PLC Code Protection

Post on 29-Nov-2014

The AFIT of Today is the Air Force of Tomorrow.

CCR - The Center for Cyberspace Research

Air Force Institute of Technology

Center for Cyberspace Research

Stephen Dunlap

Jonathan Butts, PhD

PLC Code Protection

What’s the Story?

Tactical Questions

Resources

•  Requirements

•  Helpful:

Static Analysis

Device? We don’t need no stinkin device…

Hardware Analysis

But I’ll take it if I can get it…

Dynamic Analysis

I don’t always do dynamic analysis, but when I do, I use JTAG…

Let’s Do This

Attacks Need:

•  Triggers
•  Payloads
•  Deployment

Time Bomb

•  Hook regularly executed function
•  Count executions

[Figure: jump instruction before modification and after modification]

Time Bomb Cont.

Store a counter in memory

Load counter and subtract

Test for zero

Continue operation if greater

Logic Bomb

•  Hook jump table for CPU mode change
•  Keep track of changes for specific sequence

[Diagram: CPU modes RUN, REM RUN, REM PROG, PROG]

Remote Commands

•  Hook CIP command handler jump table

Remote Commands Cont.

•  Check for custom service and instance

Soft DoS

•  Endless loop causes recoverable fault
•  Fault shutdown routine

Persistent DoS

•  Write value to flash
•  Fault if value exists

•  Exploit Flash Writing Function
   •  R0 – Destination address
   •  R1 – Source Address
   •  R1 – Data Length

Flash end address

Where to From Here?

•  Traffic Modification
•  Modify CIP values
•  Propagation

•  Persistence
   •  Implant in bootloader
   •  Ignore firmware updates
   •  Modify version number

Pivoting Through Firewall

Pivoting Through Router

Implications

•  Vendor agnostic
•  Expensive devices not needed
•  Supply chain
•  Cost of entry
   •  Team composition: Two guys
   •  Time: Approx 3 months
   •  Money: $3,500

NATION STATE NOT REQUIRED

Protection Mechanisms

•  Vendor
   •  Digital Signatures
   •  Trusted Platform Module

•  Integrator
   •  Source Verification
   •  Access Control
   •  Configuration Management

•  Asset Owner
   •  Deep Packet Inspection
   •  Data Diodes
   •  Configuration Management

Thank You