
Breaking Embedded Software Homogeneity with Protocol Mutations

  • Conference paper
  • Security and Privacy in Communication Networks (SecureComm 2022)

Abstract

Network-connected embedded devices suffer from easy-to-exploit security issues. Due to code and platform reuse, the same vulnerability oftentimes ends up affecting a large installed base. These circumstances enable destructive types of attacks, like ones in which compromised devices disrupt the power grid.

We tackle one of the enabling factors of these attacks: software homogeneity. We propose techniques to inject syntax mutations into application-level network protocols used in the embedded/IoT space. Our approach makes it easy to diversify a protocol into syntactically different dialects, at the granularity of individual deployments. This form of moving-target defense disrupts batch compromise of devices, preventing reusable network exploits. Our approach identifies candidate program data structures and functions via a set of heuristics, mutates them via static transformations, and selects correctness-preserving mutations using dynamic testing.

Evaluation on 4 popular protocols shows that we mitigate known exploitable vulnerabilities, while introducing no bugs.


Notes

  1. In Catalan mythology, an Aloja is a mythical creature able to shape-shift into a bird.

  2. Note that a parametrized mutation with an n-bit parameter can be seen as a set of \(2^n\) possible distinct mutations.
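A constructed illustration of the parametrized-mutation idea from the abstract and Note 2 (an added example, not the paper's tooling or code): a toy type/length/payload message with a 4-bit dialect parameter, a round-trip check standing in for the paper's dynamic-testing step, and a count showing that the 4-bit parameter yields \(2^4\) distinct dialects. The message format, the MAGIC and TYPE_MASK constants and the SAMPLES traffic are all assumptions of this example.

```python
# Added example (not the paper's code): a constructed type/length/payload
# message and a 4-bit parametrized syntax mutation; each bit toggles one
# independent wire-syntax change, giving 2**4 = 16 distinct dialects.
import struct

N_BITS = 4
MAGIC = b"\xa5"   # constructed framing byte
TYPE_MASK = 0x5A  # constructed constant for the type-code mutation

def encode(msg_type: int, payload: bytes, dialect: int) -> bytes:
    """Serialize (msg_type, payload) in the syntax selected by `dialect`."""
    if not 0 <= dialect < (1 << N_BITS):
        raise ValueError("dialect out of range")
    t = bytes([msg_type ^ (TYPE_MASK if dialect & 1 else 0)])  # bit 0: type code
    endian = "<" if dialect & 2 else ">"                         # bit 1: byte order
    length = struct.pack(endian + "H", len(payload))
    header = length + t if dialect & 4 else t + length           # bit 2: field order
    return MAGIC + header + payload if dialect & 8 else header + payload + MAGIC  # bit 3

def decode(wire: bytes, dialect: int) -> tuple:
    """Parse `wire` under `dialect`; raise ValueError on any syntax mismatch."""
    magic, body = (wire[:1], wire[1:]) if dialect & 8 else (wire[-1:], wire[:-1])
    if magic != MAGIC or len(body) < 3:
        raise ValueError("bad framing or truncated header")
    endian = "<" if dialect & 2 else ">"
    if dialect & 4:
        (length,), t = struct.unpack(endian + "H", body[:2]), body[2]
    else:
        t, (length,) = body[0], struct.unpack(endian + "H", body[1:3])
    if len(body) - 3 != length:
        raise ValueError("length field mismatch")
    return t ^ (TYPE_MASK if dialect & 1 else 0), body[3:]

def passes_dynamic_test(dialect: int, samples) -> bool:
    """Dynamic-testing step: keep a dialect only if every sample round-trips."""
    return all(decode(encode(t, p, dialect), dialect) == (t, p) for t, p in samples)

def distinct_encodings(msg_type: int, payload: bytes) -> int:
    """How many different byte strings one message takes across all dialects."""
    return len({encode(msg_type, payload, d) for d in range(1 << N_BITS)})

def accepted_by(wire: bytes, dialect: int) -> bool:
    """Deployment-side view: does a receiver on `dialect` accept `wire` at all?"""
    try:
        decode(wire, dialect)
        return True
    except ValueError:
        return False

SAMPLES = [(1, b"CONNECT"), (3, b"hello"), (8, b"x" * 300)]  # constructed traffic
```

A message encoded for the baseline dialect 0 is rejected outright by deployments whose parameter differs in the framing or byte-order bits, while a deployment differing only in bit 0 still parses it but reads a different type code, which is why the dynamic test has to check full round-trips rather than mere acceptance.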


Acknowledgments

We thank the anonymous reviewers for their insightful comments. This project was supported by the Office of Naval Research (Grants#: N00014-18-1-2660; N00014-21-1-2492). Any opinions, findings, and conclusions or recommendations expressed in this paper are those of the authors and do not necessarily reflect the views of the funding agency.

Author information

Correspondence to Lorenzo De Carli.


Copyright information

© 2023 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering


Cite this paper

Ren, T., Williams, R., Ganguly, S., De Carli, L., Lu, L. (2023). Breaking Embedded Software Homogeneity with Protocol Mutations. In: Li, F., Liang, K., Lin, Z., Katsikas, S.K. (eds) Security and Privacy in Communication Networks. SecureComm 2022. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 462. Springer, Cham. https://doi.org/10.1007/978-3-031-25538-0_40


  • DOI: https://doi.org/10.1007/978-3-031-25538-0_40


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-25537-3

  • Online ISBN: 978-3-031-25538-0
