
Umbra: Embedded Web Security Through Application-Layer Firewalls

  • Conference paper
  • In: Security of Industrial Control Systems and Cyber Physical Systems (CyberICS 2015, WOS-CPS 2015)

Abstract

Embedded devices with web interfaces are prevalent, but, due to memory and processing constraints, implementations typically make use of Common Gateway Interface (CGI) binaries written in low-level, memory-unsafe languages. This creates the possibility of memory corruption attacks as well as traditional web attacks. We present Umbra, an application-layer firewall specifically designed for protecting web interfaces in embedded devices. By acting as a “friendly man-in-the-middle,” Umbra can protect against attacks such as cross-site request forgery (CSRF), information leaks, and authentication bypass vulnerabilities. We evaluate Umbra’s security by analyzing recent vulnerabilities listed in the CVE database from several embedded vendors and find that it would have prevented half of the vulnerabilities. We also show that Umbra comfortably runs within the constraints of an embedded system while incurring minimal performance overhead.
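The abstract describes Umbra's role as a "friendly man-in-the-middle": a filter that sits between the client and the device's CGI binaries and enforces session checks, CSRF protection and response scrubbing that the binaries themselves may not implement. The following is an added illustration of that design, not Umbra's code and not taken from the paper; the policy table, the HMAC-bound token scheme, the cookie names, the backend stub and its credentials are all constructed for this example.

```python
"""Illustrative application-layer firewall in front of a CGI-style backend.
Added example only: the token scheme, policy and backend are constructed
for illustration and are not Umbra's implementation."""
import hmac
import hashlib
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


# Constructed policy: only the login page is reachable without a session,
# only these methods change state, and these headers leak implementation detail.
PUBLIC_PATHS = {"/login.cgi"}
STATE_CHANGING = {"POST", "PUT", "DELETE"}
LEAKY_HEADERS = {"server", "x-powered-by"}


def parse_cookies(header: str) -> dict:
    """Split a Cookie header into a name -> value dict (constructed helper)."""
    out = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            out[name] = value
    return out


def cgi_backend(req: Request) -> Response:
    """Constructed stand-in for CGI binaries that never check who is asking;
    the firewall in front of it is what enforces authentication."""
    leaky = {"Server": "embedded-httpd/1.0"}  # constructed banner
    if req.path == "/login.cgi":
        if req.form.get("user") == "admin" and req.form.get("pass") == "hunter2":
            return Response(200, dict(leaky), "welcome")
        return Response(401, dict(leaky), "denied")
    return Response(200, dict(leaky), f"ran {req.path}")


class Firewall:
    """Mediates every request and response between the client and backend."""

    def __init__(self, backend, key: bytes):
        self.backend = backend
        self.key = key          # device-local secret, assumed provisioned at boot
        self.sessions = set()   # session ids issued by the firewall, not the backend

    def _csrf_token(self, sid: str) -> str:
        # Token is bound to the session id, so it cannot be replayed across sessions.
        return hmac.new(self.key, sid.encode(), hashlib.sha256).hexdigest()

    def handle(self, req: Request) -> Response:
        sid = parse_cookies(req.headers.get("Cookie", "")).get("sid")
        authed = sid in self.sessions
        # Authentication is enforced here for every non-public path, so a CGI
        # binary that forgets its own check is not directly reachable.
        if req.path not in PUBLIC_PATHS and not authed:
            return Response(401, body="session required")
        # State-changing requests must carry the session-bound CSRF token.
        if authed and req.method in STATE_CHANGING:
            token = req.headers.get("X-CSRF-Token") or req.form.get("csrf_token", "")
            if not hmac.compare_digest(token, self._csrf_token(sid)):
                return Response(403, body="bad csrf token")
        resp = self.backend(req)
        # Scrub headers that reveal the backend implementation.
        resp.headers = {k: v for k, v in resp.headers.items()
                        if k.lower() not in LEAKY_HEADERS}
        # On a successful login the firewall, not the backend, issues the session.
        if req.path == "/login.cgi" and resp.status == 200:
            new_sid = secrets.token_hex(16)
            self.sessions.add(new_sid)
            resp.headers["Set-Cookie"] = f"sid={new_sid}; HttpOnly; SameSite=Strict"
            resp.headers["X-CSRF-Token"] = self._csrf_token(new_sid)
        return resp
```

The point of keeping session issuance, the CSRF check and header scrubbing in the mediator is that each CGI binary behind it can stay small and unmodified; the trade-off is that the policy table must list every public path explicitly, since anything omitted is denied.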



Acknowledgments

This material is based upon work supported by a gift from Super Micro Computer, Inc. We would particularly like to thank Arun Kalluri, Joe Tai, Linda Wu, Mars Yang, Tau Leng, and Charles Liang from Supermicro. Additional support was provided by the National Science Foundation under grants CNS-1345254, CNS-1409505, and CNS-1518888.

Author information

Correspondence to Travis Finkenauer.


Copyright information

© 2016 Springer International Publishing Switzerland

About this paper

Cite this paper

Finkenauer, T., Halderman, J.A. (2016). Umbra: Embedded Web Security Through Application-Layer Firewalls. In: Bécue, A., Cuppens-Boulahia, N., Cuppens, F., Katsikas, S., Lambrinoudakis, C. (eds) Security of Industrial Control Systems and Cyber Physical Systems. CyberICS 2015, WOS-CPS 2015. Lecture Notes in Computer Science, vol. 9588. Springer, Cham. https://doi.org/10.1007/978-3-319-40385-4_8


  • DOI: https://doi.org/10.1007/978-3-319-40385-4_8

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-40384-7

  • Online ISBN: 978-3-319-40385-4

  • eBook Packages: Computer Science (R0)
