BayesImposter: Bayesian Estimation Based .bss Imposter Attack on Industrial Control Systems
Anomadarshi Barua, Lelin Pan, and Mohammad Abdullah Al Faruque
Department of Electrical Engineering and Computer Science
University of California, Irvine, California, USA.
Email: {anomadab, lelinp, alfaruqu}@uci.edu
ABSTRACT
Over the last six years, several papers have used memory deduplication to trigger various security issues, such as leaking heap addresses and causing bit flips in physical memory. The most essential requirement for successful memory deduplication is to provide identical copies of a physical page. Recent works use a brute-force approach to create identical copies of a physical page, which is an inaccurate and time-consuming primitive from the attacker's perspective. Our work begins to fill this gap by providing a domain-specific, structured way to duplicate a physical page in cloud settings in the context of industrial control systems (ICSs). Here, we show a new attack primitive, BayesImposter, which points out that the attacker can duplicate the .bss section of the target control DLL file of cloud protocols using the Bayesian estimation technique. Our approach requires less memory (i.e., 4 KB compared to GB) and time (i.e., 13 minutes compared to hours) than the brute-force approach used in recent works. We point out that ICSs can be expressed as state-space models; hence, Bayesian estimation is an ideal choice to be combined with memory deduplication for a successful attack in cloud settings. To demonstrate the strength of BayesImposter, we create a real-world automation platform using a scaled-down automated high-bay warehouse and an industrial-grade SIMATIC S7-1500 PLC from Siemens as the target ICS. We demonstrate that BayesImposter can predictively inject false commands into the PLC that can cause possible equipment damage with machine failure in the target ICS. Moreover, we show that BayesImposter is capable of adversarial control over the target ICS, resulting in severe consequences, such as killing a person while making it look like an accident. Therefore, we also provide countermeasures to prevent the attack.
CCS CONCEPTS
Security and privacy → Embedded systems security.
KEYWORDS
PLCs, DLL file, Bayesian estimation, adversarial control
ACM Reference Format:
Anomadarshi Barua, Lelin Pan, and Mohammad Abdullah Al Faruque. 2022. BayesImposter: Bayesian Estimation Based .bss Imposter Attack on Industrial Control Systems. In Annual Computer Security Applications Conference (ACSAC '22), December 5–9, 2022, Austin, TX, USA. ACM, New York, NY, USA, 15 pages. https://doi.org/10.1145/3564625.3564638

Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the owner/author(s).
ACSAC '22, December 5–9, 2022, Austin, TX, USA
©2022 Copyright held by the owner/author(s).
ACM ISBN 978-1-4503-9759-9/22/12.
https://doi.org/10.1145/3564625.3564638
1 INTRODUCTION
Historically, Industrial Control Systems (ICSs) followed the ANSI/ISA 95 model [65], where disconnected computer systems and isolated sensor frameworks were used to monitor various operations and tasks in the lower levels of the automation pyramid [20]. As we enter the fourth industrial revolution [51] (Industry 4.0), the ANSI/ISA 95 model is undergoing different transformations. These transformations include vertically/horizontally interconnected and decentralized ICSs at all levels of the automation pyramid for flexible monitoring and control. The decentralization of ICSs in Industry 4.0 adds fuel to the movement toward the Industrial Internet of Things (IIoT) trend, where cloud servers and virtualization [74] play an important role by providing easy-to-access automation platforms.
In Industry 4.0, Infrastructure-as-a-Service (IaaS) enables Programmable Logic Controllers (PLCs) to connect with clouds [48]. Moreover, to support multiple PLCs and supervisory platforms, today's ICSs use multiple Virtual Private Servers (VPSs) on a single cloud platform [38]. The cloud server has the memory deduplication feature enabled [33], which is a widespread optimization feature present in today's cloud servers to support virtualization. In this typical ICS platform, the user sends control programming and supervisory commands from VPSs using cloud protocols (i.e., MQTT, AMQP) to PLCs [49]. The cloud protocol's software stack has a specific DLL file, which transports these commands and is located on the server computer. We call this specific DLL file the target control DLL file.
In this paper, at first, we show that the .bss section of the target control DLL file of cloud protocols transports the critical control commands from VPSs to PLCs (i.e., the lower level of the automation pyramid). Next, after identifying the target control DLL file, we introduce the Bayesian estimation by which an attacker can recreate or fake the memory page of the .bss section of the target control DLL file. We name the fake .bss section¹ the .bss imposter and denote the attack model by BayesImposter.
The intuition behind BayesImposter is that, as ICSs can be expressed as state-space models [35], BayesImposter can exploit the Bayesian estimation technique to accurately predict the current state of the industrial controller. As control commands are directly related to the current states of the industrial controller, after estimating the states, the attacker can also estimate the control commands from the estimated states. As the .bss section contains the control commands, the attacker can then successfully recreate the .bss section using the estimated control commands. We show that our proposed Bayesian estimation requires less memory and attack time to recreate the page of the .bss imposter than the brute-force approach demonstrated in recent works [19, 29, 58, 62].
arXiv:2210.03719v1 [cs.CR] 7 Oct 2022
After recreating the fake .bss section, BayesImposter uses the underlying memory deduplication feature enabled in the cloud to merge the page of the fake .bss section with the legitimate .bss section. In this way, the attacker can locate the memory address of the fake .bss section in the host machine and can use a malicious co-located VPS to trigger a bit flip in the page of the .bss section using the Rowhammer bug [19, 29, 58, 62] of the host machine. As the .bss section contains the control commands, this paper shows that a bit flip in this section may corrupt or even change the actual command. This method can be termed false command injection. The injected false commands propagate from VPSs to the PLCs and may cause unplanned behavior with catastrophic machine failure in the target ICS. It is worth mentioning here that, as BayesImposter has more control over the recreation of a fake .bss section, our attack is capable of adversarial control over the target ICS from a co-located VPS on the same cloud. To the best of our knowledge, BayesImposter is the first work that successfully merges the idea of Bayesian estimation of the state-space models of ICSs with memory deduplication and the Rowhammer bug in cloud settings in the context of ICSs.
Technical Contributions: Our contributions are:
We are the first to point out how the .bss section of the target control DLL file of cloud protocols can be exploited by using memory deduplication in modern ICSs.
We are the first to introduce Bayesian estimation to recreate the .bss section. Our attack requires less memory and time than the brute-force approach used in recent works [19, 29, 58, 62].
We create a real-world scaled-down factory model of a practical ICS, which has an automated high-bay warehouse from fischertechnik [6]. We use an industrial-grade PLC, part# SIMATIC S7-1500 [12] from Siemens, to create the automation platform and connect the PLC to clouds using industry-standard cloud protocols.
We evaluate BayesImposter in our factory model considering five variants of industry-standard cloud protocols and show adversarial control to generalize our attack model in cloud settings.
A demonstration of our work is shown at the following link: https://sites.google.com/view/bayesmem/home.
2 BACKGROUND
2.1 Connecting PLCs with clouds
IIoT enables PLCs to upload acquired data directly to clouds [64]. PLCs are normally connected to clouds in two ways: using an adapter or directly using a standard protocol. Standard cloud protocols, such as MQTT and AMQP, support bidirectional and event-based data transmission between PLCs and upper management. Upper management can modify control functions of PLCs at run time by flashing new control programs to PLCs from clouds.
2.2 Programs for supervisory controls
The IEC 61131 programming standard [72] is used for control programming of PLCs. Control programs can be broadly divided into three categories: (i) programs for basic functions, (ii) programs for supervisory controls, and (iii) programs for critical time-constrained functions (e.g., security and real-time response). Traditionally, all three categories of control programs were implemented in PLCs on industrial premises. However, with the new trend in Industry 4.0, nowadays only the programs for critical time-constrained functions are implemented in PLCs. Programs for basic functions and supervisory controls are not implemented in PLCs; rather, they are implemented in clouds or in a web server. For example, basic functions and supervisory control programs are outsourced as web services to a cloud or to a server for a class C33 PLC controller [49]. This gives more flexibility to upper management, as they can change programs remotely at run time to tackle abruptly changing situations.

¹ In this paper, the .bss section means the .bss section of the target control DLL file of cloud protocols, unless otherwise mentioned.

Figure 1: Different components of an ICS in cloud settings. [Figure: upper management on the cloud server sends programs for supervisory controls from VPS1, VPS2 and VPS3 (VPSs supporting different PLC automation platforms) over cloud protocols (MQTT/AMQP) to PLC1, PLC2 and PLC3, which talk to the field devices over IEC 61158 standard protocols (Modbus/PROFINET); the vacuum gripper robot with its suction cup moves along the horizontal and vertical axes.]
2.3 Use of VPSs with PLCs
ICSs are becoming more complex in Industry 4.0. ICSs often need to support multiple automation platforms that may conflict with each other. Moreover, multiple PLC controllers and supervisory platforms may need multiple software packages that may require multiple operating systems. Also, introducing web servers and clouds to ICSs increases the necessity of using multiple private servers. Although using multiple separate physical machines to support multiple automation platforms, operating systems, or private servers is one available solution, industries evidently use VPSs to reduce the number of required physical machines and thereby reduce cost [63]. Moreover, modern cloud platforms offer cheap access to VPSs by sharing a single server machine among multiple operating systems using virtualization software [11].
2.4 A motivational example of an ICS
A motivational example is shown in Fig. 1, where we consider an automated high-bay warehouse as our example ICS. It has a vacuum gripper robot, which stores objects in the storage rack of the warehouse using a suction cup and moves along the horizontal and vertical axes. We elaborate more on this in Section 7.1 while demonstrating our attack model. Here, multiple PLCs having different platforms are supported by a cloud using multiple VPSs. Upper management located in the cloud sends programs for supervisory controls from VPSs to PLCs using cloud protocols (i.e., MQTT/AMQP). PLCs communicate with the underlying sensors and controllers using IEC 61158 standard protocols (e.g., Modbus, PROFINET). Given this background, an attacker can perturb the supervisory control commands (i.e., false command injection) in our example ICS and remotely hamper its normal operation using our attack model, BayesImposter.
2.5 Memory deduplication
Memory deduplication is a process that merges identical pages in physical memory into one page to reduce redundant pages having the same contents. It is a widely used feature in cloud servers, allowing multiple VPSs to run on less allocated memory in a single physical machine. The amount of redundant pages can be as high as 86% [30], and memory deduplication can save up to 50% of the allocated memory in the cloud server [42]. This feature is available in Windows 8.1, Windows Server 2016, 2019, and 2022, and in Linux distributions. Windows Servers have it as Data Deduplication [3], and Linux distributions have it as Kernel Samepage Merging (KSM), which is implemented in the Kernel-based Virtual Machine (KVM) (see Appendix 11.5, 11.6, and 11.7 for more detail on this topic).

Figure 2: Different components of our attack model, BayesImposter, on industrial control systems in cloud settings. [Figure: in the cyber domain, an attacker (cloud provider, malicious insider, or interdiction) runs a malicious co-located VPS on the cloud server next to the victim VPS; the attacker recreates the .bss section of the target control DLL using Bayesian estimation, memory deduplication merges the .bss imposter page with the victim page, and a Rowhammer bit flip corrupts the program for supervisory controls sent over the cloud protocol (MQTT/AMQP) to the industrial PLC (e.g., SIMATIC from Siemens); in the physical domain, false command injection into the automated high-bay warehouse leads to stealthiness, unplanned shutdown, lost production, possible equipment damage, monetary losses, and adversarial control.]
3 ATTACK MODEL
Fig. 2 shows the attack model, BayesImposter, in cloud settings. The essential components of BayesImposter are described below.
(i) Target system: We consider an infrastructure [39] where PLCs are connected with a cloud for maintenance and control programming, and multiple Virtual Machines (VMs) acting as VPSs are located in the same cloud to support multiple automation platforms. As multiple VPSs in the same cloud share the same hardware, an attacker can exploit the shared hardware from a co-located VPS.
(ii) Attacker's capabilities: Let us consider a scenario where a user gives commands from his proprietary VPS to a PLC to do control programming and supervisory controls.
.bss imposter: A few specific DLL files (i.e., the target control DLL) of the cloud protocols transport these commands from the VPS to PLCs. These DLL files are organized into different sections. Each section can be writable or read-only and can encapsulate executable (i.e., code) or non-executable (i.e., data) information. The section which encapsulates uninitialized data is known as the .bss section. The .bss section of the target control DLL contains control programming and supervisory control specific information/data, which are mostly of boolean type, coming from the user as commands. This .bss section is page-aligned in virtual memory as well as in physical memory. Let us denote this as the victim page. If an attacker can recreate the victim page, the attacker can use this recreated victim page (a.k.a. the .bss imposter page) to trigger memory deduplication.
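The section-table walk described above, as an added example that is not part of the paper: a small PE header parser that locates sections flagged as uninitialized data and reports the properties that make such a section a deduplication target (writable, non-executable, no bytes on disk, page-aligned at SectionAlignment, and how many whole pages it spans). The DLL image it parses is a constructed, headers-only PE32+ stub, not a real cloud protocol DLL; its section names, sizes and addresses are assumptions. Because some linkers fold uninitialized data into .data instead of emitting a section named .bss, the check keys on the IMAGE_SCN_CNT_UNINITIALIZED_DATA flag rather than on the name.

```python
import struct
from math import ceil

# Section characteristic flags from the Microsoft PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

SECTION_HEADER = "<8sIIIIIIHHI"  # 40-byte IMAGE_SECTION_HEADER


def parse_sections(image: bytes):
    """Walk DOS header -> PE signature -> COFF header -> optional header -> section table.
    Returns (section_alignment, sections); only header bytes are read, so a headers-only image works."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # SectionAlignment sits at offset 32 of the optional header in both PE32 and PE32+.
    section_alignment = struct.unpack_from("<I", image, opt + 32)[0]
    sections = []
    off = opt + size_of_optional
    for _ in range(num_sections):
        (name, vsize, va, raw_size, _raw_ptr,
         _reloc, _lines, _nreloc, _nlines, chars) = struct.unpack_from(SECTION_HEADER, image, off)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "virtual_address": va,
            "raw_size": raw_size,
            "characteristics": chars,
        })
        off += struct.calcsize(SECTION_HEADER)
    return section_alignment, sections


def find_uninitialized_data(image: bytes):
    """Report every section flagged as uninitialized data (.bss or whatever the linker named it)
    with the properties relevant to a page-merge target."""
    alignment, sections = parse_sections(image)
    found = []
    for s in sections:
        c = s["characteristics"]
        if not c & IMAGE_SCN_CNT_UNINITIALIZED_DATA:
            continue
        found.append({
            **s,
            "writable": bool(c & IMAGE_SCN_MEM_WRITE),
            "executable": bool(c & IMAGE_SCN_MEM_EXECUTE),
            "page_aligned": s["virtual_address"] % alignment == 0,
            "pages": ceil(s["virtual_size"] / alignment),  # whole pages the section occupies in memory
        })
    return found


def build_demo_dll() -> bytes:
    """Constructed sample: a minimal PE32+ DLL header with .text/.data/.bss (headers only, no code)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE signature right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x8664, 3, 0, 0, 0, 240, 0x2022)  # x64, 3 sections, DLL
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)            # PE32+ magic
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)  # SectionAlignment = 4 KB, FileAlignment = 512

    def section(name, vsize, va, raw_size, raw_ptr, chars):
        return struct.pack(SECTION_HEADER, name, vsize, va, raw_size, raw_ptr, 0, 0, 0, 0, chars)

    table = (
        section(b".text", 0x800, 0x1000, 0x800, 0x400,
                IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
        + section(b".data", 0x400, 0x2000, 0x400, 0xC00,
                  IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
        + section(b".bss", 0x1234, 0x3000, 0, 0,  # assumed size/address; raw size 0 = nothing on disk
                  IMAGE_SCN_CNT_UNINITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
    )
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


if __name__ == "__main__":
    for s in find_uninitialized_data(build_demo_dll()):
        print("%-6s VA=0x%x size=0x%x pages=%d writable=%s exec=%s" % (
            s["name"], s["virtual_address"], s["virtual_size"], s["pages"], s["writable"], s["executable"]))
```

Run against a real DLL by passing the file's bytes to `find_uninitialized_data`; a section with raw size 0 but a non-zero virtual size is exactly the page-aligned, zero-backed region the text calls the victim page.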
Bottleneck: To recreate the victim page, the attacker needs to guess all the initialization values of the uninitialized variables of the .bss section. As there could be hundreds of control variables present in the .bss section, it is almost impossible for the attacker to successfully guess the victim page and recreate it following the brute-force approach adopted in recent works [19, 29, 58, 62]. The brute-force approach was successful in [19, 29, 58, 62] because they only guessed a specific 32-bit value to recreate a victim page. To guess hundreds of variables in the .bss section, the brute-force approach could require hundreds of hours. Moreover, the attacker may need to spray the physical memory with terabytes of recreated pages to initiate a successful attack in the brute-force approach.
Solution: This challenge can be handled by using BayesImposter. The intuition behind BayesImposter is that if an attacker knows the state-space model of the ICS, the attacker can estimate the boolean and non-boolean control commands, because the control commands are directly correlated with the current states of the ICS. As the .bss section transports the control commands, the estimation of the control commands helps the attacker successfully guess the control variables present in the .bss section, leading to a successful recreation of the victim page (i.e., the .bss imposter page).
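An added illustration of the estimate-then-recreate idea, not the paper's estimator: a hypothetical four-state model of the gripper robot, a recursive Bayesian filter (predict with the transition matrix, update with a noisy state sensor, normalize) that yields the MAP state, the boolean commands that state implies, and a 4 KB candidate page built from them, together with the two checks the attack turns on: the candidate merges only when byte-for-byte identical to the victim page, and a single bit flip changes a command. The transition and sensor probabilities, the state-to-command mapping, the page layout (one byte per command at offset 0) and the sample sensor readings are all constructed assumptions.

```python
PAGE_SIZE = 4096

# Hypothetical discrete state-space model of the gripper robot (assumption: the paper's own
# model is not reproduced here; these numbers are illustrative only).
STATES = ("IDLE", "MOVE_H", "MOVE_V", "GRIP")
TRANSITION = [  # TRANSITION[i][j] = P(next state j | current state i); rows sum to 1
    [0.70, 0.20, 0.05, 0.05],
    [0.10, 0.70, 0.15, 0.05],
    [0.10, 0.10, 0.70, 0.10],
    [0.30, 0.10, 0.10, 0.50],
]
P_CORRECT = 0.85  # P(sensor reports the true state); the remainder is spread over the other states

# Boolean control commands implied by each state: (motor_h, motor_v, vacuum_on). Assumed mapping.
COMMANDS = {
    "IDLE": (False, False, False),
    "MOVE_H": (True, False, False),
    "MOVE_V": (False, True, False),
    "GRIP": (False, False, True),
}


def emission(true_state: int, observed: int) -> float:
    """P(observed | true_state) for a noisy state sensor."""
    if observed == true_state:
        return P_CORRECT
    return (1.0 - P_CORRECT) / (len(STATES) - 1)


def bayes_filter(observations):
    """Recursive Bayesian estimation: predict with TRANSITION, update with the sensor likelihood,
    normalize. Returns the posterior over STATES after the last observation."""
    n = len(STATES)
    belief = [1.0 / n] * n  # uniform prior
    for obs in observations:
        predicted = [sum(belief[i] * TRANSITION[i][j] for i in range(n)) for j in range(n)]
        updated = [predicted[j] * emission(j, obs) for j in range(n)]
        z = sum(updated)
        belief = [u / z for u in updated]
    return belief


def estimate_state(observations) -> int:
    """MAP estimate of the current state (index into STATES)."""
    belief = bayes_filter(observations)
    return max(range(len(STATES)), key=belief.__getitem__)


def imposter_page(observations) -> bytes:
    """Candidate 4 KB page: the estimated boolean commands, one byte each, at offset 0,
    followed by zeros. Assumed layout; the real one must be recovered from the target DLL."""
    commands = COMMANDS[STATES[estimate_state(observations)]]
    return bytes(int(flag) for flag in commands).ljust(PAGE_SIZE, b"\0")


def would_deduplicate(candidate: bytes, victim: bytes) -> bool:
    """Page merging requires byte-for-byte identical pages; any wrong guess defeats it."""
    return len(candidate) == PAGE_SIZE and candidate == victim


def flip_bit(page: bytes, offset: int, bit: int) -> bytes:
    """Model one Rowhammer-style bit flip at (offset, bit) to show how a single flip changes a command."""
    buf = bytearray(page)
    buf[offset] ^= 1 << bit
    return bytes(buf)


# Constructed sample: sensor readings by state index, with one glitch reading MOVE_V.
OBSERVED = [1, 1, 2, 1, 1]

if __name__ == "__main__":
    posterior = bayes_filter(OBSERVED)
    print({s: round(p, 3) for s, p in zip(STATES, posterior)})
    page = imposter_page(OBSERVED)
    print("commands in page:", page[:3],
          "merges with correct guess:", would_deduplicate(page, imposter_page(OBSERVED)))
    print("after flipping bit 0 of byte 2 (vacuum):", flip_bit(page, 2, 0)[:3])
```

The filter absorbs the glitch reading because the transition model makes a one-step excursion to MOVE_V and back unlikely, which is the point of estimating from the state-space model instead of trusting each observation; the page then has to match the victim exactly, and flipping one bit in it turns the vacuum on while the horizontal motor is running.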
Memory deduplication + Rowhammer: After recreating the .bss imposter page using BayesImposter, the attacker can initiate memory deduplication to merge the victim page with the attacker-provided .bss imposter page. In this way, the attacker maps the victim page into his address space to initiate the Rowhammer attack on the .bss imposter page from his address space. It can flip bits in the .bss imposter page and change the values of control commands.
(iii) Outcomes of the attack: As the .bss section contains important data dedicated to control programming and supervisory controls, bit flips in the .bss section may lead to potential failure in ICSs. It can cause an unplanned shutdown, possible equipment damage, catastrophic machine failure, monetary losses, or can even kill a person while making it look like an accident in the target ICS.
(iv) Attacker's access level: Our attack requires the deployment of a malicious co-located VPS in the cloud where the victim VPS resides. As public clouds are not common in ICSs, the clouds in ICSs can be either private or hybrid. The access needed to private or hybrid clouds is possible in at least three scenarios.
In the first scenario, the attack can originate from the cloud provider targeting the VPS of cloud users [61]. As cloud providers provide software, platform, and infrastructure as a service [16], they have physical access to the target clouds where the victim VPS resides.
In the second scenario, a malicious insider [31, 75], who can be a disgruntled employee, can use his insider knowledge of the system to deploy the malicious co-located VPS. A similar incident is found in the literature, where a disgruntled ex-employee of an ICS posted a note in a hacker journal indicating that his insider knowledge of the system could be used to shut down that ICS [69].
The third scenario is interdiction, which has been rumored to have been used in the past [17, 67, 73] and has recently been proven to be practically feasible [70]. In this scenario, during interdiction, a competitor can intercept the installation of a VPS in clouds while providing service and may deploy the malicious VPS.
(v) Stealthy attack: The authorities may not be aware of the co-located malicious VPS and would possibly not detect the source