ICSREF: A Framework for Automated Reverse Engineering of Industrial Control Systems Binaries

Keliris, Anastasis; Maniatakos, Michail

doi:10.14722/ndss.2019.23271

Cited by 43 publications

(21 citation statements)

References 21 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…For payload generation, SABOT [33] gathers intelligence from source code analysis to automatically understand what kind of code manipulations would lead to attack goals being fulfilled. IC-SREF [21] is an open-source framework that allows general purpose PLC binary analysis. In all of these approaches, PLC code analysis has not been used to fingerprint a particular process.…”

Section: Related Workmentioning

confidence: 99%

“…FBs resemble functions in imperative programming languages. They are used as black boxes for frequently reoccurring processes, such as control algorithms (PID, Integral, Derivative), timing functions (triggers, timers), and networking functions (MODBUS, TCP) [21]. Extracting FBs from binaries can provide rich semantic information about the process.…”

Section: Sectormentioning

confidence: 99%

“…The strings in a binary are dynamic and include descriptive error messages, input/output prompts, or other information that might be used to identify the process of the PLC. Constructed dataset: In order to extract FBs from the binaries, we use ICSREF [21]. ICSREF, at its current version (1.0), works only with Codesys v2.3 binaries.…”

Section: Sectormentioning

confidence: 99%

“…After automatically extracting the FB names, individually, we had to cleanse the dataset. ICSREF is equipped with a function called hashmatch that extracts the FBs in PLC binaries, hashes them to create a signature and then matches them to a built-in library [21]. This function also provides the relative address at which the FB is located.…”

Section: Classification Based On Plc Function Blocks Cleaning Fb Namesmentioning

confidence: 99%

“…PLC control binaries are unique and different for each vendor. Using ICSREF [21], we explored the possibility to use the Global INIT subroutine to extract hard-coded values such as set points and PID values. This analysis is enabled by the reconnaissance steps before.…”

Section: From Plc Binaries Plc Binaries Also Contain Similar Values mentioning

confidence: 99%

See 4 more Smart Citations

I came, I saw, I hacked: Automated Generation of Process-independent Attacks for Industrial Control Systems

Sarkar

Benkraouda²,

Maniatakos³

2020

Proceedings of the 15th ACM Asia Conference on Computer and Communications Security

Self Cite

View full text Add to dashboard Cite

Malicious manipulations on Industrial Control Systems (ICSs) endanger critical infrastructures, causing unprecedented losses. Stateof-the-art research in the discovery and exploitation of vulnerability typically assumes full visibility and control of the industrial process, which in real-world scenarios is unrealistic. In this work, we investigate the possibility of an automated end-to-end attack for an unknown control process in the constrained scenario of infecting just one industrial computer. We create databases of human-machine interface images, and Programmable Logic Controller (PLC) binaries using publicly available resources to train machine-learning models for modular and granular fingerprinting of the ICS sectors and the processes, respectively. We then explore control-theoretic attacks on the process leveraging common/ubiquitous control algorithm modules like Proportional Integral Derivative blocks using a PLC binary reverse-engineering tool, causing stable or oscillatory deviations within the operational limits of the plant. We package the automated attack and evaluate it against a benchmark chemical process, demonstrating the feasibility of advanced attacks even in constrained scenarios. CCS CONCEPTS • Security and privacy → Systems security.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Sectormentioning

confidence: 99%

Section: Sectormentioning

confidence: 99%

Section: Classification Based On Plc Function Blocks Cleaning Fb Namesmentioning

confidence: 99%

Section: From Plc Binaries Plc Binaries Also Contain Similar Values mentioning

confidence: 99%

See 3 more Smart Citations

I came, I saw, I hacked: Automated Generation of Process-independent Attacks for Industrial Control Systems

Sarkar

Benkraouda²,

Maniatakos³

2020

Proceedings of the 15th ACM Asia Conference on Computer and Communications Security

Self Cite

View full text Add to dashboard Cite

show abstract

A malware detection method using satisfiability modulo theory model checking for the programmable logic controller system

Xie¹,

Chang

Jiang³

2020

Concurrency and Computation

View full text Add to dashboard Cite

Nowadays programmable logic controllers (PLCs) are suffering increasing cyberattacks. Attackers could reprogram PLCs to inject malware that would cause physical damages and economic losses. These PLC malwares are highly customized for the target which makes it difficult to extract a general pattern to detect them. In this article, we propose a PLC malware detection method based on model checking. Firstly, we improve the existing modeling method for PLC system by using the Satisfiability Modulo Theory (SMT) constraints to model the PLC system. We also present an algorithm that can transform the PLC program to the model. Our SMT-based model can deal with the features of the PLC system such as undetermined input signals, edge detection and so on. Secondly, we focus on malware detection and propose two methods, invariant extraction and rule design pattern, to generate detection rules. The former can extract the invariants from an original program, and the latter can lower the bar for user to design detection rules. Finally, we implement a prototype and evaluate it on three representative ICS scenarios. The evaluation result shows that our proposed method can successfully detect the malwares using four attack patterns.

show abstract

Post-exploitation and Persistence Techniques Against Programmable Logic Controller

Bytes

Zhou

2020

Lecture Notes in Computer Science

View full text Add to dashboard Cite

ICSREF: A Framework for Automated Reverse Engineering of Industrial Control Systems Binaries

Cited by 43 publications

References 21 publications

I came, I saw, I hacked: Automated Generation of Process-independent Attacks for Industrial Control Systems

I came, I saw, I hacked: Automated Generation of Process-independent Attacks for Industrial Control Systems

A malware detection method using satisfiability modulo theory model checking for the programmable logic controller system

Post-exploitation and Persistence Techniques Against Programmable Logic Controller

Contact Info

Product

Resources

About