ABSTRACT
Since sensor applications are implemented in embedded computer systems, cyber attacks that compromise regular computer systems by exploiting memory-related vulnerabilities present similar threats to sensor networks. However, the paper shows that memory fault attacks in sensors are not quite the same as in regular computers, owing to the sensor's hardware and software architecture. In contrast to worm attacks, mal-code carried by exploiting packets cannot be executed in a sensor. Therefore, the paper proposes a range of attack approaches to illustrate that a mal-packet, which carries only specially crafted data, can exploit memory-related vulnerabilities and utilize existing application code in a sensor to propagate itself without disrupting the sensor's functionality. The paper shows that such a mal-packet can have as few as 17 bytes. A prototype of a 27-byte mal-packet has been implemented and tested in Mica2 sensors. Simulation shows that the propagation pattern of such a mal-packet in a sensor network is very different from worm propagation. Mal-packets can either quickly take over the whole network or be hard to propagate, depending on the traffic situation.
Index Terms
Towards self-propagate mal-packets in sensor networks