Do as I Say not as I Do: Stealth Modification of Programmable Logic Controllers I/O by Pin Control Attack

Presented at 33C3 (2016), Dec. 29, 2016, 4 p.m. (60 minutes).

Input/Output is the mechanisms through which embedded systems interact and control the outside world. Particularly when employed in mission critical systems, the I/O of embedded systems has to be both reliable and secure. Embedded system’s I/O is controlled by a pin based approach. In this work, we investigate the security implications of embedded system’s pin control. In particular, we show how an attacker can tamper with the integrity and availability of an embedded system’s I/O by exploiting cerain pin control operations and the lack of hardware interrupts associated to them. Embedded systems are widely used today in a variety of applications, such as consumer, industrial, automotive, medical, commercial and military. As such, they are often employed in mission critical systems that have to be both reliable and secure. In particular, it is important that their I/O (Input/Output) be stable and secure, as this is the way they interact with the outside world. Digging into their architecture, we know that the I/O interfaces of embedded systems (e.g., GPIO, SCI, USB, etc.), are usually controlled by a so-called System on a Chip (SoC), an integrated circuit that combines multiple I/O interfaces. In turn, the pins in a SoC are managed by a pin controller, a subsystem of SoC, through which one can configure pin multiplexing or the input or output mode of pins. One of the most peculiar aspects of a pin controller is that its behavior is determined by a set of registers: by altering these registers one can change the behavior of the chip in a dramatic way. This feature is exploitable by attackers, who can tamper with the integrity or the availability of legitimate I/O operations, factually changing how an embedded system interacts with the outside world. Based on these observations, in this research, we introduce a novel attack technique against embedded systems, which we call pin control attack. As we will demonstrate in the work, the salient features of this new class of attacks are: First, it is intrinsically stealth. The alteration of the pin configuration does not generate any interrupt, preventing the OS to react to it. Secondly, it is entirely different in execution from traditional techniques such as manipulation of kernel data structures or system call hooking, which are typically monitored by anti-rootkit protection systems. Finally, it is viable. It is possible to build concrete attack using it. To demonstrate these points, we first present and demonstrate the attack capabilities offered by Pin Control attack, together with the minimal requirements for carrying out the attack. We argue that the attack capabilities include blocking the communication with a peripheral, causing physical damage to the peripheral, and manipulating values read or written by legitimate processes. We show how pin control can be exploited both with and without the attacker having kernel-level or root access. To demonstrate the feasibility of our attack technique, we describe the practical implementation of an attack against a Programmable Logic Controller (PLC) environment by exploiting the runtime configuration of the I/O pins used by the PLC to control a physical process. The attack allows one to reliably take control of the physical process normally managed by the PLC, while remaining stealth to both the PLC runtime and operators monitoring the process through a Human Machine Interface, a goal much more challenging than simply disabling the process control capabilities of the PLC, which would anyway lead to potentially catastrophic consequences. The attack does not require modification of the PLC logic or traditional kernel tampering or hooking techniques, which are normally monitored by anti-rootkit tools. We present two variations of the attack implementation. The first implementation allows an extremely reliable manipulation of the process at the cost of requiring root access. The second implementation slightly relaxes the requirement of reliable manipulation while allowing the manipulation to be achieved without root access. Finally, we discuss potential mechanisms to detect/prevent Pin Configuration exploitation. However, because the pin configuration does happen legitimately at runtime and the lack of proper interrupt notifications from the SoC, it seems non-trivial to devise monitoring techniques that are both reliable and sufficiently light way to be employed in embedded systems.

Presenters:

  • Ali Abbasi
    Ali Abbasi is a Ph.D. candidate in Distributed and Embedded System Security group at the University of Twente, The Netherlands and visiting Ph.D. researcher at the Chair of Systems Security of Ruhr-University Bochum, Germany. His research interest involves embedded systems security mostly related to Industrial Control Systems, Critical Infrastructure security, and Real-Time Operating Systems security. He received his master degree in Computer Science from Tsinghua University, Beijing, China in 2013. He was working there on Programmable Logic Controller (PLC) security in Network Security Lab, Microprocessor and SoC Technology R&D center with the National 863 High-tech Program grant from Ministry of Industry and Information Technology of China. He is currently doing his research at the Chair of Systems Security of Ruhr-University Bochum regarding designing system-level protection mechanisms to battle against the sophisticated memory corruption and code-reuse attacks against PLCs and other critical real-time embedded systems. Before that Ali was working as Head of Vulnerability Analysis and Penetration Testing Group at National Computer Security Incident Response Team (CSIRT) at the Sharif University of Technology in Tehran, Iran.
  • Majid
    Majid Hashemi is a Research & Development Engineer at Quarkslab, France. In his role as a researcher at Quarkslab, he is dedicated to reverse engineering and analyzing embedded devices. Majid was involved in this research as an independent researcher. Majid's foremost curiosity is for low-level programming and reverse engineering the dark corners of the operating system. In the past, Majid was mostly involved in analyzing critical infrastructures and radio communications equipment.

Links:

Similar Presentations: