DOI: 10.1007/978-3-642-23644-0_19

Defending embedded systems with software symbiotes

Published: 20 September 2011

Abstract

A large number of embedded devices on the Internet, such as routers and VoIP phones, are typically ripe for exploitation. Little to no defensive technology, such as AV scanners or IDSs, is available to protect these devices. We propose a host-based defense mechanism, which we call Symbiotic Embedded Machines (SEM), that is specifically designed to inject intrusion detection functionality into the firmware of the device. A SEM, or simply a Symbiote, may be injected into deployed legacy embedded systems with no disruption to the operation of the device. A Symbiote is a code structure embedded in situ into the firmware of an embedded system. The Symbiote can tightly co-exist with arbitrary host executables in a mutually defensive arrangement, sharing computational resources with its host while simultaneously protecting the host against exploitation and unauthorized modification. The Symbiote is stealthily embedded in a randomized fashion within an arbitrary body of firmware to protect itself from removal. We demonstrate the operation of a generic whitelist-based rootkit detector Symbiote injected in situ into Cisco IOS with negligible performance penalty and without impacting the router's functionality. We present the performance overhead of a Symbiote on physical Cisco router hardware. A MIPS implementation of the Symbiote was ported to ARM and injected into a Linux 2.4 kernel, allowing the Symbiote to operate within Android and other mobile computing devices. The use of Symbiotes represents a practical and effective protection mechanism for a wide range of devices, especially widely deployed, unprotected, legacy embedded devices.
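As an added example (not code from the paper, and not the authors' Symbiote implementation), the following C program sketches the whitelist-based integrity check the abstract describes: a monitor records hashes of protected code regions once, at injection time, and on each later pass re-hashes them and flags any region whose code has been patched, which is how an inline-hook rootkit typically manifests. The mock firmware image, the three-region whitelist, the FNV-1a hash and the MIPS-style jump word written by the simulated rootkit are all constructed assumptions for this example; the real Symbiote's technique for borrowing execution time from the host through randomized hooks is not shown.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for a firmware image: 64 fixed-width 32-bit words
 * treated as three "functions". The word values are deterministic filler
 * (assumed MIPS-like encoding), not real IOS code. */
#define FW_WORDS 64
static uint32_t firmware[FW_WORDS];

/* One whitelist entry: a protected code region and the hash it must keep. */
typedef struct {
    const char *name;
    size_t      start;   /* word offset into firmware[] */
    size_t      len;     /* region length in words */
    uint32_t    expect;  /* hash recorded at injection time */
} region_t;

/* 32-bit FNV-1a over the raw bytes of a region. A keyed or cryptographic
 * hash would be preferable in a deployment; FNV keeps this dependency-free. */
static uint32_t region_hash(const uint32_t *words, size_t len) {
    uint32_t h = 2166136261u;
    const uint8_t *p = (const uint8_t *)words;
    for (size_t i = 0; i < len * sizeof(uint32_t); i++) {
        h ^= p[i];
        h *= 16777619u;
    }
    return h;
}

/* Fill the mock image deterministically so every run is reproducible. */
static void firmware_init(void) {
    for (size_t i = 0; i < FW_WORDS; i++)
        firmware[i] = 0x03E00008u ^ (uint32_t)(i * 0x9E3779B1u);
}

/* Assumed layout: boot path, packet receive handler, CLI parser. */
static region_t whitelist[] = {
    { "boot",    0, 16, 0 },
    { "pkt_rx", 16, 32, 0 },
    { "cli",    48, 16, 0 },
};
#define N_REGIONS (sizeof whitelist / sizeof whitelist[0])

/* Record the known-good hashes; done once when the monitor is injected. */
static void whitelist_seal(void) {
    for (size_t i = 0; i < N_REGIONS; i++)
        whitelist[i].expect = region_hash(firmware + whitelist[i].start,
                                          whitelist[i].len);
}

/* One monitoring pass. The caller picks which region is checked first so
 * the scan order is not fixed. Returns a bitmask of tampered regions
 * (bit i set means whitelist[i] no longer matches its sealed hash). */
static unsigned symbiote_check(size_t first) {
    unsigned tampered = 0;
    for (size_t k = 0; k < N_REGIONS; k++) {
        size_t i = (first + k) % N_REGIONS;
        uint32_t h = region_hash(firmware + whitelist[i].start, whitelist[i].len);
        if (h != whitelist[i].expect) {
            tampered |= 1u << i;
            printf("ALERT: region %s modified (expected %08x, got %08x)\n",
                   whitelist[i].name, (unsigned)whitelist[i].expect, (unsigned)h);
        }
    }
    return tampered;
}

/* Simulated rootkit: overwrite the first word of a function with a jump to
 * attacker code, the inline-hook pattern. The 0x08000000 | target form is
 * the MIPS 'j' encoding (assumed here; the target is arbitrary). */
static void rootkit_hook(size_t func_word, uint32_t target_word) {
    firmware[func_word] = 0x08000000u | (target_word & 0x03FFFFFFu);
}

int main(void) {
    firmware_init();
    whitelist_seal();
    printf("clean pass: mask=%u\n", symbiote_check(0));
    rootkit_hook(16, 60);              /* hook the packet handler entry */
    printf("after hook: mask=%u\n", symbiote_check(2));
    return 0;
}
```

Two points a practitioner would check before trusting such a monitor: the sealed hashes and the checker itself must live somewhere the attacker cannot rewrite as easily as the code being protected (the paper's answer is randomized, in situ placement), and the whitelisted regions must exclude writable data and any legitimately self-modifying code, otherwise the detector alerts on normal operation.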

References

[1] Microsoft Corporation: Kernel Patch Protection: Frequently Asked Questions (2006), http://tinyurl.com/y7pss5y
[2] DroneBL: Network Bluepill (2008), http://www.dronebl.org/blog/8
[3] Chang, H., Atallah, M.J.: Protecting software code by guards. In: Sander, T. (ed.) DRM 2001. LNCS, vol. 2320, pp. 160-175. Springer, Heidelberg (2002)
[4] Cui, A., Kataria, J., Stolfo, S.J.: Killing the myth of Cisco IOS diversity: Towards reliable, large-scale exploitation of Cisco IOS. In: USENIX Workshop on Offensive Technologies (WOOT) (August 2011)
[5] Erlingsson, Ú., Abadi, M., Vrable, M., Budiu, M., Necula, G.C.: XFI: Software guards for system address spaces. In: OSDI, pp. 75-88. USENIX Association (2006)
[6] Ligatti, J., Bauer, L., Walker, D.: Enforcing security policies with run-time program monitors. Technical report, Princeton University, Princeton (2005)
[7] Harbour, N.: Win at Reversing: API Tracing and Sandboxing Through Inline Hooking. In: Black Hat USA (2009)
[8] Kiamilev, F., Hoover, R.: Demonstration of Hardware Trojans. In: DEF CON 16 (2008)
[9] Krügel, C., Robertson, W.K., Vigna, G.: Detecting kernel-level rootkits through binary analysis. In: ACSAC, pp. 91-100. IEEE Computer Society, Los Alamitos (2004)
[10] Lindner, F. "FX": Cisco IOS Router Exploitation. In: Black Hat USA (2009)
[11] Lippmann, R., Kirda, E., Trachtenberg, A. (eds.): RAID 2008. LNCS, vol. 5230. Springer, Heidelberg (2008)
[12] McLaughlin, S., Podkuiko, D., Delozier, A., Miadzvezhanka, S., McDaniel, P.: Embedded firmware diversity for smart electric meters. In: HotSec 2010 (2010)
[13] Lynn, M.: Cisco IOS Shellcode. In: Black Hat USA (2005)
[14] Muniz, S.: Killing the myth of Cisco IOS rootkits: DIK. In: EUSecWest (2008)
[15] Riley, R., Jiang, X., Xu, D.: Guest-transparent prevention of kernel rootkits with VMM-based memory shadowing. In: Lippmann et al. (eds.) [11], pp. 1-20
[16] Roecher, D.-J., Thumann, M.: NAC Attack. In: Black Hat USA (2007)
[17] Skywing: Subverting PatchGuard Version 2. Uninformed 6 (2008)
[18] Song, Y., Prabhu, P.V., Stolfo, S.J.: Smashing the stack with Hydra: The many heads of advanced shellcode polymorphism. In: DEF CON 17 (2009)
[19] Vasisht, V.R., Lee, H.-H.S.: SHARK: Architectural support for autonomic protection against stealth by rootkit exploits. In: MICRO, pp. 106-116. IEEE Computer Society, Los Alamitos (2008)
[20] Ganesh, V., Leek, T., Rinard, M.: Taint-based directed whitebox fuzzing. In: 31st International Conference on Software Engineering (ICSE) (2009)
[21] Hunt, G., Brubacher, D.: Detours: Binary interception of Win32 functions. In: Proceedings of the 3rd USENIX Windows NT Symposium, pp. 135-143 (1999)
[22] Wang, Z., Jiang, X., Cui, W., Wang, X.: Countering persistent kernel rootkits through systematic hook discovery. In: Lippmann et al. (eds.) [11], pp. 21-38


Information

Published In

RAID'11: Proceedings of the 14th international conference on Recent Advances in Intrusion Detection
September 2011
377 pages
ISBN:9783642236433

Sponsors

  • Communications Research Centre Canada
  • SRI International

Publisher

Springer-Verlag

Berlin, Heidelberg


Author Tags

  1. Cisco IOS rootkit detection
  2. embedded device defense
  3. symbiotic embedded machines

Qualifiers

  • Article


Cited By

  • (2020) Cyber-Physical Inconsistency Vulnerability Identification for Safety Checks in Robotic Vehicles. Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security, pp. 263-278. DOI: 10.1145/3372297.3417249. Online publication date: 30 Oct 2020
  • (2019) Defeating denial-of-service attacks in a self-managing N-variant system. Proceedings of the 14th International Symposium on Software Engineering for Adaptive and Self-Managing Systems, pp. 126-138. DOI: 10.1109/SEAMS.2019.00024. Online publication date: 25 May 2019
  • (2018) Detecting Attacks Against Robotic Vehicles. Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, pp. 801-816. DOI: 10.1145/3243734.3243752. Online publication date: 15 Oct 2018
  • (2014) Dynamic hooks. Proceedings of the 23rd USENIX Conference on Security Symposium, pp. 813-828. DOI: 10.5555/2671225.2671277. Online publication date: 20 Aug 2014
  • (2012) N-Gram against the machine. Proceedings of the 15th International Conference on Research in Attacks, Intrusions, and Defenses, pp. 354-373. DOI: 10.1007/978-3-642-33338-5_18. Online publication date: 12 Sep 2012
  • (2011) Killing the myth of Cisco IOS diversity. Proceedings of the 5th USENIX Conference on Offensive Technologies, p. 3. DOI: 10.5555/2028052.2028055. Online publication date: 8 Aug 2011
  • (2011) From prey to hunter. Proceedings of the 27th Annual Computer Security Applications Conference, pp. 393-402. DOI: 10.1145/2076732.2076788. Online publication date: 5 Dec 2011
