23 research outputs found

    Protecting Distributed Object Applications from Corruption of Class Bytecodes on Client Side

    This paper discusses cyber-attacks on Distributed Object Applications that originate from RMI client programs running on malicious hosts. These attacks may be performed by an attacker who has full control of his machine and intentionally uses debugging instrumentation, potentially based on the Java Platform Debugging Architecture, to take full control over the RMI client bytecodes while they execute on the JVM of his machine, modify these bytecodes (possibly adding new ones), and attack the RMI server through such a corrupted RMI client. The objective of the information reported in this paper is to raise the security awareness of distributed application developers and to support them in protecting their applications from such a threat.

    A product machine model for anomaly detection of interposition attacks on cyber-physical systems

    In this paper we propose an anomaly intrusion detection model based on the shuffle operation and product machines, targeting persistent interposition attacks on control systems. These attacks are actually undetectable by the most advanced system call monitors, as they issue no system calls and are stealthy enough to transfer control to hijacked library functions without letting their saved instruction pointers get stored on the stack. We exploit the fact that implementations of control protocols running in control systems, which in turn are attached to physical systems such as power plants and electrical substations, exhibit strong regularities in terms of the sequences of function calls and system calls issued during protocol transactions. The main idea behind the proposed approach is to introduce NULL function calls within a Modbus binary and to apply the shuffle operation between them and the existing function calls. We then devise and implement a product machine capable of recognizing the shuffle representation of function call and system call regularities. A sensor uses a unidirectional interprocess communication channel based on shared memory to receive profile data from a Modbus process, and subsequently submits them to the product machine. We describe an experimental evaluation of our model on an ARM-based Modbus device and demonstrate that the proposed model overcomes the limitations of state-of-the-art approaches with regard to the detection of persistent interposition attacks on control systems.

    Memory corruption attacks, defenses, and evasions

    The chapter introduces and describes representative defense mechanisms that protect against both basic and advanced exploitation of low-level coding vulnerabilities. Exploitation of low-level coding vulnerabilities has evolved from the basic stack-based buffer overflow with code injection to highly sophisticated attack techniques. In addition, pure-data attacks have been demonstrated to be as effective as control-data attacks and quite realistic. On the other hand, research on assessing the robustness of proposed mitigation techniques has revealed various weaknesses in them, leading to the design and implementation of evasion techniques. Most defensive techniques protect only against a limited set of attack techniques, so a deployed defense requires multiple complementary mitigation techniques. Furthermore, few mitigation techniques are designed to counter pure-data attacks. In response to these limitations, current research proposes better defensive mechanisms, such as pointer taintedness detection and attack data burning, capable of countering any kind of control-data or pure-data attack.

    Combating memory corruption attacks on SCADA devices

    Memory corruption attacks on SCADA devices can cause significant disruptions to control systems and the industrial processes they operate. However, despite the presence of numerous memory corruption vulnerabilities, few, if any, techniques have been proposed for addressing the vulnerabilities or for combating memory corruption attacks. This paper describes a technique for defending against memory corruption attacks by enforcing logical boundaries between potentially hostile data and safe data in protected processes. The technique encrypts all input data using random keys; the encrypted data is stored in main memory and is decrypted, according to the principle of least privilege, just before it is processed by the CPU. The defensive technique reduces the precision with which attackers can corrupt control data and pure data, protecting against code injection and arc injection attacks, and alleviating the problems posed by the incomparability of mitigation techniques. An experimental evaluation involving the popular Modbus protocol demonstrates the feasibility and efficiency of the defensive technique.

    Composite Intrusion Detection in Process Control Networks

    An intrusion detection ensemble, i.e. a set of diverse intrusion detection algorithms employed as a group, has been shown to outperform each of those diverse algorithms employed individually. Along this line, we have devised an intrusion detection ensemble that inspects the network packets that flow across the process control network of a digitally controlled physical system such as a power plant. This process-control-specific intrusion detection ensemble is comprised of a statistical anomaly intrusion detection algorithm called the Estimation-Inspection (EI) algorithm, a physical-process-aware specification-based approach, a theory of deception for intrusion detection that we call mirage theory, and an alert fusion technique in the form of a Bayesian theory of confirmation. In this research we leverage the evolution of the content of specific locations in the random access memory (RAM) of control systems as a means of characterizing the normalcy or abnormality of network traffic. The EI algorithm uses estimation methods from applied statistics and probability theory to estimate normal evolutions of RAM content. The physical-process-aware specification-based approach defines normal evolutions of RAM content via specifications developed manually from expert knowledge. Mirage theory consistently introduces deceptive evolutions of RAM content, and employs communicating finite state machines to detect any deviations caused by malicious network packets. The alert fusion technique also leverages evolutions of RAM content to estimate the degrees to which the network traffic normalcy and abnormality hypotheses are confirmed by the evidence. In this dissertation we provide a detailed discussion of these intrusion detection algorithms along with a detailed discussion of the alert fusion technique. We also discuss an empirical test of the proposed intrusion detection ensemble in a small testbed comprised of Linux PC-based control systems that resemble the process control environment of a power plant, and, in the case of the EI algorithm, a probabilistic validation via stochastic activity networks with activity-marking-oriented reward structures.

    Vulnerability Analysis of SCADA Protocol Binaries through Detection of Memory Access Taintedness

    Pointer taintedness is a concept that has been successfully employed as a basis for vulnerability analysis of C/C++ source code and as a run-time mitigation technique against memory corruption attacks. Nevertheless, pointer taintedness interferes with the specifications of several industrial control protocols. As a consequence, it is not directly usable for detecting memory corruption vulnerabilities in implementations of those industrial control protocols. Furthermore, source-code analysis may have no visibility into certain low-level vulnerabilities, since there may be a considerable difference between what programmers intend with the source code they write and what the CPU really executes. A set of memory corruption vulnerabilities specific to implementations of industrial control protocols may escape source code analysis, as they are related to the dynamic organization of data in memory. In this paper we define a new concept referred to as memory access taintedness. We discuss the logical motivations behind our definition of memory access taintedness and demonstrate that memory access taintedness is fully employable in vulnerability analysis of the machine code of industrial control protocol implementations. We analyze the main low-level characteristics of both traditional attacks and attacks specific to process control systems, and demonstrate the ability of memory access taintedness to detect memory corruption vulnerabilities. We represent memory access taintedness as a decision tree and use it as the fundamental component of a finite state machine model devised for the purpose of dynamically detecting memory corruption vulnerabilities in implementations of industrial control protocols.

    Network forensic analysis of electrical substation automation traffic

    The computations and input/output values of the intelligent electronic devices that monitor and operate an electrical substation depend strongly on the state of the power system. This chapter presents an approach that correlates the physical parameters of an electrical substation with the network traffic that intelligent electronic devices send over a substation automation network. Normal network traffic in a substation automation network is modeled as a directed, weighted graph, yielding what is referred to as a model graph. Similar graph modeling is performed on unknown network traffic. Determining whether or not unknown network traffic is normal then becomes a subgraph isomorphism search problem: normal network packets in unknown network traffic form a graph that is a subgraph of the model graph, whereas malware-generated network packets present in unknown network traffic produce a graph that is not a subgraph of the model graph. Time series analysis of network traffic is performed to estimate the weights of the edges in the graphs. This analysis enables the subgraph isomorphism search algorithm to find structural matches with portions of the model graph as well as matches with the timing characteristics of normal network traffic. The approach is validated using samples drawn from recent industrial control system malware campaigns.