Abstract
The incidence of malicious code and software vulnerability exploits on embedded platforms is constantly on the rise. Yet, little effort is being devoted to combating such threats to embedded systems. Moreover, adapting security approaches designed for general-purpose systems generally fails because of the limited processing capabilities of their embedded counterparts.
In this work, we evaluate a malware and software vulnerability exploit defense framework for embedded systems. The proposed framework extends our prior work, which defines two isolated execution environments: a testing environment, wherein an untrusted application is first tested using dynamic binary instrumentation (DBI), and a real environment, wherein a program is monitored at runtime using an extracted behavioral model, along with a continuous learning process. We present a suite of software and hardware optimizations to reduce the overheads induced by the defense framework on embedded systems. Software optimizations include the usage of static analysis, complemented with DBI in the testing environment (i.e., a hybrid software analysis approach is used). Hardware optimizations exploit parallel processing capabilities of multiprocessor systems-on-chip.
We have evaluated the defense framework and the proposed optimizations on the ARM-Linux operating system. Experiments demonstrate that our framework achieves high coverage of the considered security threats with acceptable performance penalties: the average application execution time rises to at most 1.68X the baseline with all optimizations applied, which is much smaller than the 2.72X penalty incurred when no optimizations are used.