Combating Memory Corruption Attacks on SCADA Devices

  • Carlo Bellettini
  • Julian Rrushi
Conference paper
Part of the International Federation for Information Processing book series (IFIPAICT, volume 290)

Memory corruption attacks on SCADA devices can cause significant disruptions to control systems and the industrial processes they operate. However, despite the presence of numerous memory corruption vulnerabilities, few, if any, techniques have been proposed for addressing the vulnerabilities or for combating memory corruption attacks. This paper describes a technique for defending against memory corruption attacks by enforcing logical boundaries between potentially hostile data and safe data in protected processes. The technique encrypts all input data using random keys; the encrypted data is stored in main memory and is decrypted according to the principle of least privilege just before it is processed by the CPU. The defensive technique affects the precision with which attackers can corrupt control data and pure data, protecting against code injection and arc injection attacks, and alleviating problems posed by the incomparability of mitigation techniques. An experimental evaluation involving the popular Modbus protocol demonstrates the feasibility and efficiency of the defensive technique.


Keywords: SCADA systems, memory corruption attacks, Modbus protocol



Copyright information

© IFIP International Federation for Information Processing 2008

Authors and Affiliations

  • Carlo Bellettini, University of Milan, Milan, Italy
  • Julian Rrushi, University of Illinois, Urbana-Champaign, USA
