Effective Fuzz Testing for Programmable Logic Controllers - Research for Nuclear Safety
This paper discusses the significance of fuzz testing for Programmable Logic Controllers (PLCs) to ensure nuclear safety, citing incidents like the Stuxnet worm attack. It delves into the methodology, zero-day vulnerability findings, and results of the research conducted by authors in February 2020, emphasizing the need for robust testing measures in industrial PLCs.
Presentation Transcript
EFFECTIVE FUZZ TESTING FOR PROGRAMMABLE LOGIC CONTROLLERS VULNERABILITY RESEARCH TO ENSURE NUCLEAR SAFETY
Authors: Jakub Suchorab, Marcin Dudek, Kinga Staszkiewicz, Joanna Walkiewicz
Co-author: Jacek Gajewski
IAEA-CN-278/619, paper presentation, Vienna, February 2020

Presentation outline
- Introduction
- Fuzz testing
- Laboratory configuration
- Research on methodology
- Found zero-day vulnerability
- Results
- Summary
Introduction
Programmable Logic Controllers (PLCs) play an important role in Industrial Control Systems (ICS).
Examples of incidents involving PLCs:
- Stuxnet worm attack on Iranian nuclear facilities: reprogrammed PLCs damaged centrifuges (2010);
- Malfunctioning PLC led to the shutdown of a reactor in the Browns Ferry nuclear power plant (2006).
The security of communication of PLCs should be tested.
It was decided to create a specialized laboratory in order to define an efficient fuzz testing methodology for PLCs.

Fuzz testing
[Fig. 1. Fuzzing framework: an input generator, a delivery mechanism and a fail detection mechanism. Blocks of the figure: Input generator, Delivery mechanism, System Under Test, Fail detection mechanism. Source: M. Almgren, D. Balzarotti, J. Stijohann and E. Zambon, Report on automated vulnerability discovery techniques.]
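The three blocks of Fig. 1 as a runnable loop, added here as an illustration (this is not the authors' code and not Defensics): a mutation-based input generator, an in-process delivery mechanism and a fail detection rule that separates graceful rejection from an unexpected crash. The system under test is a hypothetical tag-length-value record parser written for this example, shown in its defective form and with the bound check that fixes it; the seed message and the RNG seed are constructed.

```python
"""Added example: the fuzzing framework of Fig. 1 (input generator, delivery
mechanism, fail detection mechanism) against a constructed toy parser.
The SUT is a hypothetical TLV record parser, not PLC firmware."""
import random
import struct

# Constructed seed message: two valid records, (tag 1, "abc") and (tag 2, "z").
SEED_MESSAGE = b"\x01\x00\x03abc" + b"\x02\x00\x01z"


def parse_tlv(message: bytes) -> list:
    """System under test (constructed): records are tag(1) | length(2, big-endian) | value.
    Defect for the fuzzer to find: a record header that runs past the end of the
    message is never checked, so struct raises struct.error instead of the parser's
    own ValueError (the analogue of a device stack crashing on a truncated packet)."""
    records, pos = [], 0
    while pos < len(message):
        tag = message[pos]
        (length,) = struct.unpack_from(">H", message, pos + 1)
        value = message[pos + 3 : pos + 3 + length]
        if len(value) != length:
            raise ValueError("truncated value")   # graceful rejection
        records.append((tag, value))
        pos += 3 + length
    return records


def parse_tlv_hardened(message: bytes) -> list:
    """Same parser with the bound check that turns the crash into a graceful rejection."""
    records, pos = [], 0
    while pos < len(message):
        if pos + 3 > len(message):
            raise ValueError("truncated header")
        tag = message[pos]
        (length,) = struct.unpack_from(">H", message, pos + 1)
        value = message[pos + 3 : pos + 3 + length]
        if len(value) != length:
            raise ValueError("truncated value")
        records.append((tag, value))
        pos += 3 + length
    return records


def generate_inputs(seed: bytes, count: int, rng: random.Random):
    """Input generator: mutation-based, each output is the seed with one change."""
    for _ in range(count):
        data = bytearray(seed)
        op = rng.choice(("flip", "truncate", "insert", "length"))
        if op == "flip":                      # flip one bit anywhere
            i = rng.randrange(len(data))
            data[i] ^= 1 << rng.randrange(8)
        elif op == "truncate":                # cut the message short
            data = data[: rng.randrange(len(data))]
        elif op == "insert":                  # insert one random byte
            data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
        else:                                 # rewrite the first length field
            struct.pack_into(">H", data, 1, rng.randrange(65536))
        yield bytes(data)


def deliver(target, data: bytes):
    """Delivery mechanism: an in-process call here; against a real device this
    would be the network send, and the fuzzer would also watch for a lost reply."""
    return target(data)


def detect_failure(target, data: bytes):
    """Fail detection: ValueError is the parser's intended rejection; any other
    exception type is an unexpected failure worth recording."""
    try:
        deliver(target, data)
    except ValueError:
        return None
    except Exception as exc:   # the fuzzer wants every other crash
        return exc
    return None


def fuzz(target, iterations: int = 2000, rng_seed: int = 1):
    """Run the loop; return (input, exception) for the first failure, or None."""
    rng = random.Random(rng_seed)
    for data in generate_inputs(SEED_MESSAGE, iterations, rng):
        failure = detect_failure(target, data)
        if failure is not None:
            return data, failure
    return None


if __name__ == "__main__":
    print("defective parser:", fuzz(parse_tlv))
    print("hardened parser:", fuzz(parse_tlv_hardened))
```

Run as a script it prints the first crashing input for the defective parser and None for the hardened one. The same split of responsibilities scales to a networked target: only `deliver` and `detect_failure` change (socket send, reply timeout, device health poll), the generator stays as it is.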
Laboratory configuration
Table 1. Hardware and software used in laboratory
Component | Importance | Specification
Hardware:
PLC | required | Siemens S7-317, Siemens S7-1511, Siemens S7-1512
Computer | required | 1 desktop computer, 1 laptop computer
Switch | optional | D-Link Web Smart Switch DGS-1224T
Software:
Fuzzer | required | Defensics from Synopsys
PLC configuration software | required | TIA Portal v14
Network protocol analyzer | recommended | Wireshark
SCADA/HMI | optional | WinCC
[Fig. 2. Laboratory setup.]

Research on methodology
1. Initial configuration and interoperability testing;
2. Encountered false positive error caused by faulty Profinet DCP protocol test suite;
3. Full-scale tests of available protocols;
4. PLC failure encountered during IPv4 protocol testing.
Found zero-day vulnerability
- IP packet with modified header sent to S7-1500 PLC about 33000 times;
- As a result, no communication with the target using IP-based protocols;
- Report including proof sent to Siemens CERT;
- Vulnerability was classified as not previously known;
- The code CVE-2018-13805 was assigned to the vulnerability.
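On the defender's side, a finding of this shape (a controller losing its IP stack after a flood of malformed packets) is something a network monitor can flag. The following added example, which is not the authors' code and does not reproduce the reported packet, performs generic IPv4 header sanity checks (version, IHL, total length, header checksum) over a constructed capture and alerts when one source sends many malformed headers to a controller inside a sliding window. The addresses are TEST-NET-1 values, and the threshold and window are assumptions to tune per site.

```python
"""Added example (not the authors' code): generic IPv4 header checks and a
per-source rate detector for malformed headers aimed at a controller. All
packets and addresses below are constructed for the sample capture."""
import socket
import struct
from collections import defaultdict, deque

IPV4_FMT = "!BBHHHBBH4s4s"   # 20-byte header without options


def ipv4_checksum(header: bytes) -> int:
    """Ones'-complement sum over the header; returns 0 when a stored checksum is valid."""
    total = 0
    for i in range(0, len(header) - 1, 2):
        total += (header[i] << 8) | header[i + 1]
    if len(header) % 2:
        total += header[-1] << 8
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_packet(src: str, dst: str, payload: bytes, ihl: int = 5,
                      bad_checksum: bool = False) -> bytes:
    """Constructed packet builder for the sample capture (protocol 6, TTL 64)."""
    fields = [(4 << 4) | ihl, 0, 20 + len(payload), 0x1234, 0, 64, 6, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    csum = ipv4_checksum(struct.pack(IPV4_FMT, *fields))
    fields[7] = csum ^ 0x00FF if bad_checksum else csum   # xor keeps it always wrong
    return struct.pack(IPV4_FMT, *fields) + payload


def header_problems(packet: bytes) -> list:
    """Return the list of header-sanity failures (empty for a well-formed header)."""
    if len(packet) < 20:
        return ["short"]
    ver_ihl, _tos, total_len = struct.unpack("!BBH", packet[:4])
    problems = []
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4:
        problems.append("version")
    if ihl < 5 or ihl * 4 > len(packet):
        problems.append("ihl")
    elif ipv4_checksum(packet[: ihl * 4]) != 0:
        problems.append("checksum")
    if total_len != len(packet):
        problems.append("total-length")
    return problems


def detect_malformed_floods(packets, threshold: int = 20, window_s: float = 60.0) -> dict:
    """packets: iterable of (timestamp, raw_ipv4_bytes). Alert on a (src, dst) pair
    that sends `threshold` or more malformed headers inside a sliding time window."""
    recent = defaultdict(deque)      # (src, dst) -> timestamps of malformed packets
    kinds = defaultdict(set)         # (src, dst) -> problem types seen
    alerts = {}
    for ts, pkt in packets:
        problems = header_problems(pkt)
        if not problems or "short" in problems:
            continue                 # well-formed, or too short to attribute
        key = (socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]))
        window = recent[key]
        window.append(ts)
        while ts - window[0] > window_s:
            window.popleft()
        kinds[key].update(problems)
        if len(window) >= threshold:
            alerts[key] = {"count": len(window), "problems": sorted(kinds[key])}
    return alerts


PLC_ADDR = "192.0.2.50"   # constructed controller address (TEST-NET-1)


def constructed_capture() -> list:
    """Constructed sample: one normal host, then one host sending 35 malformed headers."""
    packets, t = [], 0.0
    for _ in range(3):
        packets.append((t, build_ipv4_packet("192.0.2.20", PLC_ADDR, b"ok")))
        t += 1.0
    for _ in range(30):
        packets.append((t, build_ipv4_packet("192.0.2.10", PLC_ADDR, b"x", bad_checksum=True)))
        t += 0.01
    for _ in range(5):
        packets.append((t, build_ipv4_packet("192.0.2.10", PLC_ADDR, b"x", ihl=3)))
        t += 0.01
    return packets


if __name__ == "__main__":
    print(detect_malformed_floods(constructed_capture()))
```

The detector keys on the (source, controller) pair rather than on the packet contents, because the lesson of the finding is that the volume of bad headers matters as much as their shape; a single malformed packet is noise on most networks, thirty in a second aimed at one PLC is not.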
Results
Fig. 3. Diagram presenting developed fuzzing methodology. Flow of the diagram:
Prepare a list of protocols -> Is there any untested protocol?
- No -> Prepare full documentation.
- Yes -> Run a full test of the next protocol from the list -> Is there any failure?
  - Yes -> Conduct vulnerability extracting process;
  - No -> Mark protocol as tested, then return to "Is there any untested protocol?".

Results
Fig. 4. Diagram presenting vulnerability extracting process. Flow of the diagram:
Test failed -> Multiple failed test rerun -> Is failure repeatable?
- No -> Mark the failure as non-recurrent.
- Yes -> Modify and rerun test case sequence -> Is the optimal sequence found?
  - No -> Modify and rerun test case sequence again;
  - Yes -> Analyse the results -> Prepare proof of concept script -> Report to vendor.
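The two flowcharts describe a procedure that is easy to get subtly wrong by hand (a flaky failure reported as a vulnerability, or a proof of concept that still carries dozens of irrelevant test cases), so here is an added driver for both of them. It is not the authors' tooling: the device is a constructed simulator, the protocol and test-case names are hypothetical, and "optimal sequence" is interpreted as the smallest sequence that still reproduces the failure, found by dropping one case at a time.

```python
"""Added example: a driver for the protocol loop of Fig. 3 and the vulnerability
extracting process of Fig. 4. The device is a constructed simulator, not a PLC;
protocol and test-case names are hypothetical."""
from dataclasses import dataclass, field


@dataclass
class SimulatedPLC:
    """Constructed device model. `trigger` maps a protocol to an ordered pair of
    test cases that makes the device fail whenever both appear in that order;
    protocols in `fails_once` fail on their first run and then survive, which
    models a failure that is not repeatable."""
    trigger: dict
    fails_once: set
    runs: int = 0
    seen: set = field(default_factory=set)

    def run(self, protocol: str, sequence: list) -> bool:
        """Run one test-case sequence; True means the device survived."""
        self.runs += 1
        if protocol in self.fails_once:
            first = protocol not in self.seen
            self.seen.add(protocol)
            return not first
        pair = self.trigger.get(protocol)
        if pair is None or pair[0] not in sequence or pair[1] not in sequence:
            return True
        return sequence.index(pair[0]) > sequence.index(pair[1])


def is_repeatable(plc, protocol, sequence, reruns: int = 5) -> bool:
    """Fig. 4, 'Multiple failed test rerun': repeatable only if every rerun fails."""
    return all(not plc.run(protocol, sequence) for _ in range(reruns))


def minimise_sequence(plc, protocol, sequence) -> list:
    """Fig. 4, 'Modify and rerun test case sequence' until the optimal sequence is
    found: drop one case at a time and keep the drop while the failure persists,
    so the result is the smallest sequence that still reproduces it."""
    current = list(sequence)
    changed = True
    while changed:
        changed = False
        for case in list(current):
            candidate = [c for c in current if c != case]
            if candidate and not plc.run(protocol, candidate):
                current, changed = candidate, True
    return current


def extract_vulnerability(plc, protocol, sequence) -> dict:
    """Fig. 4 end to end: repeatability check, then minimisation, then the record
    that feeds the proof-of-concept script and the vendor report."""
    if not is_repeatable(plc, protocol, sequence):
        return {"protocol": protocol, "status": "non-recurrent failure"}
    return {"protocol": protocol, "status": "report to vendor",
            "poc_sequence": minimise_sequence(plc, protocol, sequence)}


def run_methodology(plc, protocols, test_cases) -> list:
    """Fig. 3: take the next untested protocol, run its full test, branch on
    failure, and return the documentation for all protocols."""
    documentation = []
    untested = list(protocols)
    while untested:                       # 'Is there any untested protocol?'
        protocol = untested.pop(0)
        sequence = test_cases[protocol]
        if plc.run(protocol, sequence):   # 'Is there any failure?' -> No
            documentation.append({"protocol": protocol, "status": "tested, no failure"})
        else:                             # -> Yes: vulnerability extracting process
            documentation.append(extract_vulnerability(plc, protocol, sequence))
    return documentation                  # 'Prepare full documentation'


# Constructed scenario: three hypothetical protocols with six test cases each.
PROTOCOLS = ["PROTO_A", "PROTO_B", "PROTO_C"]
TEST_CASES = {p: [f"case{i}" for i in range(1, 7)] for p in PROTOCOLS}


def demo() -> list:
    """PROTO_A never fails, PROTO_B fails when case2 precedes case5, PROTO_C fails once."""
    plc = SimulatedPLC(trigger={"PROTO_B": ("case2", "case5")}, fails_once={"PROTO_C"})
    return run_methodology(plc, PROTOCOLS, TEST_CASES)


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

Against a physical controller each `run` call is a full fuzz campaign plus a device restart, so the rerun count and the minimisation strategy are where the time goes; the structure above keeps both decisions in one place so they can be tuned without touching the protocol loop.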
Summary
- The proposed systematic approach to fuzz testing of PLCs allows the examination of new and existing devices in order to find vulnerabilities associated with incorrect protocol processing;
- No testing can cover every single possible combination of test cases, so the goal is to find as many vulnerabilities as possible in a systematic way, thus reducing the threat of undetected ones.
Thank you for your attention! Vienna, February 2020