SABOT: Specification-based payload generation for Programmable Logic Controllers

Stephen McLaughlin, Patrick McDaniel

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

41 Scopus citations

Abstract

Programmable Logic Controllers (PLCs) drive the behavior of industrial control systems according to uploaded programs. It is now known that PLCs are vulnerable to the uploading of malicious code that can have severe physical consequences. What is not understood is whether an adversary with no knowledge of the PLC's interface to the control system can execute a damaging, targeted, or stealthy attack against a control system using the PLC. In this paper, we present SABOT, a tool that automatically maps the control instructions in a PLC to an adversary-provided specification of the target control system's behavior. This mapping recovers sufficient semantics of the PLC's internal layout to instantiate arbitrary malicious controller code. This lowers the prerequisite knowledge needed to tailor an attack to a control system. SABOT uses an incremental model checking algorithm to map a few plant devices at a time, until a mapping is found for all adversary-specified devices. At this point, a malicious payload can be compiled and uploaded to the PLC. Our evaluation shows that SABOT correctly compiles payloads for all tested control systems when the adversary correctly specifies full system behavior, and for 4 out of 5 systems in most cases where there were unspecified features. Furthermore, SABOT completed all analyses in under 2 minutes.

Original language: English (US)
Title of host publication: CCS'12 - Proceedings of the 2012 ACM Conference on Computer and Communications Security
Pages: 439-449
Number of pages: 11
DOI: https://doi.org/10.1145/2382196.2382244
State: Published - Nov 26 2012
Event: 2012 ACM Conference on Computer and Communications Security, CCS 2012 - Raleigh, NC, United States
Duration: Oct 16 2012 to Oct 18 2012

Publication series

Name: Proceedings of the ACM Conference on Computer and Communications Security
ISSN (Print): 1543-7221

Other

Other: 2012 ACM Conference on Computer and Communications Security, CCS 2012
Country: United States
City: Raleigh, NC
Period: 10/16/12 to 10/18/12

All Science Journal Classification (ASJC) codes

  • Software
  • Computer Networks and Communications

Cite this

McLaughlin, S., & McDaniel, P. (2012). SABOT: Specification-based payload generation for Programmable Logic Controllers. In CCS'12 - Proceedings of the 2012 ACM Conference on Computer and Communications Security (pp. 439-449). (Proceedings of the ACM Conference on Computer and Communications Security). https://doi.org/10.1145/2382196.2382244