Aye: A Trusted Forensic Method for Firmware Tampering Attacks

The Programmable Logic Controller (PLC) is located at the junction of the virtual network and physical reality in the Industrial Control System (ICS), which is vulnerable to attacks due to its weak security. Specifically, firmware tampering attacks take the firmware under the PLC operating system as...

Bibliographic Details
Main Authors: Yipeng Zhang, Ye Li, Zhoujun Li
Format: Article
Language: English
Published: MDPI AG 2023-01-01
Series: Symmetry
Subjects:
Online Access: https://www.mdpi.com/2073-8994/15/1/145
author Yipeng Zhang
Ye Li
Zhoujun Li
collection DOAJ
description The Programmable Logic Controller (PLC) is located at the junction of the virtual network and physical reality in the Industrial Control System (ICS), which is vulnerable to attacks due to its weak security. Specifically, firmware tampering attacks take the firmware under the PLC operating system as the primary attack target. The firmware provides the bridge between PLC’s hardware and software, which means tampering against the firmware can be more destructive and harmful than other attacks. However, existing defense and forensics methods against firmware tampering attacks are asymmetrical, which directly leads to the proliferation of such attacks and the difficulty of forensic tracing. How to accurately, quickly, and efficiently conduct forensics for such attacks is an urgent problem. In this paper, we designed and implemented a reliable detection method based on Joint Test Action Group (JTAG) and memory comparison—Aye, which can detect mainstream firmware tampering attacks reliably. To determine the effectiveness and reliability of Aye, we selected a widely used PLC to observe Aye’s performance in defense and forensics by simulating the two latest PLC firmware tampering attack methods. The experimental results show that Aye can effectively defend against firmware tampering attacks, helping improve the efficiency and accuracy of such attack detection and forensics.
first_indexed 2024-03-09T11:07:50Z
format Article
id doaj.art-1b45a39e1f404c60ad6efd78c389e223
institution Directory Open Access Journal
issn 2073-8994
language English
last_indexed 2024-03-09T11:07:50Z
publishDate 2023-01-01
publisher MDPI AG
record_format Article
series Symmetry
spelling doaj.art-1b45a39e1f404c60ad6efd78c389e223 | 2023-12-01T00:52:32Z | eng | MDPI AG | Symmetry | 2073-8994 | 2023-01-01 | 15 | 1 | 145 | 10.3390/sym15010145 | Aye: A Trusted Forensic Method for Firmware Tampering Attacks | Yipeng Zhang (0), Ye Li (1), Zhoujun Li (2) | 0, 1, 2: Department of Computer Science and Engineering, Beihang University, Beijing 100191, China | https://www.mdpi.com/2073-8994/15/1/145 | industrial control system security | programmable logic controller | firmware tampering attack | digital forensics | joint test action group
title Aye: A Trusted Forensic Method for Firmware Tampering Attacks
topic industrial control system security
programmable logic controller
firmware tampering attack
digital forensics
joint test action group
url https://www.mdpi.com/2073-8994/15/1/145