Memory corruption attacks on SCADA devices can cause significant disruptions to control systems and the industrial processes they operate. However, despite the presence of numerous memory corruption vulnerabilities, few, if any, techniques have been proposed for addressing the vulnerabilities or for combating memory corruption attacks. This paper describes a technique for defending against memory corruption attacks by enforcing logical boundaries between potentially hostile data and safe data in protected processes. The technique encrypts all input data using random keys; the encrypted data is stored in main memory and is decrypted according to the principle of least privilege just before it is processed by the CPU. The defensive technique affects the precision with which attackers can corrupt control data and pure data, protecting against code injection and arc injection attacks, and alleviating problems posed by the incomparability of mitigation techniques. An experimental evaluation involving the popular Modbus protocol demonstrates the feasibility and efficiency of the defensive technique.
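The principle the abstract describes, keeping externally supplied bytes masked with a random key while they sit in main memory and unmasking only the byte the CPU is about to consume, can be illustrated with a small Modbus/TCP parser. The code below is an added example written for this page; it is not the authors' implementation and does not reproduce their key management or their encryption scheme. The `masked_buf_t` type, the `demo_*` helpers, the constructed request frame and the constructed 16-byte key are all assumptions made for the illustration; XOR with a repeating key is used only so the mechanism is visible, and the key would come from a CSPRNG such as `getrandom()` in a real build.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define KEY_LEN 16
#define ADU_MAX 260   /* maximum Modbus/TCP ADU size */

/* Hypothetical buffer type: input bytes are never resident in cleartext. */
typedef struct {
    uint8_t key[KEY_LEN];   /* per-buffer random key (constructed here) */
    uint8_t data[ADU_MAX];  /* masked bytes */
    size_t  len;
} masked_buf_t;

static void masked_buf_init(masked_buf_t *b, const uint8_t key[KEY_LEN]) {
    memcpy(b->key, key, KEY_LEN);
    b->len = 0;
}

/* Ingress: each byte is masked before it is written to memory. The bounds
   check is still required; masking changes what an overflow would deposit,
   not whether an overflow can happen. */
static int masked_buf_ingest(masked_buf_t *b, const uint8_t *in, size_t n) {
    if (n > sizeof b->data) return -1;
    for (size_t i = 0; i < n; i++)
        b->data[i] = in[i] ^ b->key[i % KEY_LEN];
    b->len = n;
    return 0;
}

/* Least-privilege read: only the single byte being consumed is unmasked,
   into a caller-owned temporary, and is never written back in cleartext. */
static int masked_buf_get(const masked_buf_t *b, size_t i, uint8_t *out) {
    if (i >= b->len) return -1;
    *out = b->data[i] ^ b->key[i % KEY_LEN];
    return 0;
}

static int masked_buf_get_u16(const masked_buf_t *b, size_t i, uint16_t *out) {
    uint8_t hi, lo;
    if (masked_buf_get(b, i, &hi) || masked_buf_get(b, i + 1, &lo)) return -1;
    *out = (uint16_t)((hi << 8) | lo);
    return 0;
}

typedef struct {
    uint16_t tid, pid, len;
    uint8_t  unit, fc;
    uint16_t addr, qty;
} modbus_req_t;

/* Parse a Modbus/TCP "read holding registers" request (function 0x03)
   directly from the masked buffer, field by field. */
static int parse_read_holding(const masked_buf_t *b, modbus_req_t *r) {
    if (b->len != 12) return -1;
    if (masked_buf_get_u16(b, 0, &r->tid)  || masked_buf_get_u16(b, 2, &r->pid) ||
        masked_buf_get_u16(b, 4, &r->len)  || masked_buf_get(b, 6, &r->unit)    ||
        masked_buf_get(b, 7, &r->fc)       || masked_buf_get_u16(b, 8, &r->addr) ||
        masked_buf_get_u16(b, 10, &r->qty)) return -1;
    if (r->pid != 0 || r->len != 6 || r->fc != 0x03) return -1;
    if (r->qty < 1 || r->qty > 125) return -1;   /* quantity limit from the spec */
    return 0;
}

/* 1 if the bytes resident in memory equal the bytes that arrived on the wire. */
static int memory_holds_plaintext(const masked_buf_t *b, const uint8_t *in, size_t n) {
    return b->len == n && memcmp(b->data, in, n) == 0;
}

/* Constructed demo data: key without zero bytes, and a request for
   10 holding registers starting at address 0 on unit 1. */
static const uint8_t demo_key[KEY_LEN] = {
    0x5a,0xa5,0x3c,0xc3,0x96,0x69,0x0f,0xf0,0x11,0xee,0x22,0xdd,0x33,0xcc,0x44,0xbb };
static const uint8_t demo_frame[12] = {
    0x00,0x01, 0x00,0x00, 0x00,0x06, 0x01, 0x03, 0x00,0x00, 0x00,0x0a };

static int demo_parse(modbus_req_t *r) {
    masked_buf_t b;
    masked_buf_init(&b, demo_key);
    if (masked_buf_ingest(&b, demo_frame, sizeof demo_frame)) return -1;
    return parse_read_holding(&b, r);
}

static int demo_plaintext_resident(void) {
    masked_buf_t b;
    masked_buf_init(&b, demo_key);
    masked_buf_ingest(&b, demo_frame, sizeof demo_frame);
    return memory_holds_plaintext(&b, demo_frame, sizeof demo_frame);
}

int main(void) {
    modbus_req_t r;
    if (demo_parse(&r) == 0)
        printf("fc=0x%02x addr=%u qty=%u plaintext_resident=%d\n",
               r.fc, r.addr, r.qty, demo_plaintext_resident());
    return 0;
}
```

The parser never materializes the whole request in cleartext: each field is unmasked into a local just before it is checked, which is the least-privilege decryption the abstract refers to. What an attacker sends is therefore not what ends up in memory, which is why the abstract speaks of reducing the precision with which control data and pure data can be corrupted rather than of preventing the overflow itself.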
© 2008 IFIP International Federation for Information Processing
Bellettini, C., Rrushi, J. (2008). Combating Memory Corruption Attacks On Scada Devices. In: Papa, M., Shenoi, S. (eds) Critical Infrastructure Protection II. ICCIP 2008. The International Federation for Information Processing, vol 290. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-88523-0_11
DOI: https://doi.org/10.1007/978-0-387-88523-0_11
Publisher Name: Springer, Boston, MA
Print ISBN: 978-0-387-88522-3
Online ISBN: 978-0-387-88523-0
eBook Packages: Computer Science (R0)