Automatic Verification of Safety Rules for a Subway Control Software

Programmable Logic Controllers (PLCs) drive the behavior of industrial control systems according to uploaded programs. It is now known that PLCs are vulnerable to the uploading of malicious code that can have severe physical consequences. What is not understood is whether an adversary with no knowledge of the PLC's interface to the control system can execute a damaging, targeted, or stealthy attack against a control system using the PLC. In this paper, we present SABOT, a tool that automatically maps the control instructions in a PLC to an adversary-provided specification of the target control system's behavior. This mapping recovers sufficient semantics of the PLC's internal layout to instantiate arbitrary malicious controller code. This lowers the prerequisite knowledge needed to tailor an attack to a control system. SABOT uses an incremental model checking algorithm to map a few plant devices at a time, until a mapping is found for all adversary-specified devices. At this point, a malicious payload can be compiled and uploaded to the PLC. Our evaluation shows that SABOT correctly compiles payloads for all tested control systems when the adversary correctly specifies full system behavior, and for 4 out of 5 systems in most cases where there where unspecified features. Furthermore, SABOT completed all analyses in under 2 minutes.

show abstract

“…Railway Switching. Lastly, consider a process that safely coordinates track switches and signal lights on a real railway segment [17]:…”

Section: Motor Controlmentioning

confidence: 99%

Sabot

McLaughlin

McDaniel

2012

Proceedings of the 2012 ACM Conference on Computer and Communications Security

View full text Add to dashboard Cite

show abstract

“…Usually, this validation is performed by means of testing and even though the experience of several decades shows that intensive testing is a very safe approach, it is also very expensive: the experience of RATP, bolic BDD-based methods [11] and abstraction methods [6]. Other approaches have been based on modelling [10] and on artificial intelligence methods [9].…”

Section: Introductionmentioning

confidence: 99%

Industrialising a proof-based verification approach of computerised interlocking systems

Behnia

Mammar²,

Mota

et al. 2008

WIT Transactions on the Built Environment

View full text Add to dashboard Cite

This paper describes the formal verification of an interlocking system. We have formally proved the non-derailing and non-collision safety properties for an existing interlocking system operating on Paris Metro's line 3Bis. These high-level properties have first been refined to an intermediate level permitting their expression in terms of the control system's inputs and outputs. The resulting properties have then been formalised in the Prover iLock Verifier engine's internal language. The Prover iLock Verifier engine is a COTS commercialised by Prover Technology. For this project some specific features have been added to the engine to provide certified proofs that can be used, instead of testing, in the SIL-4 qualification process of interlocking systems.

show abstract