The Journal of Korean Institute of Communications and Information Sciences (한국통신학회논문지)

The Korean Institute of Commucations and Information Sciences (한국통신학회)
권호 표지
DOI QR코드

DOI QR Code

Vulnerability Discovery Method Based on Control Protocol Fuzzing for a Railway SCADA System

제어프로토콜 퍼징 기반 열차제어시스템 취약점 검출 기법

  • Received : 2014.01.15
  • Accepted : 2014.04.07
  • Published : 2014.04.30
Download PDF
⟨ Previous Next ⟩

Abstract

A railway SCADA system is a control systems that provide the trains with the electricity. A railway SCADA system sends commands to the RTUs(remote terminal unit) and then it gathers status information of the field devices in the RTUs or controls field devices connected with the RTUs. The RTU can controls input output modules directly, gathers the status information of the field devices connected with it, and send the information to the control center. In this way, a railway SCADA system monitors and controls the electricity power for running trains. The cyber attackers may use some vulnerabilities in the railway SCADA system software to attack critical infrastructures. The vulnerabilities might be created in the railway software development process. Therefore it need to detect and remove the vulnerabilities in the control system. In this paper we propose a new control protocol fuzzing method to detect the vulnerabilities in the DNP3 protocol based application running on VxWorks in RTU(Remote Terminal Unit) that is a component of the centralized traffic control system for railway. Debug-channel based fuzzing method is required to obtain process status information from the VxWorks.

열차전력원격감시제어시스템은 열차 운행에 필요한 전력을 공급하는 제어시스템이다. 열차전력원격감시제어시스템은 관제실에서 원격지의 RTU(Remote Terminal Unit) 장치에 제어명령을 내리면, RTU는 이를 해석하여 입출력 모듈을 제어하고, 각 입출력 모듈로부터 수집된 데이터는 사령실로 전송함으로써, 사령실에서 열차에 공급되는 전력 상태를 감시 및 제어하는 시스템이다. 본 논문은 열차전력원격감시제어시스템의 구성요소인 VxWorks 실시간 운영체제 기반의 RTU에서 동작하는 DNP3 제어프로토콜 통신 소프트웨어의 취약점을 검출하기 위한 퍼징 기술에 대하여 제안한다. VxWorks는 동작중인 프로세스의 상태를 감시하기 위한 모니터링 에이전트를 설치할 수 없기 때문에, 모니터링 에이전트 없이 프로세스의 상태 정보를 획득하기 위해서 VxWorks의 디버그 채널을 이용하였다. 또한 DNP3 제어프로토콜은 제어명령을 순서대로 전송하지 않을 경우 패킷을 무시하기 때문에 제어프로토콜 함수코드 순서를 고려한 퍼징을 수행하였다. 이러한 두 가지 기술을 이용하여 VxWorks 기반의 RTU에서 실행되는 DNP3 제어프로토콜 응용프로그램의 취약점을 시험할 수 있었다.

Keywords

References

  1. H. Yoo, J.-H. Yun, and T. Shon, "Whitelist-based anomaly detection for industrial control system security," J. KICS, vol. 38, no. 08, pp. 641-653, Aug. 2013. https://doi.org/10.7840/kics.2013.38B.8.641
  2. R. Shapiro, S. Bratus, E. Rogers, and S.W. Smith, "Identifying vulnerabilities in SCADA systems via fuzz-testing," in Proc. Critical Infrastructure Protection, pp. 57-72, Berlin Heidelberg, 2011.
  3. R. Langner, To kill a centrifuge, a technical analysis of what stuxnet's creators tried to achieve, The Langner Group, Nov. 2013.
  4. I. J. Kim, Y. J. Chung, J. Y. Koh, and D. Won, "A study on the security management for critical key infrastructure(SCADA)," J. KICS, vol. 30, no. 8C, pp. 838-848, Aug. 2005.
  5. B. Liu, L. Shi, Z. Cai, and M. Li, "Software vulnerability discovery techniques: A survey," in Proc. Multimedia Inf. Netw. Security, pp. 152-156, 2012.
  6. J. Bang and R. Ha, "Validation test codesdevelopment of static analysis tool for secure software," J. KICS, vol. 38, no. 05, pp.420-427, May 2013. https://doi.org/10.7840/kics.2013.38C.5.420
  7. B. P. Miller, L. Fredriksen, and B. So, "Anempirical study of the reliability of UNIXutilities," Commun. ACM, vol. 33, 1990.
  8. P. Oehlert, "Violating assumptions withfuzzing," IEEE Security and Privacy, vol. 3,no. 2, 2005.
  9. K. Stouffer, J. Falco, and K. Scarfone, "Guide to industrial control systems (ICS) security," NIST SP 800-82, pp. 83-98, Jun. 2011.
  10. G. Devarajan, "Unraveling SCADA protocols: Using sulley fuzzer," , 2007.
  11. A. B. M. Omar Faruk, "Testing & exploring vulnerabilities of the applications implementing DNP3 protocol," Master Thesis, KTH, 2008.
  12. S. Oh, Y. Yoon, M. Kim, and Y. Kim,"System configuration of communicationnetwork for Korean radio-based train controlsystem," Korea Soc. Precision Eng., pp.989-990, 2012.