SCADA (Supervisory Control and Data Acquisition) systems

Transcription

1 Proceeings of the 2013 Feerate Conference on Computer Science an Information Systems pp Improving security in SCADA systems through firewall policy analysis Onrej Rysavy Jaroslav Rab Miroslav Svea Faculty of Information Technology Brno University of Technology, Brno, Czech Republic {rysavy, rabj, Abstract Moern SCADA networks are connecte to both the companys enterprise network an the Internet. Because these inustrial systems often control critical processes the cybersecurity requirements become a priority for their esign. This paper eals with the network security in SCADA environment implemente by firewall evices. We propose a metho for verification of firewall configurations against a security policy to etect an reveal potential holes in implemente rule sets. We present a straightforwar verification metho base on representation of a firewall configuration as a set of logical formulas suitable for automate analysis using SAT/SMT tools. We emonstrate how such configuration can be analyze for security policy violation that can be inferre from a security policy specification of an inustrial automation system. I. INTRODUCTION SCADA (Supervisory Control an Data Acquisition systems are commonly eploye to continuously monitor an control inustrial processes to assure proper functioning, by automating telemetry an ata acquisition. Historically, SCADA systems were believe to be secure because they were isolate networks: an operator console, or human-machine interface (HMI, connecte to remote terminal units (RTUs an programmable logic controllers (PLCs through a proprietary purpose-specific protocol. Yieling to market pressure, that emans inustries to operate with low costs an high efficiency, these systems are becoming increasingly more interconnecte. Many of moern SCADA networks are connecte to both the companys enterprise network an the Internet. Furthermore, it is common that the HMI is a commoity PC, which is connecte to RTUs an PLCs using stanar technologies, such as Ethernet an WLAN (see Fig. 1. Such configuration has expose these networks to a wie range of security problems. The access to iniviual subnetworks are secure by firewalls that implement basic network security policy. Securing networks properly by configuring firewall rules is ifficult, time consuming an error-prone task. Wool has analyze possible threats of incorrectly configure firewalls in [1] an calle for methos that woul help to improve the quality of firewall rules. The state observation consiers the complexity an the size of firewall rule sets as the main source of errors. He ientifie major source of ifficulties in creating complex firewall configurations. Although Wool consiere only a small set of relatively obvious errors, his survey emonstrate that a rule set having 1000 items inclues more than 8 errors on average. The approach escribe in this paper is close to the work one by Guttman [2], Bera, Ghosh an Dasgupta [3], an Al-Shaer et el [4]. Similarly we evelop the metho that is able to verify correctness an consistency of firewall configurations against network security policy given a set of simple policy rules. We show a simple translation of policies an firewall rules into logical formulas an escribe the Satifiability Moulo Theory (SMT verification metho. The SMT tools employ algorithms for solving logical formulas with respect to combinations of backgroun theories expresse in classical first-orer logic with equality. In the present work we use Microsoft s Z3 tool that implements an efficient SMT ecisions proceures. Packet filters implement the basic level of security policies in the network. By restricting the accessibility of certain services, computers or subnetworks, we eploy rough but efficient security measures. Our network moel eals only with IP aresses an services or ports. Therefore, the analysis oes not reflect harware or Operating Systems (OS attacks. The contents of TCP/UDP packets are not examine, but it is possible to exten the escription to support this. Our primary goal is to verify safety or resistance of the network with respect to the effect of ynamic routing. Therefore, this classification inclues only basic categories of network security properties. Since it can utilize typical fiels from IP, TCP, or UDP heaers, namely source/estination IP aress an service/port allows us to specify wie range of ifferent communications to be analyze in the network. This paper is structure as follows: Section II iscusses various packet filter representations. Section III presents representation of filtering rules in form of SMT formulas. In Section IV we efine a verification metho for a single firewall configuration. This is extene to the cascae of firewalls in Section V, thus proviing a metho for system-wie security policy verification. In Section VII we present a preliminary experimental results showing performance of the presente metho. The paper conclues in Section VII by comparing presente metho to relate work an suggesting further evelopment /$25.00 c 2013, IEEE 1423

2 1424 PROCEEDINGS OF THE FEDCSIS. KRAKÓW, 2013 TABLE I: Network fiel selectors Function Description st ar(p Destination aress of a packet p. src ar(p Source aress of a packet p. st port(p Destination port of up or tcp atagram carrie in packet p. src port(p Source port of up or tcp atagram carrie in packet p. service(p Service of a packet p. not matche by any of the previous rules. For a single rule set of an ACL configuration we compute two logical filter representations. A positive filter represents all packets permitte by the ACL configuration. A negative filter represents all packets enie by the ACL configuration. Fig. 1: An example of moern SCADA network. II. REPRESENTATION OF PACKET FILTERS Firewall configurations are usually written in form of access control lists (ACL. An ACL format is easy to unerstan for network aministrators an it is also suitable for machine processing. Nevertheless, for an efficient formal analysis this format may represent a problem because it amits conflicting rules. Conflicting rules are pairs of rules that match the same set of packets. These conflicts are solve at runtime by implementing first match semantics. However, certain classes of conflicts can signalize a configuration error, for instance, a rule that completely hies some other rules. Several methos to check conflicts in ACLs an constructing a non-conflicting rule sets were propose, e.g. [5], [6], [7], [8]. Rules have multiimensional structure. Dimensions correspon to fiels in a packet heaer, in particular, source an estination aresses, port numbers an a protocol type. Formally, we efine a rule as a tuple src, st, srv, act, where src an st are set of aresses, srv is a set of services, an act is an action. A logical formula that is a translation of a simple rule r = s,,v,a consists of a conjunction of all selectors. A selector is represente by a preicate that extracts require heaer fiel from packet p. Thus, for rule r the formula is written as follows: src ar(p s st ar(p service(p v. A list of all possible selectors is shown in Table I A network-mask convention is aapte for representing a sequence of continuous aresses. For instance, aress prefix /24 is a set of aresses ranging from to We can use the stanar set operations, e.g., src ar(p /24 or st ar(p / /24. The latter can be expane to st ar(p /24 st ar(p /24, which allows us to use network-mask format for the canonical aress representation. Often, rule sets implicitly assume the existence of a efault rule, which has the lowest priority an matches all packets III. FILTER REPRESENTATION As propose in [9] the output of reachability analysis an the input for consecutive security property analysis consist of a collection of reachability sets for forwaring paths in an analyze network. There are various methos to calculate reachability sets. In this section, we iscuss several issues relate to these calculations. We overview the problem of efficient aress encoing an rule set representation. Guttman has escribe an approach to eal with abstract aress scheme [2]. The abstract aress is a symbolic name of a host or a subnetwork. This aress scheme avois ealing with huge IP aress space, which consists of 2 32 aresses. An abstract packet consists of an abstract source aress, an abstract estination aress, service ientification, an a flow orientation. The flow irection represents the communication irection that is either client to server, or server to client. This approach leas to very reasonable complexity which is epenent on the size of the network an mainly on the number of interesting estinations an services. For an example, consiering a network with N ifferent istinguishe aresses, S ifferent istinguishe services, then the abstract packet space of size will be N 2 2S. Different approach was propose by Bera, Ghosh an Dasgupta in [3]. In their work, the IP aress space is explicitly represente by bit variables. The bit variables s 1,...,s 32 represents a source aress, bit variables 1, represents a estination aress, an a vector of bit variables v 1,...,v n of the appropriate length n, represents a service. A flow irection may be moele separately by a single bit variable or encoe in the service vector. In this way, there is an explicit representation not only for each packet but also for each network represente in network-mask format. Inepenently on whether we use abstract aress representation or explicit representation, we construct logical formula for each rule in a filter. These are use in composition of formulas for positive an negative filters. Such formula can be encoe as a SAT instance using the Boolean reuction approach, which is efine in etail for explicit aress scheme in [3]. If the abstract aress scheme is use each abstract aress has to be represente by a single Boolean variable. These two approaches iffer from the number of Boolean variables in generate SAT instances. While explicit represen-

3 ONDREJ RYSAVY, JAROSLAV RAB, MIROSLAV SVEDA: IMPROVING SECURITY IN SCADA SYSTEMS THROUGH FIREWALL POLICY ANALYSIS 1425 tation requires the fixe number of variables, the number of variables use by abstract approach epens on the number of abstract aresses. On the other han, the former may generate a large number of clauses while the latter tens to keep number of clauses smaller. It remains for future work to analyze an compare both approaches from the practical perspective on real ata. IV. SMT-BASED VERIFICATION METHOD In this section, we escribe an SMT-base verification metho for valiation of a network security policy. Given requirements on a packet flow an a filter specification in form of a rule set, we compute a subset of rules that violates these requirements. If the subset is empty than all requirements are satisfie. First, we present the metho to verify a single filter against a security policy. Later this metho will be extene for verifying a cascae of filters. Checking if the specifie packet flow p is permitte by a filter f it is enough to show that formula f p cannot be satisfie. For instance, assuming that s 0,s 1,s 2 are atomic propositions capturing abstract packet properties. Then filter f an a policy p are expresse as follows: f = s 0 s 1 s 0 s 2, p = s 0 s 1 s 1 s 2 In thi case, it is possible to fin an assignment s 0 = 1,s 1 = 0,s 2 = 1 that satisfies f p. While this gives us the require answer we woul like to obtain more information to track the problem. To o so, we enrich the filter representation with information that refers to corresponing filtering rules. f = r = 0 s 0 s 1 r = 1 s 0 s 2 r = 2 s 1 s 2, p = s 0 s 1 where r is a bit vector that encoes a rule number. Using this annotation the answer contains information on eny rule that enie the analyze packet flow, which is, r = 1. To capture network security policy we employ Security Policy Specification Language (SPSL as efine in [10]. This simple language allows us to express services available between ifferent network zones. For network presente in Fig.1, such policy specification can be as follows: zone ENTP [ /24]; zone DMZ [ /24]; zone PCN [ /24]; zone Inernet [*]; service HTTP = TCP [port = 80]; service SSH = TCP [port=22]; service TELNET = TCP [port=23]; policy p1 = eny [telnet,http]([entp],[pcn]; policy p2 = eny [*]([Internet],[PCN]; policy p3 = permit [http]([internet],[dmz]; For instance, a specification of policy p1 can be converte to the following SMT representation: 01 (efine-fun p_1 ( Bool 02 ; eny [telnet,http]([entp],[pcn] 03 (an 04 (= (bvan st_ip PCN_MASK PCN 05 (= (bvan src_ip ENTP_MASK ENTP 06 (or (an (= pt TCP(= st_pn HTTP 07 (an (= pt TCP(= st_pn TELNET This policy enies telnet an http traffic to the Process Control Network. This is encoe by specifying source (line 5 an estination (line 4 aress ranges of the packets that shoul be enie. Lines 6 an 7 escribe protocol type an estination port numbers that correspon to telnet an http traffic, respectively. Aresses are encoe as bit vectors of size 32. Encoing constraints on aresses follows the general pattern: (= (bvan x net_mask net_ar Here, bvan is a stanar bit wise AND operation on bit vectors. Port numbers are encoe as bit vectors of size 16. Using this irect encoing it is possible to irectly express policy rules using a stanar bit vector theory available in SMT tools. We emonstrate the translation of ACL configuration to positive an negative filters using the following ACL snippet: R ip access-list extene paper-example 1 permit icmp any any echo-reply 2 permit icmp any any echo 3 eny ip any eny ip any permit ip any any These five rules permit any icmp echo an echo-reply traffic an forbi other traffic to target network. The translation to SMT yiels four efinitions of functions. Note that efault permit rule is not translate. (efine-fun f1_r1 ( Bool ; permit icmp any any echo-reply (an (= pt ICMP (= st_pn ECHO_REPLY (efine-fun f1_r2 ( Bool ; permit icmp any any echo (an (= pt ICMP (= st_pn ECHO (efine-fun f1_r3 ( Bool ; eny ip any (an (= (bvor st_ip #x000000ff #x0a0a0aff (efine-fun f1_r4 ( Bool ; eny ip any (an (= (bvor st_ip #x000000ff #x0a0a0bff Rules constraint only properties explicitly efine. Argument any is not represente as it expresses that the variable

4 1426 PROCEEDINGS OF THE FEDCSIS. KRAKÓW, 2013 is constraine by the vali range of the corresponing type, which is implicitly enforce by the type system of SMT. The translation of aresses an wil cars are accoring to the following pattern: (= (bvor x wilcar (bvor aress wilcar To verify that ACL obeys a network security policy we nee to obtain a representation in form of two partial filters. The negative filter, enote as f1_eny, is a boolean formula that is satisfie for all enie abstract packets. Likewise, the positive filter, enote as f1_permit, is a boolean formula that is satisfie for all permitte packets. We use this splitting to simplify the process of verification an fining counterexamples. The general metho for computation of permit an eny filters is presente as Algorithm 1. We will explain the iea of this algorithm on an example of a eny filter. A list of ACL rules is processe in a reverse orer. The eny filter formula is constructe in several steps. The immeiate result of each step is enote as f i. Initially, f0 is empty. The formula is constructe as follows: f i+1 If ruler is eny than its logical representationφ r is ae to formula f i+1 = f i φ r. If rule r is permit than its logical representation φ r is combine with filter as f i+1 = f i ( φ r. Note that in the algorithm the construction of a formula is slightly moifie to improve compactness of the resulting formula. All consecutive rules sharing the same action is threate in a single step. Thus, in case of eny rule, we have f i+1 = f i,φ r 1,...,φ rn. The eny filter for ACL from the previous example is generate as follows: 01 (efine-fun f1_eny ( Bool 02 (an 03 (not f1_r1 04 (not f1_r2 05 (or 06 (an f1_r4 (= eny 4 07 (an f1_r3 (= eny 3 It can be seen that with eny rules there are annotations referring to ACL rules. The annotations allow us to infer information for counter-examples. The permit rule is compute in similar way. Line 8 contains a representation of permit all rule. Permit/Deny all rules match all abstract packets, thus logical representation is constant true. 01 (efine-fun f1_permit ( Bool 02 (or 03 (an f1_r1 (= permit 1 04 (an f1_r2 (= permit 2 05 (an 06 (not f1_r3 07 (not f1_r4 08 (an true (= permit 5 Policy verification is performe by checking formulas representing policy an filter by the SMT tool. For restricting policies, p 1 an p 2 it means to fin satisfying valuation for p 1 f. In SMT syntax this is represente by the following coe block: (assert (an f1_permit p_1 Algorithm 1 Computation of a permit filter Require: An input access-control list L, represente as an orere list of rules, r 1,...,r n L. action : {permit,eny},pt : protocol, r i src.ip : ip range, st.ip : ip range,. src.pn : port range, st.pn : port range Ensure: A boolean formula representing the eny filter f. f := true R = L.Reverse while R not empty o r := R.Pop if r.action = permit then p := true while r.action = permit & R not empty o p := p φ r r = R.Pop en while f := f p else := false while r.action = eny & R not empty o := φ r r = R.Pop en while f := f en if en while (check-sat The answer of SMT is unsat, which means that the conjunction cannot be satisfie an hence the filterf 1 is correct with respect to policy p 1. In case of policy p 2 the result given by SMT is sat an a ranom moel is provie, e.g., an assignment satisfying (assert (an f1_permit p_1 is as follows: permit = 2, pt = ICMP, src_ip = #x0a0a6400, st_pn = #x0800, st_ip = #x0a0a0a00 Such result contains iagnostic information telling us that policy is violate by ACL because permit rule 2 matches ICMP echo-reply packets originate from an estine to However, these packets shoul be enie accoring to the policy. A cascae of filters is verifie by applying essentially the same approach as escribe in previous sections. permit an eny preicates are compute for each filter. Then these filters are combine to a single formula representing the cascae of filters. f c p = f 1 p... f n p, f c = f1... fn, wheref 1 p,...,f n p are permit filter preicates anf 1,...,fn are eny filter preicates. Permit filter is combine using operator as a packet is permitte if it passes all ACL on the

5 ONDREJ RYSAVY, JAROSLAV RAB, MIROSLAV SVEDA: IMPROVING SECURITY IN SCADA SYSTEMS THROUGH FIREWALL POLICY ANALYSIS 1427 path. Contrary, a packet can be filtere by any ACL on the path an thus operator is use. V. SYSTEM-WIDE ANALYSIS In this section, we iscuss an extension of a escribe metho for verification of a security policy to system-wie scope. The main goal is to fin a network states that violate the given security policy. Recall that security policy is a list of permitte an enie traffic between specifie locations. Performing system-wie analysis amounts to check for every pair of network locations specifie in a policy rule the permit or eny requirements on the traffic. As there can be multiple paths between these locations these have to be consiere. Once we foun that a path violates the policy rule it is reporte to the user. Consiering SCADA network as shown in Fig. 1. Then the topology of this network is capture by the following specification: (eclare-const path (Array Int Bool ;path 1 = ENTP -> F1.1 -> F2.1 -> PCN (efine-fun fp1_permit ( Bool (an f1_1_permit f2_1_permit ;path 2 = ENTP -> F1.1 -> DMZ (efine-fun fp2_permit ( Bool (an f1_1_permit ;path 3 = PCN -> F2.2 -> F1.2 -> ENTP (efine-fun fp3_permit ( Bool (an f2_2_permit f1_2_permit ;path 4 = PCN -> F2.2 -> DMZ (efine-fun fp4_permit ( Bool (an f_2_2_permit ; checking violations for policy 1 (assert (or (an fp1_permit p1 (select path 1 (an fp2_permit p1 (select path 2 (an fp3_permit p1 (select path 3 (an fp4_permit p1 (select path 4 We use array to remark which paths violate the policy. The evaluation of SMT specification leas to fining a counter example in case of policy rule violation. The presente encoing brings any counter example epening on the run of SMT algorithm. However, it woul be esirable if the prouce counter example represent the largest subset of a rule set that violates a security policy. Using this approach the user is not confronte with an arbitrary counter example in case of policy violation, but with a counter-example that, if applie to path base policy checking, violates the greatest number of paths. The iea of fining the greatest number of paths, which violates the policy rule is base on binary search proceure that guarantees to fin the result in log 2 N steps. The search environment is initialize by introucing a counter array, which keeps the number of paths violating the policy rule. An inex in the array is compute as follows: sums [i] := sums [i 1]+ IF path[i] THEN 1 ELSE 0. This initialization is encoe as follows: (efine-sort SumT ( (Array Int Int (eclare-const sums SumT (assert (= (select sums 0 0 (assert (forall ((i Int (ite (select path i (= (store sums i (+ (select sums (- i 1 i sums (= (store sums i (select sums (- i 1 sums Note that it is better to unwin the forall statement to avoi ealing with quantifiers. The iteration consists of several steps for i by asserting the following: (assert (= (select sums n i Here, n is the total number of paths. Reaing sums [n] means to get a number of satisfie paths. The iterative steps are guie by the immeiate results of SMT executions for the current instance. VI. RESULTS AND DISCUSSION We experimentally implemente the propose SMT-base metho using Microsoft s Z3 tool. The results of execution of this metho on problems of various size are shown in Table II. The testing set of filtering rules consists of filters generate using the tool calle ClassBench [11]. This generator is equippe with templates of filtering rules erive from a collection of real firewall configurations. The tool generates ACLs of ifferent sizes an parameters. For our purpose, we generate filters for ifferent templates, enote as acl1-3 an fw1 an fw2. These templates iffer by the number of conflicting rules. For every template a range of filters of various size was generate. We use rule sets generate for these templates as an imput to our tool that translate them to SMT specification, which was consume by Z3 tool. We meassure time an memory requirements of the SMT metho that checks rule set consistency. Experiments were performe on a 2.53 Ghz Intel Core 2 Duo machine with 8 GB of RAM running Z3 version in 64 bit moe. Table II contains results for ifferent sizes of the problem. It can be seen that in most cases the time an memory consumption of the methos increases linearly with the number of rules in firewall configuration. The irregulairites are cause by the ifferent number of conflicting rules in those samples. VII. CONCLUSIONS In this paper, we presente an approach for verifying ACL configurations by translating them to rule sets, which can be formally analyze using SMT tools. The propose metho enables network aministrators to observe the quality an correctness of firewall configurations, which improves the overall security in aministere networks. This technique can be combine with other approaches suppose for securing inustrial networks. The overview of security threats in inustrial networks were presente by Alcaraz et el in [12] an later by Carenas et el in [13]. These analyses emphasize the

6 1428 PROCEEDINGS OF THE FEDCSIS. KRAKÓW, 2013 TABLE II: Time an memory requirements of SMT proceure Time[s] acl acl acl fw fw Memory[MB] acl acl acl fw fw importance of a combination of reactive an proactive methos in orer to secure the system against eception an DoS attack. Description of network security properties is relate to the classification of threats an intrusion. There are plenty of ifferent network security problems, such as HTTP attacks, spam, TCP flooing, DoS attacks, Web server misuse, spoofing an sniffing etc. Protection of critical components an network infrastructure is ientifie as a key requirements for improving security in SCADA system by Hentea in [14]. Analysis of firewall configuration has been intensively stuie. Namely, Guttmannin [2] propose algorithm for computing reachibilty sets base on the firewall configurations. Bera et al in [10] propose SAT-base methos for verification of security policy. Al-Shaer et al. [15] uses similar approach for representation of ACLs as permit an eny preicates. Their verification methos employ the BDD representation in moelchecking proceure. The network moel presente in this paper eals only with IP aresses an services or ports. Therefore, the analysis oes not reflect harware or OS attacks. It also oes not examine the contents of TCP/UDP packets. Therefore, this classification only inclues selecte categories of network security properties. Since it can utilize typical fiels from IP, TCP, or UDP heaers, namely source/estination IP aress an service/port, it allows to specify wie range of ifferent communications to be analyze in the network. In this paper we emonstrate the problem of automatic security analysis of IP base inustrial networks. The presente verification metho aims at valiating network esign against the absence of security an configuration flaws. The verification technique is base on the encoing problem into SMT instance solve automatically by the solver tool. REFERENCES [1] A. Wool, Trens in Firewall Configuration Errors: Measuring the Holes in Swiss Cheese, IEEE Internet Computing, vol. 14, no. 4, pp , Jul [2] J. Guttman, Filtering postures: Local enforcement for global policies, in IEEE Symposium on Security an Privacy. IEEE Comput. Soc. Press, 1997, pp [3] P. Bera, S. Ghosh, an P. Dasgupta, Formal Verification of Security Policy Implementations in Enterprise Networks, Information Systems Security, pp , [4] E. Al-Shaer, W. Marrero, A. El-Atawy, an K. ElBaawi, Towars global verification an analysis of network access control configuration, DePaul University, Chicago, IL, USA, Tech. Rep, [5] L. Cholvy an F. Cuppens, Analyzing consistency of security policies, in Security an Privacy, Proceeings., 1997 IEEE Symposium on. IEEE, 1997, pp [6] a. Hari, S. Suri, an G. Parulkar, Detecting an resolving packet filter conflicts, in INFOCOM Nineteenth Annual Joint Conference of the IEEE Computer an Communications Societies. Proceeings. IEEE, vol. 3. IEEE, 2000, pp [7] E. Al-Shaer an H. Hame, Discovery of policy anomalies in istribute firewalls, in Ieee Infocom Ieee, 2004, pp [8] S. P. Hialgo, R. Ceballos, an R. M. Gasca, Fast Algorithms for Consistency-Base Diagnosis of Firewall Rule Sets, 2008 Thir International Conference on Availability, Reliability an Security, pp , Mar [9] G. Xie, D. Maltz, A. Greenberg, G. Hjalmtysson, an J. Rexfor, On static reachability analysis of IP networks, Proceeings IEEE 24th Annual Joint Conference of the IEEE Computer an Communications Societies., pp , [10] P. Bera, S. Maity, S. Ghosh, an P. Dasgupta, A Query base Formal Security Analysis Framework for Enterprise LAN, th IEEE International Conference on Computer an Information Technology, no. Cit, pp , Jun [11] D. E. Taylor, ClassBench: A Packet Classification Benchmark, IEEE/ACM Transactions on Networking, vol. 15, no. 3, pp , Jun [12] C. Alcaraz, G. Fernanez, R. Roman, A. Balastegui, an J. Lopez, Secure Management of SCADA Networks, New Trens in Network Management, Cepis UPGRADE, vol. 9, no. 6, pp , [13] A. a. Carenas, S. Amin, an S. Sastry, Secure Control: Towars Survivable Cyber-Physical Systems, in Proceeings of the 28th International Conference on Distribute Computing Systems Workshops. Ieee, Jun. 2008, pp [14] I. N. Fovino, A. Carcano, an M. Masera, A Secure an Survivable Architecture for SCADA Systems, 2009 Secon International Conference on Depenability, pp , Jun [15] E. Al-Shaer, H. Hame, an R. Boutaba, Conflict classification an analysis of istribute firewall policies, IEEE Journal on Selecte Areas in Communications, vol. 23, no. 10, 2005.