Challenges in Designing Exploit Mitigations for Deeply Embedded Systems

Abstract: Memory corruption vulnerabilities have been around for decades and rank among the most prevalent vulnerabilities in embedded systems. Yet this constrained environment poses unique design and implementation challenges that significantly complicate the adoption of common hardening techniques. Combined with the irregular and involved nature of embedded patch management, this results in prolonged vulnerability exposure windows and vulnerabilities that are relatively easy to exploit. Considering the sensitive and c… Show more

“…MCUS run a single binary image either as baremetal (i.e., with no OS), or are coupled with a light-weight OS (e.g., Mbed-OS or FreeRTOS [7], [8]). Existing solutions to protect MCUS [9]- [20], are still not deployed as they either require special hardware extensions, incur high overhead, or have limited security guarantees. So far, deployed MCUS lack essential protections that are available in their desktop counterparts [16]- [18], such as Data Execution Prevention (DEP), stack canaries [21], and Address Space Layout Randomization (ASLR).…”

“…ROP is a code reuse attack targeting backward edges, allowing an attacker to perform arbitrary execution. ROP remains a viable attack vector even in presence of other defenses such as stack canaries [20], [21], and randomization [17].…”

“…While researchers proposed several techniques to improve MCUS security, existing techniques cannot prevent controlflow hijacking attacks on all backward edges unless they incur prohibitive runtime overhead. Current defenses protect from control-flow hijacking through randomization [17], [19], [20], memory isolation [16], [18], [19], or CFI [10], [11]. However, these defenses only reduce the attack surface, but remain bypassable by ROP style attacks [27]- [31].…”

“…An alternative approach is to rely on information hiding. However, information hiding based defenses [17], [19], [20] are vulnerable to information disclosure [31], [32] and profiling [33] attacks. Ultimately, the security guarantees of information hiding remain limited by the small amount of memory available on MCUS.…”

“…Defenses also limit their applicability by requiring special hardware extensions that are not available for the wide majority of MCUS such as a Trusted Execution Environment (TEE) [20]. In order to enforce stronger guarantees to protect return addresses one option is to use a shadow stack [37], [38].…”

$\mu$RAI: Securing Embedded Systems with Return Address Integrity

“…MCUS run a single binary image either as baremetal (i.e., with no OS), or are coupled with a light-weight OS (e.g., Mbed-OS or FreeRTOS [7], [8]). Existing solutions to protect MCUS [9]- [20], are still not deployed as they either require special hardware extensions, incur high overhead, or have limited security guarantees. So far, deployed MCUS lack essential protections that are available in their desktop counterparts [16]- [18], such as Data Execution Prevention (DEP), stack canaries [21], and Address Space Layout Randomization (ASLR).…”

“…ROP is a code reuse attack targeting backward edges, allowing an attacker to perform arbitrary execution. ROP remains a viable attack vector even in presence of other defenses such as stack canaries [20], [21], and randomization [17].…”

“…While researchers proposed several techniques to improve MCUS security, existing techniques cannot prevent controlflow hijacking attacks on all backward edges unless they incur prohibitive runtime overhead. Current defenses protect from control-flow hijacking through randomization [17], [19], [20], memory isolation [16], [18], [19], or CFI [10], [11]. However, these defenses only reduce the attack surface, but remain bypassable by ROP style attacks [27]- [31].…”

“…An alternative approach is to rely on information hiding. However, information hiding based defenses [17], [19], [20] are vulnerable to information disclosure [31], [32] and profiling [33] attacks. Ultimately, the security guarantees of information hiding remain limited by the small amount of memory available on MCUS.…”

“…Defenses also limit their applicability by requiring special hardware extensions that are not available for the wide majority of MCUS such as a Trusted Execution Environment (TEE) [20]. In order to enforce stronger guarantees to protect return addresses one option is to use a shadow stack [37], [38].…”

$\mu$RAI: Securing Embedded Systems with Return Address Integrity

Moving Target Defense Techniques for the IoT

$$\mu $$IPS: Software-Based Intrusion Prevention for Bare-Metal Embedded Systems