IoT Sentinel: Automated Device-Type Identification for Security Enforcement in IoT

With the rapid growth of the Internet-of-Things (IoT), concerns about the security of IoT devices have become prominent. Several vendors are producing IP-connected devices for home and small office networks that often suffer from flawed security designs and implementations. They also tend to lack mechanisms for firmware updates or patches that can help eliminate security vulnerabilities. Securing networks where the presence of such vulnerable devices is given, requires a brownfield approach: applying necessary protection measures within the network so that potentially vulnerable devices can coexist without endangering the security of other devices in the same network. In this paper, we present IOT SENTINEL, a system capable of automatically identifying the types of devices being connected to an IoT network and enabling enforcement of rules for constraining the communications of vulnerable devices so as to minimize damage resulting from their compromise. We show that IOT SENTINEL is effective in identifying device types and has minimal performance overhead

External Verification of SCADA System Embedded Controller Firmware

Critical infrastructures such as oil and gas pipelines, the electric power grid, and railways, rely on the proper operation of supervisory control and data acquisition (SCADA) systems. Current SCADA systems, however, do not have sufficient tailored electronic security solutions. Solutions available are developed primarily for information technology (IT) systems. Indeed, the toolkit for SCADA incident prevention and response is unavailing as the operating parameters associated with SCADA systems are different from IT systems. The unique environment necessitates tailored solutions. Consider the programmable logic controllers (PLCs) that directly connect to end physical systems for control and monitoring of operating parameters -- the compromise of a PLC could result in devastating physical consequences. Yet PLCs remain particularly vulnerable due to a lack of firmware auditing capabilities. This research presents a tool we developed specifically for the SCADA environment to verify PLC firmware. The tool does not require any modifications to the SCADA system and can be implemented on a variety of systems and platforms. The tool captures serial data during firmware uploads and then verifies them against a known good firmware baseline. Attempts to inject modified and/or malicious firmware are identified by the tool. Additionally, the tool can replay and analyze captured data by emulating a PLC during firmware upload. The emulation capability enables verification of the firmware upload from an interface computer without requiring modifications to or interactions with the operational SCADA system. The ability to isolate the tool from production systems and verify the validity of firmware makes the tool a viable application for SCADA incident response teams and security engineers

A Test bed dedicated to the Study of Vulnerabilities in IEC 61850 Power Utility Automation Networks

International audienceIndustrial control systems rely more and more on digital technologies. Although the cyber risk such technologies induce is widely judged as serious, especially for critical infrastructures, these systems have generally not been designed to serve cybersecurity purposes. Instead they were thought first for serving operational efficiency. It thus becomes critical to study cyber threats in industrial environments and experimental test beds are needed to evaluate risks, physical consequences of cyber incidents, and performance of countermeasures. The test bed we present here focuses on studying cyber risks and their mitigation in IEC 61850 power utility automation systems. The operational part is composed of engineering computers, supervision software, off-the-shelf intelligent relays (Intelligent Electronic Device – IED), a hardware-in-the-loop process simulation, and the cybersecurity tools include an attack generation station and a network analyzer. In this paper, we present the operational part, giving details on the power grid hardware-in-the-loop simulation and its importance in the understanding of cyber consequences on the global system. The article concludes giving preliminary experimental results showing consequences of a false data injection attack on a simple electrical architecture

Evaluating LLMs for Privilege-Escalation Scenarios

Penetration testing, an essential component of cybersecurity, allows organizations to proactively identify and remediate vulnerabilities in their systems, thus bolstering their defense mechanisms against potential cyberattacks. One recent advancement in the realm of penetration testing is the utilization of Language Models (LLMs). We explore the intersection of LLMs and penetration testing to gain insight into their capabilities and challenges in the context of privilige escalation. We create an automated Linux privilege-escalation benchmark utilizing local virtual machines. We introduce an LLM-guided privilege-escalation tool designed for evaluating different LLMs and prompt strategies against our benchmark. We analyze the impact of different prompt designs, the benefits of in-context learning, and the advantages of offering high-level guidance to LLMs. We discuss challenging areas for LLMs, including maintaining focus during testing, coping with errors, and finally comparing them with both stochastic parrots as well as with human hackers

Emulation of Industrial Control Field Device Protocols

It has been shown that thousands of industrial control devices are exposed to the Internet, however, the extent and nature of attacks on such devices remains unknown. The first step to understanding security problems that face modern supervisory control and data acquisition (SCADA) and industrial controls networks is to understand the various attacks launched on Internet-connected field devices. This thesis describes the design and implementation of an industrial control emulator on a Gumstix single-board computer as a solution. This emulator acts as a decoy field device, or honeypot, intended to be probed and attacked via an Internet connection. Evaluation techniques are developed to assess the accuracy of the emulation implemented on the Gumstix and are compared against the implementation on a standard PC and the emulation target, a Koyo DirectLogic 405 programmable logic controller. The results show that both the Gumstix and PC emulator platforms are very accurate to the workloads presented. This suggests that a honeypot implemented on a Gumstix emulator and a standard PC are both suitable for applications in SCADA attack-landscape research

PS3^3: Precise Patch Presence Test based on Semantic Symbolic Signature

During software development, vulnerabilities have posed a significant threat to users. Patches are the most effective way to combat vulnerabilities. In a large-scale software system, testing the presence of a security patch in every affected binary is crucial to ensure system security. Identifying whether a binary has been patched for a known vulnerability is challenging, as there may only be small differences between patched and vulnerable versions. Existing approaches mainly focus on detecting patches that are compiled in the same compiler options. However, it is common for developers to compile programs with very different compiler options in different situations, which causes inaccuracy for existing methods. In this paper, we propose a new approach named PS3, referring to precise patch presence test based on semantic-level symbolic signature. PS3 exploits symbolic emulation to extract signatures that are stable under different compiler options. Then PS3 can precisely test the presence of the patch by comparing the signatures between the reference and the target at semantic level. To evaluate the effectiveness of our approach, we constructed a dataset consisting of 3,631 (CVE, binary) pairs of 62 recent CVEs in four C/C++ projects. The experimental results show that PS3 achieves scores of 0.82, 0.97, and 0.89 in terms of precision, recall, and F1 score, respectively. PS3 outperforms the state-of-the-art baselines by improving 33% in terms of F1 score and remains stable in different compiler options.Comment: Accepted to ICSE 2024; Camera-ready versio

Use of supervised machine learning for GNSS signal spoofing detection with validation on real-world meaconing and spoofing data : part I

The vulnerability of the Global Navigation Satellite System (GNSS) open service signals to spoofing and meaconing poses a risk to the users of safety-of-life applications. This risk consists of using manipulated GNSS data for generating a position-velocity-timing solution without the user's system being aware, resulting in presented hazardous misleading information and signal integrity deterioration without an alarm being triggered. Among the number of proposed spoofing detection and mitigation techniques applied at different stages of the signal processing, we present a method for the cross-correlation monitoring of multiple and statistically significant GNSS observables and measurements that serve as an input for the supervised machine learning detection of potentially spoofed or meaconed GNSS signals. The results of two experiments are presented, in which laboratory-generated spoofing signals are used for training and verification within itself, while two different real-world spoofing and meaconing datasets were used for the validation of the supervised machine learning algorithms for the detection of the GNSS spoofing and meaconing

Understanding Hackers' Work: An Empirical Study of Offensive Security Practitioners

Offensive security-tests are a common way to pro-actively discover potential vulnerabilities. They are performed by specialists, often called penetration-testers or white-hat hackers. The chronic lack of available white-hat hackers prevents sufficient security test coverage of software. Research into automation tries to alleviate this problem by improving the efficiency of security testing. To achieve this, researchers and tool builders need a solid understanding of how hackers work, their assumptions, and pain points. In this paper, we present a first data-driven exploratory qualitative study of twelve security professionals, their work and problems occurring therein. We perform a thematic analysis to gain insights into the execution of security assignments, hackers' thought processes and encountered challenges. This analysis allows us to conclude with recommendations for researchers and tool builders to increase the efficiency of their automation and identify novel areas for research.Comment: 11 pages, we have chosen the category "Software Engineering" and not "Cryptography and Security" as while this is a paper about security practices, we target software engineering researcher

Certifications of Critical Systems – The CECRIS Experience

In recent years, a considerable amount of effort has been devoted, both in industry and academia, to the development, validation and verification of critical systems, i.e. those systems whose malfunctions or failures reach a critical level both in terms of risks to human life as well as having a large economic impact. Certifications of Critical Systems – The CECRIS Experience documents the main insights on Cost Effective Verification and Validation processes that were gained during work in the European Research Project CECRIS (Certification of Critical Systems). The objective of the research was to tackle the challenges of certification by focusing on those aspects that turn out to be more difficult/important for current and future critical systems industry: the effective use of methodologies, processes and tools. Starting from both the scientific and industrial state of the art methodologies for system development and the impact of their usage on the verification and validation and certification of critical systems, the project aimed at developing strategies and techniques supported by automatic or semi-automatic tools and methods for these activities, setting guidelines to support engineers during the planning of the verification and validation phases. Topics covered include: Safety Assessment, Reliability Analysis, Critical Systems and Applications, Functional Safety, Dependability Validation, Dependable Software Systems, Embedded Systems, System Certification