3,030 research outputs found

    On Ladder Logic Bombs in Industrial Control Systems

    In industrial control systems, devices such as Programmable Logic Controllers (PLCs) are commonly used to directly interact with sensors and actuators, and perform local automatic control. PLCs run software on two different layers: a) firmware (i.e. the OS) and b) control logic (processing sensor readings to determine control actions). In this work, we discuss ladder logic bombs, i.e. malware written in ladder logic (or one of the other IEC 61131-3-compatible languages). Such malware would be inserted by an attacker into existing control logic on a PLC, and either persistently change the behavior, or wait for specific trigger signals to activate malicious behaviour. For example, the LLB could replace legitimate sensor readings with manipulated values. We see the concept of LLBs as a generalization of attacks such as the Stuxnet attack. We introduce LLBs on an abstract level, and then demonstrate several designs based on real PLC devices in our lab. In particular, we also focus on stealthy LLBs, i.e. LLBs that are hard to detect by human operators manually validating the program running in PLCs. In addition to introducing vulnerabilities on the logic layer, we also discuss countermeasures and we propose two detection techniques. Comment: 11 pages, 14 figures, 2 tables, 1 algorith

    InternalBlue - Bluetooth Binary Patching and Experimentation Framework

    Bluetooth is one of the most established technologies for short range digital wireless data transmission. With the advent of wearables and the Internet of Things (IoT), Bluetooth has again gained importance, which makes security research and protocol optimizations imperative. Surprisingly, there is a lack of openly available tools and experimental platforms to scrutinize Bluetooth. In particular, system aspects and close to hardware protocol layers are mostly uncovered. We reverse engineer multiple Broadcom Bluetooth chipsets that are widespread in off-the-shelf devices. Thus, we offer deep insights into the internal architecture of a popular commercial family of Bluetooth controllers used in smartphones, wearables, and IoT platforms. Reverse engineered functions can then be altered with our InternalBlue Python framework, outperforming evaluation kits, which are limited to documented and vendor-defined functions. The modified Bluetooth stack remains fully functional and high-performance. Hence, it provides a portable low-cost research platform. InternalBlue is a versatile framework and we demonstrate its abilities by implementing tests and demos for known Bluetooth vulnerabilities. Moreover, we discover a novel critical security issue affecting a large selection of Broadcom chipsets that allows executing code within the attacked Bluetooth firmware. We further show how to use our framework to fix bugs in chipsets out of vendor support and how to add new security features to Bluetooth firmware

    The Phoenix Drone: An Open-Source Dual-Rotor Tail-Sitter Platform for Research and Education

    In this paper, we introduce the Phoenix drone: the first completely open-source tail-sitter micro aerial vehicle (MAV) platform. The vehicle has a highly versatile, dual-rotor design and is engineered to be low-cost and easily extensible/modifiable. Our open-source release includes all of the design documents, software resources, and simulation tools needed to build and fly a high-performance tail-sitter for research and educational purposes. The drone has been developed for precision flight with a high degree of control authority. Our design methodology included extensive testing and characterization of the aerodynamic properties of the vehicle. The platform incorporates many off-the-shelf components and 3D-printed parts, in order to keep the cost down. Nonetheless, the paper includes results from flight trials which demonstrate that the vehicle is capable of very stable hovering and accurate trajectory tracking. Our hope is that the open-source Phoenix reference design will be useful to both researchers and educators. In particular, the details in this paper and the available open-source materials should enable learners to gain an understanding of aerodynamics, flight control, state estimation, software design, and simulation, while experimenting with a unique aerial robot. Comment: In Proceedings of the IEEE International Conference on Robotics and Automation (ICRA'19), Montreal, Canada, May 20-24, 201

    Design and implementation of a hardened distributed network endpoint security system for improving the security of internet protocol-based networks

    This thesis proposes a distributed approach to securing computer networks by delegating the role of a conventional firewall to a collection of nodes and controllers placed throughout the networks they are intended to protect from attack. This distributed firewall system is a specific application of a generalized distributed system framework that is also proposed in this thesis. The design and implementation of both the generalized framework and the application of the framework in creating a distributed firewall system for use on Ethernet-based networks that rely on the Internet Protocol are discussed. Conclusions based upon the preliminary implementation of the proposed systems are given along with future directions. --Abstract, page iii

    A general-purpose microcontroller-based framework for integrating oceanographic sensors, instruments, and peripherals

    Author Posting. © American Meteorological Society, 2017. This article is posted here by permission of American Meteorological Society for personal use, not for redistribution. The definitive version was published in Journal of Atmospheric and Oceanic Technology 34 (2017): 415-427, doi:10.1175/JTECH-D-16-0069.1. Sensors and instruments for basic oceanographic properties are becoming increasingly sophisticated, which both simplifies and complicates their use in field studies. This increased sophistication disproportionately affects smaller-scale observational efforts that are less likely to be well supported technically but which need to integrate instruments, sensors, and commonly needed peripheral devices in ways not envisioned by their manufacturers. A general-purpose hardware and software framework was developed around a widely used family of low-power microcontrollers to lessen the technical expertise and customization required to integrate sensors, instruments, and peripherals, and thus simplify such integration scenarios. Both the hardware and associated firmware development tools provide a range of features often required in such scenarios: serial data interfaces, analog inputs and outputs, logic lines and power-switching capability, nonvolatile storage of data and parameters for sampling or configuration, and serial communication interfaces to supervisory or telemetry systems. The microcontroller and additional components needed to implement this integration framework are small enough to encapsulate in standard cable splices, creating a small form factor “smart cable” that can be readily wired and programmed for a range of integration needs. An application programming library developed for this hardware provides skeleton code for functions commonly desired when integrating sensors, instruments, and peripherals. This minimizes the firmware programming expertise needed to apply this framework in many integration scenarios and thus streamlines the development of firmware for different field applications. Envisioned applications are in field programs where significant technical instrumentation expertise is unavailable or not cost effective. Link Foundation Ocean Engineering graduate fellowship to SRL. Subsequent development effort was supported by a NASA New Investigator Award to SRL (NNX10AQ83G) and by the Woods Hole Oceanographic Institution through its Assistant Scientist Endowed Support, a Cecil H. and Ida M. Green Technology Innovation Award, and the Investment in Science Program

    Aerial Networking for the Implementation of Cooperative Control on Small Unmanned Aerial Systems

    The employment of Small Unmanned Aerial Systems (SUAS) for reconnaissance and surveillance missions is a vital capability of the United States military. Cooperative control algorithms for SUAS can enable tactical multi-vehicle configurations for communications extension, intelligent navigation, and a multitude of other applications. Past research at AFIT has designed and simulated a cooperative rover-relay algorithm for extended communications and has investigated its implementation through various modem configurations. This research explores aerial networking options for implementing cooperative control and applies them to an actual SUAS. Using Commercial Off-The-Shelf (COTS) hardware, a system was designed and flight tested to implement the rover-relay algorithm and provide a testbed system for future research in cooperative control. Two different modem configurations were designed and tested. The first modem configuration was demonstrated through a series of ground and flight tests to successfully relay autopilot commands and telemetry between a ground station and a rover aircraft through a relay aircraft. This configuration effectively doubles the effective range of the rover system to 1.2 miles, together with an algorithm that autonomously navigates the relay aircraft to an optimal location. Secondly, a mesh network was configured and tested. This configuration successfully relayed aircraft telemetry to the ground station from each vehicle in the network. However, the network suffered from low throughput, which limited autopilot functionality, such as updating navigation waypoints to each aircraft. The results suggest the system be updated with more capable modems in a mesh configuration to broaden the possibilities for future research in cooperative applications

    Development of the Codebase for ECE Design: Smartwatch Device and App for Continuous Glucose Monitoring

    This honors thesis describes the development of the codebase for the 2018 University of Connecticut ECE Senior Design project titled "Smartwatch Device and App for Continuous Glucose Monitoring". The goal for the senior design project is to remove the dependencies imposed by a previously-designed prototype of a glucose-monitoring smartwatch, by creating a new custom device without those dependencies. Development of the new codebase involves splitting the tasks of an Arduino codebase into a number of logical components that are then implemented in C. This new codebase makes substantial improvements to the overall program structure and organization, as well as numerous functional additions. An API for writing graphics to a given display is written and implemented for two LCD controllers as well as for the standard output stream. This graphics API uses a buffering strategy and partial screen rendering to achieve faster display writing. Functions that plot incoming data on an auto-scaling bar graph are implemented as well. The resulting codebase realizes the firmware for a custom smartwatch controlled by an ATSAMD21G18A microcontroller. This smartwatch is designed to periodically read the frequency of an incoming signal to determine and display the current glucose level of a user. The program supports Bluetooth communication with a smartphone app and a deep sleep mode to save battery during inactivity. Current time and date are kept and displayed to the user, as well as battery and Bluetooth connection information. A user interacts with the smartwatch using two buttons

    A General Hardware/Software Co-design Methodology for Embedded Signal Processing and Multimedia Workloads

    This paper presents a hardware/software co-design methodology for partitioning real-time embedded multimedia applications between software programmable DSPs and hardware based FPGA coprocessors. By following a strict set of guidelines, the input application is partitioned between software executing on a programmable DSP and hardware based FPGA implementation to alleviate computational bottlenecks in modern VLIW style DSP architectures used in embedded systems. This methodology is applied to channel estimation firmware in 3.5G wireless receivers, as well as software based H.263 video decoders. As much as an 11x improvement in runtime performance can be achieved by partitioning performance critical software kernels in these workloads into a hardware based FPGA implementation executing in tandem with the existing host DSP. Nokia Inc.; Texas Instruments; National Science Foundatio