Security research: CODESYS Runtime, a PLC control framework Alexander Nochvay 18.09.2019 Version 1.0 Contents The framework .............................................................................................................................................................. 3 CODESYS Runtime: description of the object of research .......................................................................................... 4 Product bundle offered by the CODESYS Group ..................................................................................................... 4 Architecture ............................................................................................................................................................... 5 Components ........................................................................................................................................................... 5 Component structure .............................................................................................................................................. 6 Structure of communication interfaces ................................................................................................................... 6 Component configuration ..................................................................................................................................... 11 Adaptation ............................................................................................................................................................... 12 Implementation ........................................................................................................................................................ 13 Installer file ........................................................................................................................................................... 13 Configuration file .................................................................................................................................................. 14 Executable file ...................................................................................................................................................... 15 Running process .................................................................................................................................................. 16 Information from public sources .................................................................................................................................. 20 Investigating the CODESYS PDU protocol stack ....................................................................................................... 21 Basic description of the protocol ............................................................................................................................. 21 Analysis of the protocol stack .................................................................................................................................. 24 Block Driver layer ................................................................................................................................................. 24 Datagram layer ..................................................................................................................................................... 27 Channel layer ....................................................................................................................................................... 36 Services layer ....................................................................................................................................................... 46 Tags...................................................................................................................................................................... 49 Detected vulnerabilities and potential attacks ............................................................................................................ 56 Description of the testing bench .............................................................................................................................. 56 Attacks at the Datagram layer ................................................................................................................................. 57 IP spoofing ........................................................................................................................................................... 57 Setting an arbitrary parent node ........................................................................................................................... 63 Vulnerability in the channel layer. Predictability of the channel ID .......................................................................... 66 Vulnerabilities of the Services layer ........................................................................................................................ 68 Vulnerabilities in the authentication system ......................................................................................................... 68 Vulnerability of application code ........................................................................................................................... 74 In conclusion ............................................................................................................................................................... 78 SECURITY RESEARCH: CODESYS RUNTIME, 1 A PLC CONTROL FRAMEWORK © KASPERSKY, 1997 – 2019 Research on the security of technologies used by automation system developers that can potentially be applied at industrial facilities across the globe is a high-priority area of work for the Kaspersky Industrial Systems Emergency Response Team (Kaspersky ICS CERT). This article continues the discussion of research on popular OEM technologies that are implemented in the products of a large number of vendors. Vulnerabilities in such technologies are highly likely to affect the security of many, if not all, products that use them. In some cases, this means hundreds of products that are used in industrial environments and in critical infrastructure facilities. This is the case with CODESYS Runtime®, a framework by CODESYS designed for developing and executing industrial control system software. The trademark rights are held by 3S-Smart Software Solutions – a member of the CODESYS Group. According to the developer’s official information, CODESYS Runtime has already been adapted for more than 350 devices from different vendors, used in the energy sector, industrial manufacturing, internet of things and industrial internet of things systems, etc. It should also be noted that the actual adoption figures are much higher, since many vendors’ PLCs that use the CODESYS Runtime framework are missing from the official list. The number of such devices continues to grow: there were only 140 of them in 2016. We won’t be surprised if this trend continues into the future. Fragments of technical information were removed at the request of the CODESYS Group. Request more information from [email protected]. SECURITY RESEARCH: CODESYS RUNTIME, 2 A PLC CONTROL FRAMEWORK © KASPERSKY, 1997 – 2019 The framework Today, the use of ready-made software code in a product is a rule rather than an exception. This enables the developers of a new product to avoid ‘reinventing the wheel’, helping reduce development time. The degree to which third-party code affects a software product that incorporates it, and the degree to which it affects the security of a system where that product us used, can vary. Third-party code is often used to implement a specific function or set of functions, such as rendering images or the user interface, sending files to the printer or saving data in a database. We have conducted security research and identified vulnerabilities in third-party code before. For example, in 2017, in part of SafeNet Sentinel, a hardware-based solution designed to control licensing agreement compliance and protect applications from being ‘cracked’, and in 2018, in the OPC UA library by OPC Foundation. The situation with the CODESYS framework is different: vendors of CODESYS-based PLCs adapt the framework for their hardware and, if necessary, develop additional modules using services provided by CODESYS. PLC end-users (i.e., engineers) use the CODESYS development environment to develop the code of industrial process automation programs. And the execution flow of the additional modules developed and the industrial process automation program is controlled on PLCs by the versions of CODESYS Runtime adapted for those PLCs. The fact that the framework controls the execution flow of the program means that using the framework imposes restrictions at the architecture level – at the product design stage. In other words, the framework is a sophisticated mechanism that is already in place, and the user’s code must be designed to be a cog in that mechanism. In terms of ensuring security when using a framework, the developer must address the following questions: What’s inside the framework? How does it work? How do I make my software secure if there is a vulnerability in the framework, rather than in my code? This paper is devoted to research on the security of CODESYS Runtime. In it, we address the first two of the above questions: what happens inside the framework and how it works. We also demonstrate a technique for identifying vulnerabilities