Volatile Memory Extraction-Based Approach for Level 0-1 CPS Forensics

Rima Asmar Awad, Juan Lopez, Mike Rogers

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

8 Scopus citations

Abstract

Most security analyzers operate on system state that is far removed from the end-point components of cyber-physical systems (CPS), identified as level 0-1 in the Purdue Enterprise Reference Architecture (PERA) [1]. For example, many operate on system logs and other data dumped to disk. Tremendous value can be gained in cyber security forensics if low-level details, such as dynamic changes to volatile memory, can be extracted and provided to more sophisticated analysis tools. However, obtaining detailed and dynamic system state at the level of volatile memory is extremely challenging [2]. Here, we attempt to apply IT memory forensic mechanisms to CPS end-point devices and statistically evaluate them. Our focus is to extract volatile and dynamically changing internal information from CPS level 0-1 devices, and to design preliminary schemes to exploit that extracted information. As a case study for our ongoing research, we apply the proposed methodology to a Modicon PLC using the Modbus protocol. We extract the memory layout and subject the device to read operations at the most critical regions of memory. Similarly, write operations are initiated to carefully determined memory locations (for example, the bytes that hold the firmware version number). This capability of generating a sequence of volatile memory snapshots for offline, detailed and sophisticated analysis opens a new class of cyber security schemes for CPS forensic analysis. Also, the ability to dynamically make controlled modifications to specific memory locations opens the potential for new mechanisms such as taint analysis and watermarking.
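The snapshot-and-diff workflow the abstract describes, as an added Python example that is not from the paper: it builds a Modbus/TCP read-holding-registers request (function code 3), validates the response frame before trusting it, and diffs two successive register snapshots to flag the locations that changed. The device responses are constructed inline so the example runs offline; the register addresses and values are assumptions, not the Modicon's actual memory map.

```python
import struct

MODBUS_TCP_PROTOCOL_ID = 0
FC_READ_HOLDING_REGISTERS = 3


def build_read_request(unit_id, start_addr, count, transaction_id=1):
    """Build a Modbus/TCP ADU requesting `count` holding registers from `start_addr`."""
    pdu = struct.pack(">BHH", FC_READ_HOLDING_REGISTERS, start_addr, count)
    # MBAP header: transaction id, protocol id, remaining length (unit id + PDU), unit id
    mbap = struct.pack(">HHHB", transaction_id, MODBUS_TCP_PROTOCOL_ID, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_read_response(adu, expected_tid):
    """Validate a read-holding-registers response and return the register values."""
    tid, proto, length, _unit = struct.unpack(">HHHB", adu[:7])  # struct.error if truncated
    if tid != expected_tid or proto != MODBUS_TCP_PROTOCOL_ID:
        raise ValueError("transaction/protocol id mismatch; frame does not belong to this request")
    pdu = adu[7:7 + length - 1]
    if len(pdu) != length - 1 or len(pdu) < 2:
        raise ValueError("MBAP length field disagrees with frame size")
    fc = pdu[0]
    if fc == FC_READ_HOLDING_REGISTERS | 0x80:  # exception response: high bit set
        raise ValueError(f"device returned Modbus exception code 0x{pdu[1]:02x}")
    if fc != FC_READ_HOLDING_REGISTERS:
        raise ValueError(f"unexpected function code {fc}")
    byte_count, data = pdu[1], pdu[2:]
    if len(data) != byte_count or byte_count % 2:
        raise ValueError("byte count does not match register payload")
    return list(struct.unpack(f">{byte_count // 2}H", data))


def diff_snapshots(start_addr, before, after):
    """Return (address, old, new) for every register that changed between two snapshots."""
    return [(start_addr + i, b, a) for i, (b, a) in enumerate(zip(before, after)) if b != a]


def make_response(transaction_id, unit_id, registers):
    """Constructed sample response standing in for the PLC, so the example runs offline."""
    data = struct.pack(f">{len(registers)}H", *registers)
    pdu = struct.pack(">BB", FC_READ_HOLDING_REGISTERS, len(data)) + data
    return struct.pack(">HHHB", transaction_id, MODBUS_TCP_PROTOCOL_ID, len(pdu) + 1, unit_id) + pdu


def demo():
    start = 0x0000  # assumed start of the region being snapshotted
    request = build_read_request(unit_id=1, start_addr=start, count=4)
    # Two constructed snapshots of the same region; only the third register changes.
    snap1 = parse_read_response(make_response(1, 1, [0x0102, 0x0304, 0x0000, 0xFFFF]), 1)
    snap2 = parse_read_response(make_response(1, 1, [0x0102, 0x0304, 0x0001, 0xFFFF]), 1)
    return request, diff_snapshots(start, snap1, snap2)
```

In a live capture the request bytes would be sent over TCP port 502 and each response fed to `parse_read_response`; the resulting snapshots can then be stored and diffed offline, which is the analysis pipeline the paper proposes.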

Original language: English
Title of host publication: 2019 IEEE International Symposium on Technologies for Homeland Security, HST 2019
Publisher: Institute of Electrical and Electronics Engineers Inc.
ISBN (Electronic): 9781728150925
DOIs
State: Published - Nov 2019
Event: 2019 IEEE International Symposium on Technologies for Homeland Security, HST 2019 - Woburn, United States
Duration: Nov 5 2019 to Nov 6 2019

Publication series

Name: 2019 IEEE International Symposium on Technologies for Homeland Security, HST 2019

Conference

Conference: 2019 IEEE International Symposium on Technologies for Homeland Security, HST 2019
Country/Territory: United States
City: Woburn
Period: 11/5/19 to 11/6/19

Funding

*This manuscript has been authored by UT-Battelle, LLC, under contract DE-AC05-00OR22725 with the US Department of Energy (DOE). The US government retains and the publisher, by accepting the article for publication, acknowledges that the US government retains a nonexclusive, paid-up, irrevocable, worldwide license to publish or reproduce the published form of this manuscript, or allow others to do so, for US government purposes. DOE will provide public access to these results of federally sponsored research in accordance with the DOE Public Access Plan (http://energy.gov/downloads/doe-public-access-plan).

Keywords

  • CPS
  • Cyber Attacks
  • Forensics
  • Memory
  • Modbus
  • Watermarking