Guarding the Factory Floor: Catching Insecure Industrial Robot Programs

What if a perfectly patched industrial manufacturing machine can still harbor for vulnerabilities where no one is looking? What if the powerful programming languages used to program these machines can go beyond simple movement instructions, and actually allow threat actors to hide malware into the logic?

Industrial robot OEMs provide proprietary, legacy programming languages to automate these complex machines. Mostly offering movement primitives, theseprogramming languages also give access to low-level system resources like files, network sockets, and some even allow memory and program pointer. While useful, these features may lead to insecure programming patterns such as input-validation vulnerabilities. Also, they’re powerful enough to allow the implementation of advanced malware functionalities, with an underlying runtime environment that provides no resource isolation.

After going through the technical features of the languages by eight leading OEMs, we'll share cases of vulnerable and malicious usage. We'll then present a static code analyzer that we created and patented, to scan robotic programs and discover unsafe code patterns. Our evaluation on 100 automation task program files show that insecure patterns are indeed found in real-world code, and that static source code analysis is an effective defense tool in the short term.

Slido

Federico Maggi

With more than a decade of research experience in the cybersecurity field, Federico Maggi has done offensive and defensive research on web applications, network protocols and devices, embedded systems, radio-frequency control systems, industrial robots, cars, and mobile devices. Some of his research work has been featured on mainstream and media outlets such as Wired, Reuters, Forbes, Hackread, ZDNet, and MIT Technology Review.
Currently employed as a Senior Researcher with security giant Trend Micro (https://trendmicro.com), Federico was an Assistant Professor at Politecnico di Milano, one of the leading engineering technical universities in Italy. Aside his teaching activities, Federico co-directed the security group and has managed hundreds of graduate students.
Federico has given several lectures and talks as an invited speaker at international venues and research schools, and also serves in the review or organizing committees of well-known conferences.
More info about Federico and his work is available online at https://maggi.cc

Davide Quarta

While working on this project Davide Quarta was a Postdoctoral Researcher with the System Security group under the supervision of Davide Balzarotti. He received his PhD from Politecnico di Milano where he worked in the NECSTLab under the supervision of Stefano Zanero and Federico Maggi. During this journey, he co-advised more than 10 students on their master thesis, and projects. He received my Laurea Magistrale in Software and Digital Systems, and Laurea from Politecnico di Torino. As a Marie-Skłodowska Curie alumni, Davide has been an exchange student at UC Santa Barbara' SecLab, working under the supervision of Giovanni Vigna and Christopher Kruegel. At the end of his PhD, Davide had a chance to work as an engineering intern in Qualcomm' Product Security group under the supervision of Pouyan Sepehrdad. He served as a reviewer for several journals, and as part of the Security&Privacy '18 student program committee, and WOOT '19 Artifact Evaluation Committee. Davide loves teaching: He worked as TA in basic programming, and computer security courses. As a freelance consultant, he taught malware analysis, and mobile and windows reverse engineering for the Consorzio Interuniversitario Nazionale per l'Informatica, and national, and international clients of Italian security firms Secure Network, and Shorr Kan.

Marcello Pogliani

Marcello Pogliani holds a PhD in information technology (computer security) from Politecnico di Milano. His research interests focus on cybersecurity in general, and particularly on security analysis topics concerning cyber-physical and industrial systems. In his spare time, he enjoys playing and organizing Capture the Flag competitions with Politecnico's team, Tower of Hanoi, and with the Italian team mHACKeroni. Currently, Marcello is a Security Engineer with Secure Network Srl, an information security consultancy firm, and sometimes collaborates on research work with his former colleagues at Politecnico. The research presented at Black Hat 2020 was performed while Marcello was a PhD candidate at Politecnico di Milano.

Stefano Zanero

Stefano Zanero received a PhD in Computer Engineering from Politecnico di Milano, where he is currently an associate professor with the Dipartimento di Elettronica, Informazione e Bioingegneria. His research focuses on malware analysis, cyberphysical security, and cybersecurity in general. Besides teaching "Computer Security" and "Computer Forensics" at Politecnico, he has an extensive speaking and training experience in Italy and abroad. He co-authored over 70 scientific papers and books. He is a Senior Member of the IEEE (for which he sits on the MGA board), the IEEE Computer Society (for which he is a member of the Board of Governors), and a lifetime senior member of the ACM. Stefano co-founded the Italian chapter of ISSA (Information System Security Association). He has been named a Fellow of ISSA and sits in its International Board of Directors. Stefano is also a co-founder and chairman of Secure Network, a leading information security consulting firm based in Milan and in London; a co-founder of 18Months, a cloud-based ticketing solutions provider; and a co-founder of BankSealer, a startup in the FinTech sector that addresses fraud detection through machine learning techniques.

Marco Balduzzi

Dr. Marco Balduzzi holds a PhD in applied security from Télécom ParisTech and a M.Sc. in computer engineering from University of Bergamo. His interests concern all aspects of computer security, with particular emphasis on real problems that affect systems and networks. Some topics of interest are web and browser security, code analysis, malware detection, cyber-crime, privacy, and threats in the IoT space. With 15 years of experience in IT security, he's now with Trend Micro as a Senior Research Scientist. His work has been published in top peer-reviewed conferences like NDSS, RAID and ACSAC, and featured by distinguished media like Forbes, The Register, InfoWorld, DarkReading, BBC, and CNN. He's a regular speaker at conferences like Black Hat, HITB, OWASP AppSec, and now sits on the review board of IEEE journals and venues like HITB, AppSec, eCrime, and DIMVA.