The Filmore Miami Beach, Miami Beach, Florida
|January 10-11, 2017|
The Antikernel – Hardware and Unprivileged Software
Dr. Andrew Zonenberg, January 10, 2017 – 10:30 am ET
Modular design has long been used in critical systems in order to ease verification and contain damage in the event of a failure (whether accidentally or maliciously induced). Truly compartmentalized real-time operating systems, however, have remained elusive. We present Antikernel, a novel decentralized operating system architecture composed entirely of hardware and unprivileged software, and discuss the applicability of the architecture to SCADA systems.
Tools for Practical Attacks on Analog-to-Digital Converter
Alexander Bolshev, January 10, 2017 – 2:30 pm ET
While we live in the analog world, we program and develop digital systems. The key element connecting these two worlds are ADCs (analog-to-digital converters), small integrated circuits (IC) that transform physical variables (amperage or voltage) into a bunch of bytes. It is important for the ADC to interpret and transform its data correctly. Ignoring this fact, especially in the ICS and embedded worlds, could lead to significant safety issues, and in the worst case, could have catastrophic consequences.
Due to the nature of the ADC’s conversion mechanisms it is possible to generate special signals (with arbitrary waveform, frequency and amplitude) that could be interpreted differently by devices on the same fieldbus. These “features” could be used for attacking or hiding attacks against ICS infrastructures. This session will demonstrate how to use AA-filters for attack and defense, and cover other types of ADCs, such as flash and pipeline. The main part of the talk will be about tools that could be used for such attacks: custom hardware boards for modeling and experimenting, and special firmwares for PLCs, sensors and transmitters.
Automatic Generation of Process Models Using Motion Acceleration Algorithms
Jason Larsen, January 11, 2017 – 10:45 am ET
Trivial disruption of a process is easy. Almost anything can cause a process to shut down. But to really cause more non-trivial damage, the attacker typically needs the process to stay up while it’s manipulated. This requires a model of the process, and is one of the least understood parts of ICS hacking. After the attack, focus is placed on why the payload worked and little is discovered about the process the attacker used to generate the physics payload.
In general, signals that are related by physics tend to move together. Bumping into the side of a table not only makes the table shake, but all the items on the table shake as well. They also tend to move at the same frequencies. Recent advances in motion acceleration algorithms have the potential to revolutionize this step. If those algorithms are applied to process data, a basic model of the process can be built with little or no human interaction. This presentation will take data from a water treatment plant and use it to show how a process model can be built directly from process data using motion acceleration algorithms.
About Andrew Zonenberg
Dr. Andrew Zonenberg is a senior security consultant at IOActive. He received a PhD and BS in computer science from Rensselaer Polytechnic Institute, where he designed and taught the first ever full-semester course on semiconductor reverse engineering.
His primary research focuses are integrated circuit (IC) security, IC reverse engineering, and embedded/hardware security. Other research interests include computer and system on chip (SoC) architecture, programmable logic, and operating system security. He is an active contributor to siliconpr0n.org and a regular speaker at industry and academic conferences in both the USA and Canada.
About Alexander Bolshev
Alexander Bolshev is a Security Consultant for IOActive. He holds a PhD in computer security and his research interests lie in distributed systems, mobile, hardware, and industrial protocols security. He is the author of several whitepapers on topics of heuristic intrusion detection methods, SSRF attacks, OLAP systems, hardware, mobile, and ICS security. He has presented at conferences including Black Hat USA/EU/UK/Asia, ZeroNights, t2.fi, S4, CONFIdence, and others.
About Jason Larsen
Jason Larsen is Principal Security Consultant for IOActive, focusing primarily on SCADA systems and the security of critical infrastructure. Jason joined IOActive from Idaho National Labs (INL) where he performed security assessments of the software and hardware that runs the planet’s critical infrastructure. During his tenure at INL, he conducted full-scope assessments of all major power control system vendors. In addition to laboratory tests, he has performed live power grid penetrations in multiple countries, allowing him to gain control of electric power for a short period of time. Jason has worked in other sectors including chemical manufacturing, pharmaceutical, petroleum, and water.
Before his career in SCADA security, Jason explored numerous other fields, including modelling neutron beams for use in treating brain tumors and writing software to analyze nerve impulses. He has also acted as the analyst of last resort for critical infrastructure malware and served on the Windows 7 penetration testing team.
s4x17 entails three days of advanced ICS cybersecurity on three stages with the top 500 people in ICS security. This is is the event for people who understand the basics and want to learn and discuss advanced content with their peers. Topics will include ICS certification, machine learning, securing IoT, industrial drones, and more.
IOActive is the industry’s only research-driven, high-end information security services firm with a proven history of better securing our customers through real-world scenarios created by our security experts. Our world-renowned consulting and research teams deliver a portfolio of specialist security services ranging from penetration testing and application code assessment to chip reverse engineering across multiple industries. IOActive is the only security services firm that has a dedicated practice focusing on Smart Cities and the transportation and technology that connects them. Global 500 companies across every industry continue to trust IOActive with their most critical and sensitive security issues. Founded in 1998, IOActive is headquartered in Seattle, WA, with global operations through the Americas, EMEA, and Asia Pac regions. Visit www.ioactive.com for more information. Follow IOActive on Twitter: http://twitter.com/ioactive.