Process Whitelisting and Resource Access Control For ICS Computers, Kuniyasu Suzaki of National...

Process Whitelisting And Resource Access Control For ICS Computers Kuniyasu Suzaki National Institute of Advanced Industrial Science and Technology (AIST) & Control System Security Center (CSSC) At S4x14 SCADA Security Scientific Symposium

description

The Control System Security Center (CSSC) in Japan has an active project in its lab to apply process white list control and computer resource access control to Windows servers and workstations in an ICS. These security controls can be very effective on ICS computers, which are relatively static compared to corporate network systems. The process white list control limits process creation by parent-child relation, by the SHA-1 hash value of the executable file, and by conflict of interest. The computer resource access control limits access from a process to files, network (IP address and port), and devices. Attend this session to learn how CSSC is applying this technology and the lessons learned in the lab environment.

Transcript of Process Whitelisting and Resource Access Control For ICS Computers, Kuniyasu Suzaki of National...

Page 1: Process Whitelisting and Resource Access Control For ICS Computers, Kuniyasu Suzaki of National Institute of AIST and CSSC

Process Whitelisting And Resource Access Control For ICS Computers

Kuniyasu Suzaki
National Institute of Advanced Industrial Science and Technology (AIST) &
Control System Security Center (CSSC)

At S4x14 SCADA Security Scientific Symposium, OTDay, 14/Jan/2014

Page 2

Who am I?

• Kuniyasu Suzaki is a researcher of
– National Institute of Advanced Industrial Science and Technology (AIST)
– Control System Security Center (CSSC)

[Photo: Entrance of Tohoku Tagajo Headquarters (TTHQ) of CSSC]

Page 3

What is CSSC?

■ Outline

Name: Control System Security Center (Abbreviation: CSSC)
※ A corporation authorized by the Minister of Economics, Trade and Industry

Established: March 6, 2012 (the registration date)

Location:
[Tohoku Tagajo Headquarters (TTHQ)] Tagajo City, Miyagi, Japan
[Tokyo Research Center (TRC)] National Institute of Advanced Industrial Science and Technology Waterfront, Tokyo, Japan

http://www.css-center.or.jp/

Association members (in alphabetical order): total 23 corporations (as of Dec 2013); * marks the 8 starting member corporations.

• Azbil Corporation *
• Fuji Electric Co., Ltd.
• FUJITSU LIMITED
• Hitachi, Ltd. *
• Information-technology Promotion Agency, Japan (IPA)
• Japan Quality Assurance Organization (JQA)
• LAC Co., Ltd.
• McAfee Co., Ltd.
• Mitsubishi Electric Corporation
• Mitsubishi Heavy Industries Ltd. *
• Mitsubishi Research Institute Inc. *
• Mori Building Co., Ltd. *
• National Institute of Advanced Industrial Science and Technology (AIST) *
• NEC Corporation
• NRI Secure Technologies Ltd.
• NTT Corporation
• OMRON Corporation
• The University of Electro-Communications
• Tohoku Information Systems Company, Incorporated
• Toshiba Corporation *
• Toyota InfoTechnology Center Co., Ltd.
• Trend Micro Incorporated
• Yokogawa Electric Corporation *

Page 4

Organization and Activity

Task Committee Activities

R&D and Testbed Task Committee
It sets the direction of R&D regarding control system security as well as the construction of testbeds, and it promotes R&D and leverages the testbeds.

Certification and Standardization Task Committee
It examines evaluation certification regarding control system security and the strategies and policies of standardization. It leverages the testbeds for evaluation certification and standardization.

Incident Handling Task Committee
It prepares for security incidents in control systems and examines the directions of technical development needed for incident handling, including countermeasures against security incidents.

Promotion and Human Resource Development Task Committee
It sets the direction of awareness and human resource development for control system security as a technical research association. It enhances situational awareness and promotes human resource development, making use of the testbeds.

CL Activities

CSSC-CL
It promotes international standard compliance certification. In particular, it conducts evaluation/certification of ICS and the "Communication Robustness Test" defined in EDSA.

• Under the supervision of the Steering Committee, 4 task committees were established.
• The Certification Laboratory (CSSC-CL) has also been in operation since 01/08/2013.

Page 5

Testbed of CSSC

[Photos: Process automation systems; Factory automation]

Page 6

Today's Topic

Why is white list control used on ICS?

• Contents
– Background
– OS lockdown by white list control
– Implementation detail
– Case study on SCADA system

Page 7

Background to introduce white list (1/3)

• OSes on ICS changed from special-purpose to commodity.
– A commodity OS is cheap. It has plenty of functions, developers, users, and vulnerabilities.
– Example: many SCADA systems run on Windows.

[Figure: functions (few to many) plotted against vulnerabilities (few to many). A special OS has few functions and few vulnerabilities; a commodity OS has many of both. Applying white list technology (lockdown) inactivates unnecessary functions and so reduces vulnerabilities.]

Page 8

Background to introduce white list (2/3)

• Best effort vs. quality control (Taguchi method)
– Quality control is not about real-time processing: the dispersion of the overhead (time delay) must be controlled.
– A commodity OS has many security tools (anti-virus tools), but they work on a best-effort basis.
• There is no guarantee on delay, because the black list must be updated periodically.
• ICS systems require predictable delay.
– The delay caused by security tools should be predictable.

Page 9

Background to introduce white list (3/3)

• White list control
– The overhead is predictable.
– It can be added on the existing OS of an ICS.
• ICS does not need to run many applications.
– E.g., a SCADA system requires few applications.
• White list control amounts to a lockdown of the OS.

Page 10

OS Lockdown

• Lockdown against malware.
• Legitimate applications work well if the necessary computing resources are registered.
(1) Process creation
(2) Computing resource access from a process

Page 11

Function of OS Lockdown (1): Limit process creation

– Parent-child relation
• Each necessary application must have its parent application registered on the process white list.
– Integrity check for the binary
• The SHA-1 of each binary must be registered on the process white list.
– [Useful option] Conflict of interest
• If an application must run exclusively of another application, the two cannot run at the same time.
• It can prevent TOCTOU (time of check to time of use) attacks.
• False operation is also prevented.
– For example, the administrator cannot run office applications while the SCADA application is running.

Page 12

Function of OS Lockdown (2): Limit computing resource access from a process

– The computing resources are files, devices, and network (IP address and port).
• If a relation between a resource and processes is registered on the white list, the resource can be accessed only from those processes.
– "Don't care" setting
• If a resource is not registered, all processes can access it.
• This is a request from ICS developers!
• Traditional access control is too strict, and it is difficult to write a white list for it (e.g., SELinux). Furthermore, many elements on the white list cause access delay.
• Availability is important on ICS.

Page 13

Example of OS Lockdown

Normal OS on HMI
Applications have vulnerabilities, and there is no limitation on the resources they use. Processes A, B, C, D, E, and G run on the HMI.
• Attack accesses the green file: no rule restricts access to the file, so it succeeds.
• Attack creates a malicious C process: no rule restricts process creation, so it succeeds.
• Attack creates a G process to access the disk: no rule restricts process creation, so it succeeds.

Lockdown OS on HMI
Process White List:
(1) A creates B, D, and G.
(2) D creates E.
(3) E and G cannot run at the same time.
Resource Access Control:
• The green file is opened by A and B only.
• The disk is opened by E and G only.
Result:
• Attack accesses the green file: denied; there is no rule allowing any process other than A and B to access the file.
• Attack creates a malicious C process: denied; there is no rule for creating C.
• Attack creates a G process to access the disk: G can be created by A and can access the disk. However, G cannot run alongside E, which protects the resource the two of them share from being accessed at the same time.
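The page-13 scenario expressed as a small policy engine, as an added example (it is not CSSC's driver code and does not model the kernel hook): process creation is allowed only if the (child, SHA-1 of child, parent) triple is registered, a child whose conflict-of-interest partner is already running is refused, and an open() on an unregistered path passes under the "don't care" rule. The process names A..G are the figure's; the image bytes, the resource paths, and the running-set bookkeeping are constructed placeholders.

```python
"""Toy policy engine for the OS-lockdown rules on pages 11-13.

Added example, not CSSC's driver code: it evaluates the same three
process-creation conditions (parent-child relation, SHA-1 of the child
image, conflict of interest) and the "don't care" rule for file access
in user space, against constructed data.
"""
import hashlib
from dataclasses import dataclass, field

# Constructed stand-ins for executable images; a real deployment hashes
# the executable file on disk when process creation is requested.
BINARIES = {
    "A.exe": b"image of A", "B.exe": b"image of B", "C.exe": b"image of C",
    "D.exe": b"image of D", "E.exe": b"image of E", "G.exe": b"image of G",
}


def sha1_of(image: bytes) -> str:
    return hashlib.sha1(image).hexdigest()


@dataclass
class LockdownPolicy:
    # Page-17 layout: one (child, SHA-1 of child, parent) triple per rule.
    process_rules: set
    # Pairs of processes that may not run at the same time.
    conflicts: set
    # Resource -> processes allowed to open it. An unlisted resource is
    # "don't care": every process may open it.
    file_rules: dict
    running: set = field(default_factory=set)

    def create_process(self, parent: str, child: str, image: bytes) -> bool:
        """Decide a process-creation request the way the hook would."""
        if (child, sha1_of(image), parent) not in self.process_rules:
            return False                      # no rule, or hash mismatch
        for other in self.running:
            if frozenset((child, other)) in self.conflicts:
                return False                  # conflict of interest
        self.running.add(child)
        return True

    def exit_process(self, name: str) -> None:
        self.running.discard(name)

    def open_file(self, proc: str, path: str) -> bool:
        """Decide an open() the way the filter would (read/write unchecked)."""
        allowed = self.file_rules.get(path)
        if allowed is None:
            return True                       # don't care
        return proc in allowed


def page13_policy() -> LockdownPolicy:
    """Rules from the page-13 figure; the resource paths are constructed."""
    h = lambda name: sha1_of(BINARIES[name])
    return LockdownPolicy(
        process_rules={
            ("B.exe", h("B.exe"), "A.exe"),   # (1) A creates B, D and G
            ("D.exe", h("D.exe"), "A.exe"),
            ("G.exe", h("G.exe"), "A.exe"),
            ("E.exe", h("E.exe"), "D.exe"),   # (2) D creates E
        },
        conflicts={frozenset(("E.exe", "G.exe"))},   # (3) E and G exclusive
        file_rules={
            r"C:\opt\hmi\green.dat": {"A.exe", "B.exe"},   # the "green file"
            r"\\.\PhysicalDrive0": {"E.exe", "G.exe"},     # the disk
        },
        running={"A.exe"},
    )


if __name__ == "__main__":
    p = page13_policy()
    print("A->B", p.create_process("A.exe", "B.exe", BINARIES["B.exe"]))
    print("A->C", p.create_process("A.exe", "C.exe", BINARIES["C.exe"]))
    print("A->G (patched image)", p.create_process("A.exe", "G.exe", b"patched G"))
    p.create_process("A.exe", "D.exe", BINARIES["D.exe"])
    p.create_process("D.exe", "E.exe", BINARIES["E.exe"])
    print("A->G while E runs", p.create_process("A.exe", "G.exe", BINARIES["G.exe"]))
    print("C opens green file", p.open_file("C.exe", r"C:\opt\hmi\green.dat"))
```

Note that a tampered G image is refused by the hash check even though the parent-child pair (A, G) is registered, and that the conflict rule is symmetric: whichever of E and G starts first blocks the other until it exits.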

Page 14

Related Works

                          SELinux   Tomoyo Linux   Commercial white list (Win)   Our method (Win)
Parent-Child relation        ✔           ✔                    ―                       ✔
Conflict of Interest         ―           ―                    ―                       ✔
SHA1 Integrity Check         ―           ―                    ―                       ✔
Access Control               ✔           ✔                 partially                  ✔
Log based List Creation      ―           ✔                    ✔                       ✔

Page 15

Current Implementation

• Process creation control is implemented by a hook function
– PsSetCreateProcessNotifyRoutineEx()
• Resource access control is implemented with the Filter Manager
• PWC (process white list control) and RAC (resource access control) are implemented on Windows as device drivers.

[Diagram: process creation path]
– A parent process requests process creation (system call); the request goes through the Executive API to the Process Manager.
– In kernel space, the process white list module hooks process creation via PsSetCreateProcessNotifyRoutineEx and looks the child (path and SHA-1) and its parent up in the Process White List.
– It returns "CreationStatus" to allow or disallow the creation. Creation is denied if there is no entry on the Process White List; if it is allowed, the child process is created.

[Diagram: resource access path]
– A process requests access to a resource (file, network, device) (system call); the request goes through the Executive API and the I/O Manager.
– The Filter Manager (resource access control) consults the Access Control List before the request reaches the file system / device driver.
– Access is denied if the target resource is listed and the access is not allowed.

Page 16

How to create white list

• 4 types of white list are created.
P: Process creation, F: File access, N: Network access, D: Device access
• Most parts are created from logs of trials.
– The logs are formatted and refined by an editing tool.

[Figure: on a Windows 7 machine, a driver for log gathering records P/F/N/D logs while the applications run. An editing tool turns the logs into the Process White List and the Access Control list (P/F/N/D), which then control the applications on the Windows 7 machine.]

Page 17

Sample: Process White List

Parent-Child relation

Child process, SHA-1 of child process binary, Parent process
C:\Windows\System32\smss.exe,ad34f33130393425d3d4ce671e0d4488ed8d1b6c,System
C:\Windows\System32\autochk.exe,1bd90caff9f3ab1d3cb7136ce9146c1c2e69368b,C:\Windows\System32\smss.exe
C:\Windows\System32\smss.exe,ad34f33130393425d3d4ce671e0d4488ed8d1b6c,C:\Windows\System32\smss.exe
C:\Windows\System32\csrss.exe,53bc9b2ae89fcad6197ec519ae588f926c88e460,C:\Windows\System32\smss.exe
C:\Windows\System32\smss.exe,ad34f33130393425d3d4ce671e0d4488ed8d1b6c,C:\Windows\System32\smss.exe
C:\Windows\System32\wininit.exe,c7bba9840c44e7739fb314b7a3efe30e6b25cc48,C:\Windows\System32\smss.exe
C:\Windows\System32\csrss.exe,53bc9b2ae89fcad6197ec519ae588f926c88e460,C:\Windows\System32\smss.exe
C:\Windows\System32\services.exe,54a90c371155985420f455361a5b3ac897e6c96e,C:\Windows\System32\wininit.exe
C:\Windows\System32\lsass.exe,d49245356dd4dc5e8f64037e4dc385355882a340,C:\Windows\System32\wininit.exe
C:\Windows\System32\lsm.exe,e16beae2233832547bac23fbd82d5321cfc5d645,C:\Windows\System32\wininit.exe
C:\Windows\System32\winlogon.exe,b8561be07a37c7414d6e059046ab0ad2c24bd2ad,C:\Windows\System32\smss.exe

Page 18

Sample: Process White List (continued; same list as Page 17)

• The SHA-1 of the binary is used for the integrity check.

Page 19

Sample: Resource Access Control

• File Access Control

File, processes
C:\opt\SCADA\log.txt, C:\opt\SCADA\SACA.exe,C:\Windows\explorer.exe
C:\opt\SCADA\config, C:\opt\SCADA\SACA.exe,C:\Windows\explorer.exe
C:\opt\OPC\config, C:\opt\OPC\OPC.exe,C:\Windows\explorer.exe

• Network Access Control

IP Address, Port, Applications
192.168.0.12,80,C:\Program Files\Internet Explorer\iexplore.exe
192.168.0.11,80,C:\Users\test\Google\Chrome\Application\chrome.exe
192.168.0.10,0,C:\opt\netperf\netperf.exe,C:\opt\netperf\netserver.exe

Page 20

Optimization for ICS

• Small white list
– The "don't care" setting allows a small white list.
• The white list mechanism for files is applied on open() only. It does not check read() and write().
– String matching takes much time: about 200-300 μs on a current CPU.
• The white list mechanism for IP address and port takes less than 20 μs, because it is achieved by arithmetic operations.
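An added example (not the CSSC editing tool) that follows pages 16 through 20: it builds the P and N lists in the page-17/19 CSV layout from a constructed trial log, collapsing repeated log entries into one rule, then parses the network list back and looks it up by a packed (address, port) integer so that the check is an integer hash rather than a string compare. The log line layout, the image bytes hashed in place of real executables, and the reading of port 0 as "any port" (the netperf line on page 19) are assumptions.

```python
"""Build the P (process) and N (network) white lists from a trial log and
look the N list up with integer keys.

Added example following pages 16 to 20; not the CSSC editing tool. The
log layout, the image bytes and the meaning of port 0 are assumptions.
"""
import hashlib
import ipaddress
from collections import OrderedDict

# Constructed stand-ins for the executables named in the log; the real
# list hashes the file on disk.
IMAGES = {
    r"C:\Windows\System32\smss.exe": b"smss image",
    r"C:\Windows\System32\csrss.exe": b"csrss image",
}

# Constructed trial log. P,<child>,<parent> is a process creation,
# N,<ip>,<port>,<process> a network access. Repeated lines are typical of
# a log and must collapse into one rule.
TRIAL_LOG = [
    r"P,C:\Windows\System32\smss.exe,System",
    r"P,C:\Windows\System32\csrss.exe,C:\Windows\System32\smss.exe",
    r"P,C:\Windows\System32\csrss.exe,C:\Windows\System32\smss.exe",
    r"N,192.168.0.21,502,C:\opt\SCADA\SCADA.exe",
    r"N,192.168.0.21,502,C:\opt\OPC\OPC.exe",
    r"N,192.168.0.22,502,C:\opt\SCADA\SCADA.exe",
    r"N,192.168.0.10,0,C:\opt\netperf\netperf.exe",
]


def sha1_of_image(path: str) -> str:
    return hashlib.sha1(IMAGES[path]).hexdigest()


def build_lists(log_lines):
    """Return (P lines, N lines) in the page-17 / page-19 CSV layout."""
    proc = OrderedDict()   # (child, parent) -> SHA-1; first occurrence wins
    net = OrderedDict()    # (ip, port) -> [processes]
    for line in log_lines:
        kind, *fields = line.split(",")
        if kind == "P":
            child, parent = fields
            proc.setdefault((child, parent), sha1_of_image(child))
        elif kind == "N":
            ip, port, proc_name = fields
            apps = net.setdefault((ip, int(port)), [])
            if proc_name not in apps:
                apps.append(proc_name)
    p_lines = [f"{child},{digest},{parent}"
               for (child, parent), digest in proc.items()]
    n_lines = [f"{ip},{port}," + ",".join(apps)
               for (ip, port), apps in net.items()]
    return p_lines, n_lines


def net_key(ip: str, port: int) -> int:
    """Pack IPv4 address and port into one integer: the lookup is then an
    integer hash, which is what makes the page-20 network check cheap."""
    return (int(ipaddress.IPv4Address(ip)) << 16) | port


def parse_network_list(n_lines):
    table = {}
    for line in n_lines:
        ip, port, *apps = line.split(",")
        table[net_key(ip, int(port))] = frozenset(apps)
    return table


def network_allowed(table, ip: str, port: int, proc_name: str) -> bool:
    """Exact (ip, port) rule first, then the (ip, 0) any-port rule
    (assumed meaning of port 0); an unlisted endpoint is don't care."""
    for key in (net_key(ip, port), net_key(ip, 0)):
        apps = table.get(key)
        if apps is not None:
            return proc_name in apps
    return True


if __name__ == "__main__":
    p_lines, n_lines = build_lists(TRIAL_LOG)
    print("\n".join(p_lines + n_lines))
    table = parse_network_list(n_lines)
    print(network_allowed(table, "192.168.0.21", 502, r"C:\opt\SCADA\SCADA.exe"))
    print(network_allowed(table, "192.168.0.21", 502, r"C:\Windows\explorer.exe"))
```

The generated list still needs the hand refinement page 16 mentions: anything that happened to run during the trial (explorer.exe opening a config file, for instance) ends up as a rule, and anything that did not run during the trial is missing.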

Page 21

Case study on SCADA system

• White List Control is applied on a SCADA system.

[Figure: the server runs SCADA and OPC. SCADA reads a config file and writes a log file; OPC reads a config file. Both communicate over Modbus/TCP through the NIC with 15 PLC emulators.]

• SCADA and OPC get information from the PLCs every 1 second.

Page 22

Detail of SCADA System

• Server (Windows 7 32bit)
– SCADA (3 types are tested): PA-Panel, Winlog, OpenSCADA http://openscada.org/
– OPC: DeviceExplore
• PLC
– Modbus PLC emulator http://www.plcsimulator.org/
• 5 emulators run on each of 3 PCs (total 15).

Page 23

OS Lockdown

• Limit process creation
– About 100 parent-child relations
• IP addresses and ports
– 5 networks for SCADA, 10 networks for OPC
• Config and log files are limited
– 2 files for SCADA, 1 file for OPC

[Figure: red lines indicate the access limitations for SCADA, green lines the access limitations for OPC.]

• Each overhead is estimated at less than 200 μs.

Page 24

Attack on the SCADA system

• IE'en [BlackHat'02] attacks DCOM (port 135), which is used by OPC.
– http://www.securityfriday.com/tools/IEen.html
• The attack is prevented by white list control, because it requires a process creation that is not registered on the white list.

Page 25

Limitation of Current White List

• The current white list control does not reduce vulnerabilities.
– Malware can still exploit them, but its activity afterwards is limited.
• It is not easy to make a perfect white list automatically.
– The current white list is made from several trials. It is also refined by hand.
– A method to create the white list from a specification is needed. [future work]

Page 26

Conclusions

• OS Lockdown (White List Control) for Industrial Control Systems
– ICS does not need to run many applications.
– White list control offers predictable time delay.
– Some optimization techniques reduce the overhead.
• White List Control was applied on SCADA systems and its feasibility was confirmed. It will be applied on the testbed systems of CSSC.