Report Speech BHS 2019 by Ali Abbasi

Wrap-up report Black Hat Sessions 2019 - Presentation Ali Abbasi, written by Fatih Kirbiyik - 31 July 2019

Below you will find a brief report written by Fatih Kirbiyik, Embedded Security Expert at Secura, about the technical deep dive talk given by Ali Abbasi, Post Doctoral Researcher at the chair for System Security of Ruhr-University Bochum in Germany, about Embedded Control Systems Binary Security and Industrial Control System Approach.


Ali Abbasi started his talk by noting that in order to protect critical infrastructures such as Industrial Control Systems, we have to understand the attacks against them. A basic attack in an unprotected Industrial Control System network would require getting network access, understanding the process, manipulating the controller and exploiting the process. There are, however, different protection mechanisms in place that the attacker has to overcome. Typically, ICS/SCADA networks are part of a bigger IT network within their organization and are aimed at controlling a physical process. Some network protection devices already exist; they observe the network and try to detect malicious network activity. It turns out that there are attacks and methods that can bypass this first layer of protection, due to vulnerabilities intrinsic to these devices and vulnerabilities in their implementation. The second step for an attacker would be to understand the physical process and the purpose for which the ICS/SCADA is designed, as these processes can differ hugely between ICSs. These differences in processes consequently result in different attack vectors that ought to be considered.

Another obstacle the attacker has to overcome is that most process controllers in ICS (i.e. PLCs) have host-based protections such as firmware integrity checks, malware detection or hooking detection. These controllers contain CPUs that are developed for a wider range of applications. Hence, these CPUs may also introduce vulnerabilities to the overall system via their OS or the services they provide. Exploiting PLC software is no different from exploiting any other embedded system software. Because the programming language widely used in embedded software development is C, memory corruption exploits are applicable. Although some vendors are implementing exploit mitigations such as Address Space Layout Randomization (ASLR), stack canaries and executable space protection, the support for these mitigations is limited and not industry-wide.


During his talk, Ali Abbasi also introduced his open-source exploit mitigation solution (named µShield) for embedded system software, which is based on Control Flow Integrity (CFI) checks. When these mitigations are combined, it becomes more difficult for an attacker to exploit the ICS.



In the last part of his talk, Abbasi touched on the challenges of fuzzing embedded system software. These challenges lie in accessing the source code, accessing the relevant documentation, the limited knowledge about the hardware and the scalability of fuzz testing. He also described the following approaches to overcome these challenges: using the hardware features available within the embedded system, such as debugging functionalities; instruction profiling via side-channel; tapping the communication between the CPU and the RAM and feeding this into the fuzzer; and, last but not least, emulating the firmware.
