Combating memory corruption attacks on scada devices

IFIP International Federation for Information Processing

Volumn 290, Issue , 2008, Pages 141-156

  Bellettini, Carlo ^a   Rrushi, Julian ^b  

^a UNIVERSITY OF MILAN   (Italy)

^b UNIVERSITY OF ILLINOIS AT URBANA CHAMPAIGN   (United States)

Author keywords

Memory corruption attacks; Modbus protocol; SCADA systems

Indexed keywords

CRYPTOGRAPHY; SCADA SYSTEMS;

ENCRYPTED DATA; EXPERIMENTAL EVALUATION; INDUSTRIAL PROCESSS; LEAST PRIVILEGE; MEMORY CORRUPTION; MEMORY CORRUPTION ATTACKS; MITIGATION TECHNIQUES; MODBUS PROTOCOL;

CRIME;

EID: 55549084566     PISSN: 15715736     EISSN: None     Source Type: Book Series    
DOI: 10.1007/978-0-387-88523-0_11     Document Type: Article

References (44)

1. Aleph One, Smashing the stack for fun and profit, Phrack, vol. 7(49), 1996.
2. S. Alexander, Defeating compiler-level buker overflow protection,; login: The USENIX Magazine, vol. 30(3), pp. 59-71, 2005.
3. Anonymous, Once upon a free(), Phrack, vol. 10(57), 2001.
4. A. Baratloo, N. Singh and T. Tsai, Transparent run-time defense against stack smashing attacks, Proceedings of the USENIX Annual Technical Conference, 2000.
5. A. Baratloo, T. Tsai and N. Singh, libsafe: Protecting critical elements of stacks, White Paper, Avaya, Basking Ridge, New Jersey (pubs.research.avayalabs.com/pdfs/ALR-2001-019-whpaper.pdf), 1999.
6. E. Barrantes, D. Ackley, T. Palmer, D. Stefanovic and D. Zovi, Randomized instruction set emulation to disrupt binary code injection attacks, Proceedings of the Tenth ACM Conference on Computer and Communications Security, pp. 281-289, 2003.
7. C. Bellettini and J. Rrushi, SCADA protocol obfuscation: A proactive defense line in SCADA systems, presented at the SCADA Security Scientific Symposium, 2007.
8. C. Bellettini and J. Rrushi, Vulnerability analysis of SCADA protocol binaries through detection of memory access taintedness, Proceedings of the IEEE SMC Information Assurance and Security Workshop, pp. 341-348, 2007.
9. Bulba and Kil3r, Bypassing StackGuard and StackShield, Phrack, vol. 10(56), 2000.
10. S. Chen, K. Pattabiraman, Z. Kalbarczyk and R. Iyer, Formal reasoning of various categories of widely exploited security vulnerabilities by pointer taintedness semantics, in Security and Protection in Information Processing Systems, Y. Deswarte, F. Cuppens, S. Jajodia and L. Wang (Eds.), Kluwer, Boston, Massachusetts, pp. 83-100, 2004.
11. S. Chen, J. Xu, N. Nakka, Z. Kalbarczyk and R. Iyer, Defeating memory corruption attacks via pointer taintedness detection, Proceedings of the International Conference on Dependable Systems and Networks, pp. 378-387, 2005.
12. S. Chen, J. Xu, E. Sezer, P. Gauriar and R. Iyer, Non-control data attacks are realistic threats, Proceedings of the Fourteenth USENIX Security Symposium, pp. 177-192, 2005.
13. M. Conover and w00w00 Security Team, w00w00 on heap overflows (www.w00w00.org/lles/articles/heaptut.txt), 1999.
14. C. Cowan, M. Barringer, S. Beattie, G. Kroah-Hartman, M. Frantzen and J. Lokier, FormatGuard: Automatic protection from printf format string vulnerabilities, Proceedings of the Tenth USENIX Security Symposium pp. 191-200, 2001.
15. C. Cowan, S. Beattie, J. Johansen and P. Wagle, PointGuard: Protecting pointers from buker overflow vulnerabilities, Proceedings of the Twelfth USENIX Security Symposium, pp. 91-104, 2003.
16. C. Cowan, C. Pu, D. Maier, H. Hinton, P. Bakke, S. Beattie, A. Grier, P. Wagle and Q. Zhang, StackGuard: Automatic adaptive detection and prevention of buker overflow attacks, Proceedings of the Seventh USENIX Security Symposium, pp. 63-78, 1998.
17. I. Dobrovitski, Exploit for CVS double free() for Linux pserver, Neohapsis Archives (www.security-express.com/archives/fulldisclosure/ 2003-q1/0545.html), 2003.
18. Gera and Riq, Advances in format string exploitation, Phrack, vol. 10(59), 2002.
19. iDefense Labs, LiveData Protocol Server heap overflow vulnerability, Sterling, Virginia (labs.idefense.com/intelligence/vulnerabilities/ display.php?id=523), 2007.
20. International Electrotechnical Commission, Telecontrol Equipment and Systems - Part 6-503: Telecontrol Protocols Compatible with ISO Standards and ITU-T Recommendations - TASE.2 Services and Protocol, IEC Publication 60870-6-503, Geneva, Switzerland, 2002.
21. F. Iwanitz and J. Lange, OPC - Fundamentals, Implementation and Application, Huthig, Heidelberg, Germany, 2006.
22. M. Kaempf, Vudo malloc tricks, Phrack, vol. 11(57), 2001.
23. G. Kc, A. Keromytis and V. Prevelakis, Countering code injection attacks with instruction set randomization, Proceedings of the Tenth ACM Conference on Computer and Communications Security, pp. 272-280, 2003.
24. Klog, Frame pointer overwriting, Phrack, vol. 9(55), 1999.
25. A. Krennmair, ContraPolice: A libc extension for protecting applications from heap smashing attacks (synflood.at/papers/cp.pdf), 2003.
26. Modbus IDA, MODBUS Application Protocol Specification v1.1a, North Grafton, Massachusetts (www.modbus.org/specs.php), 2004.
27. L. Mora, OPC exposed: Part I, presented at the SCADA Security Scientific Symposium, 2007.
28. Nergal, Advanced return-into-lib(c) exploits: PaX case study, Phrack vol. 10(58), 2001.
29. N. Nethercote and J. Seward, valgrind: A program supervision framework, Electronic Notes in Theoretical Computer Science, vol. 89(2), pp. 44-66, 2003.
30. NOP Ninjas, Format string technique (julianor.tripod.com/bc/ NN-formats.txt), 2001.
31. D. Novillo, From source to binary: The inner workings of GCC, Red Hat Magazine (www.redhat.com/magazine/002dec04/features/gcc), December 2004.
32. D. Patterson and J. Hennessy, Computer Organization and Design, Morgan Kaufmann, San Francisco, California, 2007.
33. PaX-Team, Documentation for the PaX Project (pax.grsecurity.net/docs), 2008.
34. J. Pincus and B. Baker, Mitigations for low-level coding vulnerabilities: Incomparability and limitations, Microsoft Corporation, Redmond, Washington, 2004.
35. T. Robbins, libformat, 2001.
36. M. Roesch and C. Green, Snort Users Manual 2.3.3, Sourcelre (www.snort.org/docs/snort_manual), 2006.
37. scut and team teso, Exploiting format string vulnerabilities (julianor.tripod.com/bc/formatstring-1.2.pdf), 2001.
38. S. Simmons, D. Edwards and N. Wilde, Securing control systems with multilayer static mutation, presented at the Process Control Systems Forum Annual Meeting (www.pcsforum.org/events/2007/atlanta/documents/ west.pdf), 2007.
39. A. Sovarel, D. Evans and N. Paul, Where's the FEEB? The ekectiveness of instruction set randomization, Proceedings of the Fourteenth USENIX Security Symposium, pp. 145-160, 2005.
40. TIS Committee, Tool Interface Standard (TIS) Executable and Linking Format (ELF) Specification (www.x86.org/ftp/manuals/tools/elf.pdf), 1995.
41. US-CERT, LiveData ICCP Server heap buker overflow vulnerability, Vulnerability Note VU#190617, Washington, DC (www.kb.cert.org/vuls/id/ 190617), 2006.
42. US-CERT, Takebishi Electric DeviceXPlorer OPC Server fails to properly validate OPC server handles, Vulnerability note VU#926551, Washington, DC (www.kb.cert.org/vuls/id/926551), 2007.
43. Vendicator, StackShield: A stack smashing technique protection tool for Linux (www.angelfire.com/sk/stackshield), 2000.
44. C. Walter, FreeMODBUS: A Modbus ASCII/RTU and TCP implementation (v1.3), FreeMODBUS, Vienna, Austria (freemodbus.berlios.de), 2007.