Unraveling SCADA Protocols: Using Sulley Fuzzer

Presented at DEF CON 15 (2007), Aug. 4, 2007, 1 p.m. (50 minutes)

First, I will cover the basics of SCADA networks and give a general overview of the SCADA protocols, namely Modbus, DNP3, ICCP and the IEC standards. North America mainly uses Modbus, DNP3 and, to an extent, ICCP, while the European countries use the IEC standards. After the basics I will get into the finer details of the protocols: which function codes and internal indication flags do what, and how they can be used to attack or take down a SCADA system. I will also discuss and demonstrate the current level of security implementation at these sites. After enumerating all of that I will talk about the SCADA fuzzer and the framework that has been worked on, and how it can be used to find flaws in the implementations of various software. This tool can be used to assess the software offered by various vendors, and a brief analysis of some of that software will be shown. Even though some of these attacks can be detected by today's inline devices, those devices are prone to false positives.

I am using the Sulley Framework to fuzz the various protocol implementations. Essentially, I use Sulley to fuzz all the header fields of the various protocols. Sulley is equipped with some protocol-specific CRC generators (CRC-DNP) in addition to the regular ones. Unlike most other fuzzers, I have also generated various test cases to fuzz the data sections of the protocols. Once the test cases are developed, the tool will be used to find vulnerabilities in various implementations, and these vulnerabilities will be presented at DEF CON. A case study of the various software implementations will also be presented, showing where they are normally vulnerable.
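The abstract notes that Sulley carries a CRC-DNP generator: a DNP3 receiver discards any link-layer frame whose header CRC does not verify, so a mutated header only reaches the parsing code the talk targets if its CRC is recomputed. The following added example (written for this page, not code from the talk or from the Sulley project) implements the DNP3 link-layer CRC-16 and a header check a receiver performs. The polynomial (0x3D65, bit-reflected 0xA6BC), zero initial value and final inversion are the published DNP3 CRC parameters; the sample header bytes are constructed for illustration.

```python
"""DNP3 link-layer header CRC: compute, append and verify.

Added example, not part of the original DEF CON page. The DNP3 link header
is 10 bytes: start (0x05 0x64), length, control, destination (2 bytes, LSB
first), source (2 bytes, LSB first) and a CRC-16 over the first 8 bytes,
transmitted LSB first.
"""

DNP3_START = b"\x05\x64"
DNP_POLY_REFLECTED = 0xA6BC  # bit-reflected form of the DNP3 polynomial 0x3D65


def crc16_dnp(data: bytes) -> int:
    """CRC-16/DNP: reflected, init 0x0000, final XOR 0xFFFF."""
    crc = 0x0000
    for byte in data:
        crc ^= byte
        for _ in range(8):
            if crc & 1:
                crc = (crc >> 1) ^ DNP_POLY_REFLECTED
            else:
                crc >>= 1
    return (crc ^ 0xFFFF) & 0xFFFF


def build_link_header(length: int, control: int, dest: int, src: int) -> bytes:
    """Assemble a 10-byte DNP3 link header with a correct CRC appended."""
    body = DNP3_START + bytes([length & 0xFF, control & 0xFF])
    body += dest.to_bytes(2, "little") + src.to_bytes(2, "little")
    return body + crc16_dnp(body).to_bytes(2, "little")


def verify_link_header(frame: bytes) -> bool:
    """Receiver-side check: start bytes present and header CRC matches."""
    if len(frame) < 10 or frame[:2] != DNP3_START:
        return False
    expected = int.from_bytes(frame[8:10], "little")
    return crc16_dnp(frame[:8]) == expected


if __name__ == "__main__":
    # Constructed sample: length 5, control 0xC4, destination 1, source 1024.
    header = build_link_header(5, 0xC4, 1, 1024)
    print(header.hex(), verify_link_header(header))
    # Flip one bit in the control octet: the CRC no longer verifies.
    corrupted = bytearray(header)
    corrupted[3] ^= 0x01
    print(bytes(corrupted).hex(), verify_link_header(bytes(corrupted)))
```

A fuzzer that mutates the header must call something equivalent to `crc16_dnp` after every mutation (this is what Sulley's CRC-DNP generator does for it); on the receiving side, the same check is the first line of defence against malformed frames, and a device that accepts frames failing `verify_link_header` is itself a finding.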

Presenters:

  • Ganesh Devarajan - Security Researcher Tipping Point Inc.
    Ganesh Devarajan currently works as a Security Researcher for TippingPoint Inc., a division of 3Com. He currently focuses on SCADA security and other application security. Prior to this, he worked as a Security Researcher for the CASE Research Center in Syracuse, NY. He has publications in various fields such as RBAC, wireless security, XML-based signatures and runtime software application patches, and holds a Master's degree in Computer Engineering from Syracuse University.
