AVRAND: A Software-Based Defense Against Code Reuse Attacks for AVR Embedded Devices

  • Sergio Pastrana
  • Juan Tapiador
  • Guillermo Suarez-Tangil
  • Pedro Peris-López
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9721)

Abstract

Code reuse attacks are advanced exploitation techniques that constitute a serious threat for modern systems. They profit from a control flow hijacking vulnerability to maliciously execute one or more pieces of code from the targeted application. ASLR and Control Flow Integrity are two mechanisms commonly used to deter automated attacks based on code reuse. Unfortunately, none of these solutions are suitable for modified Harvard architectures such as AVR microcontrollers. In this work, we present a code reuse attack against embedded AVR devices that shows how an adversary can execute arbitrary code reused from the firmware and other external libraries. We then propose a software-based defense based on fine-grained random permutations of the code memory. Our solution is installed in the bootloader section of the embedded device and thus executes during every device reset. We also propose a self-obfuscation technique to hinder code-reuse attacks against the bootloader.

Keywords

Code reuse attacks · Return Oriented Programming · AVR · Internet-of-things · Embedded devices · Memory randomization

Notes

Acknowledgments

We would like to thank our shepherd, Andrea Lanzi, for his assistance and the feedback provided during the reviewing process. This work was supported by the MINECO Grant TIN2013-46469-R (SPINY), the CAM Grant S2013/ICE-3095 (CIBERDINE) and the UK EPSRC Grant EP/L022710/1.

Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  • Sergio Pastrana (1)
  • Juan Tapiador (1)
  • Guillermo Suarez-Tangil (2)
  • Pedro Peris-López (1)
  1. Department of Computer Science, University Carlos III de Madrid, Leganés, Spain
  2. Information Security Group, Royal Holloway University of London, Egham, UK