Fuzzing proprietary SCADA protocols

Transcription

1 Fuzzing proprietary SCADA protocols Sergey Bratus Black Hat 2008 INSTITUTE FOR SECURITY TECHNOLOGY STUDIES Cyber Security and Trust Research & Development

2 Fuzzing SCADA Ganesh Devarajan (TippingPoint) DNP3 module for Sulley the fuzzer (BH 07, Amini & Portnoy) BH 07 talk caused much media stir Digital Bond's ICCPSic test tools released to subscribers who are vetted asset owners...will crash vulnerable ICCP servers. Image Image SecuriTeam's bestorm DNP3 fuzzer crashed Wireshark's parser Mu Security's hardware fuzzer,...

3 TCIP Project

4 Kinds of fuzzing Generation-based: input created from models (knowledge) of: protocol specs (SPIKE, Peach, Sulley,...) file formats (SPIKEfile, FileFuzz,...) Mutation-based: input created from samples of traffic/data: packet captures (e.g., the GPF) proxying ongoing communications Requires little knowledge of protocol

5 This...is...SCADA! (1) Proprietary protocol: cannot get specs Luckily, protocol is plain text Access to actual live equipment Isolated test control network Ability to observe and inject packets SCADA: traffic is continual and repetitive Endpoints will keep trying to re-establish connections that went wrong.

6 Protocol blocks? Fuzzer must mimic the protocol well enough to not be rejected outright Purpose of the protocol model Most generation fuzzers use block models Aitel had it had it right with SPIKE -- Sulley How to guess blocks of unknown protocols? Just (im)precisely enough to mutate them better than inserting/deleting runs of random or special bytes

7 This...is...SCADA! (2) Distinct, elaborate initial handshake fuzz it to test initial auth code, or let it happen, and fuzz data parsing code Frequent keep-alives / status messages easier to see if target crashed: TCP RSTs back off and let the connection be reestablished, then fuzz again Regular, repeating structure of data packets

8 LZfuzz /Lazy-fuzz/ Guesses blocks ( tokens ) based on repeated occurrence runs a variant of the Lempel-Ziv compression algorithm (cf. GZIP) frequently repeated byte strings end up in a string table seeds the table with likely tokens from packet captures Applies GPF-like mutations to tokens: long byte runs for buffers extra delimiters, bit flips,...

9 LZfuzz Desktop Tokenize & mutate Server Reassemble & send Intercept packets LZfuzz string table Laptop xxx gjhjhgjhgjhg http get put aquire resetxxx gjhjhg http get put aquire rese xxx gj hjhgjhgjhg http get put aquire reset xxx gjhjhgj hgjhg http get put aquire reset xxx g jhg http get put aquire resett

10 LZfuzz is lazy Guessing protocol field boundaries in ICMP

11 ... but it tries INSTITUTE FOR SECURITY MITMs and forwards live communications Standard LAN ARP-poisoning tricks Rewrites packets in transit Reacts to broken connections by backing off and changing fuzzing mode Detects RSTs and repeated SYNs Waits (passes packets unmolested) till normal data exchange resumes Shifts window of fuzzed tokens Must know locations and algorithms of integrity checksums for packet fix-up

12 Components LZfuzz learning LZfuzz tokenizer GPF token fuzzing ARP spoofing: arp-sk libipq ip_forward libnet ip_queue sniffing/ interception IP forwarding/ routing raw sockets injection/ spoofing

13 Misplaced trust in peers You are far too trusting. Unless authenticated and integrity checked with crypto, packets can be modified in transit even if sent by a wellbehaved peer selectively dropped or fragmented by MITM crafted and inserted into the network by an entirely different stack

14 Lessons learned? Vendors' false assumptions? Unauthorized connections the only threat? Making sure connected peers do not emit bad packets is enough? Control network does not allow packet injection or link layer attacks? Control networks need anti-injection measures more than others! IPSec, other VPNs: must know a secret to join (must be an insider) L2 measures, monitoring may help, too

15 Thanks! LZ tokenizer: Perl + GzPF : modified GPF fuzzer (accepts pre-tokenized input and other hints from LZ tokenizer) + MITM scripts (ARP spoofing, libipq, etc.)

16 Contact Information Institute for Security Technology Studies 6211 Sudikoff Laboratory Hanover, NH Phone: Fax: