44 research outputs found
Learning-guided network fuzzing for testing cyber-physical system defences
The threat of attack faced by cyber-physical systems (CPSs), especially when
they play a critical role in automating public infrastructure, has motivated
research into a wide variety of attack defence mechanisms. Assessing their
effectiveness is challenging, however, as realistic sets of attacks to test
them against are not always available. In this paper, we propose smart fuzzing,
an automated, machine learning guided technique for systematically finding
'test suites' of CPS network attacks, without requiring any knowledge of the
system's control programs or physical processes. Our approach uses predictive
machine learning models and metaheuristic search algorithms to guide the
fuzzing of actuators so as to drive the CPS into different unsafe physical
states. We demonstrate the efficacy of smart fuzzing by implementing it for two
real-world CPS testbeds---a water purification plant and a water distribution
system---finding attacks that drive them into 27 different unsafe states
involving water flow, pressure, and tank levels, including six that were not
covered by an established attack benchmark. Finally, we use our approach to
test the effectiveness of an invariant-based defence system for the water
treatment plant, finding two attacks that were not detected by its physical
invariant checks, highlighting a potential weakness that could be exploited in
certain conditions.Comment: Accepted by ASE 201
Finding Causally Different Tests for an Industrial Control System
Industrial control systems (ICSs) are types of cyber-physical systems in
which programs, written in languages such as ladder logic or structured text,
control industrial processes through sensing and actuating. Given the use of
ICSs in critical infrastructure, it is important to test their resilience
against manipulations of sensor/actuator inputs. Unfortunately, existing
methods fail to test them comprehensively, as they typically focus on finding
the simplest-to-craft manipulations for a testing goal, and are also unable to
determine when a test is simply a minor permutation of another, i.e. based on
the same causal events. In this work, we propose a guided fuzzing approach for
finding 'meaningfully different' tests for an ICS via a general formalisation
of sensor/actuator-manipulation strategies. Our algorithm identifies the causal
events in a test, generalises them to an equivalence class, and then updates
the fuzzing strategy so as to find new tests that are causally different from
those already identified. An evaluation of our approach on a real-world water
treatment system shows that it is able to find 106% more causally different
tests than the most comparable fuzzer. While we focus on diversifying the test
suite of an ICS, our formalisation may be useful for other fuzzers that
intercept communication channels.Comment: Accepted by the 45th IEEE/ACM International Conference on Software
Engineering (ICSE 2023
Active fuzzing for testing and securing cyber-physical systems
National Research Foundation (NRF) Singapore under its National Satellite of Excellence Programm
Learning Failure-Inducing Models for Testing Software-Defined Networks
Software-defined networks (SDN) enable flexible and effective communication
systems, e.g., data centers, that are managed by centralized software
controllers. However, such a controller can undermine the underlying
communication network of an SDN-based system and thus must be carefully tested.
When an SDN-based system fails, in order to address such a failure, engineers
need to precisely understand the conditions under which it occurs. In this
paper, we introduce a machine learning-guided fuzzing method, named FuzzSDN,
aiming at both (1) generating effective test data leading to failures in
SDN-based systems and (2) learning accurate failure-inducing models that
characterize conditions under which such system fails. This is done in a
synergistic manner where models guide test generation and the latter also aims
at improving the models. To our knowledge, FuzzSDN is the first attempt to
simultaneously address these two objectives for SDNs. We evaluate FuzzSDN by
applying it to systems controlled by two open-source SDN controllers. Further,
we compare FuzzSDN with two state-of-the-art methods for fuzzing SDNs and two
baselines (i.e., simple extensions of these two existing methods) for learning
failure-inducing models. Our results show that (1) compared to the
state-of-the-art methods, FuzzSDN generates at least 12 times more failures,
within the same time budget, with a controller that is fairly robust to fuzzing
and (2) our failure-inducing models have, on average, a precision of 98% and a
recall of 86%, significantly outperforming the baselines
Fuzzing the Internet of Things: A Review on the Techniques and Challenges for Efficient Vulnerability Discovery in Embedded Systems
With a growing number of embedded devices that create, transform and send data autonomously at its core, the Internet-of-Things (IoT) is a reality in different sectors such as manufacturing, healthcare or transportation. With this expansion, the IoT is becoming more present in critical environments, where security is paramount. Infamous attacks such as Mirai have shown the insecurity of the devices that power the IoT, as well as the potential of such large-scale attacks. Therefore, it is important to secure these embedded systems that form the backbone of the IoT. However, the particular nature of these devices and their resource constraints mean that the most cost-effective manner of securing these devices is to secure them before they are deployed, by minimizing the number of vulnerabilities they ship. To this end, fuzzing has proved itself as a valuable technique for automated vulnerability finding, where specially crafted inputs are fed to programs in order to trigger vulnerabilities and crash the system. In this survey, we link the world of embedded IoT devices and fuzzing. For this end, we list the particularities of the embedded world as far as security is concerned, we perform a literature review on fuzzing techniques
and proposals, studying their applicability to embedded IoT devices and, finally, we present future research directions by pointing out the gaps identified in the review
Code Integrity Attestation for PLCs using Black Box Neural Network Predictions
Cyber-physical systems (CPSs) are widespread in critical domains, and
significant damage can be caused if an attacker is able to modify the code of
their programmable logic controllers (PLCs). Unfortunately, traditional
techniques for attesting code integrity (i.e. verifying that it has not been
modified) rely on firmware access or roots-of-trust, neither of which
proprietary or legacy PLCs are likely to provide. In this paper, we propose a
practical code integrity checking solution based on privacy-preserving black
box models that instead attest the input/output behaviour of PLC programs.
Using faithful offline copies of the PLC programs, we identify their most
important inputs through an information flow analysis, execute them on multiple
combinations to collect data, then train neural networks able to predict PLC
outputs (i.e. actuator commands) from their inputs. By exploiting the black box
nature of the model, our solution maintains the privacy of the original PLC
code and does not assume that attackers are unaware of its presence. The trust
instead comes from the fact that it is extremely hard to attack the PLC code
and neural networks at the same time and with consistent outcomes. We evaluated
our approach on a modern six-stage water treatment plant testbed, finding that
it could predict actuator states from PLC inputs with near-100% accuracy, and
thus could detect all 120 effective code mutations that we subjected the PLCs
to. Finally, we found that it is not practically possible to simultaneously
modify the PLC code and apply discreet adversarial noise to our attesters in a
way that leads to consistent (mis-)predictions.Comment: Accepted by the 29th ACM Joint European Software Engineering
Conference and Symposium on the Foundations of Software Engineering (ESEC/FSE
2021
Identifying Near-Optimal Single-Shot Attacks on ICSs with Limited Process Knowledge
Industrial Control Systems (ICSs) rely on insecure protocols and devices to
monitor and operate critical infrastructure. Prior work has demonstrated that
powerful attackers with detailed system knowledge can manipulate exchanged
sensor data to deteriorate performance of the process, even leading to full
shutdowns of plants. Identifying those attacks requires iterating over all
possible sensor values, and running detailed system simulation or analysis to
identify optimal attacks. That setup allows adversaries to identify attacks
that are most impactful when applied on the system for the first time, before
the system operators become aware of the manipulations.
In this work, we investigate if constrained attackers without detailed system
knowledge and simulators can identify comparable attacks. In particular, the
attacker only requires abstract knowledge on general information flow in the
plant, instead of precise algorithms, operating parameters, process models, or
simulators. We propose an approach that allows single-shot attacks, i.e.,
near-optimal attacks that are reliably shutting down a system on the first try.
The approach is applied and validated on two use cases, and demonstrated to
achieve comparable results to prior work, which relied on detailed system
information and simulations.Comment: This paper has been accepted at Applied Cryptography and Network
Security (ACNS) 202
A survey of cyber-physical attacks and detection methods in smart water distribution systems
Modern technologies empower water distribution systems (WDS) for better services in the processes of water supply, storage, distribution, and recycling. They improve real-time monitoring, automating, and managing. However, the limitations of these technologies introduce cyber-physical attacks to the WDS. The main goals of cyber-physical attacks include disrupting normal operations and tampering the critical data, which have negative impacts on the WDS. Therefore, it is vital to develop and implement solutions to increase the security of the WDS by detecting and mitigating cyber-physical attacks. Since security for WDS is relatively new, there are no surveys on this topic despite its vital importance. Therefore, in this paper, we provide a comprehensive survey for the common cyber-physical attacks and common detection mechanisms for the WDS. We compare the attacks and detection methods with emphasis on ideas, methods, evaluation results, advantages, limitations, etc. We further provide a future research direction. We realize that there are still not many research attempts in this area and we hope that this work can trigger more research activities related to the WDS