BlackHat资料us-14-Larsen-Miniturization-WP.pdfVIP

TECHNICAL WHITE PAPER Miniaturization Jason Larsen CyberSecurity Researcher Black Hat Las Vegas, 2014 Abstract Too often researchers ignore the actual process in SCADA research. “I hacked into the control system so I win!” Ignoring the process means missing some of the interesting problems. Miniaturization is one of those interesting problems. How small can an attacker make SCADA attack code? Can it be made small enough to fit on a pressure sensor? This is an interesting problem. This paper covers a number of techniques for miniaturizing SCADA attack code down to its smallest size and then efficiently inserting it into the firmware of a target device. The paper is very algorithm and assembly heavy and is targeted towards and audience looking to research small attack code or researchers looking to do forensics of advanced payloads. The paper is broken into two parts. The first part covers some novel algorithms designed to perform the actual attack logic with a very small amount of data and code. The second part covers a method for efficiently merging the attack code with the existing code in the firmware while making maximum reuse of the existing code already in the firmware. It introduces an intermediate language called Binary Normal Form that can be used to translate assembly instructions from one architecture to another. These techniques show that it may be possible to create a Metasploit-like framework that can insert off- the-self attack code into a wide variety of firmware with minimal human interaction. Copyright ©2014. All Rights Reserved The Scenario The techniques described in a surprising number of papers on SCADA hacking are difficult to apply to real-world scenarios. They assume unreasonable access or take other shortcuts. To help avoid this pitfall, this paper uses a very specific scenario as a backdrop for the examples. The attack code in this pape