Virtualization-Based Resilience Approaches for Industrial Control Systems

Industrial Control Systems (ICS) and their components perform cyber-physical functions. In the context of critical infrastructure, these functions are vital to modern life. Programmable Logic Controllers (PLCs) are prominently found in ICS environments and execute the operational logic of the system. The continued escalation of cyberattacks targeting ICS and their PLCs serves as motivation for increasing system resilience. This dissertation analyzes domain cyber-threats and demonstrates novel approaches which utilize virtualization, containerization, input/output multiplexing, cryptographic attestation, software defined networking, security orchestration, and PLC runtimes to advance PLC trust and resilience while facilitating integration into past, present, and future systems. The research approaches were proven using physical ICS testbed environments with experimentation results showcasing enhanced control system trust and resilience

Automotive firmware extraction and analysis techniques

An intricate network of embedded devices, called Electronic Control Units (ECUs), is responsible for the functionality of a modern vehicle. Every module processes a myriad of information and forwards it on to other nodes on the network, typically an automotive bus such as the Controller Area Network (CAN). Analysing embedded device software, and automotive in particular, brings many challenges. The analyst must, especially in the notoriously secretive automotive industry, first lift the ECU firmware from the hardware, which typically prevents unauthorised access. In this thesis, we address this problem in two ways: - We detail and bypass the access control mechanism used in diagnostic protocols in ECU firmware. Using existing diagnostic functionality, we present a generic technique to download code to RAM and execute it, without requiring physical access to the ECU. We propose a generic firmware readout framework on top of this, which only requires access to the CAN bus. - We analyse various embedded bootloaders and combine dynamic analysis with low-level hardware fault attacks, resulting in several fault-injection attacks which bypass on-chip readout protection. We then apply these firmware extraction techniques to acquire immobiliser firmware by two different manufacturers, from which we reverse engineer the DST80 cipher and present it in full detail here. Furthermore, we point out flaws in the key generation procedure, also recovered from the ECU firmware, leading to a full key recovery based on publicly readable transponder pages

Detecting Software Attacks on Embedded IoT Devices

Internet of Things (IoT) applications are being rapidly deployed in the context of smart homes, automotive vehicles, smart factories, and many more. In these applications, embedded devices are widely used as sensors, actuators, or edge nodes. The embedded devices operate distinctively on a task or interact with each other to collectively perform certain tasks. In general, increase in Internet-connected things has made embedded devices an attractive target for various cyber attacks, where an attacker gains access and control remote devices for malicious activities. These IoT devices could be exploited by an attacker to compromise the security of victim’s platform without requiring any physical hardware access. In order to detect such software attacks and ensure a reliable and trustworthy IoT application, it is crucial to verify that a device is not compromised by malicious software, and also assert correct execution of the program. In the literature, solutions based on remote attestation, anomaly detection, control-flow and data-flow integrity have been proposed to detect software attacks. However, these solutions have limited applicability in terms of target deployments and attack detection, which we inspect thoroughly. In this dissertation, we propose three solutions to detect software attacks on embedded IoT devices. In particular, we first propose SWARNA, which uses remote attestation to verify a large network of embedded devices and ensure that the application software on the device is not tampered. Verifying the integrity of a software preserves the static properties of a device. To secure the devices from various software attacks, it is imperative to also ensure that the runtime execution of a program is as expected. Therefore, we focus extensively on detecting memory corruption attacks that may occur during the program execution. Furthermore, we propose, SPADE and OPADE, secure program anomaly detection that runs on embedded IoT devices and use deep learning, and machine learning algorithms respectively to detect various runtime software attacks. We evaluate and analyse all the proposed solutions on real embedded hardware and IoT testbeds. We also perform a thorough security analysis to show how the proposed solutions can detect various software attacks

Securing the Edges of IoT Networks: a Scalable SIP DDoS Defense Framework with VNF, SDN, and Blockchain

An unintended consequence of the global deployment of IoT devices is that they provide a fertile breeding ground for IoT botnets. An adversary can take advantage of an IoT botnet to launch DDoS attacks against telecommunication services. Due to the magnitude of such an attack, legacy security systems are not able to provide adequate protection. The impact ranges from loss of revenue for businesses to endangering public safety. This risk has prompted academia, government, and industry to reevaluate the existing de- fence model. The current model relies on point solutions and the assumption that adversaries and their attacks are readily identifiable. But adversaries have challenged this assumption, building a botnet from thousands of hijacked IoT devices to launch DDoS attacks. With bot- net DDoS attacks there are no clear boundary where the attacks originate and what defensive measures to use. The research question is: in what ways programmable networks could defend against Session Initiation Protocol (SIP) Distributed Denial-of-Service (DDoS) flooding attacks from IoT botnets? My significant and original contribution to the knowledge is a scalable and collaborative defence framework that secures the edges of IoT networks with Virtual Network Function (VNF), Software-Defined Networking (SDN), and Blockchain technology to prevent, detect, and mitigate SIP DDoS flooding attacks from IoT botnets. Successful experiments were performed using VNF, SDN, and Blockchain. Three kinds of SIP attacks (scan, brute force, and DDoS) were launched against a VNF running on a virtual switch and each was successfully detected and mitigated. The SDN controller gathers threat intelligence from the switch where the attacks originate and installs them as packet filtering rules on all switches in the organisation. With the switches synchronised, the same botnet outbreak is prevented from attacking other parts of the organisation. A distributed application scales this framework further by writing the threat intelligence to a smart contract on the Ethereum Blockchain so that it is available for external organisations. The receiving organisation retrieves the threat intelligence from the smart contract and installs them as packet filtering rules on their switches. In this collaborative framework, attack detection/mitigation efforts by one organisation can be leveraged as attack prevention efforts by other organisations in the community

Achieving cyber resiliency against lateral movement through detection and response

Systems and attacks are becoming more complex, and classical cyber security methods are failing to protect and secure those systems. We believe that systems must be built to be resilient to attacks. Cyber resilience is a dynamic protection strategy that aims to stop cyber attacks while maintaining an acceptable level of service. The strategy monitors a system to detect cyber incidents, and dynamically changes the state of the system to learn about the incidents, contain an attack, and recover. Thus, instead of being perfectly protected, a cyber-resilient system survives a cyber incident by containing the attack and recovering while maintaining service. Cyber resiliency has the potential to secure the modern systems that control our critical infrastructure. However, several practical and theoretical challenges hinder the development of cyber-resilient architectures. In particular, an architecture needs to support and make use of a large amount of monitoring; the problem is especially serious for a large network in which hosts send low-level information for fusion. The problem is not only computational; the semantics of the data also creates a challenge. In combining information from multiple sources and across multiple abstractions, we need to realize that the sources are describing different events in the system which are occurring at varying time scales. Moreover, the system is dependent on the integrity of the monitoring data when estimating the state of the system. The estimated state is used to detect malicious activities and to drive responses. The integrity of the monitoring data is critical to making “correct” decisions that are not influenced by the attacker. In addition, choosing an appropriate response to specific attacks requires knowledge of the at- tackers’ behavior, i.e., an attacker model. If the attacker model is wrong, then the responses selected by the mechanism will be ineffective. Finally, the response mechanisms need to be proven effective in maintaining the resilience of the system. Proving such properties is particularly challenging when the systems are highly complex. In this dissertation, we propose a resiliency architecture that uses a model of the system to deploy monitors, estimates the state of the system using monitor data, and selects responses to contain and recover from attacks while maintaining service. Then we describe our design for the essential components of the said resiliency architecture for a multitude of systems including operating systems, hosts, and enterprise net- works, to address lateral movement attacks. Specifically, we have built components that address monitor design, fusion of monitoring data, and response. Our pieces address the challenges that face cyber-resilient architectures. We set out to provide resilience against lateral movement. Lateral movement is a step taken by an attacker to shift his or her position from an initial compromised host into a target host with high value. First, we designed a host-level monitor Kobra that generates different estimations of the state of a host. Kobra combines the various aspects of application behavior into multiple views: (1) a discrete time signal used for anomaly detection, and (2) a host-level process communication graph to correlate events that happen in a network. We use the host correlations to generate chains of network events that correspond to suspicious lateral movement behavior. We use a novel fusion framework that enables us to fuse monitoring events for different sources over a hierarchy. Finally, we respond to lateral movement by changing the topology and healing rates in the network. The changes are enacted by a feedback controller to slow down and stop the spread of the attack. Since our cyber resiliency architecture depends on the integrity of the monitoring data, we propose PowerAlert, an out-of-box integrity checker, to establish the “trustworthiness” of a machine. PowerAlert is resilient to attacker evasion and adaptation. It uses the current drawn by the CPU, measured using an external probe, to confirm that the machine executed the check as expected. To prevent an attacker from evading PowerAlert, we use an optimal initiation strategy, and to resist adaptation, we use randomly generated integrity-checking programs. We pick the optimal initiation strategy by modeling the problem of low-cost integrity checking when an attacker is attempting to evade detection as a continuous-time game called Tireless. The optimal strategy is the Nash equilibrium that optimizes the defender’s cost of checking and utility of detection against an adaptive attacker

Formally designing and implementing cyber security mechanisms in industrial control networks.

This dissertation describes progress in the state-of-the-art for developing and deploying formally verified cyber security devices in industrial control networks. It begins by detailing the unique struggles that are faced in industrial control networks and why concepts and technologies developed for securing traditional networks might not be appropriate. It uses these unique struggles and examples of contemporary cyber-attacks targeting control systems to argue that progress in securing control systems is best met with formal verification of systems, their specifications, and their security properties. This dissertation then presents a development process and identifies two technologies, TLA+ and seL4, that can be leveraged to produce a high-assurance embedded security device. The method presented in this dissertation takes an informal design of an embedded device that might be found in a control system and 1) formalizes the design within TLA+, 2) creates and mechanically checks a model built from the formal design, and 3) translates the TLA+ design into a component-based architecture of a native seL4 application. The later chapters of this dissertation describe an application of the process to a security preprocessor embedded device that was designed to add security mechanisms to the network communication of an existing control system. The device and its security properties are formally specified in TLA+ in chapter 4, mechanically checked in chapter 5, and finally its native seL4 architecture is implemented in chapter 6. Finally, the conclusions derived from the research are laid out, as well as some possibilities for expanding the presented method in the future

A Survey of Software-Defined Networking: Past, Present, and Future of Programmable Networks

accepted in IEEE Communications Surveys & TutorialsInternational audienceThe idea of programmable networks has recently re-gained considerable momentum due to the emergence of the Software-Defined Networking (SDN) paradigm. SDN, often referred to as a ''radical new idea in networking'', promises to dramatically simplify network management and enable innovation through network programmability. This paper surveys the state-of-the-art in programmable networks with an emphasis on SDN. We provide a historic perspective of programmable networks from early ideas to recent developments. Then we present the SDN architecture and the OpenFlow standard in particular, discuss current alternatives for implementation and testing of SDN-based protocols and services, examine current and future SDN applications, and explore promising research directions based on the SDN paradigm

Designing and Deploying Internet of Things Applications in the Industry: An Empirical Investigation

RÉSUMÉ : L’Internet des objets (IdO) a pour objectif de permettre la connectivité à presque tous les objets trouvés dans l’espace physique. Il étend la connectivité aux objets de tous les jours et o˙re la possibilité de surveiller, de suivre, de se connecter et d’intéragir plus eÿcacement avec les actifs industriels. Dans l’industrie de nos jours, les réseaux de capteurs connectés surveillent les mouvements logistiques, fabriquent des machines et aident les organisations à améliorer leur eÿcacité et à réduire les coûts. Cependant, la conception et l’implémentation d’un réseau IdO restent, aujourd’hui, une tâche particulièrement diÿcile. Nous constatons un haut niveau de fragmentation dans le paysage de l’IdO, les développeurs se complaig-nent régulièrement de la diÿculté à intégrer diverses technologies avec des divers objets trouvés dans les systèmes IdO et l’absence des directives et/ou des pratiques claires pour le développement et le déploiement d’application IdO sûres et eÿcaces. Par conséquent, analyser et comprendre les problèmes liés au développement et au déploiement de l’IdO sont primordiaux pour permettre à l’industrie d’exploiter son plein potentiel. Dans cette thèse, nous examinons les interactions des spécialistes de l’IdO sur le sites Web populaire, Stack Overflow et Stack Exchange, afin de comprendre les défis et les problèmes auxquels ils sont confrontés lors du développement et du déploiement de di˙érentes appli-cations de l’IdO. Ensuite, nous examinons le manque d’interopérabilité entre les techniques développées pour l’IdO, nous étudions les défis que leur intégration pose et nous fournissons des directives aux praticiens intéressés par la connexion des réseaux et des dispositifs de l’IdO pour développer divers services et applications. D’autre part, la sécurité étant essen-tielle au succès de cette technologie, nous étudions les di˙érentes menaces et défis de sécurité sur les di˙érentes couches de l’architecture des systèmes de l’IdO et nous proposons des contre-mesures. Enfin, nous menons une série d’expériences qui vise à comprendre les avantages et les incon-vénients des déploiements ’serverful’ et ’serverless’ des applications de l’IdO afin de fournir aux praticiens des directives et des recommandations fondées sur des éléments probants relatifs à de tels déploiements. Les résultats présentés représentent une étape très importante vers une profonde compréhension de ces technologies très prometteuses. Nous estimons que nos recommandations et nos suggestions aideront les praticiens et les bâtisseurs technologiques à améliorer la qualité des logiciels et des systèmes de l’IdO. Nous espérons que nos résultats pourront aider les communautés et les consortiums de l’IdO à établir des normes et des directives pour le développement, la maintenance, et l’évolution des logiciels de l’IdO.----------ABSTRACT : Internet of Things (IoT) aims to bring connectivity to almost every object found in the phys-ical space. It extends connectivity to everyday things, opens up the possibility to monitor, track, connect, and interact with industrial assets more eÿciently. In the industry nowadays, we can see connected sensor networks monitor logistics movements, manufacturing machines, and help organizations improve their eÿciency and reduce costs as well. However, designing and implementing an IoT network today is still a very challenging task. We are witnessing a high level of fragmentation in the IoT landscape and developers regularly complain about the diÿculty to integrate diverse technologies of various objects found in IoT systems, and the lack of clear guidelines and–or practices for developing and deploying safe and eÿcient IoT applications. Therefore, analyzing and understanding issues related to the development and deployment of the Internet of Things is utterly important to allow the industry to utilize its fullest potential. In this thesis, we examine IoT practitioners’ discussions on the popular Q&A websites, Stack Overflow and Stack Exchange, to understand the challenges and issues that they face when developing and deploying di˙erent IoT applications. Next, we examine the lack of interoper-ability among technologies developed for IoT and study the challenges that their integration poses and provide guidelines for practitioners interested in connecting IoT networks and de-vices to develop various services and applications. Since security issues are center to the success of this technology, we also investigate di˙erent security threats and challenges across di˙erent layers of the architecture of IoT systems and propose countermeasures. Finally, we conduct a series of experiments to understand the advantages and trade-o˙s of serverful and serverless deployments of IoT applications in order to provide practitioners with evidence-based guidelines and recommendations on such deployments. The results presented in this thesis represent a first important step towards a deep understanding of these very promising technologies. We believe that our recommendations and suggestions will help practitioners and technology builders improve the quality of IoT software and systems. We also hope that our results can help IoT communities and consortia establish standards and guidelines for the development, maintenance, and evolution of IoT software and systems

Secure Remote Attestation for Safety-Critical Embedded and IoT Devices

In recent years, embedded and cyber-physical systems (CPS), under the guise of Internet-of-Things (IoT), have entered many aspects of daily life. Despite many benefits, this develop-ment also greatly expands the so-called attack surface and turns these newly computerizedgadgets into attractive attack targets. One key component in securing IoT devices is malwaredetection, which is typically attained with (secure) remote attestation. Remote attestationis a distinct security service that allows a trusted verifier to verify the internal state of aremote untrusted device. Remote attestation is especially relevant for low/medium-end em-bedded devices that are incapable of protecting themselves against malware infection. Assafety-critical IoT devices become commonplace, it is crucial for remote attestation not tointerfere with the device’s normal operations. In this dissertation, we identify major issues inreconciling remote attestation and safety-critical application needs. We show that existingattestation techniques require devices to perform uninterruptible (atomic) operations duringattestation. Such operations can be time-consuming and thus may be harmful to the device’ssafety-critical functionality. On the other hand, simply relaxing security requirements of re-mote attestation can lead to other vulnerabilities. To resolve this conflict, this dissertationpresents the design, implementation, and evaluation of several mitigation techniques. In par-ticular, we propose two light-weight techniques capable of providing interruptible attestationmodality. In contrast to traditional techniques, our proposed techniques allow interrupts tooccur during attestation while ensuring malware detection via shuffled memory traversals ormemory locking mechanisms. Another type of techniques pursued in this dissertation aimsto minimize the real-time computation overhead during attestation. We propose using peri-odic self-measurements to measure and record the device’s state, resulting in more flexiblescheduling of the attestation process and also in no real-time burden as part of its interactionwith verifier. This technique is particularly suitable for swarm settings with a potentiallylarge number of safety-critical devices. Finally, we develop a remote attestation HYDRAarchitecture, based on a formally verified component, and use it as a building block in ourproposed mitigation techniques. We believe that this architecture may be of independentinterest