Plasticity: Protection and Crash Forensics for Embedded Devices
Abstract
Embedded devices are ubiquitous. They often handle privacy-sensitive information, a fact that will only become more important as the movement towards the “Internet of Things” (IoT) gains traction. Moreover, they also often play a central role in critical infrastructure, for instance by managing key mechanical systems as part of industrial control systems in the energy and transportation sectors. Errors in the software running on these devices can have devastating impacts, in particular when an adversary is able to exploit vulnerabilities in order to cause severe failures in the physical world. As such, ensuring the security and reliability of such devices is of paramount importance.

Embedded devices commonly execute proprietary firmware, where users of the devices have no access to the source code and little documentation is available. Moreover, due to real-time constraints, hardware limitations, or scalability concerns, this firmware often runs as a single high-authority protection domain without an operating system. As with common off-the-shelf (COTS) software, firmware is susceptible to a wide range of errors such as memory corruption flaws, command injection vulnerabilities, and logic flaws, where successful exploits directly lead to catastrophic failures. In these cases, adversaries can immediately obtain highly privileged access to the underlying hardware and the systems these devices control, and use it to carry out devastating attacks.

In this project, we propose to develop a system we call PLASTICITY that complements and completes existing defenses based on software diversity and delayed input sharing. The first component of the system allows the defender to transparently introduce shims into firmware images to decouple the firmware from the inputs that are received from attached physical sensors. These shims introduce flexible and programmable filtering capabilities that can be updated at runtime. They provide the defender with the ability to remove inputs from the device that are known (or suspected) to crash the firmware. As a result, the firmware protected by PLASTICITY has the ability to defend itself from malicious inputs and commands, breaking out of the crash-recover cycle. The second component extends the firmware with crash forensics capabilities that analyze the execution state of the firmware to determine the root cause of a crash. This information is used to automatically generate input filters to prevent the firmware from crashing again, assuming that the attacker attempts to launch a similar attack after the firmware has recovered from the initial attack.

Limited hardware resources and frequent real-time constraints on execution make efficient filter generation and enforcement a primary design goal. A significant amount of effort is often invested to demonstrate that the worst-case execution time of a section of code does not exceed a budget. If the device fails to meet its real-time deadlines, its outputs could be incorrect and cause harm to the cyber-critical system, representing yet another type of failure that attackers could attempt to exploit.

While it is necessary that the shims be inline with input processing, we expect that the forensics code inserts only minimal (optimally, no) code into the execution paths of the firmware. Instead, we expect that this component is invoked only when a crash or other failure is detected. Based on the firmware execution state, together with knowledge of the firmware gleaned from an initial static analysis, it is the task of this component to piece together the root cause of the crash. This means that the forensic component should be able to identify the inputs that led to the crash, as well as the vulnerable program point. Then, the system should compute appropriate and generalized filters that prevent this input from crashing the firmware again in the future.
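The abstract describes two cooperating components: an inline shim that filters sensor inputs against a rule table that can be updated at runtime, and an off-path forensics routine that turns the execution state captured at a crash, plus knowledge from static analysis, into a generalized filter. The following C program is an added illustration of that crash-filter-recover loop; it is not PLASTICITY's code. The sensor message layout, the calibration-table handler with its missing bounds check, the program point id, and the table constants are all constructed for this example. The handler reports the fault as a return value instead of corrupting memory, standing in for the trap a real fault handler would take.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed sensor message format (an assumption of this example). */
typedef struct { uint8_t sensor_id; uint16_t value; } sensor_msg_t;

/* One input filter: drop messages from sensor_id whose value lies in [lo, hi]. */
typedef struct { uint8_t sensor_id; uint16_t lo, hi; bool active; } filter_rule_t;

#define MAX_RULES 8
static filter_rule_t g_rules[MAX_RULES];

/* Shim on the input path. A bounded linear scan over a small, fixed-size table
 * keeps the added worst-case execution time easy to account for. */
bool shim_accept(const sensor_msg_t *m) {
    for (size_t i = 0; i < MAX_RULES; i++) {
        const filter_rule_t *r = &g_rules[i];
        if (r->active && r->sensor_id == m->sensor_id &&
            m->value >= r->lo && m->value <= r->hi)
            return false;                       /* filtered out before the firmware sees it */
    }
    return true;
}

/* Runtime update of the filter table; returns false when the table is full. */
bool shim_add_rule(filter_rule_t rule) {
    for (size_t i = 0; i < MAX_RULES; i++) {
        if (!g_rules[i].active) {
            g_rules[i] = rule;
            g_rules[i].active = true;
            return true;
        }
    }
    return false;
}

/* Crash record: the pieces of execution state a fault handler would preserve. */
typedef struct { bool valid; sensor_msg_t last_input; int program_point; } crash_record_t;
static crash_record_t g_crash;

/* Knowledge gleaned from static analysis (constructed): at program point 1 the
 * handler indexes a CAL_LEN-entry table with (value >> CAL_SHIFT) and never
 * checks the bound. */
#define CAL_LEN   16
#define CAL_SHIFT 8
static uint16_t g_calibration[CAL_LEN];

/* Hypothetical firmware handler with the latent out-of-bounds write. The
 * simulation detects the fault condition, records the crash state, and returns
 * -1 where real firmware would trap. */
int firmware_handle(const sensor_msg_t *m) {
    unsigned idx = (unsigned)m->value >> CAL_SHIFT;
    if (idx >= CAL_LEN) {
        g_crash.valid = true;
        g_crash.last_input = *m;
        g_crash.program_point = 1;
        return -1;
    }
    g_calibration[idx] = m->value;
    return 0;
}

/* Forensics: runs only after a crash, never on the hot path. Combines the crash
 * record with the static knowledge to emit a generalized filter covering every
 * value whose index would be out of range, not just the one value observed. */
bool forensics_generate_filter(const crash_record_t *c, filter_rule_t *out) {
    if (!c->valid || c->program_point != 1) return false;   /* root cause unknown */
    out->sensor_id = c->last_input.sensor_id;
    out->lo = (uint16_t)(CAL_LEN << CAL_SHIFT);             /* first out-of-range value */
    out->hi = UINT16_MAX;
    out->active = true;
    return true;
}

/* One pass through shim and firmware. On a crash the forensics step installs a
 * filter so the recovered firmware rejects the same class of input next time.
 * Returns 0 = delivered, 1 = dropped by shim, 2 = crashed and filter installed. */
int process_input(const sensor_msg_t *m) {
    if (!shim_accept(m)) return 1;
    if (firmware_handle(m) == 0) return 0;
    filter_rule_t rule;
    if (forensics_generate_filter(&g_crash, &rule)) shim_add_rule(rule);
    g_crash.valid = false;
    return 2;
}

int main(void) {
    sensor_msg_t bad = { 3, 0x1234 };          /* index 18: out of range */
    sensor_msg_t variant = { 3, 0xFFFF };      /* same flaw, different value */
    printf("first delivery: %d\n", process_input(&bad));      /* 2: crash, filter built */
    printf("replay: %d\n", process_input(&bad));              /* 1: dropped by shim */
    printf("variant: %d\n", process_input(&variant));         /* 1: generalized filter holds */
    return 0;
}
```

The first crashing message reaches the handler once; after that, both the replayed message and a different value that would hit the same missing bounds check are dropped in the shim, which is the generalization the abstract asks of the forensics component. In-range readings for the same sensor continue to be delivered.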
Document Details
- Document Type: DoD Grant Award
- Publication Date: Aug 12, 2016
- Source ID: N000141512787
Entities
People
- Christopher Kruegel
Organizations
- Office of Naval Research
- United States Navy
- University of California, Santa Barbara