A malware detection method using satisfiability modulo theory model checking for the programmable logic controller system
I. Abstract
This paper proposes a PLC malware detection method based on model checking. PLC malware is highly customized to its target, so it is difficult to extract generic patterns with which to detect it. Our SMT-based model can handle the characteristics of PLC systems, such as nondeterministic input signals and edge detection. Second, for the malware detection problem, we propose two methods of generating detection rules: invariant extraction and rule design patterns. The former extracts invariants from the original program; the latter lowers the barrier for users who design detection rules. Finally, we implemented a prototype and evaluated it in three representative ICS scenarios. The evaluation results show that the proposed method successfully detects malware following four attack patterns.
II. Model design
In this paper, we propose a satisfiability modulo theories (SMT) model checking method to detect PLC malware.
- The first stage is detection rule generation. To detect malware, we need to define a whitelist or a set of rules. In our scheme this work is done by the engineers of the target control system. The rules are expressed as temporal logic formulas.
- The second stage is PLC modeling. Our target is the PLC together with the field control system, so we model their behavior from the internal code. Whenever a target is to be checked, we must extract the bytecode from the target PLC and generate a constraint-based model (in smv format) as the input of the model checker.
- Once the model has been generated, we can verify whether it satisfies the rules. The nuXmv model checker is used to perform the detection. If the model fails to satisfy one of the rules, a violation of normal behavior has occurred and malware is detected.
III. Implementation details
(1) Generating detection rules
1. Invariant extraction
The first method is to extract invariants automatically from the original PLC program. The original program is the program written by the engineers and downloaded to the PLC, and it can be regarded as trustworthy. Although the original program may exist in several different versions (because of system evolution or code modification), these versions should share some common behavior [19]. For example, they should follow the same safety requirements. An invariant of one of these programs can express part of that common behavior as a detection rule. In practice, we use the program stored on the engineering workstation as the original program and the program running on the PLC as the target.
2. Rule design patterns
The second method is rule design patterns, which guide engineers in defining detection rules. A design pattern is a template described with an LTL formula. Engineers need only focus on rule design rather than on the details of the LTL formula. The patterns should be simple enough for engineers to understand, and they should also cover attack strategies.
(2) SMT-based PLC modeling
SMT model checking can be seen as an extension of SAT-based model checking in which first-order logic replaces propositional logic. Bounded model checking (BMC) and unbounded model checking (UMC) are the two main approaches to SMT model checking.
In SMT-based model checking, we need to construct constraints for the model and then solve them. Modern model checkers such as NuSMV and nuXmv support constraint-based modeling, which helps to model nondeterministic input sequences and initial states.
In this paper we choose nuXmv to model the system and check the rules. nuXmv is a new symbolic model checker that supports SMT model checking with several BMC techniques.
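As an added example that is not the paper's prototype output or its own model, the following hand-written nuXmv model covers both section III(1) and section III(2): a constructed one-pump control loop with nondeterministic field inputs and an STL-style edge memory bit, plus detection rules written as LTL properties, one in the role of an extracted invariant and two instantiated from design patterns. All variable names (start_btn, level_high, pump, run_timer) and the rung logic are assumptions made for the illustration.

```smv
-- Added illustration (not generated by the paper's prototype): a nuXmv
-- model of a constructed one-pump control loop, with detection rules
-- expressed as LTLSPEC properties.
MODULE main
  VAR
    -- Field inputs are left unassigned, so nuXmv treats them as
    -- nondeterministic in the initial state and in every scan cycle.
    start_btn  : boolean;   -- operator start button (constructed input)
    level_high : boolean;   -- tank high-level interlock (constructed input)
    -- Internal state of the PLC program.
    start_prev : boolean;   -- edge memory bit behind an STL FP instruction
    pump       : boolean;   -- output coil driving the pump
    run_timer  : 0..5;      -- scan counter standing in for a TON timer
  DEFINE
    -- Rising-edge detection: true only in the first scan the button is high.
    start_edge := start_btn & !start_prev;
  ASSIGN
    init(start_prev) := FALSE;
    init(pump)       := FALSE;
    init(run_timer)  := 0;
    -- The edge memory remembers the input sampled in the previous scan.
    next(start_prev) := start_btn;
    -- Rung order matters: the interlock and the timer override the start edge.
    next(pump) := case
      level_high     : FALSE;   -- interlock rung: never run on high level
      run_timer = 5  : FALSE;   -- timer rung: a run lasts at most 6 scans
      start_edge     : TRUE;    -- start rung: a rising edge latches the pump
      TRUE           : pump;    -- otherwise hold the coil
    esac;
    next(run_timer) := case
      !pump          : 0;
      run_timer < 5  : run_timer + 1;
      TRUE           : run_timer;
    esac;

  -- Rule 1: an invariant of the trusted original program (section III(1)).
  -- A copy whose interlock rung has been removed violates it, and nuXmv
  -- then reports an input sequence that reaches the violation.
  LTLSPEC G (level_high -> X !pump)

  -- Rule 2: "response" design pattern G (trigger -> X response),
  -- instantiated for the start rung when the interlock and timer are clear.
  LTLSPEC G ((start_edge & !level_high & run_timer < 5) -> X pump)

  -- Rule 3: "bounded run" design pattern: the pump never stays on forever.
  LTLSPEC G (pump -> F !pump)
```

Checked with nuXmv in BMC mode (nuXmv -bmc -bmc_length 20 model.smv), none of the three rules yields a counterexample up to the bound; a variant that drops the interlock rung produces a counterexample trace for Rule 1.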
IV. Summary
Our model integrates the program and the process, which reduces false positives. Most other works take source code as input; our method can analyze binaries and therefore detect malware directly. In addition, we decompile the binary into STL so as to support programs written in other languages (LAD and SCL are supported in the evaluation). By using SMT-based model checking, our method can handle Boolean, integer, and floating-point data types and supports modeling of timers, counters, and functions, so that the exact behavior of the system can be modeled. Unlike other works, we provide invariant extraction to generate detection rules automatically, from which users benefit. These improvements make malware detection practical for users.
Our target is malware that tampers with PLC control logic in order to attack physical equipment; we also note that other types of PLC malware exist. Some PLC malware does not attack the system but acts as a backdoor, infiltrating the system and spreading as a worm. Some PLC malware tampers with the firmware rather than the control logic in order to carry out low-level covert attacks. To detect such malware, we will combine our method with firmware and network traffic analysis techniques.
This paper proposes a PLC malware detection method based on SMT model checking. We give formal definitions of PLC model checking, PLC programs, and industrial processes. The problem with PLC model checking is that one would have to enumerate all possible input signal sequences to construct a state transition graph. We instead model the system with SMT constraints in place of a state transition graph and check properties with an SMT model checker. The advantage of this approach is that it can handle nondeterministic input signals. We also propose two methods, invariant extraction and rule design patterns, to reduce the difficulty of designing detection rules.
References
1. Berger H. Automating with STEP 7 in STL and SCL: Programmable Controllers SIMATIC S7-300/400. Hoboken, NJ: John Wiley & Sons; 2012.
2. Beresford BD. Exploiting Siemens SIMATIC S7 PLCs. Black Hat. 2011.
3. Klick J, Lau S, Marzin D, Malchow JO, Roth V. Internet-facing PLCs as a network backdoor. Commun Netw Sec. 2015:524-532.
4. Gjendemsjø M. Creating a Weapon of Mass Disruption: Attacking Programmable Logic Controllers (Master's thesis). Norwegian University of Science and Technology; 2013.
5. Tzokatziou G, Maglaras L, Janicke H. Insecure by design: using human interface devices to exploit SCADA systems. Paper presented at: Proceedings of the 3rd International Symposium for ICS & SCADA Cyber Security Research; 2015:103-106; BCS Learning & Development Ltd.
6. Milinković SA, Lazić LR. Industrial PLC security issues. Paper presented at: Proceedings of the 2012 20th Telecommunications Forum (TELFOR); 2012:1536-1539; IEEE.
7. Falliere N, Murchu LO, Chien E. W32.Stuxnet Dossier. Technical report, Symantec Corporation; 2011.
8. Vávra J, Hromada M. An evaluation of cyber threats to industrial control systems. Paper presented at: Proceedings of the International Conference on Military Technologies; 2015:1-5; IEEE.
9. Moser A, Kruegel C, Kirda E. Limits of static analysis for malware detection. ACSAC Comput Sec Appl Conf. 2007:421-430.
10. McLaughlin S, McDaniel P. SABOT: specification-based payload generation for programmable logic controllers. Paper presented at: Proceedings of the 2012 ACM Conference on Computer and Communications Security; 2012:439-449; ACM.
11. Mohan S, Bak S, Betti E, Yun H, Sha L, Caccamo M. S3A: Secure system simplex architecture for enhanced security and robustness of cyber-physical systems. Paper presented at: Proceedings of the 2nd ACM International Conference on High Confidence Networked Systems; 2013:65-74; ACM.
12. John KH, Tiegelkamp M. IEC 61131-3: Programming Industrial Automation Systems. Concepts and Programming Languages, Requirements for Programming Systems, Decision-Making Aids. Berlin, Heidelberg: Springer; 2010.
13. Clarke EM, Grumberg O, Peled DA. Model Checking. Berlin, Heidelberg: Springer; 1997.
14. Biere A, Cimatti A, Clarke EM, Fujita M, Zhu Y. Symbolic model checking using SAT procedures instead of BDDs. Paper presented at: Proceedings of the 1999 Design Automation Conference; 1999:317-320; IEEE.
15. De Moura L, Bjørner N. Satisfiability modulo theories: introduction and applications. Commun ACM. 2011;54(9):69-77. https://doi.org/10.1145/1995376.1995394.
16. Allen FE. Control flow analysis. ACM SIGPLAN Not. 1970;5(7):1-19.
17. McLaughlin SE. On dynamic malware payloads aimed at programmable logic controllers. Paper presented at: Proceedings of the 6th USENIX Workshop on Hot Topics in Security (HotSec); 2011; USENIX.
18. Langner R. A time bomb with fourteen bytes. http://www.langner.com/en/2011/07/21/a-time-bomb-with-fourteen-bytes/; 2011.
19. Beckert B, Ulbrich M, Vogel-Heuser B, Weigl A. Regression verification for programmable logic controller software. Paper presented at: Proceedings of the International Conference on Formal Engineering Methods; 2015:234-251; Springer.
20. Huuck R. Semantics and analysis of instruction list programs. Electr Notes Theoret Comput Sci. 2005;115:3-18. https://doi.org/10.1016/j.entcs.2004.09.026.
21. Biallas S, Brauer J, Kowalewski S. Arcade.PLC: a verification platform for programmable logic controllers. Paper presented at: Proceedings of the 27th IEEE/ACM International Conference on Automated Software Engineering; 2012:338-341.
22. McLaughlin SE, Zonouz SA, Pohly DJ, McDaniel PD. A Trusted Safety Verifier for Process Controller Code. Vol 14. San Diego, CA: NDSS; 2014.
23. Darvas D, Blanco VE, Fernández AB. PLCverif: a tool to verify PLC programs based on model checking techniques. Paper presented at: Proceedings of the 15th International Conference on Accelerator and Large Experimental Physics Control Systems; 2015:911-915.
24. Spenneberg R, Brüggemann M, Schwartke H. PLC-Blaster: a worm living solely in the PLC. Black Hat Asia. 2016.
25. Abbasi A, Hashemi M. Ghost in the PLC: designing an undetectable programmable logic controller rootkit via pin control attack. Black Hat Europe. 2016:1-35.
26. Garcia L, Brasser F, Cintuglu MH, Sadeghi AR, Mohammed OA, Zonouz SA. Hey, My Malware Knows Physics! Attacking PLCs with Physical Model Aware Rootkit. San Diego, CA: NDSS; 2017.
27. Meng W, Li W, Wang Y, Au MH. Detecting insider attacks in medical cyber-physical networks based on behavioral profiling. Futur Gener Comput Syst. 2018. https://doi.org/10.1016/j.future.2018.06.007.
28. Wang Y, Meng W, Li W, Liu Z, Liu Y, Xue H. Adaptive machine learning-based alarm reduction via edge computing for distributed intrusion detection systems. Concurr Comput Pract Exp. 2019;31(19):1-12. https://doi.org/10.1002/cpe.5101.
29. Yoo H, Kalle S, Smith J, Ahmed I. Overshadow PLC to detect remote control-logic injection attacks. Paper presented at: Proceedings of the 2019 International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment; 2019:109-132; Springer.
30. Keliris A, Maniatakos M. ICSREF: a framework for automated reverse engineering of industrial control systems binaries. Paper presented at: Proceedings of the Network and Distributed Systems Security (NDSS) Symposium; 2019; NDSS.
31. Pavlovic O, Pinger R, Kollmann M. Automated formal verification of PLC programs written in IL. Paper presented at: Proceedings of the 2007 Conference on Automated Deduction; 2007:152-163; CADE.
32. Schlich B, Brauer J, Wernerus J, Kowalewski S. Direct model checking of PLC programs in IL. IFAC Proc Vol. 2009;42(5):28-33.
33. Darvas D, Adiego BF, Vörös A, Bartha T, Viñuela EB, Suárez VMG. Formal verification of complex properties on PLC programs. Paper presented at: Proceedings of the International Conference on Formal Techniques for Distributed Objects, Components, and Systems; 2014:284-299; Springer.
34. Zonouz S, Rrushi J, McLaughlin S. Detecting industrial control malware using automated PLC code analytics. IEEE Secur Priv. 2014;12(6):40-47. https://doi.org/10.1109/MSP.2014.113.
35. Stattelmann S, Biallas S, Schlich B, Kowalewski S. Applying static code analysis on industrial controller code. Paper presented at: Proceedings of the 2014 IEEE Emerging Technology and Factory Automation (ETFA); 2014:1-4; IEEE.
36. Malchow JO, Marzin D, Klick J, Kovacs R, Roth V. PLC Guard: a practical defense against attacks on cyber-physical systems. Paper presented at: Proceedings of the 2015 IEEE Communications and Network Security (CNS); 2015:326-334; IEEE.