Challenges in designing exploit mitigations for deeply embedded systems

Ali Abbasi; Jos Wetzels; Thorsten Holz; Sandro Etalle

doi:10.1109/EuroSP.2019.00013

Challenges in designing exploit mitigations for deeply embedded systems

Ali Abbasi, Jos Wetzels, Thorsten Holz, Sandro Etalle

Security

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

40 Citations (Scopus)

1 Downloads (Pure)

Abstract

Memory corruption vulnerabilities have been around for decades and rank among the most prevalent vulnerabilities in embedded systems. Yet this constrained environment poses unique design and implementation challenges that significantly complicate the adoption of common hardening techniques. Combined with the irregular and involved nature of embedded patch management, this results in prolonged vulnerability exposure windows and vulnerabilities that are relatively easy to exploit. Considering the sensitive and critical nature of many embedded systems, this situation merits significant improvement. In this work, we present the first quantitative study of exploit mitigation adoption in 42 embedded operating systems, showing the embedded world to significantly lag behind the general-purpose world. To improve the security of deeply embedded systems, we subsequently present μArmor, an approach to address some of the key gaps identified in our quantitative analysis. μArmor raises the bar for exploitation of embedded memory corruption vulnerabilities, while being adoptable on the short term without incurring prohibitive extra performance or storage costs.

Original language	English
Title of host publication	Proceedings - 4th IEEE European Symposium on Security and Privacy, EURO S and P 2019
Place of Publication	Piscataway
Publisher	Institute of Electrical and Electronics Engineers
Pages	31-46
Number of pages	16
ISBN (Electronic)	978-1-7281-1148-3
DOIs	https://doi.org/10.1109/EuroSP.2019.00013
Publication status	Published - 1 Jun 2019
Event	4th IEEE European Symposium on Security and Privacy, EURO S and P 2019 - Stockholm, Sweden Duration: 17 Jun 2019 → 19 Jun 2019

Conference

Conference	4th IEEE European Symposium on Security and Privacy, EURO S and P 2019
Country/Territory	Sweden
City	Stockholm
Period	17/06/19 → 19/06/19

Funding

ACKNOWLEDGMENT The work of first and third author was supported by the European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation programme (ERC Starting Grant No. 640110 BASTION). In addition, this work was supported by the German Federal Ministry of Education and Research (BMBF Grant 16KIS0592K HWSec) and the Intel Collaboratvie Research Institute “Collaboratvie Autonomous & Resilient Systems” (ICRI-CARS). The work of second and fourth authors has been supported by the NWO through the SpySpot project (no.628.001.004).

Keywords

Embedded System
Exploit Mitigation
Exploiting
Security

Access to Document

10.1109/EuroSP.2019.00013

Cite this

@inproceedings{82fd153289854fd5b8480022b0f8435e,

title = "Challenges in designing exploit mitigations for deeply embedded systems",

abstract = "Memory corruption vulnerabilities have been around for decades and rank among the most prevalent vulnerabilities in embedded systems. Yet this constrained environment poses unique design and implementation challenges that significantly complicate the adoption of common hardening techniques. Combined with the irregular and involved nature of embedded patch management, this results in prolonged vulnerability exposure windows and vulnerabilities that are relatively easy to exploit. Considering the sensitive and critical nature of many embedded systems, this situation merits significant improvement. In this work, we present the first quantitative study of exploit mitigation adoption in 42 embedded operating systems, showing the embedded world to significantly lag behind the general-purpose world. To improve the security of deeply embedded systems, we subsequently present μArmor, an approach to address some of the key gaps identified in our quantitative analysis. μArmor raises the bar for exploitation of embedded memory corruption vulnerabilities, while being adoptable on the short term without incurring prohibitive extra performance or storage costs.",

keywords = "Embedded System, Exploit Mitigation, Exploiting, Security",

author = "Ali Abbasi and Jos Wetzels and Thorsten Holz and Sandro Etalle",

year = "2019",

month = jun,

day = "1",

doi = "10.1109/EuroSP.2019.00013",

language = "English",

pages = "31--46",

booktitle = "Proceedings - 4th IEEE European Symposium on Security and Privacy, EURO S and P 2019",

publisher = "Institute of Electrical and Electronics Engineers",

address = "United States",

note = "4th IEEE European Symposium on Security and Privacy, EURO S and P 2019 ; Conference date: 17-06-2019 Through 19-06-2019",

}

Abbasi, A, Wetzels, J, Holz, T & Etalle, S 2019, Challenges in designing exploit mitigations for deeply embedded systems. in Proceedings - 4th IEEE European Symposium on Security and Privacy, EURO S and P 2019., 8806725, Institute of Electrical and Electronics Engineers, Piscataway, pp. 31-46, 4th IEEE European Symposium on Security and Privacy, EURO S and P 2019, Stockholm, Sweden, 17/06/19. https://doi.org/10.1109/EuroSP.2019.00013

Challenges in designing exploit mitigations for deeply embedded systems. / Abbasi, Ali; Wetzels, Jos; Holz, Thorsten et al.
Proceedings - 4th IEEE European Symposium on Security and Privacy, EURO S and P 2019. Piscataway: Institute of Electrical and Electronics Engineers, 2019. p. 31-46 8806725.

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

TY - GEN

T1 - Challenges in designing exploit mitigations for deeply embedded systems

AU - Abbasi, Ali

AU - Wetzels, Jos

AU - Holz, Thorsten

AU - Etalle, Sandro

PY - 2019/6/1

Y1 - 2019/6/1

N2 - Memory corruption vulnerabilities have been around for decades and rank among the most prevalent vulnerabilities in embedded systems. Yet this constrained environment poses unique design and implementation challenges that significantly complicate the adoption of common hardening techniques. Combined with the irregular and involved nature of embedded patch management, this results in prolonged vulnerability exposure windows and vulnerabilities that are relatively easy to exploit. Considering the sensitive and critical nature of many embedded systems, this situation merits significant improvement. In this work, we present the first quantitative study of exploit mitigation adoption in 42 embedded operating systems, showing the embedded world to significantly lag behind the general-purpose world. To improve the security of deeply embedded systems, we subsequently present μArmor, an approach to address some of the key gaps identified in our quantitative analysis. μArmor raises the bar for exploitation of embedded memory corruption vulnerabilities, while being adoptable on the short term without incurring prohibitive extra performance or storage costs.

AB - Memory corruption vulnerabilities have been around for decades and rank among the most prevalent vulnerabilities in embedded systems. Yet this constrained environment poses unique design and implementation challenges that significantly complicate the adoption of common hardening techniques. Combined with the irregular and involved nature of embedded patch management, this results in prolonged vulnerability exposure windows and vulnerabilities that are relatively easy to exploit. Considering the sensitive and critical nature of many embedded systems, this situation merits significant improvement. In this work, we present the first quantitative study of exploit mitigation adoption in 42 embedded operating systems, showing the embedded world to significantly lag behind the general-purpose world. To improve the security of deeply embedded systems, we subsequently present μArmor, an approach to address some of the key gaps identified in our quantitative analysis. μArmor raises the bar for exploitation of embedded memory corruption vulnerabilities, while being adoptable on the short term without incurring prohibitive extra performance or storage costs.

KW - Embedded System

KW - Exploit Mitigation

KW - Exploiting

KW - Security

UR - http://www.scopus.com/inward/record.url?scp=85072032742&partnerID=8YFLogxK

U2 - 10.1109/EuroSP.2019.00013

DO - 10.1109/EuroSP.2019.00013

M3 - Conference contribution

SP - 31

EP - 46

BT - Proceedings - 4th IEEE European Symposium on Security and Privacy, EURO S and P 2019

PB - Institute of Electrical and Electronics Engineers

CY - Piscataway

T2 - 4th IEEE European Symposium on Security and Privacy, EURO S and P 2019

Y2 - 17 June 2019 through 19 June 2019

ER -

Challenges in designing exploit mitigations for deeply embedded systems

Abstract

Conference

Funding

Keywords

Access to Document

Other files and links

Fingerprint

Cite this