We were thrilled to have some of the world’s top security researchers enter the ICS world and present at S4x14. In this case, S4 veteran Darren Highfill introduced langsec pioneers Sergey Bratus and Meredith Patterson to the world of ICS, and they worked together to give a novel talk to the ICS community.
After an introduction to langsec, they look at the DNP3 protocol. They actually created a DNP3 parser using the Hammer parser generator library. But you start to see the problems, or challenges, in building a robust DNP3 protocol stack: the context dependency between the three DNP3 layers.
The money quote from the session was “Your parser two layers down from where you started parsing the packet has to be able to refer back up to its ancestor just to know how many bytes it is supposed to parse. This puts us way, way, way out into heavily context sensitive territory.” After listening to this talk it is not surprising that DNP3 protocol stacks are bug-filled.
The presenters actually worked with Adam Crain & Chris Sistrunk to analyze a specific Project Robus DNP3 protocol stack vulnerability from a langsec perspective. The DNP3 protocol requires a Transport Frame to have at least one valid APDU. Bad things happened when this was violated.
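As an added illustration of that context dependency (example code written for this post, not the Hammer-based parser from the talk): a hand-rolled Python recognizer for a single-segment DNP3 message in which each layer hands the lower one exactly the bytes the link header accounted for, and a transport segment with no application bytes behind its header is rejected before the application parser ever runs. It assumes the standard DNP3 framing (0x05 0x64 start bytes, a length field covering control, addresses and user data, a CRC-16/DNP after the header and after every 16-byte data block, a one-byte transport header); build_frame is a constructed-input helper, not part of the parser.

```python
import struct

def dnp3_crc(data: bytes) -> int:
    """CRC-16/DNP: reflected polynomial 0x3D65 (0xA6BC bit-reversed), final XOR 0xFFFF."""
    crc = 0
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ (0xA6BC if crc & 1 else 0)
    return crc ^ 0xFFFF

def parse_link(frame: bytes) -> bytes:
    """Link layer: validate start bytes, length field and every CRC; return user data."""
    if len(frame) < 10 or frame[:2] != b"\x05\x64" or frame[2] < 5:
        raise ValueError("link: bad start bytes, truncated header or length below 5")
    if dnp3_crc(frame[:8]) != struct.unpack("<H", frame[8:10])[0]:
        raise ValueError("link: header CRC mismatch")
    user_len = frame[2] - 5  # length counts control+dest+src+user data, never CRCs
    if len(frame) != 10 + user_len + 2 * ((user_len + 15) // 16):  # 16-byte blocks + CRC
        raise ValueError("link: frame size disagrees with the length field")
    user = b""
    for i in range(10, len(frame), 18):  # each data block is followed by its 2-byte CRC
        chunk = frame[i:i + 18]
        if dnp3_crc(chunk[:-2]) != struct.unpack("<H", chunk[-2:])[0]:
            raise ValueError("link: user data CRC mismatch")
        user += chunk[:-2]
    return user

def parse_transport(user: bytes) -> tuple:
    """Transport layer: FIN, FIR, sequence, payload; a header with no APDU behind it is rejected."""
    if len(user) < 2:
        raise ValueError("transport: segment carries no application data")
    return bool(user[0] & 0x80), bool(user[0] & 0x40), user[0] & 0x3F, user[1:]

def parse_application(payload: bytes) -> tuple:
    """Application layer: control byte and function code must precede any object data."""
    if len(payload) < 2:
        raise ValueError("application: fragment shorter than its header")
    return payload[0], payload[1], payload[2:]

def parse_frame(frame: bytes) -> tuple:
    fin, fir, seq, payload = parse_transport(parse_link(frame))
    return (fin, fir, seq) + parse_application(payload)

def build_frame(ctrl: int, dst: int, src: int, user: bytes) -> bytes:  # test-input encoder
    hdr = b"\x05\x64" + bytes([5 + len(user), ctrl]) + struct.pack("<HH", dst, src)
    out = hdr + struct.pack("<H", dnp3_crc(hdr))
    for i in range(0, len(user), 16):
        out += user[i:i + 16] + struct.pack("<H", dnp3_crc(user[i:i + 16]))
    return out
```

Link-only frames with no user data (length field 5) are deliberately outside what parse_frame accepts; the point here is the user-data path, where the byte count established at the link layer is what the two lower parsers must work against.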
I found myself writing down a number of notes to think about more from this session.
- Context Dependency – Do you need additional information to determine the value or meaning?
- Weird Machines – Hidden functionality unintentionally built into a device.
- You save when you throw out bad input early.
- Computational power is a privilege; don’t expose it to an attacker too early.
- If you want fast, simplify your language.