工控系统中PLC安全漏洞及控制流完整性研究

doi:10.16180/j.cnki.issn1007-7820.2021.02.006

Abstract

Abstract:

PLC plays an important role in industrial control systems. However, the security vulnerability of PLC disclosed in recent years has increased year by year. Carrying out the research on defense technology of vulnerability for PLC is of great significance for improving the security of industrial control system. Based on the control-flow integrity, this study proposes a defense mechanism using control-flow integrity for PLC to protect PLC from vulnerability hijacking. This defense mechanism protects the PLC from being hijacked by attackers through checking the control transfer instruction in the PLC program and inserting check instruction based on pile technology to ensure that the program is executed according to the original control-flow graph. In order to effectively guarantee the real-time performance of the PLC, a cyclic shadow stack is introduced. The proposed scheme effectively protects the PLC from vulnerability hijacking, and the performance overhead of the defense mechanism is only about 3.6% on average.

Key words: PLC, vulnerabilities, control-flow hijacking, control-flow integrity, industrial control system, security of industrial control system

CLC Number:

TP309

CHEN Dawei,XU Ruzhi. Research on Security Vulnerabilities and Control Flow Integrity of PLC in Industrial Control System[J].Electronic Science and Technology, 2021, 34(2): 33-37.

Figures/Tables 7

Table 1

Figure 1.

Figure 2.

Figure 3.

Figure 4.

Figure 5.

Table 2

References 19

[1]	Abbasi A, Hashemi M. Ghost in the plc designing an undetectable programmable logic controller rootkit via pin control attack[J].Black Hat Europe, 2016(6):1-35.
[2]	Peck D, Peterson D. Leveraging ethernet card vulnerabilities in field devices [C].Miami:SCADA Security Scientific Symposium, 2009.
[3]	Basnight Z, Butts J, Lopez Jr J, et al. Firmware modification attacks on programmable logic controllers[J]. International Journal of Critical Infrastructure Protection, 2013,6(2):76-84.
[4]	Adelstein F, Stillerman M, Kozen D. Malicious code detection for open firmware [C].Las Vegas:Computer Security Applications Conference, 2002.
[5]	Yang H, Cheng L, Chuah M C. Detecting payload attacks on Programmable Logic Controllers (PLCs) [C].Beijing: IEEE Conference on Communications and Network Security, 2018.
[6]	Beresford D. Exploiting siemens simatic S7 PLCS[J]. Black Hat USA, 2011,16(2):723-733.
[7]	刘龙龙, 张建辉, 杨梦. 网络攻击及其分类技术研究[J]. 电子科技, 2017,30(2):169-172.
	Liu Longlong, Zhang Jianhui, Yang Meng. Research on network attacks and their classification[J]. Electronic Science and Technology, 2017,30(2):169-172.
[8]	Huang Z S, Harris I G. Return-oriented vulnerabilities in ARM executables [C].Waltham:IEEE Conference on Technologies for Homeland Security, 2012.
[9]	Abadi M, Budiu M, Erlingsson Ü, et al. Control-flow integrity principles, implementations, and applications[J]. ACM Transactions on Information and System Security, 2009,13(1):4-15.
[10]	Zhang C, Wei T, Chen Z, et al. Practical control flow integrity and randomization for binary executables [C]. Berkeley:IEEE Symposium on Security and Privacy, 2013.
[11]	Zhang M, Sekar R. Control flow integrity for COTS binaries [C].Washington D C:Proceeding of the Twenty-second USENIX Conference of Security, 2013.
[12]	Güktas E, Athanasopoulos E, et al. Out of control: overcoming control-flow integrity [C].Berkeley:IEEE Symposium on Security and Privacy, 2014.
[13]	Conti M, Crane S, Davi L, et al. Losing control:on the effectiveness of control-flow integrity under stack attacks [C].New York:Proceedings of the Twenty-second ACM SIGSAC Conference on Computer and Communications Security, 2015.
[14]	Li J, Tong X, Zhang F, et al. Fine-CFI:fine-grained control-flow integrity for operating system kernels[J].IEEE Transactions on Information Forensics and Security, 2018(1):1-7.
[15]	Niu B, Tan G. Per-input control-flow integrity [C].New York:Proceedings of the Twenty-second ACM SIGSAC Conference on Computer and Communications Security, 2015.
[16]	Das S, Zhang W, Liu Y. A fine-grained control flow integrity approach against runtime memory attacks for embedded systems[J].IEEE Transactions on Very Large Scale Integration (VLSI) Systems, 2016(3):1-15.
[17]	Davi L, Dmitrienko A, Egele M, et al. MoCFI: a framework to mitigate control-flow attacks on smartphones [C].San Diego:The Nineteenth Annual Network and Distributed System Security Symposium, 2012.
[18]	Abbasi A, Holz T, Zambon E, et al. ECFI:asynchronous control flow integrity for programmable logic controllers [C].Orlando:Proceedings of the Thirty-third Annual Computer Security Applications Conference, 2017.
[19]	Alves T R, Buratto M, de Souza F M, et al.Openplc: An open source alternative to automation [C].San Jose:IEEE Global Humanitarian Technology Conference, 2014.

年份	漏洞简介	危害
2011	西门子PLC的多个协议漏洞^[6]	攻击者利用这些漏洞可以执行远程代码,达到控制流劫持的目的
2014	美国国土安全部工业控制系统网络应急响应小组公布了施耐德电气的PLC设备存在安全漏洞	漏洞允许远程未经身份验证的用户发出停止和启动命令,如果攻击者可以访问Modbus TCP端口,则攻击者无需身份验证即可停止或启动CPU,允许远程未经身份验证的用户通过Modbus下载和上传可能已修改的梯形逻辑
2015	美国国土安全部工业控制系统网络应急响应小组公布了施耐德电气Modicon M340 PLC存在一个缓冲区溢出漏洞	成功利用此漏洞可能导致攻击者访问的设备崩溃,同时缓冲区溢出可能允许远程代码执行
2016	美国国土安全部工业控制系统网络应急响应小组公布了罗克韦尔Micrologix 1100 系列的PLC存在一个缓冲区溢出漏洞	成功利用基于堆栈的缓冲区溢出漏洞可能允许攻击者远程执行受影响设备上的任意代码

PLC是否拥有CFI	平均情况下消耗的处理器周期数	最差情况下消耗的处理器周期数
否	58 325	78 046
是	60 425	82 141

Research on Security Vulnerabilities and Control Flow Integrity of PLC in Industrial Control System

RichHTML

PDF (PC)

Like

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 7

References 19

Related Articles 15

Metrics

Comments

Recommended 10

[1]	FAN Zhenrui. Application of S7-1200 PLC in Position Control of Servo Motor [J]. Electronic Science and Technology, 2020, 33(5): 77-81.
[2]	JIN Aijuan,TAO Weihan,WEI Zibu,SUN Yumian,ZHANG Zhengyi,MA Beibei. Current Sharing Technology of Parallel Buck Converter [J]. , 2017, 30(4): 162-.
[3]	ZHENG Shanglei1，FU Yinghua1,2，ZHOU Daitong3. PID Parameter Setting Based on S7300 PLC and Wincc [J]. , 2016, 29(11): 97-.
[4]	ZHU Jinjin, SHEN Tuhao, BAO Kejin. Realization of Communication Between PLC and Supervision Computer Through Industrial Ethernet Based on .NET [J]. , 2016, 29(11): 115-.
[5]	YANG Jun,WENG Guohua,YUE Jian,FAN Zhihong. Design of the Three-dimensional Pitot Speed Measuring System Based on Servo Motor [J]. , 2015, 28(9): 152-.
[6]	MA Beibei,CHEN Yunqi. Application of DC Speed Control System in Belt Conveyor Based on PLC [J]. , 2015, 28(7): 161-.
[7]	ZONG Bingchen. Design of a Basic Motor Control Circuit Based on PLC Technology [J]. , 2014, 27(5): 88-.
[8]	ZHOU Feihao,YANG Yanxiang,LIU Liang,DENG Qiang. Security System Based on Power Line Carrier Communication and Dynamic Image Detection [J]. , 2014, 27(4): 162-.
[9]	LI Xiaowei,SONG Xuwen. Design of Video Surveillance System Based on Power Line Communication and Technology of Streaming Media [J]. , 2014, 27(3): 59-.
[10]	GUO Wutao,QI Jinpeng. Powered Temperature Cycle Test System Based on VB and PLC [J]. , 2014, 27(12): 34-.
[11]	LI Binglin,WEI Hongbo,YOU Wen. Design of the High Power Fenestration Control System Based on PLC and Touch screen [J]. , 2014, 27(12): 73-.
[12]	WANG Yalei,HUANG Mengtao. Implementation and Application of Fuzzy PLC in PID Based on the Forecast Model [J]. , 2014, 27(10): 29-.
[13]	YANG Jiachun,GUO Yulong,WANG Yongfei3. Application of PLC in the Production of Liquid Hydrogen [J]. , 2013, 26(8): 146-.
[14]	CHEN Lei,HU Fayun,FAN Shengnian,ZHU Lianglong2. Design of a Feedback Control System Based on the Packing Density of the S7-200 [J]. , 2013, 26(8): 152-.
[15]	CAI Si-Yu, SHANG Wei-Ping. Novel Automatic Interpretation System Based on Power Line Carrier Communication for Museums [J]. , 2013, 26(4): 41-.