure. Although network fuzzing wasn't directly effective, it greatly helped us master the tiny details of DDS. This led us to find an amplification vulnerability in the standard itself, which an attacker can use to amplify traffic and redirect the resulting flood at an arbitrary host. DDS configuration is highly dependent on XML, JSON, YAML, or similar formats, which makes those configuration files another attack vector. By writing a Radamsa-based file fuzzer we found a parsing vulnerability in RTI DDS Connector, so an attacker can use a malicious configuration file to gain initial access. We then focus on fuzzing the message interpretation routines in all implementations. Using concrete examples, we explain how to pick good fuzz targets and prepare them for popular frameworks like OSS-Fuzz and UnicornAFL.
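As an added, stand-alone illustration of the RTPS packet structure the talk's Scapy layer decodes, here is a plain-Python walker written for this page (it is example code, not the authors' Scapy layer and not code from any DDS implementation). It parses the 20-byte RTPS header, walks the submessage chain honouring the endianness flag and the octetsToNextHeader == 0 rule from the OMG RTPS 2.x specification, and rejects any message whose length fields run past the buffer, which is exactly the kind of check a message-interpretation fuzz target exercises. The sample bytes, including the vendor id, are constructed, not captured.

```python
"""Minimal RTPS (DDS wire protocol) header and submessage walker.

Example code written for this page; not the authors' Scapy layer.
Layout follows the public OMG RTPS 2.x specification:
  Header (20 bytes): 'RTPS' | major | minor | vendorId(2) | guidPrefix(12)
  Submessage header (4 bytes): submessageId | flags | octetsToNextHeader(2)
The low bit of flags (E) gives the endianness of octetsToNextHeader.
"""
import struct
from dataclasses import dataclass
from typing import List, Tuple

# Submessage kinds from the RTPS 2.x specification
SUBMESSAGE_NAMES = {
    0x01: "PAD", 0x06: "ACKNACK", 0x07: "HEARTBEAT", 0x08: "GAP",
    0x09: "INFO_TS", 0x0C: "INFO_SRC", 0x0D: "INFO_REPLY_IP4",
    0x0E: "INFO_DST", 0x0F: "INFO_REPLY", 0x12: "NACK_FRAG",
    0x13: "HEARTBEAT_FRAG", 0x15: "DATA", 0x16: "DATA_FRAG",
}
HEADER_LEN = 20
SUBHDR_LEN = 4
FLAG_ENDIAN = 0x01


@dataclass
class RtpsHeader:
    version: Tuple[int, int]
    vendor_id: bytes
    guid_prefix: bytes


@dataclass
class Submessage:
    kind: int
    flags: int
    body: bytes

    @property
    def name(self) -> str:
        return SUBMESSAGE_NAMES.get(self.kind, f"UNKNOWN_0x{self.kind:02X}")


def parse_header(buf: bytes) -> RtpsHeader:
    if len(buf) < HEADER_LEN or buf[:4] != b"RTPS":
        raise ValueError("not an RTPS message")
    return RtpsHeader((buf[4], buf[5]), bytes(buf[6:8]), bytes(buf[8:20]))


def parse_submessages(buf: bytes) -> List[Submessage]:
    """Walk the submessage chain, refusing any length that leaves the buffer."""
    subs, off = [], HEADER_LEN
    while off < len(buf):
        if len(buf) - off < SUBHDR_LEN:
            raise ValueError(f"truncated submessage header at offset {off}")
        kind, flags = buf[off], buf[off + 1]
        fmt = "<H" if flags & FLAG_ENDIAN else ">H"
        (octets,) = struct.unpack_from(fmt, buf, off + 2)
        start = off + SUBHDR_LEN
        if octets == 0:
            # Spec rule: for PAD/INFO_TS a zero means "no body"; for any
            # other kind it means "last submessage, runs to end of message".
            end = start if kind in (0x01, 0x09) else len(buf)
        else:
            end = start + octets
        if end > len(buf):
            raise ValueError(
                f"{SUBMESSAGE_NAMES.get(kind, hex(kind))} at offset {off} "
                f"claims {octets} octets, only {len(buf) - start} left")
        subs.append(Submessage(kind, flags, bytes(buf[start:end])))
        off = end
    return subs


def parse_message(buf: bytes) -> Tuple[RtpsHeader, List[Submessage]]:
    return parse_header(buf), parse_submessages(buf)


def is_well_formed(buf: bytes) -> bool:
    try:
        parse_message(buf)
        return True
    except ValueError:
        return False


# Constructed sample (not a capture; vendor id is an arbitrary value):
# header, an INFO_TS submessage, then a DATA submessage, all little-endian.
SAMPLE_HEADER = b"RTPS" + bytes([2, 3]) + b"\x01\x0F" + bytes(range(12))
SAMPLE_INFO_TS = bytes([0x09, 0x01]) + struct.pack("<H", 8) + b"\x00" * 8
SAMPLE_DATA = bytes([0x15, 0x01]) + struct.pack("<H", 20) + b"\xAA" * 20
SAMPLE_MSG = SAMPLE_HEADER + SAMPLE_INFO_TS + SAMPLE_DATA

# Same DATA submessage, but its length field lies about what follows it.
LYING_MSG = SAMPLE_HEADER + bytes([0x15, 0x01]) + struct.pack("<H", 0xFFFF) + b"\xAA" * 20

if __name__ == "__main__":
    hdr, subs = parse_message(SAMPLE_MSG)
    print(hdr.version, [(s.name, len(s.body)) for s in subs])
    print("lying message well-formed:", is_well_formed(LYING_MSG))
```

The bounds check before every body slice is the point: an implementation that trusts octetsToNextHeader and reads that many bytes from a short datagram is the classic out-of-bounds read a network or harness fuzzer would surface, so a corpus for such a target should include both truncated messages and ones whose length fields overshoot.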

We take you from knowing nothing about DDS to efficiently researching new vulnerabilities, which we encourage other researchers, DDS users and implementors to do. We report on our interactions with some of the DDS implementors, which we believe is the first concrete step towards securing this critical protocol in the long run. We release fuzzing harnesses and a Scapy layer to decode the DDS RTPS layer.


Presenters:

  • Mars Cheng - Threat Researcher, TXOne Networks Inc.
    Mars Cheng (@marscheng_) is a threat researcher for TXOne Networks, blending a background and experience in both ICS/SCADA and enterprise cybersecurity systems. Mars has directly contributed to more than 10 CVE-IDs, and has had work published in three Science Citation Index (SCI) applied cryptography journals. Before joining TXOne, Mars was a security engineer at the Taiwan National Center for Cyber Security Technology (NCCST). Mars is a frequent speaker and trainer at several international cyber security conferences such as Black Hat, DEFCON, SecTor, FIRST, HITB, ICS Cyber Security Conference Asia and USA, HITCON, SINCON, CYBERSEC, CLOUDSEC, VXCON and InfoSec Taiwan as well as other conferences and seminars related to the topics of ICS and IoT security. Mars is general coordinator of HITCON (Hacks in Taiwan Conference) 2021 and was vice general coordinator of HITCON 2020.
  • Patrick Kuo - Threat Researcher, TXOne Networks
    Patrick Kuo (@patrickkuo_t) is a threat researcher and hunting system developer for TXOne Networks. He focuses on big data analysis, threat hunting engine building and threat hunting system development. For big data analysis, Patrick has focused on monitoring and classifying malicious payloads from big data, and then analyzing the correctness and uniqueness of these payloads. For the threat hunting engine, Patrick has focused on building, integrating, refactoring and improving the engine to improve its ability to hunt malicious attacks and payloads. For the threat hunting system, Patrick has focused on creating complete and adjustable infrastructure to process and analyze large amounts of data flow in real time. Patrick is a speaker at several international cyber security conferences such as Black Hat, FIRST and CYBERSEC.
  • Ta-Lun Yen - Threat Researcher, TXOne Networks
    Ta-Lun Yen is a security researcher with interests in reverse engineering, protocol analysis, wireless security, embedded and IoT/ICS device security. He has been a member of a Taiwanese InfoSec community "UCCU Hacker" and has presented various research at well-known conferences and events. Ta-Lun is currently working for TXOne Networks (Trend Micro) with a focus on offensive research.
  • Federico Maggi - Senior Researcher, Trend Micro Research
    Federico Maggi has more than a decade of research experience in the cybersecurity field and has done offensive and defensive research on web applications, network protocols and devices, embedded systems, radio-frequency control systems, industrial robots, cars, and mobile devices. Some of his research work has been featured on mainstream and media outlets such as Wired, Reuters, Forbes, Hackread, ZDNet, and MIT Technology Review. Federico is currently employed as a Senior Researcher with security giant Trend Micro (https://trendmicro.com), and was an Assistant Professor at Politecnico di Milano, one of the leading engineering technical universities in Italy. Aside from his teaching activities, Federico co-directed the security group and has managed hundreds of graduate students. Federico has given several lectures and talks as an invited speaker at international venues and research schools, and also serves in the review or organizing committees of well-known conferences. More information about Federico and his work is available online at https://maggi.cc
  • Erik Boasson - Senior Technologist, ADLINK Technology
    Erik Boasson is a member of the Technology Office of ADLINK Technology. His focus is on DDS, its applications and future developments, and currently his efforts are mostly directed towards developing Eclipse Cyclone DDS. He has more than two decades of experience in the field, starting at the source of the data-centric programming model at Hollandse Signaalapparaten BV in the '90s. His implementation of the SPLICE architecture there has proven itself in several contexts, including as a tool to convince the US DoD to mandate data-centric systems.
  • Chizuru Toyama - Staff Engineer, TX One Networks (Trend Micro)
    Chizuru Toyama is a security researcher at Trend Micro/TXOne Networks. Chizuru has been working for over a decade in the security industry. Chizuru previously developed forensic tools, then shifted research focus to IoT and ICS related products and protocols. Chizuru is currently working on ICS vulnerability research and has been credited in multiple ICS-CERT advisories.
  • Víctor Mayoral-Vilches - Robotics Security Researcher, Alias Robotics
    Víctor Mayoral-Vilches is a robotics architect with a strong technical background in embedded systems. Víctor has wide experience as an invited speaker in robotics forums and experience in cybersecurity and functional safety. Víctor authored the Akerbeltz ransomware for collaborative robots, the aztarna robot footprinting tool, the Robot Vulnerability Scoring System (RVSS) and the Robot Vulnerability Database (RVD), amongst other robot cybersecurity research products, while working at Alias Robotics, a firm specialized in robot cybersecurity. Víctor has more than 25 scientific publications and 10 patents filed, mostly in the fields of secure and reconfigurable hardware and software for robots. Víctor spent the last 10 years building robots and interacting with manufacturers, and built, funded and led, end to end, 3 robotics startups designing robotic hardware and software architectures through adaptable FPGA-based System on Modules (SoMs), in cooperation with top silicon vendors. Víctor built partnerships with leading communication and robotics firms in security and robotics and served clients worldwide through projects ranging from the US DARPA to Japan's Mitsubishi, by way of ABB. Víctor was selected as one of the ten most innovative individuals under 35 in Spain by the MIT Technology Review in 2017 and held multiple national expert positions representing Spain in ISO and IEC committees for new standards in working groups for robotics and cybersecurity. Víctor led a security team that uncovered hundreds of vulnerabilities in robots (with their corresponding CVE IDs) and sometimes writes at https://cybersecurityrobotics.net/.
