Physics-Driven Page Fault Handling for Customized Deception against CPS Malware

Published: 28 May 2022

Abstract

Malware crafted to attack cyber-physical systems such as the electrical power grid has a physics-centric nucleus: it understands the physics of its target and uses that knowledge to guide how it initiates physical damage from a compromised industrial computer. We develop a physics-driven page fault handler in the seL4 microkernel which, in addition to reducing the page fault rate, differentiates active physics in main memory from passive physics in the backing store. We aid the identification of active physics via a CPU scheduler that tracks the evolution of active physics over time. We exploit the concept of active physics to develop deception that is customized to attack the physics-centric nucleus of the malware. We evaluated this research against a variety of malware samples and techniques, including numerous samples from publicly available repositories and custom-made academic code, and present our findings in the article. The physics data of reference pertain to an electrical substation, with a focus on a power transformer and the related industrial computer algorithms.
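The abstract describes three cooperating pieces: a page fault handler that keeps active physics resident and lets passive physics live in the backing store, a scheduler that tracks which physics is active over time, and a deception layer built on that active/passive distinction. The following is an added illustrative model in C, written for this page; it is not the paper's seL4 code and makes no claim about how the authors implemented any of these parts. It simulates a small physics page set: the scheduler hook records which pages the legitimate control task touched each tick, pages idle beyond a window are reclassified as passive and evicted, and the access path answers the control task with the real values while any other task is mapped to a decoy copy. The page count, the ACTIVE_WINDOW threshold, the trusted/untrusted flag, and all physics and decoy values are constructed assumptions for illustration. One design choice worth noting: only accesses by the trusted control task refresh a page's activity, so an untrusted task reading memory cannot promote passive physics to active and thereby learn which pages the controller is using.

```c
/* Added illustrative model of physics-driven page fault handling with
 * decoy physics for untrusted tasks. Not the paper's seL4 implementation;
 * all names, thresholds and sample values are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NPAGES 8
#define ACTIVE_WINDOW 2u   /* assumed: ticks a page may sit idle before it is passive */
#define NVALS 4

typedef enum { PAGE_PASSIVE = 0, PAGE_ACTIVE = 1 } page_state_t;
typedef enum { TASK_TRUSTED = 0, TASK_UNTRUSTED = 1 } task_trust_t;

typedef struct {
    uint32_t last_touch;     /* scheduler tick of the control task's last access */
    page_state_t state;
    bool resident;           /* true: in main memory; false: in the backing store */
    double real[NVALS];      /* physics values (constructed sample data) */
    double decoy[NVALS];     /* values served to untrusted tasks (constructed) */
} phys_page_t;

typedef struct {
    uint32_t tick;
    unsigned faults;         /* accesses that had to bring a page in */
    unsigned decoys;         /* accesses answered with decoy physics */
    phys_page_t pages[NPAGES];
} phys_mm_t;

void mm_init(phys_mm_t *mm) {
    memset(mm, 0, sizeof *mm);
    for (int p = 0; p < NPAGES; p++) {
        phys_page_t *pg = &mm->pages[p];
        pg->resident = true;             /* everything starts in main memory */
        pg->state = PAGE_ACTIVE;
        for (int i = 0; i < NVALS; i++) {
            pg->real[i]  = 100.0 * p + i;          /* constructed sample values */
            pg->decoy[i] = pg->real[i] * 0.5 + 7;  /* constructed decoy values */
        }
    }
}

/* Scheduler hook: called once per tick with the physics pages the control
 * task touched during that tick. Pages idle longer than ACTIVE_WINDOW
 * become passive and are evicted; active pages stay pinned in memory, so
 * the control loop does not fault on them. */
void sched_tick(phys_mm_t *mm, const int *touched, size_t n) {
    mm->tick++;
    for (size_t i = 0; i < n; i++)
        if (touched[i] >= 0 && touched[i] < NPAGES)
            mm->pages[touched[i]].last_touch = mm->tick;
    for (int p = 0; p < NPAGES; p++) {
        phys_page_t *pg = &mm->pages[p];
        bool idle = (mm->tick - pg->last_touch) > ACTIVE_WINDOW;
        pg->state = idle ? PAGE_PASSIVE : PAGE_ACTIVE;
        pg->resident = !idle;   /* only active physics stays resident */
    }
}

/* Access path. Returns the NVALS values the task sees, or NULL for a bad
 * page index. A fault is counted only when the page was in the backing
 * store. The trusted control task sees real physics and refreshes the
 * page's activity; any other task is served the decoy copy and does not
 * affect the active/passive classification. */
const double *page_access(phys_mm_t *mm, int page, task_trust_t who) {
    if (page < 0 || page >= NPAGES) return NULL;
    phys_page_t *pg = &mm->pages[page];
    if (!pg->resident) {
        mm->faults++;
        pg->resident = true;
    }
    if (who == TASK_TRUSTED) {
        pg->last_touch = mm->tick;
        pg->state = PAGE_ACTIVE;
        return pg->real;
    }
    mm->decoys++;
    return pg->decoy;
}

int count_active(const phys_mm_t *mm) {
    int n = 0;
    for (int p = 0; p < NPAGES; p++) n += (mm->pages[p].state == PAGE_ACTIVE);
    return n;
}

int main(void) {
    phys_mm_t mm;
    int touched[] = {0, 1};   /* the control task works on pages 0 and 1 */
    mm_init(&mm);
    for (int t = 0; t < 4; t++) sched_tick(&mm, touched, 2);
    const double *ctl = page_access(&mm, 0, TASK_TRUSTED);
    const double *mal = page_access(&mm, 0, TASK_UNTRUSTED);
    printf("active pages: %d, faults: %u, decoys: %u\n",
           count_active(&mm), mm.faults, mm.decoys);
    printf("control task sees %.1f, untrusted task sees %.1f\n", ctl[0], mal[0]);
    return 0;
}
```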

Published in

ACM Transactions on Embedded Computing Systems, Volume 21, Issue 3
May 2022
365 pages
ISSN: 1539-9087
EISSN: 1558-3465
DOI: 10.1145/3530307
Editor: Tulika Mitra

        Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery, New York, NY, United States

Publication History

Received: 1 February 2021
Revised: 1 November 2021
Accepted: 1 November 2021
Online AM: 26 January 2022
Published: 28 May 2022


Qualifiers

research-article, refereed