Cybersecurity Lecture Series
Reversing Rockwell: Preparing for the next TRISIS
Jimmy Wylie, Technical Lead Malware Analyst
Dragos, Inc.
Digital Media Center Theatre
November 14, 2023 - 04:30 pm
Abstract:

Reversing Rockwell: Preparing for the next TRISIS by journeying through compiler hell

In 2017, when we discovered TRISIS, we were lucky. Triconex program downloads were in a native assembly language, PowerPC, which matched the CPU we found in the Triconex. This meant that we could use standard reverse engineering tools to examine the underlying code and firmware and understand the malicious code's effects on the system. But this situation is not the case across all vendors. Rockwell is a major ICS vendor in the United States. While working on separate research (Broken Rungs - CS3STHLM2019), we realized that their program downloads were not in a native assembly, and we didn't have a way to understand the contents of program downloads to a Rockwell controller. In Rockwell's case, they appeared to be using an interpreted bytecode (think something like .NET). So, what if a threat group like XENOTIME or CHERNOVITE conducted a TRISIS-style attack against a Rockwell controller? At best, we could detect that an unauthorized download occurred and deduce the effects based on what happens to the process, but we'd have no ground-truth way of confirming them based on the code.

With this situation in mind, we decided to explore this problem attempting to answer two questions:

  1. How much work, both in effort and time, is it to understand a custom assembly language?
  2. Once we understand the language, can we identify general "suspicious" techniques and then build follow-on tools to detect those techniques?

This talk will cover the project's current state and tell the story of the journey so far. We'll explain how we selected Rockwell, and the process of reversing their compiler thus far. The reverse engineering discussion will pay particular attention to overcoming problems when reverse engineering large binaries, and to static reverse engineering of C++ classes, their respective hierarchies, and C++ templates.

Join Zoom Meeting
https://lsu.zoom.us/j/98761020195?pwd=YVp3RFU3Rk8zQ1VlNktmb3EyKzRaUT09

Meeting ID: 987 6102 0195
Passcode: cctcyber

Speaker's Bio:

Jimmy Wylie is a Technical Lead Malware Analyst at Dragos, Inc. who spends his days (and nights) searching for and analyzing threats to critical infrastructure. He was the lead analyst on PIPEDREAM, the first ICS attack "utility belt", TRISIS, the first malware to target a safety instrumented system, and analysis of historical artifacts of the CRASHOVERRIDE attack, the first attack featuring malware specifically tailored to disrupt breakers and switchgear in an electric transmission substation.

Starting as a hobbyist in 2009, Jimmy has over 10 years' experience with reverse engineering and malware analysis. He has worked for various DoD contractors, leveraging a variety of skills against national-level adversaries, including network analysis, dead-disk and memory forensics, and software development for detection and analysis of malware. After leaving the DoD contracting world, he joined Focal Point Academy, where he developed and taught malware analysis courses to civilian and military professionals across the country. In his off-time, Jimmy enjoys learning about operating system internals, playing board games, and failing at crossword puzzles. He can be found on Mastodon: @mayahustle@infosec.exchange

This lecture has refreshments @ 05:30 pm