74 May/June 2015 Copublished by the IEEE Computer and Reliability Societies 1540-7993/15/$31.00 © 2015 IEEE
application layer message is 2,048 octets, although this size is adjustable if both ends agree on the value via out-of-band configuration.

The application layer handles messages called application data service units (ASDUs) that derive their semantics from a combination of function codes and objects. Messages can consist of zero or more object headers that follow the main application layer header (see Figure 2). Object headers describe the type and quantity of objects that follow. The beginning of the next header is discoverable only by parsing the previous one.

[Figure 1: Application | Transport | Link.] Figure 1. Abstract DNP3 communication stack. The link layer has direct access to the communication channel.

[Figure 2: Header (including function) | Header + data #1 | ... | Header + data #N.] Figure 2. DNP3 application layer messages consist of a main header and zero or more object headers and associated data.

The rules for determining object payload lengths are complex and varied. This complexity gives implementations of the DNP3 application layer a large attack surface due to potential programmer errors. For example, programmers might fail to check a payload's multiple object lengths for consistency, interpret a payload's contents differently than intended, or assume the presence of objects that are actually absent from a maliciously crafted payload. As usual in software exploitation scenarios, acting on incorrect assumptions while allocating or copying maliciously crafted payload data results in memory corruptions, which attackers can leverage to crash or control ICS processes.

Most types of valid messages require at least one object header. Notable exceptions are confirm, cold restart, warm restart, delay measurement, and record current time, which are never paired with any objects. The specification exhaustively defines which objects can be paired with which function codes.1

The vast majority of object headers can be processed independently, that is, they aren't context sensitive with regard to other object headers in the ASDU. Nonsecure DNP3 has only one notable exception to this rule: common time of occurrence fields and the measurements with which they can be paired. This combination of headers requires a common reference time header to precede one or more relative times and acts as a crude way of compressing what are normally 48-bit time stamps on measurement values.

In any protocol, there's an inherent design tradeoff between structural flexibility and attack surface, which doesn't favor cryptography. Indeed, underlying complexity or ambiguity of encoding gave rise to a variety of attacks such as Serge Vaudenay's and Daniel Bleichenbacher's as well as the more recent BEAST, CRIME, Lucky13, POODLE, BERserk, and others, which all worked around the enduring strength of the cryptographic primitives.

With its high level of flexibility, the DNP3 application layer is a poor candidate for encoding cryptographic functions. Despite the constraints placed on function and object combinations, the number of valid combinations of objects for many DNP3 function codes is practically infinite. The ability to associate multiple objects to a single function makes the DNP3 application layer powerful in terms of flexibility and bandwidth but also particularly vulnerable when it comes to parsing and processing attacker-supplied input. By contrast, SCADA protocols of similar functionality, such as IEC 60870-5-104, have more rigid application layer structures in which the function code completely defines the type of data that follows, reducing the combinatorial complexity of valid inputs (and thus the complexity of the code that must validate them). Not surprisingly, DNP3's complexity is reflected in its distribution of vulnerabilities.

Fuzzing Vulnerable Implementations
Vulnerabilities in DNP3 implementations that arise due to the protocol's complexity aren't theoretical. For nearly a decade, such vulnerabilities in DNP3 and other SCADA protocol implementations have been found by fuzzing2,3; however, little information has been made publicly available on DNP3 vulnerability specifics. A 2010 US government–funded report specifically mentioned the dire need to improve input parsing routines in DNP3 implementations without citing specific failure modes.4

The most comprehensive study of DNP3 vulnerabilities was conducted by Crain (coauthor of this article) and Chris Sistrunk from 2013 to 2014 and resulted in numerous disclosures coordinated with vendors and asset owners (www.automatak.com/robus); a small representative fraction of the raw vulnerability data was released publicly.5 We recap the results of this study here, as they pertain to DNP3 security extensions.

Examples of Vulnerabilities
Crain and Sistrunk tested the effects that crafted malformed frames could have on DNP3 implementations in master controllers and outstation (remote) equipment. Nearly all vendor products were
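The object-header parsing problems the article describes (object lengths that must be checked for consistency, objects claimed by a header but absent from the payload, and integer overflows in start/stop index handling) can be made concrete with the following added example. It is not code from the article or from any DNP3 implementation: the header layout, the two qualifier forms, and the object-size table are simplified assumptions modelled on Figure 2, and the sample ASDUs are constructed.

```c
/*
 * Added example; not code from the article or from any DNP3 implementation.
 * A bounds-checked walk over a sequence of object headers. Each header's
 * object count is derived from its start/stop indices without 16-bit
 * wraparound, and the data bytes that count implies must be present before
 * the next header is read.
 *
 * ASSUMED toy header layout (modelled on the article's Figure 2; the real
 * IEEE 1815 qualifier table has many more forms):
 *   group(1) variation(1) qualifier(1)
 *   qualifier 0x00: start(1) stop(1)
 *   qualifier 0x01: start(2) stop(2), little-endian
 * Object sizes come from a small constructed lookup table.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

enum {
    PARSE_OK        = 0,
    PARSE_TRUNCATED = -1,  /* header or its data runs past the end of the ASDU */
    PARSE_BAD_RANGE = -2,  /* stop index below start index */
    PARSE_OVERFLOW  = -3,  /* count * object size would not fit in size_t */
    PARSE_UNKNOWN   = -4   /* qualifier or group/variation not in this toy */
};

struct obj_header {
    uint8_t  group, variation, qualifier;
    uint32_t start, stop;  /* 32-bit so stop - start + 1 (max 65536) cannot wrap */
    uint32_t count;
    size_t   data_len;     /* bytes of object data following the header */
};

/* Constructed size table: bytes per object for the two group/variation pairs used below. */
static size_t object_size(uint8_t group, uint8_t variation)
{
    if (group == 1  && variation == 2) return 1;  /* hypothetical 1-byte object */
    if (group == 30 && variation == 2) return 3;  /* hypothetical 3-byte object */
    return 0;                                     /* unknown: caller rejects */
}

static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | ((uint16_t)p[1] << 8)); }

/* Parse the header at buf[*pos]; on success advance *pos past the header AND its data. */
int parse_object_header(const uint8_t *buf, size_t len, size_t *pos, struct obj_header *h)
{
    size_t p = *pos;
    if (p > len || len - p < 3) return PARSE_TRUNCATED;
    h->group = buf[p]; h->variation = buf[p + 1]; h->qualifier = buf[p + 2];
    p += 3;

    size_t range_bytes;
    if (h->qualifier == 0x00)      range_bytes = 2;
    else if (h->qualifier == 0x01) range_bytes = 4;
    else return PARSE_UNKNOWN;
    if (len - p < range_bytes) return PARSE_TRUNCATED;

    if (range_bytes == 2) { h->start = buf[p]; h->stop = buf[p + 1]; }
    else { h->start = rd16le(buf + p); h->stop = rd16le(buf + p + 2); }
    p += range_bytes;

    /* A 16-bit "stop - start + 1" wraps to 0 for start=0, stop=0xFFFF; a parser
     * that trusted it would consume no data and read attacker bytes as a header. */
    if (h->stop < h->start) return PARSE_BAD_RANGE;
    h->count = h->stop - h->start + 1;

    size_t sz = object_size(h->group, h->variation);
    if (sz == 0) return PARSE_UNKNOWN;
    if (h->count > SIZE_MAX / sz) return PARSE_OVERFLOW;
    h->data_len = (size_t)h->count * sz;
    if (len - p < h->data_len) return PARSE_TRUNCATED;  /* objects claimed but absent */

    *pos = p + h->data_len;
    return PARSE_OK;
}

/* Walk every header in the ASDU; returns the header count or a negative PARSE_* error. */
int walk_asdu(const uint8_t *buf, size_t len)
{
    size_t pos = 0;
    int n = 0;
    while (pos < len) {
        struct obj_header h;
        int rc = parse_object_header(buf, len, &pos, &h);
        if (rc != PARSE_OK) return rc;
        n++;
    }
    return n;
}

/* Constructed sample ASDUs (object-header portion only, no main header). */
const uint8_t GOOD_ASDU[] = {
    1, 2, 0x00, 0, 7,  0x01, 0x00, 0x01, 0x80, 0x01, 0x00, 0x01, 0x80,  /* 8 one-byte objects */
    30, 2, 0x00, 0, 1, 0x81, 0x10, 0x00, 0x81, 0xF4, 0x01              /* 2 three-byte objects */
};
const uint8_t WRAP_ASDU[]  = { 1, 2, 0x01, 0x00, 0x00, 0xFF, 0xFF, 0x01 }; /* start 0, stop 65535, 1 byte present */
const uint8_t RANGE_ASDU[] = { 1, 2, 0x00, 5, 2 };                          /* stop < start */

int main(void)
{
    printf("good: %d\n", walk_asdu(GOOD_ASDU, sizeof GOOD_ASDU));
    printf("wrap: %d\n", walk_asdu(WRAP_ASDU, sizeof WRAP_ASDU));
    printf("range: %d\n", walk_asdu(RANGE_ASDU, sizeof RANGE_ASDU));
    return 0;
}
```

The wraparound sample is the case to note: with start 0 and stop 0xFFFF, a count computed in a 16-bit integer is 0, so a parser would advance by zero data bytes and treat the next attacker-controlled bytes as a fresh header. Keeping the arithmetic in 32 bits and checking the implied data length against the bytes remaining closes both that case and the "claimed but absent" case in one place.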
www.computer.org/security 75
SYSTEMS SECURITY
[Figure 4: Normal request: Function + (payload bytes); Challenge: Function + nonce; Authentication: HMAC (key, request, nonce); Normal response.] Figure 4. Challenge–response message flow. Parsing of the message payload can be deferred until after authentication. HMAC is hash message authentication code.

[Figure 5: Normal objects | User ID function and CSQ | Payload ... | HMAC.] Figure 5. In aggressive mode, application data service units sandwich the payload to be processed inside an ad hoc envelope consisting of user and sequence information and a trailing message digest. The challenge sequence number (CSQ) protects messages from replay attacks.

Aggressive Mode Ambiguity
The first issue with aggressive mode request encoding is the ambiguity of the request. Normally, DNP3 message payloads can be processed solely based on the function code. In aggressive mode, the first object header must be inspected to determine whether the ASDU is a normal request or an aggressive mode request. The lack of a proper envelope for the payload data requires implementers to perform special-case parsing in multiple places to safely handle aggressive mode requests.

The most dangerous issue with aggressive mode encoding is that many implementers will naively parse the entire payload data to reach the HMAC trailer. Recall that DNP3 object headers can't normally be skipped over without at least some level of light parsing. Numerous vulnerabilities were identified in the parsing of these object headers, particularly integer overflow issues related to handling object headers that use start and stop indices. At first blush, it appears necessary to interpret the inner payload data to be able to determine the trailing HMAC's position. Fortunately, in this case, there's a nonintuitive and undocumented workaround. The HMAC object and its header are of a known size and can be speculatively parsed off the end of the ASDU. Future versions of the specification should make explicit recommendations to implementers to use this methodology for reading the aggressive mode HMAC. We note that the signing schemes for Linux's loadable kernel modules have finally converged on a similar design in which a fixed-size signature is simply appended to the end of the module object file, after a string of unsuccessful designs that attempted to use more complex formats and metadata.

Conflicting Encodings of Length
Many variable-length objects related to security functionality have inconsistent encodings between objects as well as encodings with multiple ways of representing the length of certain fields in a single object. Having two sources of truth for the lengths of certain payload elements has been a common source of implementation defects in various protocols, most recently OpenSSL's Heartbleed and the GNU TLS Hello bug, as well as classic preauthentication bugs such as OpenSSH's challenge–response vulnerability.

In DNP3, all variable-length objects are preceded by a UINT16 length that defines the entire object's length. Fixed-length fields come first in the object, and variable-length fields come last. All but the last variable-length field are preceded by their own UINT16 length field. The last field's length is implicitly established as the remainder of the envelope length. Figure 6 shows this pattern. In this encoding, the message authentication code (MAC) value length is unambiguous in the sense that there's only one way to determine its value. If the total size of the object is N and the length of all fields preceding the MAC value is P, then the length of the MAC value is N – P. However, this encoding scheme isn't applied consistently. Some objects have a preceding length field for the final variable-length field, as Figure 7 shows. Thus, there are two ways to determine the master challenge data field's length in an update key change request. In a valid encoding of this object, the entire object's length must agree with the final field's explicit length value. To complicate the issue, the specification informs implementers that they can use either method to establish the final field's length,1 which can lead to implementations that disagree on the cryptographic data's contents. If the protocol can't be redesigned to remove such encoding ambiguities, the parsing recommendation should be to always check that these two methods produce the same length value.

DNP3 SA contains a number of anti-patterns that will likely serve as a significant source of bugs. Vendors and standards bodies adding security to SCADA/ICS protocols should strongly favor a layered approach to security in which legacy protocol issues can be decoupled from SCADA object models and semantics.

Acknowledgments
This specification review was performed as part of the process of implementing it in a preexisting open source project. The DHS S&T HOST program award partially funded this work.

References
1. IEEE Std. 1815-2012, IEEE Stan-
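The aggressive mode workaround described above (take the fixed-size HMAC object off the end of the ASDU, verify it, and only then parse the inner payload) is shown in the following added example. It is not code from the article or from any DNP3 SA implementation; the envelope layout, marker bytes and field sizes are constructed approximations of Figure 5, the expected MAC is supplied by the caller in place of a real HMAC computation, and the sample ASDU is constructed. The CSQ freshness check from the Figure 5 caption is included after the MAC check.

```c
/*
 * Added example; not code from the article or from any DNP3 SA implementation.
 * Locates the aggressive mode HMAC trailer by its known fixed size at the END
 * of the ASDU, verifies it in constant time, checks the CSQ for replay, and only
 * then exposes the inner payload to the object-header parser. The inner object
 * headers are never walked to find the trailer.
 *
 * ASSUMED toy envelope (modelled on Figure 5; marker values and field sizes are
 * constructed, not the IEEE 1815 encoding):
 *   prefix : marker(1)=0xA1  user_id(2)  csq(4)   little-endian
 *   inner  : arbitrary object headers, left unparsed here
 *   trailer: marker(1)=0xA2  mac(16)
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define AGGR_MARKER 0xA1u
#define MAC_MARKER  0xA2u
#define PREFIX_LEN  7u
#define MAC_LEN     16u
#define TRAILER_LEN (1u + MAC_LEN)

enum {
    AGGR_OK             = 0,
    AGGR_NOT_AGGRESSIVE = 1,   /* no aggressive-mode header: handle as a normal request */
    AGGR_TRUNCATED      = -1,  /* cannot hold prefix + trailer, or trailer marker missing */
    AGGR_BAD_MAC        = -2,
    AGGR_REPLAY         = -3
};

struct view { const uint8_t *p; size_t n; };

/* Constant-time comparison: a mismatch must not leak where the MAC first differs. */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t d = 0;
    for (size_t i = 0; i < n; i++) d |= (uint8_t)(a[i] ^ b[i]);
    return d == 0;
}

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/*
 * expected_mac stands in for the HMAC the receiver recomputes over
 * (key, user_id, csq, inner payload); the hash itself is out of scope here.
 * last_csq is the highest CSQ already accepted for this user.
 */
int aggressive_split(const uint8_t *asdu, size_t len,
                     const uint8_t expected_mac[MAC_LEN], uint32_t last_csq,
                     struct view *inner, uint32_t *csq)
{
    if (len == 0 || asdu[0] != AGGR_MARKER) return AGGR_NOT_AGGRESSIVE;
    if (len < PREFIX_LEN + TRAILER_LEN) return AGGR_TRUNCATED;

    /* Speculative parse: the trailer sits at a fixed offset from the end. */
    const uint8_t *trailer = asdu + (len - TRAILER_LEN);
    if (trailer[0] != MAC_MARKER) return AGGR_TRUNCATED;
    if (!ct_equal(trailer + 1, expected_mac, MAC_LEN)) return AGGR_BAD_MAC;

    /* Authenticated from here on; the CSQ check then rejects replays. */
    *csq = rd32le(asdu + 3);
    if (*csq <= last_csq) return AGGR_REPLAY;

    inner->p = asdu + PREFIX_LEN;
    inner->n = len - PREFIX_LEN - TRAILER_LEN;   /* may be zero, never negative */
    return AGGR_OK;
}

/* Constructed sample: user 0x0001, CSQ 5, one 5-byte inner object header, MAC 0x10..0x1F. */
const uint8_t SAMPLE_MAC[MAC_LEN] = {
    0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,0x18,0x19,0x1A,0x1B,0x1C,0x1D,0x1E,0x1F };
const uint8_t ZERO_MAC[MAC_LEN] = {0};
const uint8_t SAMPLE_ASDU[] = {
    0xA1, 0x01, 0x00, 0x05, 0x00, 0x00, 0x00,   /* prefix: marker, user_id=1, csq=5 */
    1, 2, 0x00, 0, 3,                           /* inner: one object header, not parsed here */
    0xA2, 0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,0x18,0x19,0x1A,0x1B,0x1C,0x1D,0x1E,0x1F };

/* Wrappers returning plain values so the sample can be checked without setting up views. */
int sample_status(const uint8_t *mac, uint32_t last_csq, size_t len)
{
    struct view v; uint32_t csq;
    return aggressive_split(SAMPLE_ASDU, len, mac, last_csq, &v, &csq);
}
size_t sample_inner_len(void)
{
    struct view v = {0, 0}; uint32_t csq = 0;
    if (aggressive_split(SAMPLE_ASDU, sizeof SAMPLE_ASDU, SAMPLE_MAC, 4, &v, &csq) != AGGR_OK) return 0;
    return v.n;
}

int main(void)
{
    printf("valid: %d, inner bytes: %zu\n", sample_status(SAMPLE_MAC, 4, sizeof SAMPLE_ASDU), sample_inner_len());
    printf("bad mac: %d, replay: %d\n", sample_status(ZERO_MAC, 4, sizeof SAMPLE_ASDU),
           sample_status(SAMPLE_MAC, 5, sizeof SAMPLE_ASDU));
    return 0;
}
```

The inner payload is handed out as a slice only after the MAC and CSQ checks pass, so every object header inside it is parsed under the protection of the authenticated trailer, which is the ordering Figure 4's caption describes.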
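The length-consistency recommendation in the Conflicting Encodings of Length section (compute the final field's length as N – P from the envelope, compare it with the explicit UINT16 where one exists, and reject on disagreement) is shown in the following added example. It is not code from the article or from IEEE 1815; the fixed fields and the meaning of N (bytes following the length prefix) are assumptions modelled on the article's description of Figures 6 and 7, and the sample objects are constructed.

```c
/*
 * Added example; not code from the article or from IEEE 1815. Shows the two
 * sources of truth for a final variable-length field that the text describes
 * (the envelope remainder N - P versus an explicit UINT16) and a parser that
 * accepts the object only when they agree.
 *
 * ASSUMED toy object layout (modelled on the article's Figures 6 and 7; the
 * real secure-authentication objects differ in their fixed fields):
 *   UINT16 N          -- length of everything that follows this field (the envelope)
 *   UINT16 seq        -- fixed field
 *   UINT16 user_id    -- fixed field
 *   [UINT16 data_len] -- explicit length of the final field (Figure 7 style only)
 *   data[...]         -- final variable-length field
 * All integers little-endian, as in DNP3.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

enum { LEN_OK = 0, LEN_TRUNCATED = -1, LEN_MISMATCH = -2 };

#define FIXED_LEN 4u   /* seq + user_id */

struct field { const uint8_t *data; size_t len; };

static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | ((uint16_t)p[1] << 8)); }

/* Figure 6 style: only the envelope determines the final field's length. */
int parse_final_implicit(const uint8_t *buf, size_t len, struct field *out)
{
    if (len < 2) return LEN_TRUNCATED;
    size_t N = rd16le(buf);
    if (len - 2 < N) return LEN_TRUNCATED;   /* envelope claims bytes we do not have */
    if (N < FIXED_LEN) return LEN_TRUNCATED; /* cannot even hold the fixed fields */
    out->data = buf + 2 + FIXED_LEN;
    out->len  = N - FIXED_LEN;               /* the only source of truth */
    return LEN_OK;
}

/* Figure 7 style: both an explicit length and the envelope remainder exist. */
int parse_final_checked(const uint8_t *buf, size_t len, struct field *out)
{
    if (len < 2) return LEN_TRUNCATED;
    size_t N = rd16le(buf);
    if (len - 2 < N) return LEN_TRUNCATED;
    const size_t P = FIXED_LEN + 2;          /* fixed fields plus the explicit UINT16 */
    if (N < P) return LEN_TRUNCATED;
    size_t implicit_len = N - P;                        /* source of truth #1 */
    size_t explicit_len = rd16le(buf + 2 + FIXED_LEN);  /* source of truth #2 */
    /* Trusting explicit_len alone is the Heartbleed shape: an over-read past the
     * object. Trusting implicit_len alone lets two peers disagree on which bytes
     * were authenticated. Requiring agreement removes both failure modes. */
    if (implicit_len != explicit_len) return LEN_MISMATCH;
    out->data = buf + 2 + P;
    out->len  = implicit_len;
    return LEN_OK;
}

/* Constructed samples. */
const uint8_t OBJ_IMPLICIT[] = { 0x06,0x00, 0x01,0x00, 0x07,0x00, 0xAA,0xBB };            /* N=6, data = AA BB */
const uint8_t OBJ_CHECKED[]  = { 0x08,0x00, 0x01,0x00, 0x07,0x00, 0x02,0x00, 0xAA,0xBB };  /* N=8, explicit 2 */
const uint8_t OBJ_LIAR[]     = { 0x08,0x00, 0x01,0x00, 0x07,0x00, 0x00,0x01, 0xAA,0xBB };  /* explicit 256 */
const uint8_t OBJ_SHORT[]    = { 0x40,0x00, 0x01,0x00 };                                   /* N=64, 2 bytes present */

/* Wrappers returning plain values for checking. */
int checked_status(const uint8_t *buf, size_t len)
{ struct field f; return parse_final_checked(buf, len, &f); }
size_t checked_len(const uint8_t *buf, size_t len)
{ struct field f = {0, 0}; return parse_final_checked(buf, len, &f) == LEN_OK ? f.len : 0; }
int implicit_status(const uint8_t *buf, size_t len)
{ struct field f; return parse_final_implicit(buf, len, &f); }
size_t implicit_len_of(const uint8_t *buf, size_t len)
{ struct field f = {0, 0}; return parse_final_implicit(buf, len, &f) == LEN_OK ? f.len : 0; }

int main(void)
{
    printf("checked: %d (len %zu)\n", checked_status(OBJ_CHECKED, sizeof OBJ_CHECKED), checked_len(OBJ_CHECKED, sizeof OBJ_CHECKED));
    printf("liar: %d, short: %d\n", checked_status(OBJ_LIAR, sizeof OBJ_LIAR), checked_status(OBJ_SHORT, sizeof OBJ_SHORT));
    printf("implicit: %d (len %zu)\n", implicit_status(OBJ_IMPLICIT, sizeof OBJ_IMPLICIT), implicit_len_of(OBJ_IMPLICIT, sizeof OBJ_IMPLICIT));
    return 0;
}
```

The OBJ_LIAR sample carries an explicit length of 256 inside an 8-byte envelope; a parser that copied explicit_len bytes would read 254 bytes past the object, while one that used only the envelope would hand a differently sized challenge to the MAC computation than a peer that trusted the explicit field. Checking that both methods yield the same value is the single rule the article recommends when the encoding itself cannot be changed.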