Combating memory corruption attacks on SCADA devices

Memory corruption attacks on SCADA devices can cause significant dis- ruptions to control systems and the industrial processes they operate. However, despite the presence of numerous memory corruption vulner- abilities, few, if any, techniques have been proposed for addressing the vulnerabilities or for combating memory corruption attacks. This paper describes a technique for defending against memory corruption attacks by enforcing logical boundaries between potentially hostile data and safe data in protected processes. The technique encrypts all input data using random keys; the encrypted data is stored in main memory and is decrypted according to the principle of least privilege just before it is processed by the CPU. The defensive technique affects the precision with which attackers can corrupt control data and pure data, protecting against code injection and arc injection attacks, and alleviating prob- lems posed by the incomparability of mitigation techniques. An experi- mental evaluation involving the popular Modbus protocol demonstrates the feasibility and efficiency of the defensive technique

Vulnerability Analysis of SCADA Protocol Binaries through Detection of Memory Access Taintedness

Pointer taintedness is a concept which has been successfully employed as basis for vulnerability analysis of C/C++ source code, and as a run-time mitigation technique against memory corruption attacks. Nevertheless, pointer taintedness interferes with the specification of several industrial control protocols. As a consequence it is not directly usable in detecting memory corruption vulnerabilities in implementations of those industrial control protocols. Furthermore, source-code analysis may have no visibility on certain low-level vulnerabilities since there may be a considerable difference between what programmers intend with the source code they write and what the CPU really executes. A set of memory corruption vulnerabilities specific to implementations of industrial control protocols may escape source code analysis as they are related to a dynamic organization of data in memory. In this paper we define a new concept referred to as memory access taintedness. We discuss the logical motivations behind our definition of memory access taintedness and demonstrate that memory access taintedness is fully employable in vulnerability analysis of the machine code of implementations of industrial control protocols. We analyze the main low-level characteristics of both traditional attacks and attacks specific to process control systems, and demonstrate the ability of memory access taintedness to detect memory corruption vulnerabilities. We represent memory access taintedness as a decision tree and use it as the fundamental component of a finite state machine model we devised for the purpose of dynamically detecting memory corruption vulnerabilities in implementations of industrial control protocols

Towards Learning Normality for Anomaly Detection in Industrial Control Networks

Part 3: Security ManagementInternational audienceRecent trends in automation technology lead to a rising exposition of industrial control systems (ICS) to new vulnerabilities. This requires the introduction of proper security approaches in this field. Prevalent in ICS is the use of access control. Especially in critical infrastructures, however, preventive security measures should be complemented by reactive ones, such as intrusion detection. Beginning from the characteristics of automation networks we outline the implications for a suitable application of intrusion detection in this field. On this basis, an approach for creation of self-learning anomaly detection for ICS protocols is presented. In contrast to other approaches, it takes all network data into account: flow information, application data, and the packet order. We discuss the challenges that have to be solved in each step of the network data analysis to identify future aspects of research towards learning normality in industrial control networks

Botnet detection techniques: review, future trends, and issues

NoIn recent years, the Internet has enabled access to widespread remote services in the distributed computing environment; however, integrity of data transmission in the distributed computing platform is hindered by a number of security issues. For instance, the botnet phenomenon is a prominent threat to Internet security, including the threat of malicious codes. The botnet phenomenon supports a wide range of criminal activities, including distributed denial of service (DDoS) attacks, click fraud, phishing, malware distribution, spam emails, and building machines for illegitimate exchange of information/materials. Therefore, it is imperative to design and develop a robust mechanism for improving the botnet detection, analysis, and removal process. Currently, botnet detection techniques have been reviewed in different ways; however, such studies are limited in scope and lack discussions on the latest botnet detection techniques. This paper presents a comprehensive review of the latest state-of-the-art techniques for botnet detection and figures out the trends of previous and current research. It provides a thematic taxonomy for the classification of botnet detection techniques and highlights the implications and critical aspects by qualitatively analyzing such techniques. Related to our comprehensive review, we highlight future directions for improving the schemes that broadly span the entire botnet detection research field and identify the persistent and prominent research challenges that remain open.University of Malaya, Malaysia (No. FP034-2012A