Mitigation-page

MID-042: Device Checks Consistency Between Binary/Running Code and Textual Code

Mitigation Tier: Foundational

Description

Devices such as Programmable Logic Controllers (PLCs) often hold two copies of a program in memory. One copy is the compiled binary that is executed on the device; this copy is machine-readable but not readily readable by a human. The other copy is a textual representation of the program. This form is human-readable and is typically the form the programmer worked on before the program was downloaded to the device. It is this latter copy that is returned to the programmer by the “upload from device” function in the IDE. The binary and textual representations should be cryptographically bound, so that the IDE can test whether the textual representation matches the executable representation.

One way to ensure consistency is to upload both the running binaries and the textual code during a program upload. The IDE can then recompile the textual code and compute hashes over the result and over the binary code, and compare them. Another way is to compile the textual code on the device itself, hash both that output and the running binaries, and compare the two hashes.
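The following is an added illustration of the IDE-side check described above; it is not code from this page or from any PLC vendor's toolchain. It assumes a toy instruction set and compiler (`OPCODES`, `compile_text`) standing in for a real PLC language, and a project key held by the IDE (`KEY`, a constructed placeholder) used to bind the textual and binary copies at download time. On upload, the IDE verifies that binding and, independently, recompiles the text and compares hashes, so a device whose binary was replaced while its textual copy was left untouched is flagged.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Hypothetical toy instruction set (assumption) standing in for a PLC's textual program.
OPCODES = {"LD": 0x01, "LDN": 0x02, "AND": 0x03, "OR": 0x04, "ST": 0x05}

# Constructed placeholder: a real IDE would keep a per-project secret for the binding.
KEY = b"project-key-held-by-the-IDE"


def compile_text(text: str) -> bytes:
    """Deterministically 'compile' textual code to a binary image (toy compiler)."""
    out = bytearray()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("//")[0].strip()  # comments never reach the binary
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2 or parts[0] not in OPCODES:
            raise ValueError(f"line {lineno}: cannot compile {raw!r}")
        op, operand = parts
        kind, addr = operand[0], operand[1:]  # e.g. I0.3 -> kind 'I', address "0.3"
        byte_off, bit = addr.split(".")
        out += bytes([OPCODES[op], ord(kind), int(byte_off), int(bit)])
    return bytes(out)


def bind(text: str, binary: bytes, key: bytes = KEY) -> bytes:
    """Keyed binding over the (text, binary) pair; length-prefixed so the parts cannot be re-split."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for part in (text.encode("utf-8"), binary):
        mac.update(len(part).to_bytes(4, "big"))
        mac.update(part)
    return mac.digest()


@dataclass
class Upload:
    """What 'upload from device' returns: textual copy, running binary, stored binding."""
    text: str
    binary: bytes
    binding: bytes


def download(text: str, key: bytes = KEY) -> Upload:
    """What a trustworthy download places on the device."""
    binary = compile_text(text)
    return Upload(text, binary, bind(text, binary, key))


def verify_upload(u: Upload, key: bytes = KEY) -> list[str]:
    """Return findings; an empty list means text and running binary are consistent."""
    findings = []
    # Check 1: the stored binding must cover exactly this (text, binary) pair.
    if not hmac.compare_digest(bind(u.text, u.binary, key), u.binding):
        findings.append("binding mismatch: text/binary pair differs from what was bound at download")
    # Check 2 (independent of the binding): recompile the text and compare hashes.
    try:
        rebuilt = compile_text(u.text)
    except ValueError as exc:
        findings.append(f"textual code does not compile: {exc}")
        return findings
    if not hmac.compare_digest(hashlib.sha256(rebuilt).digest(),
                               hashlib.sha256(u.binary).digest()):
        findings.append("recompiled text differs from running binary")
    return findings


# Constructed sample programs.
PROGRAM_TEXT = """\
// constructed sample: start pump only when both sensors are on
LD I0.0
AND I0.1
ST Q0.0
"""
HIDDEN_TEXT = """\
// constructed sample: same shape, interlock removed
LD I0.0
OR I0.1
ST Q0.0
"""


def consistent_upload() -> list[str]:
    """Device holds what the IDE downloaded: no findings."""
    return verify_upload(download(PROGRAM_TEXT))


def swapped_binary_upload() -> list[str]:
    """Binary replaced on the device, textual copy left as the programmer expects to see it."""
    honest = download(PROGRAM_TEXT)
    tampered = Upload(honest.text, compile_text(HIDDEN_TEXT), honest.binding)
    return verify_upload(tampered)


if __name__ == "__main__":
    print("consistent:", consistent_upload())
    print("swapped binary:", swapped_binary_upload())
```

The two checks are deliberately independent. An unkeyed hash stored on the device could be recomputed by whoever is able to write the device's memory, which is why the binding here is keyed with a secret the device does not hold; the recompile-and-hash check needs no key at all, but it does require the IDE's compiler to be deterministic for the same input. Both checks only cover the representations returned by the upload function; the second method on the page, compiling on the device, moves the recompile step onto the controller itself.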

IEC 62443 4-2 Mappings

  • CR 3.4 – Software and information integrity

References

[1] S. Brizinov. “The Old Switcheroo: Hiding Code on Rockwell Automation PLCs.” claroty.com. Accessed: Aug. 28, 2024. [Online]. Available: https://claroty.com/team82/research/hiding-code-on-rockwell-automation-plcs