Attacks on Embedded Systems

Tuesday, November 25, 2014

Attacks on Control Systems 

   Our very lives depend on control systems that manage the behavior of complex and critical components of the global industrial infrastructure: transportation, water, the power grid, gas, oil, the food industry, and pharmaceuticals. Securing these control systems has therefore become a top government priority and a matter of national security.
   According to the U.S. Department of Energy (DOE) and commercial security consultants, control systems are vulnerable to cyber attacks and their reliable operation is at risk.
   Now let us ask the ultimate question: what would happen if the control systems were hacked?
The Stuxnet virus proved that we should expect another Chernobyl if similar attacks on control systems happen. Stuxnet was created and designed by the U.S. to target Iran's uranium-enrichment center at "Natanz, which has 7,000 centrifuges" and was "inserted ... by Israeli agents." Its "... payload was rocket science; it's way above everything that we have ever seen before."
   The attack was the beginning of a new era of wars with a new dimension: Binary Attacks. The virus was not a self-destructive program, and its source code could be reverse engineered; therefore, it could be sold on the black market to terrorists. Although the aim of the attack was to immobilize the country's nuclear capabilities, that country now has a modern weapon with a high level of destruction at low cost! The attacker just served his/her victim.
   The Stuxnet attack was a turning point: governments all over the world started changing their defense strategies and tactics against a silent weapon with tremendous destructive power. On 12 February 2014, the U.S. National Institute of Standards and Technology (NIST) released the "Framework for Improving Critical Infrastructure Cybersecurity". The framework completes the Obama Administration's 2013 cybersecurity Executive Order. The Australian government made a similar announcement by introducing the Australian Cyber Security Centre (ACSC).
   To encourage scientists and researchers in the field of cyber security, governments and other contractors offer funding for strong projects and ideas. The National Science Foundation (NSF) is an active source of funding that scientists and students, at certain levels, can count on.

Sources:
http://apo.org.au/research/cybersecurity-executive-order
Finnie, S. (2012). Stuxnet Was a Wake-up Call, But Don't Fall Back Asleep. Computerworld, 46(12), 60.

Sunday, November 23, 2014

Network Intrusion Detection and Prevention Systems Through an 8-bit Microprocessor


Harmful code on the Internet, also known as malicious software, can be classified into viruses and worms. A virus needs an existing program to attach itself to, and it releases its harmful code as soon as that program executes on the system. A worm, however, is independent and can release its harmful content without the need for a host program.
To detect this malicious code, a virus scanner searches for signatures: patterns that are present in every copy of the virus. These patterns are identified by specialists at security companies and organizations, who store them in lists that can be downloaded from their websites and used as a dictionary or source for detection. The process of detecting this harmful code is called "pattern matching": a piece of the network data stream is taken and compared against the known virus signatures. Although many sophisticated Network Intrusion Detection and Prevention Systems (NIDPS), including anti-virus software, are available on the market and offer flexibility, their pattern matching algorithms cannot keep up with high-speed network traffic and therefore compromise speed. Most NIDPS perform on the scale of hundreds of megabytes only, whereas hardware (microprocessor) implementations compute thousands of signatures at gigabit rates. Sourdis and Pnevmatikatos achieved 10 Gbps using parallelism (refer to the paper for more information).
Dedicated microprocessor for approximate content matching with k=1

To identify a threat in network packets, every single bit/byte must be inspected through "Deep Packet Inspection" (DPI), which is the foundation of firewalls and NIDPS. The paper presents an 8-bit dedicated microprocessor approach for exact string matching that tries to maintain both speed and flexibility. Its architecture is based on two parts: a datapath and a control unit. The datapath consists of a register file and one or more 8-bit comparators. The virus signature to be identified is stored as L * 8 bits (binary 0s and 1s), where L is the length of the pattern (the signature). During each clock cycle, one character of the incoming stream is presented at the input of the datapath and tested by the comparators against the contents of the register file. The result is sent as a "status signal" to the control unit; if it matches, a true value is forwarded to the datapath, which outputs a binary "1" signaling recognition of the pattern. The paper mentions the use of the "Xilinx ISE WebPack" software as the simulator.
Example:
Let's say we have a file with dimensions of (16*8), where, as stated above, 16 is L, the length of the signature or pattern. Since 16 = 2^4, the pattern to be recognized is the four characters "abcd" and the address will be in the form "0000". During the comparison process the address will change to "0001", "0010", and "0011"; the sequence will end with "0100", which is a NULL value or a value that the programmer sets to indicate the end of the sequence.
The variations that occur in the memory addresses are based on the loaded characters "abcd". If the comparator finds "abcd", the result is true and it sends "1" to signal that. If it finds "axcd", "aybc", or "bxac"..., this means a modification happened, but the pattern still has some pieces such as the "a", "b", and "c" characters! Thus, based on my understanding, the control unit classifies it as a potential threat (quarantine), and that needs more research on my side.
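As an added illustration (my own model, not the paper's design or VHDL), here is a cycle-level C model of the datapath described above: the register file holds the L-byte signature, a shift register holds the last L input bytes, and one 8-bit comparator per position raises a mismatch bit each clock cycle. The parameter k is assumed here to be the number of mismatches the control unit tolerates, so k = 0 is exact matching and k = 1 the approximate case of the figure caption; the function names are mine.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define MAX_L 32            /* register-file capacity in bytes (L <= MAX_L) */

typedef struct {
    uint8_t sig[MAX_L];     /* register file: the L-byte signature (L*8 bits) */
    uint8_t window[MAX_L];  /* last L bytes presented at the datapath input */
    size_t len, cycle;      /* L and the number of clock cycles elapsed */
    unsigned k;             /* mismatches tolerated: 0 = exact, 1 = approximate */
} matcher_t;

int matcher_init(matcher_t *m, const char *signature, unsigned k)
{
    size_t L = strlen(signature);
    if (L == 0 || L > MAX_L) return -1;
    memcpy(m->sig, signature, L);
    memset(m->window, 0, sizeof m->window);
    m->len = L; m->cycle = 0; m->k = k;
    return 0;
}

/* One clock cycle: shift in a byte and evaluate all L comparators in parallel.
 * Returns the mismatch count; *match is the status bit sent to the control unit. */
unsigned matcher_clock(matcher_t *m, uint8_t in, int *match)
{
    unsigned mism = 0;
    memmove(m->window, m->window + 1, m->len - 1);
    m->window[m->len - 1] = in;
    m->cycle++;
    for (size_t i = 0; i < m->len; i++)
        mism += (m->window[i] != m->sig[i]);        /* 8-bit comparator i */
    /* the window holds only real traffic once L bytes have been clocked in */
    *match = (m->cycle >= m->len && mism <= m->k);
    return mism;
}

/* Clock a buffer through the datapath; returns the 1-based offset just past the
 * first cycle whose match bit is set, or 0 if the signature never matched. */
size_t scan_stream(const uint8_t *data, size_t n, const char *sig, unsigned k)
{
    matcher_t m;
    int hit = 0;
    if (matcher_init(&m, sig, k) != 0) return 0;
    for (size_t i = 0; i < n; i++) {
        (void)matcher_clock(&m, data[i], &hit);
        if (hit) return i + 1;
    }
    return 0;
}
```

With k = 0 the stream "xxaxcdyy" never matches "abcd"; with k = 1 the same stream matches after its sixth byte, which is the "modified pattern" case that the control unit would flag for quarantine.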



Cisco Intrusion Prevention System

Peer Reviewed Paper Citation:
Georgiev, D. R. (2014). Design of 8-bit dedicated microprocessor for content matching in NIDPS. International Journal of Information Security Science, 3(3), 209–215. 

Wednesday, November 19, 2014

Neural Networks


In the field of computer science, the term Neural Networks refers to Artificial Neural Networks (ANN), a definition provided by Dr. Robert Hecht-Nielsen, the inventor of neurocomputers.
ANN models are based on the neuronal structure of the mammalian cerebral cortex, but include hundreds of processors versus billions of neurons in a mammalian brain. One of the first applications of neurocomputing was retina scanning and identification. However, the main purpose of this post is to introduce the importance of neurocomputing in neural networks and its impact on malware intrusion detection.
Neural network design is based on three different layers that include a huge number of interconnected nodes with an "activation function". The input layer receives patterns, which are passed on to one or more hidden layers for data processing and then presented to an output layer, which provides the answer. As Hecht-Nielsen says, "The neurocomputer is inherently able to deal with small variations in the data -- with ums and ahs. It recognizes familiar patterns but is unconcerned about small mismatches".

Hecht-Nielsen's achievement allows neural networks to provide solutions to problems where standard networks fail "miserably".
It is important to mention that neural network applications are vast and complicated, but some well-known research centers have been able to advance this technology: Ford Aerospace, under subcontract to NASA, serving the U.S. government; Global Holonetics, which developed a "smart camera" capable of inspecting items on an assembly line at a rate of 15 items per second; and General Dynamics Corp., which developed a neural network to identify ships by their sonar signatures.

The technology will eliminate the need for humans in processing letters, handwritten bank receipts, and handwriting.
Neural networks in computers process data in the same manner that neural networks of cells do: they are based on interconnections similar to synapses.
Based on the above achievements, this technology will bring extreme power to detecting malicious code, in other words, virus intrusion detection.
A host will have a self-organizing feature that represents the behaviors of a system, using "back propagation" to model the intrusive patterns. The host will have the ability to learn and expand its knowledge about the discovery of malicious intrusions as time goes on.
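As an added example (my own construction, not from the cited talk), the following C program trains a three-layer network with back propagation on hand-labelled, constructed host-activity feature vectors, so that the output node learns to separate intrusive from normal windows of system calls. The feature choice, the constructed rows, the softsign activation and the function names are assumptions of this example.

```c
enum { NIN = 3, NHID = 4, NSAMP = 8 };   /* inputs per window, hidden nodes, training rows */
/* Constructed, hand-labelled rows (not real audit data): [share of exec calls,
 * share of writes under system paths, share of outbound connects]; 1 = intrusive. */
static const double X[NSAMP][NIN] = {
    {0.05, 0.02, 0.01}, {0.10, 0.05, 0.03}, {0.02, 0.08, 0.02}, {0.08, 0.03, 0.10},
    {0.70, 0.60, 0.50}, {0.55, 0.80, 0.40}, {0.65, 0.45, 0.85}, {0.90, 0.70, 0.30}};
static const int T[NSAMP] = {0, 0, 0, 0, 1, 1, 1, 1};
/* Input layer (NIN) -> hidden layer (NHID; W1, B1) -> one output node (W2, B2). */
static double W1[NHID][NIN], B1[NHID], W2[NHID], B2;
/* Activation: softsign rescaled to (0,1), so no libm is needed; act_grad is its derivative via output y. */
static double act(double z) { return 0.5 + 0.5 * z / (1 + (z < 0 ? -z : z)); }
static double act_grad(double y) { double m = y < 0.5 ? y : 1 - y; return 2 * m * m; }

/* Forward pass; hidden outputs are kept in h for the backward pass. */
static double forward(const double *x, double *h) {
    double s = B2;
    for (int j = 0; j < NHID; j++) {
        double z = B1[j];
        for (int i = 0; i < NIN; i++) z += W1[j][i] * x[i];
        s += W2[j] * (h[j] = act(z));
    }
    return act(s);
}
/* Back-propagation: squared-error gradient at the output node, pushed back through W2 to each hidden node. */
static void train(int epochs, double lr) {
    double h[NHID];
    for (int e = 0; e < epochs; e++) for (int s = 0; s < NSAMP; s++) {
        double y = forward(X[s], h), d_out = (y - T[s]) * act_grad(y);
        for (int j = 0; j < NHID; j++) {
            double d_hid = d_out * W2[j] * act_grad(h[j]);
            W2[j] -= lr * d_out * h[j];
            for (int i = 0; i < NIN; i++) W1[j][i] -= lr * d_hid * X[s][i];
            B1[j] -= lr * d_hid;
        }
        B2 -= lr * d_out;
    }
}
int predict3(double a, double b, double c) { double x[NIN] = {a, b, c}, h[NHID]; return forward(x, h) >= 0.5; }
/* Reset to small, distinct, deterministic weights, train, and return how many training rows are labelled correctly. */
int train_and_score(void) {
    int ok = 0;
    for (int j = 0; j < NHID; j++) {
        for (int i = 0; i < NIN; i++) W1[j][i] = 0.1 * (j + 1) * (i % 2 ? -1 : 1);
        B1[j] = 0; W2[j] = 0.1 * (j + 1);
    }
    B2 = 0; train(5000, 0.5);
    for (int s = 0; s < NSAMP; s++) ok += (predict3(X[s][0], X[s][1], X[s][2]) == T[s]);
    return ok;
}
```

The "soft signature" is the trained weight set: a window that only resembles the intrusive rows, such as (0.6, 0.5, 0.6), is still labelled intrusive, which is the tolerance for small mismatches that the post attributes to neurocomputers.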

Source:
Applying Neural Network based Approaches to Host based Intrusion Detection: Soft Signatures
https://www.youtube.com/watch?v=aVId8KMsdUU

Sunday, November 16, 2014

Zero-day Vulnerability: Sandworm affecting all versions of Windows

On 10/21/14, Microsoft issued a warning about a zero-day vulnerability that cyber criminals are exploiting through PowerPoint files sent as email attachments!
Although Microsoft provided a "Fix it" tool that blocks the attacks seen so far, which users can apply to protect their PCs until a patch is available, it is not the same as the "four-step threat scoring system it uses for security updates". After a successful exploit, this bug allows hackers to hijack the PC, steal information and/or inject viruses.
"The vulnerability affects all versions of Windows, from the aging Windows Vista to the very newest Windows 8.1, and is within the operating system's code that handles OLE (object linking and embedding) objects". OLE is used by Microsoft Office, for example to embed data from an Excel spreadsheet in a Word document. Yet hackers might use the flaw for other purposes!

iSight slapped the moniker "Sandworm" on the cyber-spy gang.
Although Microsoft had patched a similar vulnerability in the same month with eight updates, including the OLE bug, hackers used it to mount other attacks by exploiting "malformed PowerPoint files". According to researchers at iSight Partners, a Russian hacker crew had been using MS14-060 to attack Ukrainian government agencies, NATO, Western European government agencies, and companies in the telecommunications and energy sectors since December 2013.

Microsoft has not released a new patch yet, but it should as soon as possible.
Microsoft also urged Windows users to pay close attention to the "User Account Control (UAC) pop-ups" that alert them before any action such as a file download. However, this is still not an effective solution, since most users click without a second thought.

Saturday, November 15, 2014

Embedded Systems Security Issues

In 2013, Nissan, Honda, and Subaru all announced deadly problems linked to faulty embedded systems and sensors in their cars; they triggered premature airbag deployment and hard braking assist, which are supposed to function only in emergencies. For Subaru, "the remote-start fob started cars on its own". In 2005, Toyota announced recalls of more than 150,000 cars because of code errors that caused the Prius to stall unexpectedly. In 2010, the same car manufacturer was responsible for the deaths of many innocent people because of faulty embedded systems that caused unexpected acceleration.

To be able to fix these errors in embedded systems, the car must be wirelessly connected to the Internet so that the manufacturers can patch the code remotely; in other words, an open gate for virus attacks and a new way to hack a person on the road! Nevertheless, embedded systems can be hacked without an Internet connection; it can be done with an "ADC Code Injector".

But what is an Embedded System? 

An embedded system is a small combination of computer hardware and software designed to do specific and very limited tasks, implemented as part of a larger system. The embedded system is composed of a single microprocessor board with software stored in Read Only Memory (ROM). Technically, all devices that have a digital interface, such as watches, microwaves, cars, routers, refrigerators, dishwashers, heating, ventilation, home alarms, Blu-ray players, garage doors, and air conditioning... use embedded systems.

All the above information leads us to a common question: how could an attacker get the processor to execute his/her code instead? Based on the article "Security fundamentals for embedded software", the attack happens by causing an array overflow via functions such as alloca() or malloca(). The attacker looks at where the analog-to-digital converter (ADC) array is stored; if it is on the stack, an array overflow occurs as shown in figure 2, whereas a normal stack is shown in figure 1.
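As an added illustration (not code from Kalinsky's article or from any real firmware), the following C shows an ADC sample buffer kept on the stack and filled from a sample count that arrives from outside the device's trust boundary, first in its overflow-prone form and then in a bounds-checked form. The function names and the constructed sample values are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ADC_BUF_LEN 16   /* capacity of the on-stack sample array */

/* Constructed sample block: 16 readings whose average is 100. */
static const uint16_t SAMPLES[ADC_BUF_LEN] = {
    90, 110, 95, 105, 100, 100, 98, 102, 97, 103, 99, 101, 100, 100, 100, 100};

/* VULNERABLE pattern: n_samples comes from outside (a host command or a packet)
 * and is trusted. For n_samples > ADC_BUF_LEN the copy runs past adc_buf into
 * whatever sits above it in the frame (the corrupted stack of figure 2). */
uint32_t average_unchecked(const uint16_t *src, size_t n_samples)
{
    uint16_t adc_buf[ADC_BUF_LEN];
    uint32_t sum = 0;
    for (size_t i = 0; i < n_samples; i++)      /* no bound on i */
        adc_buf[i] = src[i];
    for (size_t i = 0; i < n_samples; i++)
        sum += adc_buf[i];
    return n_samples ? sum / (uint32_t)n_samples : 0;
}

/* HARDENED: the length is checked against the array's real capacity before any
 * write, and an oversize request is rejected rather than silently truncated, so
 * the layout of figure 1 is preserved. Returns 0 on success, -1 if rejected. */
int average_checked(const uint16_t *src, size_t n_samples, uint32_t *avg)
{
    uint16_t adc_buf[ADC_BUF_LEN];
    uint32_t sum = 0;
    if (src == NULL || avg == NULL || n_samples == 0 || n_samples > ADC_BUF_LEN)
        return -1;
    memcpy(adc_buf, src, n_samples * sizeof adc_buf[0]);
    for (size_t i = 0; i < n_samples; i++)
        sum += adc_buf[i];
    *avg = sum / (uint32_t)n_samples;
    return 0;
}

/* Hardened path over the constructed samples: the average of the first
 * n_samples readings, or -1 when the request is rejected. */
long checked_average_of(size_t n_samples)
{
    uint32_t avg = 0;
    return average_checked(SAMPLES, n_samples, &avg) == 0 ? (long)avg : -1L;
}
```

Only the checked function may be handed an untrusted count; the unchecked one is kept here solely to show the defect and must only be called with in-bounds input.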

Resources:
Finnie, S. (2012). Stuxnet Was a Wake-up Call, But Don’t Fall Back Asleep. Computerworld, 46(12), 60–60.
Higgins, K. J. (2012). Flame Gives Spyware A Next-Gen Update. InformationWeek, (1336), 20.
Kalinsky, D. (2012, March 24). Security fundamentals for embedded software. Retrieved October 28, 2014, from http://www.embedded.com/design/safety-and-security/4304104/1/Security-fundamentals-for-embedded-software
Rivière, P. (2011, March). Worm creates diplomatic wiggle room; Iran’s Stuxnet affair. Le Monde Diplomatique, English Ed., p. n/a. Paris, France.
Stallings, W. (2014). Operating Systems: Internals and Design Principles (8th ed.).
Traenkenschuh, J. (2013). Secure Your Embedded Systems Now! Retrieved from http://www.informit.com/articles/article.aspx?p=2140093
Webopedia. (2014). Embedded System. Retrieved from http://www.webopedia.com/TERM/E/embedded_system.html