Abstract
Embedded devices with web interfaces are prevalent, but, due to memory and processing constraints, implementations typically make use of Common Gateway Interface (CGI) binaries written in low-level, memory-unsafe languages. This creates the possibility of memory corruption attacks as well as traditional web attacks. We present Umbra, an application-layer firewall specifically designed for protecting web interfaces in embedded devices. By acting as a “friendly man-in-the-middle,” Umbra can protect against attacks such as cross-site request forgery (CSRF), information leaks, and authentication bypass vulnerabilities. We evaluate Umbra’s security by analyzing recent vulnerabilities listed in the CVE database from several embedded vendors and find that it would have prevented half of the vulnerabilities. We also show that Umbra comfortably runs within the constraints of an embedded system while incurring minimal performance overhead.
Acknowledgments
This material is based upon work supported by a gift from Super Micro Computer, Inc. We would particularly like to thank Arun Kalluri, Joe Tai, Linda Wu, Mars Yang, Tau Leng, and Charles Liang from Supermicro. Additional support was provided by the National Science Foundation under grants CNS-1345254, CNS-1409505, and CNS-1518888.
Copyright information
© 2016 Springer International Publishing Switzerland
Cite this paper
Finkenauer, T., Halderman, J.A. (2016). Umbra: Embedded Web Security Through Application-Layer Firewalls. In: Bécue, A., Cuppens-Boulahia, N., Cuppens, F., Katsikas, S., Lambrinoudakis, C. (eds) Security of Industrial Control Systems and Cyber Physical Systems. CyberICS WOS-CPS 2015. Lecture Notes in Computer Science, vol 9588. Springer, Cham. https://doi.org/10.1007/978-3-319-40385-4_8
DOI: https://doi.org/10.1007/978-3-319-40385-4_8
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-40384-7
Online ISBN: 978-3-319-40385-4
eBook Packages: Computer Science (R0)