TWC: Small: Run-Time Prediction and Preemption of Stuxnet-Like Attacks in Embedded Process Controllers

TWC：小型：嵌入式过程控制器中类 Stuxnet 攻击的运行时预测和抢占

• 批准号: 1222656
• 负责人: Cameron Patterson
• 金额: $ 50万
• 依托单位: Virginia Polytechnic Institute and State University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2012
• 资助国家: 美国
• 起止时间: 2012-09-01 至 2016-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1222656&HistoricalAwards=false
• 关键词: TWC; Small; Run; Time; Prediction

Perimeter security and air gap approaches to preventing malware disruption of industrial and infrastructure processes are challenged by the complexity of modern control systems incorporating networked heterogeneous and software-updatable components such as personal computers and programmable logic controllers. Global supply chains and proprietary third-party hardware components, tools, and software limit the reach of static design verification techniques. As a consequence, attacks such as Stuxnet have demonstrated that these systems can be surreptitiously compromised. We are developing a run-time method for process control violation prediction to enhance system resilience against configuration attacks on embedded controllers. This approach copes with either malicious or unintentional errors in any software layer of any programmable component. The run-time system includes a second instance of the active controller connected to a model of the plant, giving a short-term projection of future controller actions and process state. To maintain convergence with the physical system, the model's state is periodically synchronized with the plant's state. The predictor is combined with run-time guards implemented in a configurable hardware-anchored root-of-trust to quickly detect when the projected process state violates specifications. Aberrant event- or time-triggered controller behavior is anticipated before it affects the physical process, allowing preemptive switchover to a minimal and static stability-preserving controller. A productive model-based design flow is being extended to synthesize the active and backup controllers, prediction module, and specification guards into a single commercially-available chip. The root-of-trust can be formally verified due to its hardware implementation and independence.

防止恶意软件破坏工业和基础设施过程的周界安全和空气间隙方法受到现代控制系统的复杂性的挑战，该控制系统包含联网的异构和软件可更新组件，例如个人计算机和可编程逻辑控制器。 全球供应链和专有的第三方硬件组件、工具和软件限制了静态设计验证技术的范围。 因此，像Stuxnet这样的攻击已经证明，这些系统可以被秘密地破坏。 我们正在开发一个运行时的方法，过程控制违规预测，以提高系统的弹性，对嵌入式控制器的配置攻击。 这种方法可以处理任何可编程组件的任何软件层中的恶意或无意错误。 运行时系统包括连接到工厂模型的主动控制器的第二实例，给出未来控制器动作和过程状态的短期预测。 为了保持与物理系统的收敛，模型的状态定期与工厂的状态同步。 预测器与运行时保护相结合，在可配置的硬件锚定的信任根中实现，以快速检测预计的进程状态何时违反规范。 异常事件或时间触发的控制器行为在影响物理过程之前就被预测到，从而允许对最小的和静态的保持稳定的控制器进行抢先控制。 一个生产性的基于模型的设计流程正在扩展到综合的主动和备份控制器，预测模块，并规范警卫到一个单一的商业芯片。 由于其硬件实现和独立性，信任根可以正式验证。