ABSTRACT
Since sensor applications are implemented in embedded computer systems, cyber attacks that compromise regular computer systems by exploiting memory-related vulnerabilities present similar threats to sensor networks. However, the paper shows that memory fault attacks in sensors are not exactly the same as in regular computers, due to the sensor's hardware and software architecture. In contrast to worm attacks, mal-code carried by exploiting packets cannot be executed in a sensor. Therefore, the paper proposes a range of attack approaches to illustrate that a mal-packet, which carries only specially crafted data, can exploit memory-related vulnerabilities and utilize existing application code in a sensor to propagate itself without disrupting the sensor's functionality. The paper shows that such a mal-packet can have as few as 17 bytes. A prototype of a 27-byte mal-packet has been implemented and tested in Mica2 sensors. Simulation shows that the propagation pattern of such a mal-packet in a sensor network is very different from worm propagation. Depending on the traffic situation, mal-packets can either quickly take over the whole network or find it hard to propagate.