
A framework for defending embedded systems against software attacks

Published: 05 May 2011

Abstract

The incidence of malicious code and software vulnerability exploits on embedded platforms is constantly on the rise. Yet, little effort is being devoted to combating such threats to embedded systems. Moreover, adapting security approaches designed for general-purpose systems generally fails because of the limited processing capabilities of their embedded counterparts.

In this work, we evaluate a malware and software vulnerability exploit defense framework for embedded systems. The proposed framework extends our prior work, which defines two isolated execution environments: a testing environment, wherein an untrusted application is first tested using dynamic binary instrumentation (DBI), and a real environment, wherein a program is monitored at runtime using an extracted behavioral model, along with a continuous learning process. We present a suite of software and hardware optimizations to reduce the overheads induced by the defense framework on embedded systems. Software optimizations include the usage of static analysis, complemented with DBI in the testing environment (i.e., a hybrid software analysis approach is used). Hardware optimizations exploit parallel processing capabilities of multiprocessor systems-on-chip.

We have evaluated the defense framework and proposed optimizations on the ARM-Linux operating system. Experiments demonstrate that our framework achieves a high coverage of considered security threats, with acceptable performance penalties (the average execution time of applications goes up to 1.68X, considering all optimizations, which is much smaller than the 2.72X performance penalty when no optimizations are used).
