ABSTRACT
Device attestation is an essential feature in many security protocols and applications. The lack of dedicated hardware and the impossibility of physically accessing the devices to be attested make attestation of embedded devices, in applications such as Wireless Sensor Networks, a prominent challenge. Several software-based attestation techniques have been proposed that rely either on tight time constraints or on the lack of free space to store malicious code. This paper investigates the shortcomings of existing software-based attestation techniques. We first present two generic attacks, one based on a return-oriented rootkit and the other on code compression. We further describe specific attacks on two existing proposals, namely SWATT and ICE-based schemes, and argue about the difficulty of fixing them. All attacks presented in this paper were implemented and validated on commodity sensors.
INDEX TERMS
Primary Classification: K. Computing Milieux > K.6 MANAGEMENT OF COMPUTING AND INFORMATION SYSTEMS > K.6.5 Security and Protection (D.4.6, K.4.2)
Subjects: Invasive software (e.g., viruses, worms, Trojan horses)
General Terms: Experimentation, Security
Keywords: code compression, embedded systems, indisputable code execution, return-oriented programming, software-based attestation, swatt, wireless sensor networks