Hey, My Malware Knows Physics! Attacking PLCs with Physical Model Aware Rootkit

Authors

  • Luis Garcia
  • Ferdinand Brasser
  • Mehmet Hazar Cintuglu
  • Ahmad-Reza Sadeghi
  • Osama A. Mohammed
  • Saman A. Zonouz
Abstract

Trustworthy operation of industrial control systems (ICS) depends on secure code execution on the embedded programmable logic controllers (PLCs). The controllers monitor and control the underlying physical plants, such as electric power grids, and continuously report the system status back to human operators. We present HARVEY, a PLC rootkit that implements a physics-aware stealthy attack against cyber-physical power grid control systems. HARVEY sits within the PLC's firmware, below the control logic, and modifies control commands before they are sent out by the PLC's output modules to the physical plant's actuators. HARVEY replaces legitimate control commands with malicious, adversary-optimal commands to maximize the damage to the physical power equipment and cause large-scale failures. To ensure system safety, operators observe the status of the power system by fetching system parameter values from PLC devices. To conceal the maliciously caused anomalous behavior from operators, HARVEY intercepts the sensor measurement inputs to the PLC device. HARVEY simulates the power system under the legitimate control commands (which were intercepted and replaced with malicious ones) and calculates and injects the sensor measurements that operators would expect to see. We implemented HARVEY on the widely deployed Allen-Bradley PLC and evaluated it on a real-world electric power grid test-bed. The results empirically demonstrate that HARVEY is feasible to deploy in practice today.




Publication date: 2017