The paradigm shift of enabling extensive intercommunication between Operational Technology (OT) and Information Technology (IT) devices allows vulnerabilities typical of the IT world to propagate to the OT side. The security layer formerly provided by air gapping is therefore gone, making security patching of OT devices a hard requirement. Conventional patching requires a device reboot to load the patched code into main memory, which is not acceptable for OT devices controlling critical processes because of the resulting downtime; this necessitates in-memory vulnerability patching. Furthermore, these control binaries are often produced by in-house proprietary compilers, which further hinders patching and places reliance on OT vendors for rapid vulnerability discovery and patch development. Current state-of-the-art hotpatching approaches focus only on firmware and/or the RTOS. In this work, we therefore develop ICSPatch, a framework that automates control logic vulnerability localization using Data Dependence Graphs (DDGs). With the help of DDGs, ICSPatch pinpoints the vulnerability in the control application. As an independent second step, ICSPatch can non-intrusively hotpatch vulnerabilities in the control application directly in the main memory of Programmable Logic Controllers while maintaining reliable continuous operation. To evaluate our framework, we test ICSPatch on a synthetic dataset of 24 vulnerable control application binaries from diverse critical infrastructure sectors. Results show that ICSPatch successfully localized all vulnerabilities and generated patches accordingly. Furthermore, the patch added negligible latency to the execution cycle while maintaining correctness and protection against the vulnerability.
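As an added illustration of what localization over a data dependence graph means (example code written for this page, not ICSPatch's implementation, whose DDG construction the abstract does not describe): a backward slice from a store whose address is influenced by an external input finds the input read that a bounds check would need to guard. The toy three-address program, the `in:`/`const:` prefixes and the function names are constructed assumptions.

```python
# Added example: backward slicing over a data dependence graph (DDG) to
# localize the input read behind an attacker-influenced buffer store.
# Toy straight-line program and naming scheme are constructed, not ICSPatch's.
from collections import defaultdict

# Each entry: (pc, destination, sources). "in:" marks a value read from an
# external input (e.g. a network-writable setpoint); "const:" is a literal.
PROGRAM = [
    (0, "idx", ["in:setpoint"]),          # index derived from an external input
    (1, "scale", ["const:2"]),
    (2, "off", ["idx", "scale"]),         # off = idx * scale
    (3, "tmp", ["const:100"]),
    (4, "buf[off]", ["tmp", "off"]),      # store: value AND address are inputs
    (5, "out", ["buf[off]"]),
]

def build_ddg(program):
    """Map each pc to the pcs that define the values it reads.
    Straight-line code, so the most recent writer of a name is its definer."""
    last_def = {}
    deps = defaultdict(set)
    for pc, dst, srcs in program:
        for s in srcs:
            if s in last_def:
                deps[pc].add(last_def[s])
        last_def[dst] = pc
    return deps

def backward_slice(deps, sink_pc):
    """Set of pcs whose results flow (transitively) into sink_pc."""
    seen, work = set(), [sink_pc]
    while work:
        pc = work.pop()
        if pc in seen:
            continue
        seen.add(pc)
        work.extend(deps.get(pc, ()))
    return seen

def localize_input_sources(program, sink_pc):
    """pcs in the sink's slice that read an external input: the points where
    a missing bounds check on the value must be enforced before it is used."""
    sl = backward_slice(build_ddg(program), sink_pc)
    return sorted(pc for pc, _, srcs in program
                  if pc in sl and any(s.startswith("in:") for s in srcs))

if __name__ == "__main__":
    print("slice of store at pc 4:", sorted(backward_slice(build_ddg(PROGRAM), 4)))
    print("external inputs feeding the store:", localize_input_sources(PROGRAM, 4))
```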