Ashwin Ramaswamy

Intrusion detection for resource-constrained embedded control systems in the power grid

Abstract The power grid depends on embedded control systems or SCADA systems to function properly. Securing these systems presents unique challenges—in addition to the resource restrictions inherent to embedded devices, SCADA systems must accommodate strict timing requirements that are non-negotiable, and their massive scale greatly amplifies costs such as power consumption. Together, these constraints make the conventional approach to host intrusion detection–using a hypervisor to create a safe environment from which a monitoring entity can operate–too costly or impractical for embedded control systems in the critical infrastructure. This paper discusses the design and implementation of Autoscopy, an experimental host-based intrusion detection mechanism that operates from within the kernel and leverages its built-in tracing framework to identify control-flow anomalies, which are most often caused by rootkits that hijack kernel hooks. The paper presents the concepts underlying the original Autoscopy prototype, highlights some of the issues that arose from it, and introduces the new system, dubbed Autoscopy Jr., which addresses the issues. Tests on non-embedded systems demonstrated that the monitoring scope could be managed to limit Autoscopy Jr.’s performance impact on its host to under 5%. The paper also describes the use of an optimized probe framework to reduce overhead and the test results obtained for a hardened kernel. The results demonstrate that Autoscopy Jr.’s design and effectiveness render it uniquely suited to intrusion detection for SCADA systems.

Katana: A Hot Patching Framework for ELF Executables

Despite advances in software modularity, security, and reliability,offline patching remains the predominant form of updating or protecting commodity software. Unfortunately, the mechanics of hot patching (the process of upgrading a program while it executes) remain understudied, even though such a capability offers practical benefits for both consumer and mission-critical systems. A reliable hot patching procedure would serve particularly well by reducing the downtime necessary for critical functionality or security upgrades. Yet, hot patching also carries the risk -- real or perceived -- of leaving the system in an inconsistent state, which leads many owners to forego its benefits as too risky. In this paper, we propose a novel method for hot patching ELF binaries that supports (a) synchronized global data and code updates and (b)reasoning about the results of applying the hot patch. We propose a format, which we call a Patch Object, for encoding patches as a special type of ELF relocatable object file. Our tool, Katana, automatically creates these patch objects as a by-product of the standard source build process. Katana also allows an end-user to apply the Patch Objects to a running process. In essence, our method can be viewed as an extension of the Application Binary Interface (ABI), and we argue for its inclusion in future ABI standards.

The cake is a lie: privilege rings as a policy resource

Components of commodity OS kernels typically execute at the same privilege level. Consequently, the compromise of even a single component undermines the trustworthiness of the entire kernel and its ability to enforce separation between user-level processes. Reliably containing the extent of a compromised kernel component is a problem to which few practical solutions exist. While many approaches have been proposed to reduce the need to trust large portions of the kernel, most of these approaches represent exotic reorganizations of the hardware or OS kernel that are either not applicable to commodity systems or are relatively complex and difficult to debug in their own right (e.g., microkernels). We propose simple, natural modifications to commodity---x86---hardware that enable vertical isolation down through the kernel without the use of virtualization or major OS rewrites; specifically, extending and reinterpreting the x86 segmentation mechanism, extending the existing Current Privilege Level and Descriptor Privilege Level fields. We believe our proposal is a compelling alternative to traditional virtualization because the hardware virtualizes permissions, not I/O.

Lightweight Intrusion Detection for Resource-Constrained Embedded Control Systems

Securing embedded control systems presents a unique challenge. In addition to the resource restrictions inherent to embedded devices, embedded control systems must accommodate strict, non-negotiable timing requirements, and their massive scale greatly increases other costs such as power consumption. These constraints render conventional host-based intrusion detection – using a hypervisor to create a safe environment under which a monitoring entity can operate – costly and impractical.

Katana: Towards Patching as a Runtime Part of the Compiler-Linker-Loader Toolchain

The mechanics of hot patching the process of upgrading a program while it executes remain understudied, even though it offers capabilities that act as practical benefits for both consumer and mission-critical systems. A reliable hot patching procedure would serve particularly well by reducing the downtime necessary for critical functionality or security upgrades. However, hot patching also carries the risk-real or perceived-of leaving the system in an inconsistent state, which leads many owners to forgo its benefits as too risky; for systems where availability is critical, this decision may result in leaving systems un-patched and vulnerable. In this paper, the authors present a novel method for hot patching ELF binaries that supports synchronized global data and code updates, and reasoning about the results of applying the hot patch. In this regard, the Patch Object format was developed to encode patches as a special type of ELF re-locatable object file. The authors then built a tool, Katana, which automatically creates these patch objects as a by-product of the standard source build process. Katana also allows an end-user to apply the Patch Objects to a running process.