Abstract
Security of embedded devices today is a critical requirement for the Internet of Things (IoT), as these devices will access sensitive information such as social security numbers and health records. This makes them a lucrative target for attacks that exploit vulnerabilities to inject malicious code, or that reuse existing code, in order to alter the execution of their software. Existing defense techniques have major drawbacks, such as requiring source code or symbolic debugging information and incurring high overhead, which limit their applicability. In this paper we propose a novel defense technique, DisARM, that protects against both code-injection and code-reuse based buffer overflow attacks by removing the attacker's ability to manipulate the return address of a function. Our approach operates on arbitrary executable binaries and thus does not require compiler support. It also requires no user interaction and can therefore be applied automatically. Our experimental results show that our approach incurs low overhead and significantly increases the level of security against both code-injection and code-reuse based attacks.
© 2015 Springer International Publishing Switzerland
Cite this paper
Habibi, J., Panicker, A., Gupta, A., Bertino, E. (2015). DisARM: Mitigating Buffer Overflow Attacks on Embedded Devices. In: Qiu, M., Xu, S., Yung, M., Zhang, H. (eds) Network and System Security. NSS 2015. Lecture Notes in Computer Science(), vol 9408. Springer, Cham. https://doi.org/10.1007/978-3-319-25645-0_8
DOI: https://doi.org/10.1007/978-3-319-25645-0_8
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-25644-3
Online ISBN: 978-3-319-25645-0