ABSTRACT
Internet-of-Things devices such as autonomous vehicular sensors, medical devices, and industrial cyber-physical systems commonly rely on small, resource-constrained microcontrollers (MCUs). MCU software is typically written in C and is prone to memory safety vulnerabilities that remote attackers can exploit to launch code reuse attacks and code/control data leakage attacks.
We present Randezvous, a highly performant diversification-based mitigation against such attacks and their brute force variants on ARM MCUs. Atop code/data layout randomization and an efficient execute-only code approach, Randezvous creates decoy pointers to camouflage control data in memory; code pointers on the stack are then protected by a diversified shadow stack, local-to-global variable promotion, and return address nullification. Moreover, Randezvous adds a novel delayed reboot mechanism to slow down persistent attacks and mitigates control data spraying attacks via global guards. We demonstrate Randezvous’s security by statistically modeling leakage-equipped brute force attacks under Randezvous, crafting a proof-of-concept exploit that shows Randezvous’s efficacy, and studying a real-world CVE. Our evaluation of Randezvous shows low overhead on three benchmark suites and two applications.
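The abstract names two of the stack protections together: a diversified shadow stack and return address nullification. The sketch below is an added illustration of that pairing, not code from the Randezvous paper or its compiler; it stands in for what a prologue/epilogue transformation would do on the MCU stack. The frame struct, the shadow region size, the seed used to pick the shadow stack's position, and the attacker steps (a read of the frame, a write into the return-address slot) are all constructed assumptions of this example. The point it makes is visible in the two epilogues: once the return address lives only on the shadow stack and the in-frame slot is zeroed, a stack read leaks no code pointer and a stack write cannot redirect the return.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for one stack frame on an Armv7-M target: a local
 * buffer plus the slot where `push {lr}` would normally spill the return
 * address. (Assumption of this example; not the paper's frame layout.) */
typedef struct {
    char     buf[16];    /* local buffer that an overflow could spill past */
    uint32_t saved_lr;   /* slot the unprotected prologue would write LR into */
} frame_t;

/* Shadow stack: a small window inside a larger reserved region. The window's
 * start is picked from a boot-time seed, a stand-in for per-image
 * diversification (region size, depth and seed are assumptions here). */
#define SHADOW_REGION_WORDS 256
#define SHADOW_DEPTH        32
static uint32_t  shadow_region[SHADOW_REGION_WORDS];
static uint32_t *shadow_base = NULL;
static size_t    shadow_top  = 0;

void shadow_init(uint32_t seed) {
    size_t positions = SHADOW_REGION_WORDS - SHADOW_DEPTH;
    shadow_base = &shadow_region[seed % positions];
    shadow_top  = 0;
}

/* Unprotected prologue/epilogue: LR is spilled into the frame and trusted
 * on return, so the frame both leaks and controls the return address. */
void     prologue_unprotected(frame_t *f, uint32_t lr) { f->saved_lr = lr; }
uint32_t epilogue_unprotected(const frame_t *f)        { return f->saved_lr; }

/* Protected prologue: keep LR only on the shadow stack and zero the frame
 * slot (return address nullification). Returns -1 if the shadow stack is
 * uninitialised or full, which a real deployment would treat as fatal. */
int prologue_protected(frame_t *f, uint32_t lr) {
    if (shadow_base == NULL || shadow_top >= SHADOW_DEPTH) return -1;
    shadow_base[shadow_top++] = lr;
    f->saved_lr = 0;
    return 0;
}

/* Protected epilogue: return through the shadow copy; the frame slot is never
 * consulted, so a corrupted slot has no effect on control flow. */
uint32_t epilogue_protected(const frame_t *f) {
    (void)f;
    if (shadow_top == 0) return 0;
    return shadow_base[--shadow_top];
}

/* Constructed attacker steps against a frame: read it, then overwrite the
 * return-address slot as a stack overflow reaching past buf would. */
uint32_t attacker_leak(const frame_t *f)               { return f->saved_lr; }
void     attacker_overflow(frame_t *f, uint32_t forged) { f->saved_lr = forged; }

/* Run one call under either scheme with both attacker steps applied.
 * Writes what the attacker saw into *leaked and returns the address control
 * actually goes back to. */
uint32_t call_under_attack(int protect, uint32_t real_lr, uint32_t forged_lr,
                           uint32_t *leaked) {
    frame_t f;
    memset(&f, 0xAA, sizeof f);             /* stale stack contents */
    if (protect) {
        if (prologue_protected(&f, real_lr) != 0) return 0;
    } else {
        prologue_unprotected(&f, real_lr);
    }
    *leaked = attacker_leak(&f);
    attacker_overflow(&f, forged_lr);
    return protect ? epilogue_protected(&f) : epilogue_unprotected(&f);
}

int main(void) {
    uint32_t leaked;
    shadow_init(0x5EEDu);
    /* Unprotected: the read reveals real_lr and the return goes to forged_lr. */
    call_under_attack(0, 0x08001235u, 0x08004711u, &leaked);
    /* Protected: the read yields 0 and the return still goes to real_lr. */
    call_under_attack(1, 0x08001235u, 0x08004711u, &leaked);
    return 0;
}
```

The shadow stack here is only hidden by position; it is not otherwise isolated. On a real MCU it would additionally sit in memory the unprivileged code path cannot write, which is what makes the randomised placement matter against a write primitive rather than just a read.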
- Randezvous: Making Randomization Effective on MCUs