DOI: 10.1145/3564625.3567970
research-article
Public Access
Artifacts Evaluated & Reusable / v1.1

Randezvous: Making Randomization Effective on MCUs

Published: 05 December 2022

ABSTRACT

Internet-of-Things devices such as autonomous vehicular sensors, medical devices, and industrial cyber-physical systems commonly rely on small, resource-constrained microcontrollers (MCUs). MCU software is typically written in C and is prone to memory safety vulnerabilities that are exploitable by remote attackers to launch code reuse attacks and code/control data leakage attacks.

We present Randezvous, a highly performant diversification-based mitigation to such attacks and their brute force variants on ARM MCUs. Atop code/data layout randomization and an efficient execute-only code approach, Randezvous creates decoy pointers to camouflage control data in memory; code pointers in the stack are then protected by a diversified shadow stack, local-to-global variable promotion, and return address nullification. Moreover, Randezvous adds a novel delayed reboot mechanism to slow down persistent attacks and mitigates control data spraying attacks via global guards. We demonstrate Randezvous’s security by statistically modeling leakage-equipped brute force attacks under Randezvous, crafting a proof-of-concept exploit that shows Randezvous’s efficacy, and studying a real-world CVE. Our evaluation of Randezvous shows low overhead on three benchmark suites and two applications.


        Published in

        ACSAC '22: Proceedings of the 38th Annual Computer Security Applications Conference
        December 2022
        1021 pages
        ISBN: 9781450397599
        DOI: 10.1145/3564625

        Copyright © 2022 ACM


        Publisher

        Association for Computing Machinery

        New York, NY, United States

        Publication History

        • Published: 5 December 2022


        Qualifiers

        • research-article
        • Research
        • Refereed limited

        Acceptance Rates

        Overall Acceptance Rate: 104 of 497 submissions, 21%