DOI: 10.1145/3564625.3567970

Randezvous: Making Randomization Effective on MCUs

Published: 05 December 2022

Abstract

Internet-of-Things devices such as autonomous vehicular sensors, medical devices, and industrial cyber-physical systems commonly rely on small, resource-constrained microcontrollers (MCUs). MCU software is typically written in C and is prone to memory safety vulnerabilities that are exploitable by remote attackers to launch code reuse attacks and code/control data leakage attacks.
We present Randezvous, a highly performant diversification-based mitigation to such attacks and their brute force variants on ARM MCUs. Atop code/data layout randomization and an efficient execute-only code approach, Randezvous creates decoy pointers to camouflage control data in memory; code pointers in the stack are then protected by a diversified shadow stack, local-to-global variable promotion, and return address nullification. Moreover, Randezvous adds a novel delayed reboot mechanism to slow down persistent attacks and mitigates control data spraying attacks via global guards. We demonstrate Randezvous’s security by statistically modeling leakage-equipped brute force attacks under Randezvous, crafting a proof-of-concept exploit that shows Randezvous’s efficacy, and studying a real-world CVE. Our evaluation of Randezvous shows low overhead on three benchmark suites and two applications.

      Published In

      ACSAC '22: Proceedings of the 38th Annual Computer Security Applications Conference
      December 2022
      1021 pages
      ISBN:9781450397599
      DOI:10.1145/3564625
      Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

      Publisher

      Association for Computing Machinery

      New York, NY, United States

      Author Tags

      1. control data protection
      2. entropy improvements
      3. microcontrollers
      4. randomization

      Qualifiers

      • Research-article
      • Research
      • Refereed limited

      Conference

      ACSAC

      Acceptance Rates

      Overall Acceptance Rate 104 of 497 submissions, 21%

      Article Metrics

      • Total Citations: 0
      • Total Downloads: 604
      • Downloads (Last 12 months): 294
      • Downloads (Last 6 weeks): 40
      Reflects downloads up to 03 Mar 2025
