Team for Research in
Ubiquitous Secure Technology

Vulnerability Analysis of SCADA Protocol Binaries through Detection of Memory Access Taintedness
Carlo Bellettini, Julian L. Rrushi

Citation
Carlo Bellettini, Julian L. Rrushi. "Vulnerability Analysis of SCADA Protocol Binaries through Detection of Memory Access Taintedness". Proceedings of the 8th IEEE SMC Information Assurance Workshop, LTC John Hill (ed.), 341-348, June, 2007.

Abstract
Pointer taintedness is a concept which has been successfully employed as a basis for vulnerability analysis of C/C++ source code, and as a run-time mitigation technique against memory corruption attacks. Nevertheless, pointer taintedness interferes with the specification of several industrial control protocols. As a consequence it is not directly usable in detecting memory corruption vulnerabilities in implementations of those industrial control protocols. Furthermore, source-code analysis may have no visibility on certain low-level vulnerabilities, since there may be a considerable difference between what programmers intend with the source code they write and what the CPU really executes. A set of memory corruption vulnerabilities specific to implementations of industrial control protocols may escape source code analysis, as they are related to a dynamic organization of data in memory. In this paper we define a new concept referred to as memory access taintedness. We discuss the logical motivations behind our definition of memory access taintedness and demonstrate that memory access taintedness is fully employable in vulnerability analysis of the machine code of implementations of industrial control protocols. We analyze the main low-level characteristics of both traditional attacks and attacks specific to process control systems, and demonstrate the ability of memory access taintedness to detect memory corruption vulnerabilities. We represent memory access taintedness as a decision tree and use it as the fundamental component of a finite state machine model we devised for the purpose of dynamically detecting memory corruption vulnerabilities in implementations of industrial control protocols.

Electronic downloads

Citation formats  
  • HTML
    Carlo Bellettini, Julian L. Rrushi. <a
    href="http://www.truststc.org/pubs/314.html"
    >Vulnerability Analysis of SCADA Protocol Binaries
    through Detection of Memory Access Taintedness</a>,
    Proceedings of the 8th IEEE SMC Information Assurance
    Workshop, LTC John Hill (ed.), 341-348, June, 2007.
  • Plain text
    Carlo Bellettini, Julian L. Rrushi. "Vulnerability
    Analysis of SCADA Protocol Binaries through Detection of
    Memory Access Taintedness". Proceedings of the 8th IEEE
    SMC Information Assurance Workshop, LTC John Hill (ed.),
    341-348, June, 2007.
  • BibTeX
    @inproceedings{BellettiniRrushi07_VulnerabilityAnalysisOfSCADAProtocolBinariesThroughDetection,
        author = {Carlo Bellettini and Julian L. Rrushi},
        title = {Vulnerability Analysis of SCADA Protocol Binaries
                  through Detection of Memory Access Taintedness},
        booktitle = {Proceedings of the 8th IEEE SMC Information
                  Assurance Workshop},
        editor = {LTC John Hill},
        pages = {341-348},
        month = {June},
        year = {2007},
        abstract = {Pointer taintedness is a concept which has been
                  successfully employed as basis for vulnerability
                  analysis of C/C++ source code, and as a run-time
                  mitigation technique against memory corruption
                  attacks. Nevertheless, pointer taintedness
                  interferes with the specification of several
                  industrial control protocols. As a consequence it
                  is not directly usable in detecting memory
                  corruption vulnerabilities in implementations of
                  those industrial control protocols. Furthermore,
                  source-code analysis may have no visibility on
                  certain low-level vulnerabilities since there may
                  be a considerable difference between what
                  programmers intend with the source code they write
                  and what the CPU really executes. A set of memory
                  corruption vulnerabilities specific to
                  implementations of industrial control protocols
                  may escape source code analysis as they are
                  related to a dynamic organization of data in
                  memory. In this paper we define a new concept
                  referred to as memory access taintedness. We
                  discuss the logical motivations behind our
                  definition of memory access taintedness and
                  demonstrate that memory access taintedness is
                  fully employable in vulnerability analysis of the
                  machine code of implementations of industrial
                  control protocols. We analyze the main low-level
                  characteristics of both traditional attacks and
                  attacks specific to process control systems, and
                  demonstrate the ability of memory access
                  taintedness to detect memory corruption
                  vulnerabilities. We represent memory access
                  taintedness as a decision tree and use it as the
                  fundamental component of a finite state machine
                  model we devised for the purpose of dynamically
                  detecting memory corruption vulnerabilities in
                  implementations of industrial control protocols. },
        URL = {http://www.truststc.org/pubs/314.html}
    }
    

Posted by Julian L. Rrushi on 31 Jan 2008.
For additional information, see the Publications FAQ or contact webmaster at www truststc org.

Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright.