In industrial control systems (ICS), programmable logic controllers (PLCs) directly control and monitor physical processes in real-time such as nuclear plants, and power grid stations. Adversaries typically transfer malicious control logic to PLCs over the network to sabotage a physical process. These control logic attacks are well-understood containing machine instructions in network packets and are likely to be detected by network intrusion detection systems (IDS). On the other hand, return-oriented programming (ROP) reuses blocks (or gadgets) of existing code in computer memory to create and execute malicious code. It limits or eliminates the need to transfer machine instructions over the network, making it stealthier. Currently, ROP attacks on control logic has never been discussed in the literature to explore it as a practical ICS attack.
This paper is the first attempt in this direction to explore challenges for a successful ROP attack on real-world PLCs, including maintaining a continuous (control logic) scan cycle through ROP gadgets, no user input (to cause a buffer overflow) to overwrite the stack for gadget installation, and limited ROP gadgets in a PLC memory to find blocks of instructions equivalent to the high-level constructs of PLC programming languages (such as instruction list, and ladder logic). We identify and utilize typical PLC design features (that we find exploitable) to overcome these challenges, which makes ROP attacks applicable to most PLCs e.g., no stack protection, and remote access to certain PLC memory regions via ICS protocols. We demonstrate two successful ROP attacks on the control logic programs of three fully-functional physical processes, i.e., a belt conveyor system, a four-floor elevator, and a compact traffic light system. The first ROP attack manipulates a PLC’s current control logic and has two variants involving either a single or multiple gadgets; the second ROP attack constructs a control logic from scratch using gadgets in a PLC’s memory. Our evaluation results show that the attacks can be performed using a set of small-sized gadgets with no significant effect on a PLC’s scan time.