Trustworthiness Enhancement Tools for SCADA Software and Platforms

Activity Leads: 
Industry Collaborators: Schweitzer Engineering Laboratories, Inc.

Research Summary: 

The ultimate goal of this activity was to preserve the trustworthiness of the various control systems being rolled out as part of the smart grid. These systems present a unique challenge from an IT perspective, since they 1) are fairly static devices, 2) are expected to remain in service for up to several decades, and 3) must perform their prescribed tasks in the face of both accidents and malicious intrusions. On top of all that, any security solutions installed on such systems must be lightweight enough not to get in the way of the system’s primary function.

To address those issues, we built a number of flexible, lightweight security systems operating seamlessly throughout different levels inside a control device, ranging from process-level protection to low-level network message encryption and bus message validation. The complete list of our solutions is below.

TRUST STACK LEVEL                        | OUR SOLUTION
-----------------------------------------|--------------------------------------------------------------------------------------------
Process-Level Mediation                  | ELFBac: An instrumentation system for programs that allows users to isolate and secure pieces of a binary without needing to rewrite the original program.
System Call Mediation                    | Behavior-Based Policy: Policy languages that clearly identify trustworthy behaviors, and use techniques such as context-dependent goals and isolation primitives to enforce the policy.
Kernel Host Intrusion Detection System   | Autoscopy Jr.: An intrusion detection system that lives within the OS kernel itself, monitoring for control-flow anomalies while imposing minimal overhead.
Hardened Kernel                          | grsecurity/PaX*: A set of kernel hardening patches that include additional OS protection mechanisms.
Custom Trapping Scheme                   | FlexTrap: A system that allows for variable-sized caching in the Translation Lookaside Buffer (TLB) of a system, letting users define their memory accesses to be as coarse or granular as needed.
Kernel Drivers                           | CrossingGuard: An application of traditional IP network defenses to the USB interface.
Network Hardware                         | Predictive YASIR: A low-latency message authentication system that tries to predict the plain-text content of messages and pre-send the ciphertext before receiving the entire message.

*Note that grsecurity/PaX is © Open Source Security, Inc., and is NOT a Dartmouth product, but rather a set of patches that are freely available at http://grsecurity.net.

This work produced several prototype technologies that we made available to TCIPG industry partners and that resulted in several technology transfers to Schweitzer Engineering Laboratories (SEL). In particular, SEL incorporated our Autoscopy technology into its product line of protected control devices, and the transfer of the ELFbac technology is ongoing, together with the prototype of a hardened parser for the popular DNP3 protocol.

Research Demo:

Crossing Guard: Defending Against Novel Bus Attacks: Peter Johnson, Dartmouth College, presenting work on protecting systems from novel bus attacks by creating a "firewall" for USB devices. Presented at the TCIPG Industry Workshop in November 2013.

More Information: