Search

Your search keyword '"TIPPENHAUER, NILS OLE"' showing total 232 results
Start Over Author "TIPPENHAUER, NILS OLE"

Refine your results

more »

more »

more »

more »
232 results on '"TIPPENHAUER, NILS OLE"'

1. Sensor Deprivation Attacks for Stealthy UAV Manipulation

Author

Erba, Alessandro, Castellanos, John H., Sihag, Sahil, Zonouz, Saman, and Tippenhauer, Nils Ole

Subjects
Computer Science - Cryptography and Security
Abstract

Unmanned Aerial Vehicles autonomously perform tasks with the use of state-of-the-art control algorithms. These control algorithms rely on the freshness and correctness of sensor readings. Incorrect control actions lead to catastrophic destabilization of the process. In this work, we propose a multi-part \emph{Sensor Deprivation Attacks} (SDAs), aiming to stealthily impact process control via sensor reconfiguration. In the first part, the attacker will inject messages on local buses that connect to the sensor. The injected message reconfigures the sensors, e.g.,~to suspend the sensing. In the second part, those manipulation primitives are selectively used to cause adversarial sensor values at the controller, transparently to the data consumer. In the third part, the manipulated sensor values lead to unwanted control actions (e.g. a drone crash). We experimentally investigate all three parts of our proposed attack. Our findings show that i)~reconfiguring sensors can have surprising effects on reported sensor values, and ii)~the attacker can stall the overall Kalman Filter state estimation, leading to a complete stop of control computations. As a result, the UAV becomes destabilized, leading to a crash or significant deviation from its planned trajectory (over 30 meters). We also propose an attack synthesis methodology that optimizes the timing of these SDA manipulations, maximizing their impact. Notably, our results demonstrate that these SDAs evade detection by state-of-the-art UAV anomaly detectors. Our work shows that attacks on sensors are not limited to continuously inducing random measurements, and demonstrate that sensor reconfiguration can completely stall the drone controller. In our experiments, state-of-the-art UAV controller software and countermeasures are unable to handle such manipulations. Hence, we also discuss new corresponding countermeasures.

Published
2024

2. A Scheduling-Aware Defense Against Prefetching-Based Side-Channel Attacks

Author

Schlüter, Till and Tippenhauer, Nils Ole

Subjects
Computer Science - Cryptography and Security
Abstract

Modern computer processors use microarchitectural optimization mechanisms to improve performance. As a downside, such optimizations are prone to introducing side-channel vulnerabilities. Speculative loading of memory, called prefetching, is common in real-world CPUs and may cause such side-channel vulnerabilities: Prior work has shown that it can be exploited to bypass process isolation and leak secrets, such as keys used in RSA, AES, and ECDH implementations. However, to this date, no effective and efficient countermeasure has been presented that secures software on systems with affected prefetchers. In this work, we answer the question: How can a process defend against prefetch-based side channels? We first systematize prefetching-based side-channel vulnerabilities presented in academic literature so far. Next, we design and implement PreFence, a scheduling-aware defense against these side channels that allows processes to disable the prefetcher temporarily during security-critical operations. We implement our countermeasure for an x86_64 and an ARM processor; it can be adapted to any platform that allows to disable the prefetcher. We evaluate our defense and find that our solution reliably stops prefetch leakage. Our countermeasure causes negligible performance impact while no security-relevant code is executed, and its worst case performance is comparable to completely turning off the prefetcher. The expected average performance impact depends on the security-relevant code in the application and can be negligible as we demonstrate with a simple web server application. We expect our countermeasure could widely be integrated in commodity OS, and even be extended to signal generally security-relevant code to the kernel to allow coordinated application of countermeasures.

Published
2024

3. Enabling Physical Localization of Uncooperative Cellular Devices

Author

Oh, Taekkyung, Bae, Sangwook, Ahn, Junho, Lee, Yonghwa, Hoang, Tuan Dinh, Kang, Min Suk, Tippenhauer, Nils Ole, and Kim, Yongdae

Subjects
Computer Science - Cryptography and Security
Abstract

In cellular networks, authorities may need to physically locate user devices to track criminals or illegal equipment. This process involves authorized agents tracing devices by monitoring uplink signals with cellular operator assistance. However, tracking uncooperative uplink signal sources remains challenging, even for operators and authorities. Three key challenges persist for fine-grained localization: i) devices must generate sufficient, consistent uplink traffic over time, ii) target devices may transmit uplink signals at very low power, and iii) signals from cellular repeaters may hinder localization of the target device. While these challenges pose significant practical obstacles to localization, they have been largely overlooked in existing research. This work examines the impact of these real-world challenges on cellular localization and introduces the Uncooperative Multiangulation Attack (UMA) to address them. UMA can 1) force a target device to transmit traffic continuously, 2) boost the target's signal strength to maximum levels, and 3) uniquely differentiate between signals from the target and repeaters. Importantly, UMA operates without requiring privileged access to cellular operators or user devices, making it applicable to any LTE network. Our evaluations demonstrate that UMA effectively overcomes practical challenges in physical localization when devices are uncooperative.

Published
2024

4. Why Don't You Clean Your Glasses? Perception Attacks with Dynamic Optical Perturbations

Author

Han, Yi, Chan, Matthew, Wengrowski, Eric, Li, Zhuohuan, Tippenhauer, Nils Ole, Srivastava, Mani, Zonouz, Saman, and Garcia, Luis

Subjects
Computer Science - Cryptography and Security, Computer Science - Artificial Intelligence
Abstract

Camera-based autonomous systems that emulate human perception are increasingly being integrated into safety-critical platforms. Consequently, an established body of literature has emerged that explores adversarial attacks targeting the underlying machine learning models. Adapting adversarial attacks to the physical world is desirable for the attacker, as this removes the need to compromise digital systems. However, the real world poses challenges related to the "survivability" of adversarial manipulations given environmental noise in perception pipelines and the dynamicity of autonomous systems. In this paper, we take a sensor-first approach. We present EvilEye, a man-in-the-middle perception attack that leverages transparent displays to generate dynamic physical adversarial examples. EvilEye exploits the camera's optics to induce misclassifications under a variety of illumination conditions. To generate dynamic perturbations, we formalize the projection of a digital attack into the physical domain by modeling the transformation function of the captured image through the optical pipeline. Our extensive experiments show that EvilEye's generated adversarial perturbations are much more robust across varying environmental light conditions relative to existing physical perturbation frameworks, achieving a high attack success rate (ASR) while bypassing state-of-the-art physical adversarial detection frameworks. We demonstrate that the dynamic nature of EvilEye enables attackers to adapt adversarial examples across a variety of objects with a significantly higher ASR compared to state-of-the-art physical world attack frameworks. Finally, we discuss mitigation strategies against the EvilEye attack., Comment: 15 pages, 11 figures

Published
2023

5. Microarchitectural Leakage Templates and Their Application to Cache-Based Side Channels

Author

Ibrahim, Ahmad, Nemati, Hamed, Schlüter, Till, Tippenhauer, Nils Ole, and Rossow, Christian

Subjects
Computer Science - Cryptography and Security
Abstract

The complexity of modern processor architectures has given rise to sophisticated interactions among their components. Such interactions may result in potential attack vectors in terms of side channels, possibly available to user-land exploits to leak secret data. Exploitation and countering of such side channels require a detailed understanding of the target component. However, such detailed information is commonly unpublished for many CPUs. In this paper, we introduce the concept of Leakage Templates to abstractly describe specific side channels and identify their occurrences in binary applications. We design and implement Plumber, a framework to derive the generic Leakage Templates from individual code sequences that are known to cause leakage (e.g., found by prior work). Plumber uses a combination of instruction fuzzing, instructions' operand mutation and statistical analysis to explore undocumented behavior of microarchitectural optimizations and derive sufficient conditions on vulnerable code inputs that, if hold can trigger a distinguishing behavior. Using Plumber we identified novel leakage primitives based on Leakage Templates (for ARM Cortex-A53 and -A72 cores), in particular related to previction (a new premature cache eviction), and prefetching behavior. We show the utility of Leakage Templates by re-identifying a prefetcher-based vulnerability in OpenSSL 1.1.0g first reported by Shin et al. [40].

Published
2022
Full Text
View/download PDF

6. FieldFuzz: In Situ Blackbox Fuzzing of Proprietary Industrial Automation Runtimes via the Network

Author

Bytes, Andrei, Rajput, Prashant Hari Narayan, Doumanidis, Constantine, Tippenhauer, Nils Ole, Maniatakos, Michail, and Zhou, Jianying

Subjects
Computer Science - Cryptography and Security
Abstract

Networked Programmable Logic Controllers (PLCs) are proprietary industrial devices utilized in critical infrastructure that execute control logic applications in complex proprietary runtime environments that provide standardized access to the hardware resources in the PLC. These control applications are programmed in domain-specific IEC 61131-3 languages, compiled into a proprietary binary format, and process data provided via industrial protocols. Control applications present an attack surface threatened by manipulated traffic. For example, remote code injection in a control application would directly allow to take over the PLC, threatening physical process damage and the safety of human operators. However, assessing the security of control applications is challenging due to domain-specific challenges and the limited availability of suitable methods. Network-based fuzzing is often the only way to test such devices but is inefficient without guidance from execution tracing. This work presents the FieldFuzz framework that analyzes the security risks posed by the Codesys runtime (used by over 400 devices from 80 industrial PLC vendors). FieldFuzz leverages efficient network-based fuzzing based on three main contributions: i) reverse-engineering enabled remote control of control applications and runtime components, ii) automated command discovery and status code extraction via network traffic and iii) a monitoring setup to allow on-system tracing and coverage computation. We use FieldFuzz to run fuzzing campaigns, which uncover multiple vulnerabilities, leading to three reported CVE IDs. To study the cross-platform applicability of FieldFuzz, we reproduce the findings on a diverse set of Industrial Control System (ICS) devices, showing a significant improvement over the state-of-the-art.

Published
2022

7. Identifying Near-Optimal Single-Shot Attacks on ICSs with Limited Process Knowledge

Author

Esquivel-Vargas, Herson, Castellanos, John Henry, Caselli, Marco, Tippenhauer, Nils Ole, and Peter, Andreas

Subjects
Computer Science - Cryptography and Security
Abstract

Industrial Control Systems (ICSs) rely on insecure protocols and devices to monitor and operate critical infrastructure. Prior work has demonstrated that powerful attackers with detailed system knowledge can manipulate exchanged sensor data to deteriorate performance of the process, even leading to full shutdowns of plants. Identifying those attacks requires iterating over all possible sensor values, and running detailed system simulation or analysis to identify optimal attacks. That setup allows adversaries to identify attacks that are most impactful when applied on the system for the first time, before the system operators become aware of the manipulations. In this work, we investigate if constrained attackers without detailed system knowledge and simulators can identify comparable attacks. In particular, the attacker only requires abstract knowledge on general information flow in the plant, instead of precise algorithms, operating parameters, process models, or simulators. We propose an approach that allows single-shot attacks, i.e., near-optimal attacks that are reliably shutting down a system on the first try. The approach is applied and validated on two use cases, and demonstrated to achieve comparable results to prior work, which relied on detailed system information and simulations., Comment: This paper has been accepted at Applied Cryptography and Network Security (ACNS) 2022

Published
2022

8. Security Analysis of Vendor Implementations of the OPC UA Protocol for Industrial Control Systems

Author

Erba, Alessandro, Müller, Anne, and Tippenhauer, Nils Ole

Subjects
Computer Science - Cryptography and Security
Abstract

The OPC UA protocol is an upcoming de-facto standard for building Industry 4.0 processes in Europe, and one of the few industrial protocols that promises security features to prevent attackers from manipulating and damaging critical infrastructures. Despite the importance of the protocol, challenges in the adoption of OPC UA's security features by product vendors, libraries implementing the standard, and end-users were not investigated so far. In this work, we systematically investigate 48 publicly available artifacts consisting of products and libraries for OPC UA and show that 38 out of the 48 artifacts have one (or more) security issues. In particular, we show that 7 OPC UA artifacts do not support the security features of the protocol at all. In addition, 31 artifacts that partially feature OPC UA security rely on incomplete libraries and come with misleading instructions. Consequently, relying on those products and libraries will result in vulnerable implementations of OPC UA security features. To verify our analysis, we design, implement, and demonstrate attacks in which the attacker can steal credentials exchanged between victims, eavesdrop on process information, manipulate the physical process through sensor values and actuator commands, and prevent the detection of anomalies.

Published
2021

9. White-Box Concealment Attacks Against Anomaly Detectors for Cyber-Physical Systems

Author

Erba, Alessandro, Tippenhauer, Nils Ole, Goos, Gerhard, Founding Editor, Hartmanis, Juris, Founding Editor, Bertino, Elisa, Editorial Board Member, Gao, Wen, Editorial Board Member, Steffen, Bernhard, Editorial Board Member, Yung, Moti, Editorial Board Member, Gruss, Daniel, editor, Maggi, Federico, editor, Fischer, Mathias, editor, and Carminati, Michele, editor

Published
2023
Full Text
View/download PDF

10. No Need to Know Physics: Resilience of Process-based Model-free Anomaly Detection for Industrial Control Systems

Author

Erba, Alessandro and Tippenhauer, Nils Ole

Subjects
Computer Science - Cryptography and Security, Computer Science - Machine Learning
Abstract

In recent years, a number of process-based anomaly detection schemes for Industrial Control Systems were proposed. In this work, we provide the first systematic analysis of such schemes, and introduce a taxonomy of properties that are verified by those detection systems. We then present a novel general framework to generate adversarial spoofing signals that violate physical properties of the system, and use the framework to analyze four anomaly detectors published at top security conferences. We find that three of those detectors are susceptible to a number of adversarial manipulations (e.g., spoofing with precomputed patterns), which we call Synthetic Sensor Spoofing and one is resilient against our attacks. We investigate the root of its resilience and demonstrate that it comes from the properties that we introduced. Our attacks reduce the Recall (True Positive Rate) of the attacked schemes making them not able to correctly detect anomalies. Thus, the vulnerabilities we discovered in the anomaly detectors show that (despite an original good detection performance), those detectors are not able to reliably learn physical properties of the system. Even attacks that prior work was expected to be resilient against (based on verified properties) were found to be successful. We argue that our findings demonstrate the need for both more complete attacks in datasets, and more critical analysis of process-based anomaly detectors. We plan to release our implementation as open-source, together with an extension of two public datasets with a set of Synthetic Sensor Spoofing attacks as generated by our framework., Comment: An updated version of the paper has been published at ACSAC'2022: Assessing Model-free Anomaly Detection in Industrial Control Systems Against Generic Concealment Attacks https://dl.acm.org/doi/10.1145/3564625.3564633

Published
2020

11. BLURtooth: Exploiting Cross-Transport Key Derivation in Bluetooth Classic and Bluetooth Low Energy

Author

Antonioli, Daniele, Tippenhauer, Nils Ole, Rasmussen, Kasper, and Payer, Mathias

Subjects
Computer Science - Cryptography and Security
Abstract

The Bluetooth standard specifies two transports: Bluetooth Classic (BT) for high-throughput wireless services and Bluetooth Low Energy (BLE) for very low-power scenarios. BT and BLE have dedicated pairing protocols and devices have to pair over BT and BLE to use both securely. In 2014, the Bluetooth standard (v4.2) addressed this usability issue by introducing Cross-Transport Key Derivation (CTKD). CTKD allows establishing BT and BLE pairing keys just by pairing over one of the two transports. While CTKD crosses the security boundary between BT and BLE, little is known about the internals of CTKD and its security implications. In this work, we present the first complete description of CTKD obtained by merging the scattered information from the Bluetooth standard with the results from our reverse-engineering experiments. Then, we perform a security evaluation of CTKD and uncover four cross-transport issues in its specification. We leverage these issues to design four standard-compliant attacks on CTKD enabling new ways to exploit Bluetooth (e.g., exploiting BT and BLE by targeting only one of the two). Our attacks work even if the strongest security mechanism for BT and BLE are in place, including Numeric Comparison and Secure Connections. They allow to impersonate, man-in-the-middle, and establish unintended sessions with arbitrary devices. We refer to our attacks as BLUR attacks, as they blur the security boundary between BT and BLE. We provide a low-cost implementation of the BLUR attacks and we successfully evaluate them on 14 devices with 16 unique Bluetooth chips from popular vendors. We discuss the attacks' root causes and present effective countermeasures to fix them. We disclosed our findings and countermeasures to the Bluetooth SIG in May 2020 (CVE-2020-15802), and we reported additional unmitigated issues in May 2021.

Published
2020

12. Assessing the Use of Insecure ICS Protocols via IXP Network Traffic Analysis

Author

Barbieri, Giovanni, Conti, Mauro, Tippenhauer, Nils Ole, and Turrin, Federico

Subjects
Computer Science - Cryptography and Security, Computer Science - Networking and Internet Architecture
Abstract

Modern Industrial Control Systems (ICSs) allow remote communication through the Internet using industrial protocols that were not designed to work with external networks. To understand security issues related to this practice, prior work usually relies on active scans by researchers or services such as Shodan. While such scans can identify publicly open ports, they cannot identify legitimate use of insecure industrial traffic. In particular, source-based filtering in Network Address Translation or Firewalls prevent detection by active scanning, but do not ensure that insecure communication is not manipulated in transit. In this work, we compare Shodan-only analysis with large-scale traffic analysis at a local Internet Exchange Point (IXP), based on sFlow sampling. This setup allows us to identify ICS endpoints actually exchanging industrial traffic over the Internet. Besides, we are able to detect scanning activities and what other type of traffic is exchanged by the systems (i.e., IT traffic). We find that Shodan only listed less than 2% of hosts that we identified as exchanging industrial traffic, and only 7% of hosts identified by Shodan actually exchange industrial traffic. Therefore, Shodan do not allow to understand the actual use of insecure industrial protocols on the Internet and the current security practices in ICS communications. We show that 75.6% of ICS hosts still rely on unencrypted communications without integrity protection, leaving those critical systems vulnerable to malicious attacks.

Published
2020

13. Decentralized Privacy-Preserving Proximity Tracing

Author

Troncoso, Carmela, Payer, Mathias, Hubaux, Jean-Pierre, Salathé, Marcel, Larus, James, Bugnion, Edouard, Lueks, Wouter, Stadler, Theresa, Pyrgelis, Apostolos, Antonioli, Daniele, Barman, Ludovic, Chatel, Sylvain, Paterson, Kenneth, Čapkun, Srdjan, Basin, David, Beutel, Jan, Jackson, Dennis, Roeschlin, Marc, Leu, Patrick, Preneel, Bart, Smart, Nigel, Abidin, Aysajan, Gürses, Seda, Veale, Michael, Cremers, Cas, Backes, Michael, Tippenhauer, Nils Ole, Binns, Reuben, Cattuto, Ciro, Barrat, Alain, Fiore, Dario, Barbosa, Manuel, Oliveira, Rui, and Pereira, José

Subjects
Computer Science - Cryptography and Security, Computer Science - Computers and Society
Abstract

This document describes and analyzes a system for secure and privacy-preserving proximity tracing at large scale. This system, referred to as DP3T, provides a technological foundation to help slow the spread of SARS-CoV-2 by simplifying and accelerating the process of notifying people who might have been exposed to the virus so that they can take appropriate measures to break its transmission chain. The system aims to minimise privacy and security risks for individuals and communities and guarantee the highest level of data protection. The goal of our proximity tracing system is to determine who has been in close physical proximity to a COVID-19 positive person and thus exposed to the virus, without revealing the contact's identity or where the contact occurred. To achieve this goal, users run a smartphone app that continually broadcasts an ephemeral, pseudo-random ID representing the user's phone and also records the pseudo-random IDs observed from smartphones in close proximity. When a patient is diagnosed with COVID-19, she can upload pseudo-random IDs previously broadcast from her phone to a central server. Prior to the upload, all data remains exclusively on the user's phone. Other users' apps can use data from the server to locally estimate whether the device's owner was exposed to the virus through close-range physical proximity to a COVID-19 positive person who has uploaded their data. In case the app detects a high risk, it will inform the user., Comment: 46 pages, 6 figures, first published 3 April 2020 on https://github.com/DP-3T/documents where companion documents and code can be found

Published
2020

14. Constrained Concealment Attacks against Reconstruction-based Anomaly Detectors in Industrial Control Systems

Author

Erba, Alessandro, Taormina, Riccardo, Galelli, Stefano, Pogliani, Marcello, Carminati, Michele, Zanero, Stefano, and Tippenhauer, Nils Ole

Subjects
Computer Science - Cryptography and Security, Computer Science - Machine Learning
Abstract

Recently, reconstruction-based anomaly detection was proposed as an effective technique to detect attacks in dynamic industrial control networks. Unlike classical network anomaly detectors that observe the network traffic, reconstruction-based detectors operate on the measured sensor data, leveraging physical process models learned a priori. In this work, we investigate different approaches to evade prior-work reconstruction-based anomaly detectors by manipulating sensor data so that the attack is concealed. We find that replay attacks (commonly assumed to be very strong) show bad performance (i.e., increasing the number of alarms) if the attacker is constrained to manipulate less than 95% of all features in the system, as hidden correlations between the features are not replicated well. To address this, we propose two novel attacks that manipulate a subset of the sensor readings, leveraging learned physical constraints of the system. Our attacks feature two different attacker models: A white box attacker, which uses an optimization approach with a detection oracle, and a black box attacker, which uses an autoencoder to translate anomalous data into normal data. We evaluate our implementation on two different datasets from the water distribution domain, showing that the detector's Recall drops from 0.68 to 0.12 by manipulating 4 sensors out of 82 in WADI dataset. In addition, we show that our black box attacks are transferable to different detectors: They work against autoencoder-, LSTM-, and CNN-based detectors. Finally, we implement and demonstrate our attacks on a real industrial testbed to demonstrate their feasibility in real-time., Comment: Proceedings of the Annual Computer Security Applications Conference (ACSAC) 2020

Published
2019
Full Text
View/download PDF

15. Challenges for Security Assessment of Enterprises in the IoT Era

Author

Mathov, Yael, Agmon, Noga, Shabtai, Asaf, Puzis, Rami, Tippenhauer, Nils Ole, and Elovici, Yuval

Subjects
Computer Science - Cryptography and Security
Abstract

For years, attack graphs have been an important tool for security assessment of enterprise networks, but IoT devices, a new player in the IT world, might threat the reliability of this tool. In this paper, we review the challenges that must be addressed when using attack graphs to model and analyze enterprise networks that include IoT devices. In addition, we propose novel ideas and countermeasures aimed at addressing these challenges., Comment: 11 pages, 4 figures, 1 table

Published
2019

16. HADES-IoT: A Practical Host-Based Anomaly Detection System for IoT Devices (Extended Version)

Author

Breitenbacher, Dominik, Homoliak, Ivan, Aung, Yan Lin, Tippenhauer, Nils Ole, and Elovici, Yuval

Subjects
Computer Science - Cryptography and Security
Abstract

Internet of Things (IoT) devices have become ubiquitous and are spread across many application domains including the industry, transportation, healthcare, and households. However, the proliferation of the IoT devices has raised the concerns about their security, especially when observing that many manufacturers focus only on the core functionality of their products due to short time to market and low-cost pressures, while neglecting security aspects. Moreover, it does not exist any established or standardized method for measuring and ensuring the security of IoT devices. Consequently, vulnerabilities are left untreated, allowing attackers to exploit IoT devices for various purposes, such as compromising privacy, recruiting devices into a botnet, or misusing devices to perform cryptocurrency mining. In this paper, we present a practical Host-based Anomaly DEtection System for IoT (HADES-IoT) that represents the last line of defense. HADES-IoT has proactive detection capabilities, provides tamper-proof resistance, and it can be deployed on a wide range of Linux-based IoT devices. The main advantage of HADES-IoT is its low performance overhead, which makes it suitable for the IoT domain, where state-of-the-art approaches cannot be applied due to their high-performance demands. We deployed HADES-IoT on seven IoT devices to evaluate its effectiveness and performance overhead. Our experiments show that HADES-IoT achieved 100% effectiveness in the detection of current IoT malware such as VPNFilter and IoTReaper; while on average, requiring only 5.5% of available memory and causing only a low CPU load.

Published
2019

18. Taking Control: Design and Implementation of Botnets for Cyber-Physical Attacks with CPSBot

Author

Antonioli, Daniele, Bernieri, Giuseppe, and Tippenhauer, Nils Ole

Subjects
Computer Science - Cryptography and Security
Abstract

Recently, botnets such as Mirai and Persirai targeted IoT devices on a large scale. We consider attacks by botnets on cyber-physical systems (CPS), which require advanced capabilities such as controlling the physical processes in real-time. Traditional botnets are not suitable for this goal mainly because they lack process control capabilities, are not optimized for low latency communication, and bots generally do not leverage local resources. We argue that such attacks would require cyber-physical botnets. A cyber-physical botnet needs coordinated and heterogeneous bots, capable of performing adversarial control strategies while subject to the constraints of the target CPS. In this work, we present CPSBot, a framework to build cyber-physical botnets. We present an example of a centralized CPSBot targeting a centrally controlled system and a decentralized CPSBot targeting a system distributed control. We implemented the former CPSBot using MQTT for the C&C channel and Modbus/TCP as the target network protocol and we used it to launch several attacks on real and simulated Water Distribution. We evaluate our implementation with distributed reply and distributed impersonation attacks on a CPS, and show that malicious control with negligible latency is possible.

Published
2018

19. Hide and Seek: An Architecture for Improving Attack-Visibility in Industrial Control Systems

Author

Giraldo, Jairo, Urbina, David, Cardenas, Alvaro A, and Tippenhauer, Nils Ole

Subjects
Artificial Intelligence & Image Processing
Abstract

In the past years we have seen an emerging field of research focusing on using the “physics” of a Cyber-Physical System to detect attacks. In its basic form, a security monitor is deployed somewhere in the industrial control network, observes a time-series of the operation of the system, and identifies anomalies in those measurements in order to detect potentially manipulated control commands or manipulated sensor readings. While there is a growing literature on detection mechanisms in that research direction, the problem of where to monitor the physical behavior of the system has received less attention. In this paper, we analyze the problem of where should we monitor these systems, and what attacks can and cannot be detected depending on the location of this network monitor. The location of the monitor is particularly important, because an attacker can bypass attack-detection by lying in some network interfaces while reporting that everything is normal in the others. Our paper is the first detailed study of what can and cannot be detected based on the devices an attacker has compromised and where we monitor our network. We show that there are locations that maximize our visibility against such attacks. Based on our analysis, we design a low-level security monitor that is able to directly observe the field communication between sensors, actuators, and Programmable Logic Controllers (PLCs). We implement that security monitor in a realistic testbed, and demonstrate that it can detect attacks that would otherwise be undetected at the supervisory network.

Published
2019

20. Detection of Unauthorized IoT Devices Using Machine Learning Techniques

Author

Meidan, Yair, Bohadana, Michael, Shabtai, Asaf, Ochoa, Martin, Tippenhauer, Nils Ole, Guarnizo, Juan Davis, and Elovici, Yuval

Subjects
Computer Science - Cryptography and Security, Computer Science - Computer Vision and Pattern Recognition, H.2.8, C.2.5, K.6.5
Abstract

Security experts have demonstrated numerous risks imposed by Internet of Things (IoT) devices on organizations. Due to the widespread adoption of such devices, their diversity, standardization obstacles, and inherent mobility, organizations require an intelligent mechanism capable of automatically detecting suspicious IoT devices connected to their networks. In particular, devices not included in a white list of trustworthy IoT device types (allowed to be used within the organizational premises) should be detected. In this research, Random Forest, a supervised machine learning algorithm, was applied to features extracted from network traffic data with the aim of accurately identifying IoT device types from the white list. To train and evaluate multi-class classifiers, we collected and manually labeled network traffic data from 17 distinct IoT devices, representing nine types of IoT devices. Based on the classification of 20 consecutive sessions and the use of majority rule, IoT device types that are not on the white list were correctly detected as unknown in 96% of test cases (on average), and white listed device types were correctly classified by their actual types in 99% of cases. Some IoT device types were identified quicker than others (e.g., sockets and thermostats were successfully detected within five TCP sessions of connecting to the network). Perfect detection of unauthorized IoT device types was achieved upon analyzing 110 consecutive sessions; perfect classification of white listed types required 346 consecutive sessions, 110 of which resulted in 99.49% accuracy. Further experiments demonstrated the successful applicability of classifiers trained in one location and tested on another. In addition, a discussion is provided regarding the resilience of our machine learning-based IoT white listing method to adversarial attacks.

Published
2017

21. On Ladder Logic Bombs in Industrial Control Systems

Author

Govil, Naman, Agrawal, Anand, and Tippenhauer, Nils Ole

Subjects
Computer Science - Cryptography and Security
Abstract

In industrial control systems, devices such as Programmable Logic Controllers (PLCs) are commonly used to directly interact with sensors and actuators, and perform local automatic control. PLCs run software on two different layers: a) firmware (i.e. the OS) and b) control logic (processing sensor readings to determine control actions). In this work, we discuss ladder logic bombs, i.e. malware written in ladder logic (or one of the other IEC 61131-3-compatible languages). Such malware would be inserted by an attacker into existing control logic on a PLC, and either persistently change the behavior, or wait for specific trigger signals to activate malicious behaviour. For example, the LLB could replace legitimate sensor readings with manipulated values. We see the concept of LLBs as a generalization of attacks such as the Stuxnet attack. We introduce LLBs on an abstract level, and then demonstrate several designs based on real PLC devices in our lab. In particular, we also focus on stealthy LLBs, i.e. LLBs that are hard to detect by human operators manually validating the program running in PLCs. In addition to introducing vulnerabilities on the logic layer, we also discuss countermeasures and we propose two detection techniques., Comment: 11 pages, 14 figures, 2 tables, 1 algorithm

Published
2017

22. Gamifying Education and Research on ICS Security: Design, Implementation and Results of S3

Author

Antonioli, Daniele, Ghaeini, Hamid Reza, Adepu, Sridhar, Ochoa, Martín, and Tippenhauer, Nils Ole

Subjects
Computer Science - Cryptography and Security
Abstract

In this work, we consider challenges relating to security for Industrial Control Systems (ICS) in the context of ICS security education and research targeted both to academia and industry. We propose to address those challenges through gamified attack training and countermeasure evaluation. We tested our proposed ICS security gamification idea in the context of the (to the best of our knowledge) first Capture-The-Flag (CTF) event targeted to ICS security called SWaT Security Showdown (S3). Six teams acted as attackers in a security competition leveraging an ICS testbed, with several academic defense systems attempting to detect the ongoing attacks. The event was conducted in two phases. The online phase (a jeopardy-style CTF) served as a training session. The live phase was structured as an attack-defense CTF. We acted as judges and we assigned points to the attacker teams according to a scoring system that we developed internally based on multiple factors, including realistic attacker models. We conclude the paper with an evaluation and discussion of the S3, including statistics derived from the data collected in each phase of S3.

Published
2017

23. CPDY: Extending the Dolev-Yao Attacker with Physical-Layer Interactions

Author

Rocchetto, Marco and Tippenhauer, Nils Ole

Subjects
Computer Science - Cryptography and Security
Abstract

We propose extensions to the Dolev-Yao attacker model to make it suitable for arguments about security of Cyber-Physical Systems. The Dolev-Yao attacker model uses a set of rules to define potential actions by an attacker with respect to messages (i.e. information) exchanged between parties during a protocol execution. As the traditional Dolev-Yao model considers only information (exchanged over a channel controlled by the attacker), the model cannot directly be used to argue about the security of cyber-physical systems where physical-layer interactions are possible. Our Dolev-Yao extension, called cyber-physical Dolev-Yao (CPDY) attacker model, allows additional orthogonal interaction channels between the parties. In particular, such orthogonal channels can be used to model physical-layer mechanical, chemical, or electrical interactions between components. In addition, we discuss the inclusion of physical properties such as location or distance in the rule set. We present an example set of additional rules for the Dolev-Yao attacker, using those we are able to formally discover physical attacks that previously could only be found by empirical methods or detailed physical process models.

Published
2016

25. MiniCPS: A toolkit for security research on CPS Networks

Author

Antonioli, Daniele and Tippenhauer, Nils Ole

Subjects
Computer Science - Networking and Internet Architecture, Computer Science - Cryptography and Security
Abstract

In recent years, tremendous effort has been spent to modernizing communication infrastructure in Cyber-Physical Systems (CPS) such as Industrial Control Systems (ICS) and related Supervisory Control and Data Acquisition (SCADA) systems. While a great amount of research has been conducted on network security of office and home networks, recently the security of CPS and related systems has gained a lot of attention. Unfortunately, real-world CPS are often not open to security researchers, and as a result very few reference systems and topologies are available. In this work, we present MiniCPS, a CPS simulation toolbox intended to alleviate this problem. The goal of MiniCPS is to create an extensible, reproducible research environment targeted to communications and physical-layer interactions in CPS. MiniCPS builds on Mininet to provide lightweight real-time network emulation, and extends Mininet with tools to simulate typical CPS components such as programmable logic controllers, which use industrial protocols (Ethernet/IP, Modbus/TCP). In addition, MiniCPS defines a simple API to enable physical-layer interaction simulation. In this work, we demonstrate applications of MiniCPS in two example scenarios, and show how MiniCPS can be used to develop attacks and defenses that are directly applicable to real systems., Comment: 8 pages, 6 figures, 1 code listing

Published
2015

27. Automatic Generation of Security Argument Graphs

Author

Tippenhauer, Nils Ole, Temple, William G., Vu, An Hoa, Chen, Binbin, Nicol, David M., Kalbarczyk, Zbigniew, and Sanders, William H.

Subjects
Computer Science - Cryptography and Security
Abstract

Graph-based assessment formalisms have proven to be useful in the safety, dependability, and security communities to help stakeholders manage risk and maintain appropriate documentation throughout the system lifecycle. In this paper, we propose a set of methods to automatically construct security argument graphs, a graphical formalism that integrates various security-related information to argue about the security level of a system. Our approach is to generate the graph in a progressive manner by exploiting logical relationships among pieces of diverse input information. Using those emergent argument patterns as a starting point, we define a set of extension templates that can be applied iteratively to grow a security argument graph. Using a scenario from the electric power sector, we demonstrate the graph generation process and highlight its application for system security evaluation in our prototype software tool, CyberSAGE., Comment: 10 pages, 8 figures, 1 table and 2 algorithms

Published
2014

28. Location Proximity Attacks Against Mobile Targets: Analytical Bounds and Attacker Strategies

Author

Wang, Xueou, Hou, Xiaolu, Rios, Ruben, Hallgren, Per, Tippenhauer, Nils Ole, Ochoa, Martín, Hutchison, David, Series Editor, Kanade, Takeo, Series Editor, Kittler, Josef, Series Editor, Kleinberg, Jon M., Series Editor, Mattern, Friedemann, Series Editor, Mitchell, John C., Series Editor, Naor, Moni, Series Editor, Pandu Rangan, C., Series Editor, Steffen, Bernhard, Series Editor, Terzopoulos, Demetri, Series Editor, Tygar, Doug, Series Editor, Weikum, Gerhard, Series Editor, Lopez, Javier, editor, Zhou, Jianying, editor, and Soriano, Miguel, editor

Published
2018
Full Text
View/download PDF

29. On Ladder Logic Bombs in Industrial Control Systems

Author

Govil, Naman, Agrawal, Anand, Tippenhauer, Nils Ole, Hutchison, David, Series editor, Kanade, Takeo, Series editor, Kittler, Josef, Series editor, Kleinberg, Jon M., Series editor, Mattern, Friedemann, Series editor, Mitchell, John C., Series editor, Naor, Moni, Series editor, Pandu Rangan, C., Series editor, Steffen, Bernhard, Series editor, Terzopoulos, Demetri, Series editor, Tygar, Doug, Series editor, Weikum, Gerhard, Series editor, Katsikas, Sokratis K., editor, Cuppens, Frédéric, editor, Cuppens, Nora, editor, Lambrinoudakis, Costas, editor, Kalloniatis, Christos, editor, Mylopoulos, John, editor, Antón, Annie, editor, and Gritzalis, Stefanos, editor

Published
2018
Full Text
View/download PDF

30. Practical Evaluation of Passive COTS Eavesdropping in 802.11b/n/ac WLAN

Author

Antonioli, Daniele, Siby, Sandra, Tippenhauer, Nils Ole, Hutchison, David, Series Editor, Kanade, Takeo, Series Editor, Kittler, Josef, Series Editor, Kleinberg, Jon M., Series Editor, Mattern, Friedemann, Series Editor, Mitchell, John C., Series Editor, Naor, Moni, Series Editor, Pandu Rangan, C., Series Editor, Steffen, Bernhard, Series Editor, Terzopoulos, Demetri, Series Editor, Tygar, Doug, Series Editor, Weikum, Gerhard, Series Editor, Capkun, Srdjan, editor, and Chow, Sherman S. M., editor

Published
2018
Full Text
View/download PDF

34. Link-Layer Device Type Classification on Encrypted Wireless Traffic with COTS Radios

Author

Maiti, Rajib Ranjan, Siby, Sandra, Sridharan, Ragav, Tippenhauer, Nils Ole, Hutchison, David, Series Editor, Kanade, Takeo, Series Editor, Kittler, Josef, Series Editor, Kleinberg, Jon M., Series Editor, Mattern, Friedemann, Series Editor, Mitchell, John C., Series Editor, Naor, Moni, Series Editor, Pandu Rangan, C., Series Editor, Steffen, Bernhard, Series Editor, Terzopoulos, Demetri, Series Editor, Tygar, Doug, Series Editor, Weikum, Gerhard, Series Editor, Foley, Simon N., editor, Gollmann, Dieter, editor, and Snekkenes, Einar, editor

Published
2017
Full Text
View/download PDF

35. Legacy-Compliant Data Authentication for Industrial Control System Traffic

Author

Castellanos, John Henry, Antonioli, Daniele, Tippenhauer, Nils Ole, Ochoa, Martín, Hutchison, David, Series editor, Kanade, Takeo, Series editor, Kittler, Josef, Series editor, Kleinberg, Jon M., Series editor, Mattern, Friedemann, Series editor, Mitchell, John C., Series editor, Naor, Moni, Series editor, Pandu Rangan, C., Series editor, Steffen, Bernhard, Series editor, Terzopoulos, Demetri, Series editor, Tygar, Doug, Series editor, Weikum, Gerhard, Series editor, Gollmann, Dieter, editor, Miyaji, Atsuko, editor, and Kikuchi, Hiroaki, editor

Published
2017
Full Text
View/download PDF

37. On Attacker Models and Profiles for Cyber-Physical Systems

Author

Rocchetto, Marco, Tippenhauer, Nils Ole, Hutchison, David, Series editor, Kanade, Takeo, Series editor, Kittler, Josef, Series editor, Kleinberg, Jon M., Series editor, Mattern, Friedemann, Series editor, Mitchell, John C., Series editor, Naor, Moni, Series editor, Pandu Rangan, C., Series editor, Steffen, Bernhard, Series editor, Terzopoulos, Demetri, Series editor, Tygar, Doug, Series editor, Weikum, Gerhard, Series editor, Askoxylakis, Ioannis, editor, Ioannidis, Sotiris, editor, Katsikas, Sokratis, editor, and Meadows, Catherine, editor

Published
2016
Full Text
View/download PDF

38. The Right Tool for the Job: A Case for Common Input Scenarios for Security Assessment

Author

Dong, Xinshu, Jauhar, Sumeet, Temple, William G., Chen, Binbin, Kalbarczyk, Zbigniew, Sanders, William H., Tippenhauer, Nils Ole, Nicol, David M., Hutchison, David, Series editor, Kanade, Takeo, Series editor, Kittler, Josef, Series editor, Kleinberg, Jon M., Series editor, Mattern, Friedemann, Series editor, Mitchell, John C., Series editor, Naor, Moni, Series editor, Pandu Rangan, C., Series editor, Steffen, Bernhard, Series editor, Terzopoulos, Demetri, Series editor, Tygar, Doug, Series editor, Weikum, Gerhard, Series editor, Kordy, Barbara, editor, Ekstedt, Mathias, editor, and Kim, Dong Seong, editor

Published
2016
Full Text
View/download PDF

44. High-Fidelity Cyber and Physical Simulation of Water Distribution Systems. I: Models and Data

Author

Murillo, Andrés (author), Taormina, R. (author), Tippenhauer, Nils Ole (author), Salaorni, Davide (author), van Dijk, Robert (author), Jonker, Luc (author), Vos, Simcha (author), Weyns, Maarten (author), Galelli, Stefano (author), Murillo, Andrés (author), Taormina, R. (author), Tippenhauer, Nils Ole (author), Salaorni, Davide (author), van Dijk, Robert (author), Jonker, Luc (author), Vos, Simcha (author), Weyns, Maarten (author), and Galelli, Stefano (author)

Abstract

Numerical simulation models are a fundamental tool for planning and managing smart water networks—an evolution of water distribution systems in which physical assets are monitored and controlled by information and communication technologies. While simulation models allow us to understand the interactions between physical processes and abstract control strategies, they ignore key implementation aspects of distributed control systems, such as the required communication over digital links. As a result, the effects of anomalies and faults in the communication on the process control cannot be investigated with existing tools. In this work, we fill this gap by introducing DHALSIM (Digital HydrAuLic SIMulator), a numerical modelling platform combining EPANET-based process simulation with a network and host emulation environment, offering a high-fidelity representation of the processes occurring in the cyber domain. We illustrate DHALSIM’s key functionalities by implementing it on a benchmark water distribution system, present case studies of simulated network traffic, and demonstrate how anomalies in the behavior of the communication network affect the process data received by the supervisory control and data acquisition (SCADA) server. In a companion paper, we further illustrate how DHALSIM enables research opportunities in the domain of cyber-physical security. The easily customizable and open source DHALSIM provides a “workbench” for studying smart water networks, developing digital twins, and designing a broad spectrum of engineering solutions., Green Open Access added to TU Delft Institutional Repository 'You share, we take care!' - Taverne project https://www.openaccess.nl/en/you-share-we-take-care Otherwise as indicated in the copyright section: the publisher is the copyright holder of this work and the author uses the Dutch legislation to make this work public., Sanitary Engineering

Published
2023
Full Text
View/download PDF

45. High-fidelity cyber and physical simulation of water distribution systems. II: Enabling cyber-physical attack localization

Author

Murillo, Andrés (author), Taormina, R. (author), Tippenhauer, Nils Ole (author), Galelli, Stefano (author), Murillo, Andrés (author), Taormina, R. (author), Tippenhauer, Nils Ole (author), and Galelli, Stefano (author)

Abstract

A fundamental problem in the realm of cyber-physical security of smart water networks is attack detection, a key step towards designing adequate countermeasures. This task is typically carried out by algorithms that analyze time series of process data. However, the nature of the data available to develop these algorithms limits their capabilities: by relying on process data only, one cannot distinguish a cyber-attack from the failure of a system’s component or identify the root cause of an attack. Here, we show that these limitations can be addressed through the joint analysis of process and network data—with the latter representing the information exchanged between the components constituting the Industrial Control System, such as sensors and Programmable Logic Controllers (PLCs). For this purpose, we utilize a dataset generated by digital hydraulic simulator (DHALSIM)—a numerical modelling platform built on a two-way interaction between EPANET version 2.2 and a network emulation tool—which is extended here to include a framework for launching cyber-physical attacks. This paper presents a dataset with realistic network information of a smart water network under cyber-physical attacks and presents an analysis of how that information can enable the development of better intrusion detection systems that can localize and identify attacks. Through this analysis, the dataset provided here, and the open-source availability of DHALSIM, our work paves the way to a novel class of analytics for actionable detection., Green Open Access added to TU Delft Institutional Repository ‘You share, we take care!’ – Taverne project https://www.openaccess.nl/en/you-share-we-take-care Otherwise as indicated in the copyright section: the publisher is the copyright holder of this work and the author uses the Dutch legislation to make this work public., Sanitary Engineering

Published
2023
Full Text
View/download PDF

47. CyberSAGE: A Tool for Automatic Security Assessment of Cyber-Physical Systems

Author

Vu, An Hoa, Tippenhauer, Nils Ole, Chen, Binbin, Nicol, David M., Kalbarczyk, Zbigniew, Hutchison, David, Series editor, Kanade, Takeo, Series editor, Kittler, Josef, Series editor, Kleinberg, Jon M., Series editor, Kobsa, Alfred, Series editor, Mattern, Friedemann, Series editor, Mitchell, John C., Series editor, Naor, Moni, Series editor, Nierstrasz, Oscar, Series editor, Pandu Rangan, C., Series editor, Steffen, Bernhard, Series editor, Terzopoulos, Demetri, Series editor, Tygar, Doug, Series editor, Weikum, Gerhard, Series editor, Norman, Gethin, editor, and Sanders, William, editor

Published
2014
Full Text
View/download PDF

50. Design and Implementation of a Terrorist Fraud Resilient Distance Bounding System

Author

Ranganathan, Aanjhan, Tippenhauer, Nils Ole, Škorić, Boris, Singelée, Dave, Čapkun, Srdjan, Hutchison, David, editor, Kanade, Takeo, editor, Kittler, Josef, editor, Kleinberg, Jon M., editor, Mattern, Friedemann, editor, Mitchell, John C., editor, Naor, Moni, editor, Nierstrasz, Oscar, editor, Pandu Rangan, C., editor, Steffen, Bernhard, editor, Sudan, Madhu, editor, Terzopoulos, Demetri, editor, Tygar, Doug, editor, Vardi, Moshe Y., editor, Weikum, Gerhard, editor, Foresti, Sara, editor, Yung, Moti, editor, and Martinelli, Fabio, editor

Published
2012
Full Text
View/download PDF

Catalog

Books, media, physical & digital resources
See catalog results