Post on 05-Dec-2014
Process Whitelisting And Resource Access Control For ICS Computers
Kuniyasu Suzaki
National Institute of Advanced Industrial Science and Technology (AIST) & Control System Security Center (CSSC)
At S4x14 SCADA Security Scientific Symposium, OTDay, 14/Jan/2014
Who am I?
• Kuniyasu Suzaki is a researcher of
– National Institute of Advanced Industrial Science and Technology (AIST)
– Control System Security Center (CSSC)
[Photo: Entrance of Tohoku Tagajo Headquarters (TTHQ) of CSSC]
What is CSSC?
■ Outline
Name: Control System Security Center (Abbreviation: CSSC)
※ A corporation authorized by the Minister of Economy, Trade and Industry
Established: March 6, 2012 (the registration date)
Location:
– Tohoku Tagajo Headquarters (TTHQ): Tagajo City, Miyagi, Japan
– Tokyo Research Center (TRC): National Institute of Advanced Industrial Science and Technology Waterfront, Tokyo, Japan
http://www.css-center.or.jp/
Association members (in alphabetical order), total 23 corporations (as of Dec 2013), * = 8 starting member corporations:
• Azbil Corporation *
• Fuji Electric Co., Ltd.
• FUJITSU LIMITED
• Hitachi, Ltd. *
• Information-technology Promotion Agency, Japan (IPA)
• Japan Quality Assurance Organization (JQA)
• LAC Co., Ltd.
• McAfee Co., Ltd.
• Mitsubishi Electric Corporation
• Mitsubishi Heavy Industries Ltd. *
• Mitsubishi Research Institute Inc. *
• Mori Building Co., Ltd. *
• National Institute of Advanced Industrial Science and Technology (AIST) *
• NEC Corporation
• NRI Secure Technologies Ltd.
• NTT Corporation
• OMRON Corporation
• The University of Electro-Communications
• Tohoku Information Systems Company, Incorporated
• Toshiba Corporation *
• Toyota InfoTechnology Center Co., Ltd.
• Trend Micro Incorporated
• Yokogawa Electric Corporation *
Organization and Activity
Task Committee Activities
R&D and Testbed Task Committee
It sets the direction of R&D regarding control system security as well as the construction of testbeds and promotes R&D and leverages the testbeds.
Certification and Standardization Task Committee
It examines evaluation certification regarding control system security and strategies and policies of standardization. It leverages the testbeds for evaluation certification and standardization.
Incident Handling Task Committee
It prepares for security incidents in control systems and examines the directions of technical development needed for incident handling including the countermeasures of security incidents.
Promotion and Human Resource Development Task Committee
It sets the direction of awareness and human resource development for control system security as a technical research association. It enhances situational awareness and promotes human resource development, making use of the testbeds.
CL Activities
CSSC-CL
It promotes international standard compliance certification. In particular, it conducts evaluation/certification of ICS and the “Communication Robustness Test” defined in EDSA.
• Under the supervision of the Steering Committee, 4 task committees were established.
• The Certification Laboratory (CSSC-CL) has also been operating since 01/08/2013.
Testbed of CSSC
[Figure: process automation systems and factory automation testbeds]
Today’s Topic
Why is white list control used on ICS?
• Contents
– Background
– OS lockdown by white list control
– Implementation detail
– Case study on SCADA system
Background to introduce white list (1/3)
• OSes on ICS were changed from special to commodity.
– A commodity OS is cheap. It has plenty of functions, developers, users and vulnerabilities.
– Example: many SCADA systems run on Windows.
[Figure: a special OS has few functions and few vulnerabilities; a commodity OS has many functions and many vulnerabilities.]
• Apply white list technology (lockdown): inactivate unnecessary functions and reduce vulnerabilities.
Background to introduce white list (2/3)
• Best effort vs. quality control (Taguchi method)
– Quality control is not real-time processing.
• The dispersion of overhead (time delay) must be controlled.
– A commodity OS has many security tools (anti-virus tools), but they are based on best effort.
• There is no guarantee for delay, because the black list must be updated periodically.
• ICS systems require predictable delay.
– The delay caused by security tools should be predictable.
Background to introduce white list (3/3)
• White list control
– The overhead is predictable.
– It can be added on an existing OS of an ICS.
• ICS does not need to run many applications.
– E.g., a SCADA system requires few applications.
• White list control enforces a lockdown of the OS.
OS Lockdown
• Lockdown against malware.
• Legitimate applications work well if the necessary computing resources are registered.
(1) Process creation
(2) Computing resource access from a process
Function of OS Lockdown (1): Limit the process creation
– Parent-child relation
• Necessary applications must register their parent applications on a process white list.
– Integrity check for binary
• The SHA-1 of each binary must be registered on the process white list.
– [Useful option] Conflict of interest
• If an application must run exclusively of another application, they cannot run at the same time.
• It can prevent TOCTOU attacks (time of check to time of use).
• False operation is also prevented.
– For example, the administrator cannot run office applications while SCADA is running.
Function of OS Lockdown (2): Limit computing resource access from a process
– The computing resources are files, devices, and the network (IP address and port).
• If a relation between a resource and processes is registered on the white list, the resource can be accessed from those processes only.
– “don’t care” setting
• If a resource is not registered, all processes can access it.
• It is a request from ICS developers!
• Traditional access control is too strict, and it is difficult to make a white list for it (e.g., SELinux). Furthermore, many elements in the white list cause access delay.
• Availability is important on ICS.
Example of OS Lockdown

Normal OS on HMI
[Figure: processes A, B, C, D, E and G on the HMI. Applications have vulnerabilities, and resources have no limitation on use.]
• Attack accesses the green file.
• Attack creates malicious C process.
• Attack creates G process to access the disk.

Lockdown OS on HMI
[Figure: the same processes A, B, C, D, E and G, controlled by the lists below.]
Process White List: (1) A creates B, D, and G. (2) D creates E. (3) E and G cannot run at the same time.
Resource Access Control: the green file is opened by A and B; the disk is opened by E and G.
• Attack accesses the green file.
• Attack creates malicious C process.
• Attack creates G process to access the disk.
• G can be created by A and can access the disk. However, G cannot run along with E at the same time, which protects access to the same resource.
Figure annotations: “No rule for the process creation”; “No rule to access the file”.
Related Works

                          SELinux   Tomoyo Linux   Commercial white list (Win)   Our method (Win)
Parent-Child relation       ✔          ✔                    ―                        ✔
Conflict of Interest        ―          ―                    ―                        ✔
SHA1 Integrity Check        ―          ―                    ―                        ✔
Access Control              ✔          ✔                 partially                   ✔
Log based List Creation     ―          ✔                    ✔                        ✔
Current Implementation
• Process creation is implemented by a hook function
– PsSetCreateProcessNotifyRoutineEx()
• Resource Access Control is implemented by Filter Manager
[Figure: architecture of the implementation.
User space: a parent process requests to create a child process (system call); a process requests to access resources (system call).
Kernel space: the create-process path of the Process Manager is hooked by PsSetCreateProcessNotifyRoutine. The Process White List module (entries: Child (SHA1) ― Parent ...) returns “CreationStatus” to allow or disallow. Creation is denied if there is no statement on the Process White List; if process creation is allowed, a child process is created.
The resource request passes through the Executive API and the I/O Manager to the Filter Manager (Resource Access Control), which checks the Access Control List for the resource (file, network, device). Access is denied if the target resource is listed and the access is not allowed; otherwise the request reaches the file system device driver.
PWC and RAC are implemented on Windows OS as device drivers.]
How to create white list
• 4 types of white list are created.
– P: Process creation, F: File access, N: Network access, D: Device access
• Most parts are created from logs of trials.
– The logs are formatted and refined by an editing tool.
[Figure: on a Windows 7 system, a driver for log gathering records the P, F, N and D logs of the applications; the editing tool turns them into the Process White List and Access Control lists (P, F, N, D) that then control the applications on the Windows 7 system.]
Sample: Process White List
Parent-Child relation
Format: child process, SHA-1 of child process binary, parent process
C:\Windows\System32\smss.exe,ad34f33130393425d3d4ce671e0d4488ed8d1b6c,System
C:\Windows\System32\autochk.exe,1bd90caff9f3ab1d3cb7136ce9146c1c2e69368b,C:\Windows\System32\smss.exe
C:\Windows\System32\smss.exe,ad34f33130393425d3d4ce671e0d4488ed8d1b6c,C:\Windows\System32\smss.exe
C:\Windows\System32\csrss.exe,53bc9b2ae89fcad6197ec519ae588f926c88e460,C:\Windows\System32\smss.exe
C:\Windows\System32\smss.exe,ad34f33130393425d3d4ce671e0d4488ed8d1b6c,C:\Windows\System32\smss.exe
C:\Windows\System32\wininit.exe,c7bba9840c44e7739fb314b7a3efe30e6b25cc48,C:\Windows\System32\smss.exe
C:\Windows\System32\csrss.exe,53bc9b2ae89fcad6197ec519ae588f926c88e460,C:\Windows\System32\smss.exe
C:\Windows\System32\services.exe,54a90c371155985420f455361a5b3ac897e6c96e,C:\Windows\System32\wininit.exe
C:\Windows\System32\lsass.exe,d49245356dd4dc5e8f64037e4dc385355882a340,C:\Windows\System32\wininit.exe
C:\Windows\System32\lsm.exe,e16beae2233832547bac23fbd82d5321cfc5d645,C:\Windows\System32\wininit.exe
C:\Windows\System32\winlogon.exe,b8561be07a37c7414d6e059046ab0ad2c24bd2ad,C:\Windows\System32\smss.exe
• The SHA-1 of the binary is used for the integrity check.
Sample: Resource Access Control
• File Access Control
Format: file, processes
C:\opt\SCADA\log.txt, C:\opt\SCADA\SACA.exe,C:\Windows\explorer.exe
C:\opt\SCADA\config, C:\opt\SCADA\SACA.exe,C:\Windows\explorer.exe
C:\opt\OPC\config, C:\opt\OPC\OPC.exe,C:\Windows\explorer.exe
• Network Access Control
Format: IP address, port, applications
192.168.0.12,80,C:\Program Files\Internet Explorer\iexplore.exe
192.168.0.11,80,C:\Users\test\Google\Chrome\Application\chrome.exe
192.168.0.10,0,C:\opt\netperf\netperf.exe,C:\opt\netperf\netserver.exe
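The process white list and file access list in the samples above, applied in a user-space Python model added here (it is not the authors' Windows driver): the creation check requires a listed parent-child pair with a matching SHA-1 and rejects a child that conflicts with a running application (the conflict-of-interest option from “Function of OS Lockdown (1)”), while the file check implements the “don’t care” setting from “Function of OS Lockdown (2)”. The SCADA/Office paths, the image bytes and the conflict-list format are constructed assumptions.

```python
import hashlib

# Constructed stand-ins for on-disk executables (not real binaries); the
# SHA-1 values in the white list below are derived from these bytes.
IMAGES = {
    r"C:\opt\SCADA\SCADA.exe": b"scada-image-v1",
    r"C:\opt\OPC\OPC.exe": b"opc-image-v1",
    r"C:\Program Files\Office\winword.exe": b"word-image",  # hypothetical path
}
PARENT = r"C:\Windows\explorer.exe"

def sha1_hex(data):
    return hashlib.sha1(data).hexdigest()

# Process white list in the slides' layout: child,SHA-1 of child binary,parent
PROCESS_WL_TEXT = "\n".join(
    f"{child},{sha1_hex(image)},{PARENT}" for child, image in IMAGES.items()
)
# Conflict-of-interest pairs (the slides state the rule; this format is assumed)
CONFLICTS = {frozenset({r"C:\opt\SCADA\SCADA.exe",
                        r"C:\Program Files\Office\winword.exe"})}
# File access list in the slides' layout: file,process,process,...
FILE_ACL_TEXT = r"""C:\opt\SCADA\log.txt,C:\opt\SCADA\SCADA.exe,C:\Windows\explorer.exe
C:\opt\SCADA\config,C:\opt\SCADA\SCADA.exe,C:\Windows\explorer.exe"""

def parse_process_wl(text):
    """Each line becomes a (child, sha1, parent) triple."""
    return {tuple(f.strip() for f in line.split(",")) for line in text.splitlines()}

def parse_file_acl(text):
    """Each line maps one file to the set of processes allowed to open it."""
    acl = {}
    for line in text.splitlines():
        resource, *procs = (f.strip() for f in line.split(","))
        acl[resource] = set(procs)
    return acl

def allow_create(rules, conflicts, running, parent, child, image):
    """Process-creation decision: the (child, SHA-1, parent) triple must be
    listed, and no conflicting application may already be running. There is
    no "don't care" for creation: an unlisted child or parent is denied."""
    if (child, sha1_hex(image), parent) not in rules:
        return False
    return not any(frozenset({child, other}) in conflicts for other in running)

def allow_access(acl, resource, process):
    """open()-time decision with the "don't care" setting: an unlisted
    resource is open to every process; a listed one only to its processes."""
    return resource not in acl or process in acl[resource]
```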
Optimization for ICS
• Small white list
– The “don’t care” setting allows a small white list.
• The white list mechanism for files is applied on the open() function only. It does not care about read() and write().
– String matching takes much time: about 200-300 μsec on a current CPU.
• The white list mechanism for IP address and port takes less than 20 μsec, because it is achieved by arithmetic operations.
Case study on SCADA system
• White List Control is applied on a SCADA system.
[Figure: a server running SCADA and OPC, each with its config file and a log file, connected through a NIC over Modbus/TCP to 15 PLC emulators.]
• SCADA and OPC get information from PLC every 1 second.
Detail of SCADA System
• Server (Windows 7 32bit)
– SCADA (3 types are tested): PA-Panel, Winlog, OpenSCADA (http://openscada.org/)
– OPC: DeviceExplore
• PLC
– Modbus PLC emulator (http://www.plcsimulator.org/)
• 5 emulators run on each of 3 PCs (total 15).
OS Lockdown
• Limit process creation
– About 100 parent-child relations
• IP addresses and ports
– 5 networks for SCADA, 10 networks for OPC
• Config and log files are limited
– 2 files for SCADA, 1 file for OPC
[Figure: red lines indicate access limitation for SCADA; green lines indicate access limitation for OPC.]
• Each overhead is estimated at less than 200 usec.
Attack on the SCADA system
• IE’en [BlackHat’02] attacks DCOM (port 135), which is used by OPC.
– http://www.securityfriday.com/tools/IEen.html
• The attack is prevented by white list control, because the attack requires a process creation which is not registered on the white list.
Limitation of Current White List
• Current white list control cannot reduce vulnerabilities.
– Malware can still exploit them, but its activity is limited.
• It is not easy to make a perfect white list automatically.
– The current white list is made from several trials. It is also refined by hand.
– A method to create the white list from a specification is needed. [future work]
Conclusions
• OS Lockdown (white list control) for industrial control systems
– ICS does not need to run many applications.
– White list control offers predictable time delay.
– Some optimization techniques reduce the overhead.
• White list control was applied on SCADA systems and its feasibility was confirmed. It will be applied on the testbed systems of CSSC.