ArticlePDF Available
DFRWS 2023 EU - Selected papers of the Tenth Annual DFRWS Europe Conference
Towards generic memory forensic framework for programmable logic
controllers
*,**
Rima Asmar Awad
a
,
*
, Muhammad Haris Rais
c
, Michael Rogers
b
, Irfan Ahmed
c
,
Vincent Paquit
a
a
Oak Ridge National Laboratory, Oak Ridge, TN, 37830, USA
b
Tennessee Technological University, Cookeville, TN, 38505, USA
c
Virginia Commonwealth University, Richmond, VA, 23284, USA
article info
Article history:
Keywords:
CPS forensics
Memory forensics
JTAG
SCADA
PLC
ICS
Embedded devices
abstract
A Programmable Logic Controller (PLC) is a microprocessor-based controller that is used to automate
physical processes in critical infrastructure and various other industries and manufacturing sectors.
Initially, PLCs were completely isolated from the Internet, and cyber security was not incorporated at the
time of development. The introduction of industry 4.0 and the evolution of ICS systems to communicate
over public IP addresses from the Internet enhanced productivity and efciency, but Internet
connectivity exposed the systems and their vulnerabilities, which led to an increase in cyber attacks.
When a system is sabotaged/compromised, security analysts need to get to the root cause of the attack as
quickly as possible to recover the system. To do so, memory forensic analysis is critical to provide a
unique insight into the run-time memory activities and extract a reliable source of evidence. In this
paper, we analyze the memory structure of the Schneider Electric Modicon M221 PLC. To build a memory
prole, we reverse engineer the communication protocol and conduct differential analysis to gain
knowledge about the structure of the memory and the low-level representation of control logic in-
structions. We then identify dynamic and static memory regions by modifying different project elds and
conducting differential analysis, which allows us to identify boundaries of critical memory structures and
extract important forensic artifacts that can be found in the memory. The Python implementation of the
memory prole can help reduce the time and effort required for manual analysis in case of cyber incident
or system failure.
©2023 The Author(s). Published by Elsevier Ltd on behalf of DFRWS This is an open access article under
the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/).
1. Introduction
Programmable Logic Controllers (PLC) play a vital role in in-
dustrial control systems and many other manufacturing sectors.
PLCs are used to automate industrial processes by collecting input
data from eld devices such as sensors, processing the data, and
then sending commands to actuator devices such as motors
(Ahmed et al., 2016). The PLCs memory code (control logic) exe-
cutes in cycles, in which each cycle reads input from multiple re-
sources, executes the control logic instructions to calculate the
output, and then sends that output to the physical process in the
form of analog or digital signals. PLC's have been in use since the
early 1970s as the means for monitoring, and remotely controlling
geographically distributed physical processes such as water treat-
ment and distribution, oil and gas pipelines, and electrical power
transmission and distribution. As microprocessors, personal com-
puters and networking technology evolved over time, industrial
control systems incorporated these advances in technology.
However, PLC operations are still typically sent via insecure
proprietary network protocols that can be easily reverse-
*
This manuscript has been authored by UT-Battelle, LLC, under contract DE-
AC05-00OR22725 with the US Department of Energy (DOE). The US government
retains and the publisher, by accepting the article for publication, acknowledges
that the US government retains a nonexclusive, paid-up, irrevocable, worldwide
license to publish or reproduce the published form of this manuscript, or allow
others to do so, for US government purposes.
**
DOE will provide public access to these results of federally sponsored research
in accordance with the DOE Public Access Plan (http://energy.gov/downloads/doe-
public-access-plan).
*Corresponding author.
E-mail address: awadrl@ornl.gov (R.A. Awad).
Contents lists available at ScienceDirect
Forensic Science International: Digital Investigation
journal homepage: www.elsevier.com/locate/fsidi
https://doi.org/10.1016/j.fsidi.2023.301513
2666-2817/©2023 The Author(s). Published by Elsevier Ltd on behalf of DFRWS This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/
licenses/by-nc-nd/4.0/).
Forensic Science International: Digital Investigation 44 (2023) 301513
engineered by attackers, which allows them to create open-source
APIs and develop tools that can be used for malicious purposes
(Senthivel et al., 2017,2018). Due to their critical role and lack of
security mechanisms, PLCs are often an easy target for cyber-
attacks that leads to sabotaging physical processes and the
destruction of critical infrastructure. Despite increasing attention to
PLC security, integrating security into PLCs remains difcult as they
are intended to be simple input/output machines with determin-
istic behavior and limited resources (Ahmed et al., 2012). For
example, although a layer of encryption has been added to new
communication protocols, those protocols can provide secure
communication to new products and are not supported by legacy
devices, leaving them vulnerable to attacks.
The lack of security in PLCs also allows attackers to maliciously
modify both the rmware and control logic programs (Qasim et al.,
2022;Ayub et al., 2021;Zubair et al., 2022a). Once an intruder
reverse-engineers and modies the device's rmware, with proper
access, the intruder can download it to the device. Similarly, an
attacker can access control logic on the device and modify it. Even
worse, a sophisticated attacker with minimal knowledge about the
physical process, can craft malicious control logic, and download it
to the PLC after bypassing authentication (Kalle et al., 2019). In
another scenario, memory code injection attacks can bypass
network intrusion detection systems and deliver malicious control
logic to the target device's memory. To avoid detection, the attacker
can write the malicious instructions to a memory segment other
than the code segment, which is possible due to the lack of write/
execution protection in PLC memory (Yoo et al., 2019a). Conducting
armware modication attack is not easy because it requires the
attacker to have extensive knowledge about the target PLC's
hardware components and bypass software whitelisting. Therefore,
control logic injection attacks are more likely to launch because
they are easier to achieve and harder to detect.
Memory forensic analysis is crucial to help answer forensic
questions following an attack or a system failure (Davis et al., 2022;
Ahmed et al., 2015;Bhatt and Ahmed, 2018). However, in industrial
control systems, conducting forensic analysis is a tedious and time-
consuming process due to heterogeneous hardware architectures
and proprietary rmware/communication protocols, which make it
challenging to employ a unied framework for all PLC memory
forensics (Awad et al., 2018). A methodology that describes the
process of analyzing the memory of PLCs that share similar hard-
ware components will provide valuable information to the forensic
analyst, and reduce the effort and time needed to accomplish this
task manually. Reduced analysis timewill result in a faster response
to a cyber-attack or a system failure.
In this paper, we use differential analysis to understand the
layout of the Modicon M221 memory and use the acquired
knowledge to build a memory prole for the M221 PLC. We use the
memory prole to extract important forensic artifacts including the
control logic, the metadata le, and the data blocks. We then
evaluate the effectiveness of our methodology by simulating a
trafc light control logic manipulation and extracting memory
forensic artifacts that present evidence about the incident.
The rest of the paper is organized as follows. Section 2covers
background and related works, section 3presents the memory
analysis methodology, section 4presents an evaluation of the
memory analysis followed by a discussion and future work in sec-
tion 5, and nally section 6concludes the paper.
2. Background &related work
In this section, we present an overview of PLCs, their basic
components, and their protocols. In addition, we go over the cur-
rent state of the art in the realm of PLC memory forensics.
2.1. Background
The PLC has revolutionized the automation and manufacturing
processes. Today, PLCs maintain the same core functionality and
simplicity that originally made them so popular with manufac-
turers. However, because of the continued advancement in pro-
cessor and memory technology, PLCs continue to shrink in size and
increase in power and speed. These technological advancements
have led to new capabilities, including support for multiple
communication protocols. Modern PLCs also seamlessly integrate
with powerful machine monitoring software and supervisory
control and data acquisition (SCADA) systems and thus provide
new ways for manufacturers to drive improvements to their oper-
ations' efciency and performance through machine data analysis.
To accomplish monitoring and automation tasks, the PLC's memory
code (control logic) executes in cycles, where it reads input from
multiple resources, then executes the control logic instructions to
calculate the output that is, then, sent to the physical process in the
form of signals. PLCs have been in use since the early 1970s as the
means for monitoring, and remotely controlling, geographically
widely distributed processes such as water treatment and distri-
bution, oil and gas pipelines, and electrical power transmission and
distribution.
2.1.1. PLC components
A typical PLC consists of basic interconnected components that
work together to allow the controller to accept inputs from various
sensors, make logical decisions as programmed, and control out-
puts such as starters of motors, solenoids, drives, and valves. As
shown in Fig. 1 a typical PLC is made up of the following:
Power Supply: This unit supplies the required power to the
components in the control panel by switching from 120VAC to
24VDC.
Processor: The processor module contains the microprocessor
that performs control functions and computations, as well as the
memory required to store the program.
Input/Output (I/O): I/O modules provide the means of con-
necting the processor to the eld devices and can be either digital
or analog.
Memory: The part of the PLC that stores data, programs, and
information. The process of adding new information into memory
is called writing, and the process of retrieving information from a
memory location is called reading. PLCs usually have both volatile
and non-volatile memory to store various types of data.
2.1.2. Communication protocols
A protocol is a set of rules that regulates communication among
networked devices. In PLCs, communication protocols are needed
to communicate with remote I/O devices, remote control devices,
Fig. 1. PLC components.
R.A. Awad, M.H. Rais, M. Rogers et al. Forensic Science International: Digital Investigation 44 (2023) 301513
2
and engineering software. In their infancy, PLC protocols used to be
proprietary, with each manufacturer having its own closed pro-
tocols. However, modern, open protocols, such as Modbus, estab-
lish the rules for data transmission, although proprietary
communication methods are still used by many vendors. Because
proprietary protocols support programming software to get access
to the physical memory of PLCs, they have been studied and
reverse-engineered by both academia and industry. Consequently,
knowledge acquired from analyzing a protocol can be used as an
important tool for memory forensic artifact acquisition.
2.2. Related work
Awad et al. (2018) present a survey on the published forensics
methodologies and frameworks applied to SCADA systems. The
authors demonstrate a gap in the forensics of end-point devices in
CPS, especially for the live forensics and acquiring root cause evi-
dence at run time.
Ahmed et al. (2017) presented the opportunities for network-
level and device-level attacks on PLCs and the forensic tools and
methodologies that can help investigate those attacks. The paper
also highlighted the forensic challenges that include proprietary
and closed-source rmware and inadequate PLC network forensic
tools.
Chow et al. (Chow and Chan) also discuss various possible attack
scenarios, and identied important logging information available in
the Siemens TIA portal, PLC diagnostic buffer, and Human Machine
Interface (HMI) module. The information is useful during forensic
investigations.
Many research efforts are focused on extracting and analyzing
PLC rmware (Zhu et al., 2017;Basnight et al., 2013;Mulder et al.,
2012). Although the rmware analysis can provide valuable
forensic artifacts, the current state of the PLC including the control
logic and input/output data states cannot be found through rm-
ware analysis.
A few recent works focused on control logic modeling/veri-
cation that acts as a cyber-physical security intrusion detection
engine to detect malicious code injection attempts or the modeling
of runtime PLC control logic behavior, to detect abnormal behaviors
(Zonouz et al., 2014;Garcia et al., 2016;Xie et al., 2022).
Wu et al. (Wu and Nurse, 2015) uses PLC debugging tools such as
PLC Logger to acquire and utilize PLC memory data. However, this
approach is restricted to specic PLC models from Siemens. Denton
et al. (2017) investigate General Electric's proprietary protocol, GE-
SRTP, to enable direct interaction with G.E PLC. The authors
demonstrated the capability to modify the control logic through
their tool using access memory registers.
Sushma et al. (Kalle et al., 2019) and Qasim (Qasim et al., 2019,
2020) extracted the PLC control logic by analyzing the network
trafc between the PLC and the engineering software.
Awad et al. (2019) discusses memory acquisition techniques
available in IT eld and the possibility of applying them to SCADA
end-point devices. The authors attempted to obtain the entire
memory of M221 PLC through the communication protocols and
via JTAG port. The memory acquisition via JTAG was not successful
because the JTAG pins were disabled by the manufacturer. Zubair
et al. (2022b) proposed a framework to remotely acquire a PLC
memory. The authors append a small code to the control logic that
would execute and read the memory contents from areas that are
not authorized for reading through a network protocol. While this
work analysis portions of acquired memory, it focuses on memory
extraction and not on actual memory analysis.
Yoo et al. (2019b) proposed a technique to identify control logic
attacks by creating and updating a local copy of the current
memory state using the network communication. They employ 42
unique features of the control logic and employed a classication
algorithm to identify malicious control logic injections or
modications.
Rais et al., 2021,2022 acquired the memory of AlleneBradley
Control Logix 1756 PLC through the JTAG interface available on
the PLC, and proposed a differential analysis-based framework to
extract forensic artifacts from the memory dump. The extracted
artifacts include PLC rmware, control logic, input, and output pin
states, and PLC operational parameters, however, the approach
require a PLC for the prole generation. Although this work is the
most relevant to the work presented in this paper, our approach
does not require a PLC to identify data structures in memory dump,
and it can be used on any device of the same model regardless of
the project or environment it is used in.
The existing literature focuses on identifying control logic at-
tacks, rmware reverse engineering, and intrusion detection.
Forensic artifacts are necessary to identify the root cause of
abnormal behavior and answer important questions about the
attack, such as how and when the attack happened, who was
involved, and what the attack targeted. Our study focuses on
extracting forensic artifacts, to help answer those questions.
3. Memory forensic analysis of M221 PLC
In this section, we acquire the memory of the M221 PLC after
reverse engineering the communication protocol. To build a
memory prole, we use pointers found in conguration blocks to
identify the essential memory and structures that contain impor-
tant forensic artifacts and characterize the state of PLC.
3.1. Modicon M221 PLC
The Schneider Electric Modicon M221 Logic Controller, designed
to control basic automation for machines, has 9 digital inputs, 2
analog inputs, and 7 relay-type digital outputs. The M221 PLC has a
32-bit micro-controller (Renesas RX630) that operates at 100 MHz
and supports both serial and Ethernet communication. The PLC
uses a Modbus encapsulated proprietary protocol and is cong-
ured/programmed with the EcoStruxure Machine Expert - Basic
software which supports the following IEC 61131e3 programming
languages:
!Instruction List: Low-level textual language that resembles
assembly
!Ladder Diagram: Graphical programming language that mimics
physical circuits, and consists of vertical rails (supply power)
and as many rungs(horizontal lines) as needed to represent
control circuits.
!Grafcet ListSFC: A standardized graphical specication language
for the design of a controller's dynamic behavior.
The memory of M221 PLC consists of two types:
!Volatile: The Random-access memory (RAM) has a size of 512
kbytes of which 256 kbytes are used for internal variables and
256 kbytes for application and data. The RAM memory is used to
execute the application and contains data needed at runtime.
!Non-volatile: This type of memory has a size of 1.5 Mbytes, of
which 256 Kbytes is used to back up the application and data in
case of a power outage. Its main use is saving application
backup.
R.A. Awad, M.H. Rais, M. Rogers et al. Forensic Science International: Digital Investigation 44 (2023) 301513
3
3.2. Memory acquisition
In digital forensics, forensic artifacts can either be obtained from
the non-volatile memory image or RAM image. However, to make
the attack concealed, most intruders try to hide the footprints of
the attack by injecting malicious code into RAM without leaving
any traces in the non-volatile memory. The forensic analyst can
take the device ofine to investigate the root cause of the attack,
but the volatile memory will be lost at that point. consequently, the
RAM image provides better results in identifying the malicious
behavior, as all the running instructions must be executed from the
RAM to perform its intended task. ICS protocols have documented
function codes to read specic data types, such as input, output,
counters, and timers, from a live PLC. However, function codes to
acquire the RAM and non-volatile contents are not documented,
and in some cases are not implemented (Ahmed et al., 2017).
Alternatively, a Joint Test Action Group (JTAG) port can be used to
access the entire memory space (Rais et al., 2021;Awad et al., 2019).
However, JTAG memory acquisition is slow and requires physical
access to the device, and manufacturers hide or disable the JTAG
port. Hence, JTAG memory acquisition is typically not practical in a
deployed system. To acquire the full memory of an M221 PLC, we
choose to use protocol function codes, as the entire memory ad-
dresses are protocol mapped (Zubair et al., 2022b).
3.2.1. Protocol reverse engineering
The Modicon M221 uses the UMAS (Unied Messaging Appli-
cation Services) proprietary protocol for communication. UMAS is
based on the well-known Modbus protocol and uses one of the
reserved Function Codes specied in the Modbus Protocol Speci-
cation (Function Code 90 or 0 "5A in hexadecimal) for both request
and reply packets. The UMAS protocol also has its own function
codes that indicate to the PLC how it should handle the message.
Function Codes are only sent in a request messages, while the re-
sponses will include a status indicating success or failure. Fig. 2
describes the communication between the client and the server
via UMAS protocol.
To reverse engineer the UMAS protocol, we used Wireshark to
collect the UMAS trafc while conducting various tasks from the
engineering software. Most importantly, we downloaded and
uploaded control logic to and from the connected PLC. To better
understand the static and dynamic elds in the UMAS packets, we
used the same control logic for download and upload requests. By
conducting differential analysis, we noticed that for the most part,
the data content stays the same, except for the session ID and the
function codes. Fig. 3 shows the request and response packet
format of the 0"28 function code used to read to memory ad-
dresses during a upload request. In a request packet, the starting
address, data block size, and data to be read are specied, and in
response packets, the only information provided is the status of a
request.
Fig. 4 shows an example of an Download request message that
uses function code (0 "29) to write the project from a PC to PLC. In
a request packet, the starting address and data block size of the
obtained physical memory are specied, and a response packet
provides information about the status, the data size, and the data
payload.
After reverse-engineering the protocol, we determined various
Fig. 2. Communication between the client and server.
Fig. 3. UMAS Upload trafc.
R.A. Awad, M.H. Rais, M. Rogers et al. Forensic Science International: Digital Investigation 44 (2023) 301513
4
function codes used for different operations. Table 1 lists some of
the function codes that are used for various purposes, such as
starting the PLC and reading coils, and holding registers. Among
these function codes, the function code (0 "28) is what we used to
read memory.
3.2.2. Memory layout analysis
After acquiring a full memory dump, we began our analysis
process by running Binwalk (a tool for searching a given binary
image for embedded les and executable code) on the memory
dump. We found that Binwalk detects a zip formatted le at
memory address 0 "00d00. After extracting the zip le, we found
that it was the project metadata le. Next, we modied various
parts of the project using the engineering software, such as
inserting a new rung, or mortifying an existing rung, and conducted
a differential analysis to determine changes. We noticed that the
conguration block is always present in download packets and
written to the same address (0xD4FE0100). This block remains the
same when the project does not change. After analyzing the
conguration le, we found that it contains pointers to the start
address and other information about other essential memory
structures. Based on the deferential analysis results, we learned
that the conguration block holds information about a second
conguration le address and its size, the metadata le and its size,
and the data block and its size. Fig. 5 shows the extracted cong-
uration block and the pointers to other memory structures.
Using the information from the previously analyzed congura-
tion block, we extracted the second conguration block and learned
the address and the size of the control logic, the rst conguration
block, and the data block. Fig. 6 shows the second conguration le
with the start address 0 "544F0407.
Fig. 7 illustrates the basic memory structures found in the M221
memory dump and the location of pointers to the data structure's
address. For the purpose of building the M221 memory prole, we
took advantage of the static location of the rst conguration block
and used it to learn the location of other memory structures, so we
can extract them and analyze them in a later step.
3.2.3. Forensic artifacts extraction
Digital forensic artifacts are objects that contain data or evi-
dence of something that occurred. For PLC memory forensics,
memory forensic artifacts may include timestamps, control logic,
network information, etc. A full memory dump is always necessary
to understand the memory layout and obtain forensically sound
data. However, after obtaining the memory layout in the previous
step, we notice that the M221 memory has a multitude of padding
data and unused memory spaces. For our purpose, we lter out the
padding data, such as 0X00 and 0xFF, and focus on the essential
memory blocks that contain the forensic artifacts. For the M221, we
found the meaningful addresses to be the following:
!0"00 - 0x1ffff: On chip RAM contains rst conguration block
and PLC network information
!0"7000000 - 0 "707ffff: External RAM contains second
conguration block, metadata le, control logic and data le
!0xfff0000 0 - 0xfff7ffff: On chip ROM contains rmware
3.2.3.1. Metadata le. We initially found the address of the meta-
data le using Binwalk, but we also found pointers to its address in
the rst conguration block. The compressed metadata le, named
Fig. 4. UMAS Download trafc.
Table 1
UMAS function codes.
Function
Code
Details
0"01 INIT_COMM: Initialize a UMAS communication
0"02 READ_ID: Request a PLC ID
0"03 READ_PROJECT_INFO: Read Project Information
0"04 READ_PLC_INFO: Get internal PLC Info
0"06 READ_CARD_INFO: Get internal PLC SD-Card Info
0"24 READ_COIL_REGISTERS: Read coils and holding registers from
PLC
0"28 READ_MEMORY: Read memory blocks
0"29 WRITE_MEMORY: Write to memory blocks
0"40 START_PLC: Starts the PLC
Fig. 5. Pointers in Conguration block to other critical memory blocks.
Fig. 6. Pointers in Conguration block to other critical memory blocks.
Fig. 7. Pointers in Conguration block to other critical memory blocks.
R.A. Awad, M.H. Rais, M. Rogers et al. Forensic Science International: Digital Investigation 44 (2023) 301513
5
entry, is usually located in the external RAM area and begins with
zip le signature bytes:/x50/x4b/x03/x04 as shown in Fig. 8. After
decompressing it, we noticed that it contains information about the
semantics of data objects used in the control logic and project in-
formation as shown in Fig. 9. The metadata le is not necessary for
the control execution, but an attacker can use it to gain knowledge
Fig. 9. Decompressed metadata le.
Fig. 8. Extracted metadata le in zip format.
R.A. Awad, M.H. Rais, M. Rogers et al. Forensic Science International: Digital Investigation 44 (2023) 301513
6
about the physical process controlled by the PLC. Furthermore, an
intruder can overwrite the metadata le with malicious code, so its
absence in a memory dump might indicate tampering.
3.2.3.2. Control logic. Control logic is the PLC program that is usu-
ally written using engineering software and then downloaded to
the PLC. Although engineering software offers more than one
programming language, ladder logic is typical. It mimics circuit
diagrams with rungsof logic read left to right. Each rung repre-
sents a specic action controlled by the PLC, starting with an input
or a series of inputs (contacts) that result in an output (coil). Control
logic runs in cycles and processes input signals to produce output
signals. Our ladder logic program consists of three rungs, each with
two input memory bits, a timer, and an output memory bit. The
program is a simulation of a trafc light such that the green light
stays on for 10s and then turns off, an orange light turns on for 5s,
and then a red light turns on for 10s. Fig. 10 and Fig. 11 shows an
example of PLC control logic in both ladder logic language and in-
struction language.
Control logic can be considered one of the most important
forensic artifact that a forensic investigator should acquire and
analyze at the time of a cyber incident or system failure. To nd the
address of a control logic structure in our memory dump, we use
the pointer reference that we previously found in the second
conguration block. In our project, the control logic structure can
be found at address 0x7CE10107 and its size is 142 bytes. To better
understand the logic and compare it to the code in our engineering
software, we tried decompiling it using the Eupheus decompiler
(Kalle et al., 2019). For the instructions that are not recognized by
the decompiler, we conducted differential analysis, after adjusting
instructions in rungs, to nd the low-level representation of the
ladder logic. Fig. 12 shows the ladder logic that we extracted using
our tool and the translation from RX630 instructions to the
instruction-set language.
3.2.3.3. Project information. We found that the chip RAM has a
Communicationobject that contains information about the de-
vice model, project name and some network information. Fig. 13
shows the information found about the device name, device IP
address, device MAC address, the subnet mask, and the version of
the rmware installed on the device. Project Name: Trafc Light
Device model: M221 TM221CE16R Device IP address:
192.168.1.221 subnet mask: 255.255.255.0 rmware version:
V1.4.0.3.
3.2.3.4. IO data. To communicate with eld devices, a PLC uses I/O
modules to process digital/analog input from input devices and
outputs digital/analog signals to output devices. Because I/O data
controls the behavior of the PLC, an attacker can tamper with the
values to manipulate the physical process. Hence, acquiring the I/O
data is important for forensic analysis. In a previous step, we found
that the start address for the data block is 0 "0 0800107. We used
the start address and the size specied in the conguration block to
extract the data block. Because the data block does not reect any
comments or tags from the engineering software, we again use
differential analysis to gure out the I/O data values in our memory
dump. To accomplish that, we extract the memory of the same
program while the program is running at different points in time.
As seen in Fig. 14, the dynamic values in red represent the I/O
values.
Fig. 10. Control logic in ladder logic language.
R.A. Awad, M.H. Rais, M. Rogers et al. Forensic Science International: Digital Investigation 44 (2023) 301513
7
4. Evaluation: trafc light scenario
To evaluate our memory analysis tool, we use engineering
software to download ladder logic that simulates the trafc light.
Then, we manipulated the ladder logic to light the red and green
lights simultaneously. Though we used the engineering software to
manipulate the code, in a real-life scenario, an attacker can
manipulate the code in the memory without using the engineering
software as demonstrated in (Yoo et al., 2019a) and (Kalle et al.,
2019). We then extracted the control logic memory code, based
on the steps described in section 3.
The ladder logic program consists of three rungs, each with a
timer that controls the time the light will be on. In our scenario, the
source of input signals is memory bits with values that change after
each rung executed as shown in Fig. 15. In the rst rung, the green
light (%Q.0.0) is turned on for 10 s when memory bits %M0 and %M2
are false. In rung two, the orange light (%Q.0.1) is activated for 5 s if
%M2 and %M1 are false. Finally, rung three energized the red light
(%Q.0.2) if %M1 and %M0.
To have both the green and red lights turned on at the same
time, we add an OR”“Normally Open Contactinstruction to the
Greenrung, and we set the input to be (%M0). By doing so, the
green light turns on in two cases: when %M0 and %M2 are false OR
when %M0 is true. Fig. 16 shows the manipulated control logic.
[H] To verify that we can detect control logic manipulation with
our tool, we acquire a memory dump before and after manipula-
tion. We then extract the memory code of the control logic block
from both dumps and compare the two extracted blocks. As seen in
Fig. 17, the instruction injected at the time of manipulation can be
easily noticed (highlighted in yellow): 2206F6700000. After
decompiling the RX630 code, we nd out that it is equivalent to the
IL instruction that we added using the engineering software: OR %
M0.In addition to analyzing the raw memory bytes, the forensic
analyst can also take notes of the size of a code block. Under normal
circumstances, the size of the code block should not change as long
as the PLC is running the same project. When code is injected into
memory, the size of the extracted control logic will most likely
change.
5. Discussion and future work
PLCs were not developed with security in mind, hence, they are
an easy target for cyber attacks. Following a cyber incident, the
forensic analyst needs to get to the root cause of the incident to
recover the system as quickly as possible. Memory forensic artifacts
Fig. 11. Control logic in Instruction Language.
Fig. 12. Control Logic extracted from memory dump.
R.A. Awad, M.H. Rais, M. Rogers et al. Forensic Science International: Digital Investigation 44 (2023) 301513
8
Fig. 13. Communication object from on-chip RAM.
Fig. 14. Data Block with different values at different points of time.
R.A. Awad, M.H. Rais, M. Rogers et al. Forensic Science International: Digital Investigation 44 (2023) 301513
9
provide important information to represent the system state.
However, the diverse architecture and protocols used in PLCs make
it challenging to acquire and analyze PLC memory images. In our
memory analysis methodology, we rely on knowledge acquired by
reverse engineering the communication protocol, and applying
differential analysis to learn about the layout of the memory. Since
the conguration le is always written to the same address, our
approach can be used to analyze the memory of other devices of the
same model. For future work, we aim to automate the detection of
memory blocks and analyze the memory of PLCs from other
vendors.
6. Conclusion
Memory forensic artifacts provide important information to
represent the system state. However, the diverse architecture and
Fig. 15. Control Logic for trafc light.
Fig. 16. Manipulated trafc light control logic: Green turns on while red only is supposed to be on.
R.A. Awad, M.H. Rais, M. Rogers et al. Forensic Science International: Digital Investigation 44 (2023) 301513
10
protocols used in PLCs make it challenging to acquire and analyze
PLC memory images. In this paper, we take a step forward in this
direction and present the memory forensic analysis of Schneider
Modicon M221 PLC. We create a memory forensic prole by iden-
tifying the static conguration block on the device and tracing the
pointers that reference other memory blocks and data structures.
We identify essential memory regions and extract important
forensic artifacts including the control logic and the I/O data. We
evaluate our analysis methodology by simulating a trafc light
attack.
References
Ahmed, I., Obermeier, S., Naedele, M., Richard III, G.G., 2012. Scada systems: chal-
lenges for forensic investigators. Computer 45 (12), 44e51.
Ahmed, I., Roussev, V., Ali Gombe, A., 2015. Robust ngerprinting for relocatable
code. In: Proceedings of the 5th ACM Conference on Data and Application Se-
curity and Privacy, CODASPY 15. Association for Computing Machinery, New
York, NY, USA, pp. 219e229. https://doi.org/10.1145/2699026.2699104.
Ahmed, I., Roussev, V., Johnson, W., Senthivel, S., Sudhakaran, S., 2016. A scada
system testbed for cybersecurity and forensic research and pedagogy. In: Pro-
ceedings of the 2nd Annual Industrial Control System Security Workshop. ICSS
16, Association for Computing Machinery, New York, NY, USA, pp. 1e9. https://
doi.org/10.1145/3018981.3018984.
Ahmed, I., Obermeier, S., Sudhakaran, S., Roussev, V., 2017. Programmable logic
controller forensics. IEEE Security &Privacy 15 (6), 18e24.
Awad, R.A., Beztchi, S., Smith, J.M., Lyles, B., Prowell, S., 2018. Tools, techniques, and
methodologies: a survey of digital forensics for scada systems. In: Proceedings
of the 4th Annual Industrial Control System Security Workshop, pp. 1e8.
Awad, R.A., Lopez, J., Rogers, M., 2019. Volatile memory extraction-based approach
for level 0-1 cps forensics. In: 2019 IEEE International Symposium on Tech-
nologies for Homeland Security (HST). IEEE, pp. 1e6.
Ayub, A., Yoo, H., Ahmed, I., 2021. Empirical study of plc authentication protocols in
industrial control systems. In: 2021 IEEE Security and Privacy Workshops.
SPW), pp. 383e397. https://doi.org/10.1109/SPW53761.2021.00058.
Basnight, Z., Butts, J., Lopez Jr., J., Dube, T., 2013. Firmware modication attacks on
programmable logic controllers. Int. J. Critical Infrastruct. Protect. 6 (2), 76e84.
Bhatt, M., Ahmed, I., 2018. Leveraging relocations in elf-binaries for linux kernel
version identication. Digit. Invest. 26, S12eS20. https://doi.org/10.1016/
j.diin.2018.04.022.
K. Chow, R. Chan, Plc Forensic Analysis: Forensic Traces of Industrial Control System
Attacks.
Davis, M., McInnes, B., Ahmed, I., 2022. Forensic investigation of instant messaging
services on linux os: discord and slack as case studies. Forensic Sci. Int.: Digit.
Invest. 42, 301401. https://doi.org/10.1016/j.fsidi.2022.301401 proceedings of
the Twenty-Second Annual DFRWS USA.
Denton, G., Karpisek, F., Breitinger, F., Baggili, I., 2017. Leveraging the srtp protocol
for over-the-network memory acquisition of a ge fanuc series 90-30. Digit.
Invest. 22, S26eS38.
Garcia, L., Zonouz, S., Wei, D., De Aguiar, L.P., 2016. Detecting plc control corruption
via on-device runtime verication. In: 2016 Resilience Week (Rws).
Kalle, S., Ameen, N., Yoo, H., Ahmed, I., 2019. CLIK on PLCs! Attacking control logic
with decompilation and virtual PLC. In: Proceeding of the 2019 NDSS Workshop
on Binary Analysis Research. BAR).
Mulder, J., Schwartz, M., Berg, M., Houten, J.V., Urrea, J.M., Pease, A., 2012. Analysis
of eld devices used in industrial control systems. In: International Conference
on Critical Infrastructure Protection. Springer, pp. 45e57.
Qasim, S.A., Lopez, J., Ahmed, I., 2019. Automated reconstruction of control logic for
programmable logic controller forensics. In: Lin, Z., Papamanthou, C.,
Polychronakis, M. (Eds.), Information Security. Springer International Publish-
ing, Cham, pp. 402e422.
Qasim, S.A., Smith, J.M., Ahmed, I., 2020. Control logic forensics framework using
built-in decompiler of engineering software in industrial control systems.
Forensic Sci. Int.: Digit. Invest. 33, 301013.
Qasim, S.A., Ayub, A., Johnson, J., Ahmed, I., 2022. Attacking the iec 61131 logic
engine in programmable logic controllers. In: Staggs, J., Shenoi, S. (Eds.), Critical
Infrastructure Protection XV. Springer International Publishing, Cham,
pp. 73e95.
Rais, M.H., Awad, R.A., Lopez Jr., J., Ahmed, I., 2021. Jtag-based plc memory acqui-
sition framework for industrial control systems. Forensic Sci. Int.: Digit. Invest.
37, 301196.
Rais, M.H., Awad, R.A., Lopez Jr., J., Ahmed, I., 2022. Memory forensic analysis of a
programmable logic controller in industrial control systems. Forensic Sci. Int.:
Digit. Invest. 40, 301339.
Senthivel, S., Ahmed, I., Roussev, V., 2017. Scada network forensics of the pccc
protocol. Digit. Invest. 22, S57eS65.
Senthivel, S., Dhungana, S., Yoo, H., Ahmed, I., Roussev, V., 2018. Denial of engi-
neering operations attacks in industrial control systems. In: Proceedings of the
Eighth ACM Conference on Data and Application Security and Privacy, CODASPY
18. ACM, New York, NY, USA, pp. 319e329.
Wu, T., Nurse, J.R., 2015. Exploring the use of plc debugging tools for digital forensic
investigations on scada systems. J. Digit. Forensics Security Law 10 (4), 7.
Xie, Y., Chang, R., Jiang, L., 2022. A malware detection method using satisability
modulo theory model checking for the programmable logic controller system.
Concurrency Comput. Pract. Ex. 34 (16), e5724.
Yoo, H., Ahmed, I., 2019a. Control logic injection attacks on industrial control sys-
tems. In: Dhillon, G., Karlsson, F., Hedstr
om, K., Zúquete, A. (Eds.), ICT Systems
Security and Privacy Protection. Springer International Publishing, Cham,
Fig. 17. Extracted control logic shows the difference between original logic and manipulated logic.
R.A. Awad, M.H. Rais, M. Rogers et al. Forensic Science International: Digital Investigation 44 (2023) 301513
11
pp. 33e48.
Yoo, H., Kalle, S., Smith, J., Ahmed, I., 2019b. Overshadow plc to detect remote
control-logic injection attacks. In: Perdisci, R., Maurice, C., Giacinto, G.,
Almgren, M. (Eds.), Detection of Intrusions and Malware, and Vulnerability
Assessment. Springer International Publishing, Cham, pp. 109e132.
Zhu, R., Zhang, B., Mao, J., Zhang, Q., Tan, Y.-a., 2017. A methodology for determining
the image base of arm-based industrial control system rmware. Int. J. Critical
Infrastruct. Protect. 16, 26e35.
Zonouz, S., Rrushi, J., McLaughlin, S., 2014. Detecting industrial control malware
using automated plc code analytics. IEEE Security &Privacy 12 (6), 40e47.
Zubair, N., Ayub, A., Yoo, H., Ahmed, I., 2022a. Control logic obfuscation attack in
industrial control systems. In: 2022 IEEE International Conference on Cyber
Security and Resilience. CSR), pp. 227e232. https://doi.org/10.1109/
CSR54599.2022.9850326.
Zubair, N., Ayub, A., Yoo, H., Ahmed, I., 2022b. Pem: remote forensic acquisition of
plc memory in industrial control systems. Forensic Sci. Int.: Digit. Invest. 40,
301336.
R.A. Awad, M.H. Rais, M. Rogers et al. Forensic Science International: Digital Investigation 44 (2023) 301513
12
... Programmable logic controller memory forensic analysis is crucial to collecting the artifacts and answering important questions about the incident. Although the memory analysis can be conducted manually [6], it is a tedious, time-consuming task that is prone to human error. Automating forensic artifact identification in a memory dump would significantly decrease the effort and time while enhancing accuracy. ...
... After identifying the target device, the communications protocol function codes are used to obtain memory dumps. The manual analysis method described in [3,6] investigates the hardware and software components of a programmable logic controller to create its memory profile. The memory profile is employed as a reference for memory forensic analysis and forensic artifact identification. ...
... The Modicon M221 programmable logic controller uses the proprietary UMAS protocol for communications. Awad et al. [6] reverse engineered the protocol and discovered that the function code 0x28 reads memory content. A custom Python script was developed to communicate with the programmable logic controller and acquire its memory content with minimal overhead. ...
Chapter
Full-text available
The introduction of Industry 4.0 and Internet-based technologies has enhanced industrial control system operations but have inadvertently increased their vulnerabilities to cyber attacks. When an industrial control system is compromised, security analysts need to identify the root cause quickly to start the recovery process and develop mitigation strategies. Memory forensics is critical in the incident analysis process to ascertain what occurred. Approaches for analyzing the persistent memory in industrial control devices are limited and almost nonexistent for volatile memory. This chapter proposes an automated methodology for programmable logic controller memory dump analysis using computer vision and deep learning techniques. The methodology converts the sequences of bytes in a programmable logic controller memory dump to red-green-blue pix-els and employs a deep learning model that learns the underlying patterns and features of pre-labeled forensic artifacts in images and segments them into distinct regions. The trained model is employed to automatically segment new memory images and identify forensic artifacts. Evaluation of the methodology on a Schneider Electric Modicon M221 programmable logic controller under code injection and code modification attacks demonstrates its ability to detect attack artifacts in memory dumps.
... PLC features include flexible programming, real-time process control, robust communication capabilities, data-driven monitoring and decision-making, and increasing cybersecurity. These features support Industry 4.0 [6] and IoT in industrial settings [7], [8]. ...
... Additionally, Fernández-Álvarez and Rodríguez (2022) shed light on traces present in the memory of the Telegram Desktop Application for Windows, whereas Nissan et al. (2023) employed support vector machines to reconstruct query activities from memory snapshots. Awad et al. (2023) worked on the memory structure of a particular Programmable Logic Controller including forensic artefacts, establishing a research foundation for this progressively vital domain. ...
Article
Cyber-physical systems are being increasingly connected to the physical world, making them attractive targets for cyber-attacks. The consequences of CPS cyber threats are even more drastic in critical infrastructures. This issue has triggered a surge in academic publications in this field within the past decade only. Recognizing the necessity of a comprehensive analysis of academic documents published on this topic, this study intends to conduct a bibliometric analysis of cyber-physical systems cyber security in critical infrastructures. Gathering a total of 1649 documents from the Scopus and Web of Science databases, a performance analysis is first carried out through a set of performance criteria. Then, a scientific mapping is performed based on keyword co-occurrence to visualize the knowledge area for further inference. As a result, seven thematic clusters were discovered and discussed in detail. Furthermore, an agenda for future research is identified based on the results of the bibliometric analysis, providing scope to advance the knowledge area. The outcomes of this study may be used by researchers and cyber security practitioners to have an illuminated and structured view of all the research conducted on cyber-physical systems cyber security in critical infrastructures and identify paths for further investigations on the topic.
Article
Full-text available
Programmable Logic Controllers (PLCs) are indispensable in Critical Infrastructures (CIs) and Industrial Control Systems (ICSs). The increasing demand for enhanced cost-effectiveness and production efficiency has driven automation manufacturers to integrate PLC based applications and systems with external networks, such as Internet. Unfortunately, this connectivity has exposed systems to potential malicious attacks from motivated adversaries. Addressing this pressing issue necessitates a comprehensive summary of ongoing research related to PLCs and their related systems. This summary should classify these systems based on disclosed vulnerabilities, potential threats, and proposed security solutions, catering to both scientists and industrial engineers. While several recent surveys have reviewed and discussed PLC security and related topics, they often fell short of covering all essential aspects comprehensively. Furthermore, prior surveys tended to focus on analyzing vulnerabilities at the system level, overlooking the vulnerabilities specific to PLCs themselves. Consequently, their findings failed to effectively secure current operational systems or propose improved solutions for future PLC designs. In this paper, we bridge this research gap by providing a detailed review of all aspects concerning the security of PLCs and related systems. This includes vulnerabilities, potential attacks, security solutions including digital forensics. We aim to offer a precise analysis, addressing the shortcomings of previous studies. Finally, we conclude the paper by presenting our recommendations tailored for PLC manufacturers, researchers and engineers. We hope that these recommendations will contribute to the development of more secure PLCs in the future.
Article
Purpose: Businesses in all sectors, including the secondary industry, will turn to tech-business analytics as a crucial tool. Tech-Business Analytics' role in the secondary industrial sector is to support companies in making data-driven decisions that optimize their operations, boost productivity, and boost profitability. Businesses may optimize their supply chains by accessing data on suppliers, inventories, logistics, and other aspects to spot inefficiencies and areas for improvement. Organizations can use this information to reduce downtime and boost production to schedule maintenance in advance and predict when machinery and equipment will likely break. Examining data on product flaws, customer complaints, and other aspects can help firms improve their quality control systems by identifying root causes and implementing corrective measures. Studying data on consumer behaviour, industry trends, and other factors can help organizations optimize their sales and marketing activities and find chances for expansion and higher profitability. Design/Methodology/Approach: Businesses can use several processes in the tech-business analytics methodology to help them make decisions based on data in the secondary industry sector. This secondary industry sector can entail enhancing the effectiveness of the supply chain or decreasing equipment downtime. After identifying the issue, the necessary data must be gathered and prepared. Once the data is collected, it must be analyzed using statistical models and other analytical methods. This collected data might entail looking for relationships between multiple variables, spotting trends in consumer behaviour, or predicting outcomes using predictive models. Findings/Result: It is described in the article how tech-business analytics in the secondary industrial sector will have managed the growth itself from its inception to the present. The Tech-Business Analytics technique in the secondary industry sector offers a structured approach to problem-solving using data analysis to assist in better decision-making and improve business outcomes. Originality/Value: Exploring the evolutionary path of business analytics transforms into the advanced realm of technology-driven business analytics within the secondary industry sector. A generic architecture also examines 130 recently published Tech Business Analytics in Secondary Industry sector research projects for technical purposes. Tech-Business Analytics is a new field that applies ICCT-underpinning technologies in Tech-Business Analytics (TBA). TBA is intended to provide businesses with unprecedented opportunities for growth and innovation in secondary industry sectors. Paper Type: Exploratory research.
Preprint
Programmable Logic Controllers (PLCs) are indispensable in Critical Infrastructures (CIs) and Industrial Control Systems (ICSs). The growing demand for enhanced cost-effectiveness and production efficiency has prompted automation manufacturers to integrate PLC based applications/systems with external networks like the Internet. Unfortunately, this connectivity has exposed the systems to potential malicious attacks from motivated adversaries. Addressing this pressing issue requires a comprehensive summary of ongoing research related to PLC applications, categorizing them based on disclosed vulnerabilities, possible threats and potential detection and mitigation solutions for both scientists and engineers. Despite that several surveys have recently reviewed and discussed the security of PLCs or related topics, they all did not fully success in covering all the essential aspects comprehensively. Furthermore, previous surveys focused more on analyzing vulnerabilities at the "system-level" rather than specifically examining the vulnerabilities of PLCs themselves. As a result, their findings couldn't effectively secure current operational systems or suggest improved solutions for future designs. In this paper, we cover exactly this research gap, and provide a concise review of four aspects related to the security of PLCs and their related applications i.e., vulnerabilities, attacks, security solutions and digital forensic. Finally we conclude the paper with our security recommendations for manufacturers, researchers and engineers, hoping to achieve more secure PLC based applications in the future.
Article
Full-text available
Instant messaging applications have gained considerable market share over the past decade and have become one of the most used applications for users worldwide. However, due to the low-barrier to entry and ease of use, these applications (apps) have also garnered the attention of criminals wanting to use the apps to facilitate criminal activities. The memory forensic examination of Discord and Slack on Linux operating system (specifically, Ubuntu 20.04.3 LTS), two popular instant messaging apps, has gone largely unexplored. In this paper, we examined both apps and found data remnants of users’ activities that are of forensic interest. We detected a variety of information including: Slack specific data, Discord specific data, username, emails, passwords, messages, conversations, and uploaded attachments, all of which could be utilized in a forensic investigation.
Article
Full-text available
In industrial control systems (ICS), programmable logic controllers (PLCs) are used to automate physical processes such as nuclear plants and power grid stations, and are often subject to cyber attacks. As in conventional IT domain, the memory analysis of the PLCs can help answer important forensic questions about the attack, such as the presence of malicious firmware, injection of modified control logic (the program running on the PLC), and manipulation of I/O devices (e.g., sensors and actuators). Unlike conventional IT domain, PLCs have heterogeneous hardware architecture, proprietary firmware and control software, making it challenging to employ a unified framework for their memory forensics. For merely extracting artifacts of forensic importance, reverse-engineering the firmware is a tedious task, and the effort needs to be repeated for every PLC model. As a community, a step-wise approach to tackle this challenge is to analyze the memory of specific PLCs, and subsequently find a generic framework applicable to all PLCs. Our work is a step forward in this direction. By following a methodology that focuses on the functional layer of PLCs instead of reverse engineering the firmware, we analyze the digital forensic artifacts available in a common PLC, Allen-Bradley ControlLogix 1756-L61. Before diving into the memory dump, we analyze the PLC control software to create a list of important artifacts that are sure to exist in the PLC memory dump. The approach employs a setup where PLC control software RSLogix-5000 is connected to the PLC, and the memory dump can be obtained as and when needed. We create test cases that sequentially highlight each category of artifacts, followed by an examination of the resultant impact on memory. After attaining the listed artifacts, we employ conventional string and known data searches to extract interesting information present in this PLC's memory. The memory analysis profile, presented as a Python library and shared with the community, can help a forensic investigator to readily extract forensic artifacts from the same model's controller. The adopted approach may help researchers in creating memory profile of other PLCs, and ultimately formulating a generic PLC memory analysis framework.
Article
Full-text available
In industrial control systems (ICS), programmable logic controllers (PLC) are the embedded devices that directly control and monitor critical industrial infrastructure processes such as nuclear plants and power grid stations. Cyberattacks often target PLCs to sabotage a physical process. A memory forensic analysis of a suspect PLC can answer questions about an attack, including compromised firmware and manipulation of PLC control logic code and I/O devices. Given physical access to a PLC, collecting forensic information from the PLC memory at the hardware-level is risky and challenging. It may cause the PLC to crash or hang since PLCs have proprietary, legacy hardware with heterogeneous architecture. This paper addresses this research problem and proposes a novel JTAG (Joint Test Action Group)-based framework, Kyros, for reliable PLC memory acquisition. Kyros systematically creates a JTAG profile of a PLC through hardware assessment, JTAG pins identification, memory map creation, and optimizing acquisition parameters. It also facilitates the community of interest (such as ICS owners, operators, and vendors) to develop the JTAG profiles of PLCs. Further, we present a case study of Kyros implementation over Allen-Bradley 1756-A10/B to help understand the framework's application on a real-world PLC used in industry settings. The sample PLC memory dumps are shared with the research community to facilitate further research.
Conference Paper
Full-text available
Programmable logic controllers (PLCs) run a `control logic' program that defines how to control a physical process such as a nuclear plant, power grid stations, and gas pipelines. Attackers target the control logic of a PLC to sabotage a physical process. Most PLCs employ password-based authentication mechanisms to prevent unauthorized remote access to control logic. This paper presents an empirical study on proprietary authentication mechanisms in five industry-scale PLCs to understand the security-design practices of four popular ICS vendors, i.e., Allen-Bradley, Schneider Electric, AutomationDirect, and Siemens. The empirical study determines whether the mechanisms are vulnerable by design and can be exploited. It reveals serious design issues and vulnerabilities in authentication mechanisms, including lack of nonce, small-sized encryption key, weak encryption scheme, and client-side authentication. The study further confirms the findings empirically by creating and testing their proof-of-concept exploits derived from MITRE ATT&CK knowledge base of adversary tactics and techniques. Unlike existing work, our study relies solely on network traffic examination and does not employ typical reverse-engineering of binary files (e.g., PLC firmware) to reveal the seriousness of design problems. Moreover, the study covers PLCs from different vendors to highlight an industry-wide issue of secure PLC authentication that needs to be addressed.
Article
Full-text available
Identification of operating system kernel version is essential in a large number of forensic and security applications in both cloud and local environments. Prior state-of-the-art uses complex differential analysis of several aspects of kernel implementation and knowledge of kernel data structures. In this paper, we present a working research prototype codeid-elf for ELF binaries based on its Windows counterpart codeid, which can identify kernels through relocation entries extracted from the binaries. We show that relocation-based signatures are unique and distinct and thus, can be used to accurately determine Linux kernel versions and derandomize the base address of the kernel in memory (when kernel Address Space Layout Randomization is enabled). We evaluate the effectiveness of codeid-elf on a subset of Linux kernels and find that the relocations in kernel code have nearly 100% code coverage and low similarity (uniqueness) across various kernels. Finally, we show that codeid-elf, which leverages relocations in kernel code, can detect all kernel versions in the test set with almost 100% page hit rate and nearly zero false negatives.
Conference Paper
Full-text available
In industrial control systems (ICS), attackers inject malicious control-logic into programmable logic controllers (PLCs) to sabotage physical processes, such as nuclear plants, traffic-light signals, elevators, and conveyor belts. For instance, Stuxnet operates by transferring control logic to Siemens S7-300 PLCs over the network to manipulate the motor speed of centrifuges. These devastating attacks are referred to as control-logic injection attacks. Their network traffic, if captured, contains malicious control logic that can be leveraged as a forensic artifact. In this paper, we present Reditus to recover control logic from a suspicious ICS network traffic. Reditus is based on the observation that an engineering software has a built-in decompiler that can transform the control logic into its source-code. Reditus integrates the decompiler with a (previously-captured) set of network traffic from a control-logic to recover the source code of the binary control-logic automatically. We evaluate Reditus on the network traffic of 40 control logic programs transferred from the SoMachine Basic engineering software to a Modicon M221 PLC. Our evaluation successfully demonstrates that Reditus can recover the source-code of control logic from its network traffic.
Chapter
Programmable logic controllers monitor and control physical processes in critical infrastructure assets, including nuclear power plants, gas pipelines and water treatment plants. They are equipped with control logic written in IEC 61131 languages such as ladder diagrams and structured text that define how the physical processes are monitored and controlled. Cyber attacks that seek to sabotage physical processes typically target the control logic of programmable logic controllers.
Article
Nowadays programmable logic controllers (PLCs) are suffering increasing cyberattacks. Attackers could reprogram PLCs to inject malware that would cause physical damages and economic losses. These PLC malwares are highly customized for the target which makes it difficult to extract a general pattern to detect them. In this article, we propose a PLC malware detection method based on model checking. Firstly, we improve the existing modeling method for PLC system by using the Satisfiability Modulo Theory (SMT) constraints to model the PLC system. We also present an algorithm that can transform the PLC program to the model. Our SMT‐based model can deal with the features of the PLC system such as undetermined input signals, edge detection and so on. Secondly, we focus on malware detection and propose two methods, invariant extraction and rule design pattern, to generate detection rules. The former can extract the invariants from an original program, and the latter can lower the bar for user to design detection rules. Finally, we implement a prototype and evaluate it on three representative ICS scenarios. The evaluation result shows that our proposed method can successfully detect the malwares using four attack patterns.