OTRazor: Static Code Analysis for Vulnerability Discovery in Industrial Automation Scripts

Presented at Black Hat USA 2020 Virtual, Aug. 5, 2020, 1:30 p.m. (40 minutes)

In this talk, we delve into industrial robot programming, focusing on the security issues arising from the design and implementation choices of these platforms.

Industrial robot manufacturers provide proprietary, domain-specific programming languages to operate these complex machines. Although mostly focused on movement instructions, these languages also give access to low-level system resources such as files and the network, and some even allow dynamic code loading. While useful, these features can lead to unsafe programming patterns, such as input-validation vulnerabilities or malware-like functionality, especially when the underlying environment offers no resource isolation of the kind found in modern operating systems.

After describing the technical features of the languages from eight leading manufacturers, we'll share several cases of vulnerable and malicious usage. We'll then present a static code analyzer that we created and patented to scan robotic programs and discover unsafe code patterns. Our evaluation on 50 automation programs shows that unsafe patterns are indeed found in real-world code, and that static source code analysis is an effective defense tool in the short term.
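To illustrate the kind of unsafe-pattern scan the abstract describes, here is a small taint-tracking checker added for this page (it is not OTRazor and does not model any vendor's language): it runs over a constructed, vendor-neutral pseudo-language in which network and file reads are external sources, a range check is the sanitizer, and motion and dynamic-code-loading instructions are the sensitive sinks.

```python
import re

# Constructed, vendor-neutral pseudo-language (an assumption, not any real robot
# language), one instruction per line:
#   v = RECV() / v = READFILE(name)  external input (network / file) -> source
#   CHECK(v, lo, hi)                 range-validate v                -> sanitizer
#   MOVE(v) / LOAD(v)                motion instruction / dynamic code loading -> sinks
SOURCES = {"RECV", "READFILE"}
SINKS = {"MOVE", "LOAD"}
ASSIGN = re.compile(r"^\s*(\w+)\s*=\s*(\w+)\s*\(([^)]*)\)\s*$")
CALL = re.compile(r"^\s*(\w+)\s*\(([^)]*)\)\s*$")

def _args(text):
    return [a.strip() for a in text.split(",") if a.strip()]

def analyze(program):
    """Line-by-line taint scan; returns a list of (line_no, message) findings."""
    tainted = set()  # variables currently holding unvalidated external input
    findings = []
    for no, line in enumerate(program.splitlines(), 1):
        m = ASSIGN.match(line)
        if m:
            dst, fn, args = m.groups()
            # tainted if the value comes from a source or from a tainted operand
            if fn in SOURCES or any(a in tainted for a in _args(args)):
                tainted.add(dst)
            else:
                tainted.discard(dst)
            continue
        m = CALL.match(line)
        if not m:
            continue
        fn, args = m.group(1), _args(m.group(2))
        if fn == "CHECK" and args:
            tainted.discard(args[0])  # validated: clear the taint
        elif fn in SINKS:
            if fn == "LOAD":
                findings.append((no, "dynamic code loading"))
            for a in args:
                if a in tainted:
                    findings.append((no, f"unvalidated external input '{a}' reaches {fn}"))
    return findings

# Constructed sample: lines 2 and 7 are unsafe, line 5 is range-checked first.
SAMPLE = "\n".join([
    "target = RECV()", "MOVE(target)",
    "speed = RECV()", "CHECK(speed, 0, 100)", "MOVE(speed)",
    "module = READFILE(cfg)", "LOAD(module)",
])
```

Running `analyze(SAMPLE)` flags the unchecked network value driving `MOVE` on line 2 and the file-derived module passed to `LOAD` on line 7, while the range-checked `speed` on line 5 is accepted.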

We conclude by discussing the remediation steps that can be adopted by developers and vendors to mitigate such issues in the medium and long term.


Presenters:

  • Federico Maggi - Researcher, Trend Micro Research
    With more than a decade of research experience in the cybersecurity field, Federico Maggi specializes in threat and security analysis of virtually any system. Federico has analyzed web applications, network protocols and devices, embedded systems, radio-frequency control systems, industrial robots, cars, and mobile devices. Federico has experience in defensive technology and research, through building machine learning-based tools for intrusion and fraud detection. He has applied data visualization techniques to analyze botnets, and has gained basic malware analysis and reverse-engineering experience on Android-based platforms. Currently employed as a Senior Researcher with security giant Trend Micro, Federico was an Assistant Professor at Politecnico di Milano, one of the leading engineering technical universities in Italy. Aside from his teaching activities, Federico co-directed the security group and has managed hundreds of graduate students. Federico has given several lectures and talks as an invited speaker at international venues and research schools, and also serves on the review or organizing committees of well-known conferences.
  • Marco Balduzzi - Senior Research Scientist, Trend Micro Research
    Dr. Marco Balduzzi holds a PhD in applied security from Télécom ParisTech and an M.Sc. in computer engineering from the University of Bergamo. His interests concern all aspects of computer security, with particular emphasis on real problems that affect systems and networks. Some topics of interest are web and browser security, code analysis, malware detection, cyber-crime, privacy, and threats in the IoT space. With 15 years of experience in IT security, he is now with Trend Micro as a Senior Research Scientist. His work has been published in top peer-reviewed conferences like NDSS, RAID and ACSAC, and featured by distinguished media like Forbes, The Register, InfoWorld, DarkReading, BBC, and CNN. He is a regular speaker at conferences like Black Hat, HITB, and OWASP AppSec, and now sits on the review board of IEEE journals and venues like HITB, AppSec, eCrime, and DIMVA.
  • Stefano Zanero - Associate Professor, Politecnico di Milano
    Stefano Zanero received a PhD in Computer Engineering from Politecnico di Milano, where he is currently an associate professor with the Dipartimento di Elettronica, Informazione e Bioingegneria. His research focuses on malware analysis, cyberphysical security, and cybersecurity in general. Besides teaching "Computer Security" and "Computer Forensics" at Politecnico, he has extensive speaking and training experience in Italy and abroad. He has co-authored over 70 scientific papers and books. He is a Senior Member of the IEEE (for which he sits on the MGA board), the IEEE Computer Society (for which he is a member of the Board of Governors), and a lifetime senior member of the ACM. Stefano co-founded the Italian chapter of ISSA (Information System Security Association). He has been named a Fellow of ISSA and sits on its International Board of Directors. Stefano is also a co-founder and chairman of Secure Network, a leading information security consulting firm based in Milan and London; a co-founder of 18Months, a cloud-based ticketing solutions provider; and a co-founder of BankSealer, a startup in the FinTech sector that addresses fraud detection through machine learning techniques.
  • Davide Quarta - Postdoc Researcher, EURECOM
    While working on this project, Davide Quarta was a Postdoctoral Researcher with the System Security group under the supervision of Davide Balzarotti. He received his PhD from Politecnico di Milano, where he worked in the NECSTLab under the supervision of Stefano Zanero and Federico Maggi. During this journey, he co-advised more than 10 students on their master's theses and projects. He received his Laurea Magistrale in Software and Digital Systems, and his Laurea, from Politecnico di Torino. As a Marie Skłodowska-Curie alumnus, Davide was an exchange student at UC Santa Barbara's SecLab, working under the supervision of Giovanni Vigna and Christopher Kruegel. At the end of his PhD, Davide had the chance to work as an engineering intern in Qualcomm's Product Security group under the supervision of Pouyan Sepehrdad. He has served as a reviewer for several journals, and as part of the Security & Privacy '18 student program committee and the WOOT '19 Artifact Evaluation Committee. Davide loves teaching: he has worked as a TA in basic programming and computer security courses. As a freelance consultant, he has taught malware analysis, and mobile and Windows reverse engineering, for the Consorzio Interuniversitario Nazionale per l'Informatica and for national and international clients of the Italian security firms Secure Network and Shorr Kan.
  • Marcello Pogliani - Security Engineer, Secure Network Srl
    Marcello Pogliani holds a PhD in information technology (computer security) from Politecnico di Milano. His research interests focus on cybersecurity in general, and particularly on security analysis topics concerning cyber-physical and industrial systems. In his spare time, he enjoys playing and organizing Capture the Flag competitions with Politecnico's team, Tower of Hanoi, and with the Italian team mHACKeroni. Currently, Marcello is a Security Engineer with Secure Network Srl, an information security consultancy firm, and sometimes collaborates on research work with his former colleagues at Politecnico. The research presented at Black Hat 2020 was performed while Marcello was a PhD candidate at Politecnico di Milano.
