Vulnerability Analysis of SCADA Protocol Binaries through Detection of Memory Access Taintedness / C. Bellettini, J. Rrushi - In: Information Assurance and Security Workshop, 2007. IAW '07. IEEE SMC. New York: IEEE, June 2007. - ISBN 1-4244-1304-4. - pp. 341-348. Presented at the 8th Information Assurance and Security Workshop, held at West Point, N.Y., USA, in 2007.

Vulnerability Analysis of SCADA Protocol Binaries through Detection of Memory Access Taintedness

C. Bellettini (first author); J. Rrushi (last author)
2007

Abstract

Pointer taintedness is a concept which has been successfully employed as basis for vulnerability analysis of C/C++ source code, and as a run-time mitigation technique against memory corruption attacks. Nevertheless, pointer taintedness interferes with the specification of several industrial control protocols. As a consequence it is not directly usable in detecting memory corruption vulnerabilities in implementations of those industrial control protocols. Furthermore, source-code analysis may have no visibility on certain low-level vulnerabilities since there may be a considerable difference between what programmers intend with the source code they write and what the CPU really executes. A set of memory corruption vulnerabilities specific to implementations of industrial control protocols may escape source code analysis as they are related to a dynamic organization of data in memory. In this paper we define a new concept referred to as memory access taintedness. We discuss the logical motivations behind our definition of memory access taintedness and demonstrate that memory access taintedness is fully employable in vulnerability analysis of the machine code of implementations of industrial control protocols. We analyze the main low-level characteristics of both traditional attacks and attacks specific to process control systems, and demonstrate the ability of memory access taintedness to detect memory corruption vulnerabilities. We represent memory access taintedness as a decision tree and use it as the fundamental component of a finite state machine model we devised for the purpose of dynamically detecting memory corruption vulnerabilities in implementations of industrial control protocols.
Critical infrastructure defense; Industrial control protocols; SCADA systems; Vulnerability analysis
Disciplinary sector INF/01 - Computer Science
Jun-2007
Book Part (author)
Files in this record:
There are no files associated with this record.

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/2434/50286
Citations
  • PMC: ND
  • Scopus: 24
  • ISI: 12