Abstract
Over the years, Industrial Control Systems (ICS) manufacturers have started embracing the extensive system library support provided by control logic development software, which eases the development process. However, the runtimes that execute the control application do not provide the same level of isolation as an operating system, so an adversary can exploit a vulnerability in an imported library to launch an attack. Identifying and patching vulnerabilities in the control logic of an ICS is not as straightforward as on a personal computer, because devices such as Programmable Logic Controllers (PLCs) have specialized requirements. For instance, these devices may have operated continuously in the field for years without disruptive upgrades. Moreover, the control application logic often executes as a thread of the runtime process, which makes it challenging to locate the vulnerability directly in main memory. In this work, we present a non-intrusive approach for vulnerability localization and selective patching of PLC control binaries while the device is online and controlling parts of critical infrastructure.
More specifically, we start by understanding how a runtime loads control logic, which provides insight into its memory mapping and address resolution. We then use this knowledge to extract and rehost the firmware (runtime) from a test PLC configured identically to the deployed one, and perform concolic execution of the control application using angr. This enables our tool to automatically identify vulnerabilities such as out-of-bounds memory writes and reads, OS command injection, and improper input validation, which are among the most dangerous software weaknesses of 2021. Finally, it localizes each vulnerability by traversing the data dependence graph generated for the control binary and non-intrusively hot-patches it. The technique is non-intrusive, i.e., it does not impact the PLC’s operation and does not require taking it offline, making it suitable for PLC devices that cannot be decommissioned. We will demonstrate the non-intrusiveness of our technique live, in a lab environment, on PLCs running control logic for parts of various critical infrastructure sectors.
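The localization step described above, as an added illustration that is not the authors' tool: a backward walk over a hand-constructed data dependence graph, from a sink that concolic execution flagged (here an indexed store) to the untrusted definition whose value reaches it without passing through a bounding operation, which is where a patch would be placed. The graph, the instruction addresses and the operation names are all hypothetical.

```python
from collections import deque

# Constructed DDG for a hypothetical control-logic routine (not a real PLC
# binary).  Keys are hypothetical instruction addresses; "deps" lists the
# instructions whose results each instruction consumes, so walking "deps"
# moves backward from a sink toward the definitions that feed it.
DDG = {
    0x1000: dict(op="recv",  desc="idx = network register (untrusted)", deps=[]),
    0x1004: dict(op="recv",  desc="val = network register (untrusted)", deps=[]),
    0x1008: dict(op="and",   desc="val_masked = val & 0xff",            deps=[0x1004]),
    0x100c: dict(op="shl",   desc="off = idx << 2",                     deps=[0x1000]),
    0x1010: dict(op="store", desc="table[off] = val_masked",            deps=[0x100c, 0x1008]),
    0x1014: dict(op="load",  desc="tmp = table[off]",                   deps=[0x100c]),
}

UNTRUSTED = {"recv"}                  # operations through which external input enters
SANITIZERS = {"and", "clamp", "min"}  # data-flow operations that bound a value

def unsanitized_sources(ddg, sink):
    """Untrusted definitions that reach `sink` along a path with no sanitizer.

    The walk carries a `bounded` flag: once it passes through a sanitizing
    operation, every definition further back on that path is considered safe,
    so only sources with an unbounded path to the sink are reported.
    """
    found, seen, work = set(), set(), deque([(sink, False)])
    while work:
        addr, bounded = work.popleft()
        if (addr, bounded) in seen:
            continue
        seen.add((addr, bounded))
        node = ddg[addr]
        if node["op"] in UNTRUSTED and not bounded:
            found.add(addr)
        bounded_here = bounded or node["op"] in SANITIZERS
        for dep in node["deps"]:
            work.append((dep, bounded_here))
    return found

def localize(ddg, sink):
    """Map a sink flagged by concolic execution (e.g. an out-of-bounds store)
    to its patch points: the untrusted sources whose value reaches it unbounded."""
    return {src: ddg[src]["desc"] for src in sorted(unsanitized_sources(ddg, sink))}
```

For the constructed graph, the store at 0x1010 traces back to the unmasked index read at 0x1000, while the masked value read at 0x1004 is not reported because the `and` bounds it.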