Method to Counter the Threat of Covert Channels in LONWorks-based Industrial Control Systems
Igor I. Bezukladnikov
Perm National Research Polytechnic University
Prof. Pozdeeva str. 7
Perm, Russian Federation, 614013
corrector@at.pstu.ru
Efim L. Kon
Perm National Research Polytechnic University
Prof. Pozdeeva str. 7
Perm, Russian Federation, 614013
kel-40@yandex.ru
ABSTRACT
The problem of countering covert channels, one of the most dangerous unconventional information security threats to modern industrial control systems, is considered. A universal method of countering this threat, based on a previously unknown formal condition for the existence of covert channels, is proposed. An illustration of the method applied to counter covert channels in a real industrial control system is given.
Keywords
Information security, Covert channels, ICS, LonWorks
1. INTRODUCTION
The rapid growth of various information control systems (ICS) operating in different industries, together with their increasing complexity, makes the questions associated with their information security increasingly prominent. Among the least studied and at the same time most dangerous types of malicious attacks on ICS are attacks through covert channels (CC). The existing information security standards for such systems contain practically no specialized measures that directly counter covert channels, and the conventional general-purpose countermeasures offered by the standards have no effect on the functioning of a CC. Studies of covert channels as a separate class of information security threats did not begin until recent years, and works on this subject are extremely few. An analytical review carried out by the authors disclosed the absence of a consistent, systematic approach to the analysis and countering of covert channels. The known works are unsystematic descriptions of specific implementation variants of covert channels and of the specific countermeasures corresponding to them, without analysis of their domain of applicability and without attempts to formalize and generalize them.
This paper describes a universal method of countering covert channels based on the destruction of the conditions essential for their existence, according to the formal model of a covert channel suggested by the authors. The method is an integral part of the general method proposed by the authors for building, analyzing and countering covert channels, which includes the formal model of a covert channel, their classification, methods of evaluating their danger and methods of countering the detected dangerous covert channels. More detailed information about these elements of the general method is presented in earlier publications by the authors [2, 3, 1, 4, 5].
2. FORMAL MODEL OF COVERT CHANNEL
The first step in creating a formal approach to analyzing and countering covert channels is to create a formal model describing the covert channel as such. Taking into account that communication systems in general, and LonWorks in particular, as used in industrial ICS, can be described by the multilevel ISO OSI interaction model, the following assertions were chosen as the original assumptions in developing such a model of a covert channel:
Assertion 1. Hidden transmission of information is possible at any level of a system described by the multilevel ISO OSI model whenever the communication channel resource is underexploited in the open exchange process (Fig. 1).
The potential presence of underexploited resources discovered at every level of ISO OSI allows one to pass on to the search for a general solution for building a covert channel invariant to the ISO OSI level. Further analysis is based on the following assertion:
Assertion 2. The problem of building a covert channel at an arbitrary level of ISO OSI is equivalent to the problem of building an information transmission channel under the following basic conditions:
• Potentially any underexploited information resource of the corresponding level of the seven-level ISO OSI model of a general-purpose open network, or of the corresponding levels of the models of specialized-application networks, is an informative parameter of the covert channel.
• The main problem in building a covert channel is equivalent to the problem solved by the physical level of the channel (as applied to a CC, the problem of modulation and demodulation of the underexploited resource).
Studies carried out by the authors showed that, taking account of these conditions, it is admissible to use the models of the physical level of a communication channel to describe a covert channel operating at an arbitrary level of ISO OSI.
Figure 1 (caption as printed: "A sample black and white graphic (.eps format) that needs to span two columns of text"): plot of Speed, bps against Time, sec., showing the maximum achievable speed, the speed in the legal (open) channel, the resources occupied by the legal (open) channel and the underexploited resources of the communication channel.
There are quite a few models describing the functioning of the physical level of a communication channel. The selection of a communication channel model to describe a covert channel is based on the following assertions:
Assertion 3. Active countermeasures against a covert channel under conditions of an effective information security policy (ESP) are a priori non-existent (by definition, a channel is covert precisely when it does not contradict the effective information security policy).
Assertion 4. A covert channel functions under conditions of unintentional random noise, which can be represented in the form of white Gaussian noise (the proof is based on Assertion 3).
2.1 Covert Channel Existence Conditions
With the above assertions in mind, we suggest using the discrete communication channel (DCC) model to describe the physical level of a covert channel. The proposed model made it possible to find previously unknown formal necessary conditions for the existence of a covert channel in terms of a DCC and its invariant variations:
Condition 1. The system should have an underexploited resource (UEr) satisfying the following requirements, which follow from the representation of a CC as a DCC:
UEr modulation requirement: the transmitter of covert channel information should have the capacity to form at least two states of the underexploited resource, i.e. there should exist a transmitting alphabet
$A = \{a_1, a_2, a_3, \ldots, a_n\}$ (1)
where $a_i$ is a state of the resource formed by the transmitter and $|A| \geq 2$.
UEr demodulation requirement: the receiver of the hidden information should have the capacity to detect and recognize at least two states of the underexploited resource, i.e. there should exist a reception alphabet
$B = \{b_1, b_2, b_3, \ldots, b_m\}$ (2)
where $b_i$ are the detected states of the resource and $|B| \geq 2$. In addition, there should exist a matrix of transitions between the states of the transmitter and the states of the receiver of information through the covert channel
$P(x|y) = \begin{pmatrix} P_{a_1-b_1} & \cdots & P_{a_1-b_k} \\ \vdots & \ddots & \vdots \\ P_{a_n-b_1} & \cdots & P_{a_n-b_k} \end{pmatrix}$ (3)
where $P(x|y)$ is the probability of receiving symbol $b_y$ when symbol $a_x$ is transmitted between the participants of the hidden exchange of information, and $\sum_{j=1}^{k} P_{a_i-b_j} = 1$ for every $i = 1..n$.
Condition 2 (condition of consistency with the effective ISP): the hidden channel shall be consistent with the information security policy (ISP) effective within the system, or the time to its compromise/destruction should exceed the time necessary to carry out the required malicious actions according to the selected attack scenarios. Otherwise the reason for the existence of a covert channel is lost, because an attack through such a channel becomes impossible owing to its discrediting/destruction.
For systems with limited resources, a particular case of which are the lower levels of modern industrial ICS, it is expedient to introduce one more condition into the set of necessary ones: the condition of consistency with the existing restrictions on software and hardware resources. Such a condition can be formulated as follows:
Condition 3 (condition of satisfying resource restrictions): the creation and operation of a covert channel shall not take the system as a whole, or its specific components, beyond the software and hardware restrictions existing in the system.
2.2 A Method of Countering Covert Channels by Destruction of Necessary Conditions of Existence
The necessary conditions of covert channel existence listed above make it possible to approach the problem of countermeasures against covert channels from a formal standpoint. This is possible because the failure of any of the above conditions automatically makes the covert channel unrealizable. Thus, on the basis of an analysis of the necessary conditions, the following countermeasures based on their failure can be isolated:
1. Failure of Condition 1 (existence of an underexploited resource with the required characteristics). This can be realized by introducing additional restrictions that deny the creation or selection of the required states of the underexploited resource; this results in the destruction of the covert channel exploiting the corresponding type of underexploitation.
Note that the UEr modulation and demodulation requirements can also be violated by an alternative method, which we failed to find in earlier known works. The method is based on creating a legal covert channel that uses for its operation the same underexploitation of the open resource. The fact of transmitting information through such a legal covert channel substantially decreases the underexploitation available to the creator of a malicious covert channel; this deteriorates the performance of such a channel or makes its implementation impossible. In addition, the use by the violator of the same underexploitation inevitably generates a conflict caused by the lack of coordination of access to the shared resource and, as a consequence, damages the information transmitted both by the violator's covert channel and by the legal covert channel. This fact can easily be traced and, accordingly, used to discredit the malicious covert channel.
2. Violation of one of the additional conditions (the condition of consistency with the effective information security policy, or the condition of satisfying resource restrictions). This can be achieved by improving the respective ISP filters and, as a consequence, decreasing the time cost of discrediting the malicious covert channel, or by additional filters analyzing the parameters necessary to detect the covert channel.
For systems with restricted resources it is possible to use the version in which implementation of the covert channel is countered by decreasing the software and hardware resources accessible to the violator. E.g., in the case of field-level devices (TL1 of the multilevel distributed measurement control system (DMCS) considered in [2]), the considerable limitation of their hardware resources makes it possible to exclude, or substantially decrease, the probability or essential characteristics of a malicious covert channel by introducing an additional legal task exploiting, to the extent possible, all free resources.
Note that the proposed countermeasures can be used in any possible combination. Consider as an example such a combination countering covert channels in a real system.
2.3 Example of the Proposed Method Used in a Real Measurement Control System
The aircraft engine test automation system (TAS) shown in Fig. 2 is designed to measure, record and display basic test parameters in order to adjust, fine-tune and check the functional performance of various aggregates, and is a complex information and measurement system.
Figure 2: Model of LONWorks-based protected TAS. Labels in the figure: engineering terminal; antivirus software; personal firewall; log server; auxiliary peripherals; LAN; IDS; firewall; Local Control Network (LCN), level TL2; TL1-TL2 gateway; access monitor (reference monitor); Modbus, LonWorks, level TL1; measurement sensors, level TL0.
In its operation the TAS handles numerous parameters to be measured, with a wide range of measured analog signals of considerable total intensity. Preliminary analysis carried out by CRAMM v5 methods shows that the main risks which can be realized by software-technical methods and cause the greatest damage are the risks connected with leakage (hereinafter attack scenario A1) and modification (scenario A2) of measurement data.
Further analysis carried out by the general method [1] detected three covert channel types (see footnote 1), classified according to [2]: exploiting underexploitation of the information structure resource (class A), of the time resource (class B) and of the ordering resource (class C). Part of the detected covert channels (see Table 1) are dangerous (see footnote 2) for the respective attack scenarios and should be countered.
In general form, as noted above, according to the given approach it suffices to violate at least one of the necessary and sufficient conditions of a covert channel's existence in order to counter it.
Within the framework of countering the attack by modification of data (scenario A2) it is suggested to destroy the second necessary condition (consistency with the effective ISP) and narrow the vulnerability window to safe limits. We suggest performing such a narrowing by introducing integrity algorithms for the transmitted data. In compliance with the existing algorithm, the software of the reference monitor existing in the TAS should then be supplemented with an integrity analyzer. The principle of operation of such a protection system is shown in Fig. 3. It should be noted that the implementability in principle of such a protection scheme is determined by the fact that the application processor of the Neuron Chip performs the available applied tasks separately, and the logic present at the same node has no possibility of substituting the input values of network variables received from directly connected sensors.
Figure 3: Model of LONWorks-based protected TAS. Labels in the figure: LONWorks node A; LONWorks node B; access monitor; coder of integrity algorithm; decoder of integrity algorithm; applied task (on each node); malicious logic (on each node).
Footnote 1: All detected covert channels use underexploitation of the Application Layer of the LonTalk protocol stack.
Footnote 2: Dangerous are the covert channels whose attack time is not more than the width of the vulnerability window, 1800 seconds. Such channels are highlighted in Table 1.
Regretfully, it is impossible to transmit the additional integrity-monitoring information directly, by the conventional method using the open channel (solid line in Fig. 2), because an additional network variable in the received traffic can be wrongly interpreted by the software performing the data collection function at the upper TAS level, and modifying this software is impossible because of its proprietary nature.
In this connection, on the basis of the proposed universal countermeasure methods, it is suggested to solve these two problems simultaneously by organizing the transmission of the control information through a legal covert channel of class C (underexploitation of the ordering resource; see the classification in [2]). The use of the same underexploited resource by the legal channel and by a potential malicious covert channel (if the latter is present) shall violate the first necessary condition of existence, causing the failure of both covert channels and, as a consequence, damage to the transmitted control information, which can be detected by the reference monitor.
In this case the process of control information transmission has no effect on the measurement information transmitted through the open channel; thus, modifying the software at the nodes of level TL2 is not needed.
As the only covert channel dangerous relative to attack scenario A1 (data leakage) is the covert channel of class C, the proposed protection version at the same time solves the problem of countering this attack scenario, disrupting by its functioning the necessary conditions of existence of the illegal channel.
Table 1: Summarized results of analysis of CC danger for attack scenarios A1, A2 for Neuron Chip 3150-based TAS units
Columns: information capacity of CC alphabetic character ⌊log2(|A|)⌋, bit/symbol; time required for successful attack, in seconds, for CC of A type (CC1), CC of C type (CC2), CC of B type (CC3), CC of B type (CC4). Values are given as printed, left to right.
Scenario A1 (length of transmitted message 32768 bytes):
1 bit/symbol: 28695.6; 23244.4; 12873.8; 5977.1
2 bit/symbol: 17680.7; 15573.7; 19310.7; 4736.7
3 bit/symbol: 13912.5
4 bit/symbol: 13982.1; 38621.5; 2988.5
6 bit/symbol: 128738.4; 2313.1
9 bit/symbol: 1716.74
Scenario A2 (length of transmitted message 4096 bytes):
1 bit/symbol: 3474.8; 2905.5; 1609.2; 947.1
2 bit/symbol: 1985.1; 1946.7; 2413.8; 792.1
3 bit/symbol: 1739.1
4 bit/symbol: 1747.7; 4827.6; 573.5
6 bit/symbol: 16092.3; 489.1
9 bit/symbol: 414.5
As the algorithm for calculating the checksum we suggest using the well-known CRC16 algorithm, which is simple to implement even in systems with restricted resources. To simplify the data transmission algorithm through the legal covert channel and to exclude the shift operation, we suggest using 8 bits per one event of hidden transmission (manipulations of order within a sequence of 6 network variables). The checksums are to be calculated at a rate of one checksum per 2 measurement packages (8 network variables each) of transmitted information. Earlier analysis of the resource costs of performing the algorithm of data transmission through a covert channel of class C yields the following results for the chosen sequence length N = 6:
• The time to perform the algorithm of the legal CC: T_alg = 4.7 ms. This value differs by one order of magnitude from the average time to perform the applied tasks in a TAS LONWorks node (50 ms) and can be considered unnoticeable against their background.
• Memory requirements for the legal CC: M_RAM = 146 bytes, read-only memory M_ROM = 1792 bytes. Both values do not exceed the threshold of 10% of the available resources of the node (2048 and 18432 bytes, respectively) and can also be considered unnoticeable within the framework of the chosen hardware basis.
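As an added example (not code from the paper or from the TAS described in it), the following Python models the legal class-C channel of Section 2.2, item 1, and Section 2.3: one CRC16 per two 8-NV packages is carried as two 8-bit symbols, each encoded in the send order of a 6-NV sequence, and the reference monitor rebuilds the checksum from the observed ordering and compares it with the data received. The Lehmer-code mapping from symbol to ordering, the CRC-16/ARC variant and the sample measurement values are assumptions, since the paper fixes none of them.

```python
import math

N = 6            # length of the network-variable sequence per hidden event (from the paper)
SYMBOL_BITS = 8  # bits carried per event (from the paper)

def crc16(data: bytes) -> int:
    """CRC-16/ARC (poly 0x8005, reflected 0xA001, init 0). The paper says only
    'CRC16'; this particular variant is an assumption."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def symbol_capacity(n: int = N) -> int:
    """Capacity of one ordering event: floor(log2(n!)) bits, 9 for n = 6."""
    return int(math.log2(math.factorial(n)))

def symbol_to_order(sym: int, n: int = N) -> list:
    """Encoder: symbol 0..n!-1 -> send order of the n network variables.
    Lehmer-code mapping; the paper does not fix the mapping (assumption)."""
    if not 0 <= sym < math.factorial(n):
        raise ValueError("symbol outside the transmitting alphabet")
    pool, order = list(range(n)), []
    for k in range(n - 1, -1, -1):
        q, sym = divmod(sym, math.factorial(k))
        order.append(pool.pop(q))
    return order

def order_to_symbol(order: list) -> int:
    """Decoder: recover the symbol from the observed arrival order."""
    pool, sym = sorted(order), 0
    for i, nv in enumerate(order):
        idx = pool.index(nv)
        sym += idx * math.factorial(len(order) - 1 - i)
        pool.pop(idx)
    return sym

def encode_checksum(packages: list) -> list:
    """Transmitter side: one CRC16 over two 8-NV packages, sent as two
    8-bit symbols, each as the ordering of one 6-NV sequence."""
    crc = crc16(bytes(v for pkg in packages for v in pkg))
    return [symbol_to_order(crc >> SYMBOL_BITS), symbol_to_order(crc & 0xFF)]

def monitor_check(packages: list, events: list) -> bool:
    """Reference monitor: the CRC rebuilt from the orderings must equal the CRC
    of the measurement data received. False means the data was modified (A2)
    or the ordering resource was disturbed by a competing (malicious) user."""
    received = crc16(bytes(v for pkg in packages for v in pkg))
    hi, lo = (order_to_symbol(ev) for ev in events)
    return received == ((hi << SYMBOL_BITS) | lo)

# Constructed sample input: two packages of eight 8-bit measurement values.
SAMPLE_PACKAGES = [[12, 200, 33, 45, 0, 255, 17, 90], [12, 201, 33, 44, 1, 254, 17, 91]]

if __name__ == "__main__":
    ev = encode_checksum(SAMPLE_PACKAGES)
    print(monitor_check(SAMPLE_PACKAGES, ev), monitor_check(SAMPLE_PACKAGES, [ev[0][::-1], ev[1]]))
```

Any second user of the ordering resource changes at least one permutation, so the rebuilt checksum no longer matches and the monitor's check fails, which is the conflict the paper relies on for discrediting a malicious class-C channel.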
Guided by the presented initial data (length of the sequence of exchanges N = 6, corresponding information capacity of an alphabetic character $I_{symb} = \lfloor \log_2(6!) \rfloor = 9$ bit/symbol, used information capacity of a symbol 8 bit/symbol, length of the transmitted information sequence $L_{CRC16} = 16$ bit), it is possible to evaluate the time required to successfully transmit one CRC16 checksum through the legal covert channel (see footnote 3):
$T_{CRC} = \sum_{i=1}^{2} \left[ T_{coding}(x_i) + T_{decoding}(x_i) + T_{CEWT}(x_i) \right]$ (4)
$T_{CRC} = 2 \cdot (0.0032 + 0.0047 + 0.091) = 0.19$ s
where $T_{coding}(x_i)$ is the encoding algorithm delay for symbol $x_i$, $T_{decoding}(x_i)$ the decoding algorithm delay for symbol $x_i$, and $T_{CEWT}(x_i)$ the covert channel availability delay (see footnote 4) for symbol $x_i$.
Footnote 3: According to the method described in [4].
Footnote 4: Delay caused by the necessity to wait for suitable conditions for the transmission of the selected symbol through the covert channel.
The evaluation performed shows that transmitting one checksum through the presented implementation of the legal covert channel takes only 0.19 seconds.
As, in compliance with the effective ISP, upon detection of an inconsistency between the transmitted checksum and the measurement data the TAS reference monitor generates a signal to stop the experiment, this makes it possible to narrow the system's vulnerability window against an attack according to scenario A2 (modification of transmitted measurement information) to the time necessary to transmit this checksum. To prove the efficiency of the proposed countermeasures, the danger of the detected covert channels was reanalyzed for the TAS under consideration with account of the changes made. From Table 2 it is apparent that implementation of covert channels of type C became impossible because of the absence of the respective underexploited resource (the ordering resource is used to realize the legal covert channel transmitting CRC16). The decrease of the width of the vulnerability window for attack scenario A2 from $W_{A1} = 1800$ s to $W'_{A1} = 0.19$ s made it possible to transfer the covert channel of class C into the category of non-dangerous.
Table 2: Evaluation of CC danger with account of countermeasures
Covert channel type | Attack time, s | Countermeasure | Conclusion about danger
All CCs of C type | see Table 1 | Destruction of Condition 1 | not dangerous
CC of B type, I_symb = 3 bit/symbol | 1739.1 | Narrowing W_window from 1800 s to 0.19 s | not dangerous
CC of B type, I_symb = 4 bit/symbol | 1747.7 | Same as above | not dangerous
3. CONCLUSIONS
So, the analysis performed allows the conclusion that the proposed protection solution is efficient and has the following advantages:
1. The proposed protection solution makes it possible to exclude the necessity of modernizing level TL2, because from the standpoint of the TL2 software the proposed solution makes no changes in the flow of data transmitted through the open channel.
2. The proposed solution provides an efficient countermeasure to all kinds of covert channels detected by the analysis as presenting danger to the system, by the method of violating the necessary and sufficient conditions: for the covert channel of class C, for all attack scenarios, by complete destruction of the covert channel of class C; for the covert channels of other classes, within the framework of scenario A2, by a radical decrease of the vulnerability window.
4. REFERENCES
[1] I. I. Bezukladnikov and E. L. Kon. Covert channels in industrial control systems. In Problems of telecommunication processes and technology: Proceedings of XI International scientific and technical conference, pages 84–89. Kazan, KGTU, November 2011.
[2] I. I. Bezukladnikov and E. L. Kon. Problem of covert channels in industrial control and infocommunication networks. Industrial automated control systems and controllers, (7):61–64, 2011.
[3] I. I. Bezukladnikov and E. L. Kon. Covert channels in distributed information control systems. Vestnik KGTU im. A.N. Tupoleva, (3):124–131, 2012.
[4] I. I. Bezukladnikov and E. L. Kon. Threat risk assessment of covert channels in distributed industrial LonWorks-based networks. Neurocomputers: Development and Application, (11):53–58, 2013.
[5] National Institute of Standards and Technology. NIST SP 800-82, Guide to Industrial Control Systems Security. http://csrc.nist.gov/publications/nistpubs/800-82/SP800-82-final.pdf, 2011. [Online; accessed 08-May-2015].