Harvard architecture CPU design is common in the embedded world. Examples of Harvard-based architecture devices are the Mica family of wireless sensors. Mica motes have limited memory and can process only very small packets. Stack-based buffer overflow techniques that inject code into the stack and then execute it are therefore not applicable. It has been a common belief that code injection is impossible on Harvard architectures. This paper presents a remote code injection attack for Mica sensors. We show how to exploit program vulnerabilities to permanently inject any piece of code into the program memory of an Atmel AVR-based sensor. To our knowledge, this is the first result that presents a code injection technique for such devices. Previous work only succeeded in injecting data or performing transient attacks. Injecting permanent code is more powerful since the attacker can gain full control of the target sensor. We also show that this attack can be used to inject a worm that can propagate through the wireless sensor network and possibly create a sensor botnet. Our attack combines different techniques such as return oriented programming and fake stack injection. We present implementation details and suggest some counter-measures.

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	Aleph One. Smashing the stack for fun and profit. Phrack Magazine 49(14), 1996. http://www.phrack.org/issues.html?issue=49.
	2	AMD. AMD 64 and Enhanced Virus Protection.
	3	ATMEL. Atmega128(l) datasheet, doc2467: 8-bit microcontroller with 128k bytes in-system programmable flash.
	4	Katharine Chang , Kang G. Shin, Distributed Authentication of Program Integrity Verification in Wireless Sensor Networks, ACM Transactions on Information and System Security (TISSEC), v.11 n.3, p.1-35, March 2008  [doi>10.1145/1341731.1341735]
	5	Nathan Cooprider , Will Archer , Eric Eide , David Gay , John Regehr, Efficient memory safety for TinyOS, Proceedings of the 5th international conference on Embedded networked sensor systems, November 06-09, 2007, Sydney, Australia  [doi>10.1145/1322263.1322283]
	6	Crispin Cowan , Calton Pu , Dave Maier , Heather Hintony , Jonathan Walpole , Peat Bakke , Steve Beattie , Aaron Grier , Perry Wagle , Qian Zhang, StackGuard: automatic adaptive detection and prevention of buffer-overflow attacks, Proceedings of the 7th conference on USENIX Security Symposium, p.5-5, January 26-29, 1998, San Antonio, Texas
	7	Crossbow technology inc. Micaz.
	8	T. DeRaadt. Advances in OpenBSD. In CanSecWest, 2003.
	9	Prabal K. Dutta , Jonathan W. Hui , David C. Chu , David E. Culler, Securing the deluge Network programming system, Proceedings of the 5th international conference on Information processing in sensor networks, April 19-21, 2006, Nashville, Tennessee, USA  [doi>10.1145/1127777.1127826]
	10	T. Goodspeed. Exploiting wireless sensor networks over 802.15.4. In ToorCon 9, San Diego, 2007.
	11	T. Goodspeed. Exploiting wireless sensor networks over 802.15.4. In Texas Instruments Developper Conference, 2008.
	12	Qijun Gu , Rizwan Noorani, Towards self-propagate mal-packets in sensor networks, Proceedings of the first ACM conference on Wireless network security, March 31-April 02, 2008, Alexandria, VA, USA  [doi>10.1145/1352533.1352563]
	13	J. A. Halderman, S. D. Schoen, N. Heninger, W. Clarkson, W. Paul, J. A. Calandrino, A. J. Feldman, J. Appelbaum, and E. W. Felten. Least we remember: Cold boot attacks on encryption keys. In USENIX Security Symposium, 2008.
	14	Jonathan W. Hui , David Culler, The dynamic behavior of a data dissemination protocol for network programming at scale, Proceedings of the 2nd international conference on Embedded networked sensor systems, November 03-05, 2004, Baltimore, MD, USA  [doi>10.1145/1031495.1031506]
	15	IEEE. Wireless medium access control and physical layer specifications for low-rate wireless personal area networks. IEEE Standard, 802.15.4--2003.
	16	Chongkyung Kil , Jinsuk Jun , Christopher Bookholt , Jun Xu , Peng Ning, Address Space Layout Permutation (ASLP): Towards Fine-Grained Randomization of Commodity Software, Proceedings of the 22nd Annual Computer Security Applications Conference on Annual Computer Security Applications Conference, p.339-348, December 11-15, 2006  [doi>10.1109/ACSAC.2006.9]
	17	Donnie H. Kim , Rajeev Gandhi , Priya Narasimhan, Exploring Symmetric Cryptography for Secure Network Reprogramming, Proceedings of the 27th International Conference on Distributed Computing Systems Workshops, p.17, June 22-29, 2007  [doi>10.1109/ICDCSW.2007.37]
	18	I. Krontiris and T. Dimitriou. Authenticated in-network programming for wireless sensor networks. In ADHOC-NOW, 2006.
	19	Patrick E. Lanigan , Rajeev Gandhi , Priya Narasimhan, Sluice: Secure Dissemination of Code Updates in Sensor Networks, Proceedings of the 26th IEEE International Conference on Distributed Computing Systems, p.53, July 04-07, 2006  [doi>10.1109/ICDCS.2006.77]
	20	G. Montenegro, N. Kushalnagar, J. Hui, and D. Culler. Transmission of ipv6 packets over ieee 802.15.4 networks (rfc 4944). Technical report, IETF, September 2007.
	21	Ryan Riley , Xuxian Jiang , Dongyan Xu, An Architectural Approach to Preventing Code Injection Attacks, Proceedings of the 37th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, p.30-40, June 25-28, 2007  [doi>10.1109/DSN.2007.13]
	22	A. Seshadri, A. Perrig, L. van Doorn, and P. K. Khosla. Swatt: Software-based attestation for embedded devices. In IEEE S&P, 2004.
	23	Hovav Shacham, The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86), Proceedings of the 14th ACM conference on Computer and communications security, October 28-31, 2007, Alexandria, Virginia, USA  [doi>10.1145/1315245.1315313]
	24	Hovav Shacham , Matthew Page , Ben Pfaff , Eu-Jin Goh , Nagendra Modadugu , Dan Boneh, On the effectiveness of address-space randomization, Proceedings of the 11th ACM conference on Computer and communications security, October 25-29, 2004, Washington DC, USA  [doi>10.1145/1030083.1030124]
	25	Solar Designer. return-to-libc attack. Bugtraq mailing list, August 1997.
	26	The PaX Team. Pax address space layout randomization (aslr). http://pax.grsecurity.net/docs/aslr.txt.
	27	The PaX Team. Pax, 2003. http://pax.grsecurity.net.
	28	Ben L. Titzer , Daniel K. Lee , Jens Palsberg, Avrora: scalable sensor network simulation with precise timing, Proceedings of the 4th international symposium on Information processing in sensor networks, April 24-27, 2005, Los Angeles, California
	29	Ubisec&sens european project. http://www.ist-ubisecsens.org/.