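Computer science
Embedded system
Memory address
Checksum
Cyber-physical system
Computer security
Reverse engineering
Hash function
Memory protection
Programmable logic controller
Hardware security module
Cryptography
Virtual memory
Memory management
Computer hardware
Semiconductor memory
Operating system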
Authors
Yangyang Geng, Yuqi Chen, Rongkuan Ma, Qiang Wei, Jie Pan, Jingyi Wang, Peng Cheng, Qingxian Wang
Source
Journal: IEEE Internet of Things Journal
[Institute of Electrical and Electronics Engineers]
Date: 2023-05-15
Volume (issue): 10 (10): 8331-8347
Citations: 1
Identifier
DOI: 10.1109/jiot.2022.3200127
Abstract
Cyber–physical systems (CPSs) are ubiquitous in critical infrastructures, where programmable logic controllers (PLCs) and physical components intertwine. However, multiple successful attacks targeting safety-related CPSs, in particular the PLCs, manifest their vulnerability toward malicious cyber attacks, which may cause significant damage consequently. Though several kinds of defending techniques exist in the literature, few of them can be practically and widely applied to real-world CPSs equipped with PLCs from leading vendors, primarily due to the lack of specific hardware or unrealistic defense assumptions. In this article, we propose PLC-READER, a practical memory attacks detection and response framework to secure the CPS. The core of PLC-READER includes: 1) a comprehensive semantic analysis solution specifically for PLC’s proprietary protocol based on software reverse engineering and network traffic difference analysis and 2) a fine-grained memory structure analysis solution to identify the critical memory data. Based on the results of such reverse engineering, PLC-READER further performs sanity checks for the PLC’s critical memory by periodically checking the hash values and dynamic checksum values of these memory data. We extensively evaluated PLC-READER against four types of 366 different memory attacks, with some newly developed ones which got six CVE IDs from Schneider and Rockwell, by analyzing three kinds of proprietary protocols and six kinds of memory structures in six kinds of real-world PLCs from three leading manufacturers. The results demonstrate that the PLC-READER can detect all memory attacks with an accuracy of 100% and perform corresponding emergency responses in time.