Abstract

Cyber-physical systems (CPSs) are ubiquitous in critical infrastructures, where programmable logic controllers (PLCs) and physical components intertwine. However, multiple successful attacks targeting safety-related CPSs, and in particular their PLCs, reveal their vulnerability to malicious cyber attacks, which can consequently cause significant damage. Although several kinds of defensive techniques exist in the literature, few of them can be practically and widely applied to real-world CPSs equipped with PLCs from leading vendors, primarily because they require specific hardware or rest on unrealistic defense assumptions. In this paper, we propose PLC-READER, a practical memory-attack detection and response framework for securing the CPS. The core of PLC-READER consists of 1) a comprehensive semantic analysis solution for the PLC's proprietary protocol, based on software reverse engineering and network traffic difference analysis, and 2) a fine-grained memory structure analysis solution that identifies the critical memory data. Building on the results of this reverse engineering, PLC-READER performs sanity checks on the PLC's critical memory by periodically verifying the hash values and dynamic checksum values of these memory data. We extensively evaluated PLC-READER against 366 different memory attacks of 4 types, including some newly developed ones that were assigned 6 CVE IDs by Schneider and Rockwell, by analyzing 3 kinds of proprietary protocols and 6 kinds of memory structures in 6 kinds of real-world PLCs from 3 leading manufacturers. The results demonstrate that PLC-READER detects all memory attacks with an accuracy of 100% and performs the corresponding emergency responses in time.
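The sanity-check idea described above, as an added illustration that is not code from the paper: static regions (here a hypothetical "logic" region) are compared against baseline hashes taken from a trusted snapshot, while legitimately changing regions (a hypothetical "io_table" with an assumed CRC32 trailer) are verified by recomputing their checksum. Region names, layout, the CRC trailer and the response policy are assumptions of this example, not any vendor's memory format.

```python
import hashlib
import zlib
from dataclasses import dataclass, field

# Assumed layout: "logic" must never change after deployment (static region);
# "io_table" changes during operation but ends with a CRC32 the controller
# maintains (dynamic checksum). Both names are constructed for this example.
STATIC_REGIONS = {"logic"}

def crc32_trailer(payload: bytes) -> bytes:
    """Build a dynamic region image: payload followed by its big-endian CRC32."""
    return payload + zlib.crc32(payload).to_bytes(4, "big")

@dataclass
class MemoryMonitor:
    baseline: dict = field(default_factory=dict)  # region name -> sha256 hex

    def learn(self, regions: dict[str, bytes]) -> None:
        """Record hashes of the static regions from a trusted snapshot."""
        for name in STATIC_REGIONS:
            self.baseline[name] = hashlib.sha256(regions[name]).hexdigest()

    def check(self, regions: dict[str, bytes]) -> list[str]:
        """Return the names of regions that fail their sanity check."""
        alerts = []
        for name, data in regions.items():
            if name in STATIC_REGIONS:
                # Static data: any deviation from the baseline hash is tampering.
                if hashlib.sha256(data).hexdigest() != self.baseline.get(name):
                    alerts.append(name)
            else:
                # Dynamic data: the stored checksum must match the recomputed one.
                payload, stored = data[:-4], data[-4:]
                if zlib.crc32(payload).to_bytes(4, "big") != stored:
                    alerts.append(name)
        return alerts

def respond(alerts: list[str]) -> str:
    """Assumed response policy: stop the controller if control logic was
    tampered with, otherwise only log the anomaly."""
    if not alerts:
        return "ok"
    return "stop" if "logic" in alerts else "log"

def demo() -> tuple[list[str], str]:
    # Constructed trusted snapshot, then a constructed tampered snapshot in which
    # the logic is overwritten and the I/O table is changed without fixing its CRC.
    trusted = {"logic": b"LD I0.0\nAND I0.1\nST Q0.0\n", "io_table": crc32_trailer(b"\x00\x01")}
    mon = MemoryMonitor()
    mon.learn(trusted)
    tampered = {"logic": b"LD I0.0\nST Q0.0\n", "io_table": b"\x00\xff" + trusted["io_table"][-4:]}
    alerts = mon.check(tampered)
    return alerts, respond(alerts)
```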
