Firmware modification attacks on programmable logic controllers

Basnight, Zachry; Butts, Jonathan; López, Julio Pérez; Dube, Thomas

doi:10.1016/j.ijcip.2013.04.004

Cited by 135 publications

(75 citation statements)

References 2 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Therefore we hypothesise that there are potential artefacts in the reprogrammed code, that can be used the to establish the attacker's intentions (Falliere et al, 2011). There are other malicious attacks on PLCs such as firmware counterfeiting and modifications (Basnight, 2013) and uploading of malware (McLaughlin, 2011). This paper focuses on a modification attack on the PLC program code, as to our knowledge there has been limited research in this area (considering this occurred in the Stuxnet attack).…”

Section: Existing Researchmentioning

confidence: 99%

Exploring The Use Of PLC Debugging Tools For Digital Forensic Investigations On SCADA Systems

Wu¹,

Nurse²

2015

JDFSL

View full text Add to dashboard Cite

The Stuxnet malware attack has provided strong evidence for the development of a forensic capability to aid in thorough post-incident investigations. Current live forensic tools are typically used to acquire and examine memory from computers running either Windows or Unix. This makes them incompatible with embedded devices found on SCADA systems that have their own bespoke operating system. Currently, only a limited number of forensics tools have been developed for SCADA systems, with no development of tools to acquire the program code from PLCs. In this paper, we explore this problem with two main hypotheses in mind. Our first hypothesis was that the program code is an important forensic artefact that can be used to determine an attacker's intentions. Our second hypothesis was that PLC debugging tools can be used for forensics to facilitate the acquisition and analysis of the program code from PLCs. With direct access to the memory addresses of the PLC, PLC debugging tools have promising functionalities as a forensic tool, such as the "Snapshot" function that allows users to directly take values from the memory addresses of the PLC, without vendor specific software. As a case example we will focus on PLC Logger as a forensic tool to acquire and analyse the program code on a PLC. Using these two hypotheses we developed two experiments. The results from Experiment 1 provided evidence to indicate that it is possible to acquire the program code using PLC Logger and to identify the attacker's intention, therefore our hypothesis was accepted. In Experiment 2, we used an existing Computer Forensics Tool Testing (CFTT) framework by NIST to test PLC Logger's suitability as a forensic tool to analyse and acquire the program code. Based on the experiment's results, this hypothesis was rejected as PLC Logger had failed half of the tests. This suggests that PLC Logger in its current state has limited suitability as a forensic tool, unless the shortcomings are addressed.

show abstract

Section: Existing Researchmentioning

confidence: 99%

Exploring The Use Of PLC Debugging Tools For Digital Forensic Investigations On SCADA Systems

Wu¹,

Nurse²

2015

JDFSL

View full text Add to dashboard Cite

show abstract

“…Before the highly publicized Stuxnet malware, most of the attacks were trivial intrusions against the IT equipment of industrial control network. However, the Stuxnet malware has intensified a race to the bottom where low-level attacks have a tactical advantage [2] and are therefore preferred [23]. PLCs play a significant role in the industry since they control and monitor industrial processes in critical infrastructures [13].…”

Section: Introductionmentioning

confidence: 99%

“…Various research shown the feasibility of such attacks [8], [19], [20] against PLCs. To defeat this attack, the industry is using logic checksums and IDS [18], [21], [2]. -Control-flow attacks: in general, this category of attacks is achieved by exploiting a memory corruption vulnerability (e.g.…”

Section: Introductionmentioning

confidence: 99%

Stealth Low-Level Manipulation of Programmable Logic Controllers I/O by Pin Control Exploitation

Abbasi¹,

Hashemi²,

Zambon³

et al. 2017

Critical Information Infrastructures Security

View full text Add to dashboard Cite

Abstract. Input/Output is the mechanism through which Programmable Logic Controllers (PLCs) interact with and control the outside world. Particularly when employed in critical infrastructures, the I/O of PLCs has to be both reliable and secure. PLCs I/O like other embedded devices are controlled by a pin based approach. In this paper, we investigate the security implications of the PLC pin control system. In particular, we show how an attacker can tamper with the integrity and availability of PLCs I/O by exploiting certain pin control operations and the lack of hardware interrupts associated to them.

show abstract

“…On the other hand, working with an incorrect base address may lead to inaccurate interpretations of segments referenced by immediate addresses. Therefore, knowledge of the true base address is critical in understanding the binary file as a whole [5].…”

mentioning

confidence: 99%

Determining Image Base of Firmware Files for ARM Devices

Zhu

Tan

Zhang

et al. 2016

IEICE Trans. Inf. & Syst.

View full text Add to dashboard Cite

SUMMARYDisassembly, as a principal reverse-engineering tool, is the process of recovering the equivalent assembly instructions of a program's machine code from its binary representation. However, when disassembling a firmware file, the disassembly process cannot be performed well if the image base is unknown. In this paper, we propose an innovative method to determine the image base of a firmware file with ARM/Thumb instruction set. First, based on the characteristics of the function entry table (FET) for an ARM processor, an algorithm called FIND-FET is proposed to identify the function entry tables. Second, by using the most common instructions of function prologue and FETs, the FIND-BASE algorithm is proposed to determine the candidate image base by counting the matched functions and then choose the one with maximal matched FETs as the final result. The algorithms are applied on some firmwares collected from the Internet, and results indicate that they can effectively find out the image base for the majority of example firmware files.

show abstract

Firmware modification attacks on programmable logic controllers

Cited by 135 publications

References 2 publications

Exploring The Use Of PLC Debugging Tools For Digital Forensic Investigations On SCADA Systems

Exploring The Use Of PLC Debugging Tools For Digital Forensic Investigations On SCADA Systems

Stealth Low-Level Manipulation of Programmable Logic Controllers I/O by Pin Control Exploitation

Determining Image Base of Firmware Files for ARM Devices

Contact Info

Product

Resources

About