A Sanitizer for Detecting Vulnerable Code Patterns in uC/OS-II Operating System-based Firmware for Programmable Logic Controllers

  • 한승재 (Department of Computer Science, Dankook University)
  • 이건용 (Department of Applied Computer Engineering, Dankook University)
  • 유근하 (Department of Computer Science, Dankook University)
  • 조성제 (Department of Computer Science, Dankook University)
  • Received : 2020.05.22
  • Accepted : 2020.06.19
  • Published : 2020.06.30

Abstract

Programmable Logic Controllers (PLCs), widely used components in industrial control systems (ICS), are being integrated with technologies such as microcontrollers, real-time operating systems, and communication capabilities. As the latest PLCs are connected to the Internet, they have become a main target of cyber threats. This paper proposes two sanitizers that improve the security of uC/OS-II based firmware for a PLC: a BU sanitizer that detects out-of-bounds accesses to buffers, and a UaF sanitizer that detects use-after-free bugs in the firmware. They sanitize the binary firmware image generated on a desktop PC before it is downloaded to the PLC. The BU sanitizer can also detect control-flow integrity violations, using both the call graph and the function symbols of the firmware image. We have implemented the two sanitizers as a prototype system on a PLC running uC/OS-II and demonstrated their effectiveness through experiments and a comparison with existing sanitizers. These results can be used to detect and mitigate unintended vulnerabilities during the firmware development phase.

Korean abstract (translated): PLCs (Programmable Logic Controllers), widely used in industrial control systems, are being integrated with microcontrollers, real-time operating systems, and communication functions. As PLCs are connected to the Internet, they are becoming a main target of cyber attacks. In this paper we develop sanitizers that improve the security of uC/OS-II based firmware developed on a desktop before it is downloaded to the PLC. Specifically, for embedded PLC firmware, we propose a BU sanitizer that detects accesses beyond buffer boundaries and a UaF sanitizer that detects use-after-free bugs. The BU sanitizer can also detect control-flow integrity violations based on the target program's function call graph and symbol information. We implemented the two proposed sanitizers, showed the validity of the proposed techniques through experiments, and showed through a comparison with existing work that they are suitable for embedded systems. These results can be used to detect and remove unintended firmware vulnerabilities during the development phase.
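The three checks the abstract names, out-of-bounds detection on buffers, use-after-free detection, and a control-flow integrity check on indirect call targets, are sketched below as an added example written for this page; it is not the authors' sanitizer code and not uC/OS-II source. It models a fixed-size block partition in the style of uC/OS-II's OSMemGet/OSMemPut with a byte-granular shadow region in the manner of AddressSanitizer, a trailing redzone per block, and a quarantine for freed blocks. The partition geometry (NBLKS, BLK_SIZE, RED), the tag values, and the handler names are assumptions; check_access stands for the check a sanitizer would insert before each instrumented load or store, and allowed_targets stands for the set of legitimate call targets that the paper derives from the firmware image's call graph and function symbols.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed partition geometry (illustrative; not uC/OS-II's real layout). */
#define NBLKS    4u
#define BLK_SIZE 16u               /* bytes per block: payload + redzone  */
#define RED      4u                /* trailing redzone, never handed out  */
#define PAYLOAD  (BLK_SIZE - RED)  /* bytes a caller may legitimately use */

/* Shadow tags: one byte of shadow per byte of partition memory. The first
 * payload tag of a block doubles as its state: T_UNALLOC free, T_LIVE in use,
 * T_FREED quarantined. */
enum tag     { T_UNALLOC = 0, T_LIVE, T_REDZONE, T_FREED };
enum verdict { OK = 0, ERR_OOB, ERR_UAF, ERR_CFI };
typedef struct {
    uint8_t mem[NBLKS * BLK_SIZE];
    uint8_t shadow[NBLKS * BLK_SIZE];
} partition_t;

/* Offset of addr inside mem, or -1 if it lies outside the partition. */
static int offset_of(const partition_t *p, const uint8_t *addr, size_t *off)
{
    uintptr_t a = (uintptr_t)addr, base = (uintptr_t)p->mem;
    if (a < base || a - base >= sizeof p->mem) return -1;
    *off = (size_t)(a - base);
    return 0;
}

void part_init(partition_t *p)
{
    memset(p, 0, sizeof *p);                /* all bytes T_UNALLOC             */
    for (unsigned b = 0; b < NBLKS; b++)    /* redzones stay poisoned for good */
        memset(p->shadow + b * BLK_SIZE + PAYLOAD, T_REDZONE, RED);
}

/* Hand out a block (the role of OSMemGet). Quarantined blocks are skipped so a
 * dangling pointer keeps hitting T_FREED shadow instead of fresh data. */
uint8_t *part_get(partition_t *p)
{
    for (unsigned b = 0; b < NBLKS; b++) {
        if (p->shadow[b * BLK_SIZE] != T_UNALLOC) continue;
        memset(p->shadow + b * BLK_SIZE, T_LIVE, PAYLOAD);
        return p->mem + b * BLK_SIZE;
    }
    return NULL;
}

/* Return a block (the role of OSMemPut); its payload shadow becomes T_FREED. */
int part_put(partition_t *p, const uint8_t *blk)
{
    size_t off;
    if (offset_of(p, blk, &off) != 0 || off % BLK_SIZE != 0) return -1;
    if (p->shadow[off] != T_LIVE) return -1;   /* double free or never allocated */
    memset(p->shadow + off, T_FREED, PAYLOAD);
    return 0;
}

/* The check a sanitizer inserts before each load/store of len bytes at addr. */
int check_access(const partition_t *p, const uint8_t *addr, size_t len)
{
    size_t off;
    if (offset_of(p, addr, &off) != 0 || len > sizeof p->mem - off)
        return ERR_OOB;                /* starts or ends outside the partition */
    for (size_t i = 0; i < len; i++) {
        if (p->shadow[off + i] == T_FREED) return ERR_UAF;
        if (p->shadow[off + i] != T_LIVE) return ERR_OOB;  /* redzone/unallocated */
    }
    return OK;
}

/* CFI check for indirect calls: the target must be in the table of legitimate
 * handlers (assumed names; the paper derives this set from the firmware image's
 * call graph and function symbols). */
typedef void (*handler_t)(void);
static void handler_a(void) {}
static void handler_b(void) {}
static void not_a_handler(void) {}   /* in the image, but never a valid target */
static const handler_t allowed_targets[] = { handler_a, handler_b };

int cfi_check_call(handler_t target)
{
    for (size_t i = 0; i < sizeof allowed_targets / sizeof allowed_targets[0]; i++)
        if (allowed_targets[i] == target) return OK;
    return ERR_CFI;
}

int main(void)
{
    partition_t p;
    part_init(&p);
    uint8_t *blk = part_get(&p);
    printf("%d\n", check_access(&p, blk, PAYLOAD));      /* 0 = OK      */
    printf("%d\n", check_access(&p, blk, PAYLOAD + 1));  /* 1 = ERR_OOB */
    part_put(&p, blk);
    printf("%d\n", check_access(&p, blk, 1));            /* 2 = ERR_UAF */
    printf("%d\n", cfi_check_call(not_a_handler));       /* 3 = ERR_CFI */
    return 0;
}
```

The quarantine matters for the use-after-free case: if part_get reused a freed block immediately, a dangling pointer would see T_LIVE shadow again and the access would pass. A real binary-level sanitizer would also need a shadow mapping for stacks and globals, which this partition-only model leaves out.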

Acknowledgement

This research was supported by the Ministry of Trade, Industry and Energy (MOTIE) and the Korea Institute of Energy Technology Evaluation and Planning (KETEP) (No. 20171510102080).