Seven Turrets of Babel: Data Format is Code's Destiny: Security Anti-Patterns of Protocol Design
March 10, 2017
Abstract: Famous security vulnerabilities of recent years have been, in essence, input-handling bugs. The same scenario repeats itself: a programmer forgets to validate an assumption about a rarely used protocol construct, and the attacker sends exactly the crafted input that exploits the unchecked assumption. The more complex the protocol---and ICS and energy delivery protocols in particular rank among the most complex---the higher the risk of such errors. For computing devices in energy delivery systems (EDS), these errors have especially high impact, due to the devices' long lifetimes, the physical consequences of an attack, and the difficulty of patching. To mitigate the risk, we must address the root causes of these recurrent security errors.
These causes lie in the protocols themselves. I will discuss several security anti-patterns of protocol design that begin with the description of the data format, and show how they lead to vulnerable implementations. I will draw examples from weaknesses in the protocols that underlie network and computer trust, and specifically from ICS protocols, e.g., several proposed features of DNP3-SA.
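The scenario the abstract describes, a length field in a rarely used record that the parser trusts instead of checking, is easiest to see side by side with the check that prevents it. The following is an added example, not code from the talk or from any real ICS protocol: a hypothetical TLV wire format (tag, 16-bit big-endian length, value) with one seldom-used "extension" tag whose value the consumer copies into a fixed 64-byte buffer. The format, the tag numbers, the function names and the sample messages are all constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical format (an assumption for this example, not DNP3 or any real
 * protocol):  record := tag(1) len(2, big-endian) value(len bytes).
 * TAG_EXT is the rarely used construct; its value goes into an EXT_MAX buffer. */
#define TAG_DATA 0x01
#define TAG_EXT  0x7f
#define EXT_MAX  64

typedef struct {
    uint8_t tag;
    uint16_t len;
    const uint8_t *value;   /* points into the input buffer, never copied here */
} tlv_t;

typedef enum {
    PARSE_OK = 0,
    PARSE_TRUNCATED,   /* header or declared value runs past end of input */
    PARSE_TOO_LONG,    /* declared value exceeds what the consumer can hold */
    PARSE_BAD_TAG
} parse_status_t;

/* The unchecked assumption: trust the length field. This returns where the
 * header *claims* the record ends, without consulting the real buffer length.
 * It deliberately does not touch the value bytes, so the demo stays
 * memory-safe; a consumer that memcpy'd `len` bytes from here would not be. */
size_t naive_record_end(const uint8_t *buf, size_t off)
{
    uint16_t len = (uint16_t)((buf[off + 1] << 8) | buf[off + 2]);
    return off + 3 + len;
}

/* Recognize before you act: every length is checked against the bytes that
 * actually remain and against the consumer's capacity before any use. */
parse_status_t parse_record(const uint8_t *buf, size_t buf_len,
                            size_t *off, tlv_t *out)
{
    if (*off > buf_len || buf_len - *off < 3)
        return PARSE_TRUNCATED;                 /* not even a full header */
    uint8_t tag = buf[*off];
    uint16_t len = (uint16_t)((buf[*off + 1] << 8) | buf[*off + 2]);
    if (len > buf_len - *off - 3)
        return PARSE_TRUNCATED;                 /* declared value not present */
    if (tag == TAG_EXT && len > EXT_MAX)
        return PARSE_TOO_LONG;                  /* would overflow the consumer */
    if (tag != TAG_DATA && tag != TAG_EXT)
        return PARSE_BAD_TAG;
    out->tag = tag;
    out->len = len;
    out->value = buf + *off + 3;
    *off += 3 + (size_t)len;
    return PARSE_OK;
}

/* Consumer of the rarely used record. Safe only because parse_record already
 * enforced len <= EXT_MAX; the copy itself repeats no check. Returns bytes copied. */
size_t handle_ext(const tlv_t *rec, uint8_t dst[EXT_MAX])
{
    memcpy(dst, rec->value, rec->len);
    return rec->len;
}

/* Parse a whole message. Returns the record count, or -1 at the first
 * malformed record; nothing after a rejected record is processed. */
int parse_message(const uint8_t *buf, size_t buf_len)
{
    size_t off = 0;
    int count = 0;
    uint8_t scratch[EXT_MAX];
    while (off < buf_len) {
        tlv_t rec;
        if (parse_record(buf, buf_len, &off, &rec) != PARSE_OK)
            return -1;
        if (rec.tag == TAG_EXT)
            handle_ext(&rec, scratch);
        count++;
    }
    return count;
}

/* Constructed sample messages (not captured traffic). */
const uint8_t GOOD_MSG[] = {
    TAG_DATA, 0x00, 0x02, 'o', 'k',
    TAG_EXT,  0x00, 0x03, 'e', 'x', 't'
};
/* Header claims a 4096-byte extension value; only 3 bytes follow. */
const uint8_t CRAFTED_MSG[] = { TAG_EXT, 0x10, 0x00, 'e', 'x', 't' };
/* Value really is present, but 65 bytes do not fit the 64-byte consumer. */
#define A8 'A','A','A','A','A','A','A','A'
const uint8_t LONG_EXT_MSG[] = { TAG_EXT, 0x00, 0x41, A8, A8, A8, A8, A8, A8, A8, A8, 'A' };

int main(void)
{
    printf("good: %d records\n", parse_message(GOOD_MSG, sizeof GOOD_MSG));
    printf("crafted: naive end=%zu, buffer=%zu, strict=%d\n",
           naive_record_end(CRAFTED_MSG, 0), sizeof CRAFTED_MSG,
           parse_message(CRAFTED_MSG, sizeof CRAFTED_MSG));
    printf("long ext: strict=%d\n", parse_message(LONG_EXT_MSG, sizeof LONG_EXT_MSG));
    return 0;
}
```

The point of keeping `handle_ext` check-free is the one the abstract makes: the checks belong in a recognizer that runs before any semantic action, so that a rarely exercised code path like the extension handler cannot be reached with input the grammar does not admit. The naive version shows what a parser that trusts the header alone believes about the crafted message: a record end more than four kilobytes past the six bytes actually received.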