Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Trusted Safety Verifier for Process Controller Code

Published byBlaise Webb Modified over 5 years ago

Similar presentations

Presentation on theme: "A Trusted Safety Verifier for Process Controller Code"— Presentation transcript:

1 A Trusted Safety Verifier for Process Controller Code
Stephen McLaughlin, Saman Zonouz, Devin Pohly, Patrick McDaniel Presented by Xumiao Zhang and Shenghao Lin

2 Overview Programmable logic controller (PLC) Threat model
Trusted Safety Verifier (TSV) PLC code analysis Implementation Evaluation Conclusion

3 Programmable Logic Controller
A Programmable Logic Controller (PLC) is a digital, multi- input multi-output computer used for real-time automation of physical machinery. A PLC’s program is executed continuously as long as the PLC is running.

4 A PLC’s Life Turn left 2˚ Turn left!

5 A PLC’s Life Turn left 2˚ Turn left!

6 A PLC’s Life Not quite... Turn left!

7 A PLC’s Life Not quite... Turn left!

8 A PLC’s Life BINGO! Stop!

9 A PLC’s Life L DW2 ;; Degrees Control Logic < ID255 ST Q 3.2
Control Signal Scan Cycle Sensor Measurements

10 Bad news... Programmable Controllers are insecure by design
Control systems are not robust enough for security patches (i.e. stuxnet)

11 A PLC’s Life ;; Spin out ;; of control! S Q 3.2 Control Logic

12 Safety Properties Bounds on numerical device parameters (e.g. maximum drive velocity and acceleration) Safety interlocks, which ensure physically conflicting events do not occur.

13 Trusted Safety Verifier (TSV)
Goal: Only allow code to be run on a PLC if it satisfies a set of engineer-supplied safety properties.

14 TSV - Challenges Existing tools not up to the task.
Control systems are stateful, requiring temporal properties. State space explosion with existing analysis techniques.

15 TSV - Architecture

16 Sample PLC Code AI 0.5 ;; And input bit 5
=Q 0.1 ;; Store at output bit 1

17 Instruction List Intermediate Language
Side effects PLC special features Architecture dependent

18 Instruction List Intermediate Language
PLC Code

19 Symbolic Execution TSV symbolically executes an ILIL program to produce a mapping from path predicates to symbolic outputs. Symbolic execution follows all possible paths through a single scan cycle of the program. Lump together all inputs that produce that same output.

20 Symbolic Execution - Example
if input > 10 then output input + 6 else output 2 * input + 6 Without symbolic execution, an unsigned integer input can generate 2^32 different states. With symbolic execution, only 2 states. We will see its use later.

21 Symbolic Execution - Expression

22 Checking Temporal Properties
PLCs use stateful variables, which retain their values across the scan cycles. TEG (temporal execution graph) is applied for model checking.

23 Temporal Execution Graph (TEG)
A state machine in which each state transition represents a single scan cycle. Each state in the TEG contains the state and output variables.

24 TEG

25 TEG with Symbolic Execution

26 TSV - A Full Run

27 Conclusion Developed Trusted Safety Verifier (TSV), a trusted verification platform for programmable logic controllers. last-step security verification of control commands Combination of symbolic execution and model checking Implemented a real-world prototype of the TSV framework on an independent Raspberry PI chip with minimal attack surface. Demonstrated performance in checking various properties in control systems

Download ppt "A Trusted Safety Verifier for Process Controller Code"

Similar presentations

Auto-Generation of Test Cases for Infinite States Reactive Systems Based on Symbolic Execution and Formula Rewriting Donghuo Chen School of Computer Science.

Auto-Generation of Test Cases for Infinite States Reactive Systems Based on Symbolic Execution and Formula Rewriting Donghuo Chen School of Computer Science.
Unit 7 Discrete Controllers

Unit 7 Discrete Controllers
Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.

Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.
INTRODUCTION COMPUTATIONAL MODELS. 2 What is Computer Science Sciences deal with building and studying models of real world objects /systems. What is.

INTRODUCTION COMPUTATIONAL MODELS. 2 What is Computer Science Sciences deal with building and studying models of real world objects /systems. What is.
Model Checking. Used in studying behaviors of reactive systems Typically involves three steps: Create a finite state model (FSM) of the system design.

Model Checking. Used in studying behaviors of reactive systems Typically involves three steps: Create a finite state model (FSM) of the system design.
ECE 667 - Synthesis & Verification1 ECE 667 Spring 2011 Synthesis and Verification of Digital Systems Verification Introduction.

ECE Synthesis & Verification1 ECE 667 Spring 2011 Synthesis and Verification of Digital Systems Verification Introduction.
Midterm Wednesday Chapter 1-3: Number /character representation and conversion Number arithmetic Combinational logic elements and design (DeMorgan’s Law)

Midterm Wednesday Chapter 1-3: Number /character representation and conversion Number arithmetic Combinational logic elements and design (DeMorgan’s Law)
Overview The von Neumann Machine - the programmable digital computer Introducing the LC-3 Computer - A “toy” computer for us to learn from Computer machine.

Overview The von Neumann Machine - the programmable digital computer Introducing the LC-3 Computer - A “toy” computer for us to learn from Computer machine.
State Machines Used to Design Sequential Circuits.

State Machines Used to Design Sequential Circuits.
Programming Logic and Design, Introductory, Fourth Edition1 Understanding Computer Components and Operations (continued) A program must be free of syntax.

Programming Logic and Design, Introductory, Fourth Edition1 Understanding Computer Components and Operations (continued) A program must be free of syntax.
School of Computer ScienceG53FSP Formal Specification1 Dr. Rong Qu Introduction to Formal Specification

School of Computer ScienceG53FSP Formal Specification1 Dr. Rong Qu Introduction to Formal Specification
1 KU College of Engineering Elec 204: Digital Systems Design Lecture 20 Datapath and Control Datapath - performs data transfer and processing operations.

1 KU College of Engineering Elec 204: Digital Systems Design Lecture 20 Datapath and Control Datapath - performs data transfer and processing operations.
Design and Analysis of Algorithms

Design and Analysis of Algorithms
Unit 3b Industrial Control Systems

Unit 3b Industrial Control Systems
Formal Techniques for Verification Using SystemC By Nasir Mahmood.

Formal Techniques for Verification Using SystemC By Nasir Mahmood.
Computer Programming-1 CSC 111 Chapter 1 : Introduction.

Computer Programming-1 CSC 111 Chapter 1 : Introduction.
Verification technique on SA applications using Incremental Model Checking 컴퓨터학과 신영주.

Verification technique on SA applications using Incremental Model Checking 컴퓨터학과 신영주.
Cheng/Dillon-Software Engineering: Formal Methods Model Checking.

Cheng/Dillon-Software Engineering: Formal Methods Model Checking.
Computer Organization

Computer Organization
PLC introduction1 Discrete Event Control Concept Representation DEC controller design DEC controller implementation.

PLC introduction1 Discrete Event Control Concept Representation DEC controller design DEC controller implementation.

Similar presentations

Ads by Google