Authors: Syed Ali Qasim (Virginia Commonwealth University), Jared Smith (Oak Ridge National Laboratory), and Irfan Ahmed (Virginia Commonwealth University)
DFRWS USA 2020
Winner of the Best Student Paper Award USA 2020
In industrial control systems (ICS), attackers inject malicious control-logic into programmable logic controllers (PLCs) to sabotage physical processes, such as nuclear plants, traffic-light signals, elevators, and conveyor belts. For instance, Stuxnet operates by transferring control logic to Siemens S7-300 PLCs over the network to manipulate the motor speed of centrifuges. These devastating attacks are referred to as control-logic injection attacks. Their network traffic, if captured, contains malicious control logic that can be leveraged as a forensic artifact. In this paper, we present Reditus to recover control logic from a suspicious ICS network traffic. Reditus is based on the observation that an engineering software has a built-in decompiler that can transform the control logic into its source-code. Reditus integrates the decompiler with a (previously-captured) set of network traffic from a control-logic to recover the source code of the binary control-logic automatically. We evaluate Reditus on the network traffic of 40 control logic programs transferred from the SoMachineBasic engineering software to a Modicon M221 PLC. Our evaluation successfully demonstrates that Reditus can recover the source-code of a control logic from its network traffic.