What the Stack? On Memory Exploitation and Protection in Resource Constrained Automotive Systems

  • Aljoscha Lautenbach
  • Magnus Almgren
  • Tomas Olovsson
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10707)


The increased connectivity of road vehicles poses significant challenges for transportation security, and automotive security has rapidly gained attention in recent years. Among the most dangerous kinds of security-relevant software bugs are those related to memory corruption, since their successful exploitation would grant the attacker a high degree of influence over the compromised system. Such vulnerabilities and the corresponding mitigation techniques have been widely studied for regular IT systems, but we identified a gap with respect to resource-constrained automotive systems.

In this paper, we discuss how the hardware architecture of resource-constrained automotive systems impacts memory exploitation techniques and their implications for memory protection. Currently deployed systems have little to no protection from memory exploitation. However, based on our analysis, we find that simple and well-known measures such as stack canaries, non-executable RAM, and, to a limited extent, memory layout randomization can also be deployed in this domain to significantly raise the bar for successful exploitation.


Keywords: Embedded system security; Electronic control unit; Resource constraints; Memory exploitation; Memory protection



We would like to thank all anonymous reviewers for their valuable feedback. The research leading to these results has been partially supported by the HoliSec project (2015-06894) funded by VINNOVA, the Swedish Governmental Agency for Innovation Systems, and by the Swedish Civil Contingencies Agency (MSB) through the project “RICS”.



Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  • Aljoscha Lautenbach (1), Email author
  • Magnus Almgren (1)
  • Tomas Olovsson (1)
  1. Chalmers University of Technology, Gothenburg, Sweden
