An Industrial Control System Protection Approach by Ali Abbasi, BHS 2019

Ali Abbasi is a Post-Doctoral researcher at the Chair for System Security of Ruhr-University Bochum, Germany. During the Black Hat Sessions (BHS) on June 13th he will give a technical presentation on the binary security of embedded control systems: An Industrial Control System Protection Approach. In this (technical) interview, Ali shines light on the questions we asked him in the run-up to the conference.

What project/research are you currently working on? 
I am currently involved in three different research projects. In the first research, we are trying to bring coverage-guided fuzzing to embedded control devices. I am also involved in a project related to finding hidden engineering (or backdoors) in Programmable Logic Controllers (PLCs). Finally, I am involved in a project for data-flow integrity for real-time embedded systems.    

What real (world) challenges are you trying to address with your research?
I think we can agree that the security ecosystems in both industrial control system domain and especially in embedded control devices are falling behind when compared to general-purpose computers. To be more specific, in general-purpose computer domain we have various security mitigations, more advanced vulnerability discovery techniques and tools. In contrast, we do not have these kinds of mitigations or techniques in embedded control devices domain. These issues alone might not seem problematic, but when we consider this situation in the context of increased exposure of these devices to the internet (e.g., IIoT), then we suddenly have a different case: a bunch of devices which control the critical infrastructures of nations, connected to the internet which has low hanging fruit vulnerabilities. This is a real-world issue. To address these multi-dimensional issues during my Ph.D. studies, I was involved in designing more advanced security mechanisms for these devices while considering the environment which they are operating. Additionally, to improve the security of embedded devices in ICS, we need to have better ways to detect and discover vulnerabilities in them. So I am working to address this challenge by creating a framework for fuzzing embedded ICS devices.  

A bunch of devices which control the critical infrastructures of nations, connected to the internet which has low hanging fruit vulnerabilities. This is a real-world issue.  - Ali Abbasi, Researcher on Systems Security for Embedded Systems

What can you tell us about the challenges of hardening COTS embedded systems against the exploitation of memory corruption vulnerabilities, especially systems with realtime requirements as they are found in various safety-critical domains such as automotive or industrial automation?
Generally, designing security mitigation for embedded systems with limited resources is hard, but it is much more challenging when you also consider timelines. The first challenge is an architectural problem: the real-time requirement automatically preempts security in its nature. Therefore, you have the situation where you have a delay on threat detection, and you must accept system compromise over timeliness. It means that in a realtime environment you must consider system compromise as an acceptable outcome (despite detecting the attack). Finally, you can not kill real-time PLC software during the attack and put the operator in a situation where she/he loses control of the cyberphysical process. The second challenge is how to cope with diversity in the embedded domain. After all, embedded domain with respect to hardware and resources is heterogeneous and thus you can not apply the same security policy in devices with different hardware features. This means that you must design different security policies per different embedded hardware families.

How or why is systems engineering for securing embedded systems different from securing basic IT systems?
There are so many differences, take for example certification issues. You can not just design a security solution without considering how your design affects already obtained certificates. So for example, if you have an avionic system which has a DO-178B certificate, any major modification to the software means that vendor must reapply for certification, so when designing a new security mechanism you should consider this issue. Other examples which I mentioned earlier are real-time requirement or diversity in hardware. Therefore any solution to secure embedded devices should consider these issues.   

What do you think about the future of embedded systems?
In the context of cyber security, I think embedded systems, for a short period, will follow general-purpose computers. This means that security solutions first get introduced in the general-purpose domain and then get adopted to the embedded world. However, this condition will change as more and more hardware-based security features get adopted into high-end embedded systems. Take for example ARM v8.5A memory tagging or ARM v8.3 pointer authentication or ARM CoreSight (equivalant to Intel PT). So we can see that some high-end embedded SoCs reduce the gap or even take over on hardware support for security features.   

ICS embedded security is also a keystone of Black Hat Sessions 2019. You will provide a technical presentation at the event. Can you give a glimpse of what you are going to present on the 13th of June?
I am going to talk about how to improve the security of embedded control devices. I’ll start by looking at how an attacker can target a plant (regardless of what kind of embedded device being used), I will then discuss existing security solutions for embedded devices and how an attacker can exploit an embedded device without being detected by existing security mitigations. Afterwards, I’ll discuss better security solutions for embedded control systems and especially talk about detecting code reuse attacks in such devices. Eventually, I am going to give a glimpse on the challenges of fuzzing embedded control devices and what we can do to address them. Read the full abstract on https://www.blackhatsessions.com/programme-ali-abbasi

Visit www.blackhatsessions.com for more information about the programme and registration.

@ Secura 2019
Webdesign Studio HB / webdevelopment Medusa