1. Air Force Institute of Technology
The AFIT of Today is the Air Force of Tomorrow.
PLC Code Protection
Center for Cyberspace Research
Stephen Dunlap
Jonathan Butts, PhD
CCR - The Center for Cyberspace Research
2. What’s the Story?
4. Resources
• Requirements
• Helpful:
5. Static Analysis
Device? We don’t need no stinkin device…
6. Hardware Analysis
But I’ll take it if I can get it…
7. Dynamic Analysis
I don’t always do dynamic analysis, but when I do, I use JTAG…
8. Let’s Do This
Attacks Need:
• Triggers
• Payloads
• Deployment
10. Time Bomb
• Hook regularly executed function
• Count executions
[Figure: jump instruction before modification and after modification]
11. Time Bomb Cont.
• Store a counter in memory
• Load counter and subtract
• Test for zero
• Continue operation if greater
12. Logic Bomb
• Hook jump table for CPU mode change
• Keep track of changes for specific sequence
[Figure: CPU mode changes among RUN, REM PROG, PROG and REM RUN]
13. Remote Commands
• Hook CIP command handler jump table
14. Remote Commands Cont.
• Check for custom service and instance
16. Soft DoS
• Endless loop causes recoverable fault
• Fault shutdown routine
17. Persistent DoS
• Write value to flash
• Fault if value exists
• Exploit Flash Writing Function
• R0 – Destination address
• R1 – Source Address
• R1 – Data Length
Flash end address
18. Where to From Here?
• Traffic Modification
• Modify CIP values
• Propagation
• Persistence
• Implant in bootloader
• Ignore firmware updates
• Modify version number
21. Pivoting Through Router
22. Pivoting Through Router
23. Implications
• Vendor agnostic
• Expensive devices not needed
• Supply chain
• Cost of entry
• Team composition: Two guys
• Time: Approx 3 months
• Money: $3,500
NATION STATE NOT REQUIRED
24. Protection Mechanisms
• Vendor
• Digital Signatures
• Trusted Platform Module
• Integrator
• Source Verification
• Access Control
• Configuration Management
• Asset Owner
• Deep Packet Inspection
• Data Diodes
• Configuration Management
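Added example (not from the presentation): a minimal deep-packet-inspection check for the asset-owner bullet above, aimed at the remote-command slides where a hooked CIP handler looks for a custom service and instance. It parses unconnected EtherNet/IP SendRRData requests and flags any CIP (service, class) pair outside a site baseline; the `BASELINE` values, function names and sample frames are assumptions constructed for illustration.

```python
import struct

SEND_RR_DATA = 0x006F      # EtherNet/IP encapsulation command for unconnected CIP
UNCONNECTED_DATA = 0x00B2  # common packet format item that holds the CIP request
# Assumed site baseline (constructed): (service, class) pairs seen in normal traffic.
BASELINE = {(0x01, 0x01), (0x0E, 0x01), (0x0E, 0xF5), (0x10, 0xF5)}

def parse_path(path):
    """Return (class_id, instance_id) from 8/16-bit logical segments of a CIP path."""
    ids, i = {}, 0
    while i < len(path) and path[i] & 0xE0 == 0x20:   # logical segments only
        wide = path[i] & 0x03                          # 0 = 8-bit value, 1 = 16-bit value
        if wide > 1 or i + 2 + 2 * wide > len(path):
            break
        value = int.from_bytes(path[i + 1 + wide:i + 2 + 2 * wide], "little")
        ids.setdefault(path[i] & 0x1C, value)          # 0x00 = class, 0x04 = instance
        i += 2 + 2 * wide
    return ids.get(0x00), ids.get(0x04)

def inspect_frame(frame):
    """Return an alert string for a malformed or off-baseline request, else None."""
    if len(frame) < 24:
        return "truncated encapsulation header"
    command, length = struct.unpack_from("<HH", frame, 0)
    body = frame[24:24 + length]
    if command != SEND_RR_DATA:
        return None
    if len(body) != length or length < 8:
        return "malformed SendRRData body"
    off = 8                                            # skip interface handle, timeout, count
    for _ in range(struct.unpack_from("<H", body, 6)[0]):
        if off + 4 > len(body):
            return "malformed item list"
        item_type, item_len = struct.unpack_from("<HH", body, off)
        data, off = body[off + 4:off + 4 + item_len], off + 4 + item_len
        if item_type != UNCONNECTED_DATA:
            continue
        if len(data) < 2 or len(data) < 2 + 2 * data[1]:
            return "malformed CIP request"
        cls, inst = parse_path(data[2:2 + 2 * data[1]])
        if (data[0], cls) not in BASELINE:
            return f"off-baseline CIP service 0x{data[0]:02X} class={cls} instance={inst}"
    return None

def build_frame(service, path):
    """Build a constructed sample SendRRData request (test input, not captured traffic)."""
    cip = bytes([service, len(path) // 2]) + path
    body = struct.pack("<IHHHHHH", 0, 0, 2, 0, 0, UNCONNECTED_DATA, len(cip)) + cip
    return struct.pack("<HHII8sI", SEND_RR_DATA, len(body), 1, 0, bytes(8), 0) + body
```

In practice the baseline would be learned from the plant's own traffic during commissioning and kept under the same configuration management as the controller firmware.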
25. Thank You