The power grid depends on embedded control systems or SCADA systems to function properly. Securing these systems presents unique challenges.In addition to the resource restrictions inherent to embedded devices, SCADA systems must accommodate strict timing requirements that are non-negotiable, and their massive scale greatly amplifies costs such as power consumption.
Together, these constraints make the conventional approach to host intrusion detection – using a hypervisor to create a safe environment from which a monitoring entity can operate – too costly or impractical for embedded control systems in the critical infrastructure.
This paper discusses the design and implementation of Autoscopy, an experimental host-based intrusion detection mechanism that operates from within the kernel and leverages its built-in tracing framework to identify control-flow anomalies, which are most often caused by rootkits that hijack kernel hooks.
This paper presents the concepts underlying the original Autoscopy prototype, highlights some of the issues that arose from it, and introduces the new system, dubbed Autoscopy Jr., which addresses the issues.
The paper also describes the use of an optimized probe framework to reduce overhead and the test results obtained for a hardened kernel. The results demonstrate that Autoscopy Jr.’s design and effectiveness render it uniquely suited to intrusion detection for SCADA systems.
The system leverages Kprobes, a tracing framework included in the Linux kernel, to place probes in indirectly called functions within the kernel to dynamically monitor the control flow of running programs for anomalies.
In tests run on a standard laptop system, Autoscopy was able to detect every one of the published control-flow hooking rootkit techniques it was tested against, while imposing an overhead of 5% or less on a wide range of performance benchmarks.
Our second iteration of the program, dubbed Autoscopy Jr., includes a system profiler, which permits the location and removal of “heavy” probes that generate too much overhead, helping balance security with performance and allowing the customization of the mediation scope to keep the overhead under the 5% limit.
These results indicate that, unlike virtualized intrusion detection solutions, Autoscopy’s design and performance make it well-suited to the task of protecting embedded control devices, including those that are used within the critical infrastructure.
(To read this external content in full, download the technical paper from the author’s article archives at the University of Calgary, Canada. ) http://pages.cpsc.ucalgary.ca/~locasto/papers/autoscopyjr.pdf