Pin control attack

Pin control attack is a class of attack against a system on a chip (SoC) in an embedded system in which an attacker targets the I/O configuration of the embedded system and disables software or operating system I/O functions without detection. The attack is possible because there is no hardware protection for the pin configuration and pin multiplexing settings.

The most significant target for a pin control attack is a programmable logic controller (PLC). Pin control attacks on PLCs matter because I/O is the main mechanism through which PLCs interact with and control the outside world. PLC I/O, like that of other embedded devices, is controlled through pins. In a pin control attack the attacker tampers with the integrity and availability of PLC I/O by exploiting certain pin control operations and the lack of hardware interrupts associated with them.

The first example of such an attack was unveiled at Black Hat Europe 2016. [1] The attack uses the I/O peripheral configuration settings of the PLC's SoC to physically disconnect the I/O module communication interface from the PLC. By targeting the PLC I/O configuration rather than the PLC runtime or the logic program, the attacker avoids the typical detection mechanisms that exist in embedded systems. [2]

Background

Classic attacks against PLCs rely on modifying the device's firmware, its configuration parameters, or the execution flow of running processes. These attacks generate interrupts in the PLC's normal mode of operation, which security software such as an IDS picks up and reports to the human operator. A pin control attack instead targets the PLC's dynamic memory, where the device stores its I/O configuration. [3] [4]

Attack vectors

The researchers described at least two variants of the attack: the Pin Configuration Attack and the Pin Multiplexing Attack. [5] Although the two vectors act differently, the concept is the same: both physically cut the I/O off from software access without raising a hardware interrupt, thus preventing detection. [6]

Pin configuration attack

A PLC can receive and transmit various types of electrical and electronic signals. The inputs, which typically come from sensors, and the outputs, which can be used to control motors, valves or relays, are linked to input and output pins on an integrated circuit known as a system on chip (SoC). The SoC's pin controller configures the mode of each pin (i.e. whether it serves as an input or an output). The researchers found that an attacker who has compromised the PLC can tamper with the inputs and outputs without being detected and without alerting the operators monitoring the process through a human-machine interface (HMI). [7]

Pin multiplexing attack

Embedded SoCs usually employ hundreds of pins connected to the electrical circuit. Some of these pins have a single defined purpose. For example, some only provide power or a clock signal. Since different equipment vendors with diverse I/O requirements will use these SoCs, the SoC manufacturer designs its SoCs so that a given physical pin can serve multiple mutually exclusive functions, depending on the application. [8] The concept of redefining the functionality of a pin is called Pin Multiplexing and is one of the necessary specifications of the SoC design. [9] Regarding the interaction of pin multiplexing with the OS, SoC vendors recommend multiplexing pins only during startup, since there is no interrupt for multiplexing. However, the user can still multiplex a pin at runtime, and nothing prevents it.

The current hardware-level design of pin multiplexing raises security questions. For example, assume that an application uses a particular peripheral controller connected to a pin with a particular multiplexing setup. At some point a second application changes the multiplexing setup of the pin used by the first application. Once the pin is multiplexed, the physical connection to the first peripheral controller is severed. However, since there is no interrupt at the hardware level, the OS assumes that the first peripheral controller is still available, and continues to carry out the read and write operations requested by the application without any error. [6]

The concept of changing the functionality of a pin connected to the I/O at the runtime is called Pin Multiplexing Attack. [10]


Stealthiness

Neither pin configuration nor pin multiplexing triggers an alert or a hardware interrupt. [7] Therefore, during an active attack the PLC runtime keeps interacting with a virtual I/O memory whose connection to the physical I/O the attacker has severed. The state in which I/O values in software memory do not reflect the physical I/O is known as I/O memory illusion. [11]
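Added example, not code from the article or from the Black Hat research: a defensive audit written against a constructed pin-controller register model (the register layout, NPINS and the field masks are assumptions, not any real SoC). It snapshots each pin's mux function and direction once boot-time configuration is final, then re-reads the live registers on a timer to catch the silent reconfiguration that both attack variants rely on, and cross-checks an output pin's readback against the runtime's shadow value to surface an I/O memory illusion.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed model of a memory-mapped pin controller (not a real SoC):
 * one 32-bit register per pin, bits [2:0] = mux function (0 = GPIO),
 * bit 3 = direction (1 = output), bit 4 = driven output level. */
#define NPINS      8
#define MUX_MASK   0x7u
#define DIR_OUT    (1u << 3)
#define OUT_LEVEL  (1u << 4)
#define CFG_MASK   (MUX_MASK | DIR_OUT)   /* the fields the audit guards */

typedef struct { uint32_t pinctrl[NPINS]; } soc_regs_t;
typedef struct { uint32_t expected[NPINS]; bool valid; } pin_baseline_t;

/* Snapshot mux + direction once boot-time configuration is final: the
 * hardware raises no interrupt on later changes, so software must remember. */
void baseline_capture(const volatile soc_regs_t *soc, pin_baseline_t *b)
{
    for (size_t i = 0; i < NPINS; i++)
        b->expected[i] = soc->pinctrl[i] & CFG_MASK;
    b->valid = true;
}

/* Periodic audit: re-read the live registers and return a bitmask of pins
 * whose mux function or direction no longer matches the baseline.
 * Bit n set means pin n drifted; 0 means no reconfiguration was observed. */
uint32_t pin_audit(const volatile soc_regs_t *soc, const pin_baseline_t *b)
{
    uint32_t drifted = 0;
    if (!b->valid)
        return UINT32_MAX;                 /* never baselined: fail closed */
    for (size_t i = 0; i < NPINS; i++)
        if ((soc->pinctrl[i] & CFG_MASK) != b->expected[i])
            drifted |= 1u << i;
    return drifted;
}

/* Readback check against I/O memory illusion: the level the runtime believes
 * it drove on a GPIO output must match what the register reports. Returns
 * true only when the pin is still a GPIO output and the levels agree. */
bool output_readback_ok(const volatile soc_regs_t *soc, size_t pin, bool shadow_level)
{
    uint32_t r = soc->pinctrl[pin];
    if ((r & MUX_MASK) != 0 || !(r & DIR_OUT))
        return false;                      /* pin was remuxed or flipped to input */
    return ((r & OUT_LEVEL) != 0) == shadow_level;
}
```

On a real controller the audit loop would run from a watchdog or a privileged task and raise the alarm the hardware itself never will.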


References

  1. "Hacking industrial processes with and undetectable PLC Rootkit". Security Affairs. 2016-09-18. Retrieved 2016-11-08.
  2. "Researchers build undetectable rootkit for programmable logic controllers". PCWorld. Retrieved 2016-11-08.
  3. "Researchers Create Undetectable Rootkit That Targets Industrial Equipment". BleepingComputer. Retrieved 2016-11-08.
  4. "PLCs Possessed: Researchers Create 'Undetectable' Rootkit". Dark Reading. Retrieved 2016-11-08.
  5. "How to compromise PLC systems via stealthy Pin control attacks". Information Security Newspaper. 2016-11-05. Retrieved 2016-11-08.
  6. "Ghost in the PLC Designing an Undetectable Programmable Logic Controller Rootkit via Pin Control Attack" (PDF). Black Hat Europe Briefings 2016.
  7. "How to compromise PLC systems via stealthy Pin control attacks". Security Affairs. 2016-11-05. Retrieved 2016-11-08.
  8. "Pin control subsystem in linux Kernel". Kernel.org.
  9. "A method to make soc verification independent of pin multiplexing change". International Conference on Computer Communication and Informatics (ICCCI). 2013.
  10. "PLCs Vulnerable to Stealthy Pin Control Attacks | SecurityWeek.Com". www.securityweek.com. Retrieved 2016-11-08.
  11. "Ghost in the PLC Designing an Undetectable Programmable Logic Controller Rootkit via Pin Control Attack (Presentation)" (PDF). Black Hat Europe Briefings.