Pointer taintedness is a concept which has been successfully employed as a basis for vulnerability analysis of C/C++ source code, and as a run-time mitigation technique against memory corruption attacks. Nevertheless, pointer taintedness interferes with the specification of several industrial control protocols. As a consequence, it is not directly usable in detecting memory corruption vulnerabilities in implementations of those industrial control protocols. Furthermore, source-code analysis may have no visibility on certain low-level vulnerabilities, since there may be a considerable difference between what programmers intend with the source code they write and what the CPU really executes. A set of memory corruption vulnerabilities specific to implementations of industrial control protocols may escape source code analysis, as they are related to a dynamic organization of data in memory. In this paper we define a new concept referred to as memory access taintedness. We discuss the logical motivations behind our definition of memory access taintedness and demonstrate that memory access taintedness is fully employable in vulnerability analysis of the machine code of implementations of industrial control protocols. We analyze the main low-level characteristics of both traditional attacks and attacks specific to process control systems, and demonstrate the ability of memory access taintedness to detect memory corruption vulnerabilities. We represent memory access taintedness as a decision tree and use it as the fundamental component of a finite state machine model we devised for the purpose of dynamically detecting memory corruption vulnerabilities in implementations of industrial control protocols.
Real-time systems are becoming increasingly important in everyday life. The use of such systems for critical applications requires tools and techniques for increasing correctness and reliability of the final product. In this paper, we describe a toolset (Merlot) for analyzing real-time system specifications. Merlot allows the automatic verification of temporal properties for a large set of specifications and requires the interaction with the user only when the complexity of the specification overcomes a reasonable automatable level. ...
This paper reviews past work done by our group in the area of formal specification for reactive, real-time systems. Different approaches are discussed, emphasizing their ability to verify formal specifications and systematically derive test cases for the implementation. The specification languages reviewed here are TB nets (a specification formalism belonging to the class of high-level Petri nets) and TRIO (a real-time temporal logic language).
Many organizations using agile processes would like to adopt a process measurement framework, e.g. for assessing their process maturity. In this paper we propose a meta-model supporting derivation of specific data models for agile development processes. Then, we show how our meta-model can be used to derive a model of the Scrum process.
One of the most important qualities of run-time supports for real-time systems is predictability. The knowledge of the behavior and execution time of a system is necessary to define feasible and dependable real-time scheduling. Often real-time operating systems are based on concurrency models that are intrinsically not suitable for real-time execution, since timing remains external to the execution model. This approach imposes a translation of time constraints to perform real-time executions. TDE bases the execution of tasks directly on their time constraints. This approach allows the system designer to concentrate on timing issues, and the run-time support to constantly control the system behavior according to timed plans. TDE has been integrated with a commercial real-time operating system. This paper presents the concepts behind TDE and describes the architecture of the implementation.
Memory corruption attacks on SCADA devices can cause significant disruptions to control systems and the industrial processes they operate. However, despite the presence of numerous memory corruption vulnerabilities, few, if any, techniques have been proposed for addressing the vulnerabilities or for combating memory corruption attacks. This paper describes a technique for defending against memory corruption attacks by enforcing logical boundaries between potentially hostile data and safe data in protected processes. The technique encrypts all input data using random keys; the encrypted data is stored in main memory and is decrypted according to the principle of least privilege just before it is processed by the CPU. The defensive technique affects the precision with which attackers can corrupt control data and pure data, protecting against code injection and arc injection attacks, and alleviating problems posed by the incomparability of mitigation techniques. An experimental evaluation involving the popular Modbus protocol demonstrates the feasibility and efficiency of the defensive technique.
In this paper we propose an anomaly intrusion detection model based on the shuffle operation and product machines, targeting persistent interposition attacks on control systems. These attacks are actually undetectable by the most advanced system call monitors, as they issue no system calls and are stealthy enough to transfer control to hijacked library functions without letting their saved instruction pointers get stored on the stack. We exploit the fact that implementations of control protocols running in control systems, which in turn are attached to physical systems such as power plants and electrical substations, exhibit strong regularities in terms of the sequences of function calls and system calls issued during protocol transactions. The main idea behind the proposed approach is to introduce NULL function calls within a Modbus binary and to apply the shuffle operation between them and existing function calls. We then devise and implement a product machine capable of recognizing the shuffle representation of function call and system call regularities. A sensor uses a unidirectional interprocess communication channel based on shared memory to receive profile data from a Modbus process, and subsequently submits them to the product machine. We describe an experimental evaluation of our model on an ARM-based Modbus device and demonstrate that the proposed model overcomes the limitations of state-of-the-art approaches with regard to detection of persistent interposition attacks on control systems.
We introduce a technique for reachability analysis of Time-Basic (TB) Petri nets, a powerful formalism for real-time systems where time constraints are expressed as intervals, representing possible transition firing times, whose bounds are functions of the marking's time description. The technique consists of building a symbolic reachability graph relying on a sort of time coverage, and overcomes the limitations of the only available analyzer for TB nets, based in turn on a time-bounded inspection of a (possibly infinite) reachability tree. The graph construction algorithm has been automated by a tool-set, briefly described in the paper together with its main functionality and analysis capability. A running example is used throughout the paper to sketch the symbolic graph construction. A use case describing a small real system, from which the running example is an excerpt, has been employed to benchmark the technique and the tool-set. The main outcomes of this test are also presented in the paper. Ongoing work, in the perspective of integrating with a model-checking engine, is briefly discussed.
Traditional support tools for software engineers, normally based on a client–server architecture, are unsuitable to deal with the new issues emerging from the current (and future) cooperative work scenarios (where connectivity is intrinsically transient, the number of interacting partners dynamically changes, etc.). This paper presents a quantitative assessment of a fully decentralized, peer-to-peer, cooperative infrastructure. Stochastic Well-formed Nets (SWNs) modeling the new peer-to-peer architecture, and a traditional (client– ...
State-space based techniques represent a powerful analysis tool for discrete-event systems. One way to face the state-space explosion is the exploitation of behavioral symmetries of distributed systems. Well-formed coloured Petri nets (WN) allow the direct construction of a symbolic reachability graph (SRG) that captures symmetries suitably encoded in WN syntax. Most real systems, however, mix symmetric and asymmetric behaviors. The SRG, and more generally all those approaches based on a static description of symmetries, have shown not to be effective in such cases. In this paper two quotient graphs are proposed as effective analysis frameworks for asymmetric systems. Both rely on WN syntax extended with relational operators. The first one is an extension of the SRG that exploits local symmetries. The second technique uses linear constraints and substate inclusion in order to aggregate states. An asymmetric distributed leader-election algorithm is used as a running example.
Most analysis techniques for discrete-event systems rely on building the system state-transition graphs. A known critical issue is represented by the state-space explosion. One way to face this problem is the exploitation of behavioral symmetries. Well-formed coloured Petri nets (WN) (thanks to their particular syntax) allow the automatic building of a quotient graph, called a symbolic reachability graph (SRG), able to exploit the structural symmetries of systems. The SRG reduction power vanishes when the modeled system ...
Papers by Carlo Bellettini