Programmable Logic Controllers (PLCs) drive the behavior of industrial control systems according to uploaded programs. It is now known that PLCs are vulnerable to the uploading of malicious code that can have severe physical consequences. What is not understood is whether an adversary with no knowledge of the PLC's interface to the control system can execute a damaging, targeted, or stealthy attack against a control system using the PLC. In this paper, we present SABOT, a tool that automatically maps the control instructions in a PLC to an adversary-provided specification of the target control system's behavior. This mapping recovers sufficient semantics of the PLC's internal layout to instantiate arbitrary malicious controller code. This lowers the prerequisite knowledge needed to tailor an attack to a control system. SABOT uses an incremental model checking algorithm to map a few plant devices at a time, until a mapping is found for all adversary-specified devices. At this point, a malicious payload can be compiled and uploaded to the PLC. Our evaluation shows that SABOT correctly compiles payloads for all tested control systems when the adversary correctly specifies full system behavior, and for 4 out of 5 systems in most cases where there were unspecified features. Furthermore, SABOT completed all analyses in under 2 minutes.