Fuzzing and protocol analysis case-study of DNP3 Adam Crain, Automatak.

Slides:

Advertisements

Similar presentations

Arctic IEC-104 Gateway Jari Lahti, CTO.

Advertisements

Why to learn OSI reference Model? The answer is too simple that It tells us that how communication takes place between computers on internet but how??

An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.

CCNA – Network Fundamentals

Data Communications System By Ajarn Preecha Pangsuban.

Lecture 2 Protocol Layers CPE 401 / 601 Computer Network Systems slides are modified from Dave Hollinger.

Semester Copyright USM EEE442 Computer Networks Introduction: Protocols En. Mohd Nazri Mahmud MPhil (Cambridge, UK) BEng (Essex, UK)

1 K. Salah Module 4.0: Data Link Layer The Logical Link Control (LLC) sublayer –Framing –Flow Control –Error Control The Media Access Control (MAC) sublayer.

Encapsulation Security Payload Protocol Lan Vu. OUTLINE 1.Introduction and terms 2.ESP Overview 3.ESP Packet Format 4.ESP Fields 5.ESP Modes 6.ESP packet.

EE 4272Spring, 2003 Protocols & Architecture A Protocol Architecture is the layered structure of hardware & software that supports the exchange of data.

Data Communications Architecture Models. What is a Protocol? For two entities to communicate successfully, they must “speak the same language”. What is.

1 Diagnostics Project Introduction Matt Morgan. 2 Diagnostic ’ s Project Purpose Develop the Network layer services for diagnostics on CAN for road vehicle.

IP-UDP-RTP Computer Networking (In Chap 3, 4, 7) 건국대학교 인터넷미디어공학부 임 창 훈.

Gursharan Singh Tatla Transport Layer 16-May

CMPT 471 Networking II Address Resolution IPv6 Neighbor Discovery 1© Janice Regan, 2012.

CS 356 Systems Security Spring Dr. Indrajit Ray

Tcipg.org 1 An Alert Buffer Overflow Attack in DNP3 Controlled SCADA Systems Objectives/Problem Investigate a simple but effective attack to block legitimated.

Matt Michael Presentation Overview Motivation DNP3 overview Available decoders Implementation details Example of use of decoder.

DCP COMMAND …bringing two-way communications to your DCPs.

CVSQL 2 The Design. System Overview System Components CVSQL Server –Three network interfaces –Modular data source provider framework –Decoupled SQL parsing.

Network Architecture and Protocol Concepts. Network Architectures (1) The network provides one or more communication services to applications –A service.

© Janice Regan, CMPT 128, CMPT 371 Data Communications and Networking Network Layer ICMP and fragmentation.

Midterm Review - Network Layers. Computer 1Computer 2 2.

January 2009Prof. Reuven Aviv: Firewalls1 Firewalls.

Presentation on Osi & TCP/IP MODEL

Copyright Kenneth M. Chipps Ph.D. PPP Last Update

Network Architecture & Standards

Internet Addresses. Universal Identifiers Universal Communication Service - Communication system which allows any host to communicate with any other host.

TCP/IP Essentials A Lab-Based Approach Shivendra Panwar, Shiwen Mao Jeong-dong Ryoo, and Yihan Li Chapter 5 UDP and Its Applications.

Mukesh N. Tekwani Elphinstone College Mumbai

Department of Electronic Engineering City University of Hong Kong EE3900 Computer Networks Introduction Slide 1 A Communications Model Source: generates.

11 SECURING YOUR NETWORK PERIMETER Chapter 10. Chapter 10: SECURING YOUR NETWORK PERIMETER2 CHAPTER OBJECTIVES  Establish secure topologies.  Secure.

IP Security Lawrence Taub IPSEC IP security — security built into the IP layer Provides host-to-host (or router-to-router) encryption and.

Fundamentals of Computer Networks ECE 478/578 Lecture #19: Transport Layer Instructor: Loukas Lazos Dept of Electrical and Computer Engineering University.

Web Security : Secure Socket Layer Secure Electronic Transaction.

1 The Internet and Networked Multimedia. 2 Layering  Internet protocols are designed to work in layers, with each layer building on the facilities provided.

Next Generation Space Link Protocol – Raison d’etre Greg Kazz Ed Greenberg SLS-SLP WG Fall 2013 CCSDS Meeting - San Antonio, TX, USA.

User Datagram Protocol (UDP) Chapter 11. Know TCP/IP transfers datagrams around Forwarded based on destination’s IP address Forwarded based on destination’s.

1 Transport Protocols Relates to Lab 5. An overview of the transport protocols of the TCP/IP protocol suite. Also, a short discussion of UDP.

IPSec ● IP Security ● Layer 3 security architecture ● Enables VPN ● Delivers authentication, integrity and secrecy ● Implemented in Linux, Cisco, Windows.

William Stallings Data and Computer Communications

Extending ISA/IAG beyond the limit. AGAT Security suite - introduction AGAT Security suite is a set of unique components that allow extending ISA / IAG.

1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Dynamic Host Configuration Protocol (DHCP)

EC week Review. Rules of Engagement Teams selected by instructor Host will read the entire questions. Only after, a team may “buzz” by raise of.

Department of Electronic Engineering City University of Hong Kong EE3900 Computer Networks Protocols and Architecture Slide 1 Use of Standard Protocols.

GBT SCA overview Slide 1-5 Work status Slide 6-10 Shuaib Ahmad Khan.

1 Lecture 13 IPsec Internet Protocol Security CIS CIS 5357 Network Security.

1 Number Theory and Advanced Cryptography 9. Authentication Protocols Chih-Hung Wang Sept Part I: Introduction to Number Theory Part II: Advanced.

Protocol Layering Chapter 11.

CSCI 465 D ata Communications and Networks Lecture 2 Martin van Bommel CSCI 465 Data Communications & Networks 1.

OSI Model. Open Systems Interconnection (OSI) is a set of internationally recognized, non proprietary standards for networking and for operating system.

Overview on Web Caching COSC 513 Class Presentation Instructor: Prof. M. Anvari Student name: Wei Wei ID:

Process-to-Process Delivery:

OSI Model OSI MODEL. Communication Architecture Strategy for connecting host computers and other communicating equipment. Defines necessary elements for.

OSI Model OSI MODEL.

The Transport Layer Implementation Services Functions Protocols

Secure Authentication in the Grid ESORICS, September 2017

Transfer Frame Structures

Chapter 6 Delivery & Forwarding of IP Packets

Next Generation Space Link Protocol – Raison d’etre

TCP Transport layer Er. Vikram Dhiman LPU.

Layers of The ATM Model.

Transport Protocols Relates to Lab 5. An overview of the transport protocols of the TCP/IP protocol suite. Also, a short discussion of UDP.

Chapter 3: Open Systems Interconnection (OSI) Model

Process-to-Process Delivery:

CPEG514 Advanced Computer Networkst

Net 323 D: Networks Protocols

OSI Model OSI MODEL.

Chapter 2. Protocols and Architecture

Chapter 3 Transport Layer

Presentation transcript:

Fuzzing and protocol analysis case-study of DNP3 Adam Crain, Automatak

Developed by Harris Corp, handed over to a vendor- neutral User Group in Many features have been “bolted on”, including security.

Layered Architecture Transport Layer Application Layer Link Layer Application Service Data Unit (ASDU) Typical max size of 2KB semantics == functions + objects Tx segmentation Rx re-assembly of APDUs User code IED/RTU or your SCADA master Adds CRCs and addressing. Error checking and (de) multiplexing.

Application layer messages

Application-layer semantics READ WRITE OPERATE CONFIRM ….. RESPONSE UNSOLICITED FUNCTION CODES OBJECTS Measurements, time sync, file transfer, controls, etc, etc ● ∞ combinations ●multiple types per message ●Some function codes are “function only”

Project Robus Started in April CVEs found via fuzzing Deep study of failure modes in one protocol automatak.com/robus

Focus on serial / masters

DNP3 Fuzzing Test DNP3 Message (DL, TL, or AL) Request Link States Link Status x Num Test Cases Request Response x Num Retry (10)

Common Faults uint32_t count = stop - start + 1; // ← integer overflow F FF FF FF FF Unsolicited Response Group 1 Variation 0 Sizeless?! 4 byte start/stop

Less Common Faults Unexpected function code / object combinations DD C rnd(11) rnd(11) Unsolicited Response Control Relay Output Block 1 byte start/stop ●buffer overrun ●not malformed! ●unexpected objects ●accepts broadcast CROB #1CROB #2

DNP3 Security Transport Layer Link Layer Application Layer Secure Authentication ●Tightly coupled to the DNP3 application layer ●Auth-only ●New functions ●New objects ●2 modes of authentication

Application Layer Complex Parsing Porous Trust Boundary Data is dangerous, intended function matters not. Every time you extend DNP3, you make it less secure. Optional challenges make security state machine overly complex Logging %n%n%n

2 modes of authentication Challenge-response – 2 pass authentication “Aggressive mode” – 1 pass authentication

Aggressive mode message

///// Payload Headers ////Header / Function Issue #1: Aggressive-mode ambiguity ???? You can only tell if this is an aggressive mode request by speculatively parsing the 1 st object header. Ambiguity is dangerous.

Issue #2: Lack of an envelope for HMAC DNP3 headers cannot be “skipped”. They must be parsed sequentially (at least lightly), so that you known where the next one starts. //////////////////////////////////////////// HMACUSER, CSQHeader / Function

“Session key status object” Total size framed by TLV in wrapping header Composed of fixed-size and variable-length subfields Final v-length field is the remainder of the encapsulation.

“Update key change reply” Total size framed by TLV in wrapping header Composed of fixed-size and variable-length subfields Final v-length field is the remainder of the encapsulation AND a length prefix.

What does the spec have to say?

SA Conclusions Prefer a layered approach to SCADA security to that decouples legacy protocol encodings/semantics from security. Design security to address both function and implementation attack surface.

How can langsec help? Critical infrastructure vendors need better tools besides hand-rolled parsers. Standards bodies need the theory/guidance to produce better designs. Protocols need reference implementations to guide their evolution.

Questions?