
DoS Exploitation of Allen-Bradley's Legacy Protocol through Fuzz Testing

Published: 05 December 2017

Abstract

EtherNet/IP is a TCP/IP-based industrial protocol commonly used in industrial control systems (ICS). TCP/IP connectivity to the outside world has enabled ICS operators to implement more agile practices, but it has also exposed these cyber-physical systems to cyber attacks. Using a custom Scapy-based fuzzer to test for implementation flaws in the EtherNet/IP software of commercial programmable logic controllers (PLC), we uncover a previously unreported denial-of-service (DoS) vulnerability in the EtherNet/IP implementation of the Rockwell Automation/Allen-Bradley MicroLogix 1100 PLC that, if exploited, can cause the PLC to fault. ICS-CERT recently announced this vulnerability in the security advisory ICSA-17-138-03. This paper describes the vulnerability, the development of an EtherNet/IP fuzzer, and an approach to remotely monitor for faults generated while fuzzing.



Published In

ICSS 2017: Proceedings of the 3rd Annual Industrial Control System Security Workshop
December 2017
35 pages
ISBN: 9781450363334
DOI: 10.1145/3174776
Publication rights licensed to ACM. ACM acknowledges that this contribution was authored or co-authored by an employee, contractor or affiliate of the United States government. As such, the Government retains a nonexclusive, royalty-free right to publish or reproduce this article, or to allow others to do so, for Government purposes only.

    In-Cooperation

    • ACSA: Applied Computing Security Assoc

    Publisher

    Association for Computing Machinery

    New York, NY, United States


    Author Tags

    1. EtherNet/IP
    2. Industrial control system
    3. MicroLogix
    4. fuzz testing
