BayesImposter: Bayesian Estimation Based .bss Imposter Attack on Industrial Control Systems

TL;DR

BayesImposter introduces a Bayesian estimation-based attack on industrial control systems that efficiently duplicates memory pages, enabling predictive false command injection and adversarial control with severe real-world consequences.

Contribution

This work presents a novel, domain-specific attack primitive using Bayesian estimation to efficiently duplicate memory pages in ICS cloud settings, improving over brute-force methods.

Findings

BayesImposter reduces memory usage to 4 KB from GB and attack time to 13 minutes from hours.

It successfully predicts and injects false commands into ICS PLCs, causing equipment damage.

The attack demonstrates potential for adversarial control leading to severe safety hazards.

Abstract

Over the last six years, several papers used memory deduplication to trigger various security issues, such as leaking heap-address and causing bit-flip in the physical memory. The most essential requirement for successful memory deduplication is to provide identical copies of a physical page. Recent works use a brute-force approach to create identical copies of a physical page that is an inaccurate and time-consuming primitive from the attacker's perspective. Our work begins to fill this gap by providing a domain-specific structured way to duplicate a physical page in cloud settings in the context of industrial control systems (ICSs). Here, we show a new attack primitive - \textit{BayesImposter}, which points out that the attacker can duplicate the .bss section of the target control DLL file of cloud protocols using the \textit{Bayesian estimation} technique. Our approach results in less memory (i.e., 4 KB compared to GB) and time (i.e., 13 minutes compared to hours) compared to the brute-force approach used in recent works. We point out that ICSs can be expressed as state-space models; hence, the \textit{Bayesian estimation} is an ideal choice to be combined with memory deduplication for a successful attack in cloud settings. To demonstrate the strength of \textit{BayesImposter}, we create a real-world automation platform using a scaled-down automated high-bay warehouse and industrial-grade SIMATIC S7-1500 PLC from Siemens as a target ICS. We demonstrate that \textit{BayesImposter} can predictively inject false commands into the PLC that can cause possible equipment damage with machine failure in the target ICS. Moreover, we show that \textit{BayesImposter} is capable of adversarial control over the target ICS resulting in severe consequences, such as killing a person but making it looks like an accident. Therefore, we also provide countermeasures to prevent the attack.