Skip to main content
SpringerLink
Log in

Runtime Integrity Checking for Exploit Mitigation on Lightweight Embedded Devices

  • Conference paper
  • First Online:
Trust and Trustworthy Computing (Trust 2016)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 9824))

Included in the following conference series:

Abstract

Entering the age of the Internet of things, embedded devices are everywhere. They are built using common hardware such as RISC-based ARM and MIPS platforms, and lightweight open software components. Because of their limited resources, such systems often lack the protection mechanisms that have been introduced to the desktop and server world. In this paper, we present BINtegrity, a novel approach for exploit mitigation that is specifically tailored towards embedded systems that are based on the common RISC architecture. BINtegrity leverages architectural features of RISC CPUs to extract a combination of static and dynamic properties relevant to OS service requests from executables, and enforces them during runtime. Our technique borrows ideas from several areas including system call monitoring, static analysis, and code emulation, and combines them in a low-overhead fashion directly in the operating system kernel. We implemented BINtegrity for the Linux operating system. BINtegrity is practical, and restricts the ability of attackers to exploit generic memory corruption vulnerabilities in COTS binaries. In contrast to other approaches, BINtegrity does not require access to source code, binary modification, or application specific configuration such as policies. Our evaluation demonstrates that BINtegrity incurs a very low overhead – only 2 % on whole system performance, – and shows that our approach mitigates both code injection and code reuse attacks.

E. Kirda—Thanks to Secure Business Austria.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    SELinux http://www.selinuxproject.org.

  2. 2.

    AppArmor http://apparmor.net.

  3. 3.

    GRsecurity http://grsecurity.net.

  4. 4.

    AnTuTu https://play.google.com/store/apps/details?id=com.antutu.ABenchMark.

References

  1. Abadi, M., Budiu, M., Erlingsson, U., Ligatti, J.: Control-flow integrity. In: ACM Conference on Computer and Communications Security (CCS) (2005)

    Google Scholar 

  2. Andersen, S., Abella, V.: Data Execution Prevention. Changes to Functionality in Microsoft Windows XP Service Pack 2, Part 3: Memory Protection Technologies (2004)

    Google Scholar 

  3. Baume, T.: Netcomm NB5 Botnet Psyb0t. http://baume.id.au/psyb0t/PSYB0T.pdf

  4. Cheng, Y., Zhou, Z., Yu, M., Ding, X., Deng, R.: ROPecker: a generic and practical approach for defending against ROP attacks. In: Network and Distributed System Security Symposium (NDSS) (2013)

    Google Scholar 

  5. Heffner, C.: OSVDB 86824 Exploit. http://www.devttys0.com/wp-content/uploads/2012/10/dir605l_exploit.txt

  6. Davi, L., Hanreich, M., Paul, D., Sadeghi, A.R., Koeberl, P., Sullivan, D., Arias, O., Jin, Y.: HAFIX: Hardware-assisted flow integrity extension. In: Proceedings of the Annual Design Automation Conference (2015)

    Google Scholar 

  7. Feng, H.H., Kolesnikov, O.M., Fogla, P., Lee, W., Gong, W.: Anomaly detection using call stack information. In: IEEE Symposium on Security and Privacy (Oakland) (2003)

    Google Scholar 

  8. Goektas, E., Athanasopoulos, E., Bos, H., Portokalidis, G.: Out of control: overcoming control-flow integrity. In: IEEE Symposium on Security and Privacy (Oakland) (2014)

    Google Scholar 

  9. Holcomb, J.: CVE-2013-465 Exploit. http://www.exploit-db.com/exploits/27133/

  10. Kruegel, C., Mutz, D., Valeur, F., Vigna, G.: On the detection of anomalous system call arguments. In: Snekkenes, E., Gollmann, D. (eds.) ESORICS 2003. LNCS, vol. 2808, pp. 326–343. Springer, Heidelberg (2003)

    Chapter  Google Scholar 

  11. Kuznetsov, V., Szekeres, L., Payer, M., Candea, G., Sekar, R., Song, D.: Code-pointer integrity. In: USENIX Symposium on Operating Systems Design and Implementation (OSDI) (2014)

    Google Scholar 

  12. McVoy, L., Staelin, C.: Lmbench: portable tools for performance analysis. In: USENIX Annual Technical Conference (USENIX ATC) (1996)

    Google Scholar 

  13. Pappas, V., Polychronakis, M., Keromytis, A.D.: Transparent ROP exploit mitigation using indirect branch tracing. In: USENIX Security Symposium (USENIX SEC) (2013)

    Google Scholar 

  14. Provos, N.: Improving host security with system call policies. In: USENIX Security Symposium (USENIX SEC) (2003)

    Google Scholar 

  15. Schuster, F., Tendyck, T., Liebchen, C., Davi, L., Sadeghi, A.R., Holz, T.: Counterfeit object-oriented programming: on the difficulty of preventing code reuse attacks in C++ applications. In: IEEE Symposium on Security and Privacy (Oakland) (2015)

    Google Scholar 

  16. Shu, X., Yao, D., Ramakrishnan, N.: Unearthing stealthy program attacks buried in extremely long execution paths. In: ACM SIGSAC Conference on Computer and Communications Security (CCS) (2015)

    Google Scholar 

  17. Szekeres, L., Payer, M., Wei, T., Song, D.: SoK: eternal war in memory. In: IEEE Symposium on Security and Privacy (Oakland) (2013)

    Google Scholar 

  18. Cymru, T.: SOHO Pharming (2014). https://www.team-cymru.com/ReadingRoom/Whitepapers/2013/TeamCymruSOHOPharming.pdf

  19. Ullrich, J.: Linksys Worm The Moon (2014). https://isc.sans.edu/forums/diary/Linksys+Worm+TheMoon+Summary+What+we+know+so+far/17633

  20. Vaughan, J.A., Hilton, A.D.: Paladin: Helping Programs Help Themselves with Internal System Call Interposition (2010)

    Google Scholar 

  21. van der Veen, V., Andriesse, D., Göktaş, E., Gras, B., Sambuc, L., Slowinska, A., Bos, H., Giuffrida, C.: Practical context-sensitive CFI. In: ACM Conference on Computer and Communications Security (CCS) (2015)

    Google Scholar 

  22. van der Veen, V., dutt-Sharma, N., Cavallaro, L., Bos, H.: Memory errors: the past, the present, and the future. In: Balzarotti, D., Stolfo, S.J., Cova, M. (eds.) RAID 2012. LNCS, vol. 7462, pp. 86–106. Springer, Heidelberg (2012)

    Chapter  Google Scholar 

  23. Wagner, D., Dean, D.: Intrusion detection via static analysis. In: IEEE Symposium on Security and Privacy (Oakland) (2001)

    Google Scholar 

  24. Wagner, D., Soto, P.: Mimicry attacks on host-based intrusion detection systems. In: ACM Conference on Computer and Communications Security (CCS) (2002)

    Google Scholar 

  25. Zhang, M., Sekar, R.: Control flow integrity for COTS binaries. In: USENIX Security Symposium (USENIX SEC) (2013)

    Google Scholar 

  26. Zhou, Y., Wang, X., Chen, Y., Wang, Z.: ARMlock: hardware-based fault isolation for ARM. In: ACM Conference on Computer and Communications Security (CCS), November 2014

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. IBM Research Zurich, Rüschlikon, Switzerland

    Matthias Neugschwandtner

  2. Northeastern University, Boston, USA

    Matthias Neugschwandtner, Collin Mulliner, William Robertson & Engin Kirda

Authors
  1. Matthias Neugschwandtner
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Collin Mulliner
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. William Robertson
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Engin Kirda
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Matthias Neugschwandtner .

Editor information

Editors and Affiliations

  1. University of California , Irvine, USA

    Michael Franz

  2. Royal Institute of Technology , Stockholm, Sweden

    Panos Papadimitratos

Rights and permissions

Reprints and permissions

Copyright information

© 2016 Springer International Publishing Switzerland

About this paper

Cite this paper

Neugschwandtner, M., Mulliner, C., Robertson, W., Kirda, E. (2016). Runtime Integrity Checking for Exploit Mitigation on Lightweight Embedded Devices. In: Franz, M., Papadimitratos, P. (eds) Trust and Trustworthy Computing. Trust 2016. Lecture Notes in Computer Science(), vol 9824. Springer, Cham. https://doi.org/10.1007/978-3-319-45572-3_4

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-45572-3_4

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-45571-6

  • Online ISBN: 978-3-319-45572-3

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation